Chapter 10: Data Normalization and Exploitation

  1. (3)
    strftime("%F %T", 1232467200) would format the time and date stamp as 2009-01-20 16:00:00. 1232467200 is the Unix time code for this time and date, but conversions are not required for the 210-255 exam. Notice how this is the same for all four options.
    %F is the formatting option that's used for dates in the RFC 8601 format, and presents time in UTC, which is equivalent to the GMT (+00:00) time zone. Using the %c option presents the date in the format that's used on the local system. %T presents the time in 24-hour format as hours, minutes, and seconds.
  2. (2)
    The awk command can be used to read through a text file line by line, splitting each line into fields. The default is to use whitespace between fields, but this can be changed, for example, to comma-separated values or other delimiters.
    The grep CLI command can be used to search through data using regular expressions. pcregrep can do this and also use grouping. The split command can be used to create separate files by number of lines or by number of bytes.
  1. (2)
    One of the aims of normalization is minimizing duplication of data. While redundancy is useful in many other areas (for example, redundant hardware, connectivity, bandwidth, and so on), redundancy of data is often undesirable as it introduces the risk of consistency errors.
    Ideally, log file space requirements should be minimized through all cybersecurity operations. One of the criticisms or costs of normalization is that drawing in data from, or writing to, multiple tables or calculating fields on the fly introduces a higher processing overhead.
  2. (4)
    Atomicity of data is a rule that's applied at the first normal form (and therefore applies to all subsequent normal forms). It requires that each field may only contain a single value; that is, there are no fields holding a list of values.
    The contents of each field don't need to be unique; this is only required of the key field, or of the composite key fields in combination. The requirements for each field title to be unique and for each record to be unique are separate requirements of the first normal form.
  3. (1)
    The Cisco ASA checks to see if there is an existing connection for the source and destination hosts for that specific traffic. If there is an existing connection, the Cisco ASA bypasses the ACL checks and performs application inspection checks.
    Cisco AMP relates more closely to packet inspection for threat detection, NetFlow is more closely related to the volume of data transfer, and firewalls perform the ACL checks.
  4. (1)
    The completed command would be awk '{$2=strftime("%c %T",$2)} {print}' orig.log > new.log. The first item is the command (awk), while the section enclosed in single quote marks is the set of actions to be carried out. First, the second field is replaced with a human-readable time using strftime, and then the resulting line is output using print. The final part provides the input and output file names.
  5. (3)
    Using the %c conversion specification applies the local time settings to the conversion. The local time settings on the other operator's computer don't match; they are likely in the wrong time zone, or in a different format.
    The logs were both using Unix time, which starts from 1 January, 1970. This can be seen from the scale of the numbers, which wouldn't make sense for GetSystemTimeAsFileTime on Windows. Because they are both using Unix time, the time zone is not applied.
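    The following is an added example, not code from the book, that does in Python what the awk one-liner above does but emits ISO 8601 UTC instead of %c, so two analysts in different time zones get identical output. The sample log lines are constructed; the field position (field 2) follows the awk command in answer 4.

```python
"""Normalize epoch timestamps in whitespace-separated log lines to ISO 8601 UTC.

Equivalent to awk '{$2=strftime("%c %T",$2)} {print}', except that the output
is rendered in UTC so it does not depend on the analyst's local time settings.
"""
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample lines (not from the book): field 2 is a Unix epoch,
# in seconds on the first line, in milliseconds on the second, and absent
# (non-numeric) on the third so the edge case is exercised.
SAMPLE_LOG = """\
host1 1232467200 sshd[2211]: Accepted publickey for ops from 10.10.10.40
host2 1232467200123 nginx: GET /index.html 200
host3 not-a-timestamp kernel: link up
"""


def epoch_to_iso_utc(value: str) -> Optional[str]:
    """Return 'YYYY-MM-DDTHH:MM:SSZ' for an epoch in seconds or milliseconds.

    Returns None when the field is not a plain integer, so callers can leave
    lines that carry no timestamp untouched instead of corrupting them.
    """
    if not value.isdigit():
        return None
    ts = int(value)
    if len(value) >= 13:  # 13+ digits means millisecond precision
        ts //= 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_line(line: str, field: int = 2) -> str:
    """Replace the given 1-based whitespace-separated field with ISO 8601 UTC."""
    fields = line.split()  # like awk's default FS, runs of whitespace split fields
    idx = field - 1
    if idx >= len(fields):
        return line
    iso = epoch_to_iso_utc(fields[idx])
    if iso is None:
        return line
    fields[idx] = iso
    return " ".join(fields)  # like awk, rebuilding $0 joins fields with a single space


def normalize_log(text: str) -> List[str]:
    """Normalize every non-empty line of a log held in memory."""
    return [normalize_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for out in normalize_log(SAMPLE_LOG):
        print(out)
```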
  1. (2)
    The HTTP GET message is shown in line 10. The file would have been downloaded in reply to this message (likely the entries starting in lines 16-20).
    The details of the 5-tuple are as follows:
    Source IP: 219.83.193.158
    Source Port: 80
    Destination IP: 81.173.237.255
    Destination Port: 59918
    Protocol: TCP
  1. (2)
    The inside local IP address was 10.10.10.40. This is translated into the public-facing socket 81.173.237.255:59918 using port address translation (NAT overload). The outside IP address was 219.83.193.158 and refers to the destination. We don't know whether further translation happens at the far end (although this is very likely).
  2. (4)
    Cisco's AMP includes Network File Trajectory, along with other retrospective analysis tools out of the box.
    While AMP, Splunk, and QRadar do have SIEM capabilities (to a greater or lesser extent), retrospective analysis is only available (without customization) on Cisco's AMP.