sybex IR missed
a
Craig is revising his organization's incident response plan and wants to ensure that the plan includes coordination with all relevant internal and external entities. Which one of the following stakeholders should he be most cautious about coordinating with? A. Regulatory bodies B. Senior leadership C. Legal D. Human resources
a (a witness is always ideal)
Cullen wants to ensure that his chain of custody documentation will stand up to examination in court. Which of the following options will provide him with the best documentary proof of his actions? A. A second examiner acting as a witness and countersigning all actions B. A complete forensic log book signed and sealed by a notary public
jump kit
During the preparation phase of his organization's incident response process, Oscar gathers a laptop with useful software including a sniffer and forensics tools, thumb drives and external hard drives, networking equipment, and a variety of cables. What is this type of preprepared equipment commonly called?
b (old serial port monitor)
Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage? A. SNMP B. Portmon C. Packet sniffing D. NetFlow
-pe
Faruk wants to use netstat to get the process name, the PID, and the username associated with abnormally behaving processes that are running on a Linux system he is investigating. What netstat flags will provide him with: 1. process name/id/details 2. username/extended info
its a default setting
Frank wants to log the creation of user accounts on a Windows workstation. What tool should he use to enable this logging?
b
Jack is preparing to take a currently running PC back to his forensic lab for analysis. As Jack considers his forensic process, one of his peers recommends that he simply pull the power cable rather than doing a software-based shutdown. Why might Jack choose to follow this advice? A. It will create a crash log, providing useful memory forensic information. B. It will prevent shutdown scripts from running.
a
Jessica wants to access a macOS FileVault 2-encrypted drive. Which of the following methods is not a possible means of unlocking the volume? A. Change the FileVault key using a trusted user account. B. Retrieve the key from memory while the volume is mounted. C. Acquire the recovery key. D. Extract the keys from iCloud.
C:\Windows\System32\config
Joe wants to recover the passwords for local Windows users on a Windows workstation. Where are the password hashes stored? (not accessible while booted)
unallocated space
Kathleen's forensic analysis of a laptop that is believed to have been used to access sensitive corporate data shows that the suspect tried to overwrite the data they downloaded as part of antiforensic activities by deleting the original files and then copying other files to the drive. Where is Kathleen most likely to find evidence of the original files?
a (can be done w individuals asynchronously)
Ken is helping his organization prepare for future incident response efforts and would like to ensure that they conduct regular training exercises. Which one of the following exercises could he use to remind incident responders of their responsibilities with the least impact on other organizational priorities? A. Checklist review B. Tabletop exercise
b (ftk imager can create a live image from portable media, and image > capturing just memory)
Kobe discovers evidence that a critical application server may have been the data repository and egress point in the compromise he is investigating. If he is unable to take the system offline, which of the following options will provide him with the best forensic data? B. Create an image using a tool like FTK Imager Lite. C. Capture the system memory using a tool like Volatility.
vendor
MAC addr OUI lookup tells you what?
bssid
MAC address of an access point
b
Maria wants to understand what a malware package does and executes it in a virtual machine that is instrumented using tools that will track what the program does, what changes it makes, and what network traffic it sends while allowing her to make changes on the system or to click files as needed. What type of analysis has Maria performed? A. Manual code reversing B. Interactive behavior analysis C. Static property analysis D. Dynamic code analysis
SSID
Mei is planning to deploy rogue access point detection capabilities for her network. If she wants to deploy the most effective detection capability she can, it would be authorized ___
ZIP
Modern Microsoft Office files are actually stored in a __ format.
precursors
NIST SP 800-61 categorizes signs that an incident may occur in the future as:
d
NIST SP 800-61 identifies six outside parties that an incident response team will typically communicate with. Which of the following is not one of those parties? A. Customers, constituents, and media B. Internet service providers C. Law enforcement agencies D. Legal counsel
auditctl
Rick wants to monitor permissions and ownership changes of critical files on the Red Hat Linux system he is responsible for. What Linux tool can he use to do this? Used to configure kernel options related to auditing, view status of the configuration, and load audit rules
/etc/pam.d
Sadiq wants to verify that authentication to a Linux service has two-factor authentication settings set as a requirement. Which common Linux directory can he check for this type of setting, listed by application, if the application supports it?
c (incremental = most powerful mode, as it will try all possible character combinations as defined by the settings you enter)
Scott wants to recover user passwords for systems as part of a forensic analysis effort. If he wants to test for the broadest range of passwords, which of the following modes should he run John the Ripper in? A. Single crack mode B. Wordlist mode C. Incremental mode D. External mode
F
T/F Pulling the cord will create a memory or crash dump
T
T/F There is no common standard for determining the age of a user account in Linux
NX bit
Technology that enables the CPU to protect certain sections of memory. This feature, coupled with implementation by the operating system, stops malicious attacks from getting to essential operating system files. Microsoft calls the feature Data Execution Prevention (DEP), intel XD
apfs (apple file system)
The default macOS drive format
b
Tom is building his incident response team and is concerned about how the organization will address insider threats. Which business function would be most capable of assisting with the development of disciplinary policies? B. Human resources C. Legal counsel
a (HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ NetworkList\Profiles)
Vlad wants to determine whether the user of a company-owned laptop accessed a malicious wireless access point. Where can he find the list of wireless networks that the system knows about? A. The registry B. The user profile directory C. The wireless adapter cache
3 years
What is the minimum retention period for incident data for U.S. federal government agencies?
unallocated
When a computer file is deleted, it is not erased from a hard drive. Instead, the space occupied by the deleted file becomes "___" and available for saving other data
abc
Which of the following are possible ways to manually check her Windows workstation for a list of previously connected USB drives? A. Check the security audit logs. B. Check the setupapi log file. C. Search the registry. D. Check the user's profile.
c
Which of the following items will a Windows system restore return to a previous state? A. Personal files B. Malware C. Windows system files D. All installed apps
a (sites can run mining scripts when visited or ads execute code)
While reviewing system logs, Charles discovers that the processor for the workstation he is reviewing has consistently hit 100 percent processor utilization by the web browser. After reviewing the rest of the system, no unauthorized software appears to have been installed. What should Charles do next? A. Review the sites visited by the web browser when the CPU utilization issues occur B. Check the browser binary against a known good version
c (leaves data in unallocated space on the new volume)
Windows Quick Format command to attempt to destroy evidence on a USB thumb drive. Which of the NIST sanitization techniques has the target of the investigation used in their attempt to conceal evidence? A. Clear B. Purge C. None of the above
SAM (sec acct mgr)
Windows stores and manages the local user and group accounts/passwords in a database file called ___
Tamper-proof seals
__ are used when it is necessary to prove that devices, systems, or spaces were not accessed. They often include holographic logos that help to ensure that tampering is both visible and cannot be easily hidden by replacing the sticker.
RAW
__ files are supported almost universally by forensic tools.
Slack space
___ is created when only a portion of space allocated to save information (called a cluster) is used. For instance, say a file size is 25 kb and the computer allocates a 32 kb cluster in which to save the data. The unused portion is ___.
Trusted system binary kits
____ like those provided by the National Software Reference Library include known good hashes of many operating systems and applications
AccessEnum
a GUI-based sysinternals program that gives a full view of filesystem and registry settings and can display either files with permissions that are less restrictive than the parent or any files with permissions that differ from the parent.
FAT32
can expect most devices, esp portable media devices/cameras, to format media as __ by default because of its broad compatibility across devices and operating systems.
FISMA
federal info security management act - US law requires federal agencies to create, document and implement security program
pull the plug > shut down and copy from drive on another system
how to copy pagefile.sys?
4
ifconfig resets traffic counters at __ GB
1
linux execute #
4
linux read #
2
linux write #
windows system restore
make __ when you install a new app, driver, or Windows update. won't affect your personal files, but it will remove apps, drivers, and updates installed after it was made. Not useful for malware, more for instability
pressure
memory ___ is a macOS-specific term used to describe the availability of memory resources. Yellow segments on a memory __ chart indicate that memory resources are still available but are being tasked by memory management processes such as compression.
d
nc -k -l 6667. He does not recognize the service, believes it may be a malicious process, and needs assistance in determining what it is. Which of the following would best describe what he has encountered? C. A user running a shell command D. A netcat server
payment card info
pci
a (flow covers traffic patterns/destinations, snmp covers internal device health and links)
server in the datacenter that Chris is responsible for monitoring unexpectedly connects to an off-site IP address and transfers 9 GB of data to the remote system. What type of monitoring should Chris enable to best assist him in detecting future events of this type? A. Flow logs with heuristic analysis B. SNMP monitoring with heuristic analysis
community string, version
snmpwalk -c public 10.1.10.1 -v1 what do the c and v stand for?
AccessChk
sysinternals Command-line program that can check the rights a user or group has to resources
essid
the same as the SSID but is used across multiple access points as part of the same WLAN
c
track the changes made to the registry and filesystem while running a suspect executable on a Windows system. Which Sysinternals tool will allow her to do this? A. App Monitor B. Resource Tracker C. Process Monitor
SNMPWalk
uses a sequence of GETNEXT requests to query network entities for a tree of information is a tool useful in enumerating hosts running SNMP
acquiring bank (a financial institution which accepts and processes credit and debit cards transactions on behalf of merchants)
. If Brian's company is PCI DSS compliant and experiences a breach of card data, they will have to disclose to their ___
c (if there were 2+ setbacks, would increase to extended)
. Mei's team has completed the initial phases of their incident response process and is assessing the time required to recover from the incident. Using the NIST recoverability effort categories, the team has determined that they can predict the time to recover but will require additional resources. How should she categorize this using the NIST model? A. Regular B. Supplemented C. Extended
b
. Stefan wants to prevent evil twin attacks from working on his wireless network. Which of the following is not a useful method for detecting evil twins? A. Check for BSSID. B. Check the SSID. C. Check the attributes (channel, cipher, authentication method). D. Check for tagged parameters like the organizational unique identifier.
1-2 years
. Ty needs to determine the proper retention policy for his organization's incident data. If he wants to follow common industry practices and does not have specific legal or contractual obligations that he needs to meet, what timeframe should he select?
server
A computer that awaits and responds to requests for data.
ophcrack (c, uses rainbow tables)
Adam wants to quickly crack passwords from a Windows system. Which of the following tools will provide the fastest results in most circumstances? A. John the Ripper B. Ocl Hashcat C. Ophcrack
c (if unsure go w live; static requires power down)
After arriving at an investigation site, Brian determines that three powered-on computers need to be taken for forensic examination. What steps should he take before removing the PCs? C. Collect live forensic information, take photos of each system, and power them down. D. Collect a static drive image, validate the hash of the image, and securely transport each system.
d
Alexandra is attempting to determine why a Windows system keeps filling its disk. If she wants to see a graphical view of the contents of the disk that allows her to drill down on each cluster, what Sysinternals tool should she use? C. GraphDisk D. DiskView
sqlite
Allison wants to access Chrome logs as part of a forensic investigation. What format is information about cookies, history, and saved form fill information saved in?
c
Angela is attempting to determine when a user account was created on a Windows 10 workstation. What method is her best option if she believes the account was created recently? A. Check the System log. C. Check the Security log
a
Angela wants to access the decryption key for a BitLocker-encrypted system, but the system is currently turned off. Which of the following methods is a viable method if a Windows system is turned off? A. Hibernation file analysis B. Memory analysis C. Boot-sector analysis
b (proprietary breach only when accessed or exfiltrated, integ when changed/del)
As an employee of the U.S. government, Megan is required to use NIST's information impact categories to classify security incidents. During a recent incident, proprietary information was changed. How should she classify this incident? A. As a privacy breach B. As an integrity loss C. As a proprietary breach
c (AE's are events w/ negative consequences, which this includes unless we know that it was intentionally done)
As the CISO of her organization, Mei is working on an incident classification scheme and wants to base her design on NIST's definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view? B. An event C. An adverse event D. A security incident
us-cert
Ben works at a U.S. federal agency that has experienced a data breach. Under FISMA, which organization does he have to report this incident to?
abd
Carlos needs to create a forensic copy of a BitLocker-encrypted drive. Which of the following are methods that he could use to acquire the BitLocker key? A. Analyzing the hibernation file B. Analyzing a memory dump file C. Retrieving the key from the MBR D. Performing a FireWire attack on mounted drives
a
Chris wants to run John the Ripper against a Linux system's passwords. What does he need to attempt password recovery on the system? A. Both /etc/passwd and /etc/shadow B. /etc/shadow C. /etc/passwd