DFIR Overview

Ace your homework & exams now with Quizwiz!

What is the method of loading more than one data sector into a single file called? A. Alternate Data Stream (ADS) B. Deleting a file C. Encrypting a file D. None of the Above

A. Alternate Data Stream (ADS)

David wants to test company software and analyze its behavior in real time. Which of the following methods should he use? A. Dynamic analysis B. Static analysis C. Sandbox analysis D. MTTR

A. Dynamic analysis

Which of the following is software that can both clone a disk and dump memory? A. FTK Imager B. NMAP C. EWF D. DD

A. FTK Imager

What is the Linux equivalent of the MFT? A. Inode B. MBR C. NTFS D. Ext4

A. Inode

Which is a stable tool used for doing a memory dump in Linux? A. LiME B. LeMONaide C. Redact D. Netstat

A. LiME

What do Pslist and Pstree help show in memory forensics? A. Lists out processes and their parent child relationships B. Lists out IPs and Domains C. List out DLLs and associated processes D. None of the Above

A. Lists out processes and their parent child relationships

Which of the following services provides proof of the origin and integrity of data? A. Non-repudiation B. Accountability C. SOC D. Logs and event anomalies

A. Non-repudiation

Which of the following is a debugger that can be used to analyze malware while it's running?A. OllyDbg B. NMAP C. HxD D. None of the above

A. OllyDbg

Bob, a security analyst, received notifications from a program called code.exe and wants to examine its process. Which of the following can help him examine the process? A. Process Dump B. DLL Dump C. Memory Dump D. All of the above

A. Process Dump

What is a useful piece of process information that is volatile? A. Remote Connections B. Registry Settings C. Security Event Logs D. All of the Above

A. Remote Connections

Which of the following is used for minimal footprint in a system? A. Static binaries B. Netcat C. Netstat D. Lsof

A. Static binaries

Why is it important to use logs? A. They store records of potentially important events. B. They record web-related attacks. C. They store records of well-known attacks. D. None of the above.

A. They store records of potentially important events.

Which of the following is a common use for proxies? A. Traffic Inspection B. VPN capabilities C. Application Scanning D. All of the above

A. Traffic Inspection

Which of the following programming languages issues machine code instructions and is difficult to learn? A. C B. Assembly C. Pascal D. Fortran

B. Assembly

What part of the CIA Triad deals with making sure users can access data and services? A. Confidentiality B. Availability C. Integrity D. Accountability

B. Availability

What is the main purpose of Live Forensics? A. Getting things done fast is the most important when dealing with forensics B. Capturing volatile data that will be lost once the system is powered down C. You can use the system in question to do your analysis D. Playing with fire is fun

B. Capturing volatile data that will be lost once the system is powered down

John was tasked to investigate a network attack in accordance with the network forensics investigation flow process. What should be John's first step? A. Filter by IOCs and gathered data B. Check for malware signatures C. Analyze the protocol data D. Identify traffic abnormalities

B. Check for malware signatures

Which of the following is a tool used for Drive Cloning? A. FastDump B. DD C. HxD D. Volatility

B. DD

Tom wants to check sites that were accessed by employees to make sure they are not entering prohibited sites. Which of the following should he check to do that? (This doesn't make sense) A. Site cache B. DNS cache C. Server cache D. None of the above.

B. DNS cache

What is an organization's most valuable asset? A. Money in the bank B. Employees C. Buildings D. Corporate Secrets

B. Employees

Why is it important to use an IR plan? A. It is necessary for when the SOC crashes due to a ransomware attack. B. Having an IR plan can help focus on performing the necessary tasks. C. An IR plan is used once, when the IR team still isn't ready to operate. D. None of the above.

B. Having an IR plan can help focus on performing the necessary tasks.

Volatile memory is saved to disk when you do this? A. Lock Screen B. Hibernation C. Alt+F4 D. Shutdown

B. Hibernation

What is the PowerShell command for installing PowerForensics? A. import-Module PowerForensics B. Install-Module -Name PowerForensics C. Install-Module PowerForensics D. Get-PowerForensics

B. Install-Module -Name PowerForensics

Which is a command that can be used to acquire process information on Linux? A. Ls B. Lsof C. Netstat D. Cat

B. Lsof

Which of the following was one of the institutions that created the modern-day approach to Incident Response A. CIA B. NIST C. CompTIA D. (ISC)2

B. NIST

Which of the following serves as a source for network traffic data sources? A. Threat Intel B. Network Logs C. ProcMon D. All of the above

B. Network Logs

What is the correct process used by APT groups? A. Priv Esc > External and Internal Takeover > Hiding and Info Theft B. OSINT > External Takeover > Priv Esc> Lateral Move and Int TO > Hiding/IT C. OSINT > Internal Takeover > Lateral Movement > Information Theft D. None of the above.

B. OSINT > External Takeover > Priv Esc> Lateral Move and Int TO > Hiding/IT

What is an example of an intangible asset? A. Vehicles B. Patents C. Software D. Hardware

B. Patents

Which of the following contains RAW data, has no format, only bytes, and requires tools for capture? A. Primary memory B. Physical memory C. Virtual memory D. Secondary memory

B. Physical memory

Which is a PowerShell forensics framework? A. DD B. PowerForensics C. FTK Imager D. Volatility

B. PowerForensics

Which of the following is part of the APT attack flow? A. Threat Intelligence B. Privilege Escalation C. Encrypt organizational data D. None of the above

B. Privilege Escalation

Which of the following tools allows for the repeating of previously captured traffic? A. UDPReplay B. TCPReplay C. TCPRepeater D. None of the above

B. TCPReplay

What is the difference between threat hunting (TH) and threat intelligence (TI) A. TH works with tools, TI does not work with tools. B. TI is a process within TH and involves learning from other sources. C. Threat Hunting is a red team job, Threat Intelligence is a blue team job. D. Threat Hunting and Threat Intelligence are the same.

B. TI is a process within TH and involves learning from other sources.

Which of the following is an anti-forensic technique? A. Strings B. Tunneling C. MIPS D. All of the above

B. Tunneling

Which of the following is a live Linux distribution dedicated to cloning drives? A. CAINE B. FTK Imager C. Clonezilla D. Autopsy

C. Clonezilla

What is the newest type of Boot Record called? A. MBR B. SDN C. GPT D. MFT

C. GPT

Which of the following is a common identification method that can verify the identity of specific files? A. Firewall B. Binary pattern C. Hashing D. Data sanitization

C. Hashing

What part of the CIA Triad deals with making sure data is not improperly changed? A. Confidentiality B. Availability C. Integrity D. Non-Repudiation

C. Integrity

Which IS NOT an investigation step for Memory Analysis? A. Investigating rogue processes B. Check DLLs used by various executables C. Make sure logs are sent to your SIEM D. Check network activity and artifacts

C. Make sure logs are sent to your SIEM

Which is a tool that can be used to do data acquisition over a network? A. Nmap B. DD C. Netcat D. FTK Imager

C. Netcat

Which of the following is a description of an IDS? A. Network device that proactively protects traffic B. Network decrypting device C. Network device that inspects traffic D. None of the above

C. Network device that inspects traffic

Which of the following is a Memory Dump format? A. ISO B. PDF C. RAW D. TXT

C. RAW

After you enter a website, a pop-up appears saying your computer files were infected and offering to fix the problem for a small fee. Which of the following attacks did you encounter? A. Worm B. Evil Twin C. Scareware D. MITM

C. Scareware

When looking at Inodes, what command shows only deleted nodes? A. ffstat B. losetup C. ils D. df -T

C. ils

What is something you want to search for in Memory Forensics? A. Parental Structures B. Hidden Processes C. Suspicious Details D. All of the Above

D. All of the Above

What will display recent user activity? A. Most Recently Used (MRU) B. Jump List C. RunMRU D. All of the Above

D. All of the Above

Which network artifact is available during memory analysis? A. Open Sockets B. IP Address C. Created Time D. All of the Above

D. All of the Above

Which of the following is a Recoverable Artifact? A. Registry Entries B. Browser History C. Master File Table D. All of the Above

D. All of the Above

Browser cache artifacts include: A. Cookies B. Browsed URLS C. User Accounts D. All of the above

D. All of the above

What are potential analysis targets for PowerForensics? A. Windows Artifacts B. Windows Registry C. Application Cache D. All of the above

D. All of the above

Which of the following Linux component(s) has/have file representation? A. Running processes B. Configurations C. Settings D. All of the above

D. All of the above

Which of the following is a network connection analysis plug-in for Volatility? A. Netscan B. Connscan C. Sockets D. All of the above

D. All of the above

Which of the following is a step in the Network Forensic investigation flow? A. Identify traffic abnormalities B. Analyze the protocol data C. Filter by IOCs and gathered data D. All of the above

D. All of the above

Which of the following is a type of hacker? A. Cybercriminals pursuing financial gains B. Hacktivists pursuing ideology C. State-sponsored attackers focused on collecting information D. All of the above

D. All of the above

Which of the following is a valid CPU Architecture? A. ARM B. AMD C. MIPS D. All of the above

D. All of the above

Which of the following is a valid capture format? A. RAW B. dd C. ISO D. All of the above

D. All of the above

Which of the following is an investigation step when performing Memory Analysis? A. Rootkits B. Network C. DLL & Handles D. All of the above

D. All of the above

Which of the following is a tool that can be used to detect persistent malware? A. IOC B. DD C. UPX D. Autoruns

D. Autoruns

Which of the following is a popular suite of Linux tool binaries? A. Nirsoft B. Sysinternals C. Swap Digger D. Busybox

D. Busybox

Which of the following is a memory dumping tool? A. VMDK B. DD C. GREP D. FTK Imager

D. FTK Imager

What is a forensic artifact? A. A SIEM solution B. Dinosaur bones and ancient relics C. RAM D. Files to which data is written to and can be later recovered

D. Files to which data is written to and can be later recovered

What is another name for file headers that help us identify a file type? A. File Carving B. LSASS C. ADS D. Magic Numbers

D. Magic Numbers

Which of the following systems contains metadata for each stored file? A. FAT32 B. FAT C. exFAT D. NTFS

D. NTFS

John opened an executable file and noticed unusual activity, such as files that opened on their own. For further investigation, he wanted to check if any new network connections were established. Which of the following tools can check network connections? A. Net framework B. Telnet C. FakeNet-ng D. Netstat

D. Netstat

What part of the CIA Triad deals with making sure that someone cannot deny the validity of something? A. Confidentiality B. Availability C. Integrity D. Non-Repudiation

D. Non-Repudiation

Which is not an Intel debugging term? A. INT3/0xCC B. Patching C. Breakpoint D. None of the above

D. None of the above

Browser Caches contain browsed URLs only True False

False

DNS Cache is erased when the browser history is erased. True False

False

It is NOT possible to find URLs during Memory Analysis. True False

False

It is not possible to do a drive capture over the network. True False

False

MBR is the Boot Record Type for Windows 10. True False

False

Memory.dmp files can be read natively by Volatility. True False

False

Most data in Linux is binary. True False

False

Pi is a CPU architecture. True False

False

PowerForensics only works on Live Systems. True False

False

Processes in Linux have a parent-child relationship. True False

False

The FAT32 file system allows for Alternative Data Streams (ADS). True False

False

There is no way to recover browser activity. True False

False

Volatility is a drive cloning software. True False

False

WinPrefetchView is a tool to read browser artifacts. True False

False

Zeek-Cut doesn't have the ability to parse through and filter a pcap file. True False

False

"vol.py -f Imageinfo" is the command for identifying profiles within a memory artifact when using Volatility. True False

True

Command line data can be found in memory analysis. True False

True

Debugging malware is a slow and tedious process. True False

True

Diaster Recovery Plan (DRP) is defined as outlining response strategies for unplanned events. True False

True

Errors can occur in PowerForensics when parsing drives larger than 2 TB. True False

True

Hashing can be used to verify the integrity of a drive copy. True False

True

It is possible to obtain a memory dump after a system has been shut down. True False

True

Linux does journaling on its file system. True False

True

NTFS can do file disk compression. True False

True

On NTFS file systems, deleted files are recoverable. True False

True

PowerShell history is a volatile memory artifact. True False

True

Prefetch was designed to speed-up the loading of commonly used applications. True False

True

RACI stands for Responsible, Accountable, Consulted & Informed. True false

True

Sometimes only partial image captures are possible. True False

True

Sterilized Media is recommended for data acquisition. True False

True

Swap Digger is a bash script for analyzing swap space. True False

True

There are ways to evade debugging tools. True False

True

UPX is a tool used that can be used to obfuscate malware code. True False

True

Volatility is the most popular Memory Forensics toolkit. True False

True


Related study sets

6 components of health and wellness

View Set

Module 7 - LinkedIn - Excel Essential Training (Office/Microsoft 365)

View Set

Chapter 7 - Virtualization and Cloud Computing

View Set

cyber section 4 and 5 practice questions

View Set

Chapter 44: Nursing Care of the Child With an Alteration in Mobility/Neuromuscular or Musculoskeletal Disorder

View Set

Ethics Chapter 4 The Nature of Capitalism

View Set

ACCT 324- Ch.9 (Negligence and Strict Liability)

View Set