Title of test:
cysa+ 851-900 Sybex.

Description:
cysa+ 851-900 Sybex.

Creation Date:
17/05/2023

Category:
Others

Number of questions: 19
Content:
Lukas wants to purge a drive to ensure that data cannot be extracted from it when it is sent off-site. Which of the following is not a valid option for purging hard drives on a Windows system? A. Use the built-in Windows sdelete command line. B. Use Eraser. C. Use DBAN. D. Encrypt the drive and then delete the key.
Which of the following commands is the standard way to determine how old a user account is on a Linux system if [username] is replaced by the user ID that you are checking? A. userstat [username] B. ls -ld /home/[username] C. aureport -auth | grep [username] D. None of the above.
Profiling networks and systems can help to identify unexpected activity. What type of detection can be used once a profile has been created? A. Dynamic analysis B. Anomaly analysis C. Static analysis D. Behavioral analysis.
Manish wants to monitor file permission changes on a Windows system he is responsible for. What audit category should he enable to allow this? A. File Permissions B. User Rights C. File System D. Audit Objects.
During the preparation phase of his organization’s incident response process, Oscar gathers a laptop with useful software including a sniffer and forensics tools, thumb drives and external hard drives, networking equipment, and a variety of cables. What is this type of pre-prepared equipment commonly called? A. A grab bag B. A jump kit C. A crash cart D. A first responder kit.
Chris is analyzing Chrome browsing information as part of a forensic investigation. After querying the visits table that Chrome stores, he discovers a 64-bit integer value stored as “visit time” listed with a value of 131355792940000000. What conversion does he need to perform on this data to make it useful? A. The value is in seconds since January 1, 1970. B. The value is in seconds since January 1, 1601. C. The value is a Microsoft timestamp and can be converted using the time utility. D. The value is an ISO 8601–formatted date and can be converted with any ISO time utility.
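Worked example added here (not part of the Sybex question set): both Chrome's WebKit timestamps and Windows FILETIME count from 1601-01-01 UTC rather than 1970, but in different units (microseconds vs. 100-nanosecond ticks), so the practical check is to decode under each assumption and see which lands in a plausible range. The value in the question decodes to a 2017 date only when read as 100 ns ticks; read as Chrome's microseconds it lands in the 58th century, which is the sign that the unit was wrong. The `plausible` window of 1990–2100 is an arbitrary sanity bound chosen for this example.

```python
from datetime import datetime, timedelta, timezone

# Both Chrome/WebKit time and Windows FILETIME count from this epoch, not 1970.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Offset between the two epochs: 11644473600 seconds.
EPOCH_DELTA_SECONDS = int((EPOCH_1970 - EPOCH_1601).total_seconds())


def webkit_to_iso(value: int) -> str:
    """Chrome History 'visit_time': microseconds since 1601-01-01 UTC."""
    return (EPOCH_1601 + timedelta(microseconds=value)).isoformat()


def filetime_to_iso(value: int) -> str:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return (EPOCH_1601 + timedelta(microseconds=value // 10)).isoformat()


def webkit_to_unix(value: int) -> float:
    """Rebase a WebKit timestamp onto the Unix epoch (seconds since 1970)."""
    return value / 1_000_000 - EPOCH_DELTA_SECONDS


def plausible(iso: str, lo: int = 1990, hi: int = 2100) -> bool:
    """Sanity bound (arbitrary for this example): a browsing record outside
    this window almost always means the wrong unit or epoch was assumed."""
    return lo <= int(iso[:4]) <= hi


if __name__ == "__main__":
    value = 131355792940000000  # the value quoted in the question above
    for label, iso in (
        ("WebKit/Chrome, microseconds", webkit_to_iso(value)),
        ("FILETIME, 100 ns ticks", filetime_to_iso(value)),
    ):
        print(f"{label}: {iso}  plausible={plausible(iso)}")
```

Running it shows the FILETIME reading (2017-04-02T04:01:34+00:00) as the only plausible one for that integer; a real Chrome `visits.visit_time` value for the same instant would be ten times smaller.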
Marsha needs to ensure that the workstations she is responsible for have received a critical Windows patch. Which of the following methods should she avoid using to validate patch status for Windows 10 systems? A. Check the Update History manually. B. Run the Microsoft Baseline Security Analyzer. C. Create and run a PowerShell script to search for the specific patch she needs to check. D. Use an endpoint configuration manager to validate patch status for each machine on her domain.
While conducting a forensic review of a system involved in a data breach, Alex discovers a number of Microsoft Word files including files with filenames like critical_data.docx and sales_estimates_2020.docx. When he attempts to review the files using a text editor for any useful information, he finds only unreadable data. What has occurred? A. Microsoft Word files are stored in ZIP format. B. Microsoft Word files are encrypted. C. Microsoft Word files can be opened only by Microsoft Word. D. The user has used antiforensic techniques to scramble the data.
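Worked example added here (not from the question set): a .docx is an OOXML package, i.e. a ZIP archive whose parts are compressed XML, which is why a text editor shows nothing readable. The check is the ZIP magic bytes `PK\x03\x04` at offset 0, after which the visible text can be pulled from `word/document.xml`. The sample document is constructed in memory by the example itself; it is not a file from the case in the question.

```python
import io
import re
import zipfile

DOCUMENT_PART = "word/document.xml"


def build_sample_docx(text: str) -> bytes:
    """Constructed sample: the smallest .docx-shaped package that carries one
    paragraph of text. Real files have many more parts, same container."""
    body = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(DOCUMENT_PART, body)
    return buf.getvalue()


def is_zip_container(data: bytes) -> bool:
    """OOXML (.docx/.xlsx/.pptx) begins with the ZIP local-file-header magic."""
    return data[:4] == b"PK\x03\x04"


def docx_parts(data: bytes) -> list:
    """List the parts inside the package (useful before trusting the extension)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def docx_text(data: bytes) -> str:
    """Return the visible text: concatenate every <w:t> run in document.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        xml = zf.read(DOCUMENT_PART).decode("utf-8")
    return "".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml))


if __name__ == "__main__":
    sample = build_sample_docx("Q2 sales estimate: 1.2M")
    print("ZIP container:", is_zip_container(sample))
    print("parts:", docx_parts(sample))
    print("text:", docx_text(sample))
```

On a real file, run `is_zip_container` first: a .docx that does not start with the ZIP magic is either a legacy binary .doc, a renamed file, or genuinely encrypted or damaged, each of which needs a different next step.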
During an incident response effort, Alex discovers a running Unix process that shows that it was run using the command nc -k -l 6667. He does not recognize the service, believes it may be a malicious process, and needs assistance in determining what it is. Which of the following would best describe what he has encountered? A. An IRC server B. A network catalog server C. A user running a shell command D. A netcat server.
What step follows sanitization of media according to NIST guidelines for secure media handling? A. Reuse B. Validation C. Destruction D. Documentation.
Raj discovers that the forensic image he has attempted to create has failed. What is the most likely reason for this failure? A. Data was modified. B. The source disk is encrypted. C. The destination disk has bad sectors. D. The data cannot be copied in RAW format.
Pranab wants to determine when a USB device was first plugged into a Windows workstation. What file should he check for this information? A. The registry B. The setupapi log file C. The system log D. The data is not kept on a Windows system.
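Worked example added here (not from the question set): `setupapi.dev.log` records the driver installation that happens the first time a device instance is connected, as a `>>>  [Device Install (Hardware initiated) - ...]` header followed by a `>>>  Section start` timestamp. The parser below keeps the earliest timestamp per device instance path. The log content is a constructed sample modelled on that layout (the vendor/product IDs and serial are made up); later connections of an already-installed device are not written to this log and must be traced elsewhere, such as the registry.

```python
import re
from datetime import datetime

# Constructed sample in the layout of setupapi.dev.log; IDs and serial are invented.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230516116065]
>>>  Section start 2023/05/17 09:12:44.301
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2023/05/17 09:12:46.812
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230516116065&0]
>>>  Section start 2023/05/17 09:12:47.005
<<<  Section end 2023/05/17 09:12:48.110
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230516116065]
>>>  Section start 2023/06/01 14:03:10.777
<<<  Section end 2023/06/01 14:03:11.900
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<inst>USB(?:STOR)?\\[^\]]+)\]"
)
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def first_usb_installs(log_text: str) -> dict:
    """Map device instance path -> local timestamp of its first recorded install.
    The header line names the device; the timestamp is on the next '>>>' line."""
    seen = {}
    pending = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group("inst")
            continue
        m = START.match(line)
        if m and pending:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            seen.setdefault(pending, ts)  # keep the earliest, ignore re-installs
            pending = None
    return seen


def serial_from_instance(inst: str) -> str:
    """Last path component is the serial; USBSTOR entries append '&<n>'."""
    return inst.rsplit("\\", 1)[-1].split("&")[0]


if __name__ == "__main__":
    for inst, ts in first_usb_installs(SAMPLE_LOG).items():
        print(ts.isoformat(timespec="milliseconds"), serial_from_instance(inst), inst)
```

Timestamps in this log are local time on the workstation, so correlate them with the machine's time zone before lining them up against UTC sources such as firewall logs.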
A major new botnet infection that uses a peer-to-peer command-and-control process has been released. Latisha wants to detect infected systems but knows that peer-to-peer communication is irregular and encrypted. If she wants to monitor her entire network for this type of traffic, what method should she use to catch infected systems? A. Build an IPS rule to detect all peer-to-peer communications that match the botnet’s installer signature. B. Use beaconing detection scripts focused on the command-and-control systems. C. Capture network flows for all hosts and use filters to remove normal traffic types. D. Immediately build a network traffic baseline and analyze it for anomalies.
What useful information cannot be determined from the contents of the $HOME/.ssh folder when conducting forensic investigations of a Linux system? A. Remote hosts that have been connected to B. Private keys used to log in elsewhere C. Public keys used for logins to this system D. Passphrases associated with the keys.
Carlos needs to create a forensic copy of a BitLocker-encrypted drive. Which of the following is not a method that he could use to acquire the BitLocker key? A. Analyzing the hibernation file B. Analyzing a memory dump file C. Retrieving the key from the MBR D. Performing a FireWire attack on mounted drives.
Adam works for a large university and sees the following graph in his PRTG console when looking at a yearlong view. What behavioral analysis could he leverage based on this pattern? A. Identify unexpected traffic during breaks like the low point at Christmas. B. He can determine why major traffic drops happen on weekends. C. He can identify top talkers. D. Adam cannot make any behavioral determinations based on this chart.
What is the space between the last sector containing logical data and the end of the cluster called? A. Unallocated space B. Ephemeral space C. Slack space D. Unformatted space.
Faruk wants to use netstat to get the process name, the PID, and the username associated with abnormally behaving processes that are running on a Linux system he is investigating. What netstat flags will provide him with this information? A. -na B. -pt C. -pe D. -sa.
Jack is preparing to take a currently running PC back to his forensic lab for analysis. As Jack considers his forensic process, one of his peers recommends that he simply pull the power cable rather than doing a software-based shutdown. Why might Jack choose to follow this advice? A. It will create a crash log, providing useful memory forensic information. B. It will prevent shutdown scripts from running. C. It will create a memory dump, providing useful forensic information. D. It will cause memory-resident malware to be captured, allowing analysis.