DFIR - DIGITAL FORENSICS INCIDENT TRAINING UPDATED
QUESTIONS AND ANSWERS
Hot site - CORRECT ANSWER✅✅✅A backup that is running continuously and ready for immediate switchover
warm site - CORRECT ANSWER✅✅✅Servers & other resources for backup but not as ready for switchover
cold site - CORRECT ANSWER✅✅✅Cheapest backup option; does not always have the necessary equipment to enable the resumption of normal operation
Connscan - CORRECT ANSWER✅✅✅Scans for identifiable TCP connections in older versions of Windows
Sockets - CORRECT ANSWER✅✅✅Scans for all our sockets
NetScan - CORRECT ANSWER✅✅✅Can be used in more recent versions of Windows
Connscan should be used as a complementary plugin with - CORRECT ANSWER✅✅✅Sockets
Static Binaries - CORRECT ANSWER✅✅✅Use a minimal footprint on the system as they are not dependent on libraries pre-installed on the Linux OS, & don't require other files to run
Where can Linux logs be found? - CORRECT ANSWER✅✅✅/var/log
Where can you view Windows logs? - CORRECT ANSWER✅✅✅Event Viewer
What is that thing where Splunk finds related events? - CORRECT ANSWER✅✅✅Correlation
How are vulnerabilities tracked? - CORRECT ANSWER✅✅✅By a CVE number
What should you focus on when threat hunting? - CORRECT ANSWER✅✅✅Anomalies
What is the purpose of intelligence? - CORRECT ANSWER✅✅✅To provide an advantage over your adversary
Zeek is a tool for... - CORRECT ANSWER✅✅✅Analyzing network traffic
UBA (User Behavior Analytics) knows what "normal" is for each user? - CORRECT ANSWER✅✅✅True
Where does fileless malware get stored? - CORRECT ANSWER✅✅✅It doesn't
Which does NOT contain memory artifacts that can be analyzed? - CORRECT ANSWER✅✅✅RAM disk
What contains memory artifacts that can be analyzed? - CORRECT ANSWER✅✅✅- Crash dump file
- Page file
- Hibernation file
When inspecting processes we look at all of the following: - CORRECT ANSWER✅✅✅- parent process
- network connections
- DLLs used
What do we not look for when inspecting processes? - CORRECT ANSWER✅✅✅Process size
You can recover a computer's RAM only when it is turned... - CORRECT ANSWER✅✅✅Off