Exam (worked answers)

Chapter 1: Intro to Digital Forensics and Incident Response (DFIR) Exam Containing 450 Questions with Verified Answers.

Rating: -
Sold: -
Pages: 66
Grade: A+
Uploaded on: 14-12-2023
Written in: 2023/2024


Institution: Chapter 1: Intro To Digital Forensics And Incident
Course: Chapter 1: Intro to Digital Forensics and Incident

Preview of the content

Chapter 1: Intro to DFIR
Digital Forensics (DF) - Answer: Examining and analyzing artifacts after a cyberattack.

Incident Response (IR) - Answer: Performing actions when a security breach occurs.

What are digital forensics? - Answer: Revealing and collecting all electronic data without modifying or contaminating it.
Preserving evidence and reconstructing past events.
(After attack, Find evidence, Host and network, Tier 3 in SOC)

What is Incident Response? - Answer: Confronting and managing a security breach or attack.
Reducing damage and the cost of the recovery effort.
(During an attack, Reduce further damage, Host and network, Tier 2 in SOC)

What is threat hunting? - Answer: Active defense.
Proactively searching for threats.
(All the time, Find undetected threats, Host and network, Tier 3 in SOC)

DFIR Timeline - Answer: IR planning should be done prior to an attack.
The average time for an attack to be detected is 6 months.
Digital Forensics relies on data collected during IR.

Why do we need IR? - Answer: To contain threats and prevent them from spreading and causing additional damage.
To help an organization recover after a breach occurs.

Incident Responder Responsibilities - Answer: Establish an effective incident response plan (IRP) and maintain its effectiveness based on potential threats.
Investigate current and past incidents to analyze them.
Provide recommendations according to analyzed incident findings.

IR Execution: Successful IR - Answer: A good plan will provide a response for any relevant issue.

IR Execution: Following the steps - Answer: The plan should include various steps, such as containment and eradication.

IRP: Six stages - Answer:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

DFIR Process - Answer:
1. Collect evidence
2. Examine collected data
3. Analyze important artifacts
4. Report the findings

DF Analysis Types: Dead Analysis - Answer: Analyzing powered-off computers.
May include analysis of cloned drives.

DF Analysis Types: Live Analysis - Answer: Analyzing powered-on computers.

Targeted Artifacts - Answer: Files on drive, Memory artifacts, Processes, Log files, Cached data

DF Domains: Network Forensics - Answer: Focuses on gathering data about traffic passing through network equipment.

DF Domains: Host Forensics - Answer: Focuses on gathering data regarding hosts, such as files or memory.

What is evidence?: In a court of law - Answer: Anything you saw, heard, or said that proves something occurred.

What is evidence?: In digital forensics - Answer: Log records, files, processes, etc.

Example of Evidence - Answer: Autoruns identifies possible startup locations.
Startup programs can be evidence of persistent malware.
The programs reside in known folders and registry keys.

Acquisition Tools: dd (Data Dump): Drive Acquisition - Answer: A Linux utility for managing and converting storage drives.

Acquisition Tools: FTK Imager: Drive and Memory Acquisition - Answer: Advanced forensic GUI-based program that enables multiple operations on images.
