Why would an incident handler acquire memory on a system being investigated?
A . To determine whether a malicious DLL has been injected into an application
B . To identify whether a program is set to auto-run through a registry hook
C . To list which services are installed on the system
D . To verify which user accounts have root or admin privileges on the system

Answer: C

What feature of Wireshark allows the analysis of one HTTP conversation?
A . Follow UDP Stream
B . Follow TCP Stream
C . Conversation list > IPv4
D . Setting a display filter to ‘tcp’

Answer: B

Explanation:

Follow TCP Stream is a feature of Wireshark that reassembles a single TCP conversation between two hosts across all of its packets so it can be analysed as one exchange. Typing tcp into the filter box only displays every TCP packet in the capture; it does not group packets by conversation. HTTP runs over TCP, not UDP, so an HTTP stream cannot be followed with Follow UDP Stream.

An incident response team is handling a worm infection among their user workstations. They created an IPS signature to detect and block worm activity on the border IPS, then removed the worm’s artifacts on workstations triggering the rule. Despite this action, worm activity continued for days after. Where did the incident response team fail?
A . The team did not adequately apply lessons learned from the incident
B . The custom rule did not detect all infected workstations
C . They did not receive timely notification of the security event
D . The team did not understand the worm’s propagation method

Answer: B

Explanation:

Identifying and scoping an incident during triage is essential to handling it successfully. Here the team scoped the incident using only the hosts that tripped the border IPS rule, so infected workstations whose traffic never crossed the border IPS, or that did not match the signature, were missed and continued to spread the worm.

Which Unix administration tool is designed to monitor configuration changes to Cisco, Extreme and Foundry infrastructure devices?
A . SNMP
B . Netflow
C . RANCID
D . RMON

Answer: C

Explanation:

RANCID is a Unix tool which can be used to monitor changes to the following networked devices and more: IOS, CatOS, PIX, Juniper, Foundry, HP ProCurve, Extreme.

Of the following pieces of digital evidence, which would be collected FIRST from a live system involved in an incident?
A . Event logs from a central repository
B . Directory listing of system files
C . Media in the CD-ROM drive
D . Swap space and page files

Answer: D

Explanation:

Best practices suggest that live response should follow the order of volatility: collect the data that changes most rapidly first, since it is the data most likely to be lost or altered while the system keeps running.

The order of volatility is:

1. Memory
2. Swap or page file
3. Network status and current / recent network connections
4. Running processes
5. Open files

A company wants to allow only company-issued devices to attach to the wired and wireless networks. Additionally, devices that are not up-to-date with OS patches need to be isolated from the rest of the network until they are updated.

Which technology standards or protocols would meet these requirements?
A . 802.1x and Network Access Control
B . Kerberos and Network Access Control
C . LDAP and Authentication, Authorization and Accounting (AAA)
D . 802.11i and Authentication, Authorization and Accounting (AAA)

Answer: A

To detect worms and viruses buried deep within a network packet payload, gigabytes’ worth of traffic content entering and exiting a network must be checked with which of the following technologies?
A . Proxy matching
B . Signature matching
C . Packet matching
D . Irregular expression matching
E . Object matching

Answer: C