Chapter 37 Quiz: Incident Response and Digital Forensics
Question 1
According to the NIST SP 800-61 framework, what are the four phases of incident response?
A) Detect, Analyze, Contain, Report
B) Preparation, Detection and Analysis, Containment/Eradication/Recovery, Post-Incident Activity
C) Planning, Response, Recovery, Lessons Learned
D) Identification, Investigation, Remediation, Documentation
Answer: B
NIST SP 800-61 defines four phases: Preparation (building capability before incidents), Detection and Analysis (identifying and validating incidents), Containment, Eradication, and Recovery (limiting damage and restoring operations), and Post-Incident Activity (learning and improving).
Question 2
According to the order of volatility, which type of evidence should be collected FIRST during an incident?
A) Disk images
B) Memory (RAM)
C) Log files
D) Backup tapes
Answer: B
Memory (RAM) is second only to CPU registers/cache in volatility. Memory contains running processes, network connections, encryption keys, and malware that may not exist on disk. It should be captured before any containment actions that might alter the system state.
Question 3
What is the primary purpose of maintaining chain of custody documentation?
A) To track the cost of forensic analysis
B) To ensure evidence integrity and admissibility by documenting who handled evidence, when, and what they did with it
C) To assign blame for the security incident
D) To comply with software licensing requirements
Answer: B
Chain of custody documentation ensures that evidence integrity can be verified and that the evidence would be admissible in legal proceedings. It records every person who handled the evidence, when they handled it, and what actions they took.
Question 4
Which Volatility 3 plugin would you use to detect process injection?
A) windows.pslist
B) windows.netscan
C) windows.malfind
D) windows.hashdump
Answer: C
The windows.malfind plugin detects suspicious memory regions that may indicate code injection. It looks for memory regions with executable permissions (PAGE_EXECUTE_READWRITE) that are not backed by files on disk, which is characteristic of process injection, reflective DLL loading, and process hollowing.
Question 5
What is the difference between windows.pslist and windows.psscan in Volatility?
A) pslist is faster; psscan is more accurate
B) pslist traverses the linked list of processes; psscan scans memory for process pool tags, potentially finding hidden or terminated processes
C) pslist shows Windows processes; psscan shows Linux processes
D) pslist requires admin access; psscan does not
Answer: B
windows.pslist follows the doubly-linked list of EPROCESS structures maintained by the kernel. A rootkit can unlink a process from this list to hide it. windows.psscan scans all of memory for EPROCESS pool tags, which can find processes that have been unlinked (hidden) or terminated.
Question 6
What does the Windows Prefetch system record?
A) User internet browsing history
B) Applications that have been executed, including timestamps and referenced files
C) Registry modifications
D) Network connection history
Answer: B
Windows Prefetch files (*.pf in C:\Windows\Prefetch) record information about executed applications: the application name and path, execution count, timestamps of the last several executions, and files and directories referenced during execution. This is valuable for proving program execution.
Question 7
What Windows Event ID indicates a successful logon?
A) 4625
B) 4624
C) 4720
D) 4688
Answer: B
Event ID 4624 indicates a successful logon. Event ID 4625 indicates a failed logon attempt. Event ID 4720 indicates a user account was created. Event ID 4688 indicates a new process was created.
Question 8
What is the SANS PICERL framework?
A) A malware classification system
B) A six-phase incident response framework: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
C) A physical security assessment methodology
D) A programming language for forensic tools
Answer: B
PICERL stands for Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. It is the SANS Institute's incident response framework, which separates the containment, eradication, and recovery phases that NIST combines into one phase.
Question 9
What is KAPE used for in digital forensics?
A) Encrypting forensic evidence for secure storage
B) Rapidly collecting specific forensic artifacts from a system without requiring a full disk image
C) Analyzing malware samples in a sandbox
D) Managing incident response team communications
Answer: B
KAPE (Kroll Artifact Parser and Extractor) is a triage tool that rapidly collects specific forensic artifacts (Registry hives, Event Logs, Prefetch files, browser history, etc.) from a system. It is much faster than full disk imaging and focuses on the most forensically valuable artifacts.
Question 10
What is the Amcache artifact in Windows forensics?
A) A cache of frequently accessed applications for faster loading
B) A registry hive that records information about executed programs including SHA-1 hashes and file paths
C) A temporary file used by antimalware programs
D) A database of application compatibility settings
Answer: B
The Amcache (stored in Amcache.hve) records information about programs that have been executed on the system, including SHA-1 hashes, file paths, file sizes, and publisher information. It is particularly valuable for identifying what tools an attacker used.
Question 11
In network forensics, what is a primary indicator of DNS tunneling?
A) Large numbers of DNS queries with unusually long subdomain labels
B) DNS queries using TCP instead of UDP
C) DNS responses with short TTL values
D) DNS queries to well-known public DNS servers
Answer: A
DNS tunneling encodes data in DNS queries, typically as long subdomain labels (e.g., aGVsbG8gd29ybGQ.evil.com). High volumes of DNS queries to a single domain with unusually long or encoded subdomain names are strong indicators of DNS tunneling for C2 or data exfiltration.
Question 12
What is the primary purpose of YARA rules in incident response?
A) To decrypt encrypted malware samples
B) To identify and classify files based on pattern matching using strings, hex patterns, and conditions
C) To repair corrupted forensic images
D) To generate incident response reports automatically
Answer: B
YARA rules enable pattern-matching across files to identify and classify malware, suspicious files, or specific artifacts. They use string matches, hex patterns, file properties, and Boolean conditions to create flexible detection rules.
Question 13
What is the difference between static and dynamic malware analysis?
A) Static analysis uses expensive tools; dynamic analysis uses free tools
B) Static analysis examines the malware without executing it; dynamic analysis involves running the malware in a controlled environment
C) Static analysis is faster; dynamic analysis is more thorough
D) Static analysis works only on Windows malware; dynamic analysis works on all platforms
Answer: B
Static analysis examines malware code, strings, headers, and structure without executing it. Dynamic analysis involves running the malware in an isolated environment while monitoring its behavior (file system changes, network communication, registry modifications, process creation).
Question 14
What is the significance of the Windows USN Journal ($UsnJrnl) in forensics?
A) It records all USB device connections
B) It records file system changes including file creation, deletion, modification, and renaming
C) It logs user network activity
D) It stores system crash dumps
Answer: B
The USN (Update Sequence Number) Journal records file system changes on NTFS volumes, including file creation, deletion, modification, renaming, and security changes. It provides a chronological record of file system activity that persists even after files are deleted.
Question 15
During an incident, when should you isolate an affected system from the network?
A) Immediately upon detecting any alert
B) After collecting volatile evidence (memory) but before the attacker can cause further damage
C) Only after completing a full forensic analysis
D) Only if the system contains classified data
Answer: B
The best practice is to capture volatile evidence (especially memory) before network isolation, since isolation may alert the attacker and cause them to destroy evidence or trigger destructive actions. However, isolation should happen promptly after evidence capture to prevent further lateral movement and data exfiltration.
Question 16
What cloud-native service provides API call logging for forensic investigation in AWS?
A) Amazon GuardDuty
B) AWS CloudTrail
C) Amazon Inspector
D) AWS Config
Answer: B
AWS CloudTrail records API calls made to AWS services, providing a detailed audit trail of who did what, when, and from where. It is the primary evidence source for investigating cloud security incidents in AWS environments.
Question 17
What is the Locard Exchange Principle in digital forensics?
A) Every digital file has a unique hash value
B) Every contact leaves a trace -- every action on a computer system leaves artifacts
C) Evidence must be exchanged between prosecution and defense
D) Digital evidence must be stored in at least two locations
Answer: B
The Locard Exchange Principle states that "every contact leaves a trace." In digital forensics, this means that every action an attacker takes on a system creates artifacts that can be discovered and analyzed, from log entries and file timestamps to memory artifacts and registry modifications.
Question 18
What is the recommended approach for handling a ransomware incident when backups are available?
A) Pay the ransom immediately to minimize downtime
B) Restore from backups after verifying they are clean (pre-compromise), completing containment, and ensuring the attack vector is closed
C) Restore from the most recent backup regardless of when the compromise occurred
D) Format all systems and start fresh without investigating
Answer: B
The recommended approach is to verify that backups pre-date the compromise, complete containment and eradication of the threat, close the attack vector that enabled the initial compromise, and then restore from verified-clean backups. Restoring without addressing the root cause risks re-compromise.
Question 19
What is the purpose of ShellBags in Windows forensics?
A) They record PowerShell command execution
B) They record folder access and window placement, even for folders that have been deleted
C) They store command-line shell history
D) They contain configuration for the Windows shell (Explorer)
Answer: B
ShellBags are registry artifacts that record how folders were accessed, displayed, and positioned in Windows Explorer. They persist even after folders are deleted, making them valuable for proving that an attacker browsed specific directories (such as network shares containing sensitive data).
Question 20
In the context of incident response metrics, what does MTTD stand for?
A) Mean Time to Deploy
B) Mean Time to Detect
C) Maximum Time to Deliver
D) Minimum Time to Determine
Answer: B
MTTD (Mean Time to Detect) measures the average time between when an incident begins and when it is detected by the organization. It is one of the most important incident response metrics, directly reflecting the organization's detection capabilities.