Q 1/44 (30 sec)
An analyst is examining a PCAP file and notices a series of TCP packets with the same sequence number, but different payloads, sent to a target host in a short period. Which specific traffic characteristic or attack method is most likely being observed?
- TCP Overlapping Fragment or Retransmission attack
- ICMP Destination Unreachable flood
- Standard TCP 3-way handshake
- DNS Cache Poisoning

Q 2/44 (30 sec)
When performing forensic analysis on a network capture, which of the following best describes the 'Flow Record' (such as NetFlow) compared to a full packet capture (PCAP)?
- Flow records are used to decrypt SSL/TLS traffic without a private key.
- Flow records only track physical layer errors like CRC failures and collisions.
- Flow records provide metadata about the communication session without the payload content.
- Flow records contain the full data payload of every packet for deep inspection.
44 questions, 30 sec each

1. An analyst is examining a PCAP file and notices a series of TCP packets with the same sequence number, but different payloads, sent to a target host in a short period. Which specific traffic characteristic or attack method is most likely being observed?
2. When performing forensic analysis on a network capture, which of the following best describes the 'Flow Record' (such as NetFlow) compared to a full packet capture (PCAP)?
3. Which member of the Incident Response ecosystem is primarily responsible for proactively searching through datasets to identify malicious activity that has bypassed existing security controls, rather than waiting for an automated alert?
4. In the context of an Incident Response team, which group is uniquely responsible for maintaining the chain of custody for digital evidence to ensure it remains admissible in a court of law during a criminal investigation?
5. Which group of stakeholders is typically brought into the incident response process when the investigation requires legal authority for external search warrants or when the organization decides to pursue a formal criminal prosecution against an attacker?
6. Which role within the incident response framework primarily focuses on high-level administrative tasks, such as coordinating resources, communicating with executive leadership, and ensuring the response team adheres to regulatory compliance and organizational policy?
7. Which category of professionals within an Incident Response framework is primarily responsible for performing real-time monitoring of security consoles, initial triage of security events, and determining if a detected anomaly warrants escalation to a specialized response team?
8. During a large-scale security incident, which specific role is primarily tasked with modifying firewall rules, rerouting traffic to isolated VLANs, and ensuring that the underlying communication infrastructure supports the 'containment' phase of incident response?
9. Which specific group of professionals is primarily responsible for the practical implementation of system-level remediation, such as patching vulnerable servers, restoring backups, and hardening operating systems after a security incident has been contained?
10. In a complex incident response scenario, which role is most likely to be tasked with reverse-engineering a discovered malware sample to determine its capabilities, persistence mechanisms, and command-and-control (C2) infrastructure?
11. When an organization must decide whether to 'pull the plug' on a compromised system or maintain its state for live volatile memory capture, which member of the response team primarily provides the technical guidance to ensure that digital artifacts like running processes and active network connections are not lost?
12. Which specific team member is primarily responsible for establishing and maintaining the 'Order of Volatility' during the initial phases of an evidence collection process to ensure that data such as CPU cache, routing tables, and RAM are captured before they are lost?
13. During a routine audit, a security analyst discovers a workstation communicating with a known malicious command-and-control (C2) server. Following the SANS Incident Response handler's guide, what should be the analyst's immediate next step after confirming the threat (Identification phase)?
14. An organization experiences a ransomware attack that has encrypted several file servers. The incident response team has successfully isolated the infected hosts. Before moving to the Eradication phase to remove the malware, which action is most critical to ensure a successful Recovery phase?
15. An Incident Response team is currently analyzing a server to determine how an attacker gained unauthorized access. They are documenting the system state, capturing volatile memory (RAM), and creating disk images. According to the standard incident response lifecycle, which phase are they currently in?
16. An incident responder has successfully contained a malware outbreak by disconnecting affected laptops from the wireless network. The responder is now identifying and removing all traces of the malicious code, including deleting temporary files and registry keys created by the malware. Which phase of the Incident Response process is being described?
17. Two weeks after a significant data breach is remediated, the Incident Response team meets to document what went well and what failed during the response. They produce a report with recommendations for improving the firewall rules and training the staff. Which phase of the incident response lifecycle does this meeting represent?
18. An incident responder is investigating a potential compromise on a Linux database server. Before shutting down the system, the responder captures the contents of the physical memory (RAM). Which concept of digital forensics is the responder following by prioritizing memory over the hard drive?
19. A web administrator notices an unusual spike in outbound traffic from a web server to an unknown IP address. After determining that an unauthorized script is exfiltrating data, the administrator decides to redirect the traffic to a 'black hole' or a sandbox environment rather than shutting the server down entirely. This action is best described as part of which phase?
20. An Incident Response team is responding to a suspected SQL Injection attack on a backend server. To maintain the 'Chain of Custody' while collecting evidence from the system, which of the following must be documented?
21. An incident response team is performing a post-incident analysis on a server that was compromised via an unpatched vulnerability. The team discovers that while the 'Identification' and 'Containment' phases were successful, the server was reinfected within hours of being put back online because the original vulnerability was not patched. Which phase of the incident response lifecycle was performed inadequately?
22. An Incident Response team has successfully wiped a set of infected laptops and is now restoring user data from verified clean backups. They are also implementing enhanced monitoring logs to ensure the malware does not reappear as users begin to log back in. Which phase of the Incident Response lifecycle are they currently executing?
23. Which component of the CIA Triad focuses on ensuring that data is not modified or tampered with by unauthorized parties?
24. In the context of the Principle of Least Privilege (PoLP), what is the primary objective when assigning access rights to users or processes?
25. Which of the following describes a 'Social Engineering' attack where an attacker attempts to obtain sensitive information by masquerading as a trustworthy entity in an electronic communication?
26. Which of the following describes the 'Availability' component of the CIA Triad?
27. Which of the following describes the 'Multi-Factor Authentication' (MFA) requirement for a user to provide something they 'are'?
28. An information security professional is implementing a 'Defense in Depth' strategy. What is the primary goal of this approach?
29. Which of the following describes a 'Risk' in the context of information security management?
30. Which security concept ensures that a sender cannot later deny having sent a specific message or performing a specific action?
31. What is the primary difference between a 'Vulnerability' and a 'Threat' in an information security context?
32. Which type of access control model facilitates data security by assigning sensitivity labels to objects and clearance levels to subjects?
33. The GNFA certification, which is mapped to the SANS FOR572 course, primarily validates a professional's expertise in which area of digital forensics?
34. In the context of SANS FOR572 and the GNFA certification, which of the following best describes the 'Evidence Intake' phase of the NetFlow analysis process?
35. In network forensics, which principle states that a perpetrator of a crime will bring something into the crime scene and leave with something from it, creating a cross-transfer of physical or digital evidence?
36. Which of the following refers to the process of observing and logging all traffic on a network segment to detect anomalies or gather evidence of malicious activity?
37. Which of the following processes involves creating a cryptographic hash of a digital evidence file to ensure that the data has not been altered during the forensic investigation?
38. Which of the following describes the 'Order of Volatility' when collecting digital evidence from a live network server?
39. In the context of network security and the OSI model, which layer is primarily analyzed when investigating a Distributed Denial of Service (DDoS) attack involving SYN Flood packets?
40. When conducting network forensics, what is the primary purpose of maintaining a 'Chain of Custody' document?
41. In network forensics, what is the term used for the practice of concealing a file, message, image, or video within another file, often used by attackers to exfiltrate data without triggering data loss prevention (DLP) alerts?
42. Which of the following describes the difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) from a forensic perspective?
43. Which of the following describes 'Data Carving' in the context of network security forensics?
44. In network forensics, which technique involves analyzing the frequency, size, and timing of network packets to identify patterns of communication even when the payload is encrypted?