Title of test:
Cysa+02 Sybex

Description:
Cap 4 100-200

Author:
Adrian B

Creation Date:
18/05/2023

Category:
Computers

Number of questions: 59
Content:
Ty needs to determine the proper retention policy for his organization’s incident data. If he wants to follow common industry practices and does not have specific legal or contractual obligations that he needs to meet, what timeframe should he select? A. 30 days B. 90 days C. 1 to 2 years D. 7 years.
The system that Alice has identified as the source of beaconing traffic is one of her organization’s critical e-commerce servers. To maintain her organization’s operations, she needs to quickly restore the server to its original, uncompromised state. What criterion is most likely to be impacted the most by this action? A. Damage to the system or service B. Service availability C. Ability to preserve evidence D. Time and resources needed to implement the strategy.
After law enforcement was called because of potential criminal activity discovered as part of a forensic investigation, the officers on the scene seized three servers. When can Joe expect his servers to be returned? A. After 30 days, which provides enough time for a reasonable imaging process B. After 6 months, as required by law C. After 1 year, as most cases resolve in that amount of time D. Joe should not plan on a timeframe for return.
After Janet’s attempts to conceal her downloads of important corporate information were discovered, forensic investigators learned that she frequently copied work files to a USB drive. Which of the following is not a possible way to manually check her Windows workstation for a list of previously connected USB drives? A. Check the security audit logs. B. Check the setupapi log file. C. Search the registry. D. Check the user’s profile.
As part of his forensic investigation, Scott intends to make a forensic image of a network share that is mounted by the PC that is the focus of his investigation. What information will he be unable to capture? A. File creation dates B. Deleted files C. File permission data D. File metadata.
NIST SP 800-61 identifies six outside parties that an incident response team will typically communicate with. Which of the following is not one of those parties? A. Customers, constituents, and media B. Internet service providers C. Law enforcement agencies D. Legal counsel.
What common incident response follow-up activity includes asking questions like “What additional tools or resources are needed to detect or analyze future events?” A. Preparation B. Lessons learned review C. Evidence gathering D. Procedural analysis.
During an incident response process, Suki heads to a compromised system and pulls its network cable. What phase of the incident response process is Suki performing? A. Preparation B. Detection and analysis C. Containment, eradication, and recovery D. Postincident activity.
Scott needs to verify that the forensic image he has created is an exact duplicate of the original drive. Which of the following methods is considered forensically sound? A. Create a MD5 hash B. Create a SHA-1 hash C. Create a SHA-2 hash D. All of the above.
What strategy does NIST suggest for identifying attackers during an incident response process? A. Use geographic IP tracking to identify the attacker’s location. B. Contact upstream ISPs for assistance in tracking down the attacker. C. Contact local law enforcement so that they can use law enforcement–specific tools. D. Identifying attackers is not an important part of the incident response process.
Vlad believes that an attacker may have added accounts and attempted to obtain extra rights on a Linux workstation. Which of the following is not a common way to check for unexpected accounts like this? A. Review /etc/passwd and /etc/shadow for unexpected accounts. B. Check /home/ for new user directories C. Review /etc/sudoers for unexpected accounts. D. Check /etc/groups for group membership issues.
Azra needs to access a macOS system but does not have the user’s password. If the system is not FileVaulted, which of the following options is not a valid recovery method? A. Use Single User mode to reset the password. B. Use Recovery mode to recover the password. C. Use Target Disk mode to delete the Keychain. D. Reset the password from another privileged user account.
Cullen wants to ensure that his chain of custody documentation will stand up to examination in court. Which of the following options will provide him with the best documentary proof of his actions? A. A second examiner acting as a witness and countersigning all actions B. A complete forensic log book signed and sealed by a notary public C. A documented forensic process with required sign-off D. Taking pictures of all independent forensic actions.
A. Change passwords before restoring from backup B. Isolate the system before restoring from backups C. Securely wipe the drive before restoration D. Vulnerability scan before patching.
After zero-wiping a system’s hard drive and rebuilding it with all security patches and trusted accounts, Azra is notified that the system is once again showing signs of compromise. Which of the following types of malware package cannot survive this type of eradication effort? A. An MBR-resident malware tool B. A UEFI-resident malware C. A BIOS-resident malware D. A slack space–resident malware package.
A. Slack space B. Hidden content C. Sparse files D. Encryption overhead.
Kathleen is restoring a critical business system to operation after a major compromise and needs to validate that the operating system and application files are legitimate and do not have any malicious code included in them. What type of tool should she use to validate this? A. A trusted system binary kit B. Dynamic code analysis C. Static code analysis D. File rainbow tables.
Mel is creating the evidence log for a computer that was part of an attack on an external third-party system. What network-related information should he include in that log if he wants to follow NIST’s recommendations? A. Subnet mask, DHCP server, hostname, MAC address B. IP addresses, MAC addresses, hostname C. Domain, hostname, MAC addresses, IP addresses D. NIC manufacturer, MAC addresses, IP addresses, DHCP configuration.
Ryan believes that systems on his network have been compromised by an advanced persistent threat actor. He has observed a number of large file transfers outbound to remote sites via TLS-protected HTTP sessions from systems that do not typically send data to those locations. Which of the following techniques is most likely to detect the APT infections? A. Network traffic analysis B. Network forensics C. Endpoint behavior analysis D. Endpoint forensics.
Kathleen’s forensic analysis of a laptop that is believed to have been used to access sensitive corporate data shows that the suspect tried to overwrite the data they downloaded as part of antiforensic activities by deleting the original files and then copying other files to the drive. Where is Kathleen most likely to find evidence of the original files? A. The MBR B. Unallocated space C. Slack space D. The FAT.
As part of a test of her network’s monitoring infrastructure, Kelly uses snmpwalk to validate her router SNMP settings. She executes snmpwalk as shown here:
snmpwalk -c public 10.1.10.1 -v1
iso.3.6.1.2.1.1.0 = STRING: "RouterOS 3.6"
iso.3.6.1.2.1.2.0 = OID: iso.3.6.1.4.1.30800
iso.3.6.1.2.1.1.3.0 = Timeticks: (1927523) 08:09:11
iso.3.6.1.2.1.1.4.0 = STRING: "root"
iso.3.6.1.2.1.1.5.0 = STRING: "RouterOS"
...
Which of the following pieces of information is not something she can discover from this query? A. SNMP v1 is enabled. B. The community string is public. C. The community string is root. D. The contact name is root.
Laura needs to check on memory, CPU, disk, network, and power usage on a Mac. What GUI tool can she use to check these? A. Resource Monitor B. System Monitor C. Activity Monitor D. Sysradar.
Angela wants to access the decryption key for a BitLocker-encrypted system, but the system is currently turned off. Which of the following methods is a viable method if a Windows system is turned off? A. Hibernation file analysis B. Memory analysis C. Boot-sector analysis D. Brute-force cracking.
Adam believes that a system on his network is infected but does not know which system. To detect it, he creates a query for his network monitoring software based on the following pseudocode. What type of traffic is he most likely trying to detect?
destip: [*] and duration < 10 packets and destbytes < 3000 and flowcompleted = true and application = http or https or tcp or unknown and content != uripath:* and content != contentencoding:*
A. Users browsing malicious sites B. Adware C. Beaconing D. Outbound port scanning.
Casey’s search for a possible Linux backdoor account during a forensic investigation has led her to check through the filesystem for issues. Where should she look for back doors associated with services? A. /etc/passwd B. /etc/xinetd.conf C. /etc/shadow D. $HOME/.ssh/.
During what stage of an event is preservation of evidence typically handled? A. Preparation B. Detection and analysis C. Containment, eradication, and recovery D. Postincident activity.
Lukas wants to purge a drive to ensure that data cannot be extracted from it when it is sent off-site. Which of the following is not a valid option for purging hard drives on a Windows system? A. Use the built-in Windows sdelete command line. B. Use Eraser. C. Use DBAN. D. Encrypt the drive and then delete the key.
Which of the following is not a valid use case for live forensic imaging? A. Malware analysis B. Encrypted drives C. Postmortem forensics D. Nonsupported filesystems.
Which of the following commands is the standard way to determine how old a user account is on a Linux system if [username] is replaced by the user ID that you are checking? A. userstat [username] B. ls -ld /home/[username] C. aureport -auth | grep [username] D. None of the above.
Profiling networks and systems can help to identify unexpected activity. What type of detection can be used once a profile has been created? A. Dynamic analysis B. Anomaly analysis C. Static analysis D. Behavioral analysis.
During a major incident response effort, Kobe discovers evidence that a critical application server may have been the data repository and egress point in the compromise he is investigating. If he is unable to take the system offline, which of the following options will provide him with the best forensic data? A. Reboot the server and mount the system drive using a USB-bootable forensic suite. B. Create an image using a tool like FTK Imager Lite. C. Capture the system memory using a tool like Volatility. D. Install and run an imaging tool on the live server.
Manish wants to monitor file permission changes on a Windows system he is responsible for. What audit category should he enable to allow this? A. File Permissions B. User Rights C. File System D. Audit Objects.
During the preparation phase of his organization’s incident response process, Oscar gathers a laptop with useful software including a sniffer and forensics tools, thumb drives and external hard drives, networking equipment, and a variety of cables. What is this type of preprepared equipment commonly called? A. A grab bag B. A jump kit C. A crash cart D. A first responder kit.
Chris is analyzing Chrome browsing information as part of a forensic investigation. After querying the visits table that Chrome stores, he discovers a 64-bit integer value stored as “visit time” listed with a value of 131355792940000000. What conversion does he need to perform on this data to make it useful? A. The value is in seconds since January 1, 1970. B. The value is in seconds since January 1, 1601. C. The value is a Microsoft timestamp and can be converted using the time utility. D. The value is an ISO 8601–formatted date and can be converted with any ISO time utility.
Marsha needs to ensure that the workstations she is responsible for have received a critical Windows patch. Which of the following methods should she avoid using to validate patch status for Windows 10 systems? A. Check the Update History manually. B. Run the Microsoft Baseline Security Analyzer. C. Create and run a PowerShell script to search for the specific patch she needs to check. D. Use an endpoint configuration manager to validate patch status for each machine on her domain.
Joe wants to recover the passwords for local Windows users on a Windows workstation. Where are the password hashes stored? A. C:\Windows\System32\passwords B. C:\Windows\System32\config C. C:\Windows\Secure\config D. C:\Windows\Secure\accounts.
While conducting a forensic review of a system involved in a data breach, Alex discovers a number of Microsoft Word files including files with filenames like critical_data.docx and sales_estimates_2020.docx. When he attempts to review the files using a text editor for any useful information, he finds only unreadable data. What has occurred? A. Microsoft Word files are stored in ZIP format. B. Microsoft Word files are encrypted. C. Microsoft Word files can be opened only by Microsoft Word. D. The user has used antiforensic techniques to scramble the data.
Lukas believes that one of his users has attempted to use built-in Windows commands to probe servers on the network he is responsible for. How can he recover the command history for that user if the system has been rebooted since the reconnaissance has occurred? A. Check the Bash history. B. Open a command prompt window and press F7. C. Manually open the command history from the user’s profile directory. D. The Windows command prompt does not store command history.
Susan wants to protect the Windows workstations in her domain from buffer overflow attacks. What should she recommend to the domain administrators at her company? A. Install an antimalware tool. B. Install an antivirus tool. C. Enable DEP in Windows. D. Set VirtualAllocProtection to 1 in the registry.
Latisha wants to create a documented chain of custody for the systems that she is handling as part of a forensic investigation. Which of the following will provide her with evidence that systems were not tampered with while she is not working with them? A. A chain-of-custody log B. Tamper-proof seals C. System logs D. None of the above.
Latisha wants to avoid running a program installed by a user that she believes is set with a RunOnce key in the Windows registry but needs to boot the system. What can she do to prevent RunOnce from executing the programs listed in the registry key? A. Disable the registry at boot. B. Boot into Safe Mode. C. Boot with the -RunOnce flag. D. RunOnce cannot be disabled; she will need to boot from external media to disable it first.
Pranab wants to determine when a USB device was first plugged into a Windows workstation. What file should he check for this information? A. The registry B. The setupapi log file C. The system log D. The data is not kept on a Windows system.
A major new botnet infection that uses a peer-to-peer command-and-control process has been released. Latisha wants to detect infected systems but knows that peer-to-peer communication is irregular and encrypted. If she wants to monitor her entire network for this type of traffic, what method should she use to catch infected systems? A. Build an IPS rule to detect all peer-to-peer communications that match the botnet’s installer signature. B. Use beaconing detection scripts focused on the command-and-control systems. C. Capture network flows for all hosts and use filters to remove normal traffic types. D. Immediately build a network traffic baseline and analyze it for anomalies.
Samantha has recently taken a new position as the first security analyst that her employer has ever had on staff. During her first week, she discovers that there is no information security policy and that the IT staff do not know what to do during a security incident. Samantha plans to start up a CSIRT to handle incident response. What type of documentation should she provide to describe specific procedures that the CSIRT will use during events like malware infections and server compromise? A. An incident response policy B. An operations manual C. An incident response program D. A playbook.
What useful information cannot be determined from the contents of the $HOME/.ssh folder when conducting forensic investigations of a Linux system? A. Remote hosts that have been connected to B. Private keys used to log in elsewhere C. Public keys used for logins to this system D. Passphrases associated with the keys.
Carlos needs to create a forensic copy of a BitLocker-encrypted drive. Which of the following is not a method that he could use to acquire the BitLocker key? A. Analyzing the hibernation file B. Analyzing a memory dump file C. Retrieving the key from the MBR D. Performing a FireWire attack on mounted drives.
A. Identify unexpected traffic during breaks like the low point at Christmas. B. He can determine why major traffic drops happen on weekends. C. He can identify top talkers. D. Adam cannot make any behavioral determinations based on this chart.
What is the space between the last sector containing logical data and the end of the cluster called? A. Unallocated space B. Ephemeral space C. Slack space D. Unformatted space.
Jack is preparing to take a currently running PC back to his forensic lab for analysis. As Jack considers his forensic process, one of his peers recommends that he simply pull the power cable rather than doing a software-based shutdown. Why might Jack choose to follow this advice? A. It will create a crash log, providing useful memory forensic information. B. It will prevent shutdown scripts from running. C. It will create a memory dump, providing useful forensic information. D. It will cause memory-resident malware to be captured, allowing analysis.
Amanda has been tasked with acquiring data from an iPhone as part of a mobile forensics effort. At what point should she remove the SIM (or UICC) card from the device if she receives the device in a powered-on state? A. While powered on, but after logical collection B. While powered on, prior to logical collection C. While powered off, after logical collection D. While powered off, before logical collection.
During the preservation phase of her work, Carol discovers that information requested as part of the discovery request has been deleted as part of a regularly scheduled data cleanup as required by her organization’s policies. What should Carol do? A. Conduct a forensic recovery of the data. B. Create synthetic data to replace the missing data. C. Report the issue to counsel. D. Purge any other data related to the request based on the same policy.
While reviewing system logs, Charles discovers that the processor for the workstation he is reviewing has consistently hit 100 percent processor utilization by the web browser. After reviewing the rest of the system, no unauthorized software appears to have been installed. What should Charles do next? A. Review the sites visited by the web browser when the CPU utilization issues occur B. Check the browser binary against a known good version C. Reinstall the browser D. Disable TLS.
Barb wants to detect unexpected output from the application she is responsible for managing and monitoring. What type of tool can she use to detect unexpected output effectively? A. A log analysis tool B. A behavior-based analysis tool C. A signature-based detection tool D. Manual analysis.
Tom is building his incident response team and is concerned about how the organization will address insider threats. Which business function would be most capable of assisting with the development of disciplinary policies? A. Information security B. Human resources C. Legal counsel D. Senior management.
Which one of the following incident response test types provides an interactive exercise for the entire team but does not run the risk of disrupting normal business activity? A. Full interruption test B. Checklist review C. Management review D. Tabletop exercise.
Which of the following cloud service environments is likely to provide the best available information for forensic analysis? A. SaaS B. IaaS C. PaaS D. IDaaS.
Ken is helping his organization prepare for future incident response efforts and would like to ensure that they conduct regular training exercises. Which one of the following exercises could he use to remind incident responders of their responsibilities with the least impact on other organizational priorities? A. Checklist review B. Structured walkthrough C. Capture the flag D. Tabletop exercise.
Camilla is participating in the eradication and recovery stage of an incident response process. Which one of the following activities would not normally occur during this phase? A. Vulnerability mitigation B. Restoration of permissions C. Verification of logging/communication to security monitoring D. Analysis of drive capacity consumption.
Craig is revising his organization’s incident response plan and wants to ensure that the plan includes coordination with all relevant internal and external entities. Which one of the following stakeholders should he be most cautious about coordinating with? A. Regulatory bodies B. Senior leadership C. Legal D. Human resources.