CySA+ Final - Study Guide 2022 with complete solution
Which format does dd produce files in?
A. ddf
B. RAW
C. EN01
D. OVF -Answer- B. dd creates files in RAW, bit-by-bit format. EN01 refers to the EnCase
evidence file format (normally written E01), OVF is a virtualization file format, and ddf is a made-up answer.
File remnants found in clusters that have been only partially overwritten by new files are
found in what type of space?
A. Outer
B. Slack
C. Unallocated space
D. Non-Euclidean -Answer- B. Slack space is the space that remains when only a
portion of a cluster is used by a file. Data from previous files may remain in the slack
space since it is typically not wiped or overwritten. Unallocated space is space that is
not currently assigned to any file (or, at the disk level, not part of any partition); it can
also hold deleted data, but it is not the unused tail of an in-use cluster. Outer space and
non-Euclidean space are not terms used for filesystems or forensics.
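The slack space mechanism described in the answer above, as an added example that is not part of the study guide: a single cluster is modelled as a byte array, an old file fills most of it, the file is deleted, and a smaller new file is written into the same cluster without the filesystem zeroing the tail. The cluster size and both file contents are constructed for illustration.

```python
"""Slack space remnant demonstration.

Added example, not part of the study guide. Models one filesystem cluster:
an old file fills most of it, the file is deleted, and a smaller new file is
written into the same cluster. Bytes of the old file that the new file did
not overwrite survive in the slack area. The cluster size and both file
contents are constructed for illustration.
"""

CLUSTER_SIZE = 4096  # assumed cluster size (NTFS default for most volumes)


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Slack in the final cluster of a file of file_size bytes."""
    if file_size <= 0:
        return 0
    remainder = file_size % cluster_size
    return 0 if remainder == 0 else cluster_size - remainder


def write_into_cluster(cluster: bytearray, data: bytes) -> None:
    """Write data at the start of the cluster; the rest is left as it was.

    Most filesystems do not zero the tail of a cluster on write, which is
    exactly why slack space keeps remnants of earlier files.
    """
    if len(data) > len(cluster):
        raise ValueError("data does not fit in one cluster")
    cluster[: len(data)] = data


def carve_slack(cluster: bytes, logical_size: int) -> bytes:
    """Return the slack region: everything past the file's logical end."""
    return bytes(cluster[logical_size:])


def demo() -> dict:
    cluster = bytearray(CLUSTER_SIZE)  # freshly allocated cluster, all zero
    old_file = b"CONFIDENTIAL: old draft, do not distribute. " * 90  # 3960 bytes (constructed)
    write_into_cluster(cluster, old_file)
    # The old file is deleted: only its directory/MFT entry is released,
    # the cluster contents stay in place (unallocated at this point).
    new_file = b"shopping list: milk, eggs\n"  # 26 bytes (constructed)
    write_into_cluster(cluster, new_file)  # cluster is allocated again
    slack = carve_slack(bytes(cluster), len(new_file))
    return {
        "slack_size": slack_bytes(len(new_file)),
        "remnant_found": b"CONFIDENTIAL" in slack,
        "remnant_offset_in_slack": slack.find(b"CONFIDENTIAL"),
    }


if __name__ == "__main__":
    print(demo())
```

The new 26-byte file leaves 4070 bytes of slack in the cluster, and the first intact copy of the old marker string is found 18 bytes into that slack (the copy at cluster offset 0 was destroyed by the new write). A carving tool working on a real volume does the same thing over every allocated cluster, using the logical file size from the MFT to know where slack begins.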
Mike is looking for information about files that were changed on a Windows system.
Which of the following is least likely to contain useful information for his investigation?
A. The MFT
B. INDX files
C. Event logs
D. Volume shadow copies -Answer- C. Event logs do not typically contain significant
amounts of information about file changes unless object access auditing has been
enabled for the files in question. The Master File Table and file indexes (INDX files)
both have specific information about files, whereas volume shadow copies can help
show differences between files and locations at a point in time.
Alice wants to copy a drive without any chance of it being modified by the copying
process. What type of device should she use to ensure that this does not happen?
A. read blocker
B. drive cloner
C. write blocker
D. hash validator -Answer- C. Write blockers ensure that no changes are made to a
source drive when creating a forensic copy. Preventing reads would stop you from
copying the drive, drive cloners may or may not have write blocking capabilities built in,
and hash validation is useful to ensure contents match but does not stop changes to the
source drive from occurring.
Frederick wants to determine if a thumb drive was ever plugged into a Windows system.
How can he test for this?
A. Review the MFT
B. Check the system's live memory
C. Use USB Historian
D. Create a forensic image of the drive -Answer- C. USB Historian provides a list of
devices that are recorded in the Windows Registry (for example under the USBSTOR
enumeration keys). Frederick can check the USB device's serial number and other
identifying information against the Windows system's historical data. If the device isn't
listed, that is not absolute proof it was never connected, but if it is listed, it is
reasonable to assume that it was connected to the system.
What two files may contain encryption keys normally stored only in memory on a
Windows system?
A. The MFT and the hash file
B. The Registry and hibernation files
C. Core dumps and encryption logs
D. Core dumps and hibernation files -Answer- D. Core dumps and hibernation files both
contain an image of the live memory of a system, potentially allowing encryption keys to
be retrieved from the stored file. The MFT provides information about file layout, and the
Registry contains system configuration; it is not where keys that live only in memory are
stored. There is no hash file or encryption log stored as a Windows default file.
Jeff is investigating a system compromise and knows that the first event was reported
on October 5th. What forensic tool capability should he use to map other events found
in logs and files to this date?
A. timeline
B. log viewer
C. Registry analysis
D. Timestamp validator -Answer- A. Timelines are one of the most useful tools when
conducting an investigation of a compromise or other event. Forensic tools provide built-in
timeline capabilities to allow this type of analysis. Because different sources log in
different formats and time zones, events must be normalized to a common time base
before they are placed on the timeline.
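The timeline-building step the answer above refers to, as an added example that is not part of the study guide: log lines from three sources with different timestamp formats are normalized to UTC, sorted, and labelled with their offset from the first reported event. All log lines, hosts, addresses, the year assumed for syslog entries and the time zones assigned to each source are constructed for illustration.

```python
"""Building an investigation timeline from mixed log sources.

Added example, not part of the study guide. Each source uses its own
timestamp format and time zone; entries are normalized to UTC, sorted and
labelled with their offset from the first reported event (the guide's
"October 5th"). All log lines, hosts, addresses and zone assignments below
are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records: (source, raw line).
SAMPLE_LOGS = [
    ("syslog", "Oct  5 02:13:44 web01 sshd[2311]: Accepted password for deploy from 198.51.100.7 port 51022"),
    ("winevt", "10/03/2022 11:02:10 PM  Security  4624  Logon  user=svc_backup src=10.0.0.5"),
    ("apache", '198.51.100.7 - - [04/Oct/2022:23:58:01 +0000] "POST /upload.php HTTP/1.1" 200 512'),
    ("syslog", "Oct  7 09:00:01 web01 cron[190]: (root) CMD (/tmp/.x/update.sh)"),
    ("winevt", "10/05/2022 01:15:00 AM  Security  4720  Account created  user=helpdesk2"),
]

ASSUMED_YEAR = 2022                        # syslog lines carry no year (assumption)
SYSLOG_TZ = timezone.utc                   # assumed: Linux hosts log in UTC
WIN_TZ = timezone(timedelta(hours=-4))     # assumed: Windows host logs in UTC-4 local time
PIVOT = datetime(2022, 10, 5, tzinfo=timezone.utc)  # first reported event

# Per-source timestamp regex and strptime format.
PARSERS = {
    "syslog": (re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) "), "%b %d %H:%M:%S %Y"),
    "winevt": (re.compile(r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"), "%m/%d/%Y %I:%M:%S %p"),
    "apache": (re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]"), "%d/%b/%Y:%H:%M:%S %z"),
}


def parse_timestamp(source: str, line: str) -> datetime:
    """Return the event time as a timezone-aware UTC datetime."""
    pattern, fmt = PARSERS[source]
    match = pattern.search(line)
    if not match:
        raise ValueError(f"no {source} timestamp in: {line!r}")
    if source == "syslog":
        month, day, clock = match.groups()
        ts = datetime.strptime(f"{month} {day} {clock} {ASSUMED_YEAR}", fmt).replace(tzinfo=SYSLOG_TZ)
    elif source == "winevt":
        ts = datetime.strptime(match.group(1), fmt).replace(tzinfo=WIN_TZ)
    else:  # apache: the %z offset already makes the result aware
        ts = datetime.strptime(match.group(1), fmt)
    return ts.astimezone(timezone.utc)


def build_timeline(records=SAMPLE_LOGS, pivot: datetime = PIVOT) -> list:
    """Sort events by UTC time; delta_hours is the offset from the pivot event."""
    events = []
    for source, line in records:
        ts = parse_timestamp(source, line)
        events.append({
            "utc": ts,
            "source": source,
            "delta_hours": (ts - pivot) / timedelta(hours=1),
            "line": line,
        })
    return sorted(events, key=lambda e: e["utc"])


def render(events) -> list:
    """One printable line per event, earliest first."""
    return [f"{e['utc'].isoformat()} {e['delta_hours']:+8.2f}h [{e['source']}] {e['line']}" for e in events]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

Run as a script it prints the five constructed events in order. The Windows logon that reads "10/03/2022 11:02:10 PM" in local time lands on October 4th in UTC, almost a day before the reported event, which is the kind of shift that is easy to miss when sources are compared by their raw timestamps.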
During her forensic copy validation process Danielle received the following MD5 sums
from her original drive and the cloned image after using dd. What is likely wrong?
b49794e007e909c00a51ae208cacb169 original.img
d9ff8a0cf6bc0ab066b6416e7e7abf35 clone.img
A. The original was modified.
B. The clone was modified.
C. dd failed.
D. An unknown change or problem occurred. -Answer- D. Since Danielle did not hash
her source drive prior to cloning, you cannot determine where the problem occurred: the
original may have changed, the clone may have been altered, or the copy may have failed.
If she had run md5sum (or, preferably, sha256sum alongside it, since MD5 is no longer
collision resistant) prior to the cloning process as well as after, she could verify that
the original disk had not changed.
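The acquisition and validation workflow the answer above describes, as an added example that is not part of the study guide: a source "device" is copied block by block into a RAW image the way dd does, the source is hashed before and after imaging, and the three hashes are compared so that a mismatch can be attributed. The source is a constructed random file in a temporary directory rather than a real block device; the block size, file names and tampering scenarios are assumptions for the demonstration.

```python
"""Forensic image acquisition with before/after hashing.

Added example, not part of the study guide. Copies a source "device" block by
block into a RAW image (what dd does) and hashes the source both before and
after imaging, so that a later mismatch can be attributed to the source or to
the image. The source here is a constructed file in a temporary directory;
on a real case it would be a block device behind a write blocker.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # like dd's bs= argument


def hash_path(path: str, algos=("md5", "sha256")) -> dict:
    """Hash a file in blocks and return {algorithm: hexdigest}.

    MD5 is still widely recorded for compatibility, but it is no longer
    collision resistant, so SHA-256 is recorded alongside it.
    """
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_raw(src: str, dst: str) -> int:
    """Bit-for-bit copy in fixed blocks (dd if=src of=dst bs=4096); returns bytes copied."""
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK_SIZE), b""):
            fout.write(chunk)
            copied += len(chunk)
    return copied


def diagnose(src_before: dict, src_after: dict, image: dict) -> str:
    """Attribute a mismatch. Without src_before the last two cases cannot be told apart."""
    if src_before == src_after == image:
        return "verified"
    if src_before != src_after:
        return "source changed"
    return "image differs"


def acquire(src: str, dst: str) -> dict:
    before = hash_path(src)   # hash the source first
    image_raw(src, dst)
    after = hash_path(src)    # re-hash the source after imaging
    return {"before": before, "after": after, "image": hash_path(dst)}


def flip_byte(path: str, offset: int) -> None:
    """Invert one byte in place; stands in for an unwanted write to a drive."""
    with open(path, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0xFF]))


def demo(tamper: str = "none") -> str:
    """tamper: 'none', 'source' (source written after imaging) or 'image'."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sdb")        # constructed stand-in for /dev/sdb
        dst = os.path.join(tmp, "clone.img")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * BLOCK_SIZE + 123))  # odd size: last block is partial
        rec = acquire(src, dst)
        if tamper == "source":
            flip_byte(src, 10)
            rec["after"] = hash_path(src)
        elif tamper == "image":
            flip_byte(dst, 10)
            rec["image"] = hash_path(dst)
        return diagnose(rec["before"], rec["after"], rec["image"])
```

The before-hash is what Danielle was missing: with it, a changed source and a corrupted image produce different verdicts; without it, both collapse into "an unknown change or problem occurred".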
Jennifer wants to perform memory analysis and forensics for Windows, macOS, and
Linux systems. Which of the following is best suited to her needs?
A. LiME
B. DumpIt
C. fmem
D. The Volatility Framework -Answer- D. The Volatility Framework is designed to work
with Windows, macOS, and Linux, and it provides in-depth memory forensics and
analysis capabilities. LiME and fmem are Linux acquisition tools, whereas DumpIt is a
Windows-only acquisition tool; Volatility analyzes the captures such tools produce.
Alex is conducting a forensic examination of a Windows system and wants to determine
if an application was installed. Where can he find the Windows installer log files for a
user named Jim?
A. C:\Windows\System 32\Installers
B. C:\Windows\Install.log
C. C:\Windows\Jim\Install.log
D. C:\Windows\Jim\AppData\Local\Temp -Answer- D. Windows Installer logs, when
logging is enabled, are typically written to the user's temporary app data folder (on
current Windows versions the user profile lives under C:\Users\<username>). Windows does
not keep a single Install.log file, and System32 does not contain an Installers directory.
Kathleen needs to find data contained in memory but only has an image of an offline
Windows system. Where does she have the best chance of recovering the information
she needs?
A. The Registry
B. %SystemRoot%\MEMORY.DMP
C. A system restore point file
D. %SystemRoot%/WinDBG -Answer- B. Windows crash dumps are stored in
%SystemRoot%\MEMORY.DMP and contain the memory state of the system when the
system crash occurred. This is her best bet for gathering the information she needs
without access to a live image, although the file exists only if a crash dump was written
and the configured dump type may capture kernel memory rather than all of RAM. The
Registry and system restore point do not contain this information, and WinDbg is a
Windows debugger, not an image of live memory.
Carl does not have the ability to capture data from a cell phone using forensic or
imaging software, and the phone does not have removable storage. Fortunately, the
phone was not set up with a PIN or screen lock. What is his best option to ensure he
can see email and other data stored there?
A. Physical acquisition
B. Logical access
C. File system access
D. Manual access -Answer- D. Manual access is used when phones cannot be
forensically imaged or accessed as a volume or filesystem. Manual access requires that
the phone be reviewed by hand, with pictures and notes preserved to document the
contents of the phone.
What forensic issue might the presence of a program like CCleaner indicate?
A. Anti-forensic activities
B. Full disk encryption
C. Malware packing
D. MAC time modifications -Answer- A. CCleaner is a PC cleanup utility that wipes
Internet history, destroys cookies and other cached data, and can impede forensic
investigations. CCleaner may be an indication of intentional anti-forensic activities on a
system. It is not a full disk encryption tool or malware packer, nor will it modify MAC
times.
Which of the following is not a potential issue with live imaging of a system?
A. Remnant data from the imaging tool
B. Unallocated space will be captured
C. Memory or drive contents may change during the imaging process
D. Malware may detect the imaging tool and work to avoid it -Answer- B. Unallocated
space is typically not captured during a live image, potentially resulting in data being
missed. Remnant data from the tool, memory and drive contents changing while the
image is occurring, and malware detecting the tool are all possible issues.
During his investigation, Jeff, a certified forensic examiner, is provided with a drive
image created by an IT staff member and is asked to add it to his forensic case. What is
the most important issue that Jeff could encounter if the case goes to court?
A. Bad checksums
B. Hash mismatch
C. Anti-forensic activities
D. Inability to certify chain of custody -Answer- D. Jeff did not create the image and
cannot validate chain of custody for the drive. This also means he cannot prove that the
drive is a copy of the original. Since we do not know the checksum for the original drive,
we do not have a bad checksum or a hash mismatch—there isn't an original to compare
it to. Anti-forensics activities may have occurred, but that is not able to be determined
from the question.
Jeff is investigating a system that is running malware that he believes encrypts its data
on the drive. What process should he use to have the best chance of viewing that data
in an unencrypted form?
A. Live imaging
B. Offline imaging
C. Brute-force encryption cracking
D. Cause a system crash and analyze the memory dump -Answer- A. Imaging the
system while the program is live has the best probability of allowing Jeff to capture the
encryption keys or decrypted data from memory. An offline image after the system is
shut down will likely result in having to deal with the encrypted file. Brute-force attacks
are typically slow and may not succeed, and causing a system crash may result in
corrupted or nonexistent data.
Susan has been asked to identify the applications that start when a Windows system
does. Where should she look first?
A. INDX files
B. Volume shadow copies
C. The Registry
D. The MFT -Answer- C. Windows stores information about programs that run when
Windows starts in the Registry in the Run and RunOnce keys (present under both HKLM
and HKCU). Run entries execute at each logon; RunOnce entries execute once and are
then deleted. INDX files and the MFT are both useful for file information, and
volume shadow copies can be used to see point-in-time information about a system.
During a forensic investigation Ben asks Chris to sit with him and to sign off on the
actions he has taken. What is he doing?
A. Maintaining chain of custody
B. Over-the-shoulder validation
C. Pair forensics
D. Separation of duties -Answer- A. Ben is maintaining chain-of-custody documentation.
Chris is acting as the validator for the actions that Ben takes, and acts as a witness to
the process.
Which tool is not commonly used to generate the hash of a forensic copy?
A. MD5
B. FTK
C. SHA1
D. AES -Answer- D. AES is a symmetric block cipher, not a hash function. MD5, SHA1,
and the built-in hashing tools in FTK and other commercial tools are what is commonly
used for forensic hashes.
Which of the following Linux command-line tools will show you how much disk space is
in use?
A. top
B. df
C. lsof
D. ps -Answer- B. The df tool will show you a system's current disk utilization. Both the
top and the ps tools will show you information about processes, CPU, and memory
utilization, and lsof is a multifunction tool for listing open files.
Which one of the phases of incident response involves primarily active undertakings
designed to limit the damage that an attacker might cause?
A. Containment, Eradication, and Recovery
B. Preparation
C. Post-Incident Activity
D. Detection and Analysis -Answer- A. The containment, eradication, and recovery
phase of incident response includes active undertakings designed to minimize the
damage caused by the incident and restore normal operations as quickly as possible.
Which one of the following criteria is not normally used when evaluating the
appropriateness of a cybersecurity incident containment strategy?
A. Effectiveness of the strategy
B. Evidence preservation requirements
C. Log records generated by the strategy
D. Cost of the strategy -Answer- C. NIST recommends using six criteria to evaluate a
containment strategy: the potential damage to resources, the need for evidence
preservation, service availability, time and resources required (including cost),
effectiveness of the strategy, and duration of the solution.
Alice is responding to a cybersecurity incident and notices a system that she suspects is
compromised. She places this system on a quarantine VLAN with limited access to
other networked systems. What containment strategy is Alice pursuing?
A. Eradication
B. Isolation
C. Segmentation
D. Removal -Answer- C. In a segmentation approach, the suspect system is placed on
a separate network where it has very limited access to other networked resources.
Alice confers with other team members and decides that even allowing limited access to
other systems is an unacceptable risk and decides instead to prevent the quarantine
VLAN from accessing any other systems by putting firewall rules in place that limit
access to other enterprise systems. The attacker can still control the system to allow
Alice to continue monitoring the incident. What strategy is she now pursuing?
A. Eradication
B. Isolation
C. Segmentation
D. Removal -Answer- B. In the isolation strategy, the quarantine network is directly
connected to the Internet or restricted severely by firewall rules so that the attacker may
continue to control it but not gain access to any other networked resources.
After observing the attacker, Alice decides to remove the Internet connection entirely,
leaving the systems running but inaccessible from outside the quarantine VLAN. What
strategy is she now pursuing?
A. Eradication
B. Isolation
C. Segmentation
D. Removal -Answer- D. In the removal approach, Alice keeps the systems running for
forensic purposes but completely cuts off their access to or from other networks,
including the Internet.
Which one of the following tools may be used to isolate an attacker so that he or she
may not cause damage to production systems but may still be observed by
cybersecurity analysts?
A. Sandbox
B. Playpen
C. IDS
D. DLP -Answer- A. Sandboxes are isolation tools used to contain attackers within an
environment where they believe they are conducting an attack but, in reality, are
operating in a benign environment.
Tamara is a cybersecurity analyst for a private business that is suffering a security
breach. She believes the attackers have compromised a database containing sensitive
information. Which one of the following activities should be Tamara's first priority?
A. Identifying the source of the attack
B. Eradication
C. Containment
D. Recovery -Answer- C. Tamara's first priority should be containing the attack. This will
prevent it from spreading to other systems and also potentially stop the exfiltration of
sensitive information. Only after containing the attack should Tamara move on to
eradication and recovery activities. Identifying the source of the attack should be a low
priority.
Which one of the following activities does CompTIA classify as part of the recovery
validation effort?
A. Rebuilding systems
B. Sanitization
C. Secure disposal
D. Scanning -Answer- D. CompTIA includes patching, permissions, security scanning,
and verifying logging/communication to monitoring in the set of validation activities that
cybersecurity analysts should undertake in the aftermath of a security incident.
Which one of the following pieces of information is most critical to conducting a solid
incident recovery effort?
A. Identity of the attacker
B. Time of the attack
C. Root cause of the attack
D. Attacks on other organizations -Answer- C. Understanding the root cause of an
attack is critical to the incident recovery effort. Analysts should examine all available
information to help reconstruct the attacker's actions. This information is crucial to
remediating security controls and preventing future similar attacks.
Lynda is disposing of a drive containing sensitive information that was collected during
the response to a cybersecurity incident. The information is categorized as a high
security risk and she wishes to reuse the media during a future incident. What is the
appropriate disposition for this information?
A. Clear
B. Erase
C. Purge
D. Destroy -Answer- C. Lynda should consult the flowchart that appears in Figure 8.7.
Following that chart, the appropriate disposition for media that contains high security
risk information and will be reused within the organization is to purge it.
Which one of the following activities is not normally conducted during the recovery
validation phase?
A. Verify the permissions assigned to each account
B. Implement new firewall rules
C. Conduct vulnerability scans
D. Verify logging is functioning properly -Answer- B. New firewall rules, if required,
would be implemented during the eradication and recovery phase. The validation phase
includes verifying accounts and permissions, verifying that logging is working properly,
and conducting vulnerability scans.
What incident response activity focuses on removing any artifacts of the incident that
may remain on the organization's network?
A. Containment
B. Recovery
C. Post-Incident Activities
D. Eradication -Answer- D. The primary purpose of eradication is to remove any of the
artifacts of the incident that may remain on the organization's network. This may include
the removal of any malicious code from the network, the sanitization of compromised
media, and the securing of compromised user accounts.
Which one of the following is not a common use of formal incident reports?
A. Training new team members
B. Sharing with other organizations
C. Developing new security controls
D. Assisting with legal action -Answer- B. There are many potential uses for written
incident reports. First, it creates an institutional memory of the incident that is useful
when developing new security controls and training new security team members.
Second, it may serve as an important record of the incident if there is ever legal action
that results from the incident. These reports should be classified and not disclosed to
external parties.
Which one of the following data elements would not normally be included in an evidence
log?
A. Serial number
B. Record of handling
C. Storage location
D. Malware signatures -Answer- D. Malware signatures would not normally be included
in an evidence log. The log would typically contain identifying information (e.g., the
location, serial number, model number, hostname, MAC addresses and IP addresses of
a computer), the name, title and phone number of each individual who collected or
handled the evidence during the investigation, the time and date (including time zone) of
each occurrence of evidence handling, and the locations where the evidence was
stored.
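The evidence log fields listed in the answer above, and the witnessed sign-off described in the earlier chain-of-custody question, as an added example that is not part of the study guide: each handling record carries the handler's name, title and phone number, the action, the storage location, a witness, and a time zone aware timestamp. The SHA-256 chaining of entries is this example's own addition so that a later edit or deletion of a record is detectable; the seized item, the people and the times are constructed.

```python
"""Tamper-evident evidence (chain-of-custody) log.

Added example, not part of the study guide. Each entry carries the fields the
guide lists for an evidence log: who handled the item (name, title, phone),
what was done, when (with time zone) and where the item was stored, plus the
identifying details of the item itself. As this example's own addition, the
entries are chained with SHA-256 so that a later edit or deletion of a
handling record is detectable. The item, people and times are constructed.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


class EvidenceLog:
    def __init__(self, item: dict):
        self.item = dict(item)   # serial, model, hostname, MAC/IP addresses ...
        self.entries: list = []  # chronological handling records

    @staticmethod
    def _digest(prev_hash: str, record: dict) -> str:
        payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def record(self, handler: str, title: str, phone: str, action: str,
               location: str, when: datetime, witness: Optional[str] = None) -> str:
        """Append a handling record and return its hash."""
        if when.tzinfo is None:
            raise ValueError("handling time must carry a time zone")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        rec = {
            "seq": len(self.entries),
            "time": when.astimezone(timezone.utc).isoformat(),
            "handler": handler, "title": title, "phone": phone,
            "action": action, "location": location, "witness": witness,
            "prev_hash": prev,
        }
        rec["hash"] = self._digest(prev, rec)
        self.entries.append(rec)
        return rec["hash"]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the chain; returns (ok, index of the first bad entry or None)."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev_hash"] != prev or self._digest(prev, body) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, None


def build_demo_log() -> EvidenceLog:
    """Three constructed handling events for one seized drive."""
    log = EvidenceLog({"serial": "WD-WX11A2345678", "model": "WD10EZEX",
                       "hostname": "web01", "mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.0.11"})
    local = timezone(timedelta(hours=-5))  # assumed local zone of the site
    log.record("Ben", "Forensic Analyst", "555-0100", "Seized drive from rack 4",
               "Evidence locker A, shelf 2", datetime(2022, 10, 5, 14, 30, tzinfo=local), witness="Chris")
    log.record("Ben", "Forensic Analyst", "555-0100", "Imaged behind write blocker; SHA-256 recorded",
               "Forensic lab, bench 1", datetime(2022, 10, 5, 16, 5, tzinfo=local), witness="Chris")
    log.record("Dana", "Evidence Custodian", "555-0101", "Returned to locker",
               "Evidence locker A, shelf 2", datetime(2022, 10, 5, 18, 0, tzinfo=local))
    return log


def demo(tamper: str = "none") -> Tuple[bool, Optional[int]]:
    """tamper: 'none', 'edit' (rewrite a handler name) or 'delete' (drop a record)."""
    log = build_demo_log()
    if tamper == "edit":
        log.entries[1]["handler"] = "Mallory"
    elif tamper == "delete":
        del log.entries[1]
    return log.verify()
```

Times are stored in UTC with the offset applied, which is why the guide asks for the time zone of every handling event. The chain only proves that the stored log was not altered after the fact; a witness such as Chris signing each entry is still what makes the record credible in court.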
Sondra determines that an attacker has gained access to a server containing critical
business files and wishes to ensure that the attacker cannot delete those files. Which
one of the following strategies would meet Sondra's goal?
A. Isolation
B. Segmentation
C. Removal
D. None of the above -Answer- D. Even removing a system from the network doesn't
guarantee that the attack will not continue. In the example given in this chapter, an
attacker can run a script on the server that detects when it has been removed from the
network and then proceeds to destroy data stored on the server.
Joe would like to determine the appropriate disposition of a flash drive used to gather
highly sensitive evidence during an incident response effort. He does not need to reuse
the drive but wants to return it to its owner, an outside contractor. What is the
appropriate disposition?
A. Destroy
B. Clear
C. Erase
D. Purge -Answer- A. The data disposition flowchart in Figure 8.7 directs that any media
containing highly sensitive information that will leave the control of the organization
must be destroyed. Joe should purchase a new replacement device to provide to the
contractor.
Which one of the following is not typically found in a cybersecurity incident report?
A. Chronology of events
B. Identity of the attacker
C. Estimates of impact
D. Documentation of lessons learned -Answer- B. Incident reports should include a
chronology of events, estimates of the impact, and documentation of lessons learned, in
addition to other information. Incident response efforts should not normally focus on
uncovering the identity of the attacker, so this information would not be found in an
incident report.
What NIST publication contains guidance on cybersecurity incident handling?
A. SP 800-53
B. SP 800-88
C. SP 800-18
D. SP 800-61 -Answer- D. NIST SP 800-61 is the Computer Security Incident Handling
Guide. NIST SP 800-53 is Security and Privacy Controls for Federal Information
Systems and Organizations. NIST SP 800-88 is Guidelines for Media Sanitization. NIST
SP 800-18 is the Guide for Developing Security Plans for Federal Information Systems.
Which one of the following is not a purging activity?
A. Resetting to factory state
B. Overwriting
C. Block erase
D. Cryptographic erase -Answer- A. Resetting a device to factory state is an example of
a data clearing activity. Data purging activities include overwriting, block erase, and
cryptographic erase activities when performed through the use of dedicated,
standardized device commands.
Ben is responding to a security incident and determines that the attacker is using
systems on Ben's network to attack a third party. Which one of the following
containment approaches will prevent Ben's systems from being used in this manner?
A. Removal
B. Isolation
C. Detection
D. Segmentation -Answer- A. Only removal of the compromised system from the
network will stop the attack against other systems. Isolated and/or segmented systems
are still permitted access to the Internet and could continue their attack. Detection is a
purely passive activity that does not disrupt the attacker at all.
Joe is authoring a document that explains to system administrators one way that they
might comply with the organization's requirement to encrypt all laptops. What type of
document is Joe writing?
A. Policy
B. Guideline
C. Procedure
D. Standard -Answer- B. The key word in this scenario is "one way." This indicates that
compliance with the document is not mandatory, so Joe must be authoring a guideline.
Policies, standards, and procedures are all mandatory.
Which one of the following statements is not true about compensating controls under
PCI DSS?
A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the
absence of a control needed to meet another requirement.
B. Controls must meet the intent of the original requirement.
C. Controls must meet the rigor of the original requirement.
D. Compensating controls must provide a similar level of defense as the original
requirement. -Answer- A. PCI DSS compensating controls must be "above and beyond"
other PCI DSS requirements. This specifically bans the use of a control used to meet
one requirement as a compensating control for another requirement.
What law creates cybersecurity obligations for healthcare providers and others in the
health industry?
A. HIPAA
B. FERPA
C. GLBA
D. PCI DSS -Answer- A. The Health Insurance Portability and Accountability Act
(HIPAA) includes security and privacy rules that affect healthcare providers, health
insurers, and health information clearinghouses.
Which one of the following is not one of the five core security functions defined by the
NIST Cybersecurity Framework?
A. Identify
B. Contain
C. Respond
D. Recover -Answer- B. The five security functions described in the NIST Cybersecurity
Framework are identify, protect, detect, respond, and recover.
What ISO standard applies to information security management controls?
A. 9001
B. 27001
C. 14032
D. 57033 -Answer- B. The International Organization for Standardization (ISO)
publishes ISO 27001, a standard document titled "Information technology—Security
techniques—Information security management systems—Requirements."
Which one of the following documents must normally be approved by the CEO or
similarly high-level executive?
A. Standard
B. Procedure
C. Guideline
D. Policy -Answer- D. Policies require approval from the highest level of management,
usually the CEO. Other documents may often be approved by other managers, such as
the CISO.
What SABSA architecture layer corresponds to the designer's view of security
architecture?
A. Contextual security architecture
B. Conceptual security architecture
C. Logical security architecture
D. Component security architecture -Answer- C. The logical security architecture
corresponds to the designer's view in the SABSA model. The contextual architecture is
the business view, the conceptual architecture is the architect's view, and the
component architecture is the tradesman's view.
What law governs the financial records of publicly traded companies?
A. GLBA
B. SOX
C. FERPA
D. PCI DSS -Answer- B. The Sarbanes-Oxley (SOX) Act applies to the financial records
of publicly traded companies and requires that those companies have a strong degree
of assurance around the IT systems that store and process those records.
What TOGAF domain provides the organization's approach to storing and managing
information assets?
A. Business architecture
B. Applications architecture
C. Data architecture
D. Technical architecture -Answer- C. In the TOGAF model, the data architecture
provides the organization's approach to storing and managing information assets.
Which one of the following would not normally be found in an organization's information
security policy?
A. Statement of the importance of cybersecurity
B. Requirement to use AES-256 encryption
C. Delegation of authority
D. Designation of responsible executive -Answer- B. Security policies do not normally
contain prescriptive technical guidance, such as a requirement to use a specific
encryption algorithm. This type of detail would normally be found in a security standard.
Darren is helping the Human Resources department create a new policy for background
checks on new hires. What type of control is Darren creating?
A. Physical
B. Technical
C. Logical
D. Administrative -Answer- D. Administrative controls are procedural mechanisms that
an organization follows to implement sound security management practices. Examples
of administrative controls include user account reviews, employee background
investigations, log reviews, and separation of duties policies.
Which one of the following control models describes the five core activities associated
with IT service management as service strategy, service design, service transition,
service operation, and continual service improvement?
A. COBIT
B. TOGAF
C. ISO 27001
D. ITIL -Answer- D. The Information Technology Infrastructure Library (ITIL) is a
framework that offers a comprehensive approach to IT service management (ITSM)
within the modern enterprise. ITIL covers five core activities: Service Strategy, Service
Design, Service Transition, Service Operation, and Continual Service Improvement.
What compliance obligation applies to merchants and service providers who work with
credit card information?
A. FERPA
B. SOX
C. HIPAA
D. PCI DSS -Answer- D. The Payment Card Industry Data Security Standard (PCI DSS)
provides detailed rules about the storage, processing, and transmission of credit and
debit card information. PCI DSS is not a law but rather a contractual obligation that
applies to credit card merchants and service providers.
Which one of the following policies would typically answer questions about when an
organization should destroy records?
A. Data ownership policy
B. Account management policy
C. Password policy
D. Data retention policy -Answer- D. The data retention policy outlines what information
the organization will maintain and the length of time different categories of information
will be retained prior to destruction.
While studying an organization's risk management process under the NIST
Cybersecurity Framework, Rob determines that the organization adapts its
cybersecurity practices based on lessons learned and predictive indicators derived from
previous and current cybersecurity activities. What tier should he assign based on this
measure?
A. Tier 1
B. Tier 2
C. Tier 3
D. Tier 4 -Answer- D. The description provided matches the definition of a Tier 4
(Adaptive) organization's risk management practices under the NIST Cybersecurity
Framework.
Which one of the following security policy framework components does not contain
mandatory guidance for individuals in the organization?
A. Policy
B. Standard
C. Procedure
D. Guideline -Answer- D. Guidelines are the only element of the security policy
framework that are optional. Compliance with policies, standards, and procedures is
mandatory.
Tina is creating a set of firewall rules designed to block denial-of-service attacks from
entering her organization's network. What type of control is Tina designing?
A. Logical control
B. Physical control
C. Administrative control
D. Root access control -Answer- A. Logical controls are technical controls that enforce
confidentiality, integrity, and availability in the digital space. Examples of logical security
controls include firewall rules, access control lists, intrusion prevention systems, and
encryption.
Allan is developing a document that lists the acceptable mechanisms for securely
obtaining remote administrative access to servers in his organization. What type of
document is Allan writing?
A. Policy
B. Standard
C. Guideli