DFIR
This Digital Forensic Step: _____?_______ of relevant data to further an investigation or arrive at conclusions that can be translated into security-related actions within an organization is?
Analysis
This is a forensics technique that involves reassembling files from pieces of raw data, when no file system metadata is available?
Data Carving
This Event Viewer Classification is Generated by applications for troubleshooting purposes?
Debug
Determining if an incident occurred, and what type of incident it was.
Detection and analysis
Hackers can encrypt static data to avoid detection. This type of obfuscation is called?
Encryption
Name the Data Carving tool that is not a carving software, it is commonly used to view raw data. It is a hex editor that can edit a raw disk of any size, and modify RAM. It has an easy-to-use UI with many helpful features, such as search and replace, checksums, digests, insertion of byte patterns, and more
HxD
This Event Viewer Classification is Generated during a benign operation, with records of normal and expected behavior.
Informational
What action would you take for Incident Response Containment?
Isolate network segments, shut down compromised servers,
When Analyzing the file's access to registry entries the analyst is looking for?
Registry Changes
Hackers can hide information in network traffic. This type of obfuscation is called?
Tunneling
What is an automatic and pre-built in the Kali Linux distribution. All that is needed is to choose which action to perform on the specified executable.
UPX
What is an open-source collection of Python-based tools that support both Linux and Windows. It has an option to read different types of memory dumps and filter them according to different parameters. Extensions can be added to gather even more information about the processes.
Volatility Framework
This Event Viewer Classification is Generated when something is missing or required by an application or system.
Warning
This capture tool is A CLI-based Linux tool that can be used to clone entire drives and partitions.
dd
This CPU Architecture types for x86 is a competitor of Intel CPUs. In the past, there were compatibility issues with operating systems and programs based on this type of architecture.
AMD
This CPU Architecture types for x86 is mainly used in mobile and low power devices. It includes approximately 5000 different commands.
ARM
This capture tool is a commercial tool used for backups and restorations, but is not typically used for forensics.
Acronis
This Event Viewer Classification is an Actionable warning or error message that require someone's attention.
Alert
Network Activity is defined as?
Analyzing the system's network activity
The Technique when Common DLLs that run in every process can be infected?
AppCert DLL
This technique that the MBR can be manipulated to load malware upon restart?
Bootkit
Name the Data Carving tool that attempts to rebuild and recover files without using a specific file system structure. Is distinguished from other forensic tools by its speed and thoroughness. Because it ignores the file system structure, the tool can process different parts of a disk in parallel.
Bulk Extractor
John was tasked to investigate a network attack in accordance with the network forensics investigation flow process. What should be John's first step?
Check for malware signatures
This capture tool is A Linux distribution for drive cloning and imaging.
Clonezilla
This Digital Forensic Step: _____?_______ of data in a professional and timely manner and organizing and categorizing the data to efficiently manage it is called?
Collection
In Wireshark, filters are powerful tools that can be used to narrow searches for a specific goal. For example, if you are looking only for outbound HTTP traffic, you could use the following: src host x.x.x.x & http (where x.x.x.x is your IP address) Name the Wireshark Feature?
Display Filter Expressions
This Event Viewer Classification is Generated when a mistake occurs in the OS or other system software
Error
This Digital Forensic Step: _____?_______ of data by forensic analysts working with the appropriate tools to determine which information is relevant to the scope of an investigation is called?
Examination
Depending on the location of the capture, Wireshark can provide a tool to transfer some objects such as files over the network. What Wireshark feature is available to do this?
Export
This capture tool is an FTK Toolkit tool used to capture data.
FTK Imager
What happens when a file is deleted what conditions is recoverable. The process of obtaining deleted files and metadata in data streams is referred to as?
File Carving
When Malware makes changes inside the OS file system this is called?
File system changes
What is a fast imaging and advanced forensic tool. Secures sensitive data with AES 256-bit encryption, and is to for drive captures and clones?
Logicube Falcon
This CPU Architecture types for x86 is used in low power devices, such as IoT. Many router exploits contain payloads based on this type of architecture.
MIPS
What is the roles of an organizations SOC manager?
Manages the daily operation of the center, and reports to the senior security leader (CISO)
This CPU Architecture types for x86 is a new architecture for Intel CPUs.It has two main designs: NASM X86 for 32-bit, and NASM X64 for 64-bit
NASM
John opened an executable file and noticed unusual activity, such as files that opened on their own. For further investigation, he wanted to check if any new network connections were established. Which of the following tools can check network connections?
Netstat
What is the main intent of a Sandbox and what is it solving?
Online sandboxes are automated dynamic analysis platforms that do not require installation. Investigate Malware.
What Packing technique used to hide malware and make it harder to detect and analyze?
PEiD
Name the Data Carving tool that is a powerful free, open-source, and multi-platform carving tool that focuses on rebuilding and recovering media files.
PhotoRec
Actions performed after an incident, including collecting data left behind by an intrusion (artifacts), preserving the data for future use as evidence, and studying what can be learned from the incident to improve Cybersecurity against future events. Is all part of?
Post incident activities
This initial step of the process is where each member of the incident response team reviews the role they will play during an incident
Preparation and planning
Regedit is a utility that can be used to hide and launch programs activated automatically by RunOnce (run and delete) keys. This type of Persistence technique is called?
Registry Keys
What is an advanced forensics and incident response framework, developed by Google. It leverages exact debugging information provided by operating system vendors to precisely locate significant kernel data structures.
Rekall
This Digital Forensic Step: _____?_______ is an essential step in any cyber forensics process and must address the target audience. If it will be used in a court of law, it will require information that may constitute "evidence". is called
Reporting
What is the roles of an organizations CISO?
Responsible for the overall security program, which ranges from cyber risk management to vulnerability management, to any other security-related function associated with incident response.
After you enter a website, a pop-up appears saying your computer files were infected, and offering to fix the problem for a small fee. Which of the following attacks did you encounter?
Scareware
A task can be set to run a malicious payload upon system boot. This type of Persistence technique is called?
Scheduled task
Malware can register a ______?______with a binary path that points to a malicious executable program on the disk.
Service
When a malicious party impersonates another device or user on a network to launch attacks against network hosts, steal data, spread malware, or bypass access controls. This type of obfuscation is called?
Spoofing
Malware can persist through this folder, whereby all executable files in the folder will be run upon powering on the system.
Startup
Hackers can hide crucial information in existing files. This type of obfuscation is called?
Stegnography
Wireshark enables data _____?______ instead of packet-by-packet inspection. By inspecting an entire stream you can obtain more information about network activity. Name the Wireshark Feature?
Stream Inspection
This CPU Architecture types for x86, the legacy architecture for Intel CPUs. It is a 16-bit architecture, and to use it, an emulator (known as a Turbo emulator) is required.
TASM
Containment, eradication, and recovery steps in the NIST is defined as?
Taking action to mitigate the incident.
This is a common tool used for network capture and investigation. It is installed by default on most servers and network equipment and can be run via CLI.
Tcpdump