Chapter 1: Intro to Digital Forensics and
Incident Response (DFIR) Exam
Containing 450 Questions with Verified
Answers 2023-2024.
Digital Forensics (DF) - Answer: Examining and analyzing artifacts after a
cyberattack.
Incident Response (IR) - Answer: Performing actions when a security breach
occurs.
What are digital forensics? - Answer: Identifying and collecting all relevant electronic data
without modifying or contaminating it,
preserving it as evidence, and reconstructing past events from it.
(When: after the attack. Goal: find evidence. Scope: host and network. SOC tier: 3)
What is incident response? - Answer: Confronting and managing a security
breach or attack.
Limiting further damage and the cost of the recovery effort.
(When: during the attack. Goal: limit further damage. Scope: host and network. SOC tier: 2)
What is threat hunting? - Answer: Active defense.
Proactively searching for threats that existing detections have missed.
(When: continuously. Goal: find undetected threats. Scope: host and network. SOC tier: 3)
DFIR Timeline - Answer: IR planning is done before an attack, not during it.
Attacks commonly go undetected for months; the average cited here is about 6 months between compromise and detection.
Digital forensics relies on the data collected and preserved during IR.
Why do we need IR? - Answer: To contain threats and prevent them from
spreading and causing additional damage.
To help an organization recover after a breach occurs.
Incident Responder Responsibilities - Answer: Establish an effective incident
response plan (IRP) and maintain its effectiveness based on potential threats.
Investigate and analyze current and past incidents.
Provide recommendations according to analyzed incident findings.
IR Execution: Successful IR - Answer: A good plan provides a response for every
relevant type of incident.
IR Execution: Following the steps - Answer: The plan defines the steps to follow,
such as containment and eradication.
IRP: Six stages - Answer: 1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned
DFIR Process - Answer: 1. Collect evidence
2. Examine collected data
3. Analyze important artifacts
4. Report the findings
DF Analysis Types: Dead Analysis - Answer: Analyzing a powered-off system.
Usually performed on a forensic image (clone) of its drives rather than the original media.
DF Analysis Types: Live Analysis - Answer: Analyzing a powered-on system, which captures volatile state (memory, running processes, network connections) that is lost once the machine is powered off.
Targeted Artifacts - Answer: Files on disk, memory artifacts, processes, log files,
cached data
DF Domains: Network Forensics - Answer: Focuses on gathering data about traffic
passing through network equipment
DF Domains: Host Forensics - Answer: Focuses on gathering data regarding hosts,
such as files or memory
What is evidence?: In a court of law - Answer: Anything seen, heard, or recorded that
helps prove something occurred
What is evidence?: In digital forensics - Answer: Log records, files, processes, etc.
Example of Evidence - Answer: Sysinternals Autoruns enumerates the auto-start locations (startup folders, Run keys, services, scheduled tasks and other registry keys) from which programs are launched automatically.
An unexpected startup program can be evidence of malware persistence.
Because these programs reside in known folders and registry keys, an analyst can check each location and compare what is there against what is expected.
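The triage step that follows an Autoruns export, as an added example that is not part of the original page or of Autoruns itself: the script reads a CSV in the layout Autoruns produces (the column names are an assumption of this example, and the rows are constructed sample data, not a real export), applies the checks an analyst makes by hand (signature not verified, image in a user-writable folder, script file instead of a signed executable, no publisher metadata), and reports only entries that are unsigned or that accumulate more than one weak indicator, since a single indicator such as "lives in AppData" also matches legitimate software.

```python
"""Triage an Autoruns-style CSV export for suspicious auto-start entries.

Added example, not from the page. The CSV below is constructed sample data and
its column names are an assumption about Autoruns' export layout.
"""
import csv
import io
import ntpath

# Constructed sample rows: three legitimate entries and two planted ones.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,alice,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svchosts,enabled,Logon,alice,,(Not verified),,c:\users\alice\appdata\roaming\svchosts.exe,C:\Users\alice\AppData\Roaming\svchosts.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp,update.vbs,enabled,Logon,System-wide,,,,c:\programdata\microsoft\windows\start menu\programs\startup\update.vbs,wscript.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\update.vbs
HKLM\System\CurrentControlSet\Services,VBoxService,enabled,Services,System-wide,VirtualBox Guest Additions Service,(Verified) Oracle Corporation,Oracle Corporation,c:\windows\system32\vboxservice.exe,system32\VBoxService.exe
"""

# Folders a normal user can write to; malware dropped by a user-level process ends up here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Auto-start entries that launch a script via an interpreter instead of a signed binary.
SCRIPT_EXTS = {".vbs", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta"}


def indicators(row):
    """Return the weak indicators that apply to one export row (each is noisy on its own)."""
    image = row["Image Path"].lower()
    hits = []
    if any(folder in image for folder in USER_WRITABLE):
        hits.append("image in user-writable location")
    if ntpath.splitext(image)[1] in SCRIPT_EXTS:
        hits.append("script file rather than a signed executable")
    if not row["Description"] and not row["Company"]:
        hits.append("no publisher metadata")
    return hits


def triage(csv_text, weak_threshold=2):
    """Return the entries worth an analyst's time, each with the reasons it was flagged.

    An entry is reported if its signer is not verified, or if at least
    `weak_threshold` weak indicators apply. One indicator alone is not enough:
    OneDrive legitimately runs from AppData, so location by itself would bury
    the real findings in false positives.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        reasons = indicators(row)
        signed = row["Signer"].startswith("(Verified)")
        if not signed:
            reasons.insert(0, "signature not verified")
        elif len(reasons) < weak_threshold:
            continue
        findings.append({
            "entry": row["Entry"],
            "location": row["Entry Location"],
            "image": row["Image Path"],
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(f"{finding['entry']:<14} {finding['location']}")
        print(f"    image:   {finding['image']}")
        print(f"    reasons: {'; '.join(finding['reasons'])}")
```

Lowering `weak_threshold` to 1 also surfaces OneDrive, which is the trade-off an analyst tunes per environment; what stays constant is that the flagged image path and registry key are themselves the evidence, so they should be preserved (hash the file, export the key) before anything is remediated.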
Acquisition Tools: dd: Drive Acquisition - Answer: A Unix/Linux command-line utility that copies raw blocks from an input to an output and can convert them on the way; in forensics it is used to make a bit-for-bit image of a drive. (The name comes from the IBM JCL "DD" statement; "data dump" is an informal expansion, not the origin.)
Always acquire from read-only or write-blocked media and record a hash of the resulting image.
Acquisition Tools: FTK Imager: Drive and Memory Acquisition - Answer: A free, GUI-based
forensic tool that creates disk images (raw or E01) and memory captures, verifies image hashes, and lets the examiner mount and browse images.
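What dd does during an acquisition, as an added example that is not part of the page and not dd's own code: the block copies a source block by block, keeps going past an unreadable block by writing zeros in its place (the behaviour of dd's `conv=noerror,sync`), hashes the image as it is written, and then verifies the written image against that hash. The failing drive is simulated by a small `FlakyDevice` class that raises on a chosen block number; the class, the block size and the sample data are assumptions of this example, and no real device is touched.

```python
"""dd-style bit-for-bit acquisition with hash verification.

Added example, not from the page. FlakyDevice, BLOCK_SIZE and the sample
data are constructed for the demonstration.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # sector-sized blocks keep the demo small; real imaging uses MiB-sized blocks


class FlakyDevice:
    """Simulated block device: reading any block listed in `bad_blocks` raises EIO."""

    def __init__(self, data, bad_blocks=()):
        self.data = data
        self.bad = set(bad_blocks)

    def size(self):
        return len(self.data)

    def read_block(self, n):
        if n in self.bad:
            raise OSError(5, "Input/output error")  # what a failing sector returns
        return self.data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]


def acquire(device, out_path):
    """Copy every block of `device` to `out_path` and return an acquisition record.

    Unreadable blocks are replaced by zeros (dd conv=noerror), and every block,
    including a short final one, is padded to BLOCK_SIZE (dd conv=sync), so
    offsets in the image still line up with offsets on the source device.
    """
    sha = hashlib.sha256()
    bad_blocks = []
    nblocks = -(-device.size() // BLOCK_SIZE)  # ceiling division
    with open(out_path, "wb") as out:
        for n in range(nblocks):
            try:
                block = device.read_block(n)
            except OSError:
                bad_blocks.append(n)  # log it: the report must say which data is missing
                block = b""
            block = block.ljust(BLOCK_SIZE, b"\0")
            out.write(block)
            sha.update(block)  # hash what was actually written, as it is written
    return {
        "sha256": sha.hexdigest(),
        "blocks": nblocks,
        "bad_blocks": bad_blocks,
        "image_bytes": nblocks * BLOCK_SIZE,
    }


def hash_file(path):
    """Independent SHA-256 of a file on disk, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(record, image_path):
    """The hash recorded at acquisition time must match a fresh hash of the image file."""
    return hash_file(image_path) == record["sha256"]


def demo(bad_blocks=(1,)):
    """Image a 1280-byte device (3 blocks, last one short) and return (record, image bytes)."""
    data = bytes(range(256)) * 5
    device = FlakyDevice(data, bad_blocks)
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        record = acquire(device, path)
        record["verified"] = verify(record, path)
        with open(path, "rb") as f:
            image = f.read()
    finally:
        os.remove(path)
    return record, image


if __name__ == "__main__":
    rec, _ = demo()
    print(rec)
```

On a real system the equivalent command is `dd if=/dev/sdX of=evidence.dd bs=4M conv=noerror,sync status=progress`, run against a write-blocked device, followed by `sha256sum` of the image; forensic variants such as dc3dd hash during the copy and log bad sectors for you, which is exactly what the record above carries. Note that the source device cannot be meaningfully re-hashed when it has unreadable sectors, so the bad-block list is part of the evidence record.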