Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CASP+ Prepare for ISSAP > Chapter 8 Implementing Incident Response and Forensics > Flashcards

Chapter 8 Implementing Incident Response and Forensics Flashcards

1
Q

During a security incident, a team member was able to refer to known documentation and databases of attack vectors to aid the response. What is this an example of?

A. Event classification
B. A false positive
C. A false negative
D. A true positive

A

A. Event classification

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

During a security incident, a team member responded to a SIEM alert and successfully stopped an attempted data exfiltration. What can be said about the SIEM alert?

A. It is a false positive
B. It is a false negative
C. It is a true positive
D. It is a true negative

A

C. It is a true positive

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

During a security incident, a senior team leader coordinated with members already dealing with a breach. They were told to concentrate their efforts on a new threat. What process led to the team leaders actions?

A. Preparation
B. Analysis
C. Triage event
D. Pre-escalation tasks

A

C. Triage event

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

A CSIRT team needs to be identified, including leadership with a clear reporting and escalation process. At what stage of the incident response process should this be done?

A. Preparation
B. Detection
C. Analysis
D. Containment

A

A. Preparation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

During a recent security incident, a team member responded to a SIEM alert stating that multiple workstations on a network segment have been infected with crypto malware. What part of the incident process should be followed?

A. Preparation
B. Detection
C. Analysis
D. Containment

A

D. Containment

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

After a security incident, workstations that were previously infected with crypoto malware were placed in quarantine, wiped and successfully scanned with an updated antivirus. What part of the incident response process should be followed?

A. Analysis
B. Containment
C. Recovery
D. Lessons Learned

A

C. Recovery

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

During a security incident, multiple systems were impacted by a DDOS attack. To mitigate the effect of the attack, a CSIRT team member follows procedures to trigger a BGP route update. This deflects the attack and the systems remain operation. What documentation did the CSIRT team member refer to?

A. Communication
B. Runbooks
C. Configuration guides
D. Vendor documentation

A

B. Runbooks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Critical infrastructure has been targeted by attackers who demand large payments in bitcoin to reveal the technology and keys needed to access the encrypted data. To avoid paying the ransom, analysts have been tasked to crack the cypher. What technique will they use?

A. Ransomware
B. Data exfiltration
C. Cryptanalysis
D. Steganalysis

A

C. Cryptanalysis

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

During a security incident, multiple systems were impacted by a DDoS attack. A security professional working in the SOC can view the events on a reporting dashboard and call up automated scripts to mitigate the attack. What system was used to respond to the attack?

A. Containment
B. SOAR
C. Communication Plan
D. Configuration guides

A

B. SOAR

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

A technician who is part of the IRT is called to take a forensic copy of a hard drive on the CEO’s laptop. He takes notes of the step by step process and stores the evidence in a locked cabinet in the CISO’s office. What will make this evidence inadmissible?

A. Evidence collection
B. Lack of chain of custody
C. Missing order of volatility
D. Missing memory snapshots

A

B. Lack of chain of custody

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

A forensic investigator is called to capture all the possible evidence from a compromised laptop. To save battery life, the system is put into sleep mode. What important forensic process has been overlooked?

A. Cloning
B. Evidence preservation
C. Secure storage
D. Backups

A

B. Evidence preservation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

A forensic investigator is called to capture all possible evidence from a compromised computer that has been switched off. They gain access to the hard drive and connect a write blocker before recording the current hash value of the hard drive image. What important forensic process has been followed?

A. Integrity preservation
B. Hashing
C. Cryptanalysis
D. Steganalysis

A

A. Integrity preservation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Law enforcement needs to retrieve graphic image files that have been deleted or hidden in unallocated space on a hacker’s hard drive. What tools should they use when analyzing the captured forensic image?

A. File carving tools
B. objdump
C. strace
D. netstat

A

A. File carving tools

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

FBI forensics experts are investigating a new variant of APT that has replaced Linux operating system files on government computers. What tools should they use to understand the behavior and logic of these files?

A. Runbooks
B. Binary analysis tools
C. Imaging tools
D. vmstat

A

B. Binary analysis tools

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

A forensic investigator suspects stolen data is hidden within JPEG images on a suspectts computer. After capturing a forensic image, what techniques should they use when analyzing the JPEG image files?

A. Integrity preservation
B. Hashing
C. Cryptanalysis
D. Steganalysis

A

D. Steganalysis

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Attackers have managed to install additional services on a company’s DMZ network. Security personnel need to identify all the systems in the DMZ and all the services that are currently running. What command line tool best gathers this information?

A. Nmap
B. Aircrack-ng
C. Volatility
D. The Sleuth Kit

A

A. Nmap

17
Q

A forensic investigator is called to capture all possible evidence from a compromised computer that has been switched off. They gain access to the hard drive and connect a write blocker. What tool should be used to create a bit by bit forensic copy?

A. dd
B . Hashing utilities
C. sha256sum
D. ssdeep

A

A. dd

18
Q

To stop a running process on a Red Hat Linux server, an investigator needs to see all the currently running processes and their process IDs. What command line tool will allow the investiagtor to view this information?

A. netstat -a
B. ps -A
C. tcpdump -i
D. sha1sum <filename></filename>

A

B. ps -A

19
Q

While analyzing a running Red Hat Linux server, an investigator needs to show the number of available computing resources and currently used resources. The requirements are for the running processor, memory and swap space on the disk. What tool should be used?

A. vmstat
B. ldd
C. lsof
D. tcpdump

A

A. vmstat

20
Q

During a live investigation on a Fedora Linux server, a forensic analyst needs to view a listing of all opened files, the process that was used to open them, and the user account associated with the open files. What would be the best command line tool to use?

A. vmstat
B. ldd
C. lsof
D. tcpdump

A

C. lsof

21
Q

While analyzing a running Red Hat Linux server, an investigator needs to run commands on the system under investigation to reflect all the outputs on the forensic workstation. The analysis also needs to transfer a file for investigation using minimum interactions. What command line tool should be used?

A. netcat
B. tcpdump
C. conntrack
D. Wireshark

A

A. netcat

22
Q

Security professionals need to assess the security of wireless networks. A tool needs to be identified that allows wireless traffic to be monitored, and the WEP and WPA security to be attacked (via packet injection) and cracked. What would be the best command line tool to use here?

A. netcat
B. tcpdump
C. Aircrack-ng
D. Wireshark

A

C. Aircrack-ng

23
Q

A forensic investigator needs to search through a network capture saved as a pcap file. They are looking for evidence of data exfiltration from a suspect host computer. To minimize disruption, they need to identify a command line tool that will provide this functionality. What should they choose?

A. netcat
B. tcpdump
C. Aircrack -ng
D. Wireshark

A

B. tcpdump

24
Q

A forensic investigator is performing analysis on syslog files. They are looking for evidence of unusual activity based upon report from User Behavior Analysis (UBA). Several packets show signs of unusual activity. Which of the following requires further investigation?

A. nc -w 180 -p 12345 -l < shadow.txt
B. tcpdump -I eth0
C. conntrack -L
D. Exiftool nasa.jpg

A

A. nc -w 180 -p 12345 -l < shadow.txt

25
Q

Recent activity has eld to an investigation being launched against a recent hire in the research team. Intellectual property has been identified as part of code now being sold by a competitor. UBA has identified a significant amount of JPEG image uploads to a social networking site. The payloads are now being analyzed by forensics. What techniques will allow them to search for evidence in the JPEG files?

A. The Steganalysis Tool
B, The Cryptanalysis tool
C. The Binary Analysis Tool
D. The Memory Analysis Tool,.

A

A. The Steganalysis Tool

CASP+ Prepare for ISSAP (23 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions