Patrick is conducting a cyber forensic investigation. He is in the process of collecting physical evidence at the crime scene.
Which of the following elements must he consider while collecting physical evidence?
- A . Published nameservers and web application source code
- B . DNS information including domain and subdomains
- C . Removable media, cable, and publications
- D . Open ports, services, and operating system (OS) vulnerabilities
Eric works as a system administrator at ABC organization and previously granted several users access privileges to the organization's systems with unlimited permissions. These privileged users could misuse their rights unintentionally or maliciously, or could be deceived by attackers into performing malicious activities.
Which of the following guidelines would help incident handlers eradicate insider attacks by privileged users?
- A . Do not allow administrators to use unique accounts during the installation process
- B . Do not use encryption methods to prevent administrators and privileged users from accessing backup tapes and sensitive information
- C . Do not control the access to administrators and privileged users
- D . Do not enable default administrative accounts to ensure accountability
Which of the following email security tools can be used by an incident handler to protect the organization against evolving email threats?
- A . MxToolbox
- B . G Suite Toolbox
- C . Email Header Analyzer
- D . Gpg4win
Racheal is an incident handler working at an organization called Inception Tech. Recently, numerous employees have been complaining about receiving emails from unknown senders. To protect employees from spoofed emails, and keeping security in mind, Racheal was asked to take appropriate action in this matter. As part of her assignment, she needs to analyze the email headers to check the authenticity of received emails.
Which of the following protocols/authentication standards must she check in the email header to analyze the email's authenticity?
- A . POP
- B . SNMP
- C . DKIM
- D . ARP
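The check Racheal is asked to do can be scripted. The following is an added example, not part of the original question set: it reads the Authentication-Results header stamped by the receiving mail gateway (SPF, DKIM and DMARC verdicts), pulls the signing domain from the DKIM-Signature d= tag, and checks that it aligns with the From: domain, which is what DMARC alignment means. Both messages and the gateway name mx.inceptiontech.example are constructed for the example. One caveat the code enforces: a sender can forge an Authentication-Results header, so only a header carrying your own gateway's authserv-id is trusted.

```python
import email
import email.utils
import re

# Constructed sample messages (not real mail): the Authentication-Results
# header is what the receiving MTA adds after verifying SPF, DKIM and DMARC.
AUTHENTIC_MESSAGE = """\
Authentication-Results: mx.inceptiontech.example;
 spf=pass smtp.mailfrom=partner.example;
 dkim=pass header.d=partner.example header.i=@partner.example;
 dmarc=pass header.from=partner.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=partner.example;
 s=mail2024; h=from:to:subject:date; bh=Zm9v=; b=YmFy=
From: Alice <alice@partner.example>
To: bob@inceptiontech.example
Subject: Invoice

body
"""

SPOOFED_MESSAGE = """\
Authentication-Results: mx.inceptiontech.example;
 spf=fail smtp.mailfrom=bulk-sender.example;
 dkim=none;
 dmarc=fail header.from=inceptiontech.example
From: CEO <ceo@inceptiontech.example>
To: bob@inceptiontech.example
Subject: Urgent wire transfer

body
"""

# Hypothetical authserv-id of the organization's own mail gateway. A sender can
# forge an Authentication-Results header, so only trust one stamped by your own MX.
TRUSTED_AUTHSERV_ID = "mx.inceptiontech.example"


def unfold(value):
    """Collapse header folding (newline + whitespace) into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()


def parse_authentication_results(value, trusted=TRUSTED_AUTHSERV_ID):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from a trusted Authentication-Results header."""
    value = unfold(value)
    authserv_id = value.split(";", 1)[0].strip()
    if authserv_id != trusted:
        return {"spf": "untrusted", "dkim": "untrusted", "dmarc": "untrusted"}
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value)
        results[method] = m.group(1).lower() if m else "none"
    return results


def dkim_signing_domain(msg):
    """The d= tag of the DKIM-Signature header, i.e. the domain that signed the mail."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", unfold(msg.get("DKIM-Signature")))
    return m.group(1).lower() if m else None


def from_domain(msg):
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def assess_email(raw):
    """Combine the gateway's verdicts with DMARC-style alignment of From: and the DKIM d= domain."""
    msg = email.message_from_string(raw)
    results = parse_authentication_results(msg.get("Authentication-Results", ""))
    sender = from_domain(msg)
    signer = dkim_signing_domain(msg)
    aligned = signer is not None and (sender == signer or sender.endswith("." + signer))
    authentic = results["dkim"] == "pass" and aligned and results["dmarc"] == "pass"
    return {**results, "from_domain": sender, "dkim_domain": signer,
            "aligned": aligned, "verdict": "authentic" if authentic else "suspect"}


if __name__ == "__main__":
    for name, raw in (("authentic", AUTHENTIC_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(name, assess_email(raw))
```

The spoofed message fails on every axis: no DKIM signature, SPF fail for the envelope sender, and DMARC fail because nothing aligns with the forged From: domain. A message with dkim=pass but an unrelated d= domain would also come out as suspect, which is the case a header-only glance tends to miss.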
Bonney's system has been compromised by malware.
What is the primary step advisable to Bonney in order to contain the malware incident and stop it from spreading?
- A . Complain to the police in a formal way regarding the incident
- B . Turn off the infected machine
- C . Leave it to the network administrators to handle
- D . Call the legal department in the organization and inform them about the incident
Which one of the following is an inappropriate usage incident?
- A . Denial of Service Attack
- B . Reconnaissance Attack
- C . Access Control Attack
- D . Insider Threat
Rinni is an incident handler and she is performing memory dump analysis.
Which of the following tools can she use in order to perform a memory dump analysis?
- A . iNetSim
- B . OllyDbg and IDA Pro
- C . Procmon and Process Explorer
- D . Scylla and OllyDumpEx
Rose is an incident handler and is responsible for detecting and eliminating any kind of scanning attempt over the network by malicious threat actors. Rose uses Wireshark to sniff the network and detect any malicious activity going on.
Which of the following Wireshark filters can she use to detect a TCP Xmas scan attempt by the attacker?
- A . tcp.flags.reset==1
- B . tcp.flags==0x000
- C . tcp.flags==0x029
- D . tcp.dstport==7
Which of the following is not a countermeasure to eradicate cloud security incidents?
- A . Checking for data protection at both design and runtime
- B . Disabling security options such as two factor authentication and CAPTCHA
- C . Patching the database vulnerabilities and improving the isolation mechanism
- D . Removing the malware files and traces from the affected components
Who is mainly responsible for providing proper network services and handling network-related incidents in each cloud service model?
- A . Cloud brokers
- B . Cloud service provider
- C . Cloud consumer
- D . Cloud auditor
Johnson is an incident handler and is working on a recent web application attack faced by his organization. As part of this process, he performed data preprocessing in order to analyze and detect the watering hole attack. Johnson preprocessed the outbound network traffic data collected from firewalls and proxy servers. He then started analyzing the user activities within a certain time period to create time ordered domain sequences to perform further analysis on sequential patterns. Identify the data-preprocessing step performed by Johnson.
- A . User-specific sessionization
- B . Identifying unpopular domains
- C . Hostname normalization
- D . Filtering invalid hostnames
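The preprocessing pipeline the question describes (normalize hostnames, then build per-user, time-ordered domain sequences, then look for sequential patterns shared across users) can be run over proxy logs directly. The following is an added example, not part of the original question set; the proxy log lines, user names and domains are constructed, and the 30-minute idle gap that closes a session is an assumed value.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed outbound proxy log (not from a real system): timestamp, user, requested host.
PROXY_LOG = """\
2024-03-04T09:00:05 jdoe www.intranet.example
2024-03-04T09:00:40 jdoe news.example
2024-03-04T09:01:10 jdoe cdn-assets.example
2024-03-04T09:01:12 jdoe update-check.badsite.example
2024-03-04T13:30:00 jdoe www.intranet.example
2024-03-04T13:30:20 jdoe mail.example
2024-03-04T09:05:00 asmith News.Example.
2024-03-04T09:05:30 asmith cdn-assets.example
2024-03-04T09:06:00 asmith update-check.badsite.example
"""

SESSION_GAP = timedelta(minutes=30)   # idle time that closes a session (assumed value)


def normalize_hostname(host):
    """Hostname normalization: lower-case, drop a trailing dot and a leading www."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_proxy_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, host = line.split()
            records.append((datetime.fromisoformat(ts), user, normalize_hostname(host)))
    return records


def sessionize(records, gap=SESSION_GAP):
    """User-specific sessionization: per user, time-ordered domain sequences split on idle gaps."""
    by_user = defaultdict(list)
    for ts, user, host in records:
        by_user[user].append((ts, host))
    sessions = {}
    for user, events in by_user.items():
        events.sort()
        out, current, last_ts = [], [], None
        for ts, host in events:
            if last_ts is not None and ts - last_ts > gap:
                out.append(current)
                current = []
            current.append(host)
            last_ts = ts
        if current:
            out.append(current)
        sessions[user] = out
    return sessions


def sequential_patterns(sessions, n=2):
    """Count each n-gram of consecutive domains by the number of distinct users that produced it."""
    users_per_ngram = defaultdict(set)
    for user, user_sessions in sessions.items():
        for seq in user_sessions:
            for i in range(len(seq) - n + 1):
                users_per_ngram[tuple(seq[i:i + n])].add(user)
    return Counter({ngram: len(users) for ngram, users in users_per_ngram.items()})


if __name__ == "__main__":
    sessions = sessionize(parse_proxy_log(PROXY_LOG))
    for user, seqs in sessions.items():
        print(user, seqs)
    for ngram, n_users in sequential_patterns(sessions).most_common(3):
        print(n_users, "users:", " -> ".join(ngram))
```

A watering hole shows up as a bigram that several unrelated users produce: a legitimate site immediately followed by the same otherwise unpopular domain. Counting n-grams by distinct users rather than by raw hits keeps one chatty user from dominating the ranking.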
Michael is an incident handler at CyberTech Solutions. He is performing detection and analysis of a cloud security incident. He is also analyzing the file systems, slack spaces, and metadata within the storage units to find hidden malware and evidence of malice.
Identify the cloud security incident handled by Michael:
- A . Server-related incident
- B . Storage-related incident
- C . Application-related incident
- D . Network-related incident
Darwin is an attacker within an organization and is performing network sniffing by running his system in promiscuous mode. He is capturing and viewing all the network packets transmitted within the organization. Edwin is an incident handler in the same organization.
In the above situation, which of the following Nmap commands must Edwin use to detect Darwin's system that is running in promiscuous mode?
- A . nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]
- B . nmap --script hostmap
- C . nmap -sU -p 500
- D . nmap -sV -T4 -O -F --version-light
lkeo Corp. has hired an incident response team to assess the enterprise security. As part of the incident handling and response process, the IR team is reviewing the current security policies implemented by the enterprise. The IR team finds out that employees of the organization do not have any restrictions on Internet access, which means that they are allowed to visit any site, download any application, and access a computer or a network from a remote location. Considering this a major security threat, the IR team plans to change this policy, as it can easily be exploited by attackers. Identify the security policy that the IR team is planning to modify.
- A . Promiscuous policy
- B . Prudent policy
- C . Permissive policy
- D . Paranoid policy
An organization's customers are experiencing either slower network communication or unavailability of services. In addition, network administrators are receiving alerts from security tools such as IDS/IPS and firewalls about a possible DoS/DDoS attack. As a result, the organization requests that the incident handling and response (IH&R) team further investigate the incident. The IH&R team decides to use manual techniques to detect the DoS/DDoS attack.
Which of the following commands helps the IH&R team manually detect a DoS/DDoS attack?
- A . nbtstat /c
- B . nbtstat /S
- C . netstat -r
- D . netstat -an
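What the IH&R team is looking for in `netstat -an` output is a pile of half-open connections (SYN_RECEIVED on Windows, SYN_RECV on Linux) and any single remote address holding an abnormal share of the sockets on one local port. The following is an added example, not part of the original question set, that parses such output and computes those indicators; the output excerpt is constructed (the flood lines are generated to keep it short), the thresholds are assumed values, and only IPv4 lines are handled.

```python
import re
from collections import Counter

# Constructed excerpt of `netstat -an` from a Windows web server (not a real capture).
# The flood lines are generated so the sample stays short.
_HEADER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            192.0.2.10:50110       ESTABLISHED
  TCP    10.0.0.5:80            192.0.2.11:50234       ESTABLISHED
  TCP    10.0.0.5:443           192.0.2.12:50888       ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""
_FLOOD = "\n".join(
    f"  TCP    10.0.0.5:80            198.51.100.7:{40000 + i:<5}    SYN_RECEIVED" for i in range(25)
)
_SPOOFED = "\n".join(
    f"  TCP    10.0.0.5:80            203.0.113.{i}:51000       SYN_RECEIVED" for i in range(1, 11)
)
NETSTAT_OUTPUT = _HEADER + _FLOOD + "\n" + _SPOOFED + "\n"

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}   # Windows / Linux spellings


def parse_netstat(text):
    """Parse IPv4 `netstat -an` lines into dicts; header and IPv6 lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state = m.groups()
            conns.append({"proto": proto, "local": laddr, "lport": int(lport),
                          "remote": raddr, "rport": rport, "state": state or ""})
    return conns


def dos_indicators(conns, half_open_threshold=20, per_source_threshold=15):
    """Flag a SYN flood (many half-open sockets) and any single source holding too many sockets."""
    tcp = [c for c in conns if c["proto"] == "TCP" and c["state"] != "LISTENING"]
    half_open = sum(1 for c in tcp if c["state"] in HALF_OPEN_STATES)
    per_source = Counter(c["remote"] for c in tcp)
    per_port = Counter(c["lport"] for c in tcp if c["state"] in HALF_OPEN_STATES)
    flagged_sources = [ip for ip, n in per_source.items() if n >= per_source_threshold]
    return {
        "tcp_connections": len(tcp),
        "half_open": half_open,
        "syn_flood_suspected": half_open >= half_open_threshold,
        "top_sources": per_source.most_common(3),
        "flagged_sources": flagged_sources,
        "most_targeted_port": per_port.most_common(1)[0][0] if per_port else None,
    }


if __name__ == "__main__":
    for key, value in dos_indicators(parse_netstat(NETSTAT_OUTPUT)).items():
        print(f"{key}: {value}")
```

The two indicators tell different stories: a single flagged source is something a firewall rule can stop, while a large half-open count spread over many sources (the 203.0.113.x lines here) is a spoofed or distributed flood that needs SYN cookies or upstream filtering rather than a block list.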
Which of the following risk mitigation strategies involves the execution of controls to reduce the risk factor and bring it to an acceptable level, or accepts the potential risk and continues operating the IT system?
- A . Risk assumption
- B . Risk planning
- C . Risk transference
- D . Risk avoidance
Robert is an incident handler working for X security Inc. One day, his organization faced a massive cyberattack and all of the websites related to the organization went offline. Robert was on duty during the incident and he was responsible for handling the incident and maintaining business continuity. He immediately restored the web application service with the help of the existing backups.
According to the scenario, which of the following stages of incident handling and response (IH&R) process did Robert perform?
- A . Evidence gathering and forensics analysis
- B . Eradication
- C . Not if cation
- D . Recovery
Which of the following tools helps incident handlers view the filesystem, retrieve deleted data, and perform timeline analysis, web artifact analysis, etc., during an incident response process?
- A . Process Explorer
- B . nbtstat
- C . Autopsy
- D . netstat
Joseph is an incident handling and response (IH&R) team lead at Toro Network Solutions Company. As part of the IH&R process, Joseph alerted the service providers, developers, and manufacturers about the affected resources. Identify the stage of the IH&R process Joseph is currently in.
- A . Eradication
- B . Containment
- C . Recovery
- D . Incident triage
Tibson works as an incident responder for an MNC based in Singapore. He is investigating a web application security incident recently faced by the company. The attack was performed on an MSSQL Server hosted by the company. In the detection and analysis phase, he used regular expressions to analyze and detect the SQL meta-characters that led to the SQL injection attack. Identify the regular expression used by Tibson to detect the SQL injection attack on the MSSQL Server.
- A . /((\.|%2E)(\.|%2E))(\/|%2F|\\|%5C)/ix
- B . ((A.W)(.A.V))
- C . /((\%3C)|<)((\%2F)|\/)*(script)((\%3E)|>)/ix
- D . /exec(\s|\+)+(s|x)p\w+/ix
Alice is an incident handler and she has been informed by her lead that the data on affected systems must be backed up so that it can be retrieved if it is damaged during the incident response process. She was also told that the system backup can also be used for further investigation of the incident.
In which of the following stages of the incident handling and response (IH&R) process does Alice need to do a complete backup of the infected system?
- A . Containment
- B . Incident recording
- C . Incident triage
- D . Eradication
Clark, a professional hacker, successfully exploited the web application of a target organization by tampering with form and parameter values. As a result, Clark gained access to the organization's information assets. Identify the vulnerability in the web application exploited by the attacker.
- A . Security misconfiguration
- B . Sensitive data exposure
- C . SQL injection
- D . Broken access control
Clark is investigating a cybercrime at TechSoft Solutions. While investigating the case, he needs to collect volatile information such as running services, their process IDs, start mode, state, and status.
Which of the following commands will help Clark collect such information about running services?
- A . netstat -ab
- B . net file
- C . openfiles
- D . wmic
Sam, an employee of a multinational company, sends e-mails to third-party organizations using a spoofed email address of his organization.
How can you categorize this type of incident?
- A . Inappropriate usage incident
- B . Network intrusion incident
- C . Unauthorized access incident
- D . Denial-of-service incident
Bob, an incident responder at CyberTech Solutions, is investigating a cybercrime attack that occurred in the client company. He acquired the evidence data, preserved it, and started performing analysis on the acquired evidentiary data to identify the source of the crime and the culprit behind the incident. Identify the forensic investigation phase in which Bob is currently in.
- A . Post-investigation phase
- B . Pre-investigation phase
- C . Vulnerability assessment phase
- D . Investigation phase
XYZ Inc. was affected by a malware attack and James, being the incident handling and response (IH&R) team personnel handling the incident, found out that the root cause of the incident is a backdoor that has bypassed the security perimeter due to an existing vulnerability in the deployed firewall. James had contained the spread of the infection and removed the malware completely. Now the organization asked him to perform an incident impact assessment to identify the impact of the incident over the organization and he was also asked to prepare a detailed report of the incident.
Which of the following stages in IH&R process is James working on?
- A . Notification
- B . Post-incident activities
- C . Eradication
- D . Evidence gathering and forensics analysis
James has been appointed as an incident handling and response (IH&R) team lead and was assigned to build an IH&R plan and his own team in the company. Identify the IH&R process step James is currently working on.
- A . Eradication
- B . Notification
- C . Preparation
- D . Recovery
Drake is an incident handler at Dark Cloud Inc. He is tasked with performing log analysis in order to detect traces of malicious activity within the network infrastructure.
Which of the following tools should Drake employ in order to view logs in real time and identify malware propagation within the network?
- A . Hydra
- B . Splunk
- C . HULK
- D . LOIC
Bran is an incident handler who is assessing the network of the organization. He wants to detect ping sweep attempts on the network using Wireshark.
Which of the following Wireshark filters would Bran use to accomplish this task?
- A . icmp.type== 8
- B . icmp.redir_gw
- C . icmp.ident
- D . icmp.seq
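The two Wireshark filters from Rose's and Bran's questions above (`tcp.flags==0x029` for an Xmas scan and `icmp.type==8` for a ping sweep) are easiest to understand by evaluating them yourself over packet summaries. The following is an added example, not part of the original question set: it shows where 0x029 comes from (FIN=0x001, PSH=0x008, URG=0x020 in Wireshark's 12-bit tcp.flags layout), applies the same exact-match semantics as the display filter, and turns `icmp.type==8` into a sweep detector by counting distinct destinations per source. The packet list and the addresses in it are constructed; the five-host sweep threshold is an assumed value.

```python
from collections import defaultdict

# TCP flag bits as Wireshark's tcp.flags field lays them out (12-bit value).
TCP_FLAGS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008, "ACK": 0x010,
             "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}
ICMP_ECHO_REQUEST = 8   # icmp.type==8


def flags_value(names):
    """Combine flag names into the integer that a `tcp.flags==0x...` filter compares against."""
    return sum(TCP_FLAGS[n] for n in names)


# Constructed packet summaries (not a real capture): one host ping-sweeps a
# subnet and sends Xmas and null probes, another host just browses normally.
PACKETS = (
    [{"src": "203.0.113.9", "dst": f"10.0.0.{i}", "proto": "icmp", "icmp_type": 8} for i in range(1, 9)]
    + [{"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp", "dport": p,
        "tcp_flags": flags_value(["FIN", "PSH", "URG"])} for p in (22, 80, 443)]
    + [{"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp", "dport": 25, "tcp_flags": 0x000}]
    + [{"src": "10.0.0.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 80, "tcp_flags": flags_value(["SYN"])},
       {"src": "10.0.0.5", "dst": "10.0.0.7", "proto": "tcp", "dport": 51000, "tcp_flags": flags_value(["SYN", "ACK"])},
       {"src": "10.0.0.7", "dst": "10.0.0.1", "proto": "icmp", "icmp_type": 8},
       {"src": "10.0.0.1", "dst": "10.0.0.7", "proto": "icmp", "icmp_type": 0}]
)


def tcp_flags_eq(pkt, value):
    """Equivalent of the display filter `tcp.flags==<value>` (exact match on all bits)."""
    return pkt["proto"] == "tcp" and pkt["tcp_flags"] == value


def detect_xmas(packets):
    """Sources sending Xmas probes (FIN+PSH+URG = 0x029), with the ports they probed."""
    hits = defaultdict(set)
    for pkt in packets:
        if tcp_flags_eq(pkt, 0x029):
            hits[pkt["src"]].add(pkt["dport"])
    return dict(hits)


def detect_null_scan(packets):
    """Sources sending packets with no flags at all (`tcp.flags==0x000`)."""
    return sorted({pkt["src"] for pkt in packets if tcp_flags_eq(pkt, 0x000)})


def detect_ping_sweep(packets, min_hosts=5):
    """Sources whose ICMP echo requests (`icmp.type==8`) reach at least min_hosts distinct hosts."""
    targets = defaultdict(set)
    for pkt in packets:
        if pkt["proto"] == "icmp" and pkt["icmp_type"] == ICMP_ECHO_REQUEST:
            targets[pkt["src"]].add(pkt["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_hosts}


if __name__ == "__main__":
    print("Xmas filter value: tcp.flags==0x%03x" % flags_value(["FIN", "PSH", "URG"]))
    print("Xmas scan:", detect_xmas(PACKETS))
    print("Null scan:", detect_null_scan(PACKETS))
    print("Ping sweep:", detect_ping_sweep(PACKETS))
```

Two caveats worth keeping in mind when using these filters live: `tcp.flags.reset==1` would match the target's RST replies to closed ports, not the attacker's probes, so it points at the victim rather than the scanner; and a lone `icmp.type==8` packet is just a ping, so it is the fan-out to many destinations from one source, not the filter match by itself, that identifies a sweep.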
Which of the following is a standard framework that provides recommendations for implementing information security controls for organizations that initiate, implement, or maintain information security management systems (ISMSs)?
- A . ISO/IEC 27035
- B . RFC 2196
- C . PCI DSS
- D . ISO/IEC 27002
John is performing a memory dump analysis in order to find traces of malware. He has employed the Volatility tool in order to achieve his objective.
Which of the following Volatility framework commands will he use in order to analyze the running processes from the memory dump?
- A . python vol.py hivelist --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem
- B . python vol.py pslist --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem
- C . python vol.py imageinfo -f /root/Desktop/memdump.mem
- D . python vol.py svcscan --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem | more
Which of the following processes is referred to as an approach to respond to the security incidents that occur in an organization and enables the response team by ensuring that they know exactly what process to follow in case of security incidents?
- A . Vulnerability management
- B . Risk assessment
- C . Incident response orchestration
- D . Threat assessment
Which one of the following is the correct flow of the stages in an incident handling and response (IH&R) process?
- A . Preparation -> Incident recording -> Incident triage -> Containment -> Eradication -> Recovery -> Post-incident activities
- B . Incident recording -> Preparation -> Containment -> Incident triage -> Recovery -> Eradication -> Post-incident activities
- C . Containment -> Incident recording -> Incident triage -> Preparation -> Recovery -> Eradication -> Post-incident activities
- D . Incident triage -> Eradication -> Containment -> Incident recording -> Preparation -> Recovery -> Post-incident activities
Which stage of the incident response and handling process involves auditing the system and network log files?
- A . Containment
- B . Incident disclosure
- C . Incident eradication
- D . Incident triage
Stanley is an incident handler working for TexaCorp., a United States based organization. With the growing concern of increasing emails from outside the organization, Stanley was asked to take appropriate actions to keep the security of the organization intact. In the process of detecting and containing malicious emails, Stanley was asked to check the validity of the emails received by employees. Identify the tool Stanley can use to accomplish this task.
- A . Email Dossier
- B . Point of Mail
- C . PoliteMail
- D . EventLog Analyzer
Which of the following is not the responsibility of first responders?
- A . Packaging and transporting the electronic evidence
- B . Protecting the crime scene
- C . Preserving temporary and fragile evidence and then shutting down or rebooting the victim's computer
- D . Identifying the crime scene
Identify the network security incident in which intended or authorized users are prevented from using a system, network, or application by flooding the network with a high volume of traffic that consumes all existing network resources.
- A . SQL injection
- B . URL manipulation
- C . XSS attack
- D . Denial-of-service
Multiple component incidents consist of a combination of two or more attacks in a system.
Which of the following is not a multiple component incident?
- A . An attacker infecting a machine to launch a DDoS attack
- B . An insider intentionally deleting files from a workstation
- C . An attacker redirecting a user to a malicious website and infecting his system with a Trojan
- D . An attacker using email with malicious code to infect internal workstation
Otis is an incident handler working at the Delmont organization. Recently, the organization has been facing several setbacks in its business, and its revenues are going down. Otis was asked to take charge and look into the matter. While auditing the enterprise security, he found traces of an attack in which proprietary information was stolen from the enterprise network and passed on to competitors.
Which of the following information security incidents did the Delmont organization face?
- A . Unauthorized access
- B . Network and resource abuses
- C . Email-based abuse
- D . Espionage
Which of the following methods helps incident responders reduce the false positive alert rate and further provides the benefit of focusing on top-priority issues, thereby reducing potential risk and corporate liability?
- A . Threat contextualization
- B . Threat profiling
- C . Threat attribution
- D . Threat correlation
Which of the following types of insider threats involves an insider who is uneducated on potential security threats or simply bypasses general security procedures to meet workplace efficiency?
- A . Professional insider
- B . Malicious insider
- C . Compromised insider
- D . Negligent insider
Adam is an incident handler who intends to use the DBCC LOG command to analyze a database and retrieve the active transaction log for the specified database. The syntax of the DBCC LOG command is DBCC LOG (<database name>, <output>), where the output parameter specifies the level of information an incident handler wants to retrieve.
If Adam wants to retrieve full information on each operation along with a hex dump of the current transaction log row, which of the following output parameters should Adam use?
- A . 2
- B . 1
- C . 3
- D . 4
Eric works as an incident handler at Erinol software systems. He was assigned a task to protect the organization from any kind of DoS/DDoS attacks.
Which of the following tools can be used by Eric to achieve his objective?
- A . Incapsula
- B . Hydra
- C . Wireshark
- D . IDA
Which of the following encoding techniques replaces unusual ASCII characters with "%" followed by the character’s two-digit ASCII code expressed in hexadecimal?
- A . Unicode encoding
- B . URL encoding
- C . HTML encoding
- D . Base 64 encoding
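URL encoding and the injection regexes from Tibson's MSSQL question above are two halves of one detection problem: the %XX encoding hides the meta-characters, so a detector has to decode before matching, and has to keep decoding when a payload is double-encoded (%2527 becomes %27 and only then becomes a quote). The following is an added example, not part of the original question set: a hand-written percent encoder and decoder following the definition in the question, a repeat-until-stable decoder that reports the nesting depth, and the two patterns from that question (the MSSQL `exec sp_/xp_` regex and the reconstructed script-tag pattern) applied to the decoded value. The parameter strings are constructed.

```python
import re
import string

UNRESERVED = set(string.ascii_letters + string.digits + "-_.~")


def url_encode(text):
    """Percent-encode every byte outside the unreserved set as %XX (two upper-case hex digits)."""
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in UNRESERVED else f"%{byte:02X}")
    return "".join(out)


def url_decode_once(text):
    """Reverse one layer of %XX encoding; a '%' not followed by two hex digits is kept literally."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%" and i + 2 < len(text) and all(c in string.hexdigits for c in text[i + 1:i + 3]):
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(text[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def url_decode_fully(text, max_depth=3):
    """Decode repeatedly until the value stops changing, so double-encoded payloads are exposed."""
    depth = 0
    while depth < max_depth:
        decoded = url_decode_once(text)
        if decoded == text:
            break
        text, depth = decoded, depth + 1
    return text, depth


# The MSSQL stored-procedure regex from the question above, plus the script-tag pattern.
MSSQL_EXEC_RE = re.compile(r"exec(\s|\+)+(s|x)p\w+", re.IGNORECASE)
SCRIPT_TAG_RE = re.compile(r"((\%3C)|<)((\%2F)|\/)*(script)((\%3E)|>)", re.IGNORECASE)


def detect_injection(raw_param):
    """Return which patterns match after decoding; depth shows how many encoding layers hid it."""
    decoded, depth = url_decode_fully(raw_param)
    hits = [name for name, rx in (("mssql_exec", MSSQL_EXEC_RE), ("script_tag", SCRIPT_TAG_RE))
            if rx.search(decoded)]
    return {"decoded": decoded, "depth": depth, "hits": hits}


if __name__ == "__main__":
    print(url_encode("exec xp_cmdshell 'dir'"))
    for param in ("id=1%3B%20exec%20xp_cmdshell%20%27dir%27",
                  "q=%2565xec%2520xp_cmdshell", "id=42", "%3Cscript%3E"):
        print(param, "->", detect_injection(param))
```

The MSSQL regex only fires when `exec` is followed directly by an `sp_`/`xp_` procedure name, so `exec master..xp_cmdshell` slips past it; that is a limit of the pattern, not of the decoder, and a reason to treat any of these regexes as one signal among several rather than a complete filter.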
Chandler is a professional hacker who is targeting an organization called Technote. He wants to obtain important organizational information that is being transmitted between different hierarchies. In the process, he is sniffing the data packets transmitted through the network and then analyzing them to gather packet details such as network, ports, protocols, devices, issues in network transmission, and other network specifications.
Which of the following tools would Chandler employ to perform packet analysis?
- A . IDA Pro
- B . OmniPeek
- C . BeEF
- D . Sharp
Eric is an incident responder and is working on developing incident-handling plans and procedures. As part of this process, he is performing an analysis on the organizational network to generate a report and develop policies based on the acquired results.
Which of the following tools will help him in analyzing his network and the related traffic?
- A . FaceNiff
- B . Burp Suite
- C . Wireshark
- D . Whois
Zaimasoft, a prominent IT organization, was attacked by perpetrators who directly targeted the hardware and caused irreversible damage to it. As a result, replacing or reinstalling the hardware was the only solution. Identify the type of denial-of-service attack performed on Zaimasoft.
- A . DDoS
- B . DRDoS
- C . PDoS
- D . DoS
A US federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the network. According to the agency's reporting timeframe guidelines, this incident should be reported within 2 h of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity.
Which US federal agency incident category does this incident belong to?
- A . CAT 5
- B . CAT 6
- C . CAT 2
- D . CAT 1
Which of the following information security personnel handles incidents from management and technical point of view?
- A . Network administrators
- B . Incident manager (IM)
- C . Forensic investigators
- D . Threat researchers
Create a vulnerability scan report
Identify the correct sequence of vulnerability assessment steps performed by the incident responders.
- A . 4–>1–>2->3->6->5–>7
- B . 3–>6–>1->2->5->4–>7
- C . 1–>3–>2->4->5->6–>7
- D . 2–>1–>4->7->5->6–>3
In which of the following phases of incident handling and response (IH&R) process are the identified security incidents analyzed, validated, categorized, and prioritized?
- A . Incident triage
- B . Notification
- C . Incident recording and assignment
- D . Containment
Browser data can be used to access various credentials.
Which of the following tools is used to analyze the history data files of the Microsoft Edge browser?
- A . MZHistoryView
- B . BrowsingHistoryView
- C . ChromeHistoryView
- D . MZCacheView
Eve is an incident handler in ABC organization. One day, she got a complaint about an email hacking incident from one of the employees of the organization. As a part of incident handling and response process, she must follow a number of recovery steps in order to recover from the incident impact and maintain business continuity.
What is the first step that she must do to secure the employee’s account?
- A . Disabling automatic file sharing between the systems
- B . Restore the email services and change the password
- C . Enable scanning of links and attachments in all the emails
- D . Enable two-factor authentication
John is a professional hacker who is performing an attack on the target organization where he tries to redirect the connection between the IP address and its target server such that when the users type in the Internet address, it redirects them to a rogue website that resembles the original website. He tries this attack using cache poisoning technique.
Identify the type of attack John is performing on the target organization.
- A . Pharming
- B . Skimming
- C . War driving
- D . Pretexting
Dash wants to perform a DoS attack over 256 target URLs simultaneously.
Which of the following tools can Dash employ to achieve his objective?
- A . OllyDbg
- B . IDA Pro
- C . HOIC
- D . OpenVAS
Andrew, an incident responder, is performing risk assessment of the client organization. As a part of the risk assessment process, he identified the boundaries of the IT systems, along with the resources and the information that constitute the systems.
Identify the risk assessment step Andrew is performing.
- A . Likelihood determination
- B . System characterization
- C . Control analysis
- D . Control recommendations
Marley was asked by his incident handling and response (IH&R) team lead to collect volatile data such as system information and network information present in the registry, cache, and RAM of the victim's system.
Identify the data acquisition method Marley must employ to collect volatile data.
- A . Live data acquisition
- B . Validate data acquisition
- C . Remote data acquisition
- D . Static data acquisition
Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption
Identify the correct sequence of steps involved in forensic readiness planning.
- A . 2–>3–>1->4->6->5–>7–>8
- B . 3–>4–>8->7->6->1–>2–>5
- C . 3–>1–>4->5->8->2–>6–>7
- D . 1–>2–>3->4->5->6–>7–>8
Jacob is an employee at the Dolphin Investment firm. While on duty, he identified that his computer was facing some problems and wanted to convey the issue to the respective authority in his organization.
However, the organization currently does not have a ticketing system to address such issues.
In the above scenario, which of the following ticketing systems can be employed by the Dolphin Investment firm to allow Jacob to raise the issue and inform the respective team about the incident?
- A . ThreatConnect
- B . IBM X-Force Exchange
- C . ManageEngine ServiceDesk Plus
- D . MISP
Identify the malicious program that is masked as a genuine, harmless program and gives the attacker unrestricted access to the user's information and system. These programs may unleash dangerous code that erases the unsuspecting user's disk and sends the victim's credit card numbers and passwords to a stranger.
- A . Virus
- B . Adware
- C . Worm
- D . Trojan