DFIR - Digital Forensics Incident Training
EXAM WITH COMPLETE SOLUTIONS
Hot site - ANSWER- A backup that is running continuously and ready for imediate
switchover
warm site - ANSWER- Servers & other resources for backup but not as ready for
switchover
cold site - ANSWER- Cheapest backup option does not always have the
necessary equipment to enable the resumption of normal operation
Connscan - ANSWER- Scans for identifiable TCP connections in older versions of
Windows
Sockets - ANSWER- Scans for all our sockets
NetScan - ANSWER- Can be used in more recent versions of Windows
Conscan should be used as a complimentary plugin with - ANSWER- Sockets
Static Binaries - ANSWER- use a minimal footprint on the system as they are not
dependent on libraries pre-install on the Linux OS. & Doesn't require other files to
run
Where can Linux logs be found? - ANSWER- /var/log
Where can you view Windows logs? - ANSWER- Event Viewer
What is that thing where Splunk finds related events? - ANSWER- Correlation
How are vulvectomies tracked? - ANSWER- By a CVE number
What should you focus on when threat hunting? - ANSWER- Anomalies
What is the purpose of intelligence? - ANSWER- To provide an advantage over
your adversary
Zeek is a tool for... - ANSWER- Analyzing network traffic
UBA, User behavior analytics knows what "normal " is for each user? - ANSWER-
True
Where does fileless malware get stored? - ANSWER- It doesn't
Which does NOT contain memory artifacts that can be analyzed? - ANSWER-
RAM disk
What contains memory artifacts that can be analyzed? - ANSWER- - Crash dump
file
- Page file
, - Hibernation file
When inspecting processes we look at all of the following: - ANSWER- - parent
process
- network connections
- DLLs used
What do we not look for when inspecting processes? - ANSWER- Process size
You can recover a computer's RAM only when it is turned .. - ANSWER- Off
Because Linux presents everything as a file, it makes it easier to: - ANSWER-
Analyze
What is in the swap file? - ANSWER- Stuff that wouldn't fit in RAM
When investigating a process in Linux we can get all of these Except for.. -
ANSWER- Where the process was downloaded from
What can we not get when the computer is turned off? - ANSWER- RAM
What tool is used to make a copy of a hard drive? - ANSWER- FTK Imager
What tool is used to analyze a hard drive after we copy it? - ANSWER- Autopsy
What is the first step in analyzing a drive? - ANSWER- Find the partitions
What file keeps a list of everything on a drive? - ANSWER- MFT - Master File
Table
What will prefetch help find the evidence of? - ANSWER- A process that had been
run
Where can a file be hidden in Windows? - ANSWER- In the Alternate Data Stream
What does a magic number do? - ANSWER- Identify the file type
What is the correct process used by APT groups? - ANSWER- OSINT>External
Takeover>Privilege Escalation >Lateral Movement and Internal Takeover>Hiding
Mechanism and Information Theft
To investigate a network attack in accordance with the network forensics
investigation flow process, what should be the first step? - ANSWER- Check for
malware signatures
To test company software and analyze its behavior in real-time, which of the
following should be used? - ANSWER- Dynamic analysis
Which of the following tools can check network connections? To investigate if
any network connections were established. - ANSWER- Netstat
A pop-up appears saying your computer files were infected, and offering to fix the
problem for free.. what of the following attacks did you encounter? - ANSWER-
Scareware
What is the difference between threat hunting and threat intelligence? - ANSWER-
Threat intelligence is a process within Threat Hunting and involves learning from
other sources
Why is it important to use logs? - ANSWER- They store records of potentially
important events.
EXAM WITH COMPLETE SOLUTIONS
Hot site - ANSWER- A backup that is running continuously and ready for imediate
switchover
warm site - ANSWER- Servers & other resources for backup but not as ready for
switchover
cold site - ANSWER- Cheapest backup option does not always have the
necessary equipment to enable the resumption of normal operation
Connscan - ANSWER- Scans for identifiable TCP connections in older versions of
Windows
Sockets - ANSWER- Scans for all our sockets
NetScan - ANSWER- Can be used in more recent versions of Windows
Conscan should be used as a complimentary plugin with - ANSWER- Sockets
Static Binaries - ANSWER- use a minimal footprint on the system as they are not
dependent on libraries pre-install on the Linux OS. & Doesn't require other files to
run
Where can Linux logs be found? - ANSWER- /var/log
Where can you view Windows logs? - ANSWER- Event Viewer
What is that thing where Splunk finds related events? - ANSWER- Correlation
How are vulvectomies tracked? - ANSWER- By a CVE number
What should you focus on when threat hunting? - ANSWER- Anomalies
What is the purpose of intelligence? - ANSWER- To provide an advantage over
your adversary
Zeek is a tool for... - ANSWER- Analyzing network traffic
UBA, User behavior analytics knows what "normal " is for each user? - ANSWER-
True
Where does fileless malware get stored? - ANSWER- It doesn't
Which does NOT contain memory artifacts that can be analyzed? - ANSWER-
RAM disk
What contains memory artifacts that can be analyzed? - ANSWER- - Crash dump
file
- Page file
, - Hibernation file
When inspecting processes we look at all of the following: - ANSWER- - parent
process
- network connections
- DLLs used
What do we not look for when inspecting processes? - ANSWER- Process size
You can recover a computer's RAM only when it is turned .. - ANSWER- Off
Because Linux presents everything as a file, it makes it easier to: - ANSWER-
Analyze
What is in the swap file? - ANSWER- Stuff that wouldn't fit in RAM
When investigating a process in Linux we can get all of these Except for.. -
ANSWER- Where the process was downloaded from
What can we not get when the computer is turned off? - ANSWER- RAM
What tool is used to make a copy of a hard drive? - ANSWER- FTK Imager
What tool is used to analyze a hard drive after we copy it? - ANSWER- Autopsy
What is the first step in analyzing a drive? - ANSWER- Find the partitions
What file keeps a list of everything on a drive? - ANSWER- MFT - Master File
Table
What will prefetch help find the evidence of? - ANSWER- A process that had been
run
Where can a file be hidden in Windows? - ANSWER- In the Alternate Data Stream
What does a magic number do? - ANSWER- Identify the file type
What is the correct process used by APT groups? - ANSWER- OSINT>External
Takeover>Privilege Escalation >Lateral Movement and Internal Takeover>Hiding
Mechanism and Information Theft
To investigate a network attack in accordance with the network forensics
investigation flow process, what should be the first step? - ANSWER- Check for
malware signatures
To test company software and analyze its behavior in real-time, which of the
following should be used? - ANSWER- Dynamic analysis
Which of the following tools can check network connections? To investigate if
any network connections were established. - ANSWER- Netstat
A pop-up appears saying your computer files were infected, and offering to fix the
problem for free.. what of the following attacks did you encounter? - ANSWER-
Scareware
What is the difference between threat hunting and threat intelligence? - ANSWER-
Threat intelligence is a process within Threat Hunting and involves learning from
other sources
Why is it important to use logs? - ANSWER- They store records of potentially
important events.
