SECURITY+ Module 4

1. Which of the following is a software tool used to examine hard drives and mobile devices for evidence recovery?
2. What is the term for tying individual events together to provide meaningful alerts?
3. Your rapid response team has been alerted about and identified a highly dangerous virus on a couple of systems in one of your subnets. What step should your team take next?
4. Your organization was recently the victim of a large-scale phishing attack. Your manager has tasked you with automating response to quickly notify users and, if feasible, automatically block outbound requests to the attacker’s web page. Which of the following will accomplish this goal?
5. You have been tasked with setting up a remote logging facility to send logs from various applications and network devices. Which of the following is the best choice?
6. Which of the following provides information about other data?
7. A security analyst identifies malware that is traced back to the IP address 93.184.216.34. Which one of the following tools might the security analyst use to determine if an active connection to that IP address still resides on the infected system?
8. Which of the following commands would you use to look for failure or warning errors in /var/log/secure?
9. Which of the following stakeholders are typically notified first when a confirmed incident has occurred? (Select two.)
10. Your administrators remotely access web servers in the DMZ only from the internal network over SSH. However, these servers have come under attack via SSH from the IP address 93.184.216.34. Which of the following should you do to stop this attack?
11. What is the term given to a framework or model outlining the phases of attack to help security personnel defend their systems and respond to attacks?
12. Organize the following items from the most volatile to the least volatile: removable media, main memory, hard drive, and cache.
13. Evidence from a recent breach consists of marked tags that indicate who was in possession of evidence on a given date and time. Which of the following does this represent?
14. After seizing computer equipment alleged to have been involved in a crime, it is placed in a corridor unattended for ten minutes while officers subdue a violent suspect. The seized equipment is no longer admissible as evidence because of what violation?
15. Which of the following is a written document that defines how an organization will recover from a disaster and how to restore business with minimal delay?
16. A warrant has been issued to investigate a server believed to be used by organized crime to swap credit card information. Following the order of volatility, which data should you collect first?
17. While capturing network traffic, you notice an abnormally excessive number of outbound SMTP packets. To determine whether this is an incident that requires escalation or reporting, what else should you consult?
18. You decide to work late on a Saturday night to replace wiring in your server room. Upon arriving, you realize that a break-in has occurred and server backup tapes appear to be missing. What should you do as law enforcement officials arrive?
19. Which of the following best visually illustrates the state of a running computer at the time it was seized by law enforcement?
20. What are the five properties required for evidence to be useful?
21. Which of the following are benefits of application allow lists? (Select two.)
22. What type of evidence would be the most difficult for a perpetrator to forge?
23. Choose the correct order of volatility when collecting digital evidence:
24. What can be used to ensure that seized mobile wireless devices do not communicate with other devices?
25. You are preparing to gather evidence from a cell phone. Which of the following is false?
26. What is the purpose of disk forensic software? (Choose two.)
27. Robin works as a network technician at a stock brokerage firm. To test network forensic capturing software, she plugs her laptop into an Ethernet switch and begins capturing network traffic. During later analysis, she notices some broadcast and multicast packets as well as her own computer’s network traffic. Why was she unable to capture all network traffic on the switch?
28. What can a forensic analyst do to reduce the number of files that must be analyzed on a seized disk?
29. What must be determined by the first responder to an incident?
30. Which of the following best describes chain of custody?
31. A professional who is present at the time of evidence gathering can be summoned to appear in court or to prepare a report on her findings for use in court. This person is referred to as what?
32. A network intrusion detection device captures network traffic during the commission of a crime on a network. You notice NTP and TCP packets from all network hosts in the capture. You must find a way to correlate captured packets to a date and time to ensure the packet captures will be considered admissible as evidence. What should you do? (Choose two.)
33. While working on an insider trading case, you are asked to prove that an e-mail message is authentic and was sent to another employee. Which of the following should you consider? (Choose two.)
34. Which Linux command is specifically designed to view systemd logs?
35. You arrive at a scene where a computer must be seized as evidence. The computer is powered off and has an external USB hard drive plugged in. What should you do first?
36. You are asked to examine a hard disk for fragments of instant messaging conversations as well as deleted files. How should you do this?
37. You must analyze data on a digital camera’s internal memory. You plan to connect your forensic computer to the camera using a USB cable. What should you do to ensure that you do not modify data on the camera?
38. Which of the following rules must be followed when performing forensic analysis? (Choose two.)
39. Which prevention and mitigation measures best protect against the impact of a ransomware attack? (Choose two.)
40. How can a forensic analyst benefit from analyzing metadata? (Choose three.)
41. You are reviewing existing network security controls and need to get up to speed on current lateral movement attacks commonly used by malicious users. What should you consult?
42. The IT director is creating the following year’s budget. You are asked to submit forensics dollar figures for your Computer Security Incident Response Team (CSIRT). Which item should you not submit?
43. Which SOAR component is used to automate IT-related security incident response?
44. A company executive complains that her online banking credentials no longer work. After further investigation, you determine that the user clicked a link in a fraudulent e-mail meant to deceive bank customers. Which type of attack occurred?
45. At 9:30 a.m., users report that network performance has been severely degraded since the workday began at 8 a.m. After network analysis and a quick discussion with your IT security team, you conclude that a worm virus has infected your network. What should you do to contain the damage? (Choose two.)
46. A suspect deletes incriminating files and empties the Windows recycle bin. Which of the following statements are true regarding the deletion? (Choose two.)
47. Which built-in Linux operating system tool can be used to create an exact copy of a disk volume for forensic analysis?
48. Which type of attack involves an attacker injecting malicious executable code into a web site page that will be viewed by others?
49. Which of the following items can enforce the RTO for a failed server?
50. You need to review log files to determine whether network reconnaissance to learn of hostnames and IP addresses has occurred. Where will you most likely find this information?
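Worked example (added here for study purposes; it is not part of the Security+ question set above and the sample data is constructed). Questions 8, 10, 38 and 47 all turn on the same Linux workflow: search an authentication log for failures and warnings, identify the source address behind them so it can be blocked, then image a volume with dd and prove the copy matches the original by hash before touching it. The script builds a small /var/log/secure-style log and a 64 KiB file-backed "volume" under a temporary directory (the paths, hostnames and addresses are assumptions) and runs each step against them:

```shell
#!/bin/sh
# Added study example, not from the question set. Builds constructed sample
# data under $WORK so it runs offline; nothing here touches real logs or disks.

WORK="${TMPDIR:-/tmp}/secplus_module4.$$"
mkdir -p "$WORK"

# Constructed /var/log/secure-style entries (sshd and sudo). The attacker
# address 93.184.216.34 mirrors the one used in the questions.
SECURE_LOG="$WORK/secure"
cat > "$SECURE_LOG" <<'EOF'
Mar  3 08:01:12 web1 sshd[2210]: Accepted publickey for admin from 10.0.5.7 port 50210 ssh2
Mar  3 08:02:45 web1 sshd[2231]: Failed password for root from 93.184.216.34 port 41122 ssh2
Mar  3 08:02:47 web1 sshd[2231]: Failed password for root from 93.184.216.34 port 41122 ssh2
Mar  3 08:03:01 web1 sudo: pam_unix(sudo:auth): authentication failure; logname=admin uid=1000
Mar  3 08:04:10 web1 sshd[2240]: warning: maximum authentication attempts exceeded for root from 93.184.216.34 port 41130 ssh2
Mar  3 08:05:00 web1 sshd[2255]: Accepted publickey for admin from 10.0.5.7 port 50222 ssh2
EOF

# Question 8: case-insensitive search for failure or warning entries.
# "fail" also catches "Failed" and "failure"; "warn" catches "warning".
find_failures() {
    grep -iE 'fail|warn' "$1"
}

# Number of matching lines (what the test below asserts on).
count_failures() {
    find_failures "$1" | wc -l | tr -d ' '
}

# Question 10: which source address is behind the failures. Pull the
# "from <ip>" token from each match, count, and return the most frequent.
# That address is what a firewall/host deny rule would be written for.
top_failing_ip() {
    find_failures "$1" \
        | grep -oE 'from [0-9.]+' \
        | awk '{print $2}' \
        | sort | uniq -c | sort -rn \
        | head -n 1 | awk '{print $2}'
}

# Portable SHA-256 (sha256sum on Linux coreutils, shasum on BSD/macOS).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Constructed 64 KiB "volume": zero-filled with one recognizable record
# written at offset 4096 without truncating the file.
make_volume() {
    vol="$WORK/volume.bin"
    dd if=/dev/zero of="$vol" bs=1024 count=64 2>/dev/null
    printf 'secret ledger row 1\n' | dd of="$vol" bs=1 seek=4096 conv=notrunc 2>/dev/null
    printf '%s' "$vol"
}

# Question 47: bit-for-bit image with dd. noerror keeps going past read
# errors on real media and sync pads short blocks so offsets stay aligned.
# On a real case the source would be a block device such as /dev/sdb1,
# attached read-only (write blocker), never the analyst's working copy.
image_volume() {
    img="$1.img"
    dd if="$1" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    printf '%s' "$img"
}

# Question 38: hash the original and the image and compare before analysis;
# the matching hash is what you record for chain of custody.
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Demo run: matching log lines, top offending address, image verification.
find_failures "$SECURE_LOG"
echo "top source: $(top_failing_ip "$SECURE_LOG")"
VOL=$(make_volume)
IMG=$(image_volume "$VOL")
verify_image "$VOL" "$IMG" && echo "image hash matches: $(hash_of "$IMG")"
```

Run it with `sh` on any Linux box; it leaves its files under `$WORK` so you can inspect the image with `strings` or a hex viewer. On a real disk the only change is the dd source path, and the original hash should be taken before imaging as well as after so the record shows the source was not altered by the capture.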
