DFIR

Question 1

DF

Answer 1

Digital Forensics: Examining and analyzing artifacts after a cyberattack

Question 2

IR

Answer 2

Incident Response: Performing actions when a cyber event occurs

Question 3

DFIR

Answer 3

Investigate and respond to a cyberattack after an incident

Question 4

Threat Hunting

Answer 4

Active defense. Proactively search for threats

Question 5

IRP

Answer 5

Incident Response Plan

Question 6

Stages of Incident Response Planning

Answer 6

Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned

Question 7

DFIR Process

Answer 7

Collect Evidence, Examine Collected Data, Analyze Important Artifacts, Report the Findings

Question 8

DF Analysis Types

Answer 8

Dead Analysis (powered off computers)
Live Analysis (powered on computers)

Question 9

Targeted Artifacts

Answer 9

Files on a Drive, Memory Artifacts, Processes, Log Files, Cached Data

Question 10

Acquisition Tools

Answer 10

dd (data Dump): Drive Acquisition
FTK Imager: Drive and Memory Acquisition
DumpIt: Memory Acquisition

Question 11

Non-Repudiation

Answer 11

Provides proof of the origin and integrity of data

Question 12

RACI

Answer 12

Responsible, Accountable, Consulted, Informed
Used to assigned roles and responsibilities for each incident alert

Question 13

NIST

Answer 13

National Institution of Standards and Technology
Government agency

Question 14

SANS

Answer 14

Private organization. Offers research and education in the field of information security

Question 15

DRP

Answer 15

Disaster Recovery Plan
Outlines response strategies for unplanned events. Helps minimize the effects

Question 16

Data Acquisition Recommendations

Answer 16

Memory before drive acquisition
Memory captures are better is user is logged on
Use sterilized media
Document the capture properly
System interaction should be minimal
Capture to an external source

Question 17

Full Clone

Answer 17

The closest option to having the actual drive

Question 18

Logical Image

Answer 18

Narrows the search field. Some evidence may be spread across multiple partitions.

Question 19

Capture Formats

Answer 19

RAW, ISO, EWF, dd

Question 20

Clonezilla

Answer 20

Linux distribution for cloning drives. Not typically for forensic purposes.
Can clone over the network

Question 21

FTK Imager

Answer 21

Part of Forensic Toolkit Suite. Clone drive through interactive wizard

Question 22

Forensic Image Formats

Answer 22

E01: Provides compression per file checksum and password protection
AFF: Stores the imaged disk as compressed segments for better saving and metadata of the image

Question 23

Autopsy

Answer 23

Uses forensic tools from The Sleuth Kit. Created cases for captures

Question 24

Image Splitting

Answer 24

Virtualization software may split a drive into multiple files. Splitting is done to increase read and write speeds

Question 25

History

Answer 25

Includes entered URLs and webpages marked as favorites

Question 26

Cache

Answer 26

Files, images, scripts, and other media-related data

Question 27

Prefetch Files

Answer 27

Applications executed in Windows create prefetch filed The files are used as cache for loading time optimization

Question 28

Power Forensics

Answer 28

Add-on to PowerShell and is a Forensics framework Works with FAT and NTFS and can be launched from live systems Depends mostly on the MFT (Master File Table)

Question 29

PowerForensics Operation Modes

Answer 29

Live System and Mounted Drive Errors can occur if the drive is lager than 2TB

Question 30

PowerForensics Analysis Capabilities

Answer 30

Boot and Partitions, NTFS and EXT4, Windows Artifacts, Windows Registry, Application Cache

Question 31

Boot Record types

Answer 31

MBR: Supports up to 4 partitions per storage device and only with storage devices up to 2 TB GPT: Supports up to 16 exabytes and supports up to 128 partitions

Question 32

NTFS Specialties

Answer 32

Journaling: Recording storage device activity Indexing: Enables quick access to files stored on devices Alternate Data Stream (ADS): More than one resource included in a single file

Question 33

File Carving

Answer 33

Reassembles files from fragments when no metadata is available. Can be used to recover partially overwritten files

Question 34

Memory Analysis 6 Investigation Steps

Answer 34

Processes, DLL & Handles, Network, Code Injection, Rootkits, Dump

Question 35

Network Investigation: Network Connections

Answer 35

Connscan: Scans for identifiable TCP connections in older versions of Windows (Netscan can be used in more recent versions of Windows) Sockets: Scans for all open sockets

Question 36

Logs

Answer 36

Automatically created to sore records of events

Question 37

Log Classification

Answer 37

Informational, Debug, Warning, Error, Alert

Question 38

Log Attacks- What to Attack

Answer 38

Host which logs are generated, Transmitted logs, Agents that collect logs, Database in which logs are stored

Question 39

Threat Hunting

Answer 39

Proactive approach to handling cyberattacks. Aims to protect an organization from covert cyberthreats

Question 40

Threat Intelligence

Answer 40

Based on learning from other's mistakes. Forensic researchers can learn about new exploration techniques from public sources

Question 41

IOC

Answer 41

Indicators of Compromise. Help determine is an organization was harmed by a threat that was implemented. Can be used to distinguish false positives.

Question 42

Malware Forensics Suspicious Behavior

Answer 42

Increased Traffic, Accessed File Types, Service Inspection, Domain Identification, Persistence

Question 43

Zeek

Answer 43

Framework used to parse, normalize, and correlate logs. Focuses on extracting security-related information from logs to detect anomalies.

Question 44

Malware Analysis

Answer 44

Describes all actions, methods, and tools used to identify and study malicious behavior.

Question 45

Reverse Engineering

Answer 45

The process of deconstructing an executable to reveal its design, architecture, and activity

Question 46

Static Analysis

Answer 46

Can provide a lot of info even without executing the code. Used to identify IoC's

Question 47

Binwalk

Answer 47

Static Malware Analysis tool. Enables identification of magic byte patterns in a file.

Question 48

DLL

Answer 48

Dynamic Linked Library: A Windows file containing code and data that can be used by another program

Question 49

Dynamic Analysis

Answer 49

Methodology based on executing malware. Used to analyze malware's behavior and impact on the system

Question 50

Monitored Data

Answer 50

File System Changes, Network Activity, Registry Changes