Question 1

During the initial stages of a DFIR investigation, what is the primary purpose of calculating a cryptographic hash (such as SHA-256) of a captured forensic image?

Accepted Answer

To ensure the integrity of the evidence and prove it has not been altered

Answer

To compress the image file for faster transfer over the network

Answer

To identify the specific user account responsible for the files

Answer

To decrypt files that were locked by ransomware during the attack

Question 2

Which of the following describes the 'Live Response' methodology often employed during the initial phase of a DFIR investigation?

Accepted Answer

Collecting volatile data from a system while it is still powered on and running

Answer

Analyzing network traffic patterns using historical firewall logs

Answer

Restoring a system from a known-good backup during the remediation phase

Answer

Performing a bit-by-bit physical imaging of a powered-off hard drive

Question 3

Which component of the NIST Incident Response Life Cycle emphasizes the importance of 'Post-Incident Activity' such as lessons learned and improving future defenses?

Accepted Answer

Post-Incident Handling

Answer

Detection and Analysis

Answer

Containment

Answer

Preparation

Question 4

In a real-world case involving the 'NotPetya' ransomware outbreak, what was the primary initial infection vector used to compromise major international organizations?

Accepted Answer

A backdoored software update for the M.E.Doc accounting package

Answer

A zero-day exploit in the Windows Print Spooler service

Answer

Physical access via infected USB rubber ducky devices

Answer

Massive phishing campaigns targeting C-level executives via LinkedIn

Question 5

In the context of the SolarWinds Supply Chain attack (SUNBURST), how did the attackers maintain a low forensic profile during the initial execution of the malicious DLL?

Accepted Answer

The malware remained dormant for up to two weeks and performed checks for forensic analysis tools and anti-virus processes before initiating C2 communication

Answer

The malware utilized a BIOS/UEFI rootkit to remain invisible to the operating system's kernel

Answer

The malware immediately encrypted the entire hard drive to prevent forensic image acquisition

Answer

The malware deleted the Windows Event Log service (eventlog.exe) to stop all system logging

Question 6

In the forensic analysis of a major 2017 breach involving the credit reporting agency Equifax, what was the primary vulnerability exploited by attackers to exfiltrate the sensitive data of over 140 million individuals?

Accepted Answer

Exploitation of an unpatched Apache Struts vulnerability (CVE-2017-5638)

Answer

Credential stuffing attacks against employee legacy email accounts

Answer

A bypass of the multi-factor authentication on the corporate VPN

Answer

A misconfigured S3 bucket that was left open for public browsing

Question 7

In the forensic investigation of the 2016 Democratic National Committee (DNC) hack, which specific artifact indicated the presence of the APT28 (Fancy Bear) group, specifically regarding their 'X-Agent' malware deployment?

Accepted Answer

The use of a specific localized 'leaked' credentials method and the presence of a known C2 domain used in previous attacks against military targets

Answer

A massive increase in Bitcoin mining activity on the organization's SQL servers

Answer

The presence of North Korean language packs installed on the web servers

Answer

The discovery of a physical hardware keylogger attached to the primary domain controller

Question 8

In the forensic analysis of a real-world Business Email Compromise (BEC) case, an investigator finds that an attacker set up a 'Redirect' rule in the victim's Outlook account. What is the most common reason attackers use 'Forwarding Rules' rather than just changing the user's password?

Accepted Answer

To maintain persistence and monitor communications without alerting the victim via a password reset notification

Answer

Because Outlook rules are stored in the BIOS and survive a hard drive wipe

Answer

To automatically encrypt all outgoing attachments with the attacker's public key

Answer

Because forwarding rules bypass the need for an active Internet connection on the host machine

Question 9

In the forensic reconstruction of the 2011 RSA Security breach, how did investigators characterize the 'Initial Access' phase used by the attackers to penetrate the corporate network?

Accepted Answer

A spear-phishing email with a malicious Excel attachment targeting a small group of non-executive employees

Answer

A physical breach of the data center using cloned badges

Answer

The exploitation of a zero-day vulnerability in the internal HR portal

Answer

A brute-force attack against the primary VPN gateway

Question 10

In the forensic investigation of the 2012 'Shamoon' (Disttrack) attack against Saudi Aramco, what was the defining characteristic of the malware's final stage that hindered forensic recovery?

Accepted Answer

It overwrote the Master Boot Record (MBR) and system files with fragments of a JPEG image to render the machines unbootable.

Answer

It encrypted all user files and demanded a payment of

500

USD in Bitcoin.

Answer

It utilized a steganographic channel to hide administrative credentials inside the Windows Registry.

Answer

It exfiltrated the entire Active Directory database before self-deleting the RAM logs.

Question 11

In the context of Digital Forensics and Incident Response (DFIR), why is the concept of 'Chain of Custody' considered vital for professional practitioners?

Accepted Answer

To ensure the integrity of evidence by documenting the chronological history of who handled it and when.

Answer

To encrypted the forensic image so that the suspect cannot access their own data during trial.

Answer

To prioritize which server should be imaged first based on the hardware's financial value.

Answer

To provide a backup solution for data that might be deleted during the investigation process.

Question 12

Which principle is most critical to follow during the initial collection of volatile data from a running system in a DFIR investigation?

Accepted Answer

The Order of Volatility

Answer

The Rule of Proportionality

Answer

The Principle of Least Privilege

Answer

The Non-Repudiation Protocol

Question 13

In DFIR, what is the primary benefit of performing memory (RAM) analysis during an active incident response investigation?

Accepted Answer

It allows the investigator to identify rootkits, running processes, and socket connections that may not be visible on the disk.

Answer

It provides a permanent, non-volatile record of the file system's metadata for civil litigation.

Answer

It significantly reduces the total time required to perform a physical bit-stream image of the hard drive.

Answer

It automatically decrypts the entire operating system's registry hives without a recovery key.

Question 14

When performing an investigation into a suspected data breach, why is 'Anti-Forensics' identification an important skill for a DFIR professional?

Accepted Answer

To recognize when an attacker has intentionally manipulated or deleted logs and timestamps to hide their activity.

Answer

To automate the process of restoring deleted files back to their original production environment.

Answer

To ensure that the forensic workstation being used is running the latest antivirus signatures.

Answer

To verify that the legal team has signed off on the investigation's scope of work.

Question 15

In DFIR, how does the generation of a cryptographic hash (such as SHA-256) serve the goal of data integrity?

Accepted Answer

It provides a unique digital fingerprint used to verify that the forensic image is an exact bit-for-bit copy of the original source and has not been altered.

Answer

It is used to encrypt the evidence so that only the lead investigator can view the contents of the disk.

Answer

It acts as a compression algorithm to reduce the storage space required for large forensic images.

Answer

It is a method used to recover passwords from deleted user account profiles found on the target machine.

Question 16

In the context of Incident Response within DFIR, what is the primary purpose of the 'Post-Incident Activity' (also known as 'Lessons Learned') phase?

Accepted Answer

To identify improvements for security controls and the response process based on the findings of the investigation.

Answer

To immediately re-image all affected machines before documentation is complete to minimize downtime.

Answer

To assign blame to specific IT personnel who were on duty during the time of the breach.

Answer

To justify the purchase of more expensive hardware that was not involved in the incident.

Question 17

In DFIR, what is the primary purpose of using a hardware write-blocker during the acquisition of data from a physical hard drive?

Accepted Answer

To prevent any data from being written to the original evidence media while it is being read.

Answer

To bypass the need for a search warrant when collecting evidence from a private residence.

Answer

To automatically decrypt BitLocker partitions before the imaging process begins.

Answer

To increase the data transfer speed between the evidence drive and the forensic workstation.

Question 18

In DFIR, what is 'Timeline Analysis' primarily used for during an investigation?

Accepted Answer

To reconstruct the sequence of events and identify the 'patient zero' or initial point of compromise.

Answer

To calculate the total estimated cost of data loss based on the uptime of the infected server.

Answer

To synchronize the local system clocks of all workstations to match the server's BIOS time.

Answer

To schedule the shifts of forensic analysts to ensure

500

coverage of a crime scene.

Question 19

In DFIR, what is the 'Patient Zero' of a network-wide incident, and why is its identification important for forensic professionals?

Accepted Answer

The first system or account to be compromised, which is critical for understanding the initial entry vector used by the attacker.

Answer

The server that contains the most sensitive financial data in the organization.

Answer

The specific forensic tool used to perform the very first bit-stream image of a hard drive.

Answer

The primary domain controller that manages the authentication of all user accounts.

Question 20

In DFIR, why is the analysis of 'Artifacts of Execution' (such as Prefetch files or Shimcache) considered a high priority during a compromise assessment?

Accepted Answer

They provide evidence of which programs were run on a system, even if the original executable files have been deleted by the attacker.

Answer

They provide a real-time stream of the attacker's keystrokes through an encrypted tunnel.

Answer

They serve as the primary method for physical hardware identification in a court of law.

Answer

They allow the investigator to permanently delete the malware before the system is imaged.

Question 21

During the initial phase of an Incident Response process, what is the most critical first step to perform after an anomaly is detected?

Accepted Answer

Verification and Assessment

Answer

Format and Reinstall

Answer

Full System Restoration

Answer

Legal Prosecution

Question 22

When prioritizing multiple simultaneous security incidents, which metric should an Incident Response team evaluate first to determine the order of the response?

Accepted Answer

Business Impact and Data Sensitivity

Answer

Departmental Seniority

Answer

Ease of Resolution

Answer

Chronological Order of Detection

Question 23

In the context of the SANS Institute's Incident Handling process, what is the primary goal of the 'Preparation' phase, which is often considered the most important first step in long-term incident management?

Accepted Answer

Establishing policies, tools, and training before an incident occurs

Answer

Removing the root cause of the security breach

Answer

Identifying which specific attacker was responsible for the breach

Answer

Restoring systems to their original production state

Question 24

When an incident responder first arrives at a live system suspected of being compromised, which principle should guide the order in which data is collected?

Accepted Answer

Order of Volatility

Answer

Order of File Size

Answer

Order of Hardware Cost

Answer

Alphabetical Order of Directories

Question 25

Upon identifying a confirmed security breach, which objective should typically be the first priority for the incident response team to prevent further damage?

Accepted Answer

Containment

Answer

Eradication

Answer

Evidence Destruction

Answer

Public Relations Notification

Question 26

When first performing triage on a potentially compromised system, what is the primary purpose of identifying the 'Scope' of the incident?

Accepted Answer

To determine the extent of the spread and which specific assets are affected

Answer

To calculate the total financial cost for insurance purposes

Answer

To identify the specific geographic location of the attacker

Answer

To immediately delete the user accounts involved in the breach

Question 27

When documenting an incident for the first time during the 'Identification' phase, what is the most important characteristic the initial log entries should maintain?

Accepted Answer

Accuracy and a verifiable timeline of events

Answer

Complexity of technical jargon

Answer

Estimated cost of the potential hardware damage

Answer

Total anonymity of the reporting party

Question 28

When first analyzing network traffic for a potential incident, what is the 'first look' indicator often used to identify suspicious communication patterns without inspecting deep packet payloads?

Accepted Answer

Flow Data and Metadata

Answer

Employee Payroll Records

Answer

Power Consumption Logs

Answer

Hardware Serial Numbers

Question 29

When first performing evidence collection on a running server, why is 'Physical Memory (RAM)' prioritized over 'Hard Drive Images'?

Accepted Answer

Because of the Order of Volatility

Answer

Because RAM is easier to encrypt for legal purposes

Answer

Because Hard Drive data is more likely to be corrupted by the OS

Answer

Because RAM stores more total data than a Hard Drive

Question 30

When first performing an 'Immediate Post-Mortem' or 'Lessons Learned' session following an incident, what is the primary objective the response team should look at?

Accepted Answer

Identifying process gaps and improving future response capabilities

Answer

Increasing the budget for hardware without reviewing the current strategy

Answer

Publicly shaming the attacker on social media platforms

Answer

Assigning individual blame to the staff member who made the mistake

Question 31

In a professional incident response life cycle, which phase involves the actual identification of a security breach and the subsequent mobilization of the response team?

Accepted Answer

Detection and Analysis

Answer

Containment

Answer

Preparation

Answer

Post-Incident Activity

Question 32

During an active security breach, what is the primary objective of the

500

phase within the incident response framework?

Accepted Answer

To limit the scope and magnitude of an incident and prevent further damage

Answer

To completely restore all services to their pre-incident state

Answer

To conduct a final forensic audit for legal proceedings

Answer

To patch the initial vulnerability and delete all compromised user accounts

Question 33

Which of the following activities is a hallmark of the "Post-Incident Activity" phase, often referred to as Lesson Learned?

Accepted Answer

Conducting a formal meeting to identify process improvements and update response plans

Answer

Restoring data from clean backups to bring systems back online

Answer

Triaging alerts from a Security Information and Event Management (SIEM) system

Answer

Blocking compromised IP addresses at the firewall to stop an active attack

Question 34

Which component of an Incident Response plan defines the threshold for when an event is escalated to a formal 'incident' status and specifies who has the authority to declare it?

Accepted Answer

Classification and Escalation Procedures

Answer

The Patch Management Schedule

Answer

The Disaster Recovery Hot-Site Protocol

Answer

The Business Impact Analysis (BIA)

Question 35

In the context of the incident response life cycle, which action is specifically associated with the

500

phase?

Accepted Answer

Identifying all affected hosts and removing malicious components such as files or registry keys

Answer

Implementing a short-term isolation of a compromised VLAN to stop the spread

Answer

Performing the final 'Lessons Learned' debrief with stakeholders

Answer

Establishing an out-of-band communication channel for the response team

Question 36

Which of the following describes the proper sequence of the four main phases of the NIST Incident Response Life Cycle?

Accepted Answer

Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity

Answer

Detection; Containment; Preparation; Lessons Learned

Answer

Identification; Remediation; Containment; Eradication

Answer

Preparation; Recovery; Detection; Post-Incident Activity

Question 37

In the context of the incident response process, what is the primary difference between a 'Security Event' and a 'Security Incident'?

Accepted Answer

An event is any observable occurrence in a network or system, whereas an incident is a violation or imminent threat of violation of security policies.

Answer

An incident requires law enforcement notification, while an event only requires internal documentation.

Answer

An event relates only to hardware failures, while an incident relates specifically to malicious software.

Answer

An event is a successful breach, while an incident is a failed attempt to gain access.

Question 38

During the Recovery phase of an incident response, which action is performed to ensure that the environment is no longer vulnerable to the same attack vector?

Accepted Answer

Validating that systems are patched and configured correctly before returning them to production

Answer

Drafting the initial incident response policy for the organization

Answer

Gathering digital evidence for potential criminal prosecution

Answer

Performing a high-level triage of incoming firewall logs to find indicators of compromise

Question 39

In a professional incident response plan, what is the primary purpose of defining a "Communication Plan" during the Preparation phase?

Accepted Answer

To establish clear protocols for sharing information with internal stakeholders, external vendors, and the media

Answer

To automate the sending of marketing emails to reassure customers that no data was taken

Answer

To provide the attacker with a formal notification that their presence has been detected

Answer

To ensure that the response team has the latest smartphones and satellite communication devices

Question 40

Which metric is commonly used during the 'Detection and Analysis' phase of incident response to measure the time taken from the initial occurrence of an exploit to the moment the organization identifies it?

Accepted Answer

Mean Time to Detect (MTTD)

Answer

Mean Time to Repair (MTTR)

Answer

Mean Time Between Failures (MTBF)

Answer

Recovery Point Objective (RPO)

Related quizzes

Related quizzes