Cybersecurity - 13 & 14
Kathleen needs to find data contained in memory but only has an image of an offline Windows system. Where does she have the best chance of recovering the information she needs?
%SystemRoot%\MEMORY.DMP
Frederick's organization has been informed that data must be preserved due to pending legal action. What is this type of requirement called?
A legal hold
Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date?
A timeline
Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen during her data acquisition process?
A write blocker
Which tool is not commonly used to generate the hash of a forensic copy?
AES
During her forensic copy validation process, Danielle hashed the original, cloned the image files, and received the following MD5 sums. What is likely wrong?
An unknown change or problem occurred
What forensic issue might the presence of a program like CCleaner indicate?
Antiforensic activities
Alex is conducting a forensic examination of a Windows system and wants to determine if an application was installed. Where can he find the Windows installer log files for a user named Jim?
C:\Windows\Jim\AppData\Local\Temp
Which one of the phases of the incident response involves primarily active undertakings designed to limit the damage that an attacker might cause?
Containment, Eradication, and Recovery
What two files may contain encryption keys normally stored only in memory on a Windows system?
Core dumps and hibernation files
Mike is looking for information about files that were changed on a Windows endpoint system. Which of the following is least likely to contain useful information for his investigation?
Event logs
Which one of the following activities is not normally conducted during the recovery validation phase?
Implement new firewall rules
During his investigation, Jeff, a certified forensic examiner, is provided with a drive image created by an IT staff member and is asked to add it to his forensic case. What is the most important issue that Jeff could encounter if the case goes to court and his procedures are questioned?
Inability to certify chain of custody
Jeff is investigating a system that is running malware that he believes encrypts its data on the drive. What process should he use to have the best chance of viewing that data in an unencrypted form?
Live imaging
Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy?
Log records generated by the strategy
During a forensic investigation Ben asks Chris to sit with him and to sign off on the actions he has taken. What is he doing?
Maintaining chain of custody
Carl does not have the ability to capture data from a cell phone using mobile forensic or imaging software, and the phone does not have removable storage. Fortunately, the phone was not set up with a PIN or screen lock. What is his best option to ensure he can see email and other data stored there?
Manual Access
Which format does dd produce files in while disk imaging?
RAW
After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing?
Removal
What NIST publication contains guidance on cybersecurity incident handling?
SP 800-61
Which one of the following tools may be used to isolate an attacker so that they may not cause damage to production systems but may still be observed by cybersecurity analysts?
Sandbox
Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing?
Segmentation
Which one of the following is not a common use of formal incident reports?
Sharing with other organizations
File carving is used to find file remnants found in clusters on disks that have been only partially rewritten by new files. What is the technical term for where these files are found?
Slack
Jennifer wants to perform memory analysis and forensics for Windows, macOS, and Linux systems. Which of the following is best suited to her needs?
The Volatility framework
Which of the following is not a potential issue with live imaging of a system?
Unallocated space will be captured
Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority?
containment
Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition?
destroy
What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network?
eradication
Which one of the following is not typically found in a cybersecurity incident report?
identity of the attacker
Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system to allow Alice to continue monitoring the incident. What strategy is she now pursuing?
isolation
Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goal?
none of the above
Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information?
purge
Which one of the following data elements would not normally be included in an evidence log?
record of handling
Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches will prevent Ben's systems from being used in this manner?
removal
Which one of the following is not a purging activity?
resetting to factory state
Which one of the following pieces of information is most critical to conducting a solid incident recovery effort?
root cause of the attack
Which one of the following activities does CompTIA classify as part of the recovery validation effort?
scanning
Which of the following issues makes both cloud and virtualized environments more difficult to perform forensics on?
systems may be ephemeral
Susan needs to capture network traffic from a Linux server that does not use a GUI. What packet capture utility is found on many Linux systems and works from the command line?
tcpdump