
CySA+ Final - Study Guide 2022 with complete solution. Rated A


Which format does dd produce files in?
A. ddf
B. RAW
C. EN01
D. OVF
Answer: B. dd creates files in RAW, bit-by-bit format. EN01 is the EnCase forensic file format, OVF is a virtualization file format, and ddf is a made-up answer.

File remnants found in clusters that have been only partially rewritten by new files are in what type of space?
A. Outer
B. Slack
C. Unallocated space
D. Non-Euclidean
Answer: B. Slack space is the space that remains when only a portion of a cluster is used by a file. Data from previous files may remain in the slack space since it is typically not wiped or overwritten. Unallocated space is space on a drive that has not been made part of a partition. Outer space and non-Euclidean space are not terms used for filesystems or forensics.

Mike is looking for information about files that were changed on a Windows system. Which of the following is least likely to contain useful information for his investigation?
A. The MFT
B. INDX files
C. Event logs
D. Volume shadow copies
Answer: C. Event logs do not typically contain significant amounts of information about file changes. The Master File Table and file indexes (INDX files) both hold specific information about files, whereas volume shadow copies can help show differences between files and locations at a point in time.

Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen?
A. Read blocker
B. Drive cloner
C. Write blocker
D. Hash validator
Answer: C. Write blockers ensure that no changes are made to a source drive when creating a forensic copy. Preventing reads would stop you from copying the drive, drive cloners may or may not have write-blocking capabilities built in, and hash validation is useful to ensure contents match but does not stop changes to the source drive from occurring.

Frederick wants to determine if a thumb drive was ever plugged into a Windows system. How can he test for this?
A. Review the MFT
B. Check the system's live memory
C. Use USB Historian
D. Create a forensic image of the drive
Answer: C. USB Historian provides a list of devices that are logged in the Windows Registry. Frederick can check the USB device's serial number and other identifying information against the Windows system's historical data. If the device isn't listed, it is not absolute proof, but if it is listed, it is reasonable to assume that it was used on the device.

What two files may contain encryption keys normally stored only in memory on a Windows system?
A. The MFT and the hash file
B. The Registry and hibernation files
C. Core dumps and encryption logs
D. Core dumps and hibernation files
Answer: D. Core dumps and hibernation files both contain an image of the live memory of a system, potentially allowing encryption keys to be retrieved from the stored file. The MFT provides information about file layout, and the Registry contains system information but shouldn't have encryption keys stored in it. There is no hash file or encryption log stored as a Windows default file.

Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date?
A. Timeline
B. Log viewer
C. Registry analysis
D. Timestamp validator
Answer: A. Timelines are one of the most useful tools when conducting an investigation of a compromise or other event. Forensic tools provide built-in timeline capabilities to allow this type of analysis.

During her forensic copy validation process, Danielle received the following MD5 sums from her original drive and the cloned image after using dd. What is likely wrong?
b49794e007e909c00a51ae208cacb169 original.img
d9ff8a0cf6bc0ab066b6416e7e7abf35 clone.img
A. The original was modified.
B. The clone was modified.
C. dd failed.
D. An unknown change or problem occurred.
Answer: D. Since Danielle did not hash her source drive prior to cloning, you cannot determine where the problem occurred. If she had run md5sum prior to the cloning process as well as after, she could verify that the original disk had not changed.

Jennifer wants to perform memory analysis and forensics for Windows, macOS, and Linux systems. Which of the following is best suited to her needs?
A. LiME
B. DumpIt
C. fmem
D. The Volatility Framework
Answer: D. The Volatility Framework is designed to work with Windows, macOS, and Linux, and it provides in-depth memory forensics and analysis capabilities. LiME and fmem are Linux tools, whereas DumpIt is a Windows-only tool.

Alex is conducting a forensic examination of a Windows system and wants to determine if an application was installed. Where can he find the Windows installer log files for a user named Jim?
A. C:\Windows\System32\Installers
B. C:\Windows\Install.log
C. C:\Windows\Jim\Install.log
D. C:\Windows\Jim\AppData\Local\Temp
Answer: D. Windows installer logs are typically kept in the user's temporary app data folder. Windows does not keep install log files, and System32 does not contain an Installers directory.

Kathleen needs to find data contained in memory but only has an image of an offline Windows system. Where does she have the best chance of recovering the information she needs?
A. The Registry
B. %SystemRoot%\MEMORY.DMP
C. A system restore point file
D. %SystemRoot%/WinDBG
Answer: B. Windows crash dumps are stored in %SystemRoot%\MEMORY.DMP and contain the memory state of the system when the system crash occurred. This is her best bet for gathering the information she needs without access to a live image. The Registry and system restore points do not contain this information, and WinDbg is a Windows debugger, not an image of live memory.

Carl does not have the ability to capture data from a cell phone using forensic or imaging software, and the phone does not have removable storage. Fortunately, the phone was not set up with a PIN or screen lock. What is his best option to ensure he can see email and other data stored there?
A. Physical acquisition
B. Logical access
C. File system access
D. Manual access
Answer: D. Manual access is used when phones cannot be forensically imaged or accessed as a volume or filesystem. Manual access requires that the phone be reviewed by hand, with pictures and notes preserved to document the contents of the phone.

What forensic issue might the presence of a program like CCleaner indicate?
A. Anti-forensic activities
B. Full disk encryption
C. Malware packing
D. MAC time modifications
Answer: A. CCleaner is a PC cleanup utility that wipes Internet history, destroys cookies and other cached data, and can impede forensic investigations. CCleaner may be an indication of intentional anti-forensic activities on a system. It is not a full disk encryption tool or malware packer, nor will it modify MAC times.

Which of the following is not a potential issue with live imaging of a system?
A. Remnant data from the imaging tool
B. Unallocated space will be captured
C. Memory or drive contents may change during the imaging process
D. Malware may detect the imaging tool and work to avoid it
Answer: B. Unallocated space is typically not captured during a live image, potentially resulting in data being missed. Remnant data from the tool, memory and drive contents changing while the image is taken, and malware detecting the tool are all possible issues.

During his investigation, Jeff, a certified forensic examiner, is provided with a drive image created by an IT staff member and is asked to add it to his forensic case. What is the most important issue Jeff could encounter if the case goes to court?
A. Bad checksums
B. Hash mismatch
C. Anti-forensic activities
D. Inability to certify chain of custody
Answer: D. Jeff did not create the image and cannot validate chain of custody for the drive. This also means he cannot prove that the drive is a copy of the original. Since we do not know the checksum for the original drive, we do not have a bad checksum or a hash mismatch, because there isn't an original to compare it to. Anti-forensic activities may have occurred, but that cannot be determined from the question.

Jeff is investigating a system that is running malware that he believes encrypts its data on the drive. What process should he use to have the best chance of viewing that data in an unencrypted form?
A. Live imaging
B. Offline imaging
C. Brute-force encryption cracking
D. Cause a system crash and analyze the memory dump
Answer: A. Imaging the system while the program is live has the best probability of allowing Jeff to capture the encryption keys or decrypted data from memory. An offline image after the system is shut down will likely result in having to deal with the encrypted file. Brute-force attacks are typically slow and may not succeed, and causing a system crash may result in corrupted or nonexistent data.

Susan has been asked to identify the applications that start when a Windows system does. Where should she look first?
A. INDX files
B. Volume shadow copies
C. The Registry
D. The MFT
Answer: C. Windows stores information about programs that run when Windows starts in the Registry as Run and RunOnce Registry keys, which run each time a user logs in. INDX files and the MFT are both useful for file information, and volume shadow copies can be used to see point-in-time information about a system.

During a forensic investigation, Ben asks Chris to sit with him and to sign off on the actions he has taken. What is he doing?
A. Maintaining chain of custody
B. Over-the-shoulder validation
C. Pair forensics
D. Separation of duties
Answer: A. Ben is maintaining chain-of-custody documentation. Chris is acting as the validator for the actions that Ben takes, and acts as a witness to the process.

Which tool is not commonly used to generate the hash of a forensic copy?
A. MD5
B. FTK
C. SHA1
D. AES
Answer: D. While AES does have a hashing mode, MD5, SHA1, and the built-in hashing tools in FTK and other commercial tools are more commonly used for forensic hashes.

Which of the following Linux command-line tools will show you how much disk space is in use?
A. top
B. df
C. lsof
D. ps
Answer: B. The df tool will show you a system's current disk utilization. Both the top and the ps tools will show you information about processes, CPU, and memory utilization, and lsof is a multifunction tool for listing open files.

Which one of the phases of incident response involves primarily active undertakings designed to limit the damage that an attacker might cause?
A. Containment, Eradication, and Recovery
B. Preparation
C. Post-Incident Activity
D. Detection and Analysis
Answer: A. The containment, eradication, and recovery phase of incident response includes active undertakings designed to minimize the damage caused by the incident and restore normal operations as quickly as possible.

Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy?
A. Effectiveness of the strategy
B. Evidence preservation requirements
C. Log records generated by the strategy
D. Cost of the strategy
Answer: C. NIST recommends using six criteria to evaluate a containment strategy: the potential damage to resources, the need for evidence preservation, service availability, time and resources required (including cost), effectiveness of the strategy, and duration of the solution.

Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing?
A. Eradication
B. Isolation
C. Segmentation
D. Removal
Answer: C. In a segmentation approach, the suspect system is placed on a separate network where it has very limited access to other networked resources.

Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk. She decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system, allowing Alice to continue monitoring the incident. What strategy is she now pursuing?
A. Eradication
B. Isolation
C. Segmentation
D. Removal
Answer: B. In the isolation strategy, the quarantine network is directly connected to the Internet or restricted severely by firewall rules so that the attacker may continue to control it but not gain access to any other networked resources.

After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing?
A. Eradication
B. Isolation
C. Segmentation
D. Removal
Answer: D. In the removal approach, Alice keeps the systems running for forensic purposes but completely cuts off their access to or from other networks, including the Internet.

Which one of the following tools may be used to isolate an attacker so that he or she may not cause damage to production systems but may still be observed by cybersecurity analysts?
A. Sandbox
B. Playpen
C. IDS
D. DLP
Answer: A. Sandboxes are isolation tools used to contain attackers within an environment where they believe they are conducting an attack but, in reality, are operating in a benign environment.

Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority?
A. Identifying the source of the attack
B. Eradication
C. Containment
D. Recovery
Answer: C. Tamara's first priority should be containing the attack. This will prevent it from spreading to other systems and also potentially stop the exfiltration of sensitive information. Only after containing the attack should Tamara move on to eradication and recovery activities. Identifying the source of the attack should be a low priority.

Which one of the following activities does CompTIA classify as part of the recovery validation effort?
A. Rebuilding systems
B. Sanitization
C. Secure disposal
D. Scanning
Answer: D. CompTIA includes patching, permissions, security scanning, and verifying logging/communication to monitoring in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident.

Which one of the following pieces of information is most critical to conducting a solid incident recovery effort?
A. Identity of the attacker
B. Time of the attack
C. Root cause of the attack
D. Attacks on other organizations
Answer: C. Understanding the root cause of an attack is critical to the incident recovery effort. Analysts should examine all available information to help reconstruct the attacker's actions. This information is crucial to remediating security controls and preventing future similar attacks.

Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information?
A. Clear
B. Erase
C. Purge
D. Destroy
Answer: C. Lynda should consult the flowchart that appears in Figure 8.7. Following that chart, the appropriate disposition for media that contains high security risk information and will be reused within the organization is to purge it.

Which one of the following activities is not normally conducted during the recovery validation phase?
A. Verify the permissions assigned to each account
B. Implement new firewall rules
C. Conduct vulnerability scans
D. Verify logging is functioning properly
Answer: B. New firewall rules, if required, would be implemented during the eradication and recovery phase. The validation phase includes verifying accounts and permissions, verifying that logging is working properly, and conducting vulnerability scans.

What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network?
A. Containment
B. Recovery
C. Post-Incident Activities
D. Eradication
Answer: D. The primary purpose of eradication is to remove any of the artifacts of the incident that may remain on the organization's network. This may include the removal of any malicious code from the network, the sanitization of compromised media, and the securing of compromised user accounts.

Which one of the following is not a common use of formal incident reports?
A. Training new team members
B. Sharing with other organizations
C. Developing new security controls
D. Assisting with legal action
Answer: B. There are many potential uses for written incident reports. First, they create an institutional memory of the incident that is useful when developing new security controls and training new security team members. Second, they may serve as an important record of the incident if there is ever legal action that results from it. These reports should be classified and not disclosed to external parties.

Which one of the following data elements would not normally be included in an evidence log?
A. Serial number
B. Record of handling
C. Storage location
D. Malware signatures
Answer: D. Malware signatures would not normally be included in an evidence log. The log would typically contain identifying information (e.g., the location, serial number, model number, hostname, MAC addresses and IP addresses of a computer), the name, title and phone number of each individual who collected or handled the evidence during the investigation, the time and date (including time zone) of each occurrence of evidence handling, and the locations where the evidence was stored.

Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goal?
A. Isolation
B. Segmentation
C. Removal
D. None of the above
Answer: D. Even removing a system from the network doesn't guarantee that the attack will not continue. In the example given in this chapter, an attacker can run a script on the server that detects when it has been removed from the network and then proceeds to destroy data stored on the server.

Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition?
A. Destroy
B. Clear
C. E
Document information
Uploaded on: Oct 09, 2022
Number of pages: 50
Seller: Topmark