DFIR Test Review Flashcards

1
Q

Define the CSIRT acronym

A

Computer Security Incident Response Team

2
Q

Let’s build an IR team, whom do we need?
A. Analyst – Does ALL the work! Like a paralegal to an attorney
B. IR Manager – Manages up, helps herd the cats, removes blockers
C. Researcher – Malware analysis, digs into vulnerabilities, etc.

  • Do we need a technician?
  • Technicians work on infrastructure gear
  • We can request techs do something (spanning or mirroring)
  • We would not want one on our team as they must have adequate access and
    tribal knowledge of the infrastructure. Our team member would have none
    of that.
A

Need A, B, and C

3
Q

What types of things do we do in Digital Forensics?
A. Collecting information – Collecting artifacts to analyze
B. Examining artifacts – Looking for malware and signs of compromise
C. Reporting – We write comprehensive technical reports

  • During a DF or IR, do we ‘hack’?
A

We do A, B, and C

4
Q

Which of the following is a digital forensics method?
A. Deleting files
B. Steganography
C. Live Analysis
D. All of the above

A

C, Live Analysis

5
Q

What is the order of the IR lifecycle?

A

Preparation, Detection and Analysis, Containment, Eradication and
Recovery, and Post Incident Activity

  • Note: No ‘identification’, ‘termination’

6
Q

Which of the following tools can interface with Windows OS and a RAM dump?
A. CAINE
B. Volatility
C. Wireshark
D. SIFT

A

RAM = Volatility, answer is B

A. CAINE – Computer Aided Investigative Environment (KALI of forensics)

C. Wireshark – Protocol Analyzer
D. SIFT – SANS Incident Forensics Toolkit (KALI of forensics)

7
Q

How can malware be detected?
A. By scanning the system folder
B. It cannot be detected
C. By searching for abnormal activities
D. By changing folder permissions

A

C By searching for abnormal activities

8
Q

What is a sandbox used for?
A. Isolating an operating system to check files
B. Testing malware w/out affecting the host system
C. Running new apps
D. Clearing infected files from the host system

A

Testing malware w/out affecting the host system

9
Q

What is the difference between wireshark and t-shark?

A
  • T-shark does not have a GUI
  • T-shark is more efficient than wireshark
10
Q

What is a disadvantage of a planned attack?
A. When an attack is planned, the AV cannot scan it
B. When an attack focuses on a company, it is harder to track it
C. When an attack is planned, the firewall does not monitor it
D. It is easier to bypass security measures when an attack is planned

A

When an attack focuses on a company, it is harder to track it

11
Q

What is TCPFLOW?

  • https://www.tecmint.com/tcpflow-analyze-debug-network-traffic-in-linux/
A
  • Free, open source, powerful command-line tool for analyzing network traffic on Unix-like systems such as Linux. Captures data received or transferred over TCP connections and stores it in a file for later analysis.
  • It breaks the data up by IP
  • Does not capture all the header info (only the data)
  • Does not capture the entire packet like TCPDUMP does
12
Q

What is TCPReplay?

A

TCPReplay allows a user to open a .pcap file and then replay it back onto the network.

13
Q

What is TCPDUMP?

A
  • Packet capture tool that captures all the data in the packet
  • Also called a packet sniffing tool
  • Also called a Network Sniffing Tool
14
Q

What is the difference between soft and hard filters in wireshark?

A
  • Hard filters are set at ‘capture time’
  • Remember that wireshark is a protocol analyzer and not a packet capture or sniffer tool.
  • Hard filters set the packet sniffer wireshark is coupled with to ONLY capture what the filter tells it to.
  • Soft filters are set in wireshark (protocol analyzer) not the packet capture tool
  • Hard filters limit captures, not soft filters.
  • Soft filters can be modified, hard filters are preset at the beginning of a capture
15
Q

What is the difference between captured HTTP requests and HTTPS requests?

A
  • All data transferred over an HTTPS connection is encrypted
  • HTTPS requests are encrypted
16
Q

In what way is a file hidden when using steganography?

A
  • A file can be hidden inside of another file
  • A command is typically hidden in images being posted to control
    posts (Indonesian malware posting to infected word press servers)
17
Q

What is FTK Imager?

A

FTK Imager is a tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as FTK is warranted.
* Forensic Tool Kit = FTK
* What is a forensic image?
* A forensic image is one in which, during the copy, there was no ability to write to the original disk/evidence
* What is a byte by byte copy? (perfect copy)
* A byte by byte copy is one in which a byte is read, written, read again and verified that it was written exactly as the original byte. Each byte is checked. Versus a ‘group of bytes’ copy (normal copy) where large sections are read, written, a hash generated of the section, and a hash pulled of the section written. If the hashes match it is assumed to be a 100% accurate copy – not every byte is checked.
* Hashing algorithms do not check every single byte – just a LOT of them.

18
Q

What is HxD

A

Hexadecimal Editor
* a tool NOT USED IN NETWORK FORENSICS MONITORING!!!!

19
Q

What is wireshark?

A
  • A protocol analyzer
20
Q

What is ntopng?

A
  • High-speed web-based traffic analysis and flow collection
  • ntopng is a high-performance, low-resource replacement for ‘ntop’.
  • The name is derived from: ntop next generation.
  • Provides persistent traffic statistics in RRD format.
  • RRD = round robin database, i.e. fixed in size. As one entry enters,
    another leaves.
  • Layer 7 analysis by leveraging nDPI (open source DPI framework)
  • DPI = Deep Packet Inspection
  • Can be used in forensics
21
Q

What is Xplico?

A

Open source network forensic analysis tool (NFAT)
* https://www.xplico.org/

22
Q

Which statement is true?
* When data is erased from the operating system, it cannot be restored
* When data is erased from the OS, it remains on the HDD until it is
overwritten
* Data is kept only in RAM, and cannot be restored from the HDD
* Data is erased when the operating system reboots

A

When data is erased from the OS, it remains on the HDD until it is
overwritten

23
Q

Where is the file signature mentioned?
1. Only at the end of a file
2. It is not mentioned at all
3. After the first line of the file’s information section
4. At the beginning and end of a file
5. IRL it is at the first few bytes of the file

A
  1. At the beginning and end of a file
24
Q

What is the event viewer?
A. A Windows interface that only displays login attempts
B. A Windows interface that saves computer logs
C. A Windows interface that collects logs from the network
D. A Windows interface that collects logs from remote computers

A

B. A Windows interface that saves computer logs

25
Q

What is mimikatz?

https://www.varonis.com/blog/what-is-mimikatz/

A

Mimikatz was written as a proof of concept to show Microsoft that its
authentication protocols were vulnerable to attack. Instead, its author
inadvertently created one of the most widely used and downloaded
hacker tools of the past 20 years.
* Credential theft tool for Windows networks, w00t!

26
Q

What is John the ripper

A
  • Free password cracking tool
27
Q

What is LaZagne?

A
  • A tool for recovering passwords from a system
  • The LaZagne project is an open source application used to retrieve
    lots of passwords stored on a local computer. Each software stores its
    passwords using different techniques (plaintext, APIs, custom
    algorithms, databases, etc.).
  • https://github.com/AlessandroZ/LaZagne#:~:text=The%20LaZagne%20project%20is%20an,%2C%20databases%2C%20etc.).
28
Q

Which is a tool that can recover passwords saved in a system?

A

laZagne

29
Q

What is binwalk?

A

A tool for hunting through binary data for magic numbers
* It can walk through a file and find files within files by locating magic numbers
* Just because it finds a magic number for a file, does it mean we will have another file there?
* https://en.wikipedia.org/wiki/List_of_file_signatures

30
Q

What is Persistence?

A

When a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials.

31
Q

List two techniques that are commonly used for malware persistence.

Registry Keys (windows)
Services (windows / *nix)
Scheduled Tasks
Anti-debugging

A
  • Registry Keys (windows)
  • Services (windows / *nix)

–Scheduled Tasks? This is likely true on Windows and *nix systems, but NOT for the test unless it is multiple checkbox question!

–Anti-debugging? This is not related to persistence but for staying hidden a little longer.

32
Q

Which of the following is not an IR Role?

  • Recovery
  • Containment
  • Stress Check
  • Response
A

Stress Check
Is not related – this is for testing auto scaling or ECC (Elastic Cloud
Computing)

33
Q

Which tool can be used for dynamically investigating malware?
* Debugger
* Packer
* UPX
* Disassembler

A

Debugger – Used by software engineers to slow code down and troubleshoot it. Also used by reverse engineers analyzing malware.

  • Packer – Tool used to obfuscate code (makes it difficult to RE)
  • UPX – Name of the most popular packer (Ultimate Packer for
    Executables)
  • Disassembler – Static Analysis tool for taking apart a malware binary
34
Q

Which is not included in the Digital Forensics Process?
* Collection
* Examination
* Reporting
* Penetration Testing

A

Penetration Testing

35
Q

Which of the following is not a body section of a PE (Portable Executable) File?
* .rdata
* .data
* .header
* .text

A

header

36
Q

Which of the following is not a file system used by Windows OS?
* Ext4
* NTFS
* FAT32
* exFAT

A

Ext4

37
Q

Which of the following are anti-forensics techniques?
Steganography
Debugging
APT
Tunneling

A

Steganography
Tunneling

38
Q

Which of the following is not a feature of wireshark?
* Stream Inspection
* Object Export
* Display Filters
* Replacing Network Traffic

A

Replacing Network Traffic

39
Q

Which of the following tools can be used to obfuscate malware code?
* NASM
* PEiD
* NMAP
* UPX

A

UPX

  • NASM is an assembler (Netwide Assembler)
  • PEiD is Portable Executable Identifier (profiles PE files and identifies them)
  • NMAP is a Network Mapping tool
40
Q

Which of the following can be used to identify a file as malicious?
* XFS Analyzer
* Autoruns
* Encryption
* Hash

A

Hash – Can be used to check VT for prior malicious
behaviour w/out exposing the file to thousands of people.
(answer)

  • XFS Analyzer - profiles extended file system
  • Autoruns – Locations in windows where files can be put to automatically run when the computer is rebooted. The programs ‘automatically run or autorun’.
  • Encryption – Prevents the data from being read or modified.
41
Q

Which of the following is used to hide persistent malware?
* Autoruns
* Wireshark
* Volatility
* HxD

A
  • Autoruns – Used to make malware persistent by having it ‘auto run’
    anytime the computer reboots. (answer)
  • Wireshark – Protocol analyzer
  • Volatility - Memory Analyzer and has tools that can run natively in
    Windows OS. (used to research RAM dumps)
  • HxD – Hexadecimal editor
42
Q

Which of the following can be used to research RAM dumps?
* PhotoREC
* Exif Tool
* Dd
* Volatility

A

Volatility – Used to research RAM dumps, also has an installer
to interact w/the Windows OS.

  • PhotoREC – Hunts for magic numbers related to images in
    binary data, extracts any image files it finds.
  • Exif Tool – Extract exif data (meta data) from image files.
  • dd – Used to perform byte by byte copies of files, partitions,
    and disk images.
43
Q

Which of the following tools can be used to look for embedded executable code?
* Binwalk
* FTK Imager
* Sigcheck
* Certutil

A
  • Binwalk – Used to hunt for files embedded in other files by looking for magic numbers.
  • FTK Imager – Creates forensic images of files.
  • Sigcheck – Compares 2 files signatures to verify that they are
    the same.
  • Certutil – Tool used for managing and working with certificate
    files.
44
Q

Which of the following is not a tool used for data carving?
* DumpIt
* Bulk Extractor
* HxD
* PhotoRec

A
  • DumpIt – Used to create RAM (Random Access Memory) dumps for later analysis.
  • Bulk Extractor – Used to extract files via magic numbers from binary data.
  • HxD – Hexadecimal Editor (hex editor)
  • PhotoRec – Used to extract all types of images from binary data.
45
Q

Which of the following will not create a log by default?
* None of these Choices
* Web Servers
* Proxy Servers
* Linux authentication Process

A

None of these Choices

Note: All programs, processes, daemons, everything creates logs!

46
Q

Which of the following is not CPU architecture?
* NASM
* ARM
* Pi
* MIPS

A
  • Pi – An embedded system architecture (not a CPU): it is the entire ‘system’, board and all, versus just a CPU architecture like x86,
    x64 and MIPS.
  • NASM – Netwide Assembler for generating CPU code
  • ARM – Acorn RISC Machine (CPU Architecture)
  • MIPS – MIPS is also the name of the company that designed it.
    It is a CPU architecture. Name = Million Instructions Per Second
47
Q

Which of the following can be used to research RAM dumps?
* Volatility
* dd
* Exif tool
* PhotoREC

A

Volatility

48
Q

Linux systems?
* XFS
* Ext4
* FAT32
* NTFS

A

Ext4

49
Q

Which of the following should be monitored during dynamic malware analysis?
File System Changes
Executable file strings
Registry Changes
Network Activity

A

File System Changes
Registry Changes
Network Activity

50
Q

What is the responsibility of a CISO?
To make sure the physical security of an organization is adequate
To manage IT employees and search for quality recruits
To create a strategy for data and IT asset protection and maintain it
To manage the business model of an organization

A

To create a strategy for data and IT asset protection and maintain it

51
Q

Persistent malware = autoruns!!!!!

A

Anytime you see the words ‘persistent malware’, ‘autoruns’ is going to
be the answer.

52
Q

Which of the following is a Windows event viewer classification?
Alert
Error
Debug
IOC

A

Alert
Error
Debug

53
Q

Which of the following tools can be used for drive cloning?
* dd
* None of these choices
* Volatility
* FTK Imager

A

FTK Imager
dd

54
Q

What is the difference between wireshark and tcpdump?
* Tcpdump is a dumping tool; wireshark monitors system files
* Tcpdump can only capture packets that use tcp
* Tcpdump is command-based; wireshark has a GUI interface
* Wireshark is a network monitoring tool; tcpdump is used as an IDS

A

Tcpdump is command-based; wireshark has a GUI interface

55
Q

Which of the following is not a containment strategy?
* Host isolation
* Updating IDS rules
* Segmentation of networks
* Blocklist filtering

A

Updating IDS rules