Chapter 3
Domain 3.0: Incident Response and Management

  1. Consider the threat modeling analysis shown here. What attack framework was used to develop this analysis?
    A framework of threat modeling analysis. Adversary, capability, victim, and infrastructure are the four components.
    1. ATT&CK
    2. Cyber Kill Chain
    3. STRIDE
    4. Diamond
  2. As part of an organization-wide red team exercise, Frank is able to use a known vulnerability to compromise an Apache web server. Frank knows that the Apache service is running under a limited user account. Once he has gained access, what should his next step be if he wants to use the system to pivot to protected systems behind the screened subnet (DMZ) that the web server resides in?
    1. Vulnerability scanning
    2. Privilege escalation
    3. Patching
    4. Installing additional tools
  3. Helen is using the Lockheed Martin Cyber Kill Chain to analyze an attack that took place against her organization. During the attack, the perpetrator attached a malicious tool to an email message that was sent to the victim. What phase of the Cyber Kill Chain includes this type of activity?
    1. Weaponization
    2. Delivery
    3. Exploitation
    4. Actions on objectives
  4. Betty wants to review the security logs on her Windows workstation. What tool should she use to do this?
    1. Secpol.msc
    2. Event Viewer
    3. Log Viewer
    4. Logview.msc
  5. The ATT&CK framework defines which of the following as “the specifics behind how the adversary would attack the target?”
    1. The threat actor
    2. The targeting method
    3. The attack vector
    4. The organizational weakness
  6. Jamal wants to leverage a framework to improve his threat hunting for network defense. What threat-hunting framework should he select to help his team categorize and analyze threats more effectively?
    1. MOPAR
    2. CVSS
    3. MITRE ATT&CK
    4. CAPEC
  7. Maria is an Active Directory domain administrator for her company, and she knows that a quickly spreading botnet relies on a series of domain names for command and control and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent offsite Windows users from connecting to botnet command-and-control systems?
    1. Force a BGP update.
    2. Set up a DNS sinkhole.
    3. Modify the hosts file.
    4. Install an antimalware application.
  8. While attempting to stop a rogue service, Monica issues the following Linux command on an Ubuntu system using upstart:
    service rogueservice stop

    After a reboot, she discovers the service running again. What happened, and what does she need to do to prevent this?

    1. The service restarted at reboot, so she needs to include the -p, or permanent, flag.
    2. The service restarted itself, so she needs to delete the binary associated with the service.
    3. The service restarted at reboot, so she should add an .override file to stop the service from starting.
    4. A malicious user restarted the service, so she needs to ensure users cannot restart services.

    Questions 9–12 refer to the following scenario and image.

    Bill is reviewing the authentication logs for a Linux system that he operates and encounters the following log entries:

    Aug 30 09:46:54 ip-172-30-0-62 sshd[3051]: Accepted publickey for ec2-user from 10.174.238.88 port 57478 ssh2: RSA e5:f5:c1:46:bb:49:a1:43:da:9d:50:c5:37:bd:79:22
    Aug 30 09:46:54 ip-172-30-0-62 ssh[3051]: pam_unix[sshd:session]: session opened for user ec2-user by (uid=0)
    Aug 30 09:48:06 ip-172-30-0-62 sudo: ec2-user : TTY=ps/0 ; PWD=/home/ec2-user ; USER=root; COMMAND=/bin/bash
    
  9. What is the IP address of the system where the user was logged in when they initiated the connection?
    1. 172.30.0.62
    2. 62.0.30.172
    3. 10.174.238.88
    4. 9.48.6.0
  10. What service did the user use to connect to the server?
    1. HTTPS
    2. PTS
    3. SSH
    4. Telnet
  11. What authentication technique did the user use to connect to the server?
    1. Password
    2. PKI
    3. Token
    4. Biometric
  12. What account did the individual use to connect to the server?
    1. root
    2. ec2-user
    3. bash
    4. pam_unix
  13. Alaina adds the openphish URL list to her SOAR tool and sees the following entries:

    What action should she take based on phishing URLs like these?

    1. Block the IP address at her border firewall.
    2. Monitor for the IP address using her IDS.
    3. Delete emails with the URL from inbound email.
    4. Nothing, as these have not been confirmed.
  14. Rowan wants to block drive-by downloads and bot command-and-control channels while redirecting potentially impacted systems to a warning message. What should she implement to do this?
    1. A DNS sinkhole
    2. A WAF
    3. An IDS
    4. A UEBA

    Use the following table and rating information for questions 15–17.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) uses a 1–100 scale for incident prioritization, with weight assigned to each of a number of categories. The functional impact score is weighted in their demonstration as follows:

    Functional Impact                                   Rating
    No impact                                           0
    No impact to services                               20
    Minimal impact to noncritical services              35
    Minimal impact to critical services                 40
    Significant impact to noncritical services          50
    Denial of noncritical services                      60
    Significant impact to critical services             70
    Denial of critical services or loss of control      100
  15. Nathan discovers a malware package on an end-user workstation. What rating should he give this if he is considering organization impact based on the table shown?
    1. No impact
    2. No impact to services
    3. Denial of noncritical services
    4. Denial of critical services or loss of control
  16. Nathan's organization uses a software-as-a-service (SaaS) tool to manage their customer mailing lists, which they use to inform customers of upcoming sales a week in advance. The organization's primary line of business software continues to function and merchandise can be sold. Because of a service outage, they are unable to add new customers to the list for a full business day. How should Nathan rate this local impact issue during the outage?
    1. Minimal impact to noncritical services
    2. Minimal impact to critical services
    3. Significant impact to noncritical services
    4. Denial of noncritical services
  17. During an investigation into a compromised system, Nathan discovers signs of an advanced persistent threat (APT) resident in his organization's administrative systems. How should he classify this threat?
    1. Significant impact to noncritical services
    2. Denial of noncritical services
    3. Significant impact to critical services
    4. Denial of critical services or loss of control
  18. Melissa is using the US-CERT's scale to measure the impact of the location of observed activity by a threat actor. Which of the following should be the highest rated threat activity location?
    1. Critical system screened subnet (DMZ)
    2. Business network
    3. Business screened subnet (DMZ)
    4. Safety systems
  19. Derek's organization has been working to recover from a recent malware infection that caused outages across the organization during an important part of their business cycle. To properly triage, what should Derek pay the most attention to first?
    1. The immediate impact on operations so that his team can restore functionality
    2. The total impact of the event so that his team can provide an accurate final report
    3. The immediate impact on operations so that his team can identify the likely threat actor
    4. The total impact of the event so that his team can build a new threat model for future use
  20. Jeff discovers multiple JPEG photos during his forensic investigation of a computer involved in an incident. When he runs exiftool to gather file metadata, which information is not likely to be part of the images even if they have complete metadata intact?
    1. GPS location
    2. Camera type
    3. Number of copies made
    4. Correct date/timestamp
  21. John has designed his network as shown here and places untrusted systems that want to connect to the network into the Guests network segment. What is this type of segmentation called?
    A system architecture. It involves internet, screened subnet, high security, users, and guests.
    1. Proactive network segmentation
    2. Isolation
    3. Quarantine
    4. Removal
  22. The organization that Jamal works for classifies security-related events using NIST's standard definitions. Which classification should he use when he discovers key-logging software on the laptop of one of his frequent business travelers?
    1. An event
    2. An adverse event
    3. A security incident
    4. A policy violation
  23. Dan is designing a segmented network that places systems with different levels of security requirements into different subnets with firewalls and other network security devices between them. What phase of the incident response process is Dan in?
    1. Post-incident activity
    2. Detection and analysis
    3. Preparation
    4. Containment, eradication, and recovery
  24. Lauren wants to create a backup of Linux permissions before making changes to the Linux workstation she is attempting to remediate. What Linux tool can she use to back up the permissions of an entire directory on the system?
    1. She can use chbkup.
    2. She can use getfacl.
    3. She can use aclman.
    4. There is not a common Linux permission backup tool.
  25. While working to restore systems to their original configuration after a long-term APT compromise, Manish has three options.
    A. He can restore from a backup and then update patches on the system.
    B. He can rebuild and patch the system using original installation media and application software using his organization's build documentation.
    C. He can remove the compromised accounts and rootkit tools and then fix the issues that allowed the attackers to access the systems.

    Which option should Manish choose in this scenario?

    1. Option A.
    2. Option B.
    3. Option C.
    4. None of the above. Manish should hire a third party to assess the systems before proceeding.
  26. Jessica wants to access a macOS FileVault 2–encrypted drive. Which of the following methods is not a possible means of unlocking the volume?
    1. Change the FileVault key using a trusted user account.
    2. Retrieve the key from memory while the volume is mounted.
    3. Acquire the recovery key.
    4. Extract the keys from iCloud.
  27. Susan discovers the following log entries that occurred within seconds of each other in her Squert (a Sguil web interface) console. What have her network sensors most likely detected?
    A table depicts the log entries.
    1. A failed database connection from a server
    2. A denial-of-service attack
    3. A port scan
    4. A misconfigured log source
  28. If Suki wants to purge a drive, which of the following options will accomplish her goal?
    1. Cryptographic erase
    2. Reformat
    3. Overwrite
    4. Repartition
  29. While performing post-rebuild validation efforts, Scott scans a server from a remote network and sees no vulnerabilities. Joanna, the administrator of the machine, runs a scan and discovers two critical vulnerabilities and five moderate issues. What is most likely causing the difference in their reports?
    1. Different patch levels were used during the scans.
    2. They are scanning through a load balancer.
    3. There is a firewall between the remote network and the server.
    4. Scott or Joanna ran the vulnerability scan with different settings.
  30. As part of his organization's cooperation in a large criminal case, Adam's forensic team has been asked to send a forensic image of a highly sensitive compromised system in RAW format to an external forensic examiner. What steps should Adam's team take prior to sending a drive containing the forensic image?
    1. Encode in E01 format and provide a hash of the original file on the drive.
    2. Encode in FTK format and provide a hash of the new file on the drive.
    3. Encrypt the RAW file and transfer a hash and key under separate cover.
    4. Decrypt the RAW file and transfer a hash under separate cover.
  31. Mika wants to analyze the contents of a drive without causing any changes to the drive. What method is best suited to ensuring this?
    1. Set the “read-only” jumper on the drive.
    2. Use a write blocker.
    3. Use a read blocker.
    4. Use a forensic software package.
  32. What type of forensic investigation–related form is shown here?
    An illustration of a forensic investigation–related form.
    1. Chain of custody
    2. Report of examination
    3. Forensic discovery log
    4. Policy custody release
  33. James wants to determine whether other Windows systems on his network are infected with the same malware package that he has discovered on the workstation he is analyzing. He has removed the system from his network by unplugging its network cable, as required by corporate policy. He knows that the system has previously exhibited beaconing behavior and wants to use that behavior to identify other infected systems. How can he safely create a fingerprint for this beaconing without modifying the infected system?
    1. Plug the system into the network and capture the traffic quickly at the firewall using Wireshark or tcpdump.
    2. Plug the system into an isolated switch and use a span port or tap and Wireshark/tcpdump to capture traffic.
    3. Review the ARP cache for outbound traffic.
    4. Review the Windows Defender Firewall log for traffic logs.
  34. After completing an incident response process and providing a final report to management, what step should Casey use to identify improvement to her incident response plan?
    1. Update system documentation.
    2. Conduct a lessons learned session.
    3. Review patching status and vulnerability scans.
    4. Engage third-party consultants.
  35. During a forensic investigation, Lukas discovers that he needs to capture a virtual machine that is part of the critical operations of his company's website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow?
    1. Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in.
    2. Copy the virtual disk files and then use a memory capture tool.
    3. Escalate to management to get permission to suspend the system to allow a true forensic copy.
    4. Use a tool like the Volatility Framework to capture the live machine completely.
  36. Mika, a computer forensic examiner, receives a PC and its peripherals that were seized as forensic evidence during an investigation. After she signs off on the chain of custody log and starts to prepare for her investigation, one of the first things she notes is that each cable and port was labeled with a color-coded sticker by the onsite team. Why are the items labeled like this?
    1. To ensure chain of custody
    2. To ensure correct reassembly
    3. To allow for easier documentation of acquisition
    4. To tamper-proof the system
  37. While reviewing her Nagios logs, Selah discovers the error message shown here. What should she do about this error?
    An illustration of an error message.
    1. Check for evidence of a port scan.
    2. Review the Apache error log.
    3. Reboot the server to restore the service.
    4. Restart the Apache service.
  38. Lakshman needs to sanitize hard drives that will be leaving his organization after a lease is over. The drives contained information that his organization classifies as sensitive data that competitors would find valuable if they could obtain it. Which choice is the most appropriate to ensure that data exposure does not occur during this process?
    1. Clear, validate, and document.
    2. Purge the drives.
    3. Purge, validate, and document.
    4. The drives must be destroyed to ensure no data loss.
  39. Selah is preparing to collect a forensic image for a Macintosh computer running the Ventura operating system. What hard drive format is she most likely to encounter?
    1. FAT32
    2. MacFAT
    3. APFS
    4. HFS+
  40. During a forensic analysis of an employee's computer as part of a human resources investigation into misuse of company resources, Tim discovers a program called Eraser installed on the PC. What should Tim expect to find as part of his investigation?
    1. A wiped C: drive
    2. Antiforensic activities
    3. All slack space cleared
    4. Temporary files and Internet history wiped
  41. Jessica wants to recover deleted files from slack space and needs to identify where the files begin and end. What is this process called?
    1. Slacking
    2. Data carving
    3. Disk recovery
    4. Header manipulation
  42. Latisha is the IT manager for a small company and occasionally serves as the organization's information security officer. Who would be the most appropriate leader for her organization's CSIRT?
    1. Her lead IT support staff technician.
    2. Her organization's legal counsel.
    3. A third-party IR team lead.
    4. She should select herself.
  43. During her forensic analysis of a Windows system, Cynthia accesses the registry and checks HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (as shown here). What domain was the system connected to, and what was the username that would appear at login?
    A window page depicts the name, type, and data.
    1. Admin, administrator
    2. No domain, administrator
    3. Legal, admin
    4. Corporate, no default username
  44. Alex suspects that an attacker has modified a Linux executable using static libraries. Which of the following Linux commands is best suited to determining whether this has occurred?
    1. file
    2. stat
    3. strings
    4. grep
  45. Because of external factors, Eric has only a limited time period to collect an image from a workstation. If he collects only specific files of interest, what type of acquisition has he performed?
    1. Logical
    2. Bit-by-bit
    3. Sparse
    4. None of the above
  46. During a forensic investigation, Kwame records information about each drive, including where it was acquired, who made the forensic copy, the MD5 hash of the drive, and other details. What term describes the process Kwame is using as he labels evidence with details of who acquired and validated it?
    1. Direct evidence
    2. Circumstantial evidence
    3. Incident logging
    4. Chain of custody
  47. Susan needs to perform forensics on a virtual machine. What process should she use to ensure she gets all of the forensic data she may need?
    1. Suspend the machine and copy the contents of the directory it resides in.
    2. Perform a live image of the machine.
    3. Suspend the machine and make a forensic copy of the drive it resides on.
    4. Turn the virtual machine off and make a forensic copy of it.
  48. Allison wants to access Chrome logs as part of a forensic investigation. What format is information about cookies, history, and saved form responses saved in?
    1. SQLite
    2. Plain text
    3. Base64-encoded text
    4. NoSQL
  49. While Chris is attempting to image a device, he encounters write issues and cannot write the image as currently set (refer to the image shown here). What issue is he most likely encountering?
    A select image destination dialog box.
    1. The files need to be compressed.
    2. The destination drive is formatted FAT32.
    3. The destination drive is formatted NTFS.
    4. The files are encrypted.
  50. Saanvi needs to validate the MD5 checksum of a file on a Windows system to ensure that there were no unauthorized changes to the binary file. He is not allowed to install any programs and cannot run files from external media or drives. What Windows utility can he use to get the MD5 hash of the file?
    1. md5sum
    2. certutil
    3. sha1sum
    4. hashcheck
  51. Forensic investigation shows that the target of an investigation used the Windows Quick Format command to attempt to destroy evidence on a USB thumb drive. Which of the NIST sanitization techniques has the target of the investigation used in their attempt to conceal evidence?
    1. Clear
    2. Purge
    3. Destroy
    4. None of the above
  52. During an incident response process, Susan plugs a system back into the network, allowing it normal network access. What phase of the incident response process is Susan performing?
    1. Preparation
    2. Detection and analysis
    3. Containment, eradication, and recovery
    4. Post-incident activity
  53. Mei's team has completed the initial phases of their incident response process and is assessing the time required to recover from the incident. Using the NIST recoverability effort categories, the team has determined that they can predict the time to recover but will require additional resources. How should she categorize this using the NIST model?
    1. Regular
    2. Supplemented
    3. Extended
    4. Not recoverable
  54. Janet is attempting to conceal her actions on a company-owned computer. As part of her cleanup attempts, she deletes all the files she downloaded from a corporate file server using a browser in incognito mode. How can a forensic investigator determine what files she downloaded?
    1. Network flows
    2. SMB logs
    3. Browser cache
    4. Drive analysis
  55. Jose is aware that an attacker has compromised a system on his network but wants to continue to observe the attacker's efforts as they continue their attack. If Jose wants to prevent additional impact on his network while watching what the attacker does, what containment method should he use?
    1. Removal
    2. Isolation
    3. Segmentation
    4. Detection
  56. When Abdul arrived at work this morning, he found an email in his inbox that read, “Your systems are weak; we will own your network by the end of the week.” How would he categorize this sign of a potential incident if he was using the NIST SP 800-61 descriptions of incident signs?
    1. An indicator
    2. A threat
    3. A risk
    4. A precursor
  57. During an incident response process, Cynthia conducts a lessons learned review. What phase of the incident response process is she in?
    1. Preparation
    2. Detection and analysis
    3. Containment, eradication, and recovery
    4. Post-incident recovery
  58. As part of his incident response program, Allan is designing a playbook for zero-day threats. Which of the following should not be in his plan to handle them?
    1. Segmentation
    2. Patching
    3. Using threat intelligence
    4. Allow listing/whitelisting
  59. As the CISO of her organization, Mei is working on an incident classification scheme and wants to base her design on NIST's definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view?
    1. An incident
    2. An event
    3. An adverse event
    4. A security incident
  60. Fred wants to identify digital evidence that can place an individual in a specific place at a specific time. Which of the following types of digital forensic data is not commonly used to attempt to document physical location at specific times?
    1. Cell phone GPS logs
    2. Photograph metadata
    3. Cell phone tower logs
    4. Microsoft Office document metadata
  61. Kai has completed the validation process of her media sanitization efforts and has checked a sample of the drives she had purged using a built-in cryptographic wipe utility. What is her next step?
    1. Resample to validate her testing.
    2. Destroy the drives.
    3. Create documentation.
    4. She is done and can send the drives on for disposition.
  62. In his role as a small company's information security manager, Mike has a limited budget for hiring permanent staff. Although his team can handle simple virus infections, he does not currently have a way to handle significant information security incidents. Which of the following options should Mike investigate to ensure that his company is prepared for security incidents?
    1. Outsource to a third-party SOC.
    2. Create an internal SOC.
    3. Hire an internal incident response team.
    4. Outsource to an incident response provider.
  63. Bohai wants to ensure that media has been properly sanitized. Which of the following options properly lists sanitization descriptions from least to most effective?
    1. Purge, clear, destroy
    2. Eliminate, eradicate, destroy
    3. Clear, purge, destroy
    4. Eradicate, eliminate, destroy
  64. Degaussing is an example of what form of media sanitization?
    1. Clearing.
    2. Purging.
    3. Cryptoshredding.
    4. It is not a form of media sanitization.
  65. While reviewing storage usage on a Windows system, Brian checks the volume shadow copy storage as shown here:
    C:\WINDOWS\system32>vssadmin list Shadowstorage
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.

    Shadow Copy Storage association
       For volume: (C:)\\?\Volume{c3b53dae-0e54-13e3-97ab-806e6f6e69633}\
       Shadow Copy Storage volume: (C:)\\?\Volume{c3b53dae-0e54-13e3-97ab-806e6f6e6963}\
       Used Shadow Copy Storage space: 25.6 GB (2%)
       Allocated Shadow Copy Storage space: 26.0 GB (2%)
       Maximum Shadow Copy Storage space: 89.4 GB (10%)

    What purpose does this storage serve, and can he safely delete it?

    1. It provides a block-level snapshot and can be safely deleted.
    2. It provides secure hidden storage and can be safely deleted.
    3. It provides secure hidden storage and cannot be safely deleted.
    4. It provides a block-level snapshot and cannot be safely deleted.
  66. Lauren recovers a number of 16GB and 32GB microSD cards during a forensic investigation. Without checking them manually, what filesystem type is she most likely to find them formatted in if they were used with a digital camera?
    1. RAW
    2. FAT16
    3. FAT32
    4. APFS
  67. After arriving at an investigation site, Brian determines that three powered-on computers need to be taken for forensic examination. What steps should he take before removing the PCs?
    1. Power them down, take pictures of how each is connected, and log each system in as evidence.
    2. Take photos of each system, power them down, and attach a tamper-evident seal to each PC.
    3. Collect live forensic information, take photos of each system, and power them down.
    4. Collect a static drive image, validate the hash of the image, and securely transport each system.
  68. In his role as a forensic examiner, Lukas has been asked to produce forensic evidence related to a civil case. What is this process called?
    1. Criminal forensics
    2. E-discovery
    3. Cyber production
    4. Civil tort
  69. As Mika studies her company's computer forensics playbook, she notices that forensic investigators are required to use a chain of custody form. Which of the following best describes the information that she should record on that form if she was conducting a forensic investigation?
    1. The list of individuals who made contact with files leading to the investigation
    2. The list of former owners or operators of the PC involved in the investigation
    3. All individuals who work with evidence in the investigation
    4. The police officers who take possession of the evidence
  70. Scott needs to ensure that the system he just rebuilt after an incident is secure. Which type of scan will provide him with the most useful information to meet his goal?
    1. An authenticated vulnerability scan from a trusted internal network
    2. An unauthenticated vulnerability scan from a trusted internal network
    3. An authenticated scan from an untrusted external network
    4. An unauthenticated scan from an untrusted external network
  71. What is the primary role of management in the incident response process?
    1. Leading the CSIRT
    2. Acting as the primary interface with law enforcement
    3. Providing authority and resources
    4. Assessing impact on stakeholders
  72. Max wants to improve the effectiveness of the incident analysis process he is responsible for as the leader of his organization's CSIRT. Which of the following is not a commonly recommended best practice based on NIST's guidelines?
    1. Profile networks and systems to measure the characteristics of expected activity.
    2. Perform event correlation to combine information from multiple sources.
    3. Maintain backups of every system and device.
    4. Capture network traffic as soon as an incident is suspected.
  73. NIST describes four major phases in the incident response cycle. Which of the following is not one of the four?
    1. Containment, eradication, and recovery
    2. Notification and communication
    3. Detection and analysis
    4. Preparation
  74. Charles wants to perform memory forensics on a Windows system and wants to access pagefile.sys. When he attempts to copy it, he receives the following error. What access method is required to access the page file?
    A window of file in use.
    1. Run Windows File Explorer as an administrator and repeat the copy.
    2. Open the file using fmem.
    3. Run cmd.exe as an administrator and repeat the copy.
    4. Shut the system down, remove the drive, and copy it from another system.
  75. Where is slack space found in the following Windows partition map?
    A Windows partition map.
    1. The System Reserved partition
    2. The System Reserved and Unallocated partitions
    3. The System Reserved and C: partitions
    4. The C: and unallocated partitions
  76. Ty needs to determine the proper retention policy for his organization's incident data. If he wants to follow common industry practices and does not have specific legal or contractual obligations that he needs to meet, what timeframe should he select?
    1. 30 days
    2. 90 days
    3. 1 to 2 years
    4. 7 years
  77. The system that Alice has identified as the source of beaconing traffic is one of her organization's critical e-commerce servers. To maintain her organization's operations, she needs to quickly restore the server to its original, uncompromised state. What criterion is likely to be impacted the most by this action?
    1. Damage to the system or service
    2. Service availability
    3. Ability to preserve evidence
    4. Time and resources needed to implement the strategy
  78. Piper wants to create a forensic image that third-party investigators can use but does not know what tool the third-party investigation team that her company intends to engage will use. Which of the following forensic formats should she choose if she wants almost any forensic tool to be able to access the image?
    1. E01
    2. AFF
    3. RAW
    4. AD1
  79. As part of his forensic investigation, Scott intends to make a forensic image of a network share that is mounted by the PC that is the focus of his investigation. What information will he be unable to capture?
    1. File creation dates
    2. Deleted files
    3. File permission data
    4. File metadata
  80. What common incident response follow-up activity includes asking questions like “What additional tools or resources are needed to detect or analyze future events?”
    1. Preparation
    2. Lessons learned review
    3. Evidence gathering
    4. Procedural analysis
  81. Suki has been asked to capture forensic data from a Windows PC and needs to ensure that she captures the data in their order of volatility. Which order is correct from most to least volatile?
    1. Network traffic, CPU cache, disk drives, optical media
    2. CPU cache, network traffic, disk drives, optical media
    3. Optical media, disk drives, network traffic, CPU cache
    4. Network traffic, CPU cache, optical media, disk drives
  82. During an incident response process, Suki heads to a compromised system and disconnects its network cable. What phase of the incident response process is Suki performing?
    1. Preparation
    2. Detection and analysis
    3. Containment, eradication, and recovery
    4. Post-incident activity
  83. Scott needs to verify that the forensic image he has created is an exact duplicate of the original drive. Which of the following methods is considered forensically sound?
    1. Create a MD5 hash
    2. Create a SHA-1 hash
    3. Create a SHA-2 hash
    4. All of the above
  84. What strategy does NIST suggest for identifying attackers during an incident response process?
    1. Use geographic IP tracking to identify the attacker's location.
    2. Contact upstream ISPs for assistance in tracking down the attacker.
    3. Contact local law enforcement so that they can use law enforcement–specific tools.
    4. Identifying attackers is not an important part of the incident response process.
  85. While performing forensic analysis of an iPhone backup, Cynthia discovers that she has only some of the information that she expects the phone to contain. What is the most likely scenario that would result in the backup she is using having partial information?
    1. The backup was interrupted.
    2. The backup is encrypted.
    3. The backup is a differential backup.
    4. The backup is stored in iCloud.
  86. Cullen wants to ensure that his chain of custody documentation will stand up to examination in court. Which of the following options will provide him with the best documentary proof of his actions?
    1. A second examiner acting as a witness and countersigning all actions
    2. A complete forensic logbook signed and sealed by a notary public
    3. A documented forensic process with required sign-off
    4. Taking pictures of all independent forensic actions
  87. Cynthia is reviewing her organization's incident response recovery process, which is outlined here. Which of the following recommendations should she make to ensure that further issues do not occur during the restoration process?
    A flow diagram. Restore from clean backups, install patches, change all passwords, and assess system security are the 4 steps.
    1. Change passwords before restoring from backup.
    2. Isolate the system before restoring from backups.
    3. Securely wipe the drive before restoration.
    4. Vulnerability scan before patching.
  88. Saria is reviewing the contents of a drive as part of a forensic effort and notes that the file she is reviewing takes up more space on the disk than its actual size, as shown here. What has she discovered?
    A dialog box exposes the general settings screen.
    1. Slack space
    2. Hidden content
    3. Sparse files
    4. Encryption overhead
  89. Kathleen is restoring a critical business system to operation after a major compromise and needs to validate that the operating system and application files are legitimate and do not have any malicious code included in them. What type of tool should she use to validate this?
    1. A trusted system binary kit
    2. Dynamic code analysis
    3. Static code analysis
    4. File rainbow tables
  90. Mel is creating the evidence log for a computer that was part of an attack on an external third-party system. What network-related information should he include in that log if he wants to follow NIST's recommendations?
    1. Subnet mask, DHCP server, hostname, MAC address
    2. IP addresses, MAC addresses, hostname
    3. Domain, hostname, MAC addresses, IP addresses
    4. NIC manufacturer, MAC addresses, IP addresses, DHCP configuration
  91. Ryan believes that systems on his network have been compromised by an advanced persistent threat actor. He has observed a number of large file transfers outbound to remote sites via TLS-protected HTTP sessions from systems that do not typically send data to those locations. Which of the following techniques is most likely to detect the APT infections?
    1. Network traffic analysis
    2. Network forensics
    3. Endpoint behavior analysis
    4. Endpoint forensics
  92. Ben is investigating a potential malware infection of a laptop belonging to a senior manager in the company he works for. When the manager opens a document, website, or other application that takes user input, words start to appear as though they are being typed. What is the first step that Ben should take in his investigation?
    1. Run an antivirus scan.
    2. Disconnect the system from the network.
    3. Wipe the system and reinstall.
    4. Observe and record what is being typed.
  93. Kathleen's forensic analysis of a laptop that is believed to have been used to access sensitive corporate data shows that the suspect tried to overwrite the data they downloaded as part of antiforensic activities by deleting the original files and then copying other files to the drive. Where is Kathleen most likely to find evidence of the original files?
    1. The MBR
    2. Unallocated space
    3. Slack space
    4. The FAT
  94. Angela wants to access the decryption key for a BitLocker-encrypted system, but the system is currently turned off. Which of the following methods is a viable method if a Windows system is turned off?
    1. Hibernation file analysis
    2. Memory analysis
    3. Boot-sector analysis
    4. Brute-force cracking
  95. Adam believes that a system on his network is infected but does not know which system. To detect it, he creates a query for his network monitoring software based on the following pseudocode. What type of traffic is he most likely trying to detect?
        destip: [*] and duration < 10 packets and destbytes < 3000 and flowcompleted = true
        and application = http or https or tcp or unknown and content != uripath:* and content
        != contentencoding:*

    1. Users browsing malicious sites
    2. Adware
    3. Beaconing
    4. Outbound port scanning
  96. As an employee of the U.S. government, Megan is required to use NIST's information impact categories to classify security incidents. During a recent incident, proprietary information was changed. How should she classify this incident?
    1. As a privacy breach
    2. As an integrity loss
    3. As a proprietary breach
    4. As an availability breach
  97. During what stage of an event is preservation of evidence typically handled?
    1. Preparation
    2. Detection and analysis
    3. Containment, eradication, and recovery
    4. Post-incident activity
  98. Lukas wants to purge a drive to ensure that data cannot be extracted when it is sent offsite. Which of the following is not a valid option for purging hard drives on a Windows system?
    1. Use the built-in Windows sdelete command line.
    2. Use Eraser.
    3. Use DBAN.
    4. Encrypt the drive and then delete the key.
  99. Which of the following is not a valid use case for live forensic imaging?
    1. Malware analysis
    2. Encrypted drives
    3. Postmortem forensics
    4. Nonsupported filesystems
  100. While reviewing the actions taken during an incident response process, Mei is informed by the local desktop support staff person that the infected machine was returned to service by using a Windows System Restore point. Which of the following items will a Windows System Restore return to a previous state?
    1. Personal files
    2. Malware
    3. Windows system files
    4. All installed apps
  101. During a major incident response effort, Kobe discovers evidence that a critical application server may have been the data repository and egress point in the compromise he is investigating. If he is unable to take the system offline, which of the following options will provide him with the best forensic data?
    1. Reboot the server and mount the system drive using a USB-bootable forensic suite.
    2. Create an image using a tool like FTK Imager Lite.
    3. Capture the system memory using a tool like Volatility.
    4. Install and run an imaging tool on the live server.
  102. Manish finds the following entries on a Linux system in /var/log/auth.log. If he is the only user with root privileges, requires two-factor authentication to log in as root, and did not take the actions shown, what should he check for?
    A window page depicts an output.
    1. A hacked root account
    2. A privilege escalation attack from a lower privileged account or service
    3. A malware infection
    4. A RAT
  103. As part of his forensic analysis of a series of photos, John runs exiftool for each photo. He receives the following listing from one photo. What useful forensic information can he gather from this photo?
    A window page depicts the forensic analysis details.
    1. The original creation date, the device type, the GPS location, and the creator's name
    2. The endian order of the file, the file type, the GPS location, and the scene type
    3. The original creation date, the device type, the GPS location, and manufacturer of the device
    4. The MIME type, the GPS time, the GPS location, and the creator's name
  104. During the preparation phase of his organization's incident response process, Oscar gathers a laptop with useful software including a sniffer and forensics tools, thumb drives and external hard drives, networking equipment, and a variety of cables. What is this type of preprepared equipment commonly called?
    1. A grab bag
    2. A jump kit
    3. A crash cart
    4. A first responder kit
  105. As John proceeds with a forensic investigation involving numerous images, he finds a directory labeled Downloaded from Facebook. The images appear relevant to his investigation, so he processes them for metadata using exiftool. The following image shows the data provided. What forensically useful information can John gather from this output?
    A window page depicts the forensic analysis details.
    1. The original file creation date and time.
    2. The device used to capture the image.
    3. The original digest (hash) of the file, allowing comparison to the original.
    4. None; Facebook strips almost all useful metadata from images.
  106. Which of the following properly lists the order of volatility from least to most volatile?
    1. Printouts, swap files, CPU cache, RAM
    2. Hard drives, USB media, DVDs, CD-RWs
    3. DVDs, hard drives, virtual memory, caches
    4. RAM, swap files, SSDs, printouts
  107. While conducting a forensic review of a system involved in a data breach, Alex discovers a number of Microsoft Word files including files with filenames like critical_data.docx and sales_estimates_2023.docx. When he attempts to review the files using a text editor for any useful information, he finds only unreadable data. What has occurred?
    1. Microsoft Word files are stored in ZIP format.
    2. Microsoft Word files are encrypted.
    3. Microsoft Word files can be opened only by Microsoft Word.
    4. The user has used antiforensic techniques to scramble the data.
  108. Lukas believes that one of his users has attempted to use built-in Windows commands to probe servers on the network he is responsible for. How can he recover the command history for that user if the system has been rebooted since the reconnaissance has occurred?
    1. Check the Bash history.
    2. Open a command prompt window and press F7.
    3. Manually open the command history from the user's profile directory.
    4. The Windows command prompt does not store command history.
  109. Angela is conducting an incident response exercise and needs to assess the economic impact on her organization of a $500,000 expense related to an information security incident. How should she categorize this?
    1. Low impact.
    2. Medium impact.
    3. High impact.
    4. Angela cannot assess the impact with the data given.
  110. What step follows sanitization of media according to NIST guidelines for secure media handling?
    1. Reuse
    2. Validation
    3. Destruction
    4. Documentation
  111. Latisha wants to create a documented chain of custody for the systems that she is handling as part of a forensic investigation. Which of the following will provide her with evidence that systems were not tampered with while she is not working with them?
    1. A chain of custody log
    2. Tamper-proof seals
    3. System logs
    4. None of the above
  112. Matt's incident response team has collected log information and is working on identifying attackers using that information. What two stages of the NIST incident response process is his team working in?
    1. Preparation and containment, eradication, and recovery
    2. Preparation and post-incident activity
    3. Detection and analysis, and containment, eradication, and recovery
    4. Containment, eradication, and recovery and post-incident activity
  113. Raj discovers that the forensic image he has attempted to create has failed. What is the most likely reason for this failure?
    1. Data was modified.
    2. The source disk is encrypted.
    3. The destination disk has bad sectors.
    4. The data cannot be copied in RAW format.
  114. Liam notices the following entries in his Squert web console (a web console for Sguil IDS data). What should he do next to determine what occurred?
    An illustration exposes the entries in Squert web console.
    1. Review SSH logs.
    2. Disable SSH and then investigate further.
    3. Disconnect the server from the Internet and then investigate.
    4. Immediately change his password.
  115. Which of the following activities is not part of the containment and restoration process?
    1. Minimizing loss
    2. Identifying the attacker
    3. Limiting service disruption
    4. Rebuilding compromised systems
  116. Samantha has recently taken a new position as the first staff security analyst that her employer has ever had. During her first week, she discovers that there is no information security policy and that the IT staff do not know what to do during a security incident. Samantha plans to start up a CSIRT to handle incident response. What type of documentation should she provide to describe specific procedures that the CSIRT will use during events like malware infections and server compromise?
    1. An incident response policy
    2. An operations manual
    3. An incident response program
    4. A playbook
  117. What is the space between the last sector containing logical data and the end of the cluster called?
    1. Unallocated space
    2. Ephemeral space
    3. Slack space
    4. Unformatted space
  118. Jack is preparing to take a currently running PC back to his forensic lab for analysis. As Jack considers his forensic process, one of his peers recommends that he simply unplug the power cable rather than doing a software-based shutdown. Why might Jack choose to follow this advice?
    1. It will create a crash log, providing useful memory forensic information.
    2. It will prevent shutdown scripts from running.
    3. It will create a memory dump, providing useful forensic information.
    4. It will cause memory-resident malware to be captured, allowing analysis.
  119. Rick wants to validate his recovery efforts and intends to scan a web server he is responsible for with a scanning tool. What tool should he use to get the most useful information about system vulnerabilities?
    1. Wapiti
    2. Nmap
    3. OpenVAS
    4. ZAP
  120. What is the key goal of the containment stage of an incident response process?
    1. To limit leaks to the press or customers
    2. To limit further damage from occurring
    3. To prevent data exfiltration
    4. To restore systems to normal operation
  121. What level of forensic data extraction will most likely be possible and reasonable for a corporate forensic examiner who deals with modern phones that provide filesystem encryption?
    1. Level 1: Manual extraction
    2. Level 2: Logical extraction
    3. Level 3: JTAG or HEX dumping
    4. Level 4: Chip extraction
  122. Wang believes that a Windows system he is responsible for is compromised and wants to monitor traffic to and from it. Which of the following is not a typical capture option in circumstances like these?
    1. A packet capture tool installed on the system
    2. A packet capture tool on another system on the same network
    3. Packet capture at the network edge
    4. Packet capture at the network core
  123. Carol has discovered an attack that appears to be following the process flow shown here. What type of attack should she identify this as?
    A framework. Identify target, prepare for attack, initial intrusion, expand access, exfiltrate data, and conceal evidence and retain access are the components.
    1. Phishing
    2. Zero-day exploit
    3. Whaling
    4. Advanced persistent threat

    Refer to the image shown here for questions 124–126.
    An illustration with high volume and high relevance. Information governance is the input of the network.
  124. During an e-discovery process, Carol reviews the request from opposing counsel and builds a list of all the individuals identified. She then contacts the IT staff who support each person to request a list of their IT assets. What phase of the EDRM flow is she in?
    1. Information governance
    2. Identification
    3. Preservation
    4. Collection
  125. During the preservation phase of her work, Carol discovers that information requested as part of the discovery request has been deleted as part of a regularly scheduled data cleanup as required by her organization's policies. What should Carol do?
    1. Conduct a forensic recovery of the data.
    2. Create synthetic data to replace the missing data.
    3. Report the issue to counsel.
    4. Purge any other data related to the request based on the same policy.
  126. In what phase should Carol expect to spend the most person-hours?
    1. Identification
    2. Collection and preservation
    3. Processing, review, and analysis
    4. Production
  127. The incident response kit that Cassandra is building is based around a powerful laptop so that she can perform onsite drive acquisitions and analysis. If she expects to need to acquire data from SATA, SSD, and flash drives, what item should she include in her kit?
    1. A write blocker
    2. A USB hard drive
    3. A multi-interface drive adapter
    4. A USB-C cable
  128. Which of the following items is not typically found in corporate forensic kits?
    1. Write blockers
    2. Crime scene tape
    3. Label makers
    4. Decryption tools
  129. What incident response tool should Kai build prior to an incident to ensure that staff can reach critical responders when needed?
    1. A triage triangle
    2. A call list
    3. A call rotation
    4. A responsibility matrix
  130. Greg finds a series of log entries in his web server logs showing long strings "AAAAAAAAAAAAAAAAAAAAAAA", followed by strings of characters. What type of attack has he most likely discovered?
    1. A SQL injection attack
    2. A denial-of-service attack
    3. A buffer overflow attack
    4. A PHP string-ring attack
  131. During a security incident, Joanna makes a series of changes to production systems to contain the damage. What type of change should she file in her organization's change control process when the response effort is concluding?
    1. Routine change
    2. Priority change
    3. Emergency change
    4. Pre-approved change
  132. Which one of the following incident response test types provides an interactive exercise for the entire team but does not run the risk of disrupting normal business activity?
    1. Full interruption test
    2. Checklist review
    3. Management review
    4. Tabletop exercise
  133. Which of the following cloud service environments is likely to provide the best available information for forensic analysis?
    1. SaaS
    2. IaaS
    3. PaaS
    4. IDaaS
  134. Ken is helping his organization prepare for future incident response efforts and would like to ensure that they conduct regular training exercises. Which one of the following exercises could he use to remind incident responders of their responsibilities with the least impact on other organizational priorities?
    1. Checklist review
    2. Structured walk-through
    3. Capture the flag
    4. Tabletop exercise
  135. When analyzing network traffic for indicators of compromise, which one of the following service/port pairings would indicate a common protocol running on a nonstandard port?
    1. HTTPS on TCP port 443
    2. RDP on TCP port 3389
    3. SSH on TCP port 1433
    4. HTTP on TCP port 80
  136. Camilla is participating in the eradication and recovery stage of an incident response process. Which one of the following activities would not normally occur during this phase?
    1. Vulnerability mitigation
    2. Restoration of permissions
    3. Verification of logging/communication to security monitoring
    4. Analysis of drive capacity consumption
  137. What type of exercise actually activates an organization's incident response plan but has the lowest likelihood of disrupting normal activities?
    1. Checklist review
    2. Tabletop exercise
    3. Full interruption test
    4. Parallel test
  138. Which one of the following events is least likely to trigger the review of an organization's information security program?
    1. Security incident
    2. Changes in compliance obligations
    3. Changes in team members
    4. Changes in business processes
  139. The Open Source Security Testing Methodology Manual (OSSTMM) is focused on testing in three major areas. Which one of the following is not one of those areas?
    1. Physical locations
    2. Communications
    3. Web servers
    4. Human interactions
  140. Kevin is conducting an assessment of a web application using the OWASP Testing Guide. He is searching for XSS vulnerabilities in the application and would like to use an approach that balances the time required to conduct the testing and the effectiveness of the test. Which approach would be most appropriate?
    1. Use an automated testing tool.
    2. Conduct a penetration test.
    3. Test each input field manually.
    4. Interview the software developers.
  141. What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?
    1. Weekly
    2. Monthly
    3. Semiannually
    4. Annually
  142. Which one of the following programs has the primary goal of ensuring that an organization is able to maintain normal operations during a disaster or other disruption?
    1. Disaster recovery
    2. Incident response
    3. Risk management
    4. Business continuity
  143. Which one of the following programs has the primary goal of helping the organization quickly recover normal operations if they are disrupted?
    1. Disaster recovery
    2. Incident response
    3. Risk management
    4. Business continuity
  144. During what phase of the incident response process would an organization implement defenses designed to reduce the likelihood of a security incident?
    1. Preparation
    2. Detection and analysis
    3. Containment, eradication, and recovery
    4. Post-incident activity
  145. After wrapping up an incident response investigation, Chris is attempting to determine what went wrong so that he can implement new security controls that will prevent similar incidents in the future. What term best describes his work?
    1. Lessons learned review
    2. Post-incident activity
    3. Incident management
    4. Root-cause analysis
  146. What common criticism is leveled at the Cyber Kill Chain?
    1. Not all threats are aimed at a kill.
    2. It is too detailed.
    3. It includes actions outside the defended network.
    4. It focuses too much on insider threats.
  147. Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority?
    1. Identifying the source of the attack
    2. Eradication
    3. Containment
    4. Recovery
  148. Robert is finishing a draft of a proposed incident response policy for his organization. Who would be the most appropriate person to sign the policy?
    1. CEO
    2. Director of security
    3. CIO
    4. CSIRT leader
  149. Which one of the following is not an objective of the containment, eradication, and recovery phase of incident response?
    1. Detect an incident in progress.
    2. Implement a containment strategy.
    3. Identify the attackers.
    4. Eradicate the effects of the incident.
  150. Which one of the following is not a phase of the threat lifecycle addressed in the MITRE ATT&CK model?
    1. Domination
    2. Exfiltration
    3. Execution
    4. Privilege escalation