DFIR Exam
Which of the following should be monitored during dynamic malware analysis? (Choose all correct answers.)
File system changes, Network activity, Registry changes
Which of the following is not a tool that is used for data carving?
DumpIt
Which of the following is the most common file system used in Linux distributions?
Ext4
Which of the following is not a CPU architecture?
Pi
Which of the following is not a feature of Wireshark?
Replace network traffic
Which of the following is not included in the digital forensics process?
Penetration Testing
What is the correct incident response lifecycle per the NIST incident response methodology?
Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity
Which of the following are commonly used for malware persistence? (Choose all correct answers.)
Scheduled tasks, Registry keys, Services
What is the responsibility of a CISO?
To create a strategy for data and IT asset protection and maintain it
What is a sandbox used for?
To test malware in an isolated environment
What is the difference between Wireshark and tcpdump?
tcpdump is command-based; Wireshark has a GUI interface.
Which of the following tools can be used to find persistent malware?
Autoruns
Which of the following tools can be used to research RAM dumps?
Volatility
Which of the following statements is true?
When data is erased from the operating system, it remains on the HDD until it is overwritten.
How is a file hidden using steganography?
By hiding a file within another file
Which of the following tools can be used for drive cloning? (Choose all correct answers.)
dd, FTK Imager
Which of the following tools can be used to obfuscate malware code?
UPX. Tools that can be used to obfuscate malware code are PEID and UPX. Both tools are used to pack executable files, making them harder to detect by antivirus software. PEID, also known as PEiD, is a program that can analyze portable executable (PE) files and detect if they are packed with a particular type of packer.
Which of the following is not a containment strategy for a cybersecurity incident?
Updating IDS rules. Updating IDS rules is not a containment strategy for a cybersecurity incident.
Which of the following is a Windows Event Viewer classification? (Choose all correct answers.)
Debug, Alert, Error
Which tool should an investigator use to dynamically investigate malware?
Debugger