DFIR - Short List
Which of the following tools can be used to find persistent malware?
Autoruns
Which SOC role is responsible for creating a strategy for data and IT asset protection?
CISO
NetScan
Can be used in more recent versions of Windows
To test company software and analyze its behavior in real-time, which of the following should be used?
Dynamic analysis
UPX is what type of tool?
Packer
Which of the following is NOT a CPU architecture?
Pi
What are the stages of NIST methodologies?
Preparation, detection & analysis, containment, eradication & recovery, post-incident activity
Which of the following tools can be used to obfuscate malware code?
UPX
Which of the following is NOT a containment strategy for a cybersecurity incident?
Updating IDS rules
Which tool should an investigator use to dynamically investigate malware?
Debugger
Which of the following systems contains metadata for each stored file?
NTFS
Which of the following tools can be used to check whether any network connections were established?
Netstat
Which of the following tools can be used to research RAM dumps?
Volatility
How is a file hidden using steganography?
By hiding a file within another file
Which of the following can be examined during static malware analysis?
Executable file strings
Which of the following is NOT a feature of Wireshark?
Replace network traffic
What is a sandbox used for?
To test malware in an isolated environment
Which of the following are commonly used for malware persistence?
Services, registry keys
Which of the following is a Windows Event Viewer classification?
Error, Debug, Alert
Updating IDS rules is a containment strategy for a cybersecurity incident.
False
What is DumpIt used for?
Memory Captures
Which of the following is NOT included in the digital forensics process?
Penetration testing
Which of the following is NOT a tool that is used for data carving?
DumpIt
Which of the following is the most common file system used in Linux distributions?
Ext4
What tool is used to make a copy of a hard drive?
FTK Imager
You can recover a computer's RAM only when it is turned ____.
Off
Which of the following can help examine a process, such as one from a file named code.exe?
Process Dump
What can we not get when the computer is turned off?
RAM
What is the responsibility of a CISO?
To create a strategy for data and IT asset protection and maintain it
Which of the following statements is true?
When data is erased from the operating system, it remains on the HDD until it is overwritten
Which of the following does NOT contain memory artifacts that can be analyzed?
RAM disk
Which of the following are commonly used for malware persistence?
Registry keys, RunOnce registry keys, startup folder, scheduled tasks
Which of the following is a network sniffing tool?
tcpdump
What is the difference between Wireshark and tcpdump?
tcpdump is command-line based; Wireshark has a GUI
Which of the following should be monitored during dynamic malware analysis?
Network activity, registry changes, file system changes
Which of the following tools can be used for drive cloning?
dd, FTK Imager