CS0 003 41 46
Explanation:
The user has become an insider threat by downloading software that contains malware onto a
computer that eventually infects numerous other systems. An insider threat is a person or entity that
has legitimate access to an organization's systems, networks, or resources and uses that access to
cause harm or damage to the organization. An insider threat can be intentional or unintentional,
malicious or negligent, and can result from various actions or behaviors, such as downloading
unauthorized software, violating security policies, stealing data, sabotaging systems, or collaborating
with external attackers.
QUESTION: 62
An organization has activated the CSIRT. A security analyst believes a single virtual server was
compromised and immediately isolated from the network.
Answer(s): A
Explanation:
The next action that the CSIRT should conduct after isolating the compromised server from the
network is to take a snapshot of the compromised server and verify its integrity. Taking a snapshot of
the compromised server involves creating an exact copy or image of the server's data and state at a
specific point in time. Verifying its integrity involves ensuring that the snapshot has not been altered,
corrupted, or tampered with during or after its creation. Taking a snapshot and verifying its integrity
can help preserve and protect any evidence or information related to the incident, as well as prevent
any tampering, contamination, or destruction of evidence.
QUESTION: 63
Which of the following must be collected first in a computer system, related to its volatility level?
A. Disk contents
B. Backup data
C. Temporary files
D. Running processes
Answer(s): D
Explanation:
The most volatile type of evidence that must be collected first in a computer system is running
processes. Running processes are programs or applications that are currently executing on a
computer system and using its resources, such as memory, CPU, disk space, or network bandwidth.
Running processes are very volatile because they can change rapidly or disappear completely when
the system is shut down, rebooted, logged off, or crashed. Running processes can also be affected by
other processes or users that may modify or terminate them. Therefore, running processes must be
collected first before any other type of evidence in a computer system.
QUESTION: 64
A security analyst is trying to identify possible network addresses from different source networks
belonging to the same company and region.
Which of the following shell script functions could help achieve the goal?
A. function w() { a=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $a" }
B. function x() { b=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $b" }
C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short }
D. function z() { c=$(geoiplookup $1) && echo "$1 | $c" }
Answer(s): C
Explanation:
The shell script function that could help identify possible network addresses from different source
networks belonging to the same company and region is:
function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short }
This function takes an IP address as an argument and performs two DNS lookups using the dig
command. The first lookup uses the -x option to perform a reverse DNS lookup and get the hostname
associated with the IP address. The second lookup uses the origin.asn.cymru.com domain to get the
autonomous system number (ASN) and other information related to the IP address, such as the
country code, registry, or allocation date. The function then prints the IP address and the ASN
information, which can help identify any network addresses that belong to the same ASN or region.
QUESTION: 65
A security analyst is writing a shell script to identify IP addresses from the same country.
Which of the following functions would help the analyst achieve the objective?
A. function w() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $info" }
B. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }
C. function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo "$1 | $info" }
D. function z() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }
Answer(s): B
Explanation:
The function that would help the analyst identify IP addresses from the same country is:
function x() { info=$(geoiplookup $1) && echo "$1 | $info" }
This function takes an IP address as an argument and uses the geoiplookup command to get the
geographic location information associated with the IP address, such as the country name, country
code, region, city, or latitude and longitude. The function then prints the IP address and the
geographic location information, which can help identify any IP addresses that belong to the same
country.
QUESTION: 66
A security analyst obtained the following table of results from a recent vulnerability assessment that
was conducted against a single web server in the environment:
Answer(s): D
Explanation:
The first action that should be completed to remediate the findings is to perform proper sanitization
on all fields. Sanitization is a process that involves validating, filtering, or encoding any user input or
data before processing or storing it on a system or application. Sanitization can help prevent various
types of attacks, such as cross-site scripting (XSS), SQL injection, or command injection, that exploit
unsanitized input or data to execute malicious scripts, commands, or queries on a system or
application. Performing proper sanitization on all fields can help address the most critical and
common vulnerability found during the vulnerability assessment, which is XSS.
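The three parts of sanitization the explanation names (validating, filtering, encoding), as an added Python example that is not part of the exam material. A hypothetical comment form with username, email and free-text comment fields is validated against allowlists, unexpected fields are dropped, and the vulnerable rendering (values concatenated straight into HTML) is shown beside the encoded rendering. The form schema, rules and sample submission are constructed for illustration.

```python
"""Validate every field, then encode on output.

Added example, not code from the exam.  FIELD_RULES and SAMPLE_FORM are a
constructed schema and submission.
"""
import html
import re
from typing import Dict

# Allowlist patterns per structured field (constructed rules).
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
}
MAX_COMMENT_LEN = 500


class ValidationError(ValueError):
    """Raised when a field fails its rule; the request is rejected, not repaired."""


def validate(form: Dict[str, str]) -> Dict[str, str]:
    """Return only the expected fields, each checked against its rule.

    Fields that are not in the schema are discarded rather than passed through.
    """
    clean: Dict[str, str] = {}
    for name, rule in FIELD_RULES.items():
        value = form.get(name, "")
        if not rule.fullmatch(value):
            raise ValidationError(f"field {name!r} rejected")
        clean[name] = value
    comment = form.get("comment", "")
    # Free text cannot be allowlisted by pattern: bound its length and refuse
    # control characters other than newline and tab (filtering).
    if len(comment) > MAX_COMMENT_LEN or any(
            ord(ch) < 32 and ch not in "\n\t" for ch in comment):
        raise ValidationError("field 'comment' rejected")
    clean["comment"] = comment
    return clean


def render_unsafe(clean: Dict[str, str]) -> str:
    """The vulnerable pattern: validated values still concatenated into HTML."""
    return f"<p><b>{clean['username']}</b> wrote: {clean['comment']}</p>"


def render_safe(clean: Dict[str, str]) -> str:
    """Encode each value for the HTML text context it lands in."""
    return (f"<p><b>{html.escape(clean['username'])}</b> wrote: "
            f"{html.escape(clean['comment'])}</p>")


def contains_script_tag(rendered: str) -> bool:
    """Demo check: does the rendered output still carry a live script tag?"""
    return "<script" in rendered.lower()


# Constructed submission: a comment carrying markup, plus a field the schema
# does not know about.
SAMPLE_FORM = {
    "username": "alice_01",
    "email": "alice@example.com",
    "comment": 'Nice post! <script>alert("x")</script>',
    "extra": "ignored by validate()",
}


if __name__ == "__main__":
    clean = validate(SAMPLE_FORM)
    print("unsafe:", render_unsafe(clean))   # script tag survives
    print("safe:  ", render_safe(clean))     # script tag becomes inert text
    try:
        validate({**SAMPLE_FORM, "username": "bob<img>"})
    except ValidationError as err:
        print("rejected:", err)
```

Note that the comment passes validation and is still dangerous when rendered raw: free text cannot be made safe by input checks alone, so the encoding step at output is what closes the XSS finding. Encoding is context-specific; the same value going into a SQL statement would be handled by a parameterized query, not by html.escape.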
QUESTION: 67
A user reports a malware alert to the help desk. A technician verifies the alert, determines the
workstation is classified as a low-severity device, and uses network controls to block access. The
technician then assigns the ticket to a security analyst who will complete the eradication and
recovery processes.
A. Document the procedures and walk through the incident training guide.
B. Reverse engineer the malware to determine its purpose and risk to the organization.
C. Sanitize the workstation and verify countermeasures are restored.
D. Isolate the workstation and issue a new computer to the user.
Answer(s): C
Explanation:
Sanitizing the workstation and verifying countermeasures are restored are part of the eradication
and recovery processes that the security analyst should perform next. Eradication is the process of
removing malware or other threats from the affected systems, while recovery is the process of
restoring normal operations and functionality to the affected systems. Sanitizing the workstation can
involve deleting or wiping any malicious files or programs, while verifying countermeasures are
restored can involve checking and updating any security controls or settings that may have been
compromised.
Reference:
https://www.cynet.com/incident-response/incident-response-sans-the-6-steps-in-depth/
QUESTION: 68
A digital forensics investigator works from duplicate images to preserve the integrity of the original
evidence.
Which of the following types of media are most volatile and should be preserved? (Select two).
A. Memory cache
B. Registry file
C. SSD storage
D. Temporary filesystems
E. Packet decoding
F. Swap volume
Answer(s): A,F
Explanation:
Memory cache and swap volume are types of media that are most volatile and should be preserved
during a digital forensics investigation. Volatile media are those that store data temporarily and lose
their contents when the power is turned off or interrupted. Memory cache is a small and fast
memory that stores frequently used data or instructions for faster access by the processor. Swap
volume is a part of the hard disk that is used as an extension of the memory when the memory is full
or low.
Reference:
https://www.techopedia.com/definition/10339/memory-dump