Section 31 Incident Response and Forensics Flashcards

1
Q

A set of procedures that an investigator follows when examining a computer security incident.

A

Incident Response

2
Q

Program consisting of the monitoring and detection of security events on a computer network and the execution of proper responses to those security events.

A

Incident Management Program

3
Q

Process of recognizing whether an event that occurs should be classified as an incident.

A

Identification

4
Q

Focused on data restoration, system repair, and re-enabling any servers or networks taken offline during the incident response.

A

Recovery

5
Q

Signals sent between two parties or two devices via a path or method different from that of the primary communications between them.

A

Out-of-band communication

6
Q

Executives and managers who are responsible for business operations and functional areas.

A

Senior Leadership

7
Q

Governmental organizations that oversee the compliance with specific regulations and laws.

A

Regulatory Bodies

8
Q

The business or organization’s legal counsel is responsible for mitigating risk from civil lawmakers.

A

Legal

9
Q

Used to ensure that no breaches of employment law or employee contracts are made during an incident response.

A

Human Resources (HR)

10
Q

Used to manage negative publicity from a serious incident.

A

Public Relations (PR)

11
Q

Three variations of syslog, all of which permit the logging of data from different types of systems in a central repository.

A

syslog/rsyslog/syslog-ng

12
Q

A Linux command-line utility used for querying and displaying logs from journald, the systemd logging service on Linux.

A

journalctl

13
Q

A multi-platform log management tool that helps to identify security risks and policy breaches, or to analyze operational problems, in server logs, operating system logs, and application logs.

A

NXLog

14
Q

A network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface, including its point of origin, destination, volume and paths on the network.

A

NetFlow

15
Q

Short for “sampled flow”, it provides a means of exporting truncated packets, together with interface counters, for the purpose of network monitoring.

A

sFlow

16
Q

A universal standard for exporting Internet Protocol flow information from routers, probes and other devices. The exported information is used by mediation systems, accounting/billing systems and network management systems to facilitate services such as measurement, accounting and billing; the standard defines how IP flow information is to be formatted and transferred from an exporter to a collector.

A

IPFIX

17
Q

Data that describes other data: it provides an underlying definition or description by summarizing basic information about the data, which makes finding and working with particular instances of that data easier.

A

Metadata

18
Q

Ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected.

A

Collection

19
Q

Create a copy of the evidence for analysis, and use repeatable methods and tools during the analysis.

A

Analysis

20
Q

Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis.

A

Reporting

21
Q

A process designed to preserve all relevant information when litigation is reasonably expected to occur.

A

Legal Hold

22
Q

A tool that shows the sequence of file system events within a source image in a graphical format.

A

Timeline

23
Q

The methods and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk.

A

Data Acquisition

24
Q

A network diagnostic command for displaying possible routes and measuring transit delays of packets across an Internet Protocol (IP) network.

A

tracert/traceroute

25
Q

Utility used to determine the IP address associated with a domain name, obtain the mail server settings for a domain, and other DNS information.

A

nslookup/dig

26
Q

Utility that displays all the network configuration of the currently connected network devices and can modify the DHCP and DNS settings.

A

ipconfig/ifconfig

27
Q

An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses.

A

nmap

28
Q

Utility used to determine whether a host is reachable on an Internet Protocol (IP) network.

A

ping/pathping

29
Q

An open-source packet generator and analyzer for the TCP/IP protocol suite that is used for security auditing and testing of firewalls and networks.

A

hping

30
Q

Utility that displays network connections for the Transmission Control Protocol (TCP), routing tables, and a number of network interface and network protocol statistics.

A

netstat

31
Q

Utility for reading from and writing to network connections using TCP or UDP; it is a dependable back end that can be used directly or easily driven by other programs and scripts.

A

netcat

32
Q

Utility for viewing and modifying the local Address Resolution Protocol (ARP) cache on a given host or server.

A

arp

33
Q

Utility that is used to view and manipulate the IP routing table on a host or server.

A

route

34
Q

An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network.

A

sn1per