D3: Cyber Incident Response - PQs
If Lucca wants to validate the application files he has downloaded from the vendor of his application, what information should he request from them? A. File size and file creation date B. MD5 hash C. Private key and cryptographic hash D. Public key and cryptographic hash
B. Lucca only needs a verifiable MD5 hash to validate the files under most circumstances. The hash must be obtained from a trusted channel separate from the download itself (for example, the vendor's HTTPS site), and because MD5 is collision-prone, a SHA-256 digest or a detached signature verified with the vendor's public key is preferable where the vendor provides one.
When Charles arrived at work this morning, he found an email in his inbox that read, "Your systems are weak; we will own your network by the end of the week." How would he categorize this sign of a potential incident if he was using the NIST SP 800-61 descriptions of incident signs? A. An indicator B. A threat C. A risk D. A precursor
D. NIST SP 800-61 categorizes signs of an incident into two categories, precursors and indicators. Precursors are signs that an incident may occur in the future. Since there is not an indicator that an event is in progress, this can be categorized as a precursor. Now Charles needs to figure out how he will monitor for a potential attack!
Because of external factors, Eric has only a limited time period to collect an image from a workstation. If he collects only specific files of interest, what type of acquisition has he performed? A. Logical B. Bit-by-bit C. Sparse D. None of the above
A. A logical acquisition focuses on specific files of interest, such as a specific type of file, or files from a specific location. In Eric's case, a logical acquisition meets his needs. A sparse acquisition also collects data from unallocated space. A bit-by-bit acquisition is typically performed for a full drive and will take longer.
Chris wants to run John the Ripper against a Linux system's passwords. What does he need to attempt password recovery on the system? A. Both /etc/passwd and /etc/shadow B. /etc/shadow C. /etc/passwd D. Chris cannot recover passwords; only hashes are stored
A. Chris needs both /etc/passwd and /etc/shadow for John to crack the passwords; John's unshadow utility merges the two files so that the hashes from shadow are paired with the usernames and GECOS data from passwd. Only hashes are stored, but John the Ripper's wordlist, rule-based, and incremental (brute-force) modes recover the passwords that produce those hashes.
Allison wants to access Chrome logs as part of a forensic investigation. What format is information about cookies, history, and saved form fill information saved in? A. SQLite B. Plain text C. Base64 encoded text D. NoSQL
A. Chrome stores a broad range of useful forensic information in its SQLite database, including cookies, favicons, history, logins, top sites, web form data, and other details.
A server in the data center that Chris is responsible for monitoring unexpectedly connects to an off-site IP address and transfers 9GB of data to the remote system. What type of monitoring should Chris enable to best assist him in detecting future events of this type? A. Flow logs with heuristic analysis B. SNMP monitoring with heuristic analysis C. Flow logs with signature based detection D. SNMP monitoring with signature-based detection
A. Flow logs would show Chris outbound traffic flows based on remote IP addresses as well as volume of traffic, and behavioral (heuristic) analysis will help him to alert on similar behaviors. Chris should build an alert that alarms when servers in his data center connect to domains that are not already whitelisted and should strongly consider whether servers should be allowed to initiate outbound connections at all!
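The heuristic Chris would build over flow records, as an added example that is not part of the original answer key. The flow records, the internal address range, the allow-list of known destinations, and the field layout (src, dst, dport, bytes) are all constructed for this illustration; real input would come from NetFlow/IPFIX, sFlow or cloud VPC flow logs. A flow is flagged when it goes to an external host that is not allow-listed and is either very large in absolute terms or far above that source host's usual outbound flow size.

```python
"""Heuristic review of outbound flow records for exfiltration-like transfers.

Added example, not from the original answer key. SAMPLE_FLOWS, INTERNAL and
ALLOWLIST are constructed; the (src, dst, dport, bytes) layout is an assumption.
"""
import ipaddress
from collections import defaultdict
from statistics import mean

# Constructed sample flows: (src, dst, dport, bytes_out)
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 1433, 120_000),
    ("10.10.1.5", "10.10.1.20", 1433, 95_000),
    ("10.10.1.5", "52.10.0.7", 443, 60_000),             # allow-listed update server
    ("10.10.1.5", "52.10.0.7", 443, 72_000),
    ("10.10.1.5", "10.10.1.20", 1433, 110_000),
    ("10.10.1.5", "203.0.113.44", 443, 9_000_000_000),   # the 9 GB transfer
    ("10.10.1.6", "10.10.1.20", 1433, 50_000),
    ("10.10.1.6", "203.0.113.9", 22, 800_000_000),
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed data-center range
ALLOWLIST = {"52.10.0.7"}                        # assumed known vendor destinations


def outbound_external(flows):
    """Keep only flows whose destination lies outside the internal range."""
    return [f for f in flows if ipaddress.ip_address(f[1]) not in INTERNAL]


def find_exfil_candidates(flows, allowlist=ALLOWLIST,
                          min_bytes=500_000_000, factor=10.0):
    """Flag flows to non-allow-listed external hosts that are either large in
    absolute terms (>= min_bytes) or more than `factor` times the source
    host's average outbound flow size (the behavioral part)."""
    per_src = defaultdict(list)
    for src, _dst, _dport, nbytes in flows:
        per_src[src].append(nbytes)

    hits = []
    for src, dst, dport, nbytes in outbound_external(flows):
        if dst in allowlist:
            continue
        others = [b for b in per_src[src] if b != nbytes]
        baseline = mean(others) if others else 0.0
        reasons = []
        if nbytes >= min_bytes:
            reasons.append("absolute size")
        if baseline and nbytes > factor * baseline:
            reasons.append("%.0fx host baseline" % (nbytes / baseline))
        if reasons:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "bytes": nbytes, "why": ", ".join(reasons)})
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_FLOWS):
        print(hit)
```

The baseline here is a per-host mean over the same batch of records; in production it should be computed over a trailing window of days and the allow-list should be derived from an inventory of sanctioned outbound destinations rather than typed by hand.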
Lauren wants to ensure that the two most commonly used methods for preventing Linux buffer overflow attacks are enabled for the operating system she is installing on her servers. What two related technologies should she investigate to help protect her systems? A. The NX bit and ASLR B. StackAntismash and DEP C. Position-independent variables and ASLR D. DEP and the position-independent variables
A. The NX bit marks memory pages such as the stack and heap as non-executable, while ASLR ensures that the stack, heap, and shared libraries are loaded at randomized locations, making it difficult for attackers to jump to known addresses in memory (for example, in return-to-libc attacks). DEP is the Windows name for the same NX-based memory protection, and position-independent code is a compiler-level setting that lets ASLR randomize the location of the program's own executable as well; both complement rather than replace the two technologies in the answer.
Cameron believes that the Ubuntu Linux system that he is restoring to service has already been fully updated. What command can he use to check for new updates, and where can he check for the history of updates on his system? A. apt-get -u upgrade, /var/log/apt B. rpm -i upgrade, /var/log/rpm C. upgrade -l, /var/log/upgrades D. apt-get install -u; Ubuntu Linux does not provide a history of updates
A. The apt command is used to install and upgrade packages in Ubuntu Linux from the command line. The command apt-get -u upgrade lists the packages that would be upgraded before proceeding (adding the -V flag shows version information). The record of which packages were installed or upgraded is retained in /var/log/apt (history.log and term.log), with /var/log/dpkg.log holding the underlying package-manager log, although log rotation may remove or compress older entries.
Ben wants to coordinate with other organizations in the information security community to share data and current events as well as warnings of new security issues. What type of organization should he join? A. An ISAC B. A CSIRT C. A VPAC D. An IRT
A. Information Sharing and Analysis Centers (ISACs) are information sharing and community support organizations that work within vertical industries like energy, higher education, and other business domains. Ben may choose to have his organization join an ISAC to share and obtain information about threats and activities that are particularly relevant to what his organization does.
While conducting a forensic review of a system involved in a data breach, Alex discovers a number of Microsoft Word files including files with filenames like critical_data.docx and sales_estimates_2017.docx. When he attempts to review the files using a text editor for any useful information, he finds only unreadable data. What has occurred? A. Microsoft Word files are stored in .zip format. B. Microsoft Word files are encrypted. C. Microsoft Word files can be opened only by Microsoft Word. D. The user has used antiforensic techniques to scramble the data.
A. Modern Microsoft Office files are actually stored in a .zip format (Office Open XML), which is why their contents look unreadable in a text editor. Alex will need to open them using a utility that can unzip them before he can manually review their contents. He may want to use a dedicated Microsoft Office forensics tool or a forensics suite with built-in support for Office documents. A file with a .docx extension that is not a zip archive may be an older binary .doc or a password-protected document, which cannot simply be unzipped.
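The unzip-and-read step described above, as an added example that is not part of the original answer key. The .docx is constructed in memory (a minimal OOXML package containing a word/document.xml part), so the code runs without a real document; the magic-byte check distinguishes a zip container from an OLE compound file, which is what a legacy .doc or a password-protected Office file looks like.

```python
"""Reading a modern Office (.docx) file without an Office library.

Added example, not from the original answer key. build_sample_docx() constructs
a minimal OOXML package for the demo; a real file would be read from disk.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_docx(paragraphs):
    """Construct a minimal .docx: a zip holding [Content_Types].xml and
    word/document.xml. Paragraph text is assumed to be free of XML metacharacters."""
    body = "".join(f"<w:p><w:r><w:t>{p}</w:t></w:r></w:p>" for p in paragraphs)
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not parsed below
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def container_type(data):
    """What the leading bytes say the file is; a text editor shows them as garbage."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"        # .docx / .xlsx / .pptx
    if data.startswith(OLE_MAGIC):
        return "ole-compound"     # legacy .doc, or a password-protected OOXML file
    return "unknown"


def docx_parts(data):
    """The package parts; docProps/core.xml (author, timestamps) is often present too."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def docx_text(data):
    """Paragraph text from word/document.xml, in document order."""
    kind = container_type(data)
    if kind != "ooxml-zip":
        raise ValueError(f"not an OOXML zip container ({kind}); use an Office "
                         "forensics tool or check whether the file is encrypted")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    paragraphs = []
    for p in root.iter(f"{{{W_NS}}}p"):
        paragraphs.append("".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t")))
    return paragraphs


if __name__ == "__main__":
    sample = build_sample_docx(["Merger terms", "Q3 sales estimate: 4.2M"])
    print(container_type(sample), docx_parts(sample))
    print(docx_text(sample))
```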
Charles wants to verify that authentication to a Linux service has two-factor authentication settings set as a requirement. Which common Linux directory can he check for this type of setting, listed by application, if the application supports it? A. /etc/pam.d B. /etc/passwd C. /etc/auth.d D. /etc/tfa
A. Pluggable authentication module (PAM)-aware applications have a file in the /etc/pam.d directory. These files list directives that define the module and what settings or controls are enabled. Charles should ensure that the multifactor authentication system he uses is configured as required in the PAM files for the services he is reviewing.
Kathleen is restoring a critical business system to operation after a major compromise and needs to validate that the operating system and application files are legitimate and do not have any malicious code included in them. What type of tool should she use to validate this? A. A trusted system binary kit B. Dynamic code analysis C. Static code analysis D. File rainbow tables
A. Trusted system binary kits like those provided by the National Software Reference Library (NSRL) include known-good hashes of many operating systems and applications. Kathleen can hash the files on her system and compare them against the known-good set; files whose hashes do not match, or that do not appear in the set at all, need closer review.
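The comparison Kathleen performs, and the hash check Lucca wants from his vendor, as an added example that is not part of the original answer key. The "system" is a temporary directory with constructed file contents and the known-good set is built from those contents before one file is tampered with; a real run would load hashes from a source such as the NSRL Reference Data Set or a vendor's published digest file. Files that are absent from the trusted set are reported as unknown rather than silently accepted, because a dropped binary has no known-good hash at all.

```python
"""Validating files against a known-good hash set.

Added example, not from the original answer key. demo() builds a constructed
directory tree; real known-good hashes come from NSRL or a vendor.
"""
import hashlib
import io
import os
import tempfile


def _digest_stream(fh, algorithms, chunk):
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha1", "sha256")):
    return _digest_stream(io.BytesIO(data), algorithms, 1 << 20)


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk=1 << 20):
    """One read pass, several digests (NSRL publishes MD5 and SHA-1; vendors
    increasingly publish SHA-256)."""
    with open(path, "rb") as fh:
        return _digest_stream(fh, algorithms, chunk)


def scan_tree(root, **kw):
    """{relative_path: {algorithm: hexdigest}} for every file under root."""
    observed = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            observed[rel] = hash_file(full, **kw)
    return observed


def classify(observed, known_good, algorithm="sha256"):
    """observed: {path: {alg: hex}}, known_good: {path: hex}.
    Returns {path: 'match' | 'MISMATCH' | 'unknown' | 'missing'}."""
    verdicts = {}
    for rel, digests in observed.items():
        expected = known_good.get(rel)
        if expected is None:
            verdicts[rel] = "unknown"
        elif expected.lower() == digests[algorithm].lower():
            verdicts[rel] = "match"
        else:
            verdicts[rel] = "MISMATCH"
    for rel in known_good:
        if rel not in observed:
            verdicts[rel] = "missing"
    return verdicts


def demo():
    """Constructed scenario: two baselined binaries, one later trojaned,
    plus a dropped file the baseline has never seen."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        contents = {
            "bin/ls": b"#!/bin/sh\necho original ls\n",
            "bin/ps": b"#!/bin/sh\necho original ps\n",
        }
        known_good = {rel: hashlib.sha256(data).hexdigest()
                      for rel, data in contents.items()}
        contents["bin/ps"] = b"#!/bin/sh\necho trojaned ps\n"   # tampered after baseline
        contents["bin/.hidden"] = b"dropped by attacker\n"        # never baselined
        for rel, data in contents.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return classify(scan_tree(root), known_good)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:9s} {path}")
```

For Fred's single-file case the same digests come from certutil -hashfile on Windows; the point of comparing against a trusted set rather than eyeballing one hash is that the result is a verdict per file, not a number to be checked by hand.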
Catherine wants to detect unexpected output from the application she is responsible for managing and monitoring. What type of tool can she use to detect unexpected output effectively? A. A log analysis tool B. A behavior based analysis tool C. A signature based detection tool D. Manual analysis
B. Catherine can configure a behavior-based analysis tool that captures and analyzes normal behavior for her application and then alerts her when unexpected behavior occurs. While this requires initial setup, it requires less long-term work than constant manual monitoring, and unlike signature-based or log-analysis tools, it will typically handle outputs that have never been seen before.
Chris wants to prevent evil twin attacks from working on his wireless network. Which of the following is not a useful method for detecting evil twins? A. Check for BSSID. B. Check the SSID. C. Check the attributes (channel, cipher, authentication method). D. Check for tagged parameters like the organizational unique identifier.
B. Checking the SSID won't help, since an evil twin specifically clones the SSID of a legitimate AP. Evil twins can be identified by checking their BSSID (the wireless MAC address). If the wireless MAC has also been cloned, checking additional attributes such as the channel, cipher, or authentication method can help identify them. In many cases they can also be identified using the organizationally unique identifier (OUI) that is sent in vendor-specific tagged parameters in beacon frames.
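The checks above applied to a scan, as an added example that is not part of the original answer key. The authorized-AP inventory, the authorized vendor OUI, and the scan results are all constructed; in practice the scan would come from a WIDS or a tool such as airodump-ng and the OUI list from the IEEE registry. The SSID is used only to decide which beacons claim to be the corporate network; the verdict comes from the BSSID, the attributes, and the OUI.

```python
"""Evil twin detection from beacon data.

Added example, not from the original answer key. AUTHORIZED_APS,
AUTHORIZED_OUIS and SCAN are constructed for the illustration.
"""

# Assumed inventory of the organization's own APs, keyed by BSSID.
AUTHORIZED_APS = {
    "00:1a:2b:3c:4d:01": {"ssid": "CorpWiFi", "channel": 36, "cipher": "CCMP", "auth": "WPA2-EAP"},
    "00:1a:2b:3c:4d:02": {"ssid": "CorpWiFi", "channel": 44, "cipher": "CCMP", "auth": "WPA2-EAP"},
}
AUTHORIZED_OUIS = {"00:1a:2b"}   # assumed vendor prefix of the corporate APs

# Constructed scan: one genuine AP, one cloned BSSID, two impostors, one neighbor.
SCAN = [
    {"bssid": "00:1A:2B:3C:4D:01", "ssid": "CorpWiFi", "channel": 36, "cipher": "CCMP", "auth": "WPA2-EAP"},
    {"bssid": "00:1A:2B:3C:4D:02", "ssid": "CorpWiFi", "channel": 6, "cipher": "NONE", "auth": "OPEN"},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "CorpWiFi", "channel": 1, "cipher": "CCMP", "auth": "WPA2-PSK"},
    {"bssid": "00:1A:2B:99:88:77", "ssid": "CorpWiFi", "channel": 11, "cipher": "CCMP", "auth": "WPA2-EAP"},
    {"bssid": "AA:BB:CC:00:00:01", "ssid": "NeighborNet", "channel": 1, "cipher": "CCMP", "auth": "WPA2-PSK"},
]


def oui(bssid):
    """First three octets of the MAC, the vendor-assigned part."""
    return bssid.lower()[:8]


def classify_beacons(scan, authorized=AUTHORIZED_APS, ouis=AUTHORIZED_OUIS):
    """Return a finding for every beacon that impersonates a corporate AP."""
    corp_ssids = {ap["ssid"] for ap in authorized.values()}
    findings = []
    for beacon in scan:
        bssid = beacon["bssid"].lower()
        ssid = beacon["ssid"]
        if bssid in authorized:
            # BSSID matches ours, so compare the remaining attributes: a cloned
            # MAC rarely gets channel, cipher and auth method right as well.
            expected = authorized[bssid]
            diffs = [k for k in ("channel", "cipher", "auth") if beacon[k] != expected[k]]
            if diffs:
                findings.append({"bssid": bssid, "ssid": ssid,
                                 "verdict": "cloned BSSID, mismatched " + ", ".join(diffs)})
        elif ssid in corp_ssids:
            # Our SSID from a BSSID we do not own: a bare SSID check would pass this.
            vendor = "spoofed vendor OUI" if oui(bssid) in ouis else "unknown vendor OUI"
            findings.append({"bssid": bssid, "ssid": ssid, "verdict": f"evil twin ({vendor})"})
    return findings


if __name__ == "__main__":
    for finding in classify_beacons(SCAN):
        print(finding)
```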
During a forensic investigation, Charles discovers that he needs to capture a virtual machine that is part of the critical operations of his company's website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow? A. Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in. B. Copy the virtual disk files and then use a memory capture tool. C. Escalate to management to get permission to suspend the system to allow a true forensic copy. D. Use a tool like the Volatility Framework to capture the live machine completely.
B. If business concerns override his ability to suspend the system, the best option that Charles has is to copy the virtual disk files and then use a live memory imaging tool. This will give him the best forensic copy achievable under the circumstances. Snapshotting the system and booting the copy will result in a loss of live memory artifacts. Escalating may be possible in some circumstances, but the scenario specifies that the system must remain online. Finally, the Volatility Framework analyzes memory images but is not designed to capture a full virtual machine.
Jennifer is planning to deploy rogue access point detection capabilities for her network. If she wants to deploy the most effective detection capability she can, which of the following detection types should she deploy first? A. Authorized MAC B. Authorized SSID C. Authorized channel D. Authorized vendor
B. In most cases, the first detection type Jennifer should deploy is a rogue SSID detection capability. This will help her reduce the risk of users connecting to untrusted SSIDs. She may still want to conduct scans for APs that are using channels they should not be, and of course her network should either use network access controls or scan for rogue MAC addresses to prevent direct connection of rogue APs and other devices.
Fred needs to validate the MD5 checksum of a file on a Windows system but is not allowed to install any programs and cannot run files from external media or drives. What Windows utility can he use to get the MD5 hash of the file? A. md5sum B. certutil C. sha1sum D. hashcheck
B. Modern versions of Windows include the built-in certutil utility. Running certutil -hashfile [file location] MD5 will calculate the MD5 hash of a file; certutil also supports SHA1 and SHA256 as well as other less frequently used hashes. md5sum and sha1sum are Linux utilities, and HashCheck is a third-party shell extension for Windows that would have to be installed. On systems with PowerShell 4.0 or later, the built-in Get-FileHash cmdlet is an alternative that likewise requires no installation.
NIST defines five major types of threat information types in NIST SP 800-150, "Guide to Cyber Threat Information Sharing." 1. Indicators, which are technical artifacts or observables that suggest an attack is imminent, currently underway, or compromise may have already occurred 2. Tactics, techniques, and procedures that describe the behavior of an actor 3. Security alerts like advisories and bulletins 4. Threat intelligence reports that describe actors, systems, and information being targeted and the methods being used 5. Tool configurations that support collection, exchange, analysis, and use of threat information Which of these should Frank seek out to help him best protect the midsize organization he works for against unknown threats? A. 1, 2, and 5 B. 1, 3, and 5 C. 2, 4, and 5 D. 1, 2, and 4
B. The more effort Frank puts into staying up-to-date with information by collecting threat information (5), monitoring for indicators (1), and staying up-to-date on security alerts (3), the stronger his organization's security will be. Understanding specific threat actors may become relevant if they specifically target organizations like Frank's, but as a midsize organization Frank's employer is less likely to be directly targeted.
Chris is analyzing Chrome browsing information as part of a forensic investigation. After querying the visits table that Chrome stores, he discovers a 64-bit integer value stored as "visit time" listed with a value of 131355792940000000. What conversion does he need to perform on this data to make it useful? A. The value is in seconds since January 1, 1970. B. The value is in seconds since January 1, 1601. C. The value is a Microsoft timestamp and can be converted using the time utility. D. The value is an ISO 8601-formatted date and can be converted with any ISO time utility
B. Chrome's history, visits, and cookie tables use a timestamp counted from midnight on January 1, 1601 (UTC), so B is the closest listed answer; the epoch is what distinguishes it from a Unix timestamp. Strictly, Chrome stores microseconds rather than seconds since that epoch, while the Windows FILETIME format counts 100-nanosecond intervals from the same date. The magnitude of the value is the tell: 131355792940000000 is far too large to be seconds (it would represent thousands of years), and treated as 100-nanosecond units it decodes to 2017-04-02T04:01:34+00:00. Since the question does not specify an operating system and Chrome is broadly available for multiple platforms, you should not assume a Microsoft-specific format. ISO 8601 is written in a format like this: 2017-04-02T04:01:34+00:00.
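The conversion Chris needs, together with the SQLite query an examiner would run against Chrome's History file, as an added example that is not part of the original answer key. The in-memory database is a constructed, reduced copy of Chrome's urls and visits tables, and the rows in it are made up; guess_epoch() is a magnitude check that flags when a "Chrome" value is really a FILETIME or Unix timestamp, which is the trap in the question.

```python
"""Decoding 1601-epoch timestamps from a Chrome History database.

Added example, not from the original answer key. build_sample_history()
constructs a reduced copy of Chrome's urls/visits schema with made-up rows.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SECONDS_1601_TO_1970 = 11_644_473_600


def webkit_to_datetime(value):
    """Chrome/WebKit timestamp: microseconds since 1601-01-01 00:00 UTC."""
    return EPOCH_1601 + timedelta(microseconds=int(value))


def filetime_to_datetime(value):
    """Windows FILETIME: 100-nanosecond intervals since the same 1601 epoch."""
    return EPOCH_1601 + timedelta(microseconds=int(value) // 10)


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime; dt must be timezone-aware."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1)


def webkit_to_unix(value):
    """Unix seconds, for tools that expect a 1970 epoch."""
    return int(value) // 1_000_000 - SECONDS_1601_TO_1970


def guess_epoch(value):
    """Classify a raw integer by magnitude, assuming it encodes a date between
    roughly 1990 and 2100. A value outside the expected band is the first sign
    that the wrong conversion is about to be applied."""
    v = int(value)
    if 6e8 <= v < 5e9:
        return "unix_seconds"
    if 6e11 <= v < 5e12:
        return "unix_milliseconds"
    if 1.2e16 <= v < 1.6e16:
        return "webkit_microseconds"
    if 1.2e17 <= v < 1.6e17:
        return "filetime_100ns"
    return "unknown"


def build_sample_history():
    """Constructed in-memory stand-in for Chrome's History file."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
    """)
    t1 = datetime_to_webkit(datetime(2017, 4, 2, 4, 1, 34, tzinfo=timezone.utc))
    t2 = t1 + 90 * 1_000_000   # a second visit 90 seconds later
    db.execute("INSERT INTO urls VALUES (1, 'https://intranet.example/finance', 'Finance', ?)", (t2,))
    db.executemany("INSERT INTO visits VALUES (?, 1, ?, ?)",
                   [(1, t1, 0x30000000), (2, t2, 0x30000000)])
    return db


def list_visits(db):
    """Join visits to urls and convert visit_time on the way out."""
    rows = db.execute(
        "SELECT u.url, v.visit_time FROM visits v JOIN urls u ON u.id = v.url "
        "ORDER BY v.visit_time").fetchall()
    return [(url, webkit_to_datetime(ts).isoformat()) for url, ts in rows]


if __name__ == "__main__":
    raw = 131355792940000000
    print(guess_epoch(raw), filetime_to_datetime(raw).isoformat())
    for url, when in list_visits(build_sample_history()):
        print(when, url)
```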
Jack is preparing to take a currently running PC back to his forensic lab for analysis. As Jack considers his forensic process, one of his peers recommends that he simply pull the power cable rather than doing a software-based shutdown. Why might Jack choose to follow this advice? A. It will create a crash log, providing useful memory forensic information. B. It will prevent shutdown scripts from running. C. It will create a memory dump, providing useful forensic information. D. It will cause memory-resident malware to be captured, allowing analysis.
B. If the system contains any shutdown scripts, or if there are temporary files that would be deleted at shutdown, simply pulling the power cable will leave these files in place for forensic analysis. Pulling the cord will not create a memory or crash dump, and memory-resident malware will be lost at power-off, so if Jack needs the contents of memory he should capture it with a live memory acquisition tool before removing power.
What level of forensic data extraction will most likely be possible and reasonable for a corporate forensic examiner who deals with modern phones that provide filesystem encryption? A. Level 1: Manual extraction B. Level 2: Logical extraction C. Level 3: JTAG or HEX dumping D. Level 4: Chip extraction
B. Logical copies of data and volumes from an unlocked or decrypted device are the most likely mobile forensic scenario in many cases. Most forensic examiners do not have access to chip-level forensic capabilities that physically remove flash memory from the circuit board, and JTAG-level acquisition may involve invasive techniques like directly connecting to test points or chips on a circuit board; with filesystem encryption, a physical dump obtained without the keys yields only ciphertext in any case.
Casey's search for a possible Linux backdoor account during a forensic investigation has led her to check through the filesystem for issues. Where should she look for back doors associated with services? A. /etc/passwd B. /etc/xinetd.conf C. /etc/shadow D. $HOME/.ssh/
B. Services are often started by xinetd (although newer versions of most distributions now use systemd, so its unit files deserve the same scrutiny). Both /etc/passwd and /etc/shadow are associated with user accounts, and $HOME/.ssh/ contains SSH keys and other details for SSH-based logins.
Joe wants to recover the passwords for local Windows users on a Windows 7 workstation. Where are the password hashes stored? A. C:\Windows\System32\passwords B. C:\Windows\System32\config C. C:\Windows\Secure\config D. C:\Windows\Secure\accounts
B. The SAM hive is stored in C:\Windows\System32\config but is locked while the system is booted. The hashed passwords are also exposed in the registry at HKEY_LOCAL_MACHINE\SAM but are likewise protected while the system is running. The hashes in the SAM are encrypted with a key derived from the SYSTEM hive in the same directory, so both hives are needed for offline recovery. The best way to recover them is by booting from removable media and copying the hives, or by using a tool like fgdump on the live system.
Joseph wants to determine when a USB device was first plugged into a Windows workstation. What file should he check for this information? A. The registry B. The setupapi log file C. The system log D. The data is not kept on a Windows system.
B. The setupapi log (C:\Windows\INF\setupapi.dev.log on Windows Vista and later; C:\Windows\setupapi.log on Windows XP) records the first time a USB device is connected to a Windows system, using the local system's time. Other device information, such as the USBSTOR entries under HKLM\SYSTEM\CurrentControlSet\Enum, is collected in the registry.
After arriving at an investigation site, Brian determines that three powered-on computers need to be taken for forensic examination. What steps should he take before removing the PCs? A. Power them down, take pictures of how each is connected, and log each system in as evidence. B. Take photos of each system, power them down, and attach a tamper-evident seal to each PC. C. Collect live forensic information, take photos of each system, and power them down. D. Collect a static drive image, validate the hash of the image, and securely transport each system.
C. Brian should determine whether he needs live forensic information, but if he is not certain, the safest path for him is to collect live forensic information, take photos so that he knows how each system was set up and configured, and then power them down. He would then log each system as evidence and will likely create forensic copies of the drives once he reaches his forensic work area or may use a portable forensic system to make drive images on-site. Powering a running system down can result in the loss of significant forensic information, meaning that powering a system down before collecting some information is typically not recommended. Collecting a static image of a drive requires powering the system down first!
As the CISO of her organization, Jennifer is working on an incident classification scheme and wants to base her design on NIST's definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view? A. An incident B. An event C. An adverse event D. A security incident
C. NIST describes events with negative consequences as adverse events. It might be tempting to immediately call this a security incident; however, it wouldn't be classified that way until an investigation was conducted. If the user accidentally accessed the file, the classification would typically not change. Intentional or malicious access would cause the adverse event to become a security incident.
Lauren recovers a number of 16GB and 32GB microSD cards during a forensic investigation. Without checking them manually, what filesystem type is she most likely to find them formatted in as if they were used with a digital camera? A. RAW B. FAT16 C. FAT32 D. HFS
C. Most portable consumer devices, especially those that generate large files, format their storage as FAT32, and the SD card specification calls for FAT32 on SDHC cards in the 4GB to 32GB range (exFAT is used for SDXC cards above 32GB). FAT16 is limited to 2GB partitions.
Jessica wants to track the changes made to the registry and filesystem while running a suspect executable on a Windows system. Which Sysinternals tool will allow her to do this? A. App Monitor B. Resource Tracker C. Process Monitor D. There is not a Sysinternals tool with this capability.
C. Process Monitor provides detailed tracking of filesystem and registry changes as well as other details that can be useful when determining what changes an application makes to a system. This is often used by system administrators as well as forensic and incident response professionals, as it can help make tracking down intricate installer problems much easier!
Adam wants to quickly crack passwords from a Windows 7 system. Which of the following tools will provide the fastest results in most circumstances? A. John the Ripper B. Cain and Abel C. Ophcrack D. Hashcat
C. Under most circumstances, Ophcrack's rainbow table-based cracking of LM and NTLM hashes will result in the fastest hash cracking. Hashcat's high-speed, GPU-driven cracking techniques are likely to come in second, with John the Ripper's and Cain and Abel's traditional CPU-driven cracking methods remaining slower unless their mutation-based password cracks discover simple passwords very quickly.
Which of the following mobile device forensic techniques is not a valid method of isolation during forensic examination? A. Use a forensic SIM. B. Buy and use a forensic isolation appliance. C. Place the device in an antistatic bag. D. Put the device in airplane mode
C. Using a forensic SIM (which provides some but not all of the files necessary for the phone to work); using a dedicated forensic isolation appliance that blocks Wi-Fi, cellular, and Bluetooth signals; or even simply putting a device into airplane mode are all valid mobile forensic techniques for device isolation. While manipulating the device to put it into airplane mode may seem strange to traditional forensic examiners, this is a useful technique that can be documented as part of the forensic exercise if allowed by the forensic protocols your organization follows.
While reviewing the actions taken during an incident response process, Jennifer is informed by the local desktop support staff person that the infected machine was returned to service by using a Windows system restore point. Which of the following items will a Windows system restore return to a previous state? A. Personal files B. Malware C. Windows system files D. All installed apps
C. A system restore should not be used to rebuild a system after an infection or compromise, since it restores only Windows system files, some program files, registry settings, and hardware drivers. This means that personal files and most malware, as well as programs installed or modifications made to programs after the restore point was created, will not be returned to their earlier state.
The system that Alice has identified as the source of beaconing traffic is one of her organization's critical e-commerce servers. To maintain her organization's operations, she needs to quickly restore the server to its original, uncompromised state. Which criterion is most likely to be affected by this action? A. Damage to the system or service B. Service availability C. Ability to preserve evidence D. Time and resources needed to implement the strategy
C. If Alice focuses on a quick restoration, she is unlikely to preserve all of the evidence she would be able to during a longer incident response process. If time allows, she should at least capture volatile memory and a disk image before the rebuild destroys them.
Charles wants to monitor file permission changes on a Windows system he is responsible for. What audit category should he enable to allow this? A. File Permissions B. User Rights C. Filesystem D. Audit Objects
C. The File System audit subcategory (under Object Access in the advanced audit policy) includes the ability to monitor for both access to objects (event ID 4663) and permission changes (event ID 4670). Charles will probably be most interested in 4670 permission change events, as 4663 events include read, write, delete, and other occurrences and can be quite noisy!
Laura needs to check on memory, CPU, disk, network, and power usage on a Mac. What GUI tool can she use to check these? A. Resource Monitor B. System Monitor C. Activity Monitor D. Sysradar
C. The built-in macOS utility for measuring memory, CPU, disk, network, and power usage is Activity Monitor.
Lauren needs to access a macOS system but does not have the user's password. If the system is not FileVaulted, which of the following options is not a valid recovery method? A. Use Single User mode to reset the password. B. Use Recovery mode to recover the password. C. Use Target Disk mode to delete the Keychain. D. Reset the password from another privileged user account.
C. The keychain in macOS stores user credentials for applications, websites, and services but does not store the user's account (login) password, so deleting it would not help. All of the other options listed are possible solutions for Lauren, but none of them will work if the system has FileVault turned on.
A major new botnet infection that uses a peer-to-peer command-and-control process much like 2007's Storm botnet has been released. Lauren wants to detect infected systems but knows that peer-to-peer communication is irregular and encrypted. If she wants to monitor her entire network for this type of traffic, what method should she use to catch infected systems? A. Build an IPS rule to detect all peer-to-peer communications that match the botnet's installer signature. B. Use beaconing detection scripts focused on the command-and-control systems. C. Capture network flows for all hosts and use filters to remove normal traffic types. D. Immediately build a network traffic baseline and analyze it for anomalies.
C. The only solution from Lauren's list that might work is to capture network flows, remove normal traffic, and then analyze what is left. Peer-to-peer command and control has no fixed servers to beacon to, so beaconing scripts would miss it; an installer signature says nothing about the encrypted, irregular peer traffic; and a baseline built while systems are already infected would absorb the malicious traffic as normal.
Lauren wants to detect administrative account abuse on a Windows server that she is responsible for. What type of auditing permissions should she enable to determine whether users with administrative rights are making changes? A. Success B. Fail C. Full control D. All
D. Lauren will get the most information by setting auditing to All but may receive a very large number of events if she audits commonly used folders. Auditing only success or failure would not show all actions, and Full Control is a permission, not an audit setting.
Laura needs to create a secure messaging capability for her incident response team. Which of the following methods will provide her with a secure messaging tool? A. Text messaging B. A Jabber server with TLS enabled C. Email with TLS enabled D. A messaging application that uses the Signal protocol
D. The Signal protocol is designed for secure end-to-end messaging, and using a distinct messaging tool for incident response can be helpful to ensure that staff separate incident communication from day-to-day operations. Text messaging is not secure. Email with TLS enabled is encrypted only between the workstation and email server and may be exposed in plain text at rest and between other servers. A Jabber server with TLS may be a reasonable solution but is less secure than a Signal-based application.
Forensic investigation shows that the target of the investigation used the Windows Quick Format command to attempt to destroy evidence on a USB thumb drive. Which of the NIST sanitization techniques has the target of the investigation used in their attempt to conceal evidence? A. Clear B. Purge C. Destroy D. None of the above
D. The Windows Quick Format option only rewrites the filesystem metadata and leaves the old data in unallocated space on the new volume, allowing it to be carved and retrieved. This does not meet the requirements for any of the three levels of sanitization (Clear, Purge, and Destroy) defined in NIST SP 800-88.
Angela is performing a forensic analysis of a Windows 10 system and wants to provide an overview of usage of the system using information contained in the Windows registry. Which of the following is not a data element she can pull from the SAM? A. Password expiration setting B. User account type C. Number of logins D. The first time the account logged in
D. While the registry contains the account creation date and time as well as the last login date and time, it does not contain the time the user first logged in.
Frank wants to log the creation of user accounts on a Windows 7 workstation. What tool should he use to enable this logging? A. secpol.msc B. auditpol.msc C. regedit D. Frank does not need to make a change; this is a default setting
D. Windows audits account creation by default through the Account Management audit category. Frank can search for account creation events under event ID 4720 on modern Windows operating systems.
NIST SP 800-61 identifies six outside parties that an incident response team will typically communicate with. Which of the following is not one of those parties? A. Customers, constituents, and media B. Internet service providers C. Law enforcement agencies D. Legal counsel
D. NIST identifies customers, constituents, media, other incident response teams, Internet service providers, incident reporters, law enforcement agencies, and software and support vendors as outside parties that an IR team will communicate with. Legal counsel is an internal party.
The company that Charleen works for has been preparing for a merger, and during a quiet phase she discovers that the corporate secure file server that contained the details of the merger has been compromised. As she works on her report, how should she most accurately categorize the data that was breached? A. PII B. PHI C. Intellectual property D. Corporate confidential data
D. The CySA+ exam objectives specifically identify corporate confidential data as including merger and acquisition information as well as accounting data. This data is obviously not personally identifiable information or personal health information, and corporate confidential data describes it more accurately based on the exam objectives than intellectual property.
During an incident response process, Alex discovers a running Unix process that shows that it was run using the command nc -k -l 6667. He does not recognize the service and needs assistance in determining what it is. Which of the following would best describe what he has encountered? A. An IRC server B. A network catalog server C. A user running a shell command D. A netcat server
D. The program netcat is typically run as nc. The -l flag puts netcat into listen mode, and -k makes it keep listening for new connections rather than exiting after the first client disconnects; 6667 is the port (traditional netcat builds take the port with -p, while the OpenBSD version accepts it as a positional argument, as here). In this case the netcat listener is bound to TCP port 6667, which is the port conventionally associated with IRC, so Alex should treat it as a possible backdoor listener and examine what, if anything, is connected to it.
Which of the following commands is the standard way to determine how old a user account is on a Linux system if [username] is replaced by the user ID that you are checking? A. userstat [username] B. ls -ld /home/[username] C. aureport -auth | grep [username] D. None of the above
D. There is no common standard for determining the age of a user account in Linux. Some organizations add a comment to user accounts using the -c flag at user creation to note when they are created. Using the ls command with the -ld flag will show the date of directory creation, which may indicate when a user account was created if a home directory was created for the user at account creation, but this is not a requirement. The aureport command is useful if auditd is in use, but that is not consistent between Linux distros.