Incident Response and Computer Forensics

Question 1

What must be determined by the first responder to an incident?

The severity of the event

Which other personnel must be called in

The dollar amount associated with the incident

Answer 1

The severity of the event

A quick assessment of the situation severity by the first responder will determine who needs to be called or what should be done next, based on the incident response policy

Question 2

After seizing computer equipment alleged to have been involved in a crime, it is placed in a corridor unattended for ten minutes while officers subdue a violent suspect. The seized equipment is no longer admissible as evidence because of what violation?

Order of volatility

Damage control

Chain of custody

Answer 2

Chain of custody

Chain of custody has been violated. Chain of custody involves documenting evidence being collected thoroughly and legally while ensuring that the evidence cannot be tampered with. If the chain of custody has not been maintained because the equipment was unattended, it could result in evidence being deemed inadmissible by a court of law

Question 3

A warrant has been issued to investigate a server believed to be used by organized crime to swap credit card information. Following the order of volatility, which data should you collect first?

Electronic memory (RAM)

Hard disk

USB flash drive

Answer 3

Electronic memory (RAM)

The order of volatility determines which data is most at risk of loss. Electronic memory (RAM) data is lost when a device is powered off, as are the contents of the CPU cache; therefore, data must be properly collected before the other listed items

Question 4

While capturing network traffic, you notice an abnormally excessive number of outbound SMTP packets. To determine whether this is an incident that requires escalation or reporting, what else should you consult?

The contents of your inbox

The mail server log

The mail server documentation

Answer 4

The mail server log

The mail server log will reveal SMTP activity such as excessive outbound SMTP traffic. Real-time active monitoring of logs and long-term trend analysis can alert administrators immediately; this is the function of a security sensor such as an intrusion detection system (IDS), which can forward security alerts to a centralized security information and event management (SIEM) dashboard. SIEM dashboards can be secured so that sensitive alerts are available only to the appropriate security personnel. Documentation from previous similar incidents contains lessons learned that can aid in quick remediation

Question 5

You decide to work late on a Saturday night to replace wiring in your server room. Upon arriving, you realize that a break-in has occurred and server backup tapes appear to be missing. What should you do as law enforcement officials arrive?

Clean up the server room.

Sketch a picture of the area that was illegally entered on a notepad.

Alert officials that the surveillance video is on the premises.

Answer 5

Alert officials that the surveillance video is on the premises.

Video surveillance provides important evidence that could be used to solve this crime. For the organization, analyzing data retention policies for backups should be consulted to determine which data was compromised

Question 6

Which of the following best visually illustrates the state of a running computer at the time it was seized by law enforcement?

Digital photograph of the motherboard

Digital photograph of the screen

Visio network diagram

Answer 6

Digital photograph of the screen

A digital photograph of a screen can prove relevant to the particular crime because it may reveal what was happening on the system at the time it was seized

Question 7

Choose the correct order of volatility when collecting digital evidence:

Swap file, RAM, DVD-R, hard disk

RAM, DVD-R, swap file, hard disk

RAM, swap file, hard disk, DVD-R

Answer 7

RAM, swap file, hard disk, DVD-R

Digital forensic evidence must first be collected from the most fragile (power-dependent) locations such as RAM and the swap file. Swap files contain data from physical RAM that were paged to disk to make room for something else in physical RAM. Hard disks are the next most vulnerable, because hard disk data can simply be deleted and the disk can be filled with useless data to make data recovery difficult. A DVD-R is less susceptible to data loss than hard disks since it is read-only

Question 8

What can a forensic analyst do to reduce the number of files that must be analyzed on a seized disk?

Write a Visual Basic script that deletes files older than 30 days.

Delete files thought to be operating system files.

Ensure that the original disk is pristine and use a hash table on a copy of the files.

Answer 8

Ensure that the original disk is pristine and use a hash table on a copy of the files.

A hash table calculates file hashes for each file. Known standard operating system file hashes can be compared to your file hashes to quickly exclude known authentic operating system files that have not been modified

Question 9

A professional who is present at the time of evidence gathering can be summoned to appear in court or to prepare a report on her findings for use in court. This person referred to as what?

Defendant

Auditor

Forensic expert witness

Answer 9

Forensic expert witness

A forensic expert witness has specialized knowledge and experience in a field beyond that of the average person, and thus her testimony is deemed authentic

Question 10

Which of the following best describes chain of custody?

Delegating evidence collection to your superior

Preserving, protecting, and documenting evidence

Capturing a system image to another disk

Answer 10

Preserving, protecting, and documenting evidence

Preserving, protecting, and documenting evidence is referred to as chain of custody. The legally required implementation of evidence preservation is referred to as “legal hold.”

Question 11

While working on an insider trading case, you are asked to prove that an e-mail message is authentic and was sent to another employee. Which of the following should you consider? (Choose two.)

Was the message encrypted?

Was the message digitally signed?

Are user public keys properly protected?

Are user private keys properly protected?

Answer 11

Was the message digitally signed?

Are user private keys properly protected?

Digitally signing an e-mail message requires a user’s unique private key to which only he has access, which means he had to have sent the message and cannot dispute this fact (nonrepudiation). One factor used to arrive at this conclusion is how well protected user private keys are. If user private keys are simply stored on a hard disk without a password, anybody could have digitally signed the message, in which case user interviews and video surveillance may be used to place a user at a device where he may have access to a private key

Question 12

What type of evidence would be the most difficult for a perpetrator to forge?

IP address

MAC address

Cell phone SIM card

Answer 12

Cell phone SIM card

Cell phone subscriber identification module (SIM) cards contain unique data such as a serial number, the user’s contacts, text messages, and other relevant mobile subscriber data. This is used in Global System for Mobility (GSM) communication mobile devices and enables the user to use any GSM mobile device as long as a SIM card is inserted

Question 13

What is the purpose of disk forensic software? (Choose two.)

Using file encryption to ensure copied data mirrors original data

Using file hashes to ensure copied data mirrors original data

Protecting data on the original disks

Creating file hashes on the original disks

Answer 13

Using file hashes to ensure copied data mirrors original data

Protecting data on the original disks

A generated file hash, also called a checksum, is unique to the file on which it was based. Any change to the file invalidates the file hash. This is a method to digitally ensure that the correct version of a file is being analyzed and is part of document provenance, which strives to verify data origin and how it was processed and stored. Data on a seized hard disk must remain intact. Forensic disk software runs on a separate device or boots using its own operating system and uses bitstream copying to copy entire hard disk contents. File hashes should never be generated on the source hard disk; it is imperative that it remain undisturbed

Question 14

CDMA mobile devices do not use SIM cards.

GSM mobile devices do not use SIM cards.

GSM mobile devices use SIM cards.

Answer 14

GSM mobile devices do not use SIM cards.

Global System for Mobile (GSM) communication devices use SIM cards. This means you could purchase a new GSM mobile device and simply insert your SIM card without having to contact your mobile wireless service provider

Question 15

You must analyze data on a digital camera’s internal memory. You plan to connect your forensic computer to the camera using a USB cable. What should you do to ensure that you do not modify data on the camera?

Ensure that the camera is turned off.

Flag all files on the camera as read-only.

Use a USB write-blocking device.

Answer 15

Use a USB write-blocking device.

USB write-blocking devices ensure that data can travel in only one direction when collecting digital evidence from storage media, such as a digital camera’s internal memory. If this tool is used, this fact must be documented to adhere to chain-of-custody procedures

Question 16

What can be used to ensure that seized mobile wireless devices do not communicate with other devices?

SIM card

Faraday bag

Antistatic bag

Answer 16

Faraday bag

A Faraday bag is a mobile device shield that prevents wireless signals to or from the mobile device. This must be used immediately upon seizure of a wireless mobile device to ensure that data stored on it is not modified through wireless remote communications

Question 17

She must disable promiscuous mode on her NIC.

Each switch port is an isolated collision domain.

Each switch port is an isolated broadcast domain.

Answer 17

Each switch port is an isolated collision domain.

Ethernet switches isolate each port into its own collision domain. When capturing network traffic, this means you will not see traffic to or from other computers plugged into other switch ports, other than broadcast and multicast packets. Some switches allow you to copy all switch traffic to a monitoring port, but the scenario did not mention this

Question 18

A network intrusion detection device captures network traffic during the commission of a crime on a network. You notice NTP and TCP packets from all network hosts in the capture. You must find a way to correlate captured packets to a date and time to ensure the packet captures will be considered admissible as evidence. What should you do? (Choose two.)

Nothing. NTP keeps time in sync on a network.

Nothing. Packet captures are time stamped.

Without digital signatures, date and time cannot be authenticated.

Without encryption, date and time cannot be authenticated.

Answer 18

Nothing. NTP keeps time in sync on a network.

Nothing. Packet captures are time stamped.

Network Time Protocol (NTP) keeps computers synchronized to a reliable time source. Captured network traffic is time stamped and includes offset time stamps from when the capture was started

Question 19

You arrive at a scene where a computer must be seized as evidence. The computer is powered off and has an external USB hard drive plugged in. What should you do first?

Turn on the computer.

Unplug the external USB hard drive.

Thoroughly document the state of the equipment.

Answer 19

Thoroughly document the state of the equipment.

Thoroughly documenting the state of equipment before it is seized is critical to adhere to chain-of-custody procedures. Failure to do so will render collected evidence inadmissible

Question 20

You are asked to examine a hard disk for fragments of instant messaging conversations as well as deleted files. How should you do this?

Use bitstream copying tools.

Log in to the computer and copy the original hard drive contents to an external USB hard drive.

View log files.

Answer 20

Use bitstream copying tools.

Bitstream forensic copying tools copy hard disk data at the bit level, not at the file level. When a file is deleted, it may disappear from the file system, but the file data in its entirety is intact on the hard disk until the hard disk is filled with new data. Deleted files are not copied with file-level copying, but they are with bitstream copying

Question 21

How can a forensic analyst benefit from analyzing metadata? (Choose three.)

JPEG metadata can reveal specific camera settings.

Microsoft Word metadata can reveal the author name.

Microsoft Excel metadata can reveal your MAC address.

PDF metadata can reveal the registered company name.

Answer 21

JPEG metadata can reveal specific camera settings.

Microsoft Word metadata can reveal the author name.

PDF metadata can reveal the registered company name.

Metadata, also called tags, is information that describes data. For example, a JPEG picture stored on a web server taken with a digital camera could contain hidden data including camera settings as well as date and time stamps. Metadata also applied to e-mail message transmission path details and mobile device details such as operating system version. Microsoft Word and Portable Document Format (PDF) documents contain metadata such as the document author name, registered company name, and so on

Question 22

Which of the following rules must be followed when performing forensic analysis? (Choose two.)

Work only with the original, authentic data.

Work only with a copy of data.

Seek legal permission to conduct an analysis.

Seek your manager’s permission to conduct an analysis.

Answer 22

Work only with a copy of data.

Seek legal permission to conduct an analysis.

You must obtain proper legal permission to seize and analyze data. Perform analysis on a forensic copy of data; never work on the original data, because this will render evidence inadmissible

Question 23

The IT director is creating the following year’s budget. You are asked to submit forensics dollar figures for your Cloud Security Incident Response Team (CSIRT). Which item should you not submit?

Travel expenses

Training expenses

ALE amounts

Answer 23

ALE amounts

Annual loss expectancy (ALE) is used to calculate the probability of asset failure over a year. It is used when performing a risk assessment and doesn’t relate to a forensics budget

Question 24

At 9:30 a.m., users report that network performance has been severely degraded since the workday began at 8 a.m. After network analysis and a quick discussion with your IT security team, you conclude that a worm virus has infected your network. What should you do to contain the damage? (Choose two.)

Determine the severity of the security breach.

Unplug SAN devices.

Shut down all servers.

Shut down Ethernet switches.

Answer 24

Determine the severity of the security breach.

Shut down Ethernet switches.

Once the severity of the issue has been determined, the quickest way to control the spread of a worm virus is to eliminate network connectivity

Question 25

A suspect deletes incriminating files and empties the Windows recycle bin. Which of the following statements are true regarding the deletion? (Choose two.)

The files cannot be recovered.

The files can be recovered.

Deleted files contain all of their original data until the hard disk is filled with other data.

Deleted files contain all of their original data until the hard disk is defragmented.

Answer 25

The files can be recovered.

Deleted files contain all of their original data until the hard disk is filled with other data.

Emptying the Windows recycle bin makes deleted files inaccessible to Windows users; however, the entire file contents are still on the disk until the disk is filled with other data. A third-party tool must be used to recover the deleted items in this case

Question 26

Which built-in Linux operating system tool can be used to create an exact copy of a disk volume for forensic analysis?

memdump

dd

WinHex

Answer 26

dd

The built-in Linux dd command can be used to copy a disk volume to an image file for future analysis while leaving the original file system intact. A commercial tool equivalent is FTK Imager

Question 27

You are reviewing existing network security controls and need to get up to speed on current lateral movement attacks commonly used by malicious users. What should you consult?

Diamond model

Cyber kill chain

Mitre Att&ck

Answer 27

Mitre Att&ck

The Mitre Att&ck knowledge base will provide details regarding current malicious user techniques used for lateral movement from a compromised host

Question 28

Which of the following items can enforce the RTO for a failed server?

Disaster recovery plan

Communication plan

Stakeholder management

Answer 28

Disaster recovery plan

A disaster recovery plan (DRP) outlines the steps to be taken to recover from a disruptive incident. A server DRP can enforce the recovery time objective (RTO) for a given server, which specifies the maximum tolerable amount of downtime. Period DRP drills should be conducted as a proof of concept (PoC) activity to ensure the efficacy of the DRP

Question 29

You need to review log files to determine whether network reconnaissance to learn of hostnames and IP addresses has occurred. Where will you most likely find this information?

rsyslog configuration

VoIP traffic log

DNS server log

Answer 29

DNS server log

DNS servers contain resource records detailing items such as host names and corresponding IP addresses; these records are consulted to resolve friendly names to IP addresses. As a result, reconnaissance scans that attempt to enumerate DNS servers will be shown in DNS server logs. As a measure of counterintelligence against attackers, a fake honeypot DNS server with incorrect information may be installed to throw off attackers

Question 30

Which Linux command is specifically designed to view systemd logs?

NXLog

IPFIX

journalctl

Answer 30

journalctl

The Linux journalctl command is used to view systemd logs and includes filtering capabilities, such as journalctl –b to view only those log entries related to the most recent system boot (as this will show you journal entries that have been collected since the most recent reboot)

Question 31

Which SOAR component is used to automate IT-related security incident response?

Playbook

Legal hold

Runbook

Answer 31

Runbook

Security orchestration, automation, and response (SOAR) is a software solution designed to make incident response more efficient by reducing response time through automation. Runbooks contains series of actions to be executed based on conditions—such as a DDoS attack occurring against the company network