NIST Incident Response Guide

The document outlines best practices for incident response as per NIST SP 800-61 Revision 2, detailing the incident response lifecycle, team structure, and key frameworks like MITRE ATT&CK and the Diamond Model. It emphasizes the importance of preparation, identification, containment, eradication, recovery, and lessons learned in managing security incidents. Additionally, it discusses the roles within an incident response team and the significance of regular exercises and effective communication plans.

1. Incident Response - Background

NIST SP 800-61 Revision 2 - Computer Security Incident Handling Guide

This guide provides best practices and recommendations for incident handling, especially the
organization, structure, and operation of incident response capabilities. It describes the incident
response lifecycle: preparation; detection and analysis; containment, eradication, and recovery; and
post-incident activity such as lessons learned and evidence retention. While NIST SP 800-61 Rev. 2 is the
primary document on incident response, several other NIST publications cover related ground and can
be relevant depending on the context. For example:

NIST SP 800-53 Revision 5 – Security and Privacy Controls for Information Systems and Organizations:
its control catalog includes the Incident Response (IR) control family (IR policy and procedures,
training, testing, handling, monitoring, reporting, assistance, and the incident response plan).

NIST SP 800-86 – Guide to Integrating Forensic Techniques into Incident Response: detailed guidance on
using forensic techniques during response to collect, examine, and analyze evidence about the incident
while keeping that evidence usable (hashing, chain of custody).

a. Incident Response Cycle

i. Preparation – Build the team, tools, and procedures: high-level procedures for each incident
type (called "Playbooks") and the detailed, technically specific procedures that implement them
(called "Runbooks")
ii. Identification – Review events and look for Indicators of Compromise (IOCs). NIST SP 800-61
calls this phase "Detection and Analysis"
iii. Containment – Prevent further damage
iv. Eradication – Remove the artifacts of the intrusion (malware, persistence mechanisms, attacker
accounts) while preserving evidence; image the system before you delete anything
v. Recovery – Restore the system to normal operation and monitor it for signs of reinfection
vi. Lessons Learned – "Hotwash" (immediate informal debrief) vs. the final written report
2. Incident Response Team
i. Management
ii. IT Staff
iii. Technical Experts (Sysadmins, developers)
iv. Public Relations
v. Legal and Human Resources
vi. Outside Consultants/Law Enforcement
3. Incident Response Exercises
i. Tabletop – Discussion-based; management and responders talk through a scenario, usually
guided by a facilitator
ii. Walkthrough – Take the team through a procedure step by step
iii. Simulation – Practice on a sample incident, as close to a real one as the environment allows
4. Building IR Plans
i. Communication Plans
1. Prepare out-of-band ("off grid") communications, since corporate email and chat may be
compromised or unavailable during the incident
2. Prepare press release templates in advance
ii. Management Plans
1. Determine the personnel involved
2. Determine the resources needed
iii. Business Continuity Plans – Keep operating while an incident is under way
iv. Disaster Recovery Plans – Keep operating when a disaster destroys the
infrastructure
b. Continuity of Operations (COOP) – Set forth by FEMA
i. Phase 1 – Readiness and Preparedness
ii. Phase 2 – Activation and Relocation
iii. Phase 3 – Continuity Operations
iv. Phase 4 – Reconstitution
5. Attack Frameworks
a. MITRE ATT&CK (which stands for "Adversarial Tactics, Techniques, & Common
Knowledge") is a curated knowledge base and framework for describing the actions
adversaries take against enterprise (and also mobile and ICS) environments. Developed
by MITRE, a not-for-profit organization, ATT&CK is organized as a matrix: columns are
tactics (the adversary's objectives, the "why" of an attack) and, under each tactic, the
techniques and sub-techniques (the "how") observed in real intrusions. The Enterprise
matrix runs from the pre-compromise tactics Reconnaissance and Resource Development
through Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion,
Credential Access, Discovery, Lateral Movement, Collection, Command and Control,
Exfiltration, and Impact. Each technique has a stable ID (for example T1110, Brute Force)
and lists detection ideas and mitigations, so security professionals use the framework to
map their detections to known adversary behavior, identify coverage gaps, and describe
incidents in a shared vocabulary.

b. Diamond Model of Intrusion Analysis (can be complicated to follow if you look at the
original paper; I'll include that with these notes).
i. Core Features:

The Diamond Model's core features consist of the fundamental entities involved in any cyber intrusion
event. These entities are represented as vertices on a diamond shape:

Adversary: This represents the individual or group responsible for the intrusion.
Understanding the adversary's tactics, techniques, and procedures (TTPs) can provide valuable insights
into the intrusion.

Capability: This encompasses the tools, techniques, malware, exploits, and any other
resources the adversary uses to conduct the intrusion.

Infrastructure: This refers to the hardware, software, networks, and other resources that the
adversary uses to facilitate the intrusion. Examples include command and control servers, proxies, and
domain names.

Victim: This represents the target of the intrusion. It can be an individual, an organization, a
server, or any other entity that the adversary seeks to compromise or affect.
ii. Meta-Features

Meta-features describe attributes of an event and of the relationships between its core features. They
add context to the basic Diamond, giving a deeper understanding of an intrusion event. The original
paper lists six: timestamp, phase, result, direction, methodology, and resources.

Timestamp: When the event occurred (start and end).

Phase: Where the event sits in the intrusion, for example which kill-chain phase it belongs to.

Direction: The flow of the activity, such as adversary-to-victim or victim-to-adversary (inbound vs.
outbound).

Result: The outcome of the event, such as whether an exploit attempt succeeded or failed.

Methodology: The general class of activity, such as spear-phishing or port scanning, independent of
the specific tool.

Resources: What the event required of the adversary (software, knowledge, access, funds).

iii. Confidence Value

The confidence value is a measure of the analyst's certainty in the information being assessed within
the Diamond Model. By assigning a confidence value to each feature or relationship, analysts can
weigh the reliability of the information they have. This is particularly useful when dealing with partial
or potentially misleading data, as it helps in prioritizing responses and decisions based on the most
trustworthy information. Confidence values can be subjective and might be determined based on the
source of the information, corroborative evidence, or the analyst's expertise.
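The Diamond Model is easiest to see as data. The block below is an added example written for these notes (it is not code from the Diamond Model paper): each event carries the four core features, a per-feature confidence value, and the meta-features, and two analyst operations are built on top, pivoting (every event sharing one feature value) and clustering events that share infrastructure or capability. When a cluster contains one attributed event, the attribution is propagated to the others with its confidence discounted by the weakest link, so the confidence value does real work rather than decorating the record. All hostnames, domains, the IP address and the adversary label are constructed placeholders.

```python
"""Diamond Model events as data, with analytic pivoting.

Added example for these notes; it is not code from the Diamond Model paper.
Every value below (domains, hosts, the adversary label) is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass
class DiamondEvent:
    event_id: str
    # Core features (the four vertices). The adversary is often unknown at first.
    adversary: Optional[str]
    capability: str
    infrastructure: str
    victim: str
    # Analyst confidence per core feature, 0.0 (pure guess) to 1.0 (certain).
    confidence: Dict[str, float]
    # Meta-features that give the event context.
    timestamp: str          # ISO 8601, UTC
    direction: str          # "adversary-to-victim" or "victim-to-adversary"
    result: str             # "success", "failure" or "unknown"
    methodology: str        # general class of activity


# Constructed sample: a phishing wave, a C2 beacon seen on two hosts, and an unrelated scan.
EVENTS: List[DiamondEvent] = [
    DiamondEvent("E1", None, "macro-dropper-A", "mail-relay.example.net", "WS-01",
                 {"adversary": 0.0, "capability": 0.9, "infrastructure": 0.8, "victim": 1.0},
                 "2024-03-01T09:02:00Z", "adversary-to-victim", "success", "spear-phishing attachment"),
    DiamondEvent("E2", None, "beacon-B", "c2.example.net", "WS-01",
                 {"adversary": 0.0, "capability": 0.8, "infrastructure": 0.8, "victim": 1.0},
                 "2024-03-01T09:10:00Z", "victim-to-adversary", "success", "HTTPS C2 beacon"),
    DiamondEvent("E3", "GROUP-X (placeholder)", "beacon-B", "c2.example.net", "SRV-07",
                 {"adversary": 0.7, "capability": 0.9, "infrastructure": 0.9, "victim": 1.0},
                 "2024-03-02T14:20:00Z", "victim-to-adversary", "success", "HTTPS C2 beacon"),
    DiamondEvent("E4", None, "port-scanner", "203.0.113.7", "WS-01",
                 {"adversary": 0.0, "capability": 0.6, "infrastructure": 0.9, "victim": 1.0},
                 "2024-02-28T22:45:00Z", "adversary-to-victim", "failure", "external port scan"),
    DiamondEvent("E5", None, "macro-dropper-A", "mail-relay.example.net", "HR-PC-03",
                 {"adversary": 0.0, "capability": 0.9, "infrastructure": 0.8, "victim": 1.0},
                 "2024-03-01T09:03:00Z", "adversary-to-victim", "failure", "spear-phishing attachment"),
]


def pivot(events: Sequence[DiamondEvent], feature: str, value: str) -> List[str]:
    """Analytic pivot: ids of every event whose core feature `feature` equals `value`,
    in time order. Pivoting on a victim yields that victim's activity thread."""
    hits = [e for e in events if getattr(e, feature) == value]
    return [e.event_id for e in sorted(hits, key=lambda e: e.timestamp)]


def cluster_events(events: Sequence[DiamondEvent],
                   features: Tuple[str, ...] = ("infrastructure", "capability")) -> List[Set[str]]:
    """Group events linked, directly or transitively, by a shared infrastructure or
    capability value (a first cut at activity groups). Union-find over event ids."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen: Dict[Tuple[str, str], str] = {}
    for e in events:
        for f in features:
            key = (f, getattr(e, f))
            if key in first_seen:
                parent[find(e.event_id)] = find(first_seen[key])
            else:
                first_seen[key] = e.event_id
    groups: Dict[str, Set[str]] = {}
    for e in events:
        groups.setdefault(find(e.event_id), set()).add(e.event_id)
    return sorted(groups.values(), key=min)


def adversary_hypothesis(events: Sequence[DiamondEvent], cluster: Set[str],
                         link_feature: str = "infrastructure") -> Tuple[Optional[str], float]:
    """Propagate the best-attributed adversary in a cluster to its unattributed events.
    The propagated confidence is the source event's adversary confidence discounted by
    the weakest confidence anyone had in the shared link, so a shaky pivot cannot
    manufacture a strong attribution."""
    members = [e for e in events if e.event_id in cluster]
    named = [e for e in members if e.adversary]
    if not named:
        return None, 0.0
    best = max(named, key=lambda e: e.confidence.get("adversary", 0.0))
    link_conf = min(e.confidence.get(link_feature, 0.0) for e in members)
    return best.adversary, round(best.confidence["adversary"] * link_conf, 3)


if __name__ == "__main__":
    for group in cluster_events(EVENTS):
        print(sorted(group), adversary_hypothesis(EVENTS, group))
    print("WS-01 activity thread:", pivot(EVENTS, "victim", "WS-01"))
```

Pivoting on the victim WS-01 returns the scan, the phish and the beacon in time order (the activity thread for that host); clustering links E2 to E3 through the shared C2 domain and beacon, so the 0.7-confidence attribution on E3 reaches E2 at 0.56, while the phishing cluster stays unattributed.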

c. Lockheed Martin Cyber Kill Chain


i. Reconnaissance
ii. Weaponization
iii. Delivery
iv. Exploitation
v. Installation
vi. Command and Control (C2)
vii. Actions on Objectives

6. Security Information and Event Management Systems (SIEM)

a. SIEM Dashboard – the GUI through which you interact with the SIEM
b. Sensors – the collection points (agents, syslog receivers, network taps) that send data to the SIEM
i. Sensitivity and Thresholds – tune how many events of what kind within what time window
raise an alert; too sensitive floods analysts with false positives, too lax misses real incidents
ii. Trends – baseline normal activity so deviations stand out
iii. Log Files
1. System Logs – (everything the OS reports) e.g. on Linux, sent via syslog
2. Application Logs
3. Security Logs – (authentication, authorization, audit)
4. Vulnerability scan output and anti-malware logs
5. Network Logs – (flow of traffic between systems: NetFlow, firewall, IDS)
6. Web Logs
7. DNS Logs
8. Dump files (memory and crash dumps)
9. VoIP, call manager logs, Session Initiation Protocol (SIP) logs
[Figure not reproduced: at this point the notes show how the Diamond Model maps onto the MITRE ATT&CK framework.]
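The SIEM section above (sensors, thresholds, and the log types a SIEM ingests) and the later questions on normalization, correlation and IoC look-ups are all one pipeline in practice. The block below is an added example written for these notes, not code from any SIEM product: it normalizes two different log formats (sshd syslog lines and a web server access log) onto one schema, applies a threshold rule (N failed logins then a success from the same IP inside a time window), correlates the alert with the web log from a second sensor, and runs a retro-hunt for a known-bad IP over a time range. All log lines are constructed; the IP addresses are from the RFC 5737 documentation ranges, and the only external identifier used is the public ATT&CK ID for Brute Force, T1110.

```python
"""Mini SIEM pipeline: normalise two log formats, apply a threshold rule, correlate sources.

Added example for these notes, not code from any SIEM product. The log lines are
constructed; IP addresses come from the RFC 5737 documentation ranges, and the
ATT&CK technique tag is the public ID for Brute Force (T1110).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set

LOG_YEAR = 2024   # classic syslog timestamps carry no year; assumed here

# Constructed sshd syslog lines: a user who mistypes twice, then an attacker who guesses
# five times and gets in. The CRON line is noise the normaliser must skip.
SSHD_LINES = [
    "Mar  1 09:13:40 bastion sshd[2201]: Failed password for alice from 198.51.100.23 port 40110 ssh2",
    "Mar  1 09:13:52 bastion sshd[2201]: Failed password for alice from 198.51.100.23 port 40110 ssh2",
    "Mar  1 09:14:01 bastion sshd[2201]: Accepted password for alice from 198.51.100.23 port 40110 ssh2",
    "Mar  1 09:14:02 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar  1 09:14:10 bastion sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2",
    "Mar  1 09:14:19 bastion sshd[2213]: Failed password for deploy from 203.0.113.7 port 51030 ssh2",
    "Mar  1 09:14:28 bastion sshd[2214]: Failed password for deploy from 203.0.113.7 port 51031 ssh2",
    "Mar  1 09:14:40 bastion sshd[2215]: Failed password for deploy from 203.0.113.7 port 51032 ssh2",
    "Mar  1 09:14:55 bastion sshd[2216]: Accepted password for deploy from 203.0.113.7 port 51040 ssh2",
    "Mar  1 09:15:01 bastion CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]
# Constructed web server access log (combined-log style) from a second sensor.
WEB_LINES = [
    '203.0.113.7 - - [01/Mar/2024:09:15:30 +0000] "GET /admin HTTP/1.1" 200 512 "-" "curl/8.5"',
    '198.51.100.23 - - [01/Mar/2024:09:20:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

SSHD_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')


def normalize(sshd_lines: Iterable[str], web_lines: Iterable[str]) -> List[Dict]:
    """Map both formats onto one schema: ts (aware UTC datetime), source, src_ip, user, outcome, detail."""
    records = []
    for line in sshd_lines:
        m = SSHD_RE.match(line)
        if not m:
            continue                      # not an authentication event; ignore
        mon, day, hms, verb, user, ip = m.groups()
        ts = datetime.strptime(f"{LOG_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        records.append({"ts": ts, "source": "sshd", "src_ip": ip, "user": user,
                        "outcome": "success" if verb == "Accepted" else "failure", "detail": "ssh login"})
    for line in web_lines:
        m = WEB_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path, status = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        records.append({"ts": ts, "source": "web", "src_ip": ip, "user": None,
                        "outcome": "success" if status.startswith("2") else "failure",
                        "detail": f"{method} {path}"})
    return sorted(records, key=lambda r: r["ts"])


def detect_bruteforce(records: List[Dict], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Threshold rule: >= `threshold` failed ssh logins from one IP inside `window`, followed by a
    success from that IP. The threshold is the sensitivity knob: too low and alice's typos page
    the on-call; too high and a slow guesser never trips it."""
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)
    alerts = []
    for r in records:
        if r["source"] != "sshd":
            continue
        ip = r["src_ip"]
        recent_fails[ip] = [t for t in recent_fails[ip] if r["ts"] - t <= window]
        if r["outcome"] == "failure":
            recent_fails[ip].append(r["ts"])
        elif len(recent_fails[ip]) >= threshold:
            alerts.append({"rule": "ssh-bruteforce-then-success", "src_ip": ip, "user": r["user"],
                           "ts": r["ts"], "failures": len(recent_fails[ip]),
                           "attack": "T1110 Brute Force (Credential Access)"})
            recent_fails[ip].clear()
    return alerts


def correlate_web(alerts: List[Dict], records: List[Dict],
                  window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Cross-source correlation: attach the web paths the alerting IP requested within `window`
    after the suspicious login, so the analyst sees the follow-on activity in one alert."""
    enriched = []
    for a in alerts:
        paths = [r["detail"].split(" ", 1)[1] for r in records
                 if r["source"] == "web" and r["src_ip"] == a["src_ip"]
                 and a["ts"] <= r["ts"] <= a["ts"] + window]
        enriched.append({**a, "web_paths": paths})
    return enriched


def match_iocs(records: List[Dict], bad_ips: Set[str], start_iso: str, end_iso: str) -> List[Dict]:
    """Retro-hunt: records from known-bad IPs inside a time window, which is what a responder
    asks the SIEM for once an IoC is in hand."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [r for r in records if r["src_ip"] in bad_ips and start <= r["ts"] <= end]


if __name__ == "__main__":
    recs = normalize(SSHD_LINES, WEB_LINES)
    for alert in correlate_web(detect_bruteforce(recs), recs):
        print(alert)
```

With the default threshold of five failures only the attacker trips the rule and the alert arrives already tagged with the ATT&CK technique and the `/admin` request that followed; dropping the threshold to two also alerts on alice's two typos, which is the false-positive trade-off the Sensitivity and Thresholds bullet refers to.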

7. Containment/Mitigation/Recovery
a. You may block the cause of the incident
i. Whitelist (allow list) – Configure endpoints to permit only approved sites or applications
ii. Blacklist (deny list) – Configure to block known-bad sites, addresses, or file hashes
iii. Eradicate – Delete the malicious information/files/data. Image the system first: deleting
before the evidence is captured prevents any further investigation.
iv. Segmentation:

Definition: It refers to dividing a network into smaller subnetworks or segments. These segments often
have different access controls and communication permissions.

Purpose in Incident Response: Reducing the potential "blast radius" of an attack. By segmenting a
network, if one segment gets compromised, it doesn't necessarily mean that the entire network is
vulnerable.

v. Containment:

Definition: This involves stopping the spread of the intrusion and preventing it from causing further
damage.
Purpose in Incident Response: To act as a quick and immediate response to an identified threat. It's
usually a short-term action, which is later followed by long-term containment strategies like patching,
blocking certain IP addresses, or modifying access controls.

vi. Isolation:

Definition: Isolating involves completely cutting off a system, device, or network segment from others,
preventing any kind of communication.

Purpose in Incident Response: Used to remove a compromised system from a network to prevent
lateral movement of threats. This ensures that a malicious actor or malware can't spread or exfiltrate
data.

vii. Quarantine:

Definition: This involves placing suspicious or malicious files in a secure environment, separate from
the main system or network, where they cannot execute or cause harm.

Purpose in Incident Response: To safely store and analyze suspicious files or payloads. This is
commonly used with email systems where potentially harmful attachments are quarantined for
further inspection.

viii. Mitigation:

Definition: It refers to the process of reducing the severity of an incident or the risk associated with
potential incidents.

Purpose in Incident Response: To address vulnerabilities, enhance defenses, and reduce the overall
impact of an intrusion. It includes measures like patching software, revising permissions, improving
network security, and educating users.

Questions

1. Which stage of the Incident Response Cycle focuses on establishing procedures and acquiring
necessary tools?

A. Identification
B. Recovery
C. Preparation
D. Containment

Answer: C. Preparation

Explanation: The preparation stage involves building the team, tools, policy, and procedures necessary
for the entire incident response process.
2. During which phase of the Incident Response Cycle would an organization primarily search for
Indicators of Compromise (IOCs)?

A. Eradication
B. Identification
C. Containment
D. Recovery

Answer: B. Identification

Explanation: The identification stage involves reviewing events and looking for IOCs to identify security
incidents.

3. If an organization wants to prevent further damage after identifying a security incident, which phase
should it focus on?

A. Lessons Learned
B. Containment
C. Eradication
D. Preparation

Answer: B. Containment

Explanation: The containment phase is aimed at halting the spread of an incident and preventing further
damage.

4. In which phase of the Incident Response Cycle is it crucial to preserve evidence while removing any
malicious artifacts?

A. Identification
B. Recovery
C. Lessons Learned
D. Eradication

Answer: D. Eradication
Explanation: During the eradication phase, the artifacts relating to damage are removed, but it's
essential to preserve evidence for further analysis and potential legal actions.

5. After all malicious elements are removed from an environment, which phase ensures systems return
to their regular operational state?

A. Recovery
B. Containment
C. Preparation
D. Identification

Answer: A. Recovery

Explanation: The recovery phase focuses on restoring the system to its normal operational state after the
incident.

6. Which phase of the Incident Response Cycle emphasizes the review of the entire incident to
determine improvements for future responses?

A. Eradication
B. Lessons Learned
C. Identification
D. Containment

Answer: B. Lessons Learned

Explanation: The lessons learned phase involves analyzing the incident to understand what went well,
what didn't, and how to improve for future incidents.

7. In the event of a suspected security incident, what is the primary goal of the containment phase?

A. Removing the cause of the incident
B. Identifying the source of the breach
C. Preventing further damage or spread
D. Restoring systems to normal function

Answer: C. Preventing further damage or spread


Explanation: Containment aims to prevent the incident from causing more harm or spreading further
within the environment.

8. During which phase of the Incident Response Cycle would a team focus on creating and implementing
policies?

A. Preparation
B. Identification
C. Eradication
D. Recovery

Answer: A. Preparation

Explanation: The preparation phase is when policies and procedures are established to guide the
organization's response to incidents.

9. If an organization has just concluded their incident response efforts, which phase should they enter to
review and document the entire incident?

A. Identification
B. Containment
C. Lessons Learned
D. Recovery

Answer: C. Lessons Learned

Explanation: After resolving an incident, organizations should enter the lessons learned phase to review,
document, and improve their response process.

10. After identifying a malware outbreak on a workstation, a security analyst decides to disconnect the
machine from the network but leaves it powered on. This action is MOST closely associated with which
phase of the Incident Response Cycle?

A. Identification
B. Containment
C. Eradication
D. Recovery
Answer: B. Containment

11. Who on the incident response team is responsible for communicating with the media, stakeholders,
and other outside entities during a security incident?

A. Lead investigator
B. Forensic expert
C. Public relations
D. IT technician

Answer: C. Public relations

Explanation: The public relations role within an incident response team focuses on external
communications, ensuring clear and accurate information is conveyed to stakeholders, media, and
others.

12. Which member of the incident response team is typically tasked with analyzing and gathering
evidence from compromised systems?

A. Legal advisor
B. Threat analyst
C. Forensic expert
D. Public relations

Answer: C. Forensic expert

Explanation: Forensic experts specialize in collecting, preserving, and analyzing digital evidence from
compromised systems.

13. Who in the incident response team usually provides advice on legal implications and potential
liabilities during an incident?

A. Lead investigator
B. Legal advisor
C. Threat analyst
D. IT technician
Answer: B. Legal advisor

Explanation: The legal advisor provides guidance on legal issues, ensuring that all actions taken during
and after the incident are legally compliant.

14. In which phase of the incident response process is the incident response team most actively involved
in mitigating the effects of an incident?

A. Preparation
B. Identification
C. Containment
D. Recovery

Answer: C. Containment

Explanation: During the containment phase, the incident response team works actively to prevent the
incident from causing further damage.

15. Why is it crucial for an incident response team to conduct regular tabletop exercises?

A. To test malware detection tools
B. To evaluate the team's readiness and response strategies
C. To identify potential threat actors and evaluate the threat data and intelligence
D. To gather needed data used to update the company's policies, procedures and guidelines

Answer: B. To evaluate the team's readiness and response strategies

Explanation: Tabletop exercises allow the team to simulate incidents and evaluate their preparedness
and the effectiveness of their response strategies.

16. Which role in the incident response team would liaise with law enforcement if required during a
security incident?

A. Threat analyst
B. IT technician
C. Public relations
D. Legal advisor
Answer: D. Legal advisor

Explanation: The legal advisor would typically liaise with law enforcement to ensure compliance with
legal requirements and assist with any potential investigations.

17. When a new software vulnerability is discovered, who in the incident response team typically
evaluates the risk it poses to the organization?

A. Legal advisor
B. Threat analyst
C. Systems Administrator
D. IT technician

Answer: B. Threat analyst

Explanation: Threat analysts assess and evaluate threats to the organization, including new software
vulnerabilities.

18. Which of the following is NOT a typical role in an incident response team?

A. Forensic expert
B. Network architect
C. Public relations
D. Legal advisor

Answer: B. Network architect

Explanation: While network architects are crucial in designing secure networks, they are not typically
part of the core incident response team roles.

19. Who on the incident response team would ensure that evidence collection processes adhere to a
standard that is admissible in court?

A. Public relations
B. Threat analyst
C. Forensic expert
D. Legal advisor
Answer: C. Forensic expert

Explanation: Forensic experts ensure evidence is collected and handled correctly so that it can be used in
court if necessary.

20. Why is it essential for an incident response team to have a designated lead investigator?

A. To communicate with the media and all involved stakeholders
B. To ensure a centralized and coordinated response
C. To assess software vulnerabilities
D. To provide technical and other tactical advice needed by team members to understand the threat

Answer: B. To ensure a centralized and coordinated response

Explanation: A lead investigator ensures that the response is organized, decisions are made timely, and
all team members have clear direction.

21. Which of the following is a primary objective when building an incident response plan?

A. Tracking employee internet usage and other threats
B. Evaluating software vulnerabilities which, when combined with a threat, cause damage
C. Ensuring timely and effective response to security incidents
D. Conducting daily security audits and operational log analysis to locate threats

Answer: C. Ensuring timely and effective response to security incidents

Explanation: The main goal of an incident response plan is to provide a structured approach for
addressing and managing security incidents.

22. What is the FIRST step in creating an effective incident response plan?

A. Purchasing new security tools
B. Conducting a risk assessment
C. Hiring a public relations team
D. Conducting a network audit

Answer: B. Conducting a risk assessment

Explanation: A risk assessment helps in understanding potential threats and vulnerabilities, which is
essential for developing a tailored incident response plan.
23. Tabletop exercises for incident response are primarily designed to:

A. Test network hardware
B. Simulate real-life scenarios to evaluate the team's response
C. Update antivirus software
D. Identify network vulnerabilities

Answer: B. Simulate real-life scenarios to evaluate the team's response

Explanation: Tabletop exercises simulate potential incidents to assess and refine the team's readiness
and response strategies.

24. When should an incident response plan be reviewed and updated?

A. Only when a security incident occurs
B. At regular intervals and after significant organizational changes
C. Every five years
D. Only during onboarding of new employees

Answer: B. At regular intervals and after significant organizational changes

Explanation: Regular reviews and updates ensure that the plan remains current and effective, especially
as the organization evolves.

25. The main purpose of a communication plan within an incident response strategy is to:

A. Inform stakeholders and relevant parties during an incident
B. Purchase new communication tools
C. Monitor emails for phishing attempts
D. Train employees on how to communicate during an incident

Answer: A. Inform stakeholders and relevant parties during an incident

Explanation: A communication plan ensures that accurate information is relayed to the right parties in a
timely manner during a security incident.

26. Who is typically responsible for declaring a security event as a confirmed incident?

A. All employees have an equal stake and thus are permitted to declare an event as an incident
B. The senior IT technician
C. The incident response team lead
D. External auditors designated by the CIP

Answer: C. The incident response team lead

Explanation: The team lead is responsible for coordination and decision-making during the incident
response process.

27. What is the primary goal of conducting post-incident reviews?

A. Identify those responsible and ensure their actions are not repeated
B. Identify lessons learned and improve future responses
C. Buy new security products which can be used to mitigate similar damage
D. Train employees on incident response protocols

Answer: B. Identify lessons learned and improve future responses

Explanation: Post-incident reviews help in understanding what went well, what didn't, and how to refine
the response process for future incidents.

28. A hotwash meeting in incident response is conducted:

A. During the incident
B. Prior to the incident
C. Immediately after the incident
D. Every year

Answer: C. Immediately after the incident

Explanation: A hotwash is a debrief conducted immediately after the incident or exercise to capture
initial thoughts and feedback.

29. What is the PRIMARY purpose of incident response playbooks?

A. Provide general security guidelines
B. Offer step-by-step procedures for specific types of incidents
C. List down company employees
D. Recommend security software
Answer: B. Offer step-by-step procedures for specific types of incidents

Explanation: Playbooks provide detailed procedures on how to handle and respond to specific types of
security incidents.

30. Why is stakeholder involvement crucial when building an incident response plan?

A. To increase the budget for the IT department
B. To ensure completeness, relevance, and buy-in for the plan
C. To handle public relations
D. To manage employee vacation schedules

Answer: B. To ensure completeness, relevance, and buy-in for the plan

Explanation: Stakeholder involvement ensures that the incident response plan aligns with organizational
needs and has the support needed for effective implementation.

31. Which attack framework focuses on tactics, techniques, and procedures (TTPs) of adversaries?

A. NIST 800-53
B. ISO 27001
C. OWASP
D. MITRE ATT&CK

Answer: D. MITRE ATT&CK

Explanation: The MITRE ATT&CK framework specifically catalogs and describes adversary TTPs, helping
organizations understand and counter various threat actions.

32. In which framework would you most likely find a matrix of tactics used at different stages of a cyber
attack lifecycle?

A. CIS Critical Security Controls
B. Cyber Kill Chain
C. OWASP Top Ten
D. MITRE ATT&CK
Answer: D. MITRE ATT&CK

Explanation: The MITRE ATT&CK framework uses a matrix to describe tactics employed by adversaries at
various stages of an attack lifecycle.

33. The Cyber Kill Chain is designed to represent the stages of what?

A. System development
B. Incident response
C. An attacker's progression
D. Network segmentation

Answer: C. An attacker's progression

Explanation: The Cyber Kill Chain describes the phases of a cyber attack, from initial reconnaissance to
actions on objectives (such as data exfiltration).

34. Which of the following stages in the Cyber Kill Chain refers to the delivery of malware to a victim's
system?

A. Exploitation
B. Installation
C. Delivery
D. Command and Control

Answer: C. Delivery

Explanation: The "Delivery" stage in the Cyber Kill Chain specifically refers to the transmission of
malware to the victim, often via email, web, or other methods.

35. Which framework primarily focuses on web application security vulnerabilities?

A. Cyber Kill Chain
B. MITRE ATT&CK
C. NIST SP 800-61
D. OWASP Top Ten
Answer: D. OWASP Top Ten (See page 67 in your book)

Explanation: The OWASP Top Ten is a well-known list of the most critical web application security risks.

36. When considering the MITRE ATT&CK framework, what does the term "technique" specifically refer
to?

A. A broad adversary goal
B. The specific software used in an attack
C. A general type of action adversaries may take
D. The output of a successful attack

Answer: C. A general type of action adversaries may take

Explanation: In the MITRE ATT&CK framework, a "technique" is a way an adversary achieves their
objective, without regard to specific tools.

37. In incident response, understanding adversary TTPs is crucial for:

A. Predicting system log trends
B. Identifying and mitigating potential threats
C. Training IT personnel to detect and deter adversary methods
D. Implementing firewall rules designed to mitigate adverse events by adversaries

Answer: B. Identifying and mitigating potential threats

Explanation: Knowing TTPs allows organizations to detect, counteract, and prevent attacks more
effectively by understanding how adversaries operate.

38. Which stage of the Cyber Kill Chain focuses on taking advantage of vulnerabilities in a system?

A. Reconnaissance
B. Weaponization
C. Exploitation
D. Installation

Answer: C. Exploitation
Explanation: The "Exploitation" stage involves using vulnerabilities to gain access or a foothold in a
system.

39. A primary goal of referencing attack frameworks in incident response is to:

A. Increase the organization's IT budget to deal with adversary intentions
B. Understand and anticipate attacker behaviors
C. Mitigate adversary actions relating to cloud services
D. Reduce software development time to focus on incident response

Answer: B. Understand and anticipate attacker behaviors

Explanation: Attack frameworks provide insights into the tactics, techniques, and procedures used by
adversaries, helping organizations predict, identify, and counteract threats.

40. The tactic in the MITRE ATT&CK framework that refers to an adversary trying to maintain their
foothold within an environment is called:

A. Credential Access
B. Discovery
C. Persistence
D. Impact

Answer: C. Persistence

Explanation: The "Persistence" tactic in MITRE ATT&CK describes techniques an adversary might use to
maintain access to systems across restarts, changed credentials, and other interruptions.

41. In the Diamond Model, what represents the tools, malware, or methods used by the attacker?

A. Adversary
B. Infrastructure
C. Capability
D. Result

Answer: C. Capability

Explanation: "Capability" in the Diamond Model represents the tools, techniques, or malware
employed by the attacker.

42. In the Cyber Kill Chain, which phase is focused on pairing a payload with an exploit?
A. Reconnaissance
B. Weaponization
C. Delivery
D. Installation

Answer: B. Weaponization

Explanation: The "Weaponization" phase involves pairing a payload with an exploit to create a
weaponized payload.

43. Which framework emphasizes the relationships between features like adversary, infrastructure,
capability, and victim during an intrusion event?

A. Cyber Kill Chain
B. NIST SP 800-61
C. Diamond Model
D. MITRE ATT&CK

Answer: C. Diamond Model

Explanation: The Diamond Model of Intrusion Analysis focuses on analyzing and mapping out the
relationships between its core features.

44. As per NIST guidelines, which document provides guidance specifically on computer security incident
handling?

A. NIST SP 27001
B. NIST SP 27000 – Sub IR
C. NIST SP 800-53
D. NIST SP 800-61

Answer: D. NIST SP 800-61

Explanation: NIST SP 800-61, particularly its Revision 2, provides guidance on computer security incident
handling.

45. Which tool primarily aggregates and correlates logs from different sources to identify potential
security incidents?

A. Vulnerability Scanner
B. Firewall
C. Intrusion Detection System (IDS)
D. Security Information and Event Management (SIEM)

Answer: D. Security Information and Event Management (SIEM)

Explanation: SIEM tools aggregate, correlate, and analyze logs from various sources to detect anomalies
and potential security incidents.

46. When performing incident response, what is the primary reason for preserving original log files?

A. To save storage space
B. To ensure data integrity for forensic analysis
C. To improve SIEM performance
D. To accelerate incident detection

Answer: B. To ensure data integrity for forensic analysis

Explanation: Maintaining the original log files ensures that evidence remains intact and uncontaminated
for potential forensic investigations.

47. What information do logs typically NOT contain?

A. Timestamp
B. Source IP address
C. Specific user's browsing history
D. Event type

Answer: C. Specific user's browsing history

Explanation: Standard logs contain event metadata like timestamps, event types, and IP addresses, but a
single log entry does not hold a user's browsing history (web proxy and DNS logs, taken together, can
reconstruct much of it, which is why they are listed as sources above).

48. How do SIEM solutions primarily help in incident response?

A. By blocking malicious IPs
B. By providing real-time threat intelligence feeds
C. By correlating events and providing alerts on suspicious activities
D. By patching vulnerabilities in the network

Answer: C. By correlating events and providing alerts on suspicious activities

Explanation: The primary role of a SIEM is to aggregate and correlate logs to detect anomalies and alert
on potential security threats.

49. In the context of a SIEM, what does normalization of logs refer to?

A. Reducing the size of log files
B. Making all log entries consistent in format
C. Encrypting log entries for security
D. Deleting old and unnecessary logs

Answer: B. Making all log entries consistent in format

Explanation: Normalization involves converting various log formats into a consistent, standardized format
for easier analysis.

50. Which of the following is NOT a primary function of a SIEM system?

A. Data aggregation
B. Log correlation
C. Threat intelligence
D. Malware removal

Answer: D. Malware removal

Explanation: While SIEMs play a crucial role in identifying potential threats, removing malware is done by
endpoint tools (anti-malware, EDR) or by responders; a SIEM can trigger that action through a SOAR
integration but does not perform it itself.

51. If an organization wants to keep logs for a minimum of one year for compliance reasons, what is this
an example of?

A. Data minimization
B. Data retention policy
C. Data normalization
D. Data encryption

Answer: B. Data retention policy

Explanation: A data retention policy specifies how long data items (like logs) should be stored before
they are discarded or archived.

52. Why might an incident responder query a SIEM for logs from a specific time period?

A. To update the SIEM software
B. To check for updates in threat intelligence feeds
C. To correlate with known indicators of compromise (IoC) during that period
D. To delete outdated logs

Answer: C. To correlate with known indicators of compromise (IoC) during that period

Explanation: Incident responders might query logs from specific time frames to investigate or correlate
events with known IoCs.

53. What is the primary reason for correlating logs from various sources in a SIEM?

A. To reduce storage requirements
B. To provide a holistic view of network activities and detect anomalies
C. To comply with data protection regulations
D. To back up log data

Answer: B. To provide a holistic view of network activities and detect anomalies

Explanation: By correlating logs from various sources, SIEMs offer a comprehensive view of activities,
making it easier to spot suspicious patterns or anomalies.

54. Which of the following is the most crucial characteristic of logs used for incident response?

A. The size of the log files
B. The age of the log files
C. The accuracy and integrity of the log data
D. The software that generated the log

Answer: C. The accuracy and integrity of the log data

Explanation: For incident response purposes, ensuring the accuracy and integrity of log data is crucial, as
logs may be used as evidence or to trace activities leading to the incident.

Digital Forensics

1. Acquisitions – Creation of Image File

a. Order of Volatility
i. RAM
ii. Hard Drive
iii. Remote Logs (SIEM)
iv. Backups
b. Write Blocker
c. Imaging
i. Definition
ii. Hash Value
d. Chain of Custody
i. Put original aside and work with a copy of the image
e. Tools
i. Command line: dd
ii. FTK Imager
iii. Cell Phones – Magnet
iv. Wireshark
f. Validation – Hash Values
2. Analysis – Forensic Suites
a. Autopsy
b. Commercial FTK, EnCase, Magnet
3. Final Report – Hashing Verification
4. Legal Holds/E-Discovery
5. Cloud Concerns (SLA)
a. Right to Audit Clauses
b. Jurisdiction Concerns
c. Data Breach Notification Laws
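The acquisition steps in the outline above (bit-stream copy with dd, hash validation, working from a copy, and a chain-of-custody record) as an added POSIX shell example. This is not code from the study guide or from any forensic tool; it assumes sha256sum or shasum is installed and uses a constructed sample file in place of a write-blocked device.

```shell
#!/bin/sh
# Added example, not from the study guide: a minimal forensic acquisition
# workflow. The "evidence" is a constructed sample file standing in for a
# block device; in a real case the source path is a write-blocked device.
set -eu

# hash_file FILE -> SHA-256 hex digest (sha256sum, else shasum -a 256).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE: bit-stream copy with dd. conv=noerror,sync
# keeps reading past bad blocks and zero-pads them so image offsets still
# line up with the source (allocated, unallocated and slack space included).
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# validate_image SOURCE IMAGE: returns 0 only when both hashes agree.
validate_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    if [ "$src_hash" = "$img_hash" ]; then
        echo "MATCH $src_hash"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$img_hash"
    return 1
}

# record_custody LOG SOURCE IMAGE HASH HANDLER: append one custody entry
# (UTC time, handler, source, image, hash) so later handlers can re-verify.
record_custody() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$5" "$2" "$3" "$4" >> "$1"
}

# run_demo DIR: build constructed sample evidence, image it, validate the
# image and log custody. Prints the verified image hash.
run_demo() {
    dir=$1
    mkdir -p "$dir"
    src="$dir/evidence.raw"; img="$dir/evidence.img"; log="$dir/custody.tsv"
    # Constructed sample: 16 x 512-byte blocks, a whole number of blocks
    # like a real device, so conv=sync padding changes nothing.
    yes "constructed sample evidence" | head -c 8192 > "$src"
    chmod a-w "$src"      # file stand-in for a hardware write blocker
    acquire_image "$src" "$img"
    validate_image "$src" "$img" >/dev/null   # set -e stops on mismatch
    h=$(hash_file "$img")
    record_custody "$log" "$src" "$img" "$h" "examiner-1"
    chmod a-w "$img"      # master image stays read-only; analyse a copy
    printf '%s\n' "$h"
}
```

Run `run_demo /tmp/case001` to get the image hash; `validate_image` on a later copy of the image against the master reports MISMATCH if a single byte has changed, which is the check a second examiner performs before analysis.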

55. Which of the following is the FIRST step in a forensic acquisition?

a) Documenting chain of custody
b) Hashing the acquired data
c) Analyzing the evidence
d) Securing the original evidence

Answer: d) Securing the original evidence

Explanation: The first step in forensic acquisition is to secure the original evidence to ensure that it
remains intact and unchanged.

56. What does a hash value in digital forensics ensure?

a) Compression of the data
b) Encryption of the data
c) Integrity of the data
d) Analysis of the data

Answer: c) Integrity of the data

Explanation: Hash values are used to ensure the integrity of data, meaning the data hasn't been altered
since the hash was generated.

57. Which of the following best describes a bit-stream copy?

a) A copy of only the files on a disk
b) A text output of the disk's metadata
c) An exact clone of a physical disk
d) An abstract of the disk's contents

Answer: c) An exact clone of a physical disk

Explanation: A bit-stream copy is an exact duplicate of a physical disk, including all files, free space, and
slack space.

58. When performing a forensic acquisition, which of the following is crucial to avoid data alteration?

a) Using a network scanner
b) Mounting the drive as read-write
c) Utilizing a write-blocker
d) Booting the system normally

Answer: c) Utilizing a write-blocker

Explanation: A write-blocker ensures that the data on the original evidence disk cannot be modified,
thus preserving its integrity.

59. Chain of custody is essential in digital forensics. What is its primary purpose?

a) To ensure proper data encryption
b) To verify the evidence's source
c) To maintain evidence integrity and document its handling
d) To link evidence to a suspect

Answer: c) To maintain evidence integrity and document its handling

Explanation: Chain of custody documents who had possession of the evidence, when, and under what
circumstances, ensuring its integrity and credibility in court.

60. What type of data can be gathered from a RAM capture?

a) Recently accessed files
b) The disk's partition table
c) BIOS settings
d) A list of installed applications

Answer: a) Recently accessed files

Explanation: RAM (Random Access Memory) holds information about processes, files, and data that are
currently or were recently in use. A RAM capture can provide insights into these recent activities.

61. Which of the following is NOT a primary goal of forensic acquisitions?

a) Preserve original evidence
b) Analyze suspect motivations
c) Verify data integrity
d) Maintain a chain of custody

Answer: b) Analyze suspect motivations

Explanation: While understanding motivations can be helpful in an investigation, the primary goals of
forensic acquisitions involve securing and preserving the digital evidence, not psychoanalysis.

62. A forensic image of a disk:

a) Contains only the files and folders
b) Is the same as a regular backup
c) Contains both allocated and unallocated space
d) Excludes system files

Answer: c) Contains both allocated and unallocated space

Explanation: A forensic image captures everything on a disk, including files, metadata, slack space, and
unallocated space.

63. Which tool is commonly used for forensic imaging of hard drives?

a) netstat
b) Wireshark
c) dd
d) nmap

Answer: c) dd

Explanation: "dd" is a UNIX-based command-line utility often used to create bit-by-bit copies or images
of disks.

64. Before accessing the contents of acquired digital evidence, a forensic expert should:

a) Share findings with the suspect
b) Validate the hash of the copy against the original
c) Store evidence in a magnetic field
d) Connect the evidence drive to the internet

Answer: b) Validate the hash of the copy against the original

Explanation: By validating the hash of the copied data against the original's hash, experts ensure that the
data hasn't been altered during the acquisition process.

65. The process of identifying and collecting electronic evidence is known as:

a) Forensic decryption
b) Forensic authentication
c) Forensic duplication
d) Forensic acquisition

Answer: d) Forensic acquisition

Explanation: Forensic acquisition refers to the process of identifying, collecting, and preserving electronic
evidence in its most original form.

66. Why is it essential to store a forensic duplicate and the original evidence separately?

a) To perform multiple analyses simultaneously
b) To prevent data corruption
c) To have backups of the evidence
d) To avoid accidental modification or contamination of the original

Answer: d) To avoid accidental modification or contamination of the original

Explanation: By storing the forensic duplicate and the original evidence separately, experts can ensure
the original remains uncontaminated and unchanged.

67. In the incident response lifecycle, during which phase would digital forensics primarily take place?

a) Preparation
b) Detection & Analysis
c) Containment
d) Post-Incident Activity

Answer: d) Post-Incident Activity

Explanation: During the post-incident activity phase, organizations analyze the incident in depth, often
involving digital forensics to understand the root cause and other details.

68. What primary concern does cloud computing introduce to digital forensics?

a) Decreased storage capacity
b) Multi-tenancy environments
c) Slow network speed
d) Local hardware maintenance

Answer: b) Multi-tenancy environments

Explanation: Cloud computing environments often have multiple clients (tenants) on shared resources.
This multi-tenancy can complicate forensic investigations due to potential data co-mingling.

69. During forensic analysis, why is it essential to work on a copy of the original evidence?

a) To ensure faster analysis
b) To prevent altering original data
c) To save storage space
d) To share with other teams

Answer: b) To prevent altering original data

Explanation: Working directly on original evidence risks altering or corrupting it. By working on a copy,
the integrity of the original data is preserved.

70. Legal hold is a mandate to:

a) Encrypt all sensitive data
b) Preserve specific data due to anticipated or ongoing litigation
c) Upgrade the system software
d) Notify all stakeholders of an incident

Answer: b) Preserve specific data due to anticipated or ongoing litigation

Explanation: Legal hold requires the preservation of pertinent records and information due to legal
reasons or anticipated legal proceedings.

71. Which of the following best describes "chain of custody" in the context of digital forensics?

a) A list of suspects
b) A series of commands used in analysis
c) A documentation detailing evidence handling and preservation
d) A hierarchy of the incident response team

Answer: c) A documentation detailing evidence handling and preservation

Explanation: Chain of custody is crucial for ensuring the integrity of evidence, showing who handled it,
when, where, and under what circumstances.

72. When dealing with cloud environments, which of the following is a potential barrier to effective
digital forensics?

a) Over-reliance on physical servers
b) Too much storage availability
c) Inability to access server logs due to provider restrictions
d) Decreased scalability

Answer: c) Inability to access server logs due to provider restrictions

Explanation: Cloud service providers might have restrictions on direct access to server logs and
infrastructure, which can hinder forensic activities.

73. In the context of forensic analysis, what is "data carving"?

a) Segmenting a network for better performance
b) Physically splitting a hard drive into parts
c) Retrieving and reassembling files from raw data
d) Marking specific data for deletion

Answer: c) Retrieving and reassembling files from raw data

Explanation: Data carving is a process used to extract data (like files) from raw disk images even if the
file's metadata or file system structures are corrupted or missing.

74. Why is it crucial to consider jurisdictional issues in cloud-based forensics?

a) Different countries have uniform data privacy laws
b) Cloud data can reside in multiple geographical locations with varying laws
c) Cloud providers operate only in their home country
d) Jurisdictional issues are not relevant in digital forensics

Answer: b) Cloud data can reside in multiple geographical locations with varying laws

Explanation: Cloud data can be stored across various data centers globally, each subject to different local
laws and regulations, impacting how and if the data can be accessed or analyzed.

75. Which of the following best describes "volatile memory" in digital forensics?

a) Permanent storage like hard drives
b) Memory that is user-accessible
c) Memory that loses its contents once power is off
d) Memory only used in mobile devices

Answer: c) Memory that loses its contents once power is off

Explanation: Volatile memory, such as RAM, retains information as long as it's powered on but loses its
content when power is turned off. This information can be crucial in forensics.

76. What is a common reason for implementing a legal hold in cloud environments?

a) Scheduled data backups
b) Anticipated or active legal proceedings
c) Routine system maintenance
d) Multi-factor authentication enforcement

Answer: b) Anticipated or active legal proceedings

Explanation: Legal hold in cloud environments is commonly triggered by the anticipation of or active
legal proceedings, ensuring data related to the case is not altered or deleted.

77. In digital forensics, "time-lining" in the analysis phase refers to:

a) Estimating the total investigation time
b) Charting the creation, access, and modification times of files
c) Setting future goals for the incident response team
d) Predicting future security incidents

Answer: b) Charting the creation, access, and modification times of files

Explanation: Time-lining helps investigators understand events leading up to, during, and after an
incident by looking at timestamps of various activities.

78. During forensic analysis of a cloud-based incident, it's vital to consider:

a) SLAs with the cloud provider
b) The make and model of user devices
c) The physical location of the user
d) The type of cooling system used in data centers

Answer: a) SLAs with the cloud provider

Explanation: Service Level Agreements (SLAs) may dictate the level of access, log retention, and support
a customer receives from a cloud provider during forensic investigations.

79. Which of the following is NOT typically a consideration when placing data on legal hold?

a) Duration of the hold
b) Cloud provider's market share showing acceptability by the legal community
c) Specific data types and locations
d) Preservation methods and procedures

Answer: b) Cloud provider's market share showing acceptability by the legal community

Explanation: While legal hold considerations involve determining the duration, locating specific data, and
methods of preservation, a cloud provider's market share is unrelated.

80. The main advantage of remote forensics in cloud environments is:

a) Reduced storage costs
b) Ability to investigate without physical access to hardware
c) Easier data deletion
d) Dependence on local power sources

Answer: b) Ability to investigate without physical access to hardware

Explanation: Remote forensics allows investigators to access and analyze cloud data without the need for
direct, physical access to underlying hardware.
