Chapter 7 Memory analysis

Question 1

What memory format captures are a common format for memory dumps. These files
can be created by various live memory acquisition tools (DumpIt,
WinPMEM, Redline, and others).

Answer 1

RAW

Question 2

In Memory Acquisiton: What is generated when a system crashes or when a user tells the OS to produce a crash.

Answer 2

Crash Dump

Question 3

In Memory Acquisition: In windows systems, particularly laptops, store this file in hiberfil.sys on the root of the OS partition.

Answer 3

Hibernation

Question 4

In Memory Acquisition: What has become the standard for analyzing memory dumps:

Answer 4

Expert Witness Disk Image Format (EWF)

Question 5

This is the format used by WinPMEM, a component of Rekall, but can
also be used with Volatility. It is an open standard that was designed
around the ZIP file format. It can combine multiple, related streams of
data from memory, files, and disk simultaneously. It handles memory gaps
and unreadable areas of memory and has metadata support.

Answer 5

AFF4: Advanced Forensic Framework Disk Image, AFF Version 4.

Question 6

What are two memory analysis frameworks often used by
memory forensics investigators. These frameworks allow the investigator to
use a ready-made module that simplifies memory image analysis by
interpreting the memory image structure and extracting useful data.

Answer 6

ReKall and Volatility

Question 7

What is the best-known memory analysis tool that supports digital investigation on Windows, Linux and Mac Memory images?

Answer 7

Volatility

Question 8

What is a framework developed by Google and an alternative to Volatility.?

Answer 8

Rekall

Question 9

What is a general Framework that organizes a memory-based investigation and helps the investigatory find the first lead or sign of malware in the memory image.

Answer 9

The Six-Step Investigation Process.

Question 10

What are the steps of the Six-Step Investigation Process?

Answer 10

1. Process, 2. DLL and Handles, 3. Network 4. Code Injection 5. RootKits 6. Dump

Question 11

What Step investigates a rogue process?

Answer 11

Step 1 Processes

Question 12

What step checks DLL (Dynamic-Link Library) used by various executables?

Answer 12

Step 2 DLL and Handles

Question 13

What step in the six-step investigation process Checks Network Activity and artifacts?

Answer 13

Step 3 Network

Question 14

What step in the six-step investigation process Checks for malware traces in memory?

Answer 14

Step 4 Code injection

Question 15

What step in the six-step investigation process Checks for signs of RootKits?

Answer 15

Step 5 RootKits

Question 16

What step in the six-step investigation process Dump Suspicious processes for in-depth analysis?

Answer 16

Step 6 Dump The last step in the process, the dump, extracts files, processes, and other
objects from the memory image for further investigation.

Question 17

What is crucial in Determining the right profile to use to correctly analyze a memory image?

Answer 17

Memory identification and the verification of image integrity

Question 18

What network artifacts on a memory image can be helpful to find suspicious network connections?

Answer 18

Ports, Destination IP, Origin Process, Socket Information

Question 19

What scans for identifiable TCP Connections in older Versions of Windows

Answer 19

ConnScan

Question 20

What Scans for all Open Sockets?

Answer 20

Sockets
(A socket is one endpoint of a two-way communication link between two programs running on the network. A socket is bound to a port number so that the TCP layer can identify the application that data is destined to be sent to.)

Question 21

What can be used to scan for connections and sockets in newer Windows Versions?

Answer 21

Netscan

Question 22

What Volatility plugin displays local open port for any protocol, including TCP and UDP?

Answer 22

Sockets Plugin

Question 23

What Volatility Plugin utilities are complementary and should be used together when conducting a network analysis?

Answer 23

ConnScan and Sockets.

Because not all ports detected by ConnScan will be displayed by Sockets.

Question 24

Because some artifacts, such as URL, Function calls, and files names, can be loaded as plain text in memory, then can be extacted by applications such as?

Answer 24

Strings and Bulk Extractor

Question 25

What is network-related information not identified in Memory?

Answer 25

URL’s

Question 26

For Memory Interaction, What framework provides two ways to interact with a memory image with plugins and Volshell.

Answer 26

The Volatility framework.

Question 27

What are two ways the Volatility Framework provides to interact with a memory image?

Answer 27

Plugins and Volshell

Question 28

What Volatility utility is the most common method of analyzing a memory image, which includes a set of ready-to-use plugins and commands?

Answer 28

Plugins

Question 29

Which Volatility utility is an advanced debug shell that interacts with memory.

Answer 29

Volshell

Question 30

What is the most import objects in memory images from an investigator’s perspective, as they provide a wealth of information about files that were executed on the system in a given timeframe.

Answer 30

Processes and process analysis is the first step in an investigation of malicious activity.

Question 31

What is one of the most common attack techniques?

Answer 31

Code Injection

Question 32

What Volatility plugin detects possible code injections by finding a memory section marked as executable that is not backed up with a file on disk?

Answer 32

MalFind

Question 33

What is an executable loaded in memory that can be extracted and inspected?

Answer 33

A Process

Question 34

What scans for an command line history buffer?

Answer 34

Cmdscan

Question 35

What scans for available console information, Not only does it print the commands an attacker typed, but it collects the entire screen buffer, including both input and output?

Answer 35

Consoles

Question 36

What is intelligence gathering that usually starts with public sources called?

Answer 36

Open-Source Intelligence (OSINT)

Question 37

What are the step of Advanced Persistant Threat(APT) Flow?

Answer 37

1. OSINT (Recon), 2. External Takeover, 3. Privilege Escalation, 4. Lateral Movement Internal Takeover 5. Hiding Mechanism and Information Theft

Question 38

What is the term refers to any action taken to delay a computer investigation?

Answer 38

Anti-Forensics

Question 39

What  involves hiding harmful code by embedding it in commonly used files or data. Bits of data in regular 
computer files (such as image files, text files, and sound files) are replaced with bits of malicious coded information?

Answer 39

Steganography

Question 40

What is called when a malicious party impersonates another device or user on a network to launch attacks against network hosts, steal data, spread malware, or bypass access controls?

Answer 40

Spoofing

Question 41

What is considered an obfuscation technique that is a means of distributing an executable in a “compressed” state?

Answer 41

Packing

Question 42

What is a tool that modifies the formatting of code by data so it will be harder to detect the file’s header and content.?

Answer 42

A Packer tool

Question 43

SOC ROLES:

A junior staff member who receives alerts and determines if they should be escalated to incidents?

Answer 43

Tier 1 Analyst

Question 44

SOC ROLES:

A staff member that is notified about incidents discovered by Tier 1. Is qualified to perform basic acts of mitigation, such as disconnecting the infected machine from the network.

Answer 44

Tier 2 Analyst:

Question 45

SOC ROLES:

A highly-experienced staff member or consultant with enough IT and Cybersecurity experience and knowledge to conduct DFIR activities and lead other personnel in the containment and eradication of malicious elements.

Answer 45

Tier 3 Analyst

Question 46

SOC Roles:

Manages the daily operation of the center, and reports to the senior security leader (CISO).

Answer 46

SOC Manager

Question 47

SOC ROLES:

Responsible for the overall security program, which ranges from cyber risk management to vulnerability management, to any other security-related function associated with incident response.

Answer 47

Chief Information Security Officer (CISO)

Question 48

Additional Roles in Case of a Breach:

Plays an important role in ensuring that organizational risks are adequately addressed.

Answer 48

Chief Executive Officer (CEO)

Question 49

Additional Roles in Case of a Breach

During high profile breaches these personnel offer the proper messaging for the media.

Answer 49

Public Relations

Question 50

Additional Roles in Case of a Breach:

They manage routers, switches and other network infrastructure, may also be engaged to gather information or assist DFIR analysts in the gathering of forensic evidence.

Answer 50

Network Team

Question 51

Additional Roles in Case of a Breach:

This team may also be able to provide insight if there are anomalies in the amount and type of traffic traversing the organization’s networks.

Answer 51

Network Operations Center (NOC)

Question 52

Additional Roles in Case of a Breach:

They are often the first to receive signs of trouble from employees, and may be able to provide additional support to help record the frequency and scope of the incident.

Answer 52

Help Desk

Question 53

After team members are defined, it is important to monitor the tasks of each team and the roles responsible for their completion. What is used to identify tasks, teams, and roles?

Answer 53

RACI Chart (Responsible, Accountable, Consulted and Informed)

Question 54

What is a non-regulatory governmental agency, associated with the U.S. Department of Commerce, which focus is to develop technology, metrics, and standards?

Answer 54

NIST (National Institute of Standards and Technology)

Question 55

What is a private U.S. for-profit Company that offers research and education in the field of information security and Derives its methodologies from NIST standards?

Answer 55

SANS Institute

Question 56

What are the phases of incident response methodologies established by SANS institute?

Answer 56

Phase 1. Preparation, Phase 2. Identification, Phase 3. Containment, Phase 4. Eradication, Phase 5. Recovery, Phase 6. Lessons Learned.

Question 57

SANS Incident Response Methodology:

Which phase of SANS Incident Response is a plan developed on how to handle a cyber attack? Including investing in an incident logging system so members can log what actions were taken during an incident in real-time, specifics on backups and replications of data established, and security controls are configured to filter or blacklist know indicator of compromise (IOC).

Answer 57

Preparation Phase

Question 58

SANS Incident Response Methodology:

Which phase of SANS Incident Response recognizes the network has been comprised by malware or cyber attack and declares an incident to execute incident response plan?

Answer 58

Identification

Question 59

SANS Incident Response Methodology:

Which phase of SANS Incident Response does the IR Team attempt to contain the incident and reduce any damage resulting from the attack. This includes isolating infected workstations and segmenting network traffic from infected workstations to reduce the impact on the organization

Answer 59

Containment

Question 60

SANS Incident Response Methodology:

Which phase of SANS Incident Response is to eliminate the infection and executing the DR plan by restoring affected systems?

Answer 60

Eradication Phase (The team also begins focusing on where the attack originated from, to remediate any vulnerabilities that enable the incident to occur.

Question 61

SANS Incident Response Methodology:

Which phase of SANS Incident Response are Post-incident activities to analyze the attack, review logged information, and produce a report with a timeline of the incident?

Answer 61

Lessons Learned Phase

Question 62

What is a set tools DFIR analysts put together in preparation for an incident.

Answer 62

Jump Kit

Question 63

What refers to the strategy of restoring normal business operation after a disaster occurs including earthquakes, fires, floods, cyberattacks, and others?

Answer 63

Disaster Recovery Plan

Question 64

A backup site that is up and running continuously, and ready for immediate switchover.?

Answer 64

Hot Site

Question 65

A site that hosts servers and other resources for backup purposes, but is not as ready for a switchover as a hot site.

Answer 65

warm site

Question 66

A low-cost site that does not always have the necessary equipment to enable resumption of normal operation?

Answer 66

Cold Site

Question 67

Refer to a set of activities meant to ensure that organizational leaders are informed about risks, and are aware of the necessity to comply with regulations, policies, procedures, and
standards.

Answer 67

Governance, risk, and Compliance (GRC)

Question 68

Official top-level management directives that must be complied with by all people and systems within the scope of the policy.

Answer 68

Policies

Question 69

Documents derived from policies but are more specific about high-level requirements that must be followed for a process or system to operate.

Answer 69

Standard

Question 70

Documents derived from policies and standards that detail mandatory step-by-step directions for personnel and systems?

Answer 70

procedures

Question 71

Points that suggest how to follow mandatory policies, standards, and procedures, and help clarify what to do in specific circumstances?

Answer 71

Guidelines

Question 72

What is the European Union privacy law that places strong restrictions on the protection and use of personal data?

Answer 72

Global Data protection Regulation (EU) 2016/679

Question 73

What is Named after two USA Senators who sponsored the passage of the law, with the purpose of protecting investors and the public against financial fraud?

Answer 73

Sarbanes-Oxley (SOX)

Question 74

What agencies issue laws to protect private and sensitive health-related data?

Answer 74

Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health Act (HITECH)

Question 75

In a organization who usually establishes response policy, budget, and staffing

Answer 75

Management

Question 76

In a organization who/what usually ensures security controls and policy enforcement?

Answer 76

Information Assurance

Question 77

In a organization who usually are Information Technology Experts.

Answer 77

IT Support

Question 78

In a organization who usually handles insider threat situations, such as employees who violate business policies.

Answer 78

Human Resources

Question 79

In a organization who usually works closely and in parallel with IRT

Answer 79

Business Continuity Plan (BCP)/(DR) Disaster Recovery

Question 80

Conducts organization-wide drills regarding facilities?

Answer 80

Physical Security

Question 81

When handling incidents what do cyber security analyst use to guide them through the process of determining the validity of a security-related alert.

Answer 81

A Playbook (SOC playbook)

Question 82

What is used as an efficient method to handle incidents and ensure that a SOC team focuses on the most relevant event, within the shortest periods of time?

Answer 82

SOC Playbooks

Question 83

What is a solution or tool that enables organizations to collect data about security threats from multiple sources and respond to events with minimal human interaction?

Answer 83

Security Orchestration, Automation, and Response (SOAR)

Question 84

What systems include automated playbooks that collect alert data, ingest it, and respond based on the alert type and other collected criteria?

Answer 84

Security Orchestration, Automation and Response (SOAR)

Question 85

How Long should logs be retained to build a baseline of normal behavior, and enable historical activity analysis?

Answer 85

Logs should be maintained for three months to build a baseline.

Question 86

Containment Strategies:

When you Block or allow a specific object (IP,Domain,etc.)

Answer 86

Block List/Allow List Filtering

Question 87

Containment Strategies:

When you Isolate infected networks from clean machines

Answer 87

Segmentation

Question 88

Containment Strategies:

What uses patterns of known indicators related to past attacks, to prevent attack propagation?

Answer 88

IOC (Indicators of Compromise)

Question 89

Containment Strategies:

DDoS traffic from a malicious network should be dropped and prevented from reaching it destination?

Answer 89

Black Holing Shunt

Question 90

Containment Strategies:

Email filter controls should be updated with signatures/IoCs of phishing emails.

Answer 90

Email Filtering

Question 91

Containment Strategies:

Disconnect an infected system from the network?

Answer 91

Host Isolation