Incident Response & Forensics Flashcards

1
Q

Incident Management Program

A

Program consisting of the monitoring and detection of security events on a computer network and the execution of proper response to those security events

2
Q

Incident Response Team

A
  • Incident Response Manager
  • Security Analyst
  • Triage Analyst
  • Forensic Analyst
  • Threat Researcher
  • Cross-functional Support
3
Q

Out-of-Band Communication

A

Signals sent between two parties or two devices via a path or method different from that of the primary communication between them

4
Q

journalctl

A

A Linux command line utility used for querying and displaying logs from journald, the systemd logging service on Linux

5
Q

nxlog

A

A multi-platform log management tool that helps identify security risks and policy breaches, and analyze operational problems, in server logs, operating system logs and application logs

nxlog is a cross-platform, open-source tool that is similar to rsyslog or syslog-ng

6
Q

netflow

A

A network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface, including its point of origin, destination, volume and paths on the network

7
Q

sflow

A

Short for “sampled flow”, it provides a means for exporting truncated packets, together with interface counters for the purpose of network monitoring

Only a portion of actual network traffic (not technically a flow)
Lower resource requirements
Usually embedded in the infrastructure
Relatively accurate statistics

8
Q

IPFIX

A

Internet Protocol Flow Information Export:
Newer NetFlow-based standard (evolved from NetFlow v9)
Flexible data support
Templates are used to describe data

IETF standard for how IP flow information is formatted and transferred from an exporter to a collector

9
Q

Forensic Procedures

A

Identification
Ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected

Collection
Ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected

Analysis
Create a copy of evidence for analysis and use repeatable methods and tools during analysis

Reporting
Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis

Legal Hold
A process designed to preserve all relevant information when litigation is reasonably expected to occur
A computer or server could be seized as evidence

10
Q

nmap

A

An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses

11
Q

hping

A

An open-source packet generator and analyzer for the TCP/IP protocol that is used for security auditing and testing of firewalls and networks

Send crafted frames
Modify all IP, TCP, UDP, & ICMP values

12
Q

netcat

A

Utility for reading from and writing to network connections using TCP or UDP; a dependable back-end that can be used directly or easily driven by other programs and scripts

Can be used for Banner Grabbing; used for shell connections as well

13
Q

curl

A

A command line tool to transfer data to or from a server, using any of the supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP or FILE)

Client URL
Retrieve data using a URL (web pages, FTP, emails, databases)
Grabs raw data (search, parse, automate)

14
Q

The Harvester

A

A Python script that is used to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and the SHODAN database

Gather OSINT
Scrape info from Google/Bing
List people on LinkedIn
DNS brute force
VPN, chat, mail
15
Q

sn1per

A

An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network

Combines many recon tools into a single framework
Dnsenum, metasploit, nmap, theHarvester, & more
Both non-intrusive and very intrusive scanning options
Another tool that can cause problems (brute force, server scanning)

16
Q

scanless

A

Utility that is used to create an exploitation website that can perform open port scans in a more stealth-like manner

Stealthy because the scan appears to come from the web server, not from you

17
Q

dnsenum

A

Utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization

18
Q

Nessus

A

A proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities

19
Q

Cuckoo

A

Open-source software for automating the analysis of suspicious files

A sandbox for malware
A virtualized environment (Windows/Linux/macOS/Android)
Track & trace
API calls, network traffic, memory analysis

20
Q

head

A

A command-line utility for outputting the first ten lines of a file provided to it

21
Q

tail

A

A command-line utility for outputting the last ten lines of a file provided to it

22
Q

cat

A

A command-line utility for outputting the contents of a file to the screen

23
Q

grep

A

A command-line utility for searching plain-text data sets for lines that match a regular expression or pattern

24
Q

logger

A

Utility that provides an easy way to add messages to the /var/log/syslog file from the command line or from other files

25
Q

OpenSSL

A

A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end

A toolkit & crypto library for SSL/TLS
Create X.509 certificates
Manage CSRs and CRLs
Message digests
Encryption/decryption
26
Q

tcpdump

A

A command line utility that allows you to capture and analyze network traffic going through your system

27
Q

tcpreplay

A

A suite of free open source utilities for editing and replaying previously captured network traffic

Test security devices
Check IPS signatures & firewall rules

Test & tune IP Flow/NetFlow devices
Send hundreds of thousands of traffic flows per second

Evaluate the performance of security devices
Test throughput & flows per second

28
Q

Wireshark

A

A popular network analysis tool to capture network packets and display them at a granular level for real-time or offline analysis

29
Q

FTK Imager

A

A data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed

30
Q

Memdump

A

A command line utility used to dump system memory to the standard output stream by skipping over holes in memory maps

31
Q

WinHex

A

A commercial disk editor and universal hexadecimal editor used for data recovery and digital forensics

32
Q

Autopsy

A

A digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools

Extract many different data types
Downloads, browser cache/history, emails, databases, etc

33
Q

Metasploit (MSF)

A

A computer security tool that offers information about software vulnerabilities, aids IDS signature development, and supports penetration testing

34
Q

BeEF

A

Browser Exploitation Framework:
A tool that can hook one or more browsers and use them as a beachhead for launching various direct commands and further attacks against the system from within the browser context

35
Q

Cain & Abel

A

A password recovery tool that works by sniffing the network, cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, and analyzing routing protocols

36
Q

John the Ripper

A

An open source password security auditing and password recovery tool available for many operating systems

37
Q

Incident Response Process

A
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
38
Q

Exercises: Tabletop

A

Talking through a drill instead of physically acting it out
Talk through a simulated disaster

39
Q

Exercises: Walkthrough

A

Include responders (a step beyond a tabletop exercise)

Test processes/procedures before an event
Walk through each step
Involve all groups
Reference actual response materials

40
Q

Exercises: Simulations

A

Testing a simulated event

Example: Phishing
Create a phishing email attack for your organization and see who falls for it
If someone fell for it, they need additional training

41
Q

Stakeholder Management

A

Keeping an ongoing relationship with IT customers (internal/external)
IT would not exist without the stakeholder

Most of this happens prior to an incident & continues after

42
Q

COOP

A

Continuity of Operations Planning:
An alternative in case technology fails
Manual transactions, paper receipts, phone calls for transaction approvals

43
Q

Retention Policies

A

Backup your data (how much? where?)
Lifecycle of data, purging old data

Regulatory compliance
A certain amount of data backup may be required

Differentiate by type & application

44
Q

Recording Time Offsets

A

The time zone determines how time is displayed
Document local device settings
Different file systems use different timestamp formats
Record the time offset from the OS

45
Q

Order of Volatility

A
(From most to least volatile)
CPU registers, CPU cache
Router table, ARP cache, process table, kernel stats, memory
Temporary file systems
Disk
Remote logging & monitoring data
Physical configuration, network topology
Archival media
46
Q

Checksums

A

Protect against accidental changes during transmission
Simple integrity check
Not designed to replace a hash

47
Q

Provenance

A

Documentation of authenticity
Chain of custody for data handling
Blockchain tech

48
Q

E-Discovery

A

Collect, prepare, review, interpret, & produce electronic documents
Gathering details & providing to legal authorities
Works together with digital forensics

49
Q

Non-Repudiation

A

Proof of data integrity & origin
You said it (or did it), you can’t deny it

MAC (Message Authentication Code)
Two parties verify non-repudiation
Digital signature (non-repudiation is publicly verified)