Questions D4 Incident Response and Recovery Flashcards
Mika wants to analyze the contents of a drive without causing any changes to the drive. What method is best suited to ensuring this?
A. Set the read‐only jumper on the drive.
B. Use a write blocker.
C. Use a read blocker.
D. Use a forensic software package.
B. Use a write blocker.
Explanation
A hardware write blocker can ensure that connecting or mounting the drive does not cause any changes to occur on the drive. Mika should create one or more forensic images of the original drive and then work with the copy or copies as needed. She may then opt to use forensic software, possibly including a software write blocker.
Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage?
A. SNMP
B. Portmon
C. Packet sniffing
D. Netflow
B. Portmon
Explanation
SNMP, packet sniffing, and Netflow are commonly used when monitoring bandwidth consumption. Portmon is an aging Windows tool used to monitor serial ports, not exactly the sort of tool that you’d use to monitor network bandwidth!
The senior management of Kathleen’s company is concerned about rogue devices on the network. If Kathleen wants to identify rogue devices on her wired network, which of the following solutions will quickly provide the most accurate information?
A. Discovery scan with a port scanner
B. Router and switch‐based MAC address reporting
C. Physical survey
D. Reviewing a central administration tool, such as SCCM
B. Router and switch‐based MAC address reporting
Explanation
If Kathleen’s company uses a management system or inventory process to capture the MAC addresses of known systems, then a MAC address report from her routers and switches will show her devices that are connected to the network but not in the inventory. She can then track down where the devices are physically connected to a switch port and investigate the device.
During a forensic investigation, Charles discovers that he needs to capture a virtual machine that is part of the critical operations of his company’s website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow?
A. Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in.
B. Copy the virtual disk files and then use a memory capture tool.
C. Escalate to management to get permission to suspend the system to allow a true forensic copy.
D. Use a tool like the Volatility Framework to capture the live machine completely.
B. Copy the virtual disk files and then use a memory capture tool.
Explanation
If business concerns override his ability to suspend the system, the best option that Charles has is to copy the virtual disk files and then use a live memory imaging tool. This will give him the best forensic copy achievable under the circumstances. Snapshotting the system and booting it will result in a loss of live memory artifacts. Escalating may be possible in some circumstances, but the scenario specifies that the system must remain online. Finally, Volatility can capture memory artifacts, but is not designed to capture a full virtual machine.
Lauren is the IT manager for a small company and occasionally serves as the organization’s information security officer. Which of the following roles should she include as the leader of her organization’s CSIRT?
A. Her lead IT support staff technician
B. Her organization’s legal counsel
C. A third‐party IR team lead
D. She should select herself.
D. She should select herself.
Explanation
A CSIRT leader must have authority to direct the incident response process and should be able to act as a liaison with organizational management. While Lauren may not have deep incident response experience, she is in the right role to provide those connections and leadership. She should look at retaining third‐party experts for incidents if she needs additional skills or expertise on her IR team.
Because of external factors, Eric has only a limited time period to collect an image from a workstation. If he collects only specific files of interest, what type of acquisition has he performed?
A. Logical
B. Bit‐by‐bit
C. Sparse
D. None of the above
A. Logical
Explanation
A logical acquisition focuses on specific files of interest, such as a specific type of file, or files from a specific location. In Eric’s case, a logical acquisition meets his needs. A sparse acquisition also collects data from unallocated space. A bit‐by‐bit acquisition is typically performed for a full drive and will take longer.
As the CISO of her organization, Jennifer is working on an incident classification scheme and wants to base her design on NIST’s definitions. Which of the following options should she use to best describe a user accessing a file that they are not authorized to view?
A. An incident
B. An event
C. An adverse event
D. A security incident
C. An adverse event
Explanation
NIST describes events with negative consequences as adverse events. It might be tempting to immediately call this a security incident; however, this wouldn’t be classified that way until an investigation was conducted. If the user accidentally accessed the file, it would typically not change classification. Intentional or malicious access would cause the adverse event to become a security incident.
In his role as a forensic examiner, Lucas has been asked to produce forensic evidence related to a civil case. What is this process called?
A. Criminal forensics
B. eDiscovery
C. Cyber production
D. Civil tort
B. eDiscovery
Explanation
When forensic evidence or information is produced for a civil case, it is called eDiscovery. This type of discovery often involves massive amounts of data including email, files, text messages, and any other electronic evidence that is relevant to the case.
Darcy is designing a fault‐tolerant system and wants to implement RAID level 5 for her system. What is the minimum number of physical hard disks she can use to build this system?
A. One
B. Two
C. Three
D. Five
C. Three
Explanation
RAID level 5, disk striping with parity, requires a minimum of three physical hard disks to operate.
What important function do senior managers normally fill on a business continuity planning team?
A. Arbitrating disputes about criticality
B. Evaluating the legal environment
C. Training staff
D. Designing failure controls
A. Arbitrating disputes about criticality
Explanation
Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.
Which one of the following is not normally included in business continuity plan documentation?
A. Statement of accounts
B. Statement of importance
C. Statement of priorities
D. Statement of organizational responsibility
A. Statement of accounts
Explanation
Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.
Which one of the following is not normally considered a business continuity task?
A. Business impact assessment
B. Emergency response guidelines
C. Electronic vaulting
D. Vital records program
C. Electronic vaulting
Explanation
Electronic vaulting is a data backup task that is part of disaster recovery, not business continuity, efforts.
Who should receive initial business continuity plan training in an organization?
A. Senior executives
B. Those with specific business continuity roles
C. Everyone in the organization
D. First responders
C. Everyone in the organization
Explanation
Everyone in the organization should receive a basic awareness training for the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role‐specific training.
Which one of the following components should be included in an organization’s emergency response guidelines?
A. List of individuals who should be notified of an emergency incident
B. Long‐term business continuity protocols
C. Activation procedures for the organization’s cold sites
D. Contact information for ordering equipment
A. List of individuals who should be notified of an emergency incident
Explanation
The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long‐term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.
Which one of the following stakeholders is not typically included on a business continuity planning team?
A. Core business function leaders
B. Information technology staff
C. CEO
D. Support departments
C. CEO
Explanation
While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.
As part of his incident response process, Charles securely wipes the drive of a compromised machine and reinstalls the operating system (OS) from original media. Once he is done, he patches the machine fully and applies his organization’s security templates before reconnecting the system to the network. Almost immediately after the system is returned to service, he discovers that it has reconnected to the same botnet it was part of before. Where should Charles look for the malware that is causing this behavior?
A. The operating system partition
B. The system BIOS or firmware
C. The system memory
D. The installation media
B. The system BIOS or firmware
Explanation
The system Charles is remediating may have a firmware or BIOS infection, with malware resident on the system board. While uncommon, this type of malware can be difficult to find and remove. Since he used original media, it is unlikely that the malware came from the software vendor. Charles wiped the system partition, and the system would have been rebooted before being rebuilt, thus clearing system memory.
Karen’s organization has been performing system backups for years but has not used the backups frequently. During a recent system outage, when administrators tried to restore from backups, they found that the backups had errors and could not be restored. Which of the following options should Karen avoid when selecting ways to ensure that her organization’s backups will work next time?
A. Log review
B. MTD verification
C. Hashing
D. Periodic testing
B. MTD verification
Explanation
Karen can’t use MTD verification because MTD is the maximum tolerable downtime. Verifying it will only tell her how long systems can be offline without significant business impact. Reviewing logs, using hashing to verify that the logs are intact, and performing periodic tests are all valid ways to verify that the backups are working properly.
Which one of the following is not an example of a backup tape rotation scheme?
A. Grandfather/Father/Son
B. Meet‐in‐the‐middle
C. Tower of Hanoi
D. Six Cartridge Weekly
B. Meet‐in‐the‐middle
Explanation
The Grandfather/Father/Son, Tower of Hanoi, and Six Cartridge Weekly schemes are all different approaches to rotating backup media that balance reuse of media with data retention concerns. Meet‐in‐the‐middle is a cryptographic attack against 2DES encryption.
Which one of the following is not a requirement for evidence to be admissible in court?
A. The evidence must be relevant.
B. The evidence must be material.
C. The evidence must be tangible.
D. The evidence must be competent.
C. The evidence must be tangible.
Explanation
Evidence provided in court must be relevant to determining a fact in question, material to the case at hand, and competently obtained. Evidence does not need to be tangible. Witness testimony is an example of intangible evidence that may be offered in court.
Tangible - perceptible by touch.
Florian is building a disaster recovery plan for his organization and would like to determine the amount of time that a particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating?
A. RTO
B. MTD
C. RPO
D. SLA
B. MTD
Explanation
The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization.
The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure.
The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort.
Service‐level agreements (SLAs) are written contracts that document service expectations.
Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an off‐site location each night. What type of database recovery technique is the consultant describing?
A. Remote journaling
B. Remote mirroring
C. Electronic vaulting
D. Transaction logging
C. Electronic vaulting
Explanation
In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily.
Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling.
Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly.
Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.
During what phase of the incident response process do administrators take action to limit the effect or scope of an incident?
A. Detection
B. Response
C. Mitigation
D. Recovery
C. Mitigation
Explanation
The Mitigation phase of incident response focuses on actions that can contain the damage incurred during an incident. This includes limiting the scope and/or effect of the incident.
Gordon suspects that a hacker has penetrated a system belonging to his company. The system does not contain any regulated information, and Gordon wants to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true?
A. Gordon is legally required to contact law enforcement before beginning the investigation.
B. Gordon may not conduct his own investigation.
C. Gordon’s investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company.
D. Gordon may ethically perform “hack back” activities after identifying the perpetrator.
C. Gordon’s investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company.
Explanation
Gordon may conduct his investigation as he wants and use any information that is legally available to him, including information and systems belonging to his employer. There is no obligation to contact law enforcement. However, Gordon may not perform “hack back” activities because those may constitute violations of the law and/or (ISC)2 Code of Ethics.