Digital Forensics and Incident Response

Questions and Answers

What is the primary purpose of restoring data after an incident of malicious deletion?

To ensure data integrity and availability. (correct)

To prevent future attacks.

To monitor the system more effectively.

To increase server performance.

Which step is critical when restoring a system after a DDoS attack?

Patch the operating system immediately.

Upgrade the web server software.

Manually reboot and check the system health. (correct)

Reconfigure firewall settings.

What action should be taken if malware persists after initial remediation efforts?

Ignore it and monitor the system.

Invest in new antivirus software.

Run a system check to find vulnerabilities.

Wipe the entire drive and reinstall the operating system. (correct)

What is essential for ensuring a system is not vulnerable after a security incident?

Patch any software or firmware vulnerabilities.

Why might some systems fail to automatically install patches?

There may be a misconfiguration or human error.

What is a necessary action following an incident that might affect logging systems?

Verify that scanning and monitoring functions are operational.

What does system hardening primarily focus on?

Reducing the attack surface.

What should be done to review permissions after a security incident?

Check for permission elevation and enforce proper authorization.

What is a major drawback of using a sleep state during forensic analysis?

It may alert malware, enabling anti-forensics.

What happens during virtual memory usage when physical memory is low?

The OS writes inactive memory pages to disk.

Which method of disk image acquisition poses the least risk of altering data?

Static acquisition by pulling the power plug.

What is the primary function of write blockers in digital forensics?

To prevent the tampering of data on the source disk.

Which statement about static acquisition by shutting down the computer is true?

It risks malware performing anti-forensics during the shutdown.

What may happen if the image acquisition is performed live?

It may change data on the disks, affecting legal admissibility.

Why is a page file not easily interpretable by analysis tools?

It stores data in a non-structured way.

What should always be done regardless of the method used for image acquisition?

Document the steps taken and create a timeline.

What is one possible outcome for a company if they discover significant security vulnerabilities in a software application they are selling?

They may withdraw the software from sale due to the cost of maintaining security.

What does risk transference involve?

Assigning risks to a third party, such as an insurance company.

In risk acceptance, what should a company do regarding identified risks?

Continue to monitor the risk without implementing countermeasures.

What is essential for communicating risk factors to business stakeholders?

Articulating the risks in a manner that defines cause and effect clearly.

What does a risk register typically document?

The results of risk assessments in a structured format.

What should be included in a risk register aside from risk descriptions?

Impacts, likelihood ratings, and countermeasures.

When might an organization choose to stop using a software application?

When its use introduces major security vulnerabilities after they are discovered.

What is a major component of effectively communicating a DoS risk?

Providing clear explanations of how the risk affects business operations.

Which method is considered to be on the decline for Command and Control communications?

Internet Relay Chat (IRC)

What should be done with vulnerabilities that fit within an organization's risk appetite?

They can be marked as exceptions.

What advantage does DNS have for Command and Control channels?

It allows evading detection through unfiltered traffic.

What technique can be used to mitigate malicious HTTP and HTTPS traffic in a network?

Implementing an intercepting proxy at the network edge.

What is a common characteristic of compliance scans compared to standard vulnerability scans?

They measure systems against best-practice frameworks.

When analyzing vulnerability scan results, what should one primarily rely on to draw conclusions?

Personal judgement and experience.

How can attackers utilize social media for Command and Control operations?

By issuing commands via messaging functionality or profiles.

What is the overall goal of remediation or risk mitigation?

To reduce exposure to risk factors.

What is a key characteristic of HTTP and HTTPS as C2 channels?

Malicious traffic can be difficult to distinguish from legitimate traffic.

What is a required condition for a bot to utilize DNS for receiving control messages?

It only needs to connect to a local DNS resolver.

What factor is often overlooked in scanner reports that is important for remediation prioritization?

The unique contextual factors of an environment.

What potential risk is associated with blocking HTTP and HTTPS protocols?

It may cause significant disruption to organizational productivity.

What example illustrates a common vulnerability that might be accepted despite its risks?

Keeping port 80 open on a webserver.

Why are command communications through IRC becoming less common?

Due to their high detectability and blocking by organizations.

Which term refers to the methods that can reduce the likelihood or impact of a risk incident?

Risk deterrence.

What do vulnerability assessments provide suggestions for?

Fixing detected security issues.

What does an RPO of 24 hours imply about data recovery?

Data can be recovered to a point not more than 24 hours before the database was affected.

Which of the following scenarios might require a higher RPO than standard backup solutions?

An order processing system where immediate capture of orders is critical.

How does risk deterrence differ from risk reduction?

Deterrence prevents risks from happening while reduction lessens their impact.

Which risk response strategy involves stopping a risk-bearing activity entirely?

Risk Avoidance

What would be a suitable risk countermeasure if your RPO is measured in minutes?

An automatic server cluster backup and redundancy solution.

What is the function of maximum tolerable downtime (MTD) in relation to business functions?

To determine the maximum time a function can be offline without recovery.

Which example illustrates risk impact reduction in a physical safety context?

Implementing a fire suppression system and alarms.

Which of the following is an example of a risk mitigation strategy?

Installing antivirus software to manage malware threats.

Study Notes

Digital Forensics Techniques

• Identify and analyze network, host, and application-related Indicators of Compromise (IOCs).
• Analyze lateral movement and pivot techniques.
• Digital forensics is the science of collecting and presenting evidence from computer systems to meet legal standards.
• Digital evidence is often latent, meaning it's not visible without analysis.
• Cybersecurity analysts may be involved in incident response, including reconstructing events and ensuring evidence is protected.

Digital Forensics Procedures

• Important to have written procedures for handling cybersecurity incidents, adhering to regulations and organizational obligations.
• Forensic investigations follow phases: Identification, Collection, Analysis, Reporting.
• Identification phase focuses on securing the scene to prevent contamination and documenting evidence.

Digital Forensics Procedures (Collection)

• Methods for collecting evidence must withstand legal scrutiny.
• Securely store evidence in tamper-evident packaging.

Digital Forensics Procedures (Analysis)

• Create a copy of the evidence for analysis, relating it to the original source.
• Use repeatable methods and tools to analyze the evidence.

Digital Forensics Procedures (Reporting)

• Present findings and conclusions using the methods and tools used.
• Legal holds are important for preserving relevant information in court cases.
• Security audits ensure process and tool adherence, and data protection.

Forensic Analyst Ethics

• Analysts must act without bias, using repeatable analysis methods.
• Evidence should not be altered, and any necessary manipulation must be documented.
• Defense might try to dismiss findings based on ethical or professional deviations.

Data Acquisition

• Data acquisition creates a forensic copy of non-volatile storage (HDDs, SSDs, flash drives).
• Ensure nothing alters the data or metadata (properties) during acquisition.
• Live acquisition copies data while the system runs; static acquisition involves shutting down the system.
• Critical to document the steps and timeline for any actions taken.

Hashing

• Creates a cryptographic hash (fingerprint) for disk contents or images.
• Ensure the same algorithm is used. Important for verifying data integrity.

File Carving

• A process for extracting data from images when no associated file system metadata exists.

Chain of Custody

• Records evidence handling for presentation in court. Documents evidence handling.

Incident Response

• Cybersecurity Incident response involves these phases:
  • Preparation
  • Detection and Analysis
  • Containment
  • Eradication and Recovery
  • Post-Incident Activity
• Procedures are guidelines for response actions.

Incident Response: Preparation

• Make systems resilient to attacks before they occur.
• Establish policies, procedures, and confidential communication channels.

Incident Response: Detection and Analysis

• Detect incidents, analyze the scope and magnitude of the damage.

Incident Response: Containment

• Limit the scope and impact of the incident.
• Protect data from additional breaches.

Incident Response: Eradication and Recovery

• Remove problems, return the system to normal operation.

Incident Response: Post-Incident Activity

• Document all details of the incident and lessons learned.
• Report findings.

Data Criticality and Prioritization

• Assess asset severity, prioritize affected systems.
• Critical data types: Personally Identifiable Information (PII), Sensitive Personal Information (SPI), Protected Health Information (PHI), and financial information.

Risk Assessment

• Identify, measure, and mitigate risks that affect business operations.
• Establish a risk management framework.
• Assess potential risks through risk analysis and evaluation.

Risk Calculation

• Probability and magnitude form the product of the risk.
• Risk calculation processes often involve quantifying elements of risk: asset value, exposure factor.
• Use quantitative risk approaches for assigning numeric values to risk factors.

Vulnerability Management

• Vulnerability scanning identifies vulnerabilities in systems.
• Tools often color-code vulnerabilities by criticality.
• Report validation and analysis are critical parts of the process to ensure the accuracy of the findings.
• Reconcile findings with existing systems' knowledge of the environment.
• Compare results to best practices. Identify exceptions to best practices.

Description

Test your knowledge on digital forensics and incident response strategies. This quiz covers essential concepts such as data restoration, system hardening, and the effects of various attacks. Challenge yourself with questions that evaluate your understanding of maintaining security and integrity in digital environments.