EXAM OBJECTIVES COVERED IN THIS CHAPTER:
3.1 Given a scenario, distinguish threat data or behavior to determine the impact of an incident.
3.2 Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation.
3.3 Explain the importance of communication during the incident response process.
3.4 Given a scenario, analyze common symptoms to select the best course of action to support incident response.
3.5 Summarize the incident recovery and post-incident response process.
If Lucca wants to validate the application files he has downloaded from the vendor of his application, what information should he request from them?
Jeff discovers multiple .jpg photos during his forensic investigation of a computer involved in an incident. When he runs exiftool to gather file metadata, which information is not likely to be part of the images even if they have complete metadata intact?
Chris wants to run John the Ripper against a Linux system’s passwords. What does he need to attempt password recovery on the system?
Charles needs to review the permissions set on a directory structure on a Window system he is investigating. Which Sysinternals tool will provide him with this functionality?
John has designed his network as shown here and places untrusted systems that want to connect to the network into the Guests network segment. What is this type of segmentation called?
The organization that Alex works for classifies security related events using NIST’s standard definitions. Which classification should he use when he discovers key logging software on one of his frequent business traveler’s laptop?
Jennifer is planning to deploy rogue access point detection capabilities for her network. If she wants to deploy the most effective detection capability she can, which of the following detection types should she deploy first?
Dan is designing a segmented network that places systems with different levels of security requirements into different subnets with firewalls and other network security devices between them. What phase of the incident response process is Dan in?
The company that Brian works for processes credit cards and is required to be compliant with PCI-DSS. If Brian’s company experiences a breach of card data, what type of disclosure will they be required to provide?
Lauren wants to create a backup of Linux permissions before making changes to the Linux workstation she is attempting to remediate. What Linux tool can she use to back up the permissions of an entire directory on the system?
While working to restore systems to their original configuration after a long-term APT compromise, Charles has three options.
He can remove the compromised accounts and rootkit tools and then fix the issues that allowed the attackers to access the systems.
Which option should Charles choose in this scenario?
Jessica wants to access a macOS FileVault 2–encrypted drive. Which of the following methods is not a possible means of unlocking the volume?
Susan discovers the following log entries that occurred within seconds of each other in her Squert (a Sguil web interface) console. What have her network sensors most likely detected?
Frank wants to log the creation of user accounts on a Windows 7 workstation. What tool should he use to enable this logging?
If Danielle wants to purge a drive, which of the following options will accomplish her goal?
Cynthia wants to build scripts to detect malware beaconing behavior. Which of the following is not a typical means of identifying malware beaconing behavior on a network?
While performing post-rebuild validation efforts, Scott scans a server from a remote network and sees no vulnerabilities. Joanna, the administrator of the machine, runs a scan and discovers two critical vulnerabilities and five moderate issues. What is most likely causing the difference in their reports?
As part of his organization’s cooperation in a large criminal case, Adam’s forensic team has been asked to send a forensic image of a highly sensitive compromised system in RAW format to an external forensic examiner. What steps should Adam’s team take prior to sending a drive containing the forensic image?
Mika wants to analyze the contents of a drive without causing any changes to the drive. What method is best suited to ensuring this?
What type of forensic investigation–related form is shown here?
Lisa is following the CompTIA process for validation after a compromise. Which of the following actions should be included in this phase?
Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage?
James wants to determine whether other Windows systems on his network are infected with the same malware package that he has discovered on the workstation he is analyzing. He has removed the system from his network by unplugging its network cable, as required by corporate policy. He knows that the system has previously exhibited beaconing behavior and wants to use that behavior to identify other infected systems. How can he safely create a fingerprint for this beaconing without modifying the infected system?
Fred is attempting to determine whether a user account is accessing other systems on his network and uses lsof to determine what files the user account has open. What information should he identify when faced with the following lsof output?
After completing an incident response process and providing a final report to management, what step should Casey use to identify improvement to her incident response plan?
The senior management at the company that Kathleen works for is concerned about rogue devices on the network. If Kathleen wants to identify rogue devices on her wired network, which of the following solutions will quickly provide the most accurate information?
While investigating a system error, Lauren runs the df command on a Linux box that she is the administrator for. What problem and likely cause should she identify based on this listing?
# df -h /var/
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 40G 11.2G 28.8 28% /
/dev/sda2 3.9G 3.9G 0 100% /var
In order, which set of Linux permissions are least permissive to most permissive?
As Lauren prepares her organization’s security practices and policies, she wants to address as many threat vectors as she can using an awareness program. Which of the following threats can be most effectively dealt with via awareness?
Scott wants to recover user passwords for systems as part of a forensic analysis effort. If he wants to test for the broadest range of passwords, which of the following modes should he run John the Ripper in?
During a forensic investigation, Charles discovers that he needs to capture a virtual machine that is part of the critical operations of his company’s website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow?
Mika, a computer forensic examiner, receives a PC and its peripherals that were seized as forensic evidence during an investigation. After she signs off on the chain of custody log and starts to prepare for her investigation, one of the first things she notes is that each cable and port was labeled with a color-coded sticker by the on-site team. Why are the items labeled like this?
Laura needs to create a secure messaging capability for her incident response team. Which of the following methods will provide her with a secure messaging tool?
While reviewing her Nagios logs, Selah discovers the error message shown here. What should she do about this error?
Alex needs to sanitize hard drives that will be leaving his organization after a lease is over. The drives contained information that his organization classifies as sensitive data that competitors would find valuable if they could obtain it. Which choice is the most appropriate to ensure that data exposure does not occur during this process?
Selah is preparing to collect a forensic image for a Macintosh computer. What hard drive format is she most likely to encounter?
During a forensic analysis of an employee’s computer as part of a human resources investigation into misuse of company resources, Tim discovers a program called Eraser installed on the PC. What should Tim expect to find as part of his investigation?
Jessica wants to recover deleted files from slack space and needs to identify where the files begin and end. What is this process called?
Lauren is the IT manager for a small company and occasionally serves as the organization’s information security officer. Which of the following roles should she include as the leader of her organization’s CSIRT?
During her forensic analysis of a Windows system, Cynthia accesses the registry and checks \HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCurrentVersionWinlogin. What domain was the system connected to, and what was the username that would appear at login?
Lauren wants to ensure that the two most commonly used methods for preventing Linux buffer overflow attacks are enabled for the operating system she is installing on her servers. What two related technologies should she investigate to help protect her systems?
Angela is attempting to determine when a user account was created on a Windows 10 workstation. What method is her best option if she believes the account was created recently?
Alex suspects that an attacker has modified a Linux executable using static libraries. Which of the following Linux commands is best suited to determining whether this has occurred?
Lauren wants to detect administrative account abuse on a Windows server that she is responsible for. What type of auditing permissions should she enable to determine whether users with administrative rights are making changes?
Cameron believes that the Ubuntu Linux system that he is restoring to service has already been fully updated. What command can he use to check for new updates, and where can he check for the history of updates on his system?
Adam wants to quickly crack passwords from a Windows 7 system. Which of the following tools will provide the fastest results in most circumstances?
Because of external factors, Eric has only a limited time period to collect an image from a workstation. If he collects only specific files of interest, what type of acquisition has he performed?
Kelly sees high CPU utilization in the Windows Task Manager, as shown here, while reviewing a system’s performance issues. If she wants to get a detailed view of the CPU usage by application, with PIDs and average CPU usage, what native Windows tool can she use to gather that detail?
During a forensic investigation, Steve records information about each drive, including where it was acquired, who made the forensic copy, the MD5 hash of the drive, and other details. What term describes the process Steve is using as he labels evidence with details of who acquired and validated it?
Roger’s SolarWinds monitoring system provides Windows memory utilization reporting. Use the chart shown here to determine what actions Roger should take based on his monitoring.
NIST defines five major types of threat information types in NIST SP 800-150, “Guide to Cyber Threat Information Sharing.”
Which of these should Frank seek out to help him best protect the midsize organization he works for against unknown threats?
Alex wants to determine whether the user of a company-owned laptop accessed a malicious wireless access point. Where can he find the list of wireless networks that the system knows about?
Fred wants to prevent buffer overflows from succeeding against his organization’s web applications. What technique is best suited to preventing this type of attack from succeeding?
Susan needs to perform forensics on a virtual machine. What process should she use to ensure she gets all of the forensic data she may need?
Allison wants to access Chrome logs as part of a forensic investigation. What format is information about cookies, history, and saved form fill information saved in?
While Chris is attempting to image a device, he encounters write issues and cannot write the image as currently set. What issue is he most likely encountering?
Christina is configuring her SolarWinds alerts for rogue devices and wants to select an appropriate reset condition for rogue MAC address alerts. Which of the options shown here is best suited to handling rogue devices if she wants to avoid creating additional work for her team?
Fred needs to validate the MD5 checksum of a file on a Windows system but is not allowed to install any programs and cannot run files from external media or drives. What Windows utility can he use to get the MD5 hash of the file?
Which of the following is not an important part of the incident response communication process?
Alex is diagnosing major network issues at a large organization and sees the following graph in her PRTG console on the “outside” interface of her border router. What can Alex presume has occurred?
Which of the following commands is not useful for determining the list of network interfaces on a Linux system?
What Windows memory protection methodology is shown here?
Forensic investigation shows that the target of the investigation used the Windows Quick Format command to attempt to destroy evidence on a USB thumb drive. Which of the NIST sanitization techniques has the target of the investigation used in their attempt to conceal evidence?
Angela wants to use her network security device to detect potential beaconing behavior. Which of the following options is best suited to detecting beaconing using her network security device?
During an incident response process Susan plugs a system back into the network, allowing it normal network access. What phase of the incident response process is Susan performing?
A server in the data center that Chris is responsible for monitoring unexpectedly connects to an off-site IP address and transfers 9GB of data to the remote system. What type of monitoring should Chris enable to best assist him in detecting future events of this type?
Jennifer’s team has completed the initial phases of their incident response process and is assessing the time required to recover from the incident. Using the NIST recoverability effort categories, the team has determined that they can predict the time to recover but will require additional resources. How should she categorize this using the NIST model?
Which of the following mobile device forensic techniques is not a valid method of isolation during forensic examination?
Rick wants to monitor permissions and ownership changes of critical files on the Red Hat Linux system he is responsible for. What Linux tool can he use to do this?
Janet is attempting to conceal her actions on a company-owned computer. As part of her cleanup attempts, she deletes all of the files she downloaded from a corporate file server using a browser in incognito mode. How can a forensic investigator determine what files she downloaded?
Joe is aware that an attacker has compromised a system on his network but wants to continue to observe the attacker’s efforts as they continue their attack. If Joe wants to prevent additional impact on his network while watching what the attacker does, what containment method should he use?
When Charles arrived at work this morning, he found an email in his inbox that read, “Your systems are weak; we will own your network by the end of the week.” How would he categorize this sign of a potential incident if he was using the NIST SP 800-61 descriptions of incident signs?
During an incident response process, Cynthia conducts a lessons-learned review. What phase of the incident response process is she in?
As part of his incident response program, Allan is designing a playbook for zero-day threats. Which of the following should not be in his plan to handle them?
As the CISO of her organization, Jennifer is working on an incident classification scheme and wants to base her design on NIST’s definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view?
Fred wants to identify digital evidence that can place an individual in a specific place at a specific time. Which of the following types of digital forensic data is not commonly used to attempt to document physical location at specific times?
Cynthia has completed the validation process of her media sanitization efforts and has checked a sample of the drives she had purged using a built-in cryptographic wipe utility. What is her next step?
In his role as a small company’s information security manager, Mike has a limited budget for hiring permanent staff. While his team can handle simple virus infections, he does not currently have a way to handle significant information security incidents. Which of the following options should Mike investigate to ensure that his company is prepared for security incidents?
The Stuxnet attack relied on engineers who transported malware with them, crossing the air gap between networks. What type of threat is most likely to cross an air-gapped network?
While reviewing his network for rogue devices, Dan notes that a system with MAC address D4:BE:D9:E5:F9:18 has been connected to a switch in one of the offices in his building for three days. What information can this provide Dan that may be helpful if he conducts a physical survey of the office?
Frank wants to ensure that media has been properly sanitized. Which of the following options properly lists sanitization descriptions from least to most effective?
Degaussing is an example of what form of media sanitization?
While reviewing storage usage on a Windows system, Brian checks the volume shadow copy storage as shown here:
C:WINDOWSsystem32>vssadmin list Shadowstorage
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
Shadow Copy Storage association
For volume: (C:)\?Volume{c3b53dae-0e54-13e3-97ab-806e6f6e69633}
Shadow Copy Storage volume: (C:)\?Volume{c3b53dae-0e54-13e3-97ab-806e6f6e6963}
Used Shadow Copy Storage space: 25.6 GB (2%)
Allocated Shadow Copy Storage space: 26.0 GB (2%)
Maximum Shadow Copy Storage space: 89.4 GB (10%)
What purpose does this storage serve, and can he safely delete it?
Near the end of a typical business day, Danielle is notified that her organization’s email servers have been blacklisted because of email that appears to originate from her domain. What information does she need to start investigating the source of the spam emails?
Lauren recovers a number of 16GB and 32GB microSD cards during a forensic investigation. Without checking them manually, what filesystem type is she most likely to find them formatted in as if they were used with a digital camera?
While checking for bandwidth consumption issues, Alex uses the ifconfig command on the Linux box that he is reviewing. He sees that the device has sent less than 4Gb of data, but his network flow logs show that the system has sent over 20Gb. What problem has Alex encountered?
After arriving at an investigation site, Brian determines that three powered-on computers need to be taken for forensic examination. What steps should he take before removing the PCs?
In his role as a forensic examiner, Lucas has been asked to produce forensic evidence related to a civil case. What is this process called?
During their organization’s incident response preparation, Charles and Linda are identifying critical information assets that the company uses. Included in their organizational data sets is a list of customer names, addresses, phone numbers, and demographic information. How should Charles and Linda classify this information?
As Lauren studies her company’s computer forensics playbook, she notices that forensic investigators are required to use a chain of custody form. What information would she record on that form if she was conducting a forensic investigation?
Scott needs to ensure that the system he just rebuilt after an incident is secure. Which type of scan will provide him with the most useful information to meet his goal?
What is the primary role of management in the incident response process?
While reviewing his OSSEC SIEM logs, Chris notices the following entries. What should his next action be if he wants to quickly identify the new user’s creation date and time?
Jessica wants to track the changes made to the registry and filesystem while running a suspect executable on a Windows system. Which Sysinternals tool will allow her to do this?
Frank wants to improve the effectiveness of the incident analysis process he is responsible for as the leader of his organization’s CSIRT. Which of the following is not a commonly recommended best practice based on NIST’s guidelines?
NIST describes four major phases in the incident response cycle. Which of the following is not one of the four?
Charles wants to perform memory forensics on a Windows system and wants to access pagefile.sys. When he attempts to copy it, he receives the following error. What access method is required to access the page file?
Chris wants to prevent evil twin attacks from working on his wireless network. Which of the following is not a useful method for detecting evil twins?
Where is slack space found in the following Windows partition map?
Luke needs to verify settings on a macOS computer to ensure that the configuration items he expects are set properly. What type of file is commonly used to store configuration settings for macOS systems?
Adam needs to determine the proper retention policy for his organization’s incident data. If he wants to follow common industry practices and does not have specific legal or contractual obligations that he needs to meet, what time frame should he select?
The system that Alice has identified as the source of beaconing traffic is one of her organization’s critical e-commerce servers. To maintain her organization’s operations, she needs to quickly restore the server to its original, uncompromised state. What criteria is most likely to be impacted the most by this action?
After law enforcement was called because of potential criminal activity discovered as part of a forensic investigation, the officers on the scene seized three servers. When can Joe expect his servers to be returned?
Lauren wants to create a forensic image that third-party investigators can use but does not know what tool the third-party investigation team that her company intends to engage will use. Which of the following forensic formats should she choose if she wants almost any forensic tool to be able to access the image?
After Janet’s attempts to conceal her downloads of important corporate information were discovered, forensic investigators learned that she frequently copied work files to a USB drive. Which of the following is not a possible way to manually check her Windows workstation for a list of previously connected USB drives?
As part of his forensic investigation, Scott intends to make a forensic image of a network share that is mounted by the PC that is the focus of his investigation. What information will he be unable to capture?
NIST SP 800-61 identifies six outside parties that an incident response team will typically communicate with. Which of the following is not one of those parties?
What common incident response follow-up activity includes asking questions like “What additional tools or resources are needed to detect or analyze future events?”
Susan has been asked to capture forensic data from a Windows PC and needs to ensure that she captures the data in their order of volatility. Which order is correct from most volatile to least volatile?
During an incident response process, Susan heads to a compromised system and pulls its network cable. What phase of the incident response process is Susan performing?
Scott needs to verify that the forensic image he has created is an exact duplicate of the original drive. Which of the following methods is considered forensically sound?
What strategy does NIST suggest for identifying attackers during an incident response process?
Rick is conducting a forensic investigation of a compromised system. He knows from user reports that issues started at approximately 3:30 p.m. on June 12. Using the SANS SIFT open source forensic tool, what process should he use to determine what occurred?
Charles believes that an attacker may have added accounts and attempted to obtain extra rights on a Linux workstation. Which of the following is not a common way to check for unexpected accounts like this?
Ben wants to coordinate with other organizations in the information security community to share data and current events as well as warnings of new security issues. What type of organization should he join?
While investigating a spam email, Adam is able to capture headers from one of the email messages that was received. He notes that the sender was Carmen Victoria Garci. What facts can he gather from the headers shown here?
Lauren needs to access a macOS system but does not have the user’s password. If the system is not FileVaulted, which of the following options is not a valid recovery method?
While performing forensic analysis of an iPhone backup, Cynthia discovers that she has only some of the information that she expects the phone to contain. What is the most likely scenario that would result in the backup she is using having partial information?
Chris wants to ensure that his chain of custody documentation will stand up to examination in court. Which of the following options will provide him with the best documentary proof of his actions?
Cynthia is reviewing her organization’s incident response recovery process, which is outlined here. Which of the following recommendations should she make to ensure that further issues do not occur during the restoration process?
After zero wiping a system’s hard drive and rebuilding it with all security patches and trusted accounts, Lauren is notified that the system is once again showing signs of compromise. Which of the following types of malware package cannot survive this type of eradication effort?
Patents, copyrights, trademarks, and trade secrets are all related to what type of data?
Which of the following issues is not commonly associated with BYOD devices?
Saria is reviewing the contents of a drive as part of a forensic effort and notes that the file she is reviewing takes up more space on the disk than its actual size, as shown here. What has she discovered?
What is the minimum retention period for incident data for U.S. federal government agencies?
Kathleen is restoring a critical business system to operation after a major compromise and needs to validate that the operating system and application files are legitimate and do not have any malicious code included in them. What type of tool should she use to validate this?
Charles wants to verify that authentication to a Linux service has two-factor authentication settings set as a requirement. Which common Linux directory can he check for this type of setting, listed by application, if the application supports it?
Charles is creating the evidence log for a computer that was part of an attack on an external third-party system. What network-related information should he include in that log if he wants to follow NIST’s recommendations?
Chris believes that systems on his network have been compromised by an advanced persistent threat actor. He has observed a number of large file transfers outbound to remote sites via TLS-protected HTTP sessions from systems that do not typically send data to those locations. Which of the following techniques is most likely to detect the APT infections?
After submitting a suspected malware package to VirusTotal, Alex receives the following results. What does this tell Alex?
Ben is investigating a potential malware infection of a laptop belonging to a senior manager in the company he works for. When the manager opens a document, website, or other application that takes user input, words start to appear as though they are being typed. What is the first step that Ben should take in his investigation?
Kathleen’s forensic analysis of a laptop that is believed to have been used to access sensitive corporate data shows that the suspect tried to overwrite the data they downloaded as part of antiforensic activities by deleting the original files and then copying other files to the drive. Where is Kathleen most likely to find evidence of the original files?
As part of a test of her network’s monitoring infrastructure, Kelly uses snmpwalk to validate her router SNMP settings. She executes snmpwalk as shown here:
snmpwalk -c public 10.1.10.1 -v1
iso.3.6.1.2.1.1.0 = STRING: "RouterOS 3.6"
iso.3.6.1.2.1.2.0 = OID: iso.3.6.1.4.1.30800
iso.3.6.1.2.1.1.3.0 = Timeticks: (1927523) 08:09:11
iso.3.6.1.2.1.1.4.0 = STRING: "root"
iso.3.6.1.2.1.1.5.0 = STRING: "RouterOS"
...
Which of the following pieces of information is not something she can discover from this query?
Laura needs to check on memory, CPU, disk, network, and power usage on a Mac. What GUI tool can she use to check these?
Angela wants to access the decryption key for a BitLocker-encrypted system, but the system is currently turned off. Which of the following methods is a viable method if a Windows system is turned off?
Adam believes that a system on his network is infected but does not know which system. To detect it, he creates a query for his network monitoring software based on the following pseudocode. What type of traffic is he most likely trying to detect?
destip: [*] and duration < 10 packets and destbytes < 3000 and flowcompleted = true
and application = http or https or tcp or unknown and content != uripath:* and content
!= contentencoding:*
Casey’s search for a possible Linux backdoor account during a forensic investigation has led her to check through the filesystem for issues. Where should she look for back doors associated with services?
As an employee of the U.S. government, Megan is required to use NIST’s information impact categories to classify security incidents. During a recent incident, proprietary information was changed. How should she classify this incident?
During what stage of an event is preservation of evidence typically handled?
Susan is reviewing event logs to determine who has accessed a workstation after business hours. When she runs secpol.msc on the Windows system she is reviewing, she sees the following settings. What important information will be missing from her logs?
Cynthia runs the command shown here while checking usage of her Linux system. Which of the following statements is true based on the information shown?
Lucas wants to purge a drive to ensure that data cannot be extracted from it when it is sent off-site. Which of the following is not a valid option for purging hard drives on a Windows system?
The company that Charleen works for has been preparing for a merger, and during a quiet phase she discovers that the corporate secure file server that contained the details of the merger has been compromised. As she works on her report, how should she most accurately categorize the data that was breached?
Which of the following is not a valid use case for live forensic imaging?
Which of the following commands is the standard way to determine how old a user account is on a Linux system if [username] is replaced by the user ID that you are checking?
Profiling networks and systems can help to identify unexpected activity. What type of detection can be used once a profile has been created?
While reviewing the actions taken during an incident response process, Jennifer is informed by the local desktop support staff person that the infected machine was returned to service by using a Windows system restore point. Which of the following items will a Windows system restore return to a previous state?
During a major incident response effort, Ben discovers evidence that a critical application server may have been the data repository and egress point in the compromise he is investigating. If he is unable to take the system offline, which of the following options will provide him with the best forensic data?
Charles wants to monitor file permission changes on a Windows system he is responsible for. What audit category should he enable to allow this?
Charles finds the following entries on a Linux system in /var/log/auth.log. If he is the only user with root privileges, requires two-factor authentication to log in as root, and did not take the actions shown, what should he check for?
[https://drive.google.com/open?id=0B4u5n3PsqCBjTDViWHhycjhhSzQ]
A disgruntled former employee uses the systems she was responsible for to slow down the network that Chris is responsible for protecting during a critical business event. What NIST threat classification best fits this type of attack?
As part of his forensic analysis of a series of photos, John runs exiftool for each photo. He receives the following listing from one photo. What useful forensic information can he gather from this photo?
During the preparation phase of his organization’s incident response process, Ben gathers a laptop with useful software including a sniffer and forensics tools, thumb drives and external hard drives, networking equipment, and a variety of cables. What is this type of pre-prepared equipment commonly called?
Chris is analyzing Chrome browsing information as part of a forensic investigation. After querying the visits table that Chrome stores, he discovers a 64-bit integer value stored as “visit time” listed with a value of 131355792940000000. What conversion does he need to perform on this data to make it useful?
Cynthia needs to ensure that the workstations she is responsible for have received a critical Windows patch. Which of the following methods should she avoid using to validate patch status for Windows 10 systems?
As John proceeds with a forensic investigation involving numerous images, he finds a directory labeled Downloaded from Facebook. The images appear relevant to his investigation, so he processes them for metadata using exiftool. The following image shows the data provided. What forensically useful information can John gather from this output?
The hospital that Ben works at is required to be HIPAA compliant and needs to protect HIPAA data. Which of the following is not an example of PHI?
Ben works at a U.S. federal agency that has experienced a data breach. Under FISMA, which organization does he have to report this incident to?
Which of the following properly lists the order of volatility from least volatile to most volatile?
Joe wants to recovery the passwords for local Windows users on a Windows 7 workstation. Where are the password hashes stored?
While conducting a forensic review of a system involved in a data breach, Alex discovers a number of Microsoft Word files including files with filenames like critical_data.docx and sales_estimates_2017.docx. When he attempts to review the files using a text editor for any useful information, he finds only unreadable data. What has occurred?
Rick is attempting to diagnose high memory utilization issues on a macOS system and notices a chart showing memory pressure. What does memory pressure indicate for macOS when the graph is yellow and looks like the following image?
Lucas believes that one of his users has attempted to use built-in Windows commands to probe servers on the network he is responsible for. How can he recover the command history for that user if the system has been rebooted since the reconnaissance has occurred?
While conducting a wireless site survey, Susan discovers two wireless access points that are both using the same MAC address. When she attempts to connect to each, she is sent to a login page for her organization. What should she be worried about?
During an incident response process, Alex discovers a running Unix process that shows that it was run using the command nc -k -l 6667. He does not recognize the service and needs assistance in determining what it is. Which of the following would best describe what he has encountered?
Angela is conducting an incident response exercise and needs to assess the economic impact to her organization of a $500,000 expense related to an information security incident. How should she categorize this?
Chris needs to verify that his Linux system is sending system logs to his SIEM. What method can he use to verify that the events he is generating are being sent and received properly?
Susan wants to protect the Windows workstations in her domain from buffer overflow attacks. What should she recommend to the domain administrators at her company?
What step follows sanitization of media according to NIST guidelines for secure media handling?
Joe is responding to a ransomware incident that has encrypted financial and business data throughout the organization, including current payroll and HR data. As events currently stand, payroll cannot be run for the current pay period. If Joe uses the NIST functional impact categories shown here, how should Joe rate this incident?
Lauren wants to create a documented chain of custody for the systems that she is handling as part of a forensic investigation. Which of the following will provide her with evidence that systems were not tampered with while she is not working with them?
Matt’s incident response team has collected log information and is working on identifying attackers using that information. What two stages of the NIST incident response process is his time working in?
Angela wants to understand what a malware package does and executes it in a virtual machine that is instrumented using tools that will track what the program does, what changes it makes, and what network traffic it sends while allowing her to make changes on the system or to click files as needed. What type of analysis has Angela performed?
Ben discovers that the forensic image he has attempted to create has failed. What is the most likely reason for this failure?
Derek sets up a series of virtual machines that are automatically created in a completely isolated environment. Once created, the systems are used to run potentially malicious software and files. The actions taken by those files and programs are recorded and then reported. What technique is Derek using?
Chris notices the following entries in his Squert web console (a web console for Sguil IDS data). What should he do next to determine what occurred?
Lauren wants to avoid running a program installed by a user that she believes is set with a RunOnce key in the Windows registry but needs to boot the system. What can she do to prevent RunOnce from executing the programs listed in the registry key?
Joseph wants to determine when a USB device was first plugged into a Windows workstation. What file should he check for this information?
A major new botnet infection that uses a peer-to-peer command-and-control process much like 2007’s Storm botnet has been released. Lauren wants to detect infected systems but knows that peer-to-peer communication is irregular and encrypted. If she wants to monitor her entire network for this type of traffic, what method should she use to catch infected systems?
Which of the following activities is not part of the containment and restoration process?
Angela has recently taken a new position as the first security analyst that her employer has ever had on staff. During her first week, she discovers that there is no information security policy and that the IT staff do not know what to do during a security incident. Angela plans to stand up a CSIRT to handle incident response. What type of documentation should she provide to describe specific procedures that the CSIRT will use during events like malware infections and server compromise?
What type of attack behavior is shown here?
While investigating a compromise, Jack discovers four files that he does not recognize and believes may be malware. What can he do to quickly and effectively check the files to see whether they are malware?
Alex is attempting to determine why a Windows system keeps filling its disk. If she wants to see a graphical view of the contents of the disk that allows her to drill down on each cluster, what Sysinternals tool should she use?
What useful information cannot be determined from the contents of the $HOME/.ssh folder when conducting forensic investigations of a Linux system?
John believes that the image files he has encountered during a forensic investigation were downloaded from a site on the Internet. What tool can John use to help identify where the files were downloaded from?
Brian’s network suddenly stops working at 8:40 AM, interrupting video conferences, streaming, and other services throughout his organization, and then resumes functioning. When Brian logs into his PRTG console and checks his router’s traffic via the primary connection’s redundant network link, he sees the following graph. What should Brian presume occurred based on this information?
Alex needs to create a forensic copy of a BitLocker-encrypted drive. Which of the following is not a method that he could use to acquire the BitLocker key?
Adam works for a large university and sees the following graph in his PRTG console when looking at a year-long view. What behavioral analysis could he leverage based on this pattern?
What is space between the last sector containing logical data and the end of the cluster called?
Frank wants to use netstat to get the process name, the PID, and the username associated with processes that are running on a Linux system he is investigating. What netstat flags will provide him with this information?
Jack is preparing to take a currently running PC back to his forensic lab for analysis. As Jack considers his forensic process, one of his peers recommends that he simply pull the power cable rather than doing a software-based shutdown. Why might Jack choose to follow this advice?
Amanda has been tasked with acquiring data from an iPhone as part of a mobile forensics effort. At this point, should she remove the SIM (or UICC) card from the device if she receives the device in a powered-on state?
Rick wants to validate his recovery efforts and intends to scan a web server he is responsible for with a scanning tool. What tool should he use to get the most useful information about system vulnerabilities?
What is the key goal of the containment stage of an incident response process?
What level of forensic data extraction will most likely be possible and reasonable for a corporate forensic examiner who deals with modern phones that provide filesystem encryption?
Angela is performing a forensic analysis of a Windows 10 system and wants to provide an overview of usage of the system using information contained in the Windows registry. Which of the following is not a data element she can pull from the SAM?
Samantha is preparing a report describing the common attack models used by advanced persistent threat actors. Which of the following is a typical characteristic of APT attacks?
During an incident response process, Alice is assigned to gather details about what data was accessed, if it was exfiltrated, and what type of data was exposed. What type of analysis is she doing?
Angela has discovered an attack that appears to be following the process flow shown here. What type of attack should she identify this as?
Refer to the image shown here for questions 201 to 203.
During an e-discovery process, Angela reviews the request from opposing counsel and builds a list of all of the individuals identified. She then contacts the IT staff who support each person to request a list of their IT assets. What phase of the EDRM flow is she in?
During the preservation phase of her work, Angela discovers that information requested as part of the discovery request has been deleted as part of a regularly scheduled data cleanup as required by her organization’s policies. What should Angela do?
What phase should Angela expect to spend the most person-hours in?
The incident response kit that Cassandra is building is based around a powerful laptop so that she can perform on-site drive acquisitions and analysis. If she expects to need to acquire data from both SATA and IDE drives, what item should she include in her kit?
Which of the following items is not typically found in corporate forensic kits?
What incident response tool should Lauren build prior to an incident to ensure that staff can reach critical responders when needed?
While performing process analysis on a compromised Linux system, Kathleen discovers a process called “john” that is running. What should she identify as the most likely use of the program?
Which of the following organizations is not typically involved in post-incident communications?
While reviewing system logs, Charles discovers that the processor for the workstation he is reviewing has consistently hit 100% processor utilization by the web browser. After reviewing the rest of the system, no unauthorized software appears to have been installed. What should Charles do next?
Lauren finds that the version of Java installed on her organization’s web server has been replaced. What type of issue is this best categorized as?
Greg finds a series of log entries in his Apache logs showing long strings “AAAAAAAAAAAAAAAAAAAAAAA” followed by strings of characters. What type of attack has he most likely discovered?
Catherine wants to detect unexpected output from the application she is responsible for managing and monitoring. What type of tool can she use to detect unexpected output effectively?