A forensic analyst is asked to respond to an ongoing network attack on a server. Place the items in the list below in the correct order in which the forensic analyst should preserve them.

Correct Answer:

Explanation

When dealing with multiple issues, address them in order of volatility (OOV); always deal with the most volatile first. Volatility can be thought of as the amount of time that you have to collect certain data before a window of opportunity is gone. Naturally, in an investigation you want to collect everything, but some data will exist longer than others, and you cannot possibly collect all of it once. As an example, the OOV in an investigation may be RAM, hard drive data, CDs/DVDs, and printouts.
Order of volatility: Capture system images as a snapshot of what exists, look at network traffic and logs, capture any relevant video/screenshots/hashes, record time offset on the systems, talk to witnesses, and track total man-hours and expenses associated with the investigation.

Comment: *

Name: *

Email: *

Verification: *

Which of the following attacks can be used to exploit a vulnerability that was created by untrained users?

• A.A spear-phishing email with a file attachment.
• B.An evil twin wireless access point
• C.A domain hijacking of a bank website
• D.A DoS using IoT devices

Comment: *

Name: *

Email: *

Verification: *

Which of the following would be considered multifactor authentication?

• A.Voice recognition and retina scan
• B.Hardware token and smart card
• C.Strong password and fingerprint
• D.PIN and security question

Comment: *

Name: *

Email: *

Verification: *

A system's administrator has finished configuring firewall ACL to allow access to a new web server.

The security administrator confirms form the following packet capture that there is network traffic from the internet to the web server:

The company's internal auditor issues a security finding and requests that immediate action be taken. With which of the following is the auditor MOST concerned?

• A.Implicit deny
• B.Misconfigured firewall
• C.Clear text credentials
• D.Default configuration

Comment: *

Name: *

Email: *

Verification: *

A security administrator suspects that a DDoS attack is affecting the DNS server. The administrator accesses a workstation with the hostname of workstation01 on the network and obtains the following output from the ipconfig command:

The administrator successfully pings the DNS server from the workstation. Which of the following commands should be issued from the workstation to verify the DDoS attack is no longer occuring?

• A.dig 192.168.1.26
• B.dig workstation01.com
• C.dig 192.168.1.254
• D.dig www.google.com

Comment: *

Name: *

Email: *

Verification: *