380 Questions
What is the primary intention of a cyber-attack?
To gain unauthorized access to a computer, computing system or network with the intent to cause damage
What is the term used to describe the core principles of information security?
CIA Triad
Which type of cybercrime targets individuals?
Individual Cybercrimes
What is an example of a computer security incident?
Theft of personal information
What should be done with suspicious events?
View them as potential incidents until proven otherwise
What is the main target of Organization Cybercrimes?
Organizations
What is the most common type of cybercrime attack?
Ransomware Attack
What is the term for unauthorized access to private computers or networks?
Hacking
What is the goal of cyberstalking?
To control and intimidate
What is software piracy an example of?
Illegal use or copy of paid software
What is the primary use of the 'Dark Web'?
To buy and sell illegal goods
What is the purpose of digital forensics?
To identify, acquire, process, analyze and report on electronically stored data so that cybercrime attacks can be investigated
What is cyber extortion?
Demand for money by cybercriminals
What is the term for the violation of intellectual-property rights?
Intellectual-property Infringements
What is the purpose of online recruitment fraud?
To obtain financial benefits from applicants
What is the main aspect of digital evidence in digital forensics?
It is a component of criminal activity and is crucial to law-enforcement investigations
What is the main goal of incident response?
To minimize the effects of an attack and contain damage
What is DFIR in the context of cybersecurity?
The process of collecting, preserving and analyzing electronic evidence in cyber security incidents
What type of data do analysts typically collect during an investigation?
Disk images, memory images, and application data
Why is it important to encrypt incident response data?
Case data (disk images, memory dumps, notes) is sensitive; encrypting it keeps it confidential and protected if the storage is lost or reached by an unauthorized party
What is the purpose of a write blocker in incident response?
To enable data to be acquired from a hard disk without modifying the disk’s data
What is disk imaging in the context of incident response?
The imaging of a storage medium using forensic software or hardware
What is the purpose of a forensic examination suite in incident response?
To perform a detailed analysis of disk images and memory images
What is the main benefit of using virtual environments in incident response?
Analysis is done on working copies, so the original evidence is never modified
What is the purpose of a boot disk in incident response?
To create a bootable environment for forensic analysis
What is the goal of log analysis in incident response?
To collect the logs of the affected systems and applications and reconstruct from them what the attacker did, when, and from where
What type of data is stored in a raw image file format?
All data from the original medium
What is the purpose of AccessData FTK Imager?
To create accurate copies of the original evidence
What are the two leading hash functions used by FTK Imager?
MD5 and SHA-1
What is the importance of RAM dump in digital forensics investigation?
To preserve volatile data
What is the characteristic of RAM in digital forensics?
Volatile
What is the purpose of a Digital Forensics Lab (DFL)?
To provide a tightly controlled area in which computer systems are examined
What are the two domains of computer forensics labs?
Active-system analysis and static media examination
What is the benefit of analyzing RAM dumps in digital forensics?
To access dynamic and live information
What is the significance of RAM in uncovering hidden or encrypted data?
It can reveal information about active malware
What is the difference between active-system analysis and static media examination?
Active-system analysis deals with forensic information on a live system (volatile data such as RAM); static media examination focuses on storage media such as removable flash drives and internal or external hard disks
What is the primary purpose of gathering facts and additional information about an incident?
To establish a context for the incident
Why is it important to know the time zone of an incident?
So that timestamps from different systems and sources can be correlated and interpreted correctly
What is the purpose of an Incident Summary Checklist?
To provide a brief overview of the incident
What is included in the Incident Detection Checklist?
Individual system details and primary function
What is the purpose of preserving a copy of the malware?
To analyze its network and host indicators
What are the criteria for digital evidence to be classified as genuine and trustworthy?
Admissible, Authentic, Complete, Reliable, and Believable
What is the first step of analyzing digital evidence?
Determining what data needs to be analyzed
What is the purpose of examining the condition of the computer when it was seized?
To document the state it was in (powered on or off, what was connected and what was on screen) before anything is changed, so that the evidence gathered can be trusted
What is included in the Network Details Checklist?
List of external malicious IP addresses and domain names
What is the purpose of inventorying the hardware on the suspect's computer?
To identify potential sources of digital evidence
What is the first step in handling digital evidence?
Uniquely label it and seal it in a proper container so that it can be tracked and protected
What is the purpose of anti-static shielding bags in digital forensics?
To protect electronic items from damage due to electrostatic discharge
What is the term used to describe hiding sensitive information within an ordinary file or message?
Steganography
What is one of the methods used to detect steganography?
Stegdetect
What type of data do DF examiners need to extract from a computer?
A variety of data, including emails, office documents, pictures, and more
What is the purpose of Windows Event Logs in forensic analysis?
To provide information to administrators and users
What is one of the channels in Windows Event Logs?
Application
Why do investigators create a digital 'image' of the victim's hard drive?
To explore and test hypotheses without worrying about changing evidence
What type of events are captured in the Security log?
Login attempts, elevated privileges, and more
What is one of the methods hackers use to conceal their activities?
Steganography
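The two steganography questions above (hiding data in an ordinary file, and detecting it with a tool such as Stegdetect) are easier to understand with a working instance. The following is an added example, not code from the original page or from Stegdetect: it hides a payload in the least significant bits of a greyscale image, recovers it, and applies a simple statistical check of the kind steganalysis tools build on. The cover image is a constructed list of pixel values, the detector is a toy heuristic (Stegdetect itself tests JPEG coefficient statistics), and names such as make_cover and lsb_transition_rate are this example's own.

```python
"""Added example, not code from the original page or from Stegdetect: hide a
payload in the least-significant bits of a greyscale image, recover it, and
apply a simple statistical check of the kind steganalysis tools are built on.
The cover image is a constructed list of 8-bit pixel values and the detector
is a toy heuristic (Stegdetect itself tests JPEG coefficient statistics);
names such as make_cover are this example's own."""

import random


def embed(pixels, payload):
    """Write a 32-bit length header followed by the payload, one bit per
    pixel LSB, starting at the first pixel.  Returns a new pixel list."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract(pixels):
    """Inverse of embed: read the length header, then that many bytes."""
    def read_bytes(first_bit, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (pixels[first_bit + b * 8 + j] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def lsb_transition_rate(pixels):
    """Fraction of neighbouring pixel pairs whose LSBs differ.  In a smooth
    cover the LSB plane follows the image content, so the rate is low; an
    embedded payload (usually compressed or encrypted, hence random-looking)
    pushes the rate towards 0.5 in the region it occupies."""
    lsb = [p & 1 for p in pixels]
    changes = sum(1 for a, b in zip(lsb, lsb[1:]) if a != b)
    return changes / (len(lsb) - 1)


def make_cover(width=64, height=64):
    """Constructed smooth cover: every row is one constant grey level."""
    return [(3 * y) % 256 for y in range(height) for _ in range(width)]


def random_payload(size, seed=1):
    """Deterministic pseudo-random bytes standing in for an encrypted payload."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def demo():
    cover = make_cover()
    payload = random_payload(400)          # 3200 payload bits + 32-bit header
    stego = embed(cover, payload)
    return {
        "recovered": extract(stego) == payload,
        "pixels_changed": sum(1 for a, b in zip(cover, stego) if a != b),
        "cover_rate": round(lsb_transition_rate(cover), 3),
        "stego_rate": round(lsb_transition_rate(stego), 3),
    }


if __name__ == "__main__":
    print(demo())
```

The image looks unchanged to the eye (each pixel moves by at most one grey level), which is the whole point of the technique; what gives it away is the statistics of the LSB plane, and that is the idea real steganalysis tools refine with far stronger tests.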
What is the purpose of configuring adequate logging on Windows systems?
So that the events needed for incident response are actually recorded before an incident happens
What is the format in which event logs are stored?
XML-structured records (on disk the .evtx files are a binary container that tools render as XML)
What is the purpose of cryptographic hash values in digital forensics?
To prove that the image is an exact copy of the original and has not been altered since acquisition
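The hash questions above (the two hash functions FTK Imager reports, and the hash values the imaging process generates) describe a procedure that is worth seeing end to end. The following is an added example, not code from the original page or from FTK Imager: it acquires a simulated storage medium into a raw dd-style image while computing MD5 and SHA-1 over the bytes written, then verifies the stored image by re-hashing it. The medium is a constructed byte string, the 512-byte sector size is assumed, and FlakySource is a hypothetical stand-in for a block device behind a write blocker that can have unreadable sectors.

```python
"""Added example, not code from the original page or from FTK Imager:
acquire a (simulated) storage medium into a raw dd-style image while
computing MD5 and SHA-1 over the bytes written, then verify the image by
re-hashing it.  The medium is a constructed byte string; FlakySource is a
hypothetical stand-in for a block device behind a write blocker, with an
optional set of unreadable sectors."""

import hashlib
import os
import tempfile

SECTOR = 512  # sector size assumed for the simulated medium


class FlakySource:
    """Read-only sector source; raises OSError on the configured bad sectors."""

    def __init__(self, data, bad_sectors=()):
        self._data = data
        self._bad = set(bad_sectors)
        self.sectors = (len(data) + SECTOR - 1) // SECTOR

    def read_sector(self, idx):
        if idx in self._bad:
            raise OSError(f"I/O error reading sector {idx}")
        return self._data[idx * SECTOR:(idx + 1) * SECTOR]


def acquire(source, image_path, log):
    """Copy every sector into a raw image.  Unreadable sectors are zero-filled
    so later offsets stay aligned (what dd's conv=noerror,sync does) and the
    gap is logged.  Returns (md5, sha1) over exactly the bytes written."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(image_path, "wb") as out:
        for idx in range(source.sectors):
            try:
                chunk = source.read_sector(idx)
            except OSError as exc:
                log.append(f"sector {idx}: {exc}; zero-filled")
                chunk = b"\x00" * SECTOR
            out.write(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def hash_file(path):
    """Re-hash a file on disk in chunks (works for images far larger than RAM)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify(image_path, acquisition_hashes):
    """The verify step: the stored image must reproduce both acquisition
    digests, otherwise it was altered, truncated or corrupted on disk."""
    return hash_file(image_path) == acquisition_hashes


def demo():
    medium = bytes(range(256)) * 16          # constructed 4096-byte medium (8 sectors)
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")

        # 1. Clean acquisition: the image is bit-for-bit identical to the medium.
        log = []
        hashes = acquire(FlakySource(medium), image, log)
        bit_for_bit = (hashes[0] == hashlib.md5(medium).hexdigest()
                       and verify(image, hashes) and not log)

        # 2. Medium with an unreadable sector: verification still passes because
        #    the digests cover what was written, and the log records the gap.
        log = []
        bad_hashes = acquire(FlakySource(medium, bad_sectors={5}), image, log)
        gap_verified = verify(image, bad_hashes)

        # 3. Flip one byte of the stored image: verification must now fail.
        with open(image, "r+b") as f:
            f.seek(3 * SECTOR + 7)
            f.write(b"\xff")
        tampered_verified = verify(image, bad_hashes)

    return {
        "bit_for_bit": bit_for_bit,
        "gap_logged": len(log),
        "gap_changed_hash": bad_hashes != hashes,
        "gap_verified": gap_verified,
        "tampered_verified": tampered_verified,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real system the read side is the block device behind a hardware write blocker (for example `dd if=/dev/sdb of=evidence.dd bs=4M conv=noerror,sync`, followed by `md5sum` and `sha1sum` on the image), and the acquisition digests go into the case notes so that anyone can repeat the verify step later. MD5 and SHA-1 still catch any accidental or casual change to an image, but both are broken against deliberately constructed collisions, so record SHA-256 as well wherever the tooling allows.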
What is the name of the forensic tool that helps investigators quickly search, identify, and prioritize potential evidence?
EnCase
What is the main feature of EnCase that allows for customizable report templates?
Reporting
What type of data can be extracted from mobile devices using mobile digital forensics software?
Call logs, photos, messages, browser history, geolocation data, and more
What is the primary goal of DF examiners when conducting mobile forensics?
To retrieve information from the device; gathering all passcodes, passwords or patterns of the exhibit beforehand is a prerequisite, because almost all extraction methods require the phone to be unlocked
What is the purpose of the Setup log?
To capture incidents of installation or upgrading of the Windows operating system
What method of data extraction allows access to live and deleted data, operating system files, and areas of the device that are not normally accessible to the user?
Physical Extraction
What is the name of the folder where event logs are stored?
%SystemRoot%\System32\winevt\Logs (normally C:\Windows\System32\winevt\Logs)
What is the main benefit of using a SIEM or log aggregator?
To centralize logs from many systems so that they survive the compromise of a single host and can be searched and correlated during incident response
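The questions on the Security log (login attempts, elevated privileges), on event logs being XML-structured, and on log analysis in incident response all point at the same task: reading Security events and pulling out the logon activity that matters. The following is an added example, not code from the original page or from Microsoft: it parses Security events in the XML form that .evtx records are rendered in (for instance by `wevtutil qe Security /f:xml`) and flags a burst of failed logons (event 4625), a success from the same source (4624) and a privileged logon (4672). All events are constructed for the example, and the threshold and time window are this example's own choices.

```python
"""Added example, not code from the original page or from Microsoft: parse
Windows Security events in the XML form that .evtx records are rendered in
(for instance by `wevtutil qe Security /f:xml`) and flag the logon activity
the Security channel records: failed logons (event 4625), a success from the
same source (4624) and privileged logons (4672).  All events below are
constructed for the example; thresholds are this example's own choice."""

import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}


def make_event(event_id, when, **data):
    """Build one Security record in the shape Windows renders (constructed)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><Channel>Security</Channel>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


def parse_time(stamp):
    """SystemTime carries seven fractional digits; strptime's %f takes six."""
    stamp = re.sub(r"(\.\d{6})\d*Z$", r"\1Z", stamp)
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_event(xml_text):
    """Flatten one Event element into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    record = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
    }
    for item in root.findall("e:EventData/e:Data", NS):
        record[item.get("Name")] = item.text
    return record


def analyse(records, threshold=5, window=timedelta(minutes=1)):
    """Return human-readable findings from a list of parsed records."""
    findings = []
    failures = defaultdict(list)  # source IP -> times of 4625 events
    for r in sorted(records, key=lambda r: r["Time"]):
        ip = r.get("IpAddress", "-")
        if r["EventID"] == 4625:
            failures[ip].append(r["Time"])
            recent = [t for t in failures[ip] if r["Time"] - t <= window]
            if len(recent) == threshold:  # report once, when the threshold is crossed
                findings.append(f"brute force: {len(recent)} failed logons from {ip} "
                                f"within {window.seconds}s, last target "
                                f"{r.get('TargetUserName')}")
        elif r["EventID"] == 4624:
            recent = [t for t in failures.get(ip, []) if r["Time"] - t <= window]
            if len(recent) >= threshold:
                findings.append(f"success after brute force: {r.get('TargetUserName')} "
                                f"logged on from {ip} (LogonType {r.get('LogonType')})")
        elif r["EventID"] == 4672:
            findings.append(f"privileged logon: {r.get('SubjectUserName')} "
                            f"was assigned special privileges")
    return findings


def sample_events():
    """Constructed events: one password-guessing burst that ends in success,
    one stray failure from another address, and an ordinary console logon."""
    attacker = "203.0.113.7"
    events = [make_event(4625, f"2024-05-01T10:00:{10 * i:02d}.1234567Z",
                         TargetUserName="administrator", IpAddress=attacker,
                         LogonType="3") for i in range(5)]
    events += [
        make_event(4625, "2024-05-01T10:00:05.0000000Z", TargetUserName="bob",
                   IpAddress="198.51.100.2", LogonType="3"),
        make_event(4624, "2024-05-01T10:00:50.0000000Z", TargetUserName="administrator",
                   IpAddress=attacker, LogonType="3"),
        make_event(4672, "2024-05-01T10:00:50.0000000Z", SubjectUserName="administrator"),
        make_event(4624, "2024-05-01T10:02:00.0000000Z", TargetUserName="alice",
                   IpAddress="-", LogonType="2"),
    ]
    return events


def run():
    return analyse([parse_event(e) for e in sample_events()])


if __name__ == "__main__":
    for line in run():
        print(line)
```

Real records come from `wevtutil qe Security /f:xml` or Get-WinEvent on the host, or from the .evtx files under System32\winevt\Logs, which are a binary container that needs an EVTX parser before they look like the XML above. Event 4625 is only written when failure auditing for logon events is enabled in the audit policy, which is the practical reason behind the question on configuring adequate logging before an incident.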
What type of extraction retrieves the device's file system and interprets the data during the processing stage?
File System Dump (FSD)
What is the limitation of logical extraction?
It generally cannot recover deleted data, and it cannot be performed on locked or password-protected devices
What is the method of data extraction that involves accessing the device and recording data displayed on the screen with photographs or video, or by transcribing its data?
Manual Extraction
What is the method of data extraction that requires the stripping down of the device to its logical board and soldering a certain cable to a certain connection on the board?
JTAG Extraction
What is the limitation of chip-off method?
It damages the device and it cannot be used anymore
What type of data can be acquired through logical extraction?
Call and text logs, contact lists, and passwords
What is the purpose of bootloaders in mobile forensics?
To let a small piece of code be inserted into the device's RAM during start-up, which bypasses the system lock on many devices (on Android 7.0 and later the storage is encrypted by default, so bypassing the lock alone does not necessarily yield readable data)
What is the advantage of physical extraction over logical extraction?
It can be performed on locked or password-protected devices
What is the limitation of forensic software?
It does not support certain models of mobile devices
A cyber-attack is defined as any attempt to gain unauthorized access to a computer system with the intent to cause damage.
True
Cyber-attacks aim to only disrupt or destroy computer systems.
False
A cyber incident refers to any event that compromises the confidentiality, integrity, or availability of data or information.
True
Individual Cybercrimes target organizations.
False
Property Cybercrimes target individuals' personal information.
False
Suspicious events should be ignored until proven otherwise.
False
FTK Imager is closed-source (free to download, but proprietary) software used for creating accurate copies of the original evidence.
True
Raw image file formats store only a part of the data from the original medium.
False
FTK Imager can create forensic images of only local hard drives and floppy disks.
False
Incident response is a disorganized approach to identify an attack, minimize its effects, and remediate the cause.
False
RAM dump is a process of capturing the contents of a computer's storage device.
False
DFIR specialists gather and inspect information to determine who attacked them, how they got in, and what tools were used to compromise their systems.
True
RAM is a non-volatile form of memory that holds data permanently.
False
Organizations do not need to provide proper training and create documentation for their IR process.
False
Hash reports are used to compare the integrity of the original evidence with the copied evidence.
True
Disk images are a bit-for-bit copy of a digital storage device, usually of a hard drive or hard disk.
True
Digital Forensics Lab (DFL) is used for storing digital evidence.
False
Memory images contain a wealth of information often available on the hard drive.
False
Active-system analysis deals with forensic information stored in non-volatile memory.
False
The most effective way to protect IR data is to encrypt it.
True
FTK Imager can create forensic images in only one format.
False
Write blockers allow write commands to be executed on the hard disk during the imaging process.
False
RAM dump is not essential for digital forensics investigation because it does not hold any valuable information.
False
IR teams use commercial software only for their investigation.
False
Disk imaging can be performed using hardware only.
False
Hash verification is not an important feature of imaging software.
False
Phishing is a type of cybercrime that targets users and tricks them by sending fake messages and emails to get sensitive information.
True
Ransomware Attack is a type of cybercrime that prevents users from accessing their personal data on the system by decrypting them.
False
Identity Theft is a type of cybercrime that occurs when a cybercriminal uses their own personal data to commit a fraud or a crime.
False
Cyber Bullying is also known as offline or internet bullying.
False
Software Piracy is the legal use or copy of paid software with violation of copyrights or license restrictions.
False
Digital forensics is a branch of science that focuses on identifying, acquiring, processing, analyzing, and reporting on data stored electronically.
True
Cyber Extortion is the demand for money by cybercriminals to give back some unimportant data they've stolen.
False
Online Recruitment Fraud is a type of cybercrime that releases fake job opportunities for the purpose of obtaining a financial benefit from applicants or even making use of their personal data.
True
Internet Fraud is a type of cybercrime that makes use of the telephone, and it can be considered a general term that groups all the crimes that happen over the telephone.
False
Digital evidence is a component of criminal activities and digital forensics that is not crucial for law enforcement investigations.
False
An IP address is more helpful if you know the time zone it belongs to.
False
It is not necessary to gather facts and additional information about the incident.
False
The Incident Detection Checklist includes individual system details.
True
A copy of the malware should not be preserved during the investigation.
False
The Incident Summary Checklist includes the type of affected resources.
True
Network monitoring is not necessary during the investigation.
False
The primary function of the system is not important during the investigation.
False
The time zone of the incident is not important during the investigation.
False
The Malware Details Checklist includes the list of systems where the malware was found.
True
The Incident Summary Checklist includes the contact information of the person who detected the incident.
True
Digital evidence should be stored in an unsecured location to allow for easy access.
False
Steganography is a technique used to detect hidden information in files.
False
Windows Event Logs are structured in three channels.
False
DF examiners need to extract only emails and office documents from a computer.
False
Anti-static shielding bags are used to destroy electronic evidence.
False
Investigators should leave digital evidence unattended during an investigation.
False
The primary purpose of digital forensics is to delete data from a computer.
False
Cryptographic hash values are used to tamper with digital evidence.
False
Stegdetect is a tool used to create steganography.
False
Digital evidence should be labeled and sealed with a generic container.
False
Windows Security Event logs contain information about login attempts, elevated privileges, and more.
True
Error, audit success and failure logs are not important in terms of forensic investigations.
False
Logical extraction involves retrieving raw binary data from the media storage of the device.
False
SIEM or log aggregator is not necessary for effective incident response.
False
A physical extraction can retrieve deleted data, operating system files, and areas of the device that are not normally accessible to the user.
True
Event logs are stored in TXT format at System32/winevt/Logs folder.
False
Deleted files can be recovered through logical extraction.
False
JTAG and Chip-Off methods can be used to extract data from damaged or locked mobile devices.
True
EnCase Forensic helps investigators quickly search, identify, and prioritize potential evidence across computers, laptops, and mobile devices.
True
Manual extraction involves accessing the device and recording data displayed on the screen with photographs or video.
True
DF examiners do not need to extract all passcodes, passwords, or patterns of the exhibit before conducting the work.
False
Mobile digital forensics software can extract data from call logs, photos, and browser history.
True
File System Dump (FSD) retrieves raw binary data from the media storage of the device.
False
Almost all extraction methods do not require phones to be unlocked.
False
Bootloaders are used to bypass system locks and passcodes for many devices.
True
Windows Event Forwarding is enabled by default on all Windows systems.
False
Chip-Off method does not damage the device.
False
Windows Event logs are categorized into four levels: information, warning, error, and critical.
False
Devices operating on Android version 7.0 onwards are encrypted by default.
True
Physical extraction can be performed on locked or password-protected devices.
True
A cyber-attack aims to only disable or disrupt computer systems.
False
Suspicious events should be viewed as potential incidents until proven otherwise.
True
Property Cybercrimes target individuals.
False
Cyber-attacks aim to alter, block, delete, manipulate, or steal the data held within computer systems.
True
Individual Cybercrimes target only organizations.
False
Phishing is a type of social engineering attack that targets systems and trick them by sending fake messages and emails to get sensitive information.
False
Identity theft occurs when a cybercriminal uses another person's personal data with their permission to commit a fraud or a crime.
False
Ransomware Attack is the general term that groups all the crimes that happen over the internet.
False
Cyber bullying is a type of cybercrime that targets systems.
False
Software piracy is the legal use or copy of paid software with violation of copyrights or license restrictions.
False
Digital forensics is a branch of science that focuses on identifying, acquiring, processing, analyzing, and reporting on data stored electronically.
True
Cyber extortion is the demand for money by cybercriminals to give back some important data they've stolen or stop doing malicious activities.
True
Online drug trafficking is rare because illegal drugs are not sold or traded online.
False
Intellectual-property Infringements is the violation or breach of any protected intellectual-property rights such as copyrights and industrial design.
True
Cybercrime includes cyber-terrorism.
True
Incident response is a coordinated and structured approach to respond to incidents.
True
DFIR specialists do not gather and inspect information to determine how to close security gaps.
False
Write blockers are devices that allow both read and write commands to be executed on the hard disk.
False
IR teams use only commercial software for their investigation.
False
Disk imaging can be performed using only hardware solutions.
False
The primary goal of incident response is to identify an attack and ignore its effects.
False
Organizations are not required to provide proper training and create documentation for their IR process.
False
Encrypting incident response data is not necessary.
False
IR teams can interface properly with specialized forensics tools using any type of laptop.
False
Gathering facts and additional information about the incident is not necessary to establish a context.
False
The IP address of the system is not important during the investigation.
False
The incident summary checklist includes the date and time the incident was reported and the nature of the incident.
True
The system's make and model is not important during the investigation.
False
The primary function of the system is important during the investigation.
True
The malware details checklist includes the date and time of the detection and the name of the malicious file.
True
The incident detection checklist includes individual system details and network details.
True
Digital evidence cannot be classified as genuine and trustworthy even if it is admissible, authentic, complete, reliable and believable.
False
The basic steps for computer forensics include examining the condition of the computer when it was seized and inventorying the hardware on the suspect's computer.
True
FTK Imager is open-source software used for creating disk images.
False
RAW (dd) is not a format used for storing disk images.
False
RAM dump is not a vital step in preserving volatile data for forensic examination.
False
FTK Imager cannot create forensic images in E01 format.
False
Digital Forensics Lab (DFL) is not a tightly controlled area for various levels of computer examination.
False
Active-system analysis deals with static media examination.
False
Error-Checks is not a feature found in Expert Witness Format (EWF).
False
FTK Imager uses only Secure Hash Algorithm (SHA-1) for generating hash reports.
False
FTK Imager can only create forensic images of local hard drives.
False
Steganography involves encrypting sensitive information within an ordinary file or message.
False
Investigators should ensure physical security of the digital evidence to prevent it from being lost or compromised.
True
Digital evidence can be stored in a secure location and accessed later.
True
The imaging process generates cryptographic hash values to verify the drive's authenticity.
True
Emails are not typically extracted during digital forensic analysis.
False
Windows Event Logs are structured in four channels: Application, System, Security, and Setup.
False
Steganography can be used to hide text, video, images, or audio data.
True
The primary purpose of the Windows Event Logs is to provide information to administrators and users.
True
Digital forensic examiners typically begin by examining the victim's original hard drive directly.
False
Windows Event Logs are structured in five categories/levels.
True
EnCase Forensic is a tool used to analyze evidence from computers and mobile devices.
True
Security logs contain login attempts, elevated privileges, and more.
True
Event logs are stored in CSV format at System32/winevt/Logs folder.
False
Configuring adequate logging on Windows systems is a critical step towards effective incident response.
True
Mobile digital forensics software can only extract data from call logs and photos.
False
DF examiners do not need to extract all passcodes, passwords, or patterns of the exhibit prior to conducting the work.
False
The primary goal of DF examiners is to delete data from a computer.
False
Logical extraction can recover deleted files.
False
Physical extraction retrieves the device's file system and interprets the data during the processing stage.
False
JTAG extraction is used to extract data from damaged or locked mobile devices.
True
Chip-Off extraction does not damage the device.
False
File System Dump (FSD) is a type of physical extraction.
False
Logical extraction can be performed on locked or password-protected devices.
False
A physical extraction can retrieve only live data.
False
Manual extraction is used when forensic software does not support the model of certain unique mobile devices.
True
A cyber-attack is defined as any attempt to gain unauthorized access to a computer, computing system or computer ______ with the intent to cause damage.
network
Cyber-attacks aim to disable, disrupt, destroy, or control computer systems or devices, or to alter, block, delete, manipulate, or steal the data held within these ______.
systems
A cyber incident refers to any event that compromises the confidentiality, integrity, or availability of data or ______ – core principles of information security.
information
Common examples of computer security incidents are: - Data theft such as personal ______, email, and documents.
information
Cyber-attacks aim to disable, disrupt, destroy, or control computer systems or devices, or to alter, block, delete, manipulate, or steal the data held within these systems; in other words, a cyber incident refers to any event that compromises the ______, integrity, or availability of data or information – core principles of information security.
confidentiality
The main categories of cybercrimes are: 1.Individual Cybercrimes, 2.Organization Cybercrimes, 3.______ Cybercrimes, and 4.
Property
Incident response (IR) is a _____________ approach to go from incident detection to resolution.
coordinated and structured
DFIR is a term used to refer to the process of collecting, preserving, and analyzing _____________ evidence in cyber security incidents.
electronic
Disk images may also be taken from other storage mediums, such as _____________ drives.
USB
The most effective way to keep information about the case safe and protected is to _____________ the data.
encrypt
A write blocker is a device that enables data to be acquired from a hard disk without modifying the disk's _____________.
data
The imaging software can include features such as recognition of hidden ______ (for example a Host Protected Area or Device Configuration Overlay on a drive).
areas
IR teams use virtual environments to make the analysis on the working _____________.
copies
Bootable operating systems (boot disks) are used as _____________ tools in IR investigation.
software
The imaging of a storage medium can be performed using forensic _____________ or hardware.
software
Incident response is the effort to quickly identify an attack, minimize its effects, contain _____________, and remediate the cause.
damage
Phishing is a type of ______ engineering attack that targets users and trick them by sending fake messages and emails to get sensitive information.
social
Identity theft occurs when a cybercriminal uses another person's ______ data like credit card numbers or personal pictures without their permission to commit a fraud or a crime.
personal
Phishing and scam is a type of cybercrime that targets users and tricks them by sending fake messages and emails to get ______ information.
sensitive
Internet fraud is a type of cybercrime that makes use of the internet, and it can be considered a general term that groups all the ______ that happen over the internet.
crimes
Cyberstalking can be defined as unwanted ______ content from someone targeting other individuals online with the aim of controlling and intimidating.
persistent
Software piracy is the illegal use or copy of ______ software with violation of copyrights or license restrictions.
paid
Social media frauds are the use of social media ______ accounts to perform any kind of harmful activities.
fake
Online drug trafficking is the illegal sale and trade of ______ drugs over the internet.
illegal
Electronic money laundering is based on unknown companies or online businesses that make ______ payment methods and credit card transactions.
approvable
Cyber extortion is the demand for money by cybercriminals to give back some important data they've stolen or stop doing ______ activities.
malicious
Image file formats include raw or ______.
dd
Expert Witness Format (EWF) and Advanced Forensic Format (AFF) are ______ formats.
image
FTK Imager is a free, ______-source software that is used for creating accurate copies of the original evidence.
closed
FTK Imager can create forensic images of local hard drives, floppy disks, Zip disks, CDs, and ______.
DVDs
HASH REPORTS in FTK Imager generate hash reports for regular files and disk images using the ______ and SHA-1 hash functions.
MD5
RAM dump is the process of capturing the contents of a computer's ______.
memory
RAM is a ______ form of memory that holds data temporarily while a computer is powered on.
volatile
Digital Forensics Lab (DFL) is divided into two domains: active-system analysis and ______ media examination.
static
Static media examinations focus on removable flash drives, external and internal hard disks, and other types of ______ media.
storage
DF examiners usually divide computer forensics labs into two domains: active-system analysis and ______ media examination.
static
Without ______ it is easy to jump to wrong conclusions.
context
The date and the time the incident was ______ is important information.
reported
Investigators should ensure the physical security of the digital evidence so it doesn't get ____________ or compromised.
lost
To handle digital evidence, it must be uniquely ____________ and sealed with a proper container.
labeled
Security logs contain incidents related to ______ events according to the auditing policy of the Windows operating system.
security
A list of malware samples detected, from the time of your investigation back to the ______.
beginning
Anti-static shielding bags are used to store, transport, and protect evidence from ____________ damage.
electrostatic
The critical information stored on the ______ is important to know.
system
Setup log captures incidents of ______ or upgrading of the Windows operating system.
installation
System log contains ______ generated by the Windows operating system.
messages
Whether the incident is currently ______ is important to know.
ongoing
The imaging process generates ____________ hash values to verify the drive's authenticity.
cryptographic
Steganography involves hiding sensitive information within an ordinary, non-secret file or ____________.
message
The primary function of the ______ is important to know.
system
Event logs are stored in ______ format at System32/winevt/Logs folder.
XML
Hackers can use steganography to hide data files or malware in otherwise ____________ documents.
innocent
EnCase Forensic helps investigators quickly search, identify, and prioritize potential ______ across computers, laptops, and mobile devices.
evidence
The type of affected ______ is important to know.
resources
New supported file types in EnCase Forensic include EXT4, HFSX, Microsoft Office ______ and iOS physical images.
2010
Digital Forensic examiners need to extract ____________ from a computer, including emails and office documents.
data
The incident detection checklist includes individual ______ details.
system
Windows Event Logs are structured in five ____________ (information, warning, error, critical, and success/failure audit; note that Event Viewer on Vista and later lists Verbose as the fifth level and shows Audit Success/Audit Failure as keywords of Security events).
levels
The primary function of the ______ log is to capture incidents of installation or upgrading of the Windows operating system.
Setup
The first step of analyzing the evidence is to determine what ______ needs to be analyzed.
data
Windows Event Logs are structured in five ____________ (Application, etc.).
channels
DF examiners try their best to extract ______ for the case.
evidence
Digital evidence to be classified as genuine and trustworthy should meet the following criteria: ______ in court.
Admissible
Almost all extraction methods require phones to be ______.
unlocked
The primary purpose of Windows Event Logs is to provide information to ____________ and users.
administrators
The aim of DF examiners is to gather all ______, passwords or patterns of the exhibit, prior to conducting the work.
passcodes
The File System Dump (FSD) is a hybrid of _____________ Extraction and Logical Extraction.
Physical
The ______ method accesses the device and records the data displayed on the screen with photographs or video.
Manual
A physical extraction can retrieve deleted data, operating system files, and areas of the device that are not normally accessible to the ______.
user
The JTAG and Chip-Off methods can be used to extract the data from mobile devices that are ______ or locked with a password.
damaged
The primary goal of the DF Examiner is to retrieve information from the _____________ device.
mobile
Logical extraction involves receiving information from the mobile device and allowing the device to present the data for ______.
analysis
After the information has been extracted from the device, the SIM card and Micro SD are analyzed ______.
separately
Live data which can be acquired through logical extraction include call and text logs, contact lists, and ______ to active social media.
passwords
The ______ method typically allows the DF examiner to access live and deleted data, operating system files and areas of the device that are not normally accessible to the user.
Physical
Devices operating on Android version 7.0 onwards are ______ by default.
encrypted
Match the following cybercrime categories with their descriptions:
Individual Cybercrimes = Targeting individuals, including phishing, spoofing, spam, and cyberstalking. Organization Cybercrimes = Targeting organizations, including malware attacks and denial of service attacks. Property Cybercrimes = Targeting property, including credit cards and intellectual property rights.
Match the following concepts with their definitions in cyber security:
CIA triad = Core principles of information security, including confidentiality, integrity, and availability. Incident = Any event that compromises the confidentiality, integrity, or availability of data or information. Cyber-attack = Any attempt to gain unauthorized access to a computer or network. Malware = Software designed to harm or exploit a computer system.
Match the following types of cybercrimes with their targets:
Phishing = Users, to trick them into revealing sensitive information.
Organization Cybercrimes = Organizations, to disrupt their operations.
Property Cybercrimes = Property, such as credit cards or intellectual property.
Cyberstalking = Individuals, to harass or intimidate them online.
Match the following concepts with their descriptions in cyber security:
Data theft = Theft of personal information, email, or documents.
Unauthorized access = Unauthorized access to computer resources or systems.
Malware = Presence of remote access tools or spyware.
Suspicious events = Events that should be viewed as potential incidents until proven otherwise.
Match the following cybercrime categories with their examples:
Individual Cybercrimes = Phishing, spoofing, spam, and cyberstalking.
Organization Cybercrimes = Malware attacks and denial of service attacks.
Property Cybercrimes = Theft of funds, credit cards, or intellectual property.
Match the following concepts with their descriptions in cyber security:
Incident response = An organized approach to identify an attack, minimize its effects, and remediate the cause.
Cyber-attack = An attempt to disable, disrupt, destroy, or control computer systems.
Data theft = Theft of personal information, email, or documents.
Cyber incident = An event that compromises the confidentiality, integrity, or availability of data or information.
Match the following types of cybercrime with their descriptions:
Phishing and Scam = Tricking users to get sensitive information or downloading malware
Identity Theft = Using another person's personal data to commit fraud or a crime
Ransomware Attack = Encrypting personal data and asking for a ransom to access it
Hacking/Misusing Computer Networks = Unauthorized access to private computers or networks
Match the following incident response concepts with their definitions:
Incident Response (IR) = Coordinated and structured approach to go from incident detection to resolution
DFIR = Process of collecting, preserving, and analyzing electronic evidence in cyber security incidents
Disk imaging = Imaging of a storage medium using forensic software or hardware
Write blocker = Device that enables data to be acquired from a hard disk without modifying the disk’s data
Match the following types of cybercrime with their descriptions:
Cyber Bullying = Sending or sharing harmful content to embarrass someone
Cyber Stalking = Unwanted persistent content to control and intimidate others
Software Piracy = Illegal use or copy of paid software with violation of copyrights
Social Media Frauds = Using fake social media accounts to perform harmful activities
Match the following types of cybercrime with their descriptions:
Online Drug Trafficking = Selling and trading illegal drugs online
Electronic Money Laundering = Making approvable payment methods with incomplete payment information
Cyber Extortion = Demanding money to give back stolen data or stop malicious activities
Intellectual-property Infringements = Violating protected intellectual-property rights
Match the following digital forensics data with their descriptions:
Disk images = Bit-for-bit copy of a digital storage device, usually of a hard drive or hard disk
Memory images = Computer’s RAM, which can be recorded by special software
Application data = Host logs, network device logs, and software-specific logs
Match the following types of digital forensics with their descriptions:
Cloud Forensics = Focusing on data stored electronically in the cloud
Computer Forensics = Focusing on data stored electronically in computers
Mobile Forensics = Focusing on data stored electronically in mobile devices
Network Forensics = Focusing on data stored electronically in networks
Match the following hardware tools with their uses in IR investigation:
Forensics in the Field = Laptop to perform forensic work and interface with specialized tools
Disk duplication and imaging systems = Create copies of the data and keep original data safe
Write blockers = Acquire data from a hard disk without modifying the disk’s data
Digital cameras = Document the evidence
Match the following software tools with their uses in IR investigation:
Boot Disks = Operating Systems (OS) for disk imaging
Disk Imaging Tools = Imaging of a storage medium using forensic software or hardware
Memory Capture and Analysis = Capture and analyze computer’s RAM
Log Analysis Tools = Analyze logs from various devices and systems
Match the following cybercrime with its primary usage:
Phishing and Scam = Social engineering attack
Ransomware Attack = The most common type of attack
Hacking/Misusing Computer Networks = Unauthorized access to private computers or networks
Society Cybercrimes = Cyber-terrorism
Match the following concepts with their importance in IR investigation:
Encryption = Keep information about the case safe and protected
Hash verification = Verify the integrity of the data during the imaging process
Time zone = Important to consider during the investigation
System function = Important to know during the investigation
Match the following types of cybercrime with their descriptions:
Online Recruitment Fraud = Fake job opportunities to obtain financial benefit or personal data
Cyber Extortion = Demanding money to give back stolen data or stop malicious activities
Intellectual-property Infringements = Violating protected intellectual-property rights
Electronic Money Laundering = Making approvable payment methods with incomplete payment information
Match the following digital forensic terms with their descriptions:
Digital Forensics = Identifying, acquiring, processing, analyzing, and reporting on electronic data
Digital Evidence = A component of criminal activities and digital forensics
Cloud Forensics = Focusing on data stored electronically in the cloud
Cybercrime = A type of crime that involves computers or networks
Match the following resources with their uses in IR investigation:
Virtual environments = Make analysis on the working copies of the data
Shared forensics equipment = Various tools for data acquisition and analysis
Case-Opening Tools = Open and analyze the case
Hard drives for evidence storage = Store evidence data
Match the following types of cybercrime with their descriptions:
Social Media Frauds = Using fake social media accounts to perform harmful activities
Online Drug Trafficking = Selling and trading illegal drugs online
Cyber Bullying = Sending or sharing harmful content to embarrass someone
Cyber Stalking = Unwanted persistent content to control and intimidate others
Match the following concepts with their descriptions in IR investigation:
Cyber security incidents = Attacks, unauthorized access, or other security breaches
Incident resolution = Effort to quickly identify an attack, minimize its effects, and remediate the cause
IR team = Team or department responsible for carrying out incident response practices
DFIR specialists = Specialists who gather and inspect information to determine the cause of an incident
Match the following types of cybercrime with their descriptions:
Software Piracy = Illegal use or copy of paid software with violation of copyrights
Intellectual-property Infringements = Violating protected intellectual-property rights
Cyber Extortion = Demanding money to give back stolen data or stop malicious activities
Ransomware Attack = Encrypting personal data and asking for a ransom to access it
Match the following data with their uses in IR investigation:
User logs = Information about user activity
Web server access logs = Information about web server access
Firewall logs = Information about network traffic and security
VPN audit logs = Information about VPN access and security
Match the following types of cybercrime with their descriptions:
Hacking/Misusing Computer Networks = Unauthorized access to private computers or networks
Identity Theft = Using another person's personal data to commit fraud or a crime
Cybercrime = A type of crime that involves computers or networks
Society Cybercrimes = Cyber-terrorism
Match the following concepts with their importance in DFIR investigation:
Data protection = Keep information about the case safe and protected
Data analysis = Analyze data to determine the cause of an incident
Data collection = Collect data from various sources
Data storage = Store evidence data securely
Match the following concepts with their uses in incident response:
IR process = Structured approach to incident detection, response, and resolution
Training and documentation = Important for IR team to know the process and procedures
Hardware and software solutions = Tools used to perform IR tasks
Investigation = Process of gathering and analyzing evidence
Match the following incident response checks with their corresponding descriptions:
Incident Summary Checklist = Gathers information about the incident
Incident Detection Checklist = Examines the system's details and the nature of the incident
Network Details Checklist = Provides information about the external malicious IP addresses and network configurations
Malware Details Checklist = Details about the malware's detection and analysis
Match the following with their primary purposes in incident response:
Incident Summary = To provide overall context about the incident
System Administrator = To manage the system's resources and access
Network Monitoring = To detect and track malicious activity on the network
Data Preservation = To store evidence securely for further analysis
Match the following types of incident response checks with the information they collect:
Incident Detection = Time of incident detection and the person who detected it
Network Details = List of external malicious IP addresses and domain names
Malware Details = Name of the malicious file and its directory
System Details = System's make, model, and primary function
Match the following factors with their roles in incident response:
Nature of the Case = Determines the scope of the investigation
Amount of Data Collected = Influences the analysis and evidence collection
Search Warrant and Court Orders = Provides legal authority for evidence collection
Policies = Guides the incident response process
Match the following with their roles in computer forensics:
DF Examiner = Analyzes the evidence and provides reports
System Administrator = Manages the system's resources and access
Investigator = Collects and analyzes evidence
IR Team = Responds to and resolves incidents
Match the following with their characteristics in digital forensics:
Authentic = Ensures the evidence is genuine
Complete = Includes all relevant data
Reliable = Proven to be accurate and trustworthy
Believable = Supported by credible evidence
Match the following with their roles in digital forensics:
FTK Imager = Creates forensic images of local hard drives and other storage devices
DFL = Analyzes digital evidence and provides reports
Disk Imaging = Creates a bit-for-bit copy of a digital storage device
RAM Dump = Captures the contents of a computer's RAM
Match the following with their purposes in incident response:
Incident Response = To respond to and resolve incidents effectively
Evidence Collection = To gather facts and data for analysis
Incident Detection = To identify potential incidents and prevent further damage
System Analysis = To understand the system's behavior and performance
Match the following with their roles in incident response:
IR Team = Responds to and resolves incidents
System Administrator = Manages the system's resources and access
DF Examiner = Analyzes the evidence and provides reports
Investigator = Collects and analyzes evidence
Match the following with their importance in incident response:
Context = Helps to understand the incident's scope and impact
Data Preservation = Ensures the integrity of the evidence
System Analysis = Provides insights into the system's behavior and performance
Incident Detection = Identifies potential incidents and prevents further damage
Match the following disk imaging formats with their features:
RAW = Stores all data from the original medium
EWF = Contains features like Compression of data and Error-Checks
AFF = Can be used for creating perfect copies of the original evidence
DD = Stores all data from the original medium
Match the following FTK Imager features with their descriptions:
HASH REPORTS = Generate hash reports for regular files and disk images
RAM CAPTURE = Allows you to perform memory capture or registry capture on a live device
DISK IMAGING = Create perfect copies of the original evidence without making any changes to original evidence
CASE METADATA = Contains information about running processes, active network connections, open files, encryption keys, and passwords
Match the following RAM dump features with their descriptions:
Volatile nature = Holds data temporarily while a computer is powered on
Dynamic and live information = Contains real-time information about running processes, active network connections, open files, encryption keys, and passwords
Uncovering hidden data = Reveals information about active malware, hidden processes, encrypted data in memory, or remnants of deleted files
Preserves data after shutdown = Capturing a RAM dump becomes essential to preserve valuable evidence
Match the following computer forensics lab domains with their descriptions:
Active-system analysis = Deals with forensic information, user activity and log reports based off an actively running operating system
Static media examination = Focuses on removable flash drives, external and internal hard disks, and other types of storage media that persist after a computer is shut down
Digital Forensics Lab = A tightly controlled area for various levels of computer examination
DFIR = Divides computer forensics labs into two domains: active-system analysis and static media examination
Match the following tools with their descriptions:
FTK Imager = Open-source software used for creating accurate copies of the original evidence without making any changes to original evidence
Magnet Ram Capturer = A tool used for RAM capture or registry capture on a live device
Volatility Framework = An open-source framework used for RAM dump analysis
EnCase Forensic = A tool used for searching, identifying, and prioritizing potential evidence across computers, laptops, and mobile devices
Match the following disk imaging features with their descriptions:
Compression of data = Reduces the size of the image file
Encryption of data = Secures the image file with a password or encryption key
Error-Checks = Verifies the integrity of the image file
Splitting the image in chunks = Divides the image file into smaller manageable chunks
Match the following digital forensics concepts with their descriptions:
Tolerance of hardware errors = Allows for the creation of accurate copies of the original evidence despite hardware errors
Hash sums = Verifies the integrity of the image file
Case Metadata = Contains information about the case evidence
Disk Imaging = Creates a perfect copy of the original evidence without making any changes to original evidence
Match the following digital forensics tools with their uses:
FTK Imager = Used for creating forensic images of local hard drives, floppy disks, Zip disks, CDs, and DVDs
Magnet Ram Capturer = Used for RAM capture or registry capture on a live device
Volatility Framework = Used for RAM dump analysis
EnCase Forensic = Used for searching, identifying, and prioritizing potential evidence across computers, laptops, and mobile devices
Match the following digital forensics features with their descriptions:
HASH REPORTS = Generate hash reports for regular files and disk images
RAM CAPTURE = Allows you to perform memory capture or registry capture on a live device
CASE METADATA = Contains information about the case evidence
DISK IMAGING = Creates a perfect copy of the original evidence without making any changes to original evidence
Match the following digital forensics concepts with their descriptions:
Volatile memory = Holds data temporarily while a computer is powered on
Dynamic and live information = Contains real-time information about running processes, active network connections, open files, encryption keys, and passwords
RAM dump = Captures the contents of a computer's memory
Disk imaging = Creates a perfect copy of the original evidence without making any changes to original evidence
Match the following Windows event logs with their descriptions:
Security = contains incidents related to security events
Setup = captures incidents of installation or upgrading of the Windows operating system
System = contains messages generated by the Windows operating system
Forwarded Events = contains events which are forwarded by other computers
Match the following steps with the guidelines for handling digital evidence:
Label and seal = Uniquely label and seal the evidence with a proper container
Document = Details of the device including type, serial number, and manufacturer
Not left unattended = Keep the evidence away from any source of contamination
Preservation = Keep the original evidence safe
Match the following steganography techniques with their descriptions:
Embedding text in a picture = Hiding sensitive information within an image file
Backward masking a message in an audio file = Concealing information in an audio file
Concealing information in metadata = Hiding data in file headers or metadata
Hiding an image in a video = Concealing data in a video file
Match the following log levels with their descriptions:
Error = important in terms of forensic investigations
Audit Success = important in terms of forensic investigations
Audit Failure = important in terms of forensic investigations
Information = provides insight about the incidents that occurred on the system
Match the following incident response tools with their descriptions:
Splunk = is a critical step toward ensuring that your environment can support effective incident response
LogRhythm = is a critical step toward ensuring that your environment can support effective incident response
Varonis = is a critical step toward ensuring that your environment can support effective incident response
EnCase = helps investigators quickly search, identify, and prioritize potential evidence
Match the following forensic tools with their purposes:
Stegdetect = Detecting steganography in digital files
Xsteg = Identifying hidden information in files
StegAlyzerAS = Analyzing digital files for steganography
StegSpy = Detecting and extracting hidden data
Match the following EnCase features with their descriptions:
Acquisition = includes Smartphone and Tablet support
Processing = automate common tasks associated with preparing evidence for investigation
Deep Forensic Analysis = includes new supported files and encryption support
Reporting = includes customizable templates and easy export options
Match the following data types with their extraction methods:
Emails = Extracting emails from digital devices
Internet Browsers = Analyzing browser history and cache
Pictures and Videos = Extracting multimedia files using hash comparison
Software = Analyzing installed software and applications
Match the following Windows Event Logs channels with their descriptions:
Application = Contains information logged by applications on the system
System = Stores system-level events and errors
Security = Logs security-related events and activities
Setup = Tracks system setup and configuration events
Match the following mobile digital forensics software features with their descriptions:
Call logs = can extract data
Photos = can extract data
Browser history = can extract data
Deleted files = can extract data
Match the following digital forensic tools with their descriptions:
EnCase Forensic = Helps investigators quickly search and identify potential evidence
FTK Imager = Creates accurate copies of the original evidence
StegAlyzerAS = Analyzes digital files for steganography
StegSpy = Detects and extracts hidden data
Match the following digital forensics examiners' goals with their descriptions:
Extract all passcodes = prior to conducting the work
Extract all passwords = prior to conducting the work
Extract all patterns = prior to conducting the work
Gather all evidence = prior to conducting the work
Match the following Windows event logs storage locations with their descriptions:
System32/winevt/Logs = stores event logs in XML format
System32/Logs = stores event logs in XML format
System/Winevt/Logs = stores event logs in XML format
Winevt/Logs = stores event logs in XML format
Match the following digital forensic concepts with their descriptions:
Anti-static shielding bags = Protects electronic items from damage during transportation and storage
Physical extraction = Retrieves the device's file system and interprets the data during processing
Logical extraction = Recovers deleted files and data
Disk images = A bit-for-bit copy of a digital storage device
Match the following incident response steps with their descriptions:
Gathering facts = Collecting information about the incident
Log analysis = Analyzing logs to identify incident details
Network monitoring = Monitoring network traffic for suspicious activity
Incident detection = Identifying and reporting suspicious events
Match the following incident response activities with their descriptions:
Configuring adequate logging = is a critical step toward ensuring that your environment can support effective incident response
Aggregating logs = is a critical step toward ensuring that your environment can support effective incident response
Analyzing logs = is a critical step toward ensuring that your environment can support effective incident response
Responding to incidents = is a critical step toward ensuring that your environment can support effective incident response
Match the following EnCase Forensic features with their descriptions:
Tagging = creates custom tags and applies to any file
Unified Search = searches across the entire case from one easy to use interface
Index = includes hash records and enables easy export of files
Reporting = includes customizable templates and easy export options
Match the following cybercrime types with their descriptions:
Cyber extortion = Demanding money or favors in exchange for not causing harm
Cyber bullying = Targeting individuals or systems with harmful activities
Social media fraud = Using social media to commit fraud or harm
Property Cybercrimes = Targeting individuals' personal information
Match the following log aggregator tools with their descriptions:
SIEM = is a critical step toward ensuring that your environment can support effective incident response
ManageEngine = is a critical step toward ensuring that your environment can support effective incident response
IBMQRadar = is a critical step toward ensuring that your environment can support effective incident response
SolarWinds = is a critical step toward ensuring that your environment can support effective incident response
Match the following digital forensic techniques with their descriptions:
JTAG and Chip-Off = Extracting data from damaged or locked mobile devices
Memory imaging = Capturing a snapshot of a device's memory
Steganography = Hiding sensitive information within ordinary files
Hash reports = Verifying the integrity of digital evidence
Match the following mobile device data extraction methods with their descriptions:
Logical Extraction = Receiving information from the mobile device and allowing it to present the data for analysis.
File System Dump (FSD) = A hybrid of Physical Extraction and Logical Extraction, retrieving the device's file system and interpreting the data during processing.
Physical Extraction = Acquiring raw binary data from the media storage of the device and analyzing it later.
Manual Extraction = Accessing the device and recording data displayed on the screen with photographs or video.
Match the following data types with the methods that can extract them:
Live Data = Logical Extraction
Deleted Files = Physical Extraction
Databases holding deleted messages = File System Dump (FSD)
Raw Binary Data = JTAG / Chip-Off / Rooting / Jail Breaking
Match the following limitations with the data extraction methods:
Cannot recover deleted files = Logical Extraction
Does not retrieve all deleted data = File System Dump (FSD)
Requires high technical skill = JTAG / Chip-Off / Rooting / Jail Breaking
Limited by device model or recent launch = Manual Extraction
Match the following data extraction methods with their benefits:
Logical Extraction = Allows access to live data only
Physical Extraction = Allows access to live and deleted data, operating system files, and areas not normally accessible to the user.
File System Dump (FSD) = Retrieves databases holding deleted messages and may not be accessible during a physical extraction
JTAG / Chip-Off / Rooting / Jail Breaking = Allows extraction of raw binary data from damaged or locked devices
Match the following data extraction methods with the devices they are suitable for:
Logical Extraction = All mobile devices
Physical Extraction = Most mobile devices, except those with encryption
File System Dump (FSD) = Most mobile devices, except those with encryption
JTAG / Chip-Off / Rooting / Jail Breaking = Damaged or locked devices, and IoT devices
Match the following data extraction methods with the level of technical skill required:
Logical Extraction = Low technical skill
Physical Extraction = Moderate technical skill
File System Dump (FSD) = Moderate technical skill
JTAG / Chip-Off / Rooting / Jail Breaking = High technical skill
Match the following data extraction methods with the type of data retrieved:
Logical Extraction = Live data only
Physical Extraction = Live and deleted data, operating system files, and areas not normally accessible to the user
File System Dump (FSD) = Databases holding deleted messages and live data
Manual Extraction = Data displayed on the screen
Match the following data extraction methods with the limitations of forensic software:
Logical Extraction = Cannot recover deleted files
Physical Extraction = Cannot access devices with encryption
File System Dump (FSD) = Does not retrieve all deleted data
Manual Extraction = Limited by device model or recent launch
Match the following data extraction methods with the risks involved:
Logical Extraction = No risk of data loss
Physical Extraction = No risk of data loss
File System Dump (FSD) = No risk of data loss
Chip-Off = Device will be damaged and can no longer be used
Match the following data extraction methods with the level of data analysis required:
Logical Extraction = Minimal analysis required
Physical Extraction = Moderate analysis required
File System Dump (FSD) = Moderate analysis required
JTAG / Chip-Off / Rooting / Jail Breaking = High analysis required
Test your knowledge of cyber attacks and incidents, including unauthorized access, damage, and data compromise. Learn about the different types of cyber attacks and their effects on computer systems and data.