Domain 7

Question 1

taking a bit by bit image or binary image of physical memory, gathering details about running processes and gathering network connection data

Answer 1

live forensics

Question 2

portions of a disk partition that are marked as actively containing data

Answer 2

allocated space

Question 3

portions of a disk partition that do not contain active data

Answer 3

unallocated space

Question 4

data is stored in specific sized chunks known as clusters which are sometimes referred to as sectors or blocks

Answer 4

slack space

Question 5

hard disks routinely end up with sectors that cannot be read due to some physical defect

Answer 5

bad block/clusters/sectors

Question 6

Legal counsel gaining access to pertinent electronic information during the pretrial discovery phase of civil legal proceedings

Answer 6

e-discovery

Question 7

Incident response steps

Answer 7

detection ( identification)
response ( containment )
mitigation ( eradication )
reporting
recovery
remediation
lessons learned

Question 8

incident response phase that includes steps before an incident occurs. ex: preparing an incident handling checklist

Answer 8

preparation

Question 9

incident response phase, aka identification, is the phase in which events are analyzed in order to determine whether these events might comprise a security incident

Answer 9

detection

Question 10

incident response phase, aka containment, is the point at which the incident response team begins interacting with affected systems and attempts to keep further damage from occuring as a result of the incident

Answer 10

response (containment)

Question 11

A binary forensic backup is made of systems in what incident response phase?

Answer 11

response (containment)

Question 12

incident response phase, aka eradication, that involves the process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase

Answer 12

mitigation (eradication)

Question 13

incident response phase ____ occurs throughout the process beginning with detection

Answer 13

reporting

Question 14

incident response phase that involves cautiously restoring the system or systems to operational status

Answer 14

recovery phase

Question 15

incident response phase that occurs during the mitigation phase and involves mitigating vulnerabilities in the system

Answer 15

remediation

Question 16

the goal of this incident response phase is to provide a final report on the incident which will be delivered to management

Answer 16

lessons learned

Question 17

A worm spreading on a trusted network; NIDS alerts

What kind of positive/negative?

Answer 17

true positive

Question 18

User surfs the web to an allowed site; NIDS is silent

What kind of positive/negative?

Answer 18

True negative

Question 19

User surfs the web to an allowed site; NIDS alerts

What kind of positive/negative?

Answer 19

False positive

Question 20

A worm is spreading on a trusted network; NIDS is silent

What kind of positive/negative?

Answer 20

False negative

Question 21

Regarding RAID, ___ achieves full data redundancy by writing the same data to multiple hard disks

Answer 21

mirroring

Question 22

Regarding RAID, ___ focuses on increasing read/write performance by spreading data across multiple hard disks. This does not provide data redundancy.

Answer 22

striping

Question 23

Regarding RAID, ___ achieves data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance

Answer 23

parity

Question 24

Aka stripe set, RAID __ employs striping to increase the performance of read and writes

Answer 24

0

Question 25

Aka mirrored set, RAID __ creates/writes an exact duplicate of all data to an additional disk

Answer 25

1

Question 26

RAID __ is a legacy technology that requires either 14 or 39 hard disks and a specially designed hardware controller, which makes this RAID cost prohibitive

Answer 26

2

Question 27

RAID ___ stripes data at the byte level across multiple disks but an additional disk is used for parity

Answer 27

3

Question 28

Provides same functionality as RAID 3 but strips data at the block level rather than byte.

Answer 28

4

Question 29

RAID __ is a striped set with distributed parity across the same striped disks. Most popular RAID because it provides low cost performance and redundancy is 1 disk fails

Answer 29

5

Question 30

Same as RAID 5, but accommodates for failure of 2 disks rather than 1

Answer 30

6

Question 31

A striped set of mirrors. aka RAID 1+0 to indicate a nested RAID

Answer 31

RAID 10

Question 32

Provides procedures and capabilities to sustain an organization’s essential strategic functions at an alternate site for up to 30 days

Answer 32

Continuity of Operations Plan (COOP)

Question 33

Provide coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat

Answer 33

Occupant Emergency Plan (OEP)

Question 34

NIST 800-34 is

Answer 34

Contingency Planning Guide for Federal Information Systems

Question 35

ISO/IEC-27031 is

Answer 35

focuses on BCP

Question 36

BS 25999-2 was replaced by

Answer 36

BS ISO 22301 Business Continuity Management Systems Requirements

Question 37

states that when a crime is committed
the perpetrator will leave something
behind and take something with them

Answer 37

Locard’s Principle

Question 38

Most digital evidence is found in ____ storage

Answer 38

secondary

Question 39

The court views unaltered evidence as ___

Answer 39

best evidence

Question 40

Heuristic scanners are prone to false positives but are useful in detecting ____

Answer 40

zero day vulnerabilties

Question 41

Archive bit is flipped to ___ when no back up is required

Answer 41

0

Question 42

Archive bit is flipped to ___ when a file is created or modified

Answer 42

1

Question 43

Who must approve RPO, RTO, WRT, and MTD?

Answer 43

System Owner

Question 44

You should always restore the most ___ systems first

Answer 44

critical