24 ) SY EX. 8 | COMPLETE | 暗記メーカー

24 ) SY EX. 8 | COMPLETE

91問 • 5ヶ月前

問題一覧

//////////////// During a forensic investigation, Kwame records information about each drive, including where it was acquired, who made the forensic copy, the MD5 hash of the drive, and other details. What term describes the process Kwame is using as he labels evidence with details of who acquired and validated it?

- Chain of custody

Susan needs to perform forensics on a virtual machine. What process should she use to ensure she gets all of the forensic data she may need?

- Suspend the machine and copy the contents of the directory it resides in.

Allison wants to access Chrome logs as part of a forensic investigation. What format is information about cookies, history, and saved form responses saved in?

- SQLite

While Chris is attempting to image a device, he encounters write issues and cannot write the image as currently set (refer to the image shown here). What issue is he most likely encountering?

- The destination drive is formatted FAT32.

Saanvi needs to validate the MD5 checksum of a file on a Windows system to ensure that there were no unauthorized changes to the binary file. He is not allowed to install any programs and cannot run files from external media or drives. What Windows utility can he use to get the MD5 hash of the file?

- certutil

Forensic investigation shows that the target of an investigation used the Windows Quick Format command to attempt to destroy evidence on a USB thumb drive. Which of the NIST sanitization techniques has the target of the investigation used in their attempt to conceal evidence?

- None of the above

During an incident response process, Susan plugs a system back into the network, allowing it normal network access. What phase of the incident response process is Susan performing?

- Containment, eradication, and recovery

Mei's team has completed the initial phases of their incident response process and is assessing the time required to recover from the incident. Using the NIST recoverability effort categories, the team has determined that they can predict the time to recover but will require additional resources. How should she categorize this using the NIST model?

- Supplemented

Janet is attempting to conceal her actions on a company-owned computer. As part of her cleanup attempts, she deletes all the files she downloaded from a corporate file server using a browser in incognito mode. How can a forensic investigator determine what files she downloaded?

- Drive analysis

Jose is aware that an attacker has compromised a system on his network but wants to continue to observe the attacker's efforts as they continue their attack. If Jose wants to prevent additional impact on his network while watching what the attacker does, what containment method should he use?

- Isolation

When Abdul arrived at work this morning, he found an email in his inbox that read, "Your systems are weak; we will own your network by the end of the week." How would he categorize this sign of a potential incident if he was using the NIST SP 800-61 descriptions of incident signs?

- A precursor

During an incident response process, Cynthia conducts a lessons learned review. What phase of the incident response process is she in?

- Post-incident recovery

As part of his incident response program, Allan is designing a playbook for zero-day threats. Which of the following should not be in his plan to handle them?

- Patching

As the CISO of her organization, Mei is working on an incident classification scheme and wants to base her design on NIST's definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view?

- An adverse event

Fred wants to identify digital evidence that can place an individual in a specific place at a specific time. Which of the following types of digital forensic data is not commonly used to attempt to document physical location at specific times?

- Microsoft Office document metadata

Kai has completed the validation process of her media sanitization efforts and has checked a sample of the drives she had purged using a built-in cryptographic wipe utility. What is her next step?

- Create documentation.

In his role as a small company's information security manager, Mike has a limited budget for hiring permanent staff. Although his team can handle simple virus infections, he does not currently have a way to handle significant information security incidents. Which of the following options should Mike investigate to ensure that his company is prepared for security incidents?

- Outsource to an incident response provider.

Bohai wants to ensure that media has been properly sanitized. Which of the following options properly lists sanitization descriptions from least to most effective?

- Clear, purge, destroy

Degaussing is an example of what form of media sanitization?

- Purging.

While reviewing storage usage on a Windows system, Brian checks the volume shadow copy storage as shown here: What purpose does this storage serve, and can he safely delete it?

- It provides a block-level snapshot and can be safely deleted.

Lauren recovers a number of 16GB and 32GB microSD cards during a forensic investigation. Without checking them manually, what filesystem type is she most likely to find them formatted in as if they were used with a digital camera?

- FAT32

After arriving at an investigation site, Brian determines that three powered-on computers need to be taken for forensic examination. What steps should he take before removing the PCs?

- Collect live forensic information, take photos of each system, and power them down.

In his role as a forensic examiner, Lukas has been asked to produce forensic evidence related to a civil case. What is this process called?

- E-discovery

As Mika studies her company's computer forensics playbook, she notices that forensic investigators are required to use a chain of custody form. Which of the following best describes the information that she should record on that form if she was conducting a forensic investigation?

- All individuals who work with evidence in the investigation

Scott needs to ensure that the system he just rebuilt after an incident is secure. Which type of scan will provide him with the most useful information to meet his goal?

- An authenticated vulnerability scan from a trusted internal network

What is the primary role of management in the incident response process?

- Providing authority and resources

Max wants to improve the effectiveness of the incident analysis process he is responsible for as the leader of his organization's CSIRT. Which of the following is not a commonly recommended best practice based on NIST's guidelines?

- Maintain backups of every system and device.

NIST describes four major phases in the incident response cycle. Which of the following is not one of the four?

- Notification and communication

Charles wants to perform memory forensics on a Windows system and wants to access pagefile.sys. When he attempts to copy it, he receives the following error. What access method is required to access the page file?

- Shut the system down, remove the drive, and copy it from another system.

Where is slack space found in the following Windows partition map?

- The System Reserved and C: partitions

Ty needs to determine the proper retention policy for his organization's incident data. If he wants to follow common industry practices and does not have specific legal or contractual obligations that he needs to meet, what timeframe should he select?

- 1 to 2 years

The system that Alice has identified as the source of beaconing traffic is one of her organization's critical e-commerce servers. To maintain her organization's operations, she needs to quickly restore the server to its original, uncompromised state. What criterion is likely to be impacted the most by this action?

- Ability to preserve evidence

Piper wants to create a forensic image that third-party investigators can use but does not know what tool the third-party investigation team that her company intends to engage will use. Which of the following forensic formats should she choose if she wants almost any forensic tool to be able to access the image?

- RAW

As part of his forensic investigation, Scott intends to make a forensic image of a network share that is mounted by the PC that is the focus of his investigation. What information will he be unable to capture?

- Deleted files

What common incident response follow-up activity includes asking questions like "What additional tools or resources are needed to detect or analyze future events?"

- Lessons learned review

Suki has been asked to capture forensic data from a Windows PC and needs to ensure that she captures the data in their order of volatility. Which order is correct from most to least volatile?

- CPU cache, network traffic, disk drives, optical media

During an incident response process, Suki heads to a compromised system and disconnects its network cable. What phase of the incident response process is Suki performing?

- Containment, eradication, and recovery

Scott needs to verify that the forensic image he has created is an exact duplicate of the original drive. Which of the following methods is considered forensically sound?

- All of the above

What strategy does NIST suggest for identifying attackers during an incident response process?

- Identifying attackers is not an important part of the incident response process.

While performing forensic analysis of an iPhone backup, Cynthia discovers that she has only some of the information that she expects the phone to contain. What is the most likely scenario that would result in the backup she is using having partial information?

- The backup is a differential backup.

Cullen wants to ensure that his chain of custody documentation will stand up to examination in court. Which of the following options will provide him with the best documentary proof of his actions?

- A second examiner acting as a witness and countersigning all actions

Cynthia is reviewing her organization's incident response recovery process, which is outlined here. Which of the following recommendations should she make to ensure that further issues do not occur during the restoration process?

- Isolate the system before restoring from backups.

Saria is reviewing the contents of a drive as part of a forensic effort and notes that the file she is reviewing takes up more space on the disk than its actual size, as shown here. What has she discovered?

- Slack space

Kathleen is restoring a critical business system to operation after a ma or compromise and needs to validate that the operating system and application files are legitimate and do not have any malicious code included in them. What type of tool should she use to validate this?

- A trusted system binary kit

Mel is creating the evidence log for a computer that was part of an attack on an external third-party system. What network-related information should he include in that log if he wants to follow NIST's recommendations?

- IP addresses, MAC addresses, hostname

Ryan believes that systems on his network have been compromised by an advanced persistent threat actor. He has observed a number of large file transfers outbound to remote sites via TLS-protected HTTP sessions from systems that do not typically send data to those locations. Which of the following techniques is most likely to detect the APT infections?

- Endpoint forensics

Ben is investigating a potential malware infection of a laptop belonging to a senior manager in the company he works for. When the manager opens a document, website, or other application that takes user input, words start to appear as though they are being typed. What is the first step that Ben should take in his investigation?

- Disconnect the system from the network.

Kathleen's forensic analysis of a laptop that is believed to have been used to access sensitive corporate data shows that the suspect tried to overwrite the data they downloaded as part of antiforensic activities by deleting the original files and then copying other files to the drive. Where is Kathleen most likely to find evidence of the original files?

- Slack space

Angela wants to access the decryption key for a BitLocker-encrypted system, but the system is currently turned off. Which of the following methods is a viable method if a Windows system is turned off?

- Hibernation file analysis

Adam believes that a system on his network is infected but does not know which system. To detect it, he creates a query for his network monitoring software based on the following pseudocode. What type of traffic is he most likely trying to detect?

- Beaconing

As an employee of the U.S. government, Megan is required to use NIST's information impact categories to classify security incidents. During a recent incident, proprietary information was changed. How should she classify this incident?

- As an integrity loss

During what stage of an event is preservation of evidence typically handled?

- Containment, eradication, and recovery

Lukas wants to purge a drive to ensure that data cannot be extracted when it is sent offsite. Which of the following is not a valid option for purging hard drives on a Windows system?

- Use the built-in Windows delete command line.

Which of the following is not a valid use case for live forensic imaging?

- Postmortem forensics

While reviewing the actions taken during an incident response process, Mei is informed by the local desktop support staff person that the infected machine was returned to service by using a Windows System Restore point. Which of the following items will a Windows System Restore return to a previous state?

- Windows system files

During a major incident response effort, Kobe discovers evidence that a critical application server may have been the data repository and egress point in the compromise he is investigating. If he is unable to take the system offline, which of the following options will provide him with the best forensic data?

- Create an image using a tool like FTK Imager Lite.

Manish finds the following entries on a Linux system in /var/log/auth. log. If he is the only user with root privileges, requires two-factor authentication to log in as root, and did not take the actions shown, what should he check for?

- A privilege escalation attack from a lower privileged account or service

As part of his forensic analysis of a series of photos, John runs exiftool for each photo. He receives the following listing from one photo. What useful forensic information can he gather from this photo?

- The original creation date, the device type, the GPS location, and manufacturer of the device

During the preparation phase of his organization's incident response process, Oscar gathers a laptop with useful software including a sniffer and forensics tools, thumb drives and external hard drives, networking equipment, and a variety of cables. What is this type of preprepared equipment commonly called?

- A jump kit

As John proceeds with a forensic investigation involving numerous images, he finds a directory labeled Downloaded from Facebook. The images appear relevant to his investigation, so he processes them for metadata using exiftool. The following image shows the data provided. What forensically useful information can John gather from this output?

- None; Facebook strips almost all useful metadata from images.

Which of the following properly lists the order of volatility from least to most volatile?

- DVDs, hard drives, virtual memory, caches

While conducting a forensic review of a system involved in a data breach, Alex discovers a number of Microsoft Word files including files with filenames like critical data.dox and sales estimates 2023.dox. When he attempts to review the files using a text editor for any useful information, he finds only unreadable data. What has occurred?

- Microsoft Word files are stored in ZIP format.

Lukas believes that one of his users has attempted to use built-in Windows commands to probe servers on the network he is responsible for. How can he recover the command history for that user if the system has been rebooted since the reconnaissance has occurred?

- The Windows command prompt does not store command history.

Angela is conducting an incident response exercise and needs to assess the economic impact on her organization of a $500,000 expense related to an information security incident. How should she categorize this?

- Angela cannot assess the impact with the data given.

What step follows sanitization of media according to NIST guidelines for secure media handling?

- Validation

Latisha wants to create a documented chain of custody for the systems that she is handling as part of a forensic investigation. Which of the following will provide her with evidence that systems were not tampered with while she is not working with them?

- Tamper-proof seals

Matt's incident response team has collected log information and is working on identifying attackers using that information. What two stages of the NIST incident response process is his team working in?

- Detection and analysis, and containment, eradication, and recovery

Raj discovers that the forensic image he has attempted to create has failed. What is the most likely reason for this failure?

- The destination disk has bad sectors.

Liam notices the following entries in his Squert web console (a web console for Squil IDS data). What should he do next to determine what occurred?

- Review SSH logs.

Which of the following activities is not part of the containment and restoration process?

- Identifying the attacker

Samantha has recently taken a new position as the first staff security analyst that her employer has ever had. During her first week, she discovers that there is no information security policy and that the IT staff do not know what to do during a security incident. Samantha plans to start up a CSIRT to handle incident response. What type of documentation should she provide to describe specific procedures that the CSIRT will use during events like malware infections and server compromise?

- A playbook

What is space between the last sector containing logical data and the end of the cluster called?

- Slack space

Jack is preparing to take a currently running PC back to his forensic lab for analysis. As Jack considers his forensic process, one of his peers recommends that he simply unplug the power cable rather than doing a software-based shutdown. Why might Jack choose to follow this advice?

- It will prevent shutdown scripts from running.

Rick wants to validate his recovery efforts and intends to scan a web server he is responsible for with a scanning tool. What tool should he use to get the most useful information about system vulnerabilities?

- OpenVAS

What is the key goal of the containment stage of an incident response process?

- To limit further damage from occurring

What level of forensic data extraction will most likely be possible and reasonable for a corporate forensic examiner who deals with modern phones that provide filesystem encryption?

- Level 2: Logical extraction

Wang believes that a Windows system he is responsible for is compromised and wants to monitor traffic to and from it. Which of the following is not a typical capture option in circumstances like these?

- A packet capture tool installed on the system

Carol has discovered an attack that appears to be following the process flow shown here. What type of attack should she identify this as?

- Advanced persistent threat

Refer to the image shown here for questions 124-126. 124. During an e-discovery process, Carol reviews the request from opposing counsel and builds a list of all the individuals identified. She then contacts the IT staff who support each person to request a list of their IT assets. What phase of the EDRM flow is she in?

- Identification

Refer to the image shown here for questions 124-126. 125. During the preservation phase of her work, Carol discovers that information requested as part of the discovery request has been deleted as part of a regularly scheduled data cleanup as required by her organization's policies. What should Carol do?

- Report the issue to counsel.

In what phase should Carol expect to spend the most person-hours?

- Processing, review, and analysis

The incident response kit that Cassandra is building is based around a powerful laptop so that she can perform onsite drive acquisitions and analysis. If she expects to need to acquire data from SATA, SSD, and flash drives, what item should she include in her kit?

- A multi-interface drive adapter

Which of the following items is not typically found in corporate forensic kits?

- Crime scene tape

What incident response tool should Kai build prior to an incident to ensure that staff can reach critical responders when needed?

- A call list

Greg finds a series of log entries in his web server logs showing long strings "AAAAAAAAAAAAAAAAAAAAAAA", followed by strings of characters. What type of attack has he most likely discovered?

- A buffer overflow attack

During a security incident, Joanna makes a series of changes to production systems to contain the damage. What type of change should she file in her organization's change control process when the response effort is concluding?

- Emergency change

Which one of the following incident response test types provides an interactive exercise for the entire team but does not run the risk of disrupting normal business activity?

- Tabletop exercise

Which of the following cloud service environments is likely to provide the best available information for forensic analysis?

- laas

Ken is helping his organization prepare for future incident response efforts and would like to ensure that they conduct regular training exercises. Which one of the following exercises could he use to remind incident responders of their responsibilities with the least impact on other organizational priorities?

- Checklist review

When analyzing network traffic for indicators of compromise, which one of the following service/port pairings would indicate a common protocol running on a nonstandard port?

- SSH on TCP port 1433

////////////////////// Camilla is participating in the eradication and recovery stage of an incident response process. Which one of the following activities would not normally occur during this phase?

- Analysis of drive capacity consumption

THE P.T: 1 CHRONICLE: ( ex.9 )

The R.S.S.H Delivery Company · 90問 · 6ヶ月前

THE P.T: 1 CHRONICLE: ( ex.9 )