Cybersecurity - 13 & 14


Kathleen needs to find data contained in memory but only has an image of an offline Windows system. Where does she have the best chance of recovering the information she needs?

%SystemRoot%\MEMORY.DMP

Frederick's organization has been informed that data must be preserved due to pending legal action. What is this type of requirement called?

A legal hold

Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date?

A timeline

Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen during her data acquisition process?

A write blocker

Which tool is not commonly used to generate the hash of a forensic copy?

AES

During her forensic copy validation process, Danielle hashed the original, cloned the image files, and received the following MD5 sums. What is likely wrong?

An unknown change or problem occurred

What forensic issue might the presence of a program like CCleaner indicate?

Antiforensic activities

Alex is conducting a forensic examination of a Windows system and wants to determine if an application was installed. Where can he find the Windows installer log files for a user named Jim?

C:\Windows\Jim\AppData\Local\Temp

Which one of the phases of the incident response involves primarily active undertakings designed to limit the damage that an attacker might cause?

Containment, Eradication, and Recovery

What two files may contain encryption keys normally stored only in memory on a Windows system?

Core dumps and hibernation files

Mike is looking for information about files that were changed on a Windows endpoint system. Which of the following is least likely to contain useful information for his investigation?

Event logs

Which one of the following activities is not normally conducted during the recovery validation phase?

Implement new firewall rules

During his investigation, Jeff, a certified forensic examiner, is provided with a drive image created by an IT staff member and is asked to add it to his forensic case. What is the most important issue that Jeff could encounter if the case goes to court and his procedures are questioned?

Inability to certify chain of custody

Jeff is investigating a system that is running malware that he believes encrypts its data on the drive. What process should he use to have the best chance of viewing that data in an unencrypted form?

Live imaging

Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy?

Log records generated by the strategy

During a forensic investigation Ben asks Chris to sit with him and to sign off on the actions he has taken. What is he doing?

Maintaining chain of custody

Carl does not have the ability to capture data from a cell phone using mobile forensic or imaging software, and the phone does not have removable storage. Fortunately, the phone was not set up with a PIN or screen lock. What is his best option to ensure he can see email and other data stored there?

Manual Access

Which format does dd produce files in while disk imaging?

RAW

After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing?

Removal

What NIST publication contains guidance on cybersecurity incident handling?

SP 800-61

Which one of the following tools may be used to isolate an attacker so that they may not cause damage to production systems but may still be observed by cybersecurity analysts?

Sandbox

Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing?

Segmentation

Which one of the following is not a common use of formal incident reports?

Sharing with other organizations

File carving is used to find file remnants in clusters on disks that have been only partially rewritten by new files. What is the technical term for where these files are found?

Slack

Jennifer wants to perform memory analysis and forensics for Windows, macOS, and Linux systems. Which of the following is best suited to her needs?

The Volatility framework

Which of the following is not a potential issue with live imaging of a system?

Unallocated space will be captured

Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority?

containment

Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition?

destroy

What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network?

eradication

Which one of the following is not typically found in a cybersecurity incident report?

identity of the attacker

Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system to allow Alice to continue monitoring the incident. What strategy is she now pursuing?

isolation

Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goal?

none of the above

Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information?

purge

Which one of the following data elements would not normally be included in an evidence log?

record of handling

Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches will prevent Ben's systems from being used in this manner?

removal

Which one of the following is not a purging activity?

resetting to factory state

Which one of the following pieces of information is most critical to conducting a solid incident recovery effort?

root cause of the attack

Which one of the following activities does CompTIA classify as part of the recovery validation effort?

scanning

Which of the following issues makes both cloud and virtualized environments more difficult to perform forensics on?

systems may be ephemeral

Susan needs to capture network traffic from a Linux server that does not use a GUI. What packet capture utility is found on many Linux systems and works from the command line?

tcpdump
