SANS GCIH (SEC504) Correctly Answered Questions| UpToDate | Already Graded A+

Who should make the decision of when to put a system back into production? A) Systems administrators B) Business team C) Security team D) Data owner ☑: B) Business team Which command will display ASCII and Unicode strings within a malware sample? A) cat B) Get-Strings C) strings D) findstr ☑: C) strings Which type of system is most commonly used to investigate malware? EXCELLENCE 2 A) Virtual machine B) Day-to-day host C) Thick client D) Production system ☑: A) Virtual machine If you believe your system has been the victim of a rootkit attack, what is the most costeffective form of eradication? A) Restore the OS from the most recent backup. B) Reformat, reinstall, and patch the system from the original media. C) Patch and reboot the compromised system. D) Install applications from a different vendor. ☑: B) Reformat, reinstall, and patch the system from the original media. What tool is used to record the state of the registry before and after malware is executed on an analysis system? A) Regshot B) Ollydbg C) Wireshark D) Regripper EXCELLENCE 3 ☑: A) Regshot What method could be used to ensure that an asset under investigation is not put back into production without approval before the investigation is complete? A) Move the asset to a different cloud data center. B) Terminate the asset. C) Shut off all administrative access to the cloud environment so no admins can make changes. D) Add an "under investigation" tag to the asset. ☑: D) Add an "under investigation" tag to the asset. During the remediation phase of incident response, you remove a file from your infected web server. What is the most important additional thing to do to prevent being compromised again? A) Determine the root cause of the attack. B) Review your host-based firewall rules. C) Restore the host data from backups. D) Apply patches and harden the system. ☑: A) Determine the root cause of the attack.