Digital Forensics and Incident Response
Most Linux logs are located in what directory? 1-/var/log/ 2-/etc/ 3-/bin/ 4-/boot/
1-/var/log/
What is the method of loading more than one data sector into a single file called? 1-Alternate Data Stream (ADS) 2-Deleting a file 3-Encrypting a file 4-None of the Above
1-Alternate Data Stream (ADS)
Which of the following is a Memory Dump format? 1-ISO 2-PDF 3-RAW 4-TXT
3-RAW
Browser Caches contain browsed URLs only. True or False
False
DNS Cache is erased when the browser history is erased. True or False
False
It is NOT possible to find URLs during Memory Analysis. True or False
False
Volatility is drive cloning software. True or False
False
WinPrefetchView is a tool to read browser artifacts. True or False
False
"vol.py -f Imageinfo" is the command for identifying profiles within a memory artifact when using Volatility. True or False
True
Network Time Protocol is critical for log analysis. True or False
True
Which of the following is a way of hiding malware at the start of your boot sector? 1-Bootkit 2-Scheduled Tasks 3-Startup Folder 4-Services
1-Bootkit
Browser cache artifacts include: 1-Cookies 2-Browsed URLs 3-User Accounts 4-All of the above
1-Cookies
Which of the following is software that can both clone a disk and dump memory? 1-FTK Imager 2-NMAP 3-EWF 4-DD
1-FTK Imager
What is the Linux equivalent of the MFT? 1-Inode 2-MBR 3-NTFS 4-Ext4
1-Inode
Which is a stable tool used for doing a memory dump in Linux? 1-LiME 2-LeMONaide 3-Redact 4-Netstat
1-LiME
What do Pslist and Pstree help show in memory forensics? 1-Lists out processes and their parent child relationships 2-Lists out IPs and Domains 3-List out DLLs and associated processes 4-None of the Above
1-Lists out processes and their parent child relationships
Which of the following is not a Threat Exchange? 1-NIST 2-OTX 3-X-Force 4-Facebook
1-NIST
What is a useful piece of process information that is volatile? 1-Remote Connections 2-Registry Settings 3-Security Event Log 4-All of the Above
1-Remote Connections
Which is the process of deconstructing an executable to reveal its design, architecture, and activity? 1-Reverse Engineering 2-Memory analysis 3-Dead Disk Analysis 4-Malware Analysis
1-Reverse Engineering
Which of the following is not a section of a PE File? 1-.rsrc 2-.live 3-.rdata 4-.text
2-.live
What part of the CIA Triad deals with making sure users can access data and services? 1-Confidentiality 2-Availability 3-Integrity 4-Accountability
2-Availability
What establishes the standard for normal behavior? 1-Statistical Frequency 2-Baselines 3-Anomalous usage 4-Host firewalls
2-Baselines
What is the main purpose of Live Forensics? 1-Getting things done fast is the most important when dealing with forensics 2-Capturing volatile data that will be lost once the system is powered down 3-You can use the system in question to do your analysis 4-Playing with fire is fun
2-Capturing volatile data that will be lost once the system is powered down
Which of the following is a tool used for Drive Cloning? 1-FastDump 2-DD 3-HxD 4-Volatility
2-DD
Which of the following IS NOT a common way of hiding persistence? 1-Registry Keys 2-Debugging 3-Services 4-Scheduled Tasks
2-Debugging
What is an organization's most valuable asset? 1-Money in the bank 2-Employees 3-Buildings 4-Corporate Secrets
2-Employees
Volatile memory is saved to disk when you do which of the following? 1-Lock screen 2-Hibernation 3-Alt + F4 4-Shutdown
2-Hibernation
Suspicious behavior can be discovered by looking at which? 1-Resignation letters of executives 2-Increased Traffic 3-Watching peoples webcams 4-None of the Above
2-Increased Traffic
Which of the following is not a common malware type? 1-Backdoor 2-Insider Threat 3-Ransomware 4-Rootkit
2-Insider Threat
What is the PowerShell command for installing PowerForensics? 1-Import-Module PowerForensics 2-Install-Module -Name PowerForensics 3-Install-Module PowerForensics 4-Get-PowerForensics
2-Install-Module -Name PowerForensics
Which is a command that can be used to acquire process information on Linux? 1-Ls 2-Lsof 3-Netstat 4-Cat
2-Lsof
Which of the following was one of the institutions that created the modern-day approach to Incident Response? 1-CIA 2-NIST 3-CompTIA 4-(ISC)2
2-NIST
What is an example of an intangible asset? 1-Vehicles 2-Patents 3-Software 4-Hardware
2-Patents
Which is a PowerShell forensics framework? 1-DD 2-PowerForensics 3-FTK Imager 4-Volatility
2-PowerForensics
Which of the following is a common log generator? 1-PowerShell 2-Syslog 3-NTP 4-All of the above
2-Syslog
Which of the following is a live Linux distribution dedicated to cloning drives? 1-CAINE 2-FTK Imager 3-Clonezilla 4-Autopsy
3-Clonezilla
Which of the following is a good place to search for CVEs? 1-cve.shodan.com 2-cve.virustotal.org 3-Cve.mitre.org 4-None of the above
3-Cve.mitre.org
What is the newest type of Boot Record called? 1-MBR 2-SDN 3-GPT 4-MFT
3-GPT
Windows Logon Type IDs tell us what? 1-The brand of computer being logged onto 2-The name of the user account used for logon 3-How a user account was used to logon to a system 4-None of the Above
3-How a user account was used to logon to a system
When looking at Inodes, what command shows only deleted nodes? 1-ffstat 2-losetup 3-Ils 4-df -T
3-Ils
What part of the CIA Triad deals with making sure data is not improperly changed? 1-Confidentiality 2-Availability 3-Integrity 4-Accountability
3-Integrity
Which of the following is a great way of identifying compromise in your environment? 1-PCAP Analysis 2-CVSS 3-IoCs 4-Malware Analysis
3-IoCs
Which IS NOT an investigation step for Memory Analysis? 1-Investigating rogue processes 2-Check DLLs used by various executables 3-Make sure logs are sent to your SIEM 4-Check network activity and artifacts
3-Make sure logs are sent to your SIEM
What can be used to parse logs into other formats (IIS, CSV, XML, EVT)? 1-Autopsy 2-Microsoft Event Viewer 3-Microsoft Log Parser 2.2 4-Wireshark
3-Microsoft Log Parser 2.2
Which is a tool that can be used to do data acquisition over a network? 1-Nmap 2-DD 3-Netcat 4-FTK Imager
3-Netcat
Which is a tool that is used to print all the hard-coded text in an executable file? 1-Nirsoft 2-ProcMon 3-Strings 4-LiME
3-Strings
Which of the following is a valid Linux log command? 1-Vol 2-ls 3-Tail 4-All of the above
3-Tail
What is something you want to search for in Memory Forensics? 1-Parental Structures 2-Hidden Processes 3-Suspicious Details 4-All of the Above
4-All of the Above
What will display recent user activity? 1-Most Recently Used (MRU) 2-Jump List 3-RunMRU 4-All of the Above
4-All of the Above
Which network artifact is available during memory analysis? 1-Open Sockets 2-IP Address 3-Created Time 4-All of the Above
4-All of the Above
What are potential analysis targets for PowerForensics? 1-Windows Artifacts 2-Windows Registry 3-Application Cache 4-All of the above
4-All of the above
Which of the following Linux component(s) has/have file representation? 1-Running processes 2-Configurations 3-Settings 4-All of the above
4-All of the above
Which of the following is a component of Threat Hunting? 1-Log parsing 2-Research 3-Forensics 4-All of the above
4-All of the above
Which of the following is a network connection analysis plug-in for Volatility? 1-Netscan 2-Connscan 3-Sockets 4-All of the above
4-All of the above
Which of the following is a reason to use logs? 1-Used in IR investigations 2-Required for GRC strategies 3-Evidence in court 4-All of the above
4-All of the above
Which of the following is a suspicious behavior? 1-Domain Identification 2-Increased network traffic 3-Service inspection 4-All of the above
4-All of the above
Which of the following is a valid capture format? 1-RAW 2-DD 3-ISO 4-All of the above
4-All of the above
Which of the following is an investigation step when performing Memory Analysis? 1-Rootkits 2-Network 3-DLL & Handles 4-All of the above
4-All of the above
Which of the following is a Recoverable Artifact? 1-Registry Entries 2-Browser History 3-Master File Table 4-All of the Above
4-All of the Above
Which of the following is a popular suite of Linux tool binaries? 1-Nirsoft 2-Sysinternals 3-Swap Digger 4-Busybox
4-Busybox
Which of the following is a memory dumping tool? 1-VMDK 2-DD 3-GREP 4-FTK Imager
4-FTK Imager
What is a forensic artifact? 1-A SIEM solution 2-Dinosaur bones and ancient relics 3-RAM 4-Files to which data is written to and can be later recovered
4-Files to which data is written to and can be later recovered
What is another name for file headers that help us identify a file type? 1-File Carving 2-LSASS 3-ADS 4-Magic Numbers
4-Magic Numbers
What part of the CIA Triad deals with making sure that someone cannot deny the validity of something? 1-Confidentiality 2-Availability 3-Integrity 4-Non-Repudiation
4-Non-Repudiation
Which of the following IS NOT a Windows Event viewer log classification? 1-Alert 2-Informational 3-Error 4-SNMP
4-SNMP
Which is a popular tool for extracting files over the network? 1-Volatility 2-Netstat 3-Netcat 4-dd
4-dd
It is not possible to do a drive capture over the network. True or False
False
Linux logs are not vulnerable to attacks against their integrity. True or False
False
MBR is the Boot Record Type for Windows 10. True or False
False
Memory.dmp files can be read natively by Volatility. True or False
False
Most data in Linux is binary. True or False
False
PowerForensics only works on Live Systems. True or False
False
Processes in Linux have a parent-child relationship. True or False
False
Static Malware Analysis runs malware to understand its behaviors. True or False
False
The FAT32 file system allows for Alternative Data Streams (ADS). True or False
False
There is no way to recover browser activity. True or False
False
Threat Hunting is a reactive approach to cyber security. True or False
False
Windows logs cannot be deleted. True or False
False
YARA rules are the most basic method of malware identification. True or False
False
Anomaly Detection systems are vulnerable to creating false-positive alerts. True or False
True
Command line data can be found in memory analysis. True or False
True
DRP is defined as outlining response strategies for unplanned events. True or False
True
Errors can occur in PowerForensics when parsing drives larger than 2 TB. True or False
True
Hashing can be used to verify the integrity of a drive copy. True or False
True
It is possible to obtain a memory dump after a system has been shut down. True or False
True
Linux does journaling on its file system. True or False
True
Linux logs are vulnerable to attacks against their integrity. True or False
True
NTFS can do file disk compression. True or False
True
On NTFS file systems, deleted files are recoverable. True or False
True
PowerShell history is a volatile memory artifact. True or False
True
Prefetch was designed to speed up the loading of commonly used applications. True or False
True
Process Hollowing is a way of hiding malware. True or False
True
RACI stands for Responsible, Accountable, Consulted and Informed. True or False
True
Sometimes only partial image captures are possible. True or False
True
Static Malware Analysis is safer than Dynamic Malware Analysis. True or False
True
Sterilized Media is recommended for data acquisition. True or False
True
Swap Digger is a bash script for analyzing swap space. True or False
True
Threat Intelligence is an important part of Threat Hunting. True or False
True
Volatility is the most popular Memory Forensics toolkit. True or False
True
ZEEK can be used to investigate PCAP files. True or False
True