Domain 4

Question 1

A network security analyst for a large company is testing system vulnerabilities by capturing system memory live while simultaneously attempting different methods of penetration and simulated attacks. The network consists of both Windows and Linux machines. Assess the tools that the analyst could employ in this process for capturing system memory on either OS

Answer 1

The Linux-based tool memdump can run against the /dev/mem device file provided a kernel driver, such as pmem or fmem, is installed.
WinHex is a hex and disk editor for Windows that, when preinstalled on the host system, allows live capture of system memory.
The common Linux tool dd is a file conversion and copying tool that can copy entire disks, including hard disk images and memory dump files such as the /dev/mem device file. This makes it useful for easily and simply obtaining captures of a system’s memory.

Question 2

A hacker has scanned the network for vulnerabilities and plans to inject malicious software into an unprotected server. The hacker wants to use this server as a jump server to gain access to the network and execute more code in the future. However, the hacker does not want to leave any trace behind, if caught. Which of the following tools would the hacker most likely use?

Answer 2

Meterpreter is a very advanced and dynamic exploit module (or payload) that uses in-memory DLL injection stagers. Stagers create a network connection between the hacker and the target. Since the stagers are in memory and never written to disk, any trace can be removed with a restart of the server.

Question 3

Nexpose

Answer 3

Managed by Rapid7 along with Metasploit, Nexpose is a vulnerability scanner that is similar to Nessus. and can find open ports

Question 4

Kali

Answer 4

or Kali Linux is a Debian-derived Linux distribution designed for system forensics and penetration testing. The Metasploit framework is included in this operating system image.

Question 5

Nessus

Answer 5

is a vulnerability scanner from Tenable. A hacker may use a vulnerability scanner to seek out easy targets (e.g., open ports) to plan for an attack.

Question 6

-t

Answer 6

switch pings the specified server name or IP (Internet protocol) address until stopped. Typing CTL+C on the keyboard will stop the pings.

Question 7

-n

Answer 7

switch sets the number of echo requests to send. The standard send count is four. The number can be specified after the -n switch.

Question 8

-S

Answer 8

switch, which is a capital S, is used to specify a source address to use that is different from the server that the admin is initiating the ping command from.

Question 9

-r

Answer 9

switch records the route for count hops. This is for IPv4 addresses.

Question 10

-O flag

Answer 10

following the target IP is the standard method of enabling OS detection in the scan.

Question 11

-A flag

Answer 11

following the target IP will enable OS detection as well as version detection, script scanning, and traceroute.

Question 12

-T0 flag

Answer 12

is a timing switch that enables ‘paranoid’ intrusion detection system evasion, attempting to evade detection by the host.

Question 13

-oG - flag

Answer 13

following the target IP and followed by a filename will enable Nmap to output ‘grepable’ scan results to the screen. While this can be used alongside OS detection flags, it will not by itself perform OS detection by default.

Question 14

hping

Answer 14

is an open-source tool that has packet sniffing and injection as well as Denial of Service (DoS) testing features built right in. It does not gather OSINT data.

Question 15

netstat

Answer 15

is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics.

Question 16

netcat

Answer 16

is a computer networking utility for reading from and writing to network connections using TCP or UDP.

Question 17

Active KillDisk

Answer 17

is a disk wiping sanitization software tool that can purge data on disk by overwriting data with 1s and 0s. Overwriting might also be performed in multiple passes. The disk can be recycled after using this software.

Question 18

FTK Imager

Answer 18

is a commercial suite of Windows-compatible forensic investigation software and includes the capability for live memory capture and saves the data in a proprietary .eo1 file format.

Question 19

A public key infrastructure (PKI) is being set up for a logistics company, utilizing OpenSSL. Which of the following commands can the team use, when setting up the PKI, to create an encrypted RSA key pair?

Answer 19

The openssl genrsa -out server.key 1024 command generates an RSA key and will output as server.key. 1024 represents the key size.

Question 20

The openssl rsa -in server.key -pubout

Answer 20

command will only print the public key of server.key, if it already exists.

Question 21

The openssl rsa -check -in server.key

Answer 21

command checks the private RSA key and prompts for the passphrase if one exists. This assumes a private RSA key already exists.

Question 22

The openssl x509 -x509toreq -in cert.pem -out server.csr -signkey server.key

Answer 22

command outputs a certificate signing request (CSR) from an existing certificate and private key. This assumes a private RSA key and certificate already exist.

Question 23

During an interview, a security analyst is presented with four code blocks and asked to identify which one correctly defines and calls a function to search a keyword in a file using PowerShell on Windows. Validate the analyst’s choice.

Answer 23

The Select-String -Path C:\temp\sample.txt -Pattern “Test” command will search for the “Test” string in the entire file called sample.txt. The command works similarly to the grep command.

Question 24

A new cybersecurity analyst is working at his first job. The analyst requires a penetration test reporting and evidence gathering framework that can run automated tests through integration with Metasploit. Recommend a framework that will fulfill the analyst’s needs.

Answer 24

Sn1per is a framework designed for penetration test reporting and evidence gathering and can integrate with other tools, such as Metasploit, to run automated tests.

Question 25

Autopsy

Answer 25

is a digital forensics platform with a graphical user interface (GUI). It investigates events on a device.

Question 26

An administrator of a Linux network is writing a script to transfer a list of local host names, contained in a file called hostnames, directly into the syslog file. Predict the CLI command the admin is likely to use to accomplish this.

Answer 26

The logger command writes input to the local system log or to a remote syslog server. This example writes the contents of the file hostnames to the syslog file.

Question 27

A systems administrator recently hardened two servers (Linux and Windows), disabling unused ports and setting up a software firewall to specific port connections and protocols. These servers support employees at an external branch that operates on wireless network connections and laptops. Which of the following tools will help audit the server’s security settings with the least amount of effort?

Answer 27

tcpdump is a command-line packet capture utility built-in to most Linux distributions that output a description of the contents of each packet received on a network interface.
tshark is a terminal version of Wireshark that also captures and displays packet information from any network interface. This can run on a Windows computer.

Question 28

A wireless scanner

Answer 28

scans for SSIDs (security set identifiers), frequency band, channel usage, and things of that nature. It is not applicable to this situation.

Question 29

AirPcap

Answer 29

is a wireless adapter designed specifically for packet capture. It is not applicable to this situation.

Question 30

FireELF

Answer 30

is a fileless open source Linux malware framework that enables customers to build and manage payloads quickly.

Question 31

During an interview, a security analyst is presented with four code blocks and asked to identify which one correctly defines and calls a function that uses grep to search a file in Python. Validate the analyst’s choice.

Answer 31

filename= “sample.txt”

pattern = “test”

def search_file(name_of_file, grep_pattern)

file = open(filename, “r”)

for line in file:

if re.search(pattern, line):

  print(line)

search_file(filename, pattern)
The correct Python script correctly defines its variables, uses def to indicate a function is being defined, uses proper indentation, and calls the function after it has been defined.

Question 32

A cybersecurity investigator is investigating a breach, and the method of entry is not yet known. The investigator decides to begin by checking for suspicious entries in the routing table. Select the command-line tool that will enable the investigator to directly access the table.

Answer 32

The route command views and configures the host’s local routing table. Entries that are unfamiliar or that are not routers can be considered suspicious.

Question 33

tracert command

Answer 33

uses ICMP probes to report the round trip time (RTT) for hops between the local host and a host on a remote network on Windows.

Question 34

traceroute

Answer 34

command performs route discovery from a Linux host using UDP probes rather than ICMP.

Question 35

A forensics analyst is attempting a live acquisition of the contents of the memory of a running Linux device. In order to copy the blocked /dev/mem file with memdump or dd, the analyst must install a kernel driver. Recommend a framework that will enable the analyst to install a kernel driver.

Answer 35

The Volatility Framework is widely used for system memory analysis and can install the pmem kernel driver, allowing tools such as memdump or dd to access the /dev/mem device memory file on Linux.

Question 36

A malware expert wants to examine a new worm that is infecting Windows devices. Verify the sandbox tool that will enable the expert to contain the worm and study it in its active state.

Answer 36

Cuckoo is a security product designed to analyze malware as it runs in an isolated sandbox environment. It does not scan for vulnerabilities.

Question 37

A white-hat penetration tester is simulating an attack to check for vulnerabilities. The first step is to determine if the pen tester can scan for ports or services that have been left open, without being detected by the Intrusion Prevention System (IPS). Recommend a tool that fits the pen tester’s requirements.

Answer 37

The scanless tool is a port scanner that runs its scans through third-party websites to evade detection. This allows for stealthy port scanning.

Question 37

A security administrator prepares to eavesdrop on the network and determine if there are any open ports. The admin will analyze the ports to determine if they are legitimate connections and if they should be open. Which tool will the admin most likely use?

Answer 37

Wireshark is both a sniffer and protocol analyzer tool. It is capable of parsing (interpreting) the headers of hundreds of network protocols and listing the contents of the data packets in plain view, if available. It can eavesdrop and scan open networks.

Question 37

tshark

Answer 37

is a terminal version of Wireshark that also captures and displays packet information from any network interface. This can run on a Windows computer.

Question 38

tcpdump

Answer 38

is a command-line packet capture utility built-in to most Linux distributions that output a description of the contents of each packet received on a network interface.

Question 39

Nmap

Answer 39

is a versatile tool, allowing users to perform a Denial of Service (DoS) attack (for testing purposes) by using the Nmap Scripting Engine (NSE). The packet-sniffing library Npcap can be added to Nmap to provide packet sniffing and injection capability.

Question 40

SIEM (Security Information and Event Management) software

Answer 40

collects and collates security and log data from across a network in real-time, and organizes it for efficient threat analysis, with the ability to link events and related data into alertable reports.

Question 41

NXlog (nxlog.co)

Answer 41

is an open-source centralized log collection tool. It has similar features of a SIEM like alerting, normalization, aggregation, correlation, and retention. NXlog is multi-platform compatible.

Question 42

Syslog

Answer 42

is an industry-standard logging tool, commonly used to collect logs in a central location, but lacks advanced features like normalization or aggregation.

Question 43

journalctl utility

Answer 43

is for querying and displaying logs in Linux systems. Although it can be scripted, journalctl lacks any advanced normalization or aggregation features.

Question 44

An attacker has defaced a simple and up-to-date WordPress website running on a fully-patched Ubuntu Server that a web developer administers. The forensics team has taken the computer down after the developer reached out for assistance. The forensics team has isolated the server to preserve the current status of the device and its records. They blocked remote access to the attacker, preventing interaction with all other devices on the network. In continuing the investigation, what is the most appropriate next step to determine how or where the attack was initiated?

Answer 44

Checking network logs will provide clues to the attack. Logs may show external IP addresses representing the attacker’s location. Logs may also show protocols and actions used to carry out specific attacks to deface the website.

Question 45

What are the main features that distinguish a Test Access Point (TAP) from a switched port analyzer (SPAN)?

Answer 45

test access point (TAP) is a hardware device that copies signals from the physical layer and the data link layer, while SPAN (switched port analyzer) is simply ports being mirrored.

Question 46

A cybersecurity specialist working for an Internet Service Provider (ISP) noticed some unusual indicators of malicious activity and suspects that there may be a remote-access trojan or botnets present in the network. The specialist will begin looking at some Domain Name System (DNS) servers. Prescribe next steps that will assist in the investigation.

Answer 46

OSSEC is a host intrusion detection system (HIDS) that can collect DNS server logs for trend analysis. OSSEC can crosscheck these DNS server logs against a list of known malicious domains.
Wireshark can capture packets sniffing network ports and save that traffic to a .pcap file. tcpreplay can then replay the saved information to determine if there is malicious activity.
OSSEC can perform frequency-based trend analysis on NXDOMAIN errors received by comparing it to a baseline. Trends outside of the baseline may allude to malicious activity.

Question 47

A cybersecurity analyst is using a header analyzer to examine the headers of classified emails retained according to the organization’s email retention policy. What types of information might the analyst find in email headers?

Answer 47

The origin and authenticity of a message can be determined by reading the header. The header contains the email address of the sender.
Between the mail user agent (MUA), mail delivery agent (MDA), and the message transfer agent (MTA), the server information is added at every step. This information can be helpful in tracing the geographic origin of an email.
Spam checks are often performed by additional message transfer agents (MTAs), for instance, at mail security gateways. The results of these checks are then added to the header.

Question 48

Sinkhole

Answer 48

routing means suspicious traffic that is flooding a specific IP address routes to another network for analysis. This is a form of segmentation because it maintains the connection to other networks.

Question 49

A mortgage company’s firewall access control list blocks all traffic from bogon networks and a specific private address range but allows any HTTP, HTTPS, or SMTP traffic from any other source. Implicit denial occurs when traffic does not match any rule. At which point in the processing of an access control list is an implicit denial likely found?

Answer 49

The rules in the ACL of a firewall process top to bottom. Traffic will continue to be checked down the list of rules to determine if it may pass or not. Best practice is to set the implicit denial rule at the end, to block all traffic left unmatched.

Question 50

Blackholes

Answer 50

correspond to locations in the network that quietly discard (or “drop”) incoming or outgoing messages, without notifying the source that it did not reach its intended recipient. Blackholes are an isolation technique because they isolate the attacker from the network.

Question 51

Air gapping

Answer 51

indicates the physical isolation of a system from all network resources, often by being physically disconnected. The exploit becomes isolated to the disconnected device and cannot “escape.”

Question 52

A computer system was breached at a medium-sized business. IT personnel began an investigation immediately. Some steps taken included a virus scan and a reboot. What has this breach compromised?

Answer 52

Volatile storage (for example, system or cache RAM) is storage that is usually temporary and is easily erased or lost. Powering down a system will remove any potential evidence that is contained in volatile storage. The order of volatility can be used during an investigation, and is a general outline of components arranged from more to less volatile.

Question 53

After a recent incident, investigators are performing forensics on a Windows server. While using various tools to examine damaged data, they discover the timestamps on an NT file system (NTFS) volume do not seem correct and are a few hours different from local time. What determination should the experts conclude as the reason for the timestamp discrepancy?

Answer 53

Different file systems use different methods to identify the time when something occurred. NTFS uses UTC “internally,” but many file systems record timestamps as the local system time. In forensics, it is vital to note the offset between the local system time and UTC.