What is a Cyber Attack or Incident?

Questions and Answers

What is the primary intention of a cyber-attack?

• To improve computer system security
• To facilitate data sharing
• To gain unauthorized access to a computer system (correct)
• To enhance user experience

What is the term used to describe the core principles of information security?

• Data Security Triangle
• Security Breach Protocol
• CIA Triad (correct)
• Information Protection Framework

Which type of cybercrime targets individuals?

• Individual Cybercrimes (correct)
• Cyber warfare
• Property Cybercrimes
• Organization Cybercrimes

What is an example of a computer security incident?

Theft of personal information (B)

What should be done with suspicious events?

View them as potential incidents until proven otherwise (B)

What is the main target of Organization Cybercrimes?

Organizations (C)

What is the most common type of cybercrime attack?

Ransomware Attack (A)

What is the term for unauthorized access to private computers or networks?

Hacking (B)

What is the goal of cyberstalking?

To control and intimidate (B)

What is software piracy an example of?

Illegal use or copy of paid software (D)

What is the primary use of the 'Dark Web'?

To buy and sell illegal goods (B)

What is the purpose of digital forensics?

To identify and analyze cybercrime attacks (D)

What is cyber extortion?

Demand for money by cybercriminals (B)

What is the term for the violation of intellectual-property rights?

Intellectual-property Infringements (B)

What is the purpose of online recruitment fraud?

To obtain financial benefits from applicants (C)

What is the main aspect of digital evidence in digital forensics?

It's a component of criminal activities (D)

What is the main goal of incident response?

To minimize the effects of an attack and contain damage (A)

What is DFIR in the context of cybersecurity?

The process of collecting and analyzing electronic evidence (D)

What type of data do analysts typically collect during an investigation?

Disk images, memory images, and application data (D)

Why is it important to encrypt incident response data?

To keep it safe and protected (D)

What is the purpose of a write blocker in incident response?

To enable data to be acquired from a hard disk without modifying the disk’s data (C)

What is disk imaging in the context of incident response?

The imaging of a storage medium using forensic software or hardware (D)

What is the purpose of a forensic examination suite in incident response?

To perform a detailed analysis of disk images and memory images (C)

What is the main benefit of using virtual environments in incident response?

To keep the original data safe (A)

What is the purpose of a boot disk in incident response?

To create a bootable environment for forensic analysis (A)

What is the goal of log analysis in incident response?

To identify and analyze logs from various systems and applications (D)

What type of data is stored in a raw image file format?

All data from the original medium (D)

What is the purpose of AccessData FTK Imager?

To create accurate copies of the original evidence (B)

What are the two leading hash functions used by FTK Imager?

MD5 and SHA-1 (D)

What is the importance of RAM dump in digital forensics investigation?

To preserve volatile data (A)

What is the characteristic of RAM in digital forensics?

Volatile (A)

What is the purpose of a Digital Forensics Lab (DFL)?

To examine computer systems (C)

What are the two domains of computer forensics labs?

Active-system analysis and static media examination (C)

What is the benefit of analyzing RAM dumps in digital forensics?

To access dynamic and live information (A)

What is the significance of RAM in uncovering hidden or encrypted data?

It can reveal information about active malware (B)

What is the difference between active-system analysis and static media examination?

Active-system analysis deals with forensic information and static media examination focuses on removable storage media (B)

What is the primary purpose of gathering facts and additional information about an incident?

To establish a context for the incident (D)

Why is it important to know the time zone of an incident?

To ensure accurate analysis of incident data (C)

What is the purpose of an Incident Summary Checklist?

To provide a brief overview of the incident (D)

What is included in the Incident Detection Checklist?

Individual system details and primary function (B)

What is the purpose of preserving a copy of the malware?

To analyze its network and host indicators (A)

What are the criteria for digital evidence to be classified as genuine and trustworthy?

Admissible, Authentic, Complete, Reliable, and Believable (D)

What is the first step of analyzing digital evidence?

Determining what data needs to be analyzed (D)

What is the purpose of examining the condition of the computer when it was seized?

To gather evidence for the investigation (D)

What is included in the Network Details Checklist?

List of external malicious IP addresses and domain names (B)

What is the purpose of inventorying the hardware on the suspect's computer?

To identify potential sources of digital evidence (B)

What is the first step in handling digital evidence?

Examine the data from the root directory (D)

What is the purpose of anti-static shielding bags in digital forensics?

To protect electronic items from damage due to electrostatic discharge (B)

What is the term used to describe hiding sensitive information within an ordinary file or message?

Steganography (D)

What is one of the methods used to detect steganography?

Stegdetect (D)

What type of data do DF examiners need to extract from a computer?

A variety of data, including emails, office documents, pictures, and more (D)

What is the purpose of Windows Event Logs in forensic analysis?

To provide information to administrators and users (C)

What is one of the channels in Windows Event Logs?

Application (B)

Why do investigators create a digital 'image' of the victim's hard drive?

To explore and test hypotheses without worrying about changing evidence (D)

What type of events are captured in the Security log?

Login attempts, elevated privileges, and more (A)

What is one of the methods hackers use to conceal their activities?

Steganography (B)

What is the purpose of configuring adequate logging on Windows systems?

To support effective incident response using Incident Response tools (D)

What is the format in which event logs are stored?

XML (B)

What is the purpose of cryptographic hash values in digital forensics?

To verify the drive's authenticity (D)

What is the name of the forensic tool that helps investigators quickly search, identify, and prioritize potential evidence?

EnCase (C)

What is the main feature of EnCase that allows for customizable report templates?

Reporting (C)

What type of data can be extracted from mobile devices using mobile digital forensics software?

Call logs, photos, messages, browsers history, geolocation data, and more (B)

What is the primary goal of DF examiners when conducting mobile forensics?

To gather all passcodes, passwords, or patterns of the exhibit (C)

What is the purpose of the Setup log?

To capture incidents of installation or upgrading of the Windows operating system (A)

What is the most common method of data extraction that allows access to live and deleted data, operating system files, and areas of the device that are not normally accessible to the user?

Physical Extraction (D)

What is the name of the folder where event logs are stored?

System32/winevt/Logs (C)

What is the main benefit of using a SIEM or log aggregator?

To support effective incident response (D)

What type of extraction retrieves the device's file system and interprets the data during the processing stage?

File System Dump (FSD) (A)

What is the limitation of logical extraction?

It cannot be performed on locked or password-protected devices (C)

What is the method of data extraction that involves accessing the device and recording data displayed on the screen with photographs or video, or by transcribing its data?

Manual Extraction (B)

What is the method of data extraction that requires the stripping down of the device to its logical board and soldering a certain cable to a certain connection on the board?

JTAG Extraction (A)

What is the limitation of chip-off method?

It damages the device and it cannot be used anymore (D)

What type of data can be acquired through logical extraction?

Call and text logs, contact lists, and passwords (A)

What is the purpose of bootloaders in mobile devices?

To allow the insertion of a small piece of code into the RAM during start-up (B)

What is the advantage of physical extraction over logical extraction?

It can be performed on locked or password-protected devices (D)

What is the limitation of forensic software?

It does not support certain models of mobile devices (D)

A cyber-attack is defined as any attempt to gain unauthorized access to a computer system with the intent to cause damage.

True (A)

Cyber-attacks aim to only disrupt or destroy computer systems.

False (B)

A cyber incident refers to any event that compromises the confidentiality, integrity, or availability of data or information.

True (A)

Individual Cybercrimes target organizations.

False (B)

Property Cybercrimes target individuals' personal information.

False (B)

Suspicious events should be ignored until proven otherwise.

False (B)

FTK Imager is a closed-source software used for creating accurate copies of the original evidence.

False (B)

Raw image file formats store only a part of the data from the original medium.

False (B)

FTK Imager can create forensic images of only local hard drives and floppy disks.

False (B)

Incident response is a disorganized approach to identify an attack, minimize its effects, and remediate the cause.

False (B)

RAM dump is a process of capturing the contents of a computer's storage device.

False (B)

DFIR specialists gather and inspect information to determine who attacked them, how they got in, and what tools were used to compromise their systems.

True (A)

RAM is a non-volatile form of memory that holds data permanently.

False (B)

Organizations do not need to provide proper training and create documentation for their IR process.

False (B)

Hash reports are used to compare the integrity of the original evidence with the copied evidence.

True (A)

Disk images are a bit-for-bit copy of a digital storage device, usually of a hard drive or hard disk.

True (A)

Digital Forensics Lab (DFL) is used for storing digital evidence.

False (B)

Memory images contain a wealth of information often available on the hard drive.

False (B)

Active-system analysis deals with forensic information stored in non-volatile memory.

False (B)

The most effective way to protect IR data is to encrypt it.

True (A)

FTK Imager can create forensic images in only one format.

False (B)

Write blockers allow write commands to be executed on the hard disk during the imaging process.

False (B)

RAM dump is not essential for digital forensics investigation because it does not hold any valuable information.

False (B)

IR teams use commercial software only for their investigation.

False (B)

Disk imaging can be performed using hardware only.

False (B)

Hash verification is not an important feature of imaging software.

False (B)

Phishing is a type of cybercrime that targets users and trick them by sending fake messages and emails to get sensitive information.

True (A)

Ransomware Attack is a type of cybercrime that prevents users from accessing their personal data on the system by decrypting them.

False (B)

Identity Theft is a type of cybercrime that occurs when a cybercriminal uses their own personal data to commit a fraud or a crime.

False (B)

Cyber Bullying is also known as offline or internet bullying.

False (B)

Software Piracy is the legal use or copy of paid software with violation of copyrights or license restrictions.

False (B)

Digital forensic is a branch of science that focuses on identifying, acquiring, processing, analyzing, and reporting on data stored electronically.

True (A)

Cyber Extortion is the demand for money by cybercriminals to give back some unimportant data they've stolen.

False (B)

Online Recruitment Fraud is a type of cybercrime that releases fake job opportunities for the purpose of obtaining a financial benefit from applicants or even making use of their personal data.

True (A)

Internet Fraud is a type of cybercrime that makes use of the telephone, and it can be considered a general term that groups all the crimes that happen over the telephone.

False (B)

Digital evidence is a component of criminal activities and digital forensics that is not crucial for law enforcement investigations.

False (B)

An IP address is more helpful if you know the time zone it belongs to.

False (B)

It is not necessary to gather facts and additional information about the incident.

False (B)

The Incident Detection Checklist includes individual system details.

True (A)

A copy of the malware should not be preserved during the investigation.

False (B)

The Incident Summary Checklist includes the type of affected resources.

True (A)

Network monitoring is not necessary during the investigation.

False (B)

The primary function of the system is not important during the investigation.

False (B)

The time zone of the incident is not important during the investigation.

False (B)

The Malware Details Checklist includes the list of systems where the malware was found.

True (A)

The Incident Summary Checklist includes the contact information of the person who detected the incident.

True (A)

Digital evidence should be stored in an unsecured location to allow for easy access.

False (B)

Steganography is a technique used to detect hidden information in files.

False (B)

Windows Event Logs are structured in three channels.

False (B)

DF examiners need to extract only emails and office documents from a computer.

False (B)

Anti-static shielding bags are used to destroy electronic evidence.

False (B)

Investigators should leave digital evidence unattended during an investigation.

False (B)

The primary purpose of digital forensics is to delete data from a computer.

False (B)

Cryptographic hash values are used to tamper with digital evidence.

False (B)

Stegdetect is a tool used to create steganography.

False (B)

Digital evidence should be labeled and sealed with a generic container.

False (B)

Windows Security Event logs contain information about login attempts, elevated privileges, and more.

True (A)

Error, audit success and failure logs are not important in terms of forensic investigations.

False (B)

Logical extraction involves retrieving raw binary data from the media storage of the device.

False (B)

SIEM or log aggregator is not necessary for effective incident response.

False (B)

A physical extraction can retrieve deleted data, operating system files, and areas of the device that are not normally accessible to the user.

True (A)

Event logs are stored in TXT format at System32/winevt/Logs folder.

False (B)

Deleted files can be recovered through logical extraction.

False (B)

JTAG and Chip-Off methods can be used to extract data from damaged or locked mobile devices.

True (A)

EnCase Forensic helps investigators quickly search, identify, and prioritize potential evidence across computers, laptops, and mobile devices.

True (A)

Manual extraction involves accessing the device and recording data displayed on the screen with photographs or video.

True (A)

DF examiners do not need to extract all passcodes, passwords, or patterns of the exhibit before conducting the work.

False (B)

Mobile digital forensics software can extract data from call logs, photos, and browsers history.

True (A)

File System Dump (FSD) retrieves raw binary data from the media storage of the device.

False (B)

Almost all extraction methods do not require phones to be unlocked.

False (B)

Bootloaders are used to bypass system locks and passcodes for many devices.

True (A)

Windows Event Forwarding is enabled by default on all Windows systems.

False (B)

Chip-Off method does not damage the device.

False (B)

Windows Event logs are categorized into four levels: information, warning, error, and critical.

False (B)

Devices operating on Android version 7.0 onwards are encrypted by default.

True (A)

Physical extraction can be performed on locked or password-protected devices.

True (A)

A cyber-attack aims to only disable or disrupt computer systems.

False (B)

Suspicious events should be viewed as potential incidents until proven otherwise.

True (A)

Property Cybercrimes target individuals.

False (B)

Cyber-attacks aim to alter, block, delete, manipulate, or steal the data held within computer systems.

True (A)

Individual Cybercrimes target only organizations.

False (B)

A cyber incident refers to any event that compromises the confidentiality, integrity, or availability of data or information.

True (A)

Phishing is a type of social engineering attack that targets systems and trick them by sending fake messages and emails to get sensitive information.

False (B)

Identity theft occurs when a cybercriminal uses another person's personal data with their permission to commit a fraud or a crime.

False (B)

Ransomware Attack is a type of cybercrime that makes use of the internet.

False (B)

Cyber bullying is a type of cybercrime that targets systems.

False (B)

Software piracy is the legal use or copy of paid software with violation of copyrights or license restrictions.

False (B)

Digital forensics is a branch of science that focuses on identifying, acquiring, processing, analyzing, and reporting on data stored electronically.

True (A)

Cyber extortion is the demand for money by cybercriminals to give back some important data they've stolen or stop doing malicious activities.

True (A)

Online drug trafficking is a type of cybercrime that is not commonly sold and traded online.

False (B)

Intellectual-property Infringements is the violation or breach of any protected intellectual-property rights such as copyrights and industrial design.

True (A)

Cybercrime includes cyber-terrorism.

True (A)

Incident response is a coordinated and structured approach to respond to incidents.

True (A)

DFIR specialists do not gather and inspect information to determine how to close security gaps.

False (B)

Memory images contain a wealth of information often available on the hard drive.

False (B)

Write blockers are devices that allow both read and write commands to be executed on the hard disk.

False (B)

IR teams use only commercial software for their investigation.

False (B)

Disk imaging can be performed using only hardware solutions.

False (B)

The primary goal of incident response is to identify an attack and ignore its effects.

False (B)

Organizations are not required to provide proper training and create documentation for their IR process.

False (B)

Encrypting incident response data is not necessary.

False (B)

IR teams can interface properly with specialized forensics tools using any type of laptop.

False (B)

Gathering facts and additional information about the incident is not necessary to establish a context.

False (B)

The IP address of the system is not important during the investigation.

False (B)

The incident summary checklist includes the date and time the incident was reported and the nature of the incident.

True (A)

The system's make and model is not important during the investigation.

False (B)

Network monitoring is not necessary during the investigation.

False (B)

The primary function of the system is important during the investigation.

True (A)

The malware details checklist includes the date and time of the detection and the name of the malicious file.

True (A)

The incident detection checklist includes individual system details and network details.

True (A)

Digital evidence is not classified as genuine and trustworthy if it meets certain criteria.

False (B)

The basic steps for computer forensics include inspecting the computer viruses and inventorying the hardware on the suspect's computer.

True (A)

FTK Imager is an open-source software used for creating disk images.

True (A)

RAW is not a format used for storing data in a raw file.

False (B)

RAM dump is not a vital step in preserving volatile data for forensic examination.

False (B)

FTK Imager cannot create forensic images in E01 format.

False (B)

Digital Forensics Lab (DFL) is not a tightly controlled area for various levels of computer examination.

False (B)

Active-system analysis deals with static media examination.

False (B)

Error-Checks is not a feature found in Expert Witness Format (EWF).

False (B)

FTK Imager uses only Secure Hash Algorithm (SHA-1) for generating hash reports.

False (B)

FTK Imager can only create forensic images of local hard drives.

False (B)

RAM is a non-volatile form of memory that holds data permanently.

False (B)

Steganography involves encrypting sensitive information within an ordinary file or message.

False (B)

Investigators should ensure physical security of the digital evidence to prevent it from being lost or compromised.

True (A)

Digital evidence can be stored in a secure location and accessed later.

True (A)

Anti-static shielding bags are used to destroy electronic evidence.

False (B)

The imaging process generates cryptographic hash values to verify the drive's authenticity.

True (A)

Emails are not typically extracted during digital forensic analysis.

False (B)

Windows Event Logs are structured in four channels: Application, System, Security, and Setup.

False (B)

Steganography can be used to hide text, video, images, or audio data.

True (A)

The primary purpose of the Windows Event Logs is to provide information to administrators and users.

True (A)

Digital forensic examiners typically begin by creating a physical copy of the victim's hard drive.

False (B)

Windows Event Logs are structured in five categories/levels.

True (A)

EnCase Forensic is a tool used to analyze evidence from computers and mobile devices.

True (A)

Security logs contain login attempts, elevated privileges, and more.

True (A)

Event logs are stored in CSV format at System32/winevt/Logs folder.

False (B)

Configuring adequate logging on Windows systems is a critical step towards effective incident response.

True (A)

Mobile digital forensics software can only extract data from call logs and photos.

False (B)

DF examiners do not need to extract all passcodes, passwords, or patterns of the exhibit prior to conducting the work.

False (B)

The primary goal of DF examiners is to delete data from a computer.

False (B)

Incident response is a disorganized approach to identify an attack, minimize its effects, and remediate the cause.

False (B)

Windows Event Forwarding is enabled by default on all Windows systems.

False (B)

Logical extraction can recover deleted files.

False (B)

Physical extraction retrieves the device's file system and interprets the data during the processing stage.

False (B)

JTAG extraction is used to extract data from damaged or locked mobile devices.

True (A)

Manual extraction involves accessing the device and recording data displayed on the screen with photographs or video.

True (A)

Chip-Off extraction does not damage the device.

False (B)

File System Dump (FSD) is a type of physical extraction.

False (B)

Bootloaders are used to bypass system locks and passcodes for many devices.

True (A)

_logical extraction can be performed on locked or password-protected devices.

False (B)

A physical extraction can retrieve only live data.

False (B)

Manual extraction is used when forensic software does not support the model of certain unique mobile devices.

True (A)

A cyber-attack is defined as any attempt to gain unauthorized access to a computer, computing system or computer ______ with the intent to cause damage.

network

Cyber-attacks aim to disable, disrupt, destroy, or control computer systems or “device”, or to alter, block, delete, manipulate, or steal the data held within these ______.

systems

A cyber incident refers to any event that compromises the confidentiality, integrity, or availability of data or ______ – core principles of information security.

information

Common examples of computer security incidents are: - Data theft such as personal ______, email, and documents.

information

Cyber-attacks aim to disable, disrupt, destroy, or control computer systems or “device”, or to alter, block, delete, manipulate, or steal the data held within these systems, in another word, a cyber incident refers to any event that compromises the ______, integrity, or availability of data or information – core principles of information security.

confidentiality

The main categories of cybercrimes are: 1.Individual Cybercrimes, 2.Organization Cybercrimes, 3.______ Cybercrimes, and 4.

Property

Incident response (IR) is a _____________ approach to go from incident detection to resolution.

coordinated and structured

DFIR is a term used to refer to the process of collecting, preserving, and analyzing _____________ evidence in cyber security incidents.

electronic

Disk images may also be taken from other storage mediums, such as _____________ drives.

USB

The most effective way to keep information about the case safe and protected is to _____________ the data.

encrypt

A write blocker is a device that enables data to be acquired from a hard disk without modifying the disk's _____________.

data

The imaging software can include features such as recognition of hidden _____________.

areas

IR teams use virtual environments to make the analysis on the working _____________.

copies

Boot Disks Operating Systems (OS) are used as _____________ tools in IR investigation.

software

The imaging of a storage medium can be performed using forensic _____________ or hardware.

software

Incident response is the effort to quickly identify an attack, minimize its effects, contain _____________, and remediate the cause.

damage

Phishing is a type of ______ engineering attack that targets users and trick them by sending fake messages and emails to get sensitive information.

social

Identity theft occurs when a cybercriminal uses another person's ______ data like credit card numbers or personal pictures without their permission to commit a fraud or a crime.

personal

Ransomware attack is a type of cybercrime that targets users and trick them by sending fake messages and emails to get ______ information.

sensitive

Cyber bullying is a type of cybercrime that makes use of the internet, and it can be considered a general term that groups all the ______ that happen over the internet.

crimes

Cyberstalking can be defined as unwanted ______ content from someone targeting other individuals online with the aim of controlling and intimidating.

persistent

Software piracy is the illegal use or copy of ______ software with violation of copyrights or license restrictions.

paid

Social media frauds are the use of social media ______ accounts to perform any kind of harmful activities.

fake

Online drug trafficking is the illegal sale and trade of ______ drugs over the internet.

illegal

Electronic money laundering is based on unknown companies or online business that makes ______ payment methods and credit card transactions.

approvable

Cyber extremism is the demand for money by cybercriminals to give back some important data they've stolen or stop doing ______ activities.

malicious

Image file formats include raw or ______.

dd

Expert Witness Format (EWF) and Advanced Forensic Format (AFF) are ______ formats.

image

FTK Imager is a ______ software that is used for creating accurate copies of the original evidence.

open-source

FTK Imager can create forensic images of local hard drives, floppy disks, Zip disks, CDs, and ______.

DVDs

HASH REPORTS in FTK Imager generate hash reports for regular files and disk images using ______ hash functions.

two leading

RAM dump is the process of capturing the contents of a computer's ______.

memory

RAM is a ______ form of memory that holds data temporarily while a computer is powered on.

volatile

Digital Forensics Lab (DFL) is divided into two domains: active-system analysis and ______ media examination.

static

Static media examinations focus on removable flash drives, external and internal hard disks, and other types of ______ media.

storage

DF examiners usually divide computer forensics labs into two domains: active-system analysis and ______ media examination.

static

Without ______ it is easy to jump to wrong conclusions.

context

The date and the time the incident was ______ is important information.

reported

Investigators should ensure the physical security of the digital evidence so it doesn't get ____________ or compromised.

lost

To handle digital evidence, it must be uniquely ____________ and sealed with a proper container.

labeled

Security logs contain incidents related to ______ events according to the auditing policy of the Windows operating system.

security

A list of malwares detected, from the time of your investigation back to the ______.

beginning

Anti-static shielding bags are used to store, transport, and protect evidence from ____________ damage.

electrostatic

The critical information stored on the ______ is important to know.

system

Setup log captures incidents of ______ or upgrading of the Windows operating system.

installation

System log contains ______ generated by the Windows operating system.

messages

Whether the incident is currently ______ is important to know.

ongoing

The imaging process generates ____________ hash values to verify the drive's authenticity.

cryptographic

Steganography involves hiding sensitive information within an ordinary, non-secret file or ____________.

message

The primary function of the ______ is important to know.

system

Event logs are stored in ______ format at System32/winevt/Logs folder.

XML

Hackers can use steganography to hide data files or malware in otherwise ____________ documents.

innocent

EnCase Forensic helps investigators quickly search, identify, and prioritize potential ______ across computers, laptops, and mobile devices.

evidence

The type of affected ______ is important to know.

resources

New Supported Files in EnCase Forensic include.EXT4, HSFX, Microsoft Office ______ and iOS Physical Images.

2010

Digital Forensic examiners need to extract ____________ from a computer, including emails and office documents.

data

The incident detection checklist includes individual ______ details.

system

Windows Event Logs are structured in five ____________ (information, warning, error, critical, and success/failure audit).

levels

The primary function of the ______ log is to capture incidents of installation or upgrading of the Windows operating system.

Setup

The first step of analyzing the evidence is to determine what ______ needs to be analyzed.

data

Windows Event Logs are structured in five ____________ (Application, etc.).

channels

DF examiners try their best to extract ______ for the case.

evidence

Digital evidence to be classified as genuine and trustworthy should meet the following criteria: ______ in court.

Admissible

Almost all extraction methods require phones to be ______.

unlocked

The primary purpose of digital forensics is to analyze digital evidence and provide useful information to ____________ and users.

administrators

The aim of DF examiners is to gather all ______, passwords or patterns of the exhibit, prior to conducting the work.

passcodes

The File System Dump (FSD) is a hybrid of _____________ Extraction and Logical Extraction.

Physical

The ______ method accesses the device and records of the data displayed on the screen with photographs or video.

Manual

A physical extraction can retrieve deleted data, operating system files, and areas of the device that are not normally accessible to the ______.

user

The JTAG and Chip-Off methods can be used to extract the data from mobile devices that are ______ or locked with a password.

damaged

The primary goal of the DF Examiner is to retrieve information from the _____________ device.

mobile

Logical extraction involves receiving information from the mobile device and allowing the device to present the data for ______.

analysis

After the information has been extracted from the device, the SIM card and Micro SD are analyzed ______.

separately

Live data which can be acquired through logical extraction include call and text logs, contact lists, and ______ to active social media.

passwords

The ______ method typically allows the DF examiner to access live and deleted data, operating system files and areas of the device that are not normally accessible to the user.

Physical

Devices operating on Android version 7.0 onwards are ______ by default.

encrypted

Match the following cybercrime categories with their descriptions:

Individual Cybercrimes = Targeting individuals, including phishing, spoofing, spam, and cyberstalking. Organization Cybercrimes = Targeting organizations, including malware attacks and denial of service attacks. Property Cybercrimes = Targeting property, including credit cards and intellectual property rights.

Match the following concepts with their definitions in cyber security:

CIA triad = Core principles of information security, including confidentiality, integrity, and availability. Incident = Any event that compromises the confidentiality, integrity, or availability of data or information. Cyber-attack = Any attempt to gain unauthorized access to a computer or network. Malware = Software designed to harm or exploit a computer system.

Match the following types of cybercrimes with their targets:

Phishing = Users, to trick them into revealing sensitive information. Organization Cybercrimes = Organizations, to disrupt their operations. Property Cybercrimes = Property, such as credit cards or intellectual property. Cyberstalking = Individuals, to harass or intimidate them online.

Match the following concepts with their descriptions in cyber security:

Data theft = Theft of personal information, email, or documents. Unauthorized access = Unauthorized access to computer resources or systems. Malware = Presence of remote access tools or spyware. Suspicious events = Events that should be viewed as potential incidents until proven otherwise.

Match the following cybercrime categories with their examples:

Individual Cybercrimes = Phishing, spoofing, spam, and cyberstalking. Organization Cybercrimes = Malware attacks and denial of service attacks. Property Cybercrimes = Theft of funds, credit cards, or intellectual property.

Match the following concepts with their descriptions in cyber security:

Incident response = A organized approach to identify an attack, minimize its effects, and remediate the cause. Cyber-attack = An attempt to disable, disrupt, destroy, or control computer systems. Data theft = Theft of personal information, email, or documents. Cyber incident = An event that compromises the confidentiality, integrity, or availability of data or information.

Match the following types of cybercrime with their descriptions:

Phishing and Scam = Tricking users to get sensitive information or downloading malware Identity Theft = Using another person's personal data to commit fraud or a crime Ransomware Attack = Encrypting personal data and asking for a ransom to access it Hacking/Misusing Computer Networks = Unauthorized access to private computers or networks

Match the following incident response concepts with their definitions:

Incident Response (IR) = Coordinated and structured approach to go from incident detection to resolution DFIR = Process of collecting, preserving, and analyzing electronic evidence in cyber security incidents Disk imaging = Imaging of a storage medium using forensic software or hardware Write blocker = Device that enables data to be acquired from a hard disk without modifying the disk’s data

Match the following types of cybercrime with their descriptions:

Cyber Bullying = Sending or sharing harmful content to embarrass someone Cyber Stalking = Unwanted persistent content to control and intimidate others Software Piracy = Illegal use or copy of paid software with violation of copyrights Social Media Frauds = Using fake social media accounts to perform harmful activities

Match the following types of cybercrime with their descriptions:

Online Drug Trafficking = Selling and trading illegal drugs online Electronic Money Laundering = Making approvable payment methods with incomplete payment information Cyber Extortion = Demanding money to give back stolen data or stop malicious activities Intellectual-property Infringements = Violating protected intellectual-property rights

Match the following digital forensics data with their descriptions:

Disk images = Bit-for-bit copy of a digital storage device, usually of a hard drive or hard disk Memory images = Computer’s RAM, which can be recorded by special software Application data = Host logs, network device logs, and software-specific logs

Match the following types of digital forensics with their descriptions:

Cloud Forensics = Focusing on data stored electronically in the cloud Computer Forensics = Focusing on data stored electronically in computers Mobile Forensics = Focusing on data stored electronically in mobile devices Network Forensics = Focusing on data stored electronically in networks

Match the following hardware tools with their uses in IR investigation:

Forensics in the Field = Laptop to perform forensic work and interface with specialized tools Disk duplication and imaging systems = Create copies of the data and keep original data safe Write blockers = Acquire data from a hard disk without modifying the disk’s data Digital cameras = Document the evidence

Match the following software tools with their uses in IR investigation:

Boot Disks = Operating Systems (OS) for disk imaging Disk Imaging Tools = Imaging of a storage medium using forensic software or hardware Memory Capture and Analysis = Capture and analyze computer’s RAM Log Analysis Tools = Analyze logs from various devices and systems

Match the following cybercrime with its primary usage:

Phishing and Scam = Social engineering attack Ransomware Attack = The most common type of attack Hacking/Misusing Computer Networks = Unauthorized access to private computers or networks Society Cybercrimes = Cyber-terrorism

Match the following concepts with their importance in IR investigation:

Encryption = Keep information about the case safe and protected Hash verification = Verify the integrity of the data during the imaging process Time zone = Important to consider during the investigation System function = Important to know during the investigation

Match the following types of cybercrime with their descriptions:

Online Recruitment Fraud = Fake job opportunities to obtain financial benefit or personal data Cyber Extortion = Demanding money to give back stolen data or stop malicious activities Intellectual-property Infringements = Violating protected intellectual-property rights Electronic Money Laundering = Making approvable payment methods with incomplete payment information

Match the following digital forensic terms with their descriptions:

Digital Forensics = Identifying, acquiring, processing, analyzing, and reporting on electronic data Digital Evidence = A component of criminal activities and digital forensics Cloud Forensics = Focusing on data stored electronically in the cloud Cybercrime = A type of crime that involves computers or networks

Match the following resources with their uses in IR investigation:

Virtual environments = Make analysis on the working copies of the data Shared forensics equipment = Various tools for data acquisition and analysis Case-Opening Tools = Open and analyze the case Hard drives for evidence storage = Store evidence data

Match the following types of cybercrime with their descriptions:

Social Media Frauds = Using fake social media accounts to perform harmful activities Online Drug Trafficking = Selling and trading illegal drugs online Cyber Bullying = Sending or sharing harmful content to embarrass someone Cyber Stalking = Unwanted persistent content to control and intimidate others

Match the following concepts with their descriptions in IR investigation:

Cyber security incidents = Attacks, unauthorized access, or other security breaches Incident resolution = Effort to quickly identify an attack, minimize its effects, and remediate the cause IR team = Team or department responsible for carrying out incident response practices DFIR specialists = Specialists who gather and inspect information to determine the cause of an incident

Match the following types of cybercrime with their descriptions:

Software Piracy = Illegal use or copy of paid software with violation of copyrights Intellectual-property Infringements = Violating protected intellectual-property rights Cyber Extortion = Demanding money to give back stolen data or stop malicious activities Ransomware Attack = Encrypting personal data and asking for a ransom to access it

Match the following data with their uses in IR investigation:

User logs = Information about user activity Web server access logs = Information about web server access Firewall logs = Information about network traffic and security VPN audit logs = Information about VPN access and security

Match the following types of cybercrime with their descriptions:

Hacking/Misusing Computer Networks = Unauthorized access to private computers or networks Identity Theft = Using another person's personal data to commit fraud or a crime Cybercrime = A type of crime that involves computers or networks Society Cybercrimes = Cyber-terrorism

Match the following concepts with their importance in DFIR investigation:

Data protection = Keep information about the case safe and protected Data analysis = Analyze data to determine the cause of an incident Data collection = Collect data from various sources Data storage = Store evidence data securely

Match the following concepts with their uses in incident response:

IR process = Structured approach to incident detection, response, and resolution Training and documentation = Important for IR team to know the process and procedures Hardware and software solutions = Tools used to perform IR tasks Investigation = Process of gathering and analyzing evidence

Match the following incident response checks with their corresponding descriptions:

Incident Summary Checklist = Gathers information about the incident Incident Detection Checklist = Examines the system's details and the nature of the incident Network Details Checklist = Provides information about the external malicious IP addresses and network configurations Malware Details Checklist = Details about the malware's detection and analysis

Match the following with their primary purposes in incident response:

Incident Summary = To provide overall context about the incident System Administrator = To manage the system's resources and access Network Monitoring = To detect and track malicious activity on the network Data Preservation = To store evidence securely for further analysis

Match the following types of incident response checks with the information they collect:

Incident Detection = Time of incident detection and the person who detected it Network Details = List of external malicious IP addresses and domain names Malware Details = Name of the malicious file and its directory System Details = System's make, model, and primary function

Match the following factors with their roles in incident response:

Nature of the Case = Determines the scope of the investigation Amount of Data Collected = Influences the analysis and evidence collection Search Warrant and Court Orders = Provides legal authority for evidence collection Policies = Guides the incident response process

Match the following with their roles in computer forensics:

DF Examiner = Analyzes the evidence and provides reports System Administrator = Manages the system's resources and access Investigator = Collects and analyzes evidence IR Team = Responds to and resolves incidents

Match the following with their characteristics in digital forensics:

Authentic = Ensures the evidence is genuine Complete = Includes all relevant data Reliable = Proven to be accurate and trustworthy Believable = Supported by credible evidence

Match the following with their roles in digital forensics:

FTK Imager = Creates forensic images of local hard drives and other storage devices DFL = Analyzes digital evidence and provides reports Disk Imaging = Creates a bit-for-bit copy of a digital storage device RAM Dump = Captures the contents of a computer's RAM

Match the following with their purposes in incident response:

Incident Response = To respond to and resolve incidents effectively Evidence Collection = To gather facts and data for analysis Incident Detection = To identify potential incidents and prevent further damage System Analysis = To understand the system's behavior and performance

Match the following with their roles in incident response:

IR Team = Responds to and resolves incidents System Administrator = Manages the system's resources and access DF Examiner = Analyzes the evidence and provides reports Investigator = Collects and analyzes evidence

Match the following with their importance in incident response:

Context = Helps to understand the incident's scope and impact Data Preservation = Ensures the integrity of the evidence System Analysis = Provides insights into the system's behavior and performance Incident Detection = Identifies potential incidents and prevents further damage

Match the following disk imaging formats with their features:

RAW = Stores all data from the original medium EWF = Contains features like Compression of data and Error-Checks AFF = Can be used for creating perfect copies of the original evidence DD = Stores all data from the original medium

Match the following FTK Imager features with their descriptions:

HASH REPORTS = Generate hash reports for regular files and disk images RAM CAPTURE = Allows you to perform memory capture or registry capture on a live device DISK IMAGING = Create perfect copies of the original evidence without making any changes to original evidence CASE METADATA = Contains information about running processes, active network connections, open files, encryption keys, and passwords

Match the following RAM dump features with their descriptions:

Volatile nature = Holds data temporarily while a computer is powered on Dynamic and live information = Contains real-time information about running processes, active network connections, open files, encryption keys, and passwords Uncovering hidden data = Reveals information about active malware, hidden processes, encrypted data in memory, or remnants of deleted files Preserves data after shutdown = Capturing a RAM dump becomes essential to preserve valuable evidence

Match the following computer forensics lab domains with their descriptions:

Active-system analysis = Deals with forensic information, user activity and log reports based off an actively running operating system Static media examination = Focuses on removable flash drives, external and internal hard disks, and other types of storage media that persists after a computer is shut down Digital Forensics Lab = A tightly controlled area for various levels of computer examination DFIR = Divides computer forensics labs into two domains: active-system analysis and static media examination

Match the following tools with their descriptions:

FTK Imager = An open-source software used for creating accurate copies of the original evidence without making any changes to original evidence Magnet Ram Capturer = A tool used for RAM capture or registry capture on a live device Volatility Framework = An open-source framework used for RAM dump analysis EnCase Forensic = A tool used for searching, identifying, and prioritizing potential evidence across computers, laptops, and mobile devices

Match the following disk imaging features with their descriptions:

Compression of data = Reduces the size of the image file Encryption of data = Secures the image file with a password or encryption key Error-Checks = Verifies the integrity of the image file Splitting the image in chunks = Divides the image file into smaller manageable chunks

Match the following digital forensics concepts with their descriptions:

Tolerance of hardware errors = Allows for the creation of accurate copies of the original evidence despite hardware errors Hash sums = Verifies the integrity of the image file Case Metadata = Contains information about the case evidence Disk Imaging = Creates a perfect copy of the original evidence without making any changes to original evidence

Match the following digital forensics tools with their uses:

FTK Imager = Used for creating forensic images of local hard drives, floppy disks, Zip disks, CDs, and DVDs Magnet Ram Capturer = Used for RAM capture or registry capture on a live device Volatility Framework = Used for RAM dump analysis EnCase Forensic = Used for searching, identifying, and prioritizing potential evidence across computers, laptops, and mobile devices

Match the following digital forensics features with their descriptions:

HASH REPORTS = Generate hash reports for regular files and disk images RAM CAPTURE = Allows you to perform memory capture or registry capture on a live device CASE METADATA = Contains information about the case evidence DISK IMAGING = Creates a perfect copy of the original evidence without making any changes to original evidence

Match the following digital forensics concepts with their descriptions:

Volatile memory = Holds data temporarily while a computer is powered on Dynamic and live information = Contains real-time information about running processes, active network connections, open files, encryption keys, and passwords RAM dump = Captures the contents of a computer's memory Disk imaging = Creates a perfect copy of the original evidence without making any changes to original evidence

Match the following Windows event logs with their descriptions:

Security = contains incidents related to security events Setup = captures incidents of installation or upgrading of the Windows operating system System = contains messages generated by the Windows operating system Forwarded Events = contains events which are forwarded by other computers

Match the following steps with the guidelines for handling digital evidence:

Label and seal = Uniquely label and seal the evidence with a proper container Document = Details of the device including type, serial number, and manufacture Not left unattended = Keep the evidence away from any source of contamination Preservation = Keep the original evidence safe

Match the following steganography techniques with their descriptions:

Embedding text in a picture = Hiding sensitive information within an image file Backward masking a message in an audio file = Concealing information in an audio file Concealing information in metadata = Hiding data in file headers or metadata Hiding an image in a video = Concealing data in a video file

Match the following log levels with their descriptions:

Error = important in terms of forensic investigations Audit Success = important in terms of forensic investigations Audit Failure = important in terms of forensic investigations Information = provides insight about the incidents occurred on the system

Match the following incident response tools with their descriptions:

Splunk = is a critical step toward ensuring that your environment can support effective incident response LogRhythm = is a critical step toward ensuring that your environment can support effective incident response Varonis = is a critical step toward ensuring that your environment can support effective incident response EnCase = helps investigators quickly search, identify, and prioritize potential evidence

Match the following forensic tools with their purposes:

Stegdetect = Detecting steganography in digital files Xsteg = Identifying hidden information in files StegAlyzerAS = Analyzing digital files for steganography StegSpy = Detecting and extracting hidden data

Match the following EnCase features with their descriptions:

Acquisition = includes Smartphone and Tablet support Processing = automate common tasks associated with preparing evidence for investigation Deep Forensic Analysis = includes new supported files and encryption support Reporting = includes customizable templates and easy export options

Match the following data types with their extraction methods:

Emails = Extracting emails from digital devices Internet Browsers = Analyzing browser history and cache Pictures and Videos = Extracting multimedia files using hash comparison Software = Analyzing installed software and applications

Match the following Windows Event Logs channels with their descriptions:

Application = Contains information logged by applications on the system System = Stores system-level events and errors Security = Logs security-related events and activities Setup = Tracks system setup and configuration events

Match the following mobile digital forensics software features with their descriptions:

Call logs = can extract data Photos = can extract data Browsers history = can extract data Deleted files = can extract data

Match the following digital forensic tools with their descriptions:

EnCase Forensic = Helps investigators quickly search and identify potential evidence FTK Imager = Creates accurate copies of the original evidence StegAlyzerAS = Analyzes digital files for steganography StegSpy = Detects and extracts hidden data

Match the following digital forensics examiners' goals with their descriptions:

Extract all passcodes = prior to conducting the work Extract all passwords = prior to conducting the work Extract all patterns = prior to conducting the work Gather all evidence = prior to conducting the work

Match the following Windows event logs storage locations with their descriptions:

System32/winevt/Logs = stores event logs in XML format System32/Logs = stores event logs in XML format System/Winevt/Logs = stores event logs in XML format Winevt/Logs = stores event logs in XML format

Match the following digital forensic concepts with their descriptions:

Anti-static shielding bags = Protects electronic items from damage during transportation and storage Physical extraction = Retrieves the device's file system and interprets the data during processing Logical extraction = Recovers deleted files and data Disk images = A bit-for-bit copy of a digital storage device

Match the following incident response steps with their descriptions:

Gathering facts = Collecting information about the incident Log analysis = Analyzing logs to identify incident details Network monitoring = Monitoring network traffic for suspicious activity Incident detection = Identifying and reporting suspicious events

Match the following incident response activities with their descriptions:

Configuring adequate logging = is a critical step toward ensuring that your environment can support effective incident response Aggregating logs = is a critical step toward ensuring that your environment can support effective incident response Analyzing logs = is a critical step toward ensuring that your environment can support effective incident response Responding to incidents = is a critical step toward ensuring that your environment can support effective incident response

Match the following EnCase Forensic features with their descriptions:

Tagging = creates custom tags and applies to any file Unified Search = searches across the entire case from one easy to use interface Index = includes hash records and enables easy export of files Reporting = includes customizable templates and easy export options

Match the following cybercrime types with their descriptions:

Cyber extortion = Demanding money or favors in exchange for not causing harm Cyber bullying = Targeting individuals or systems with harmful activities Social media fraud = Using social media to commit fraud or harm Property Cybercrimes = Targeting individuals' personal information

Match the following log aggregator tools with their descriptions:

SIEM = is a critical step toward ensuring that your environment can support effective incident response ManageEngine = is a critical step toward ensuring that your environment can support effective incident response IBMQRadar = is a critical step toward ensuring that your environment can support effective incident response SolarWinds = is a critical step toward ensuring that your environment can support effective incident response

Match the following digital forensic techniques with their descriptions:

JTAG and Chip-Off = Extracting data from damaged or locked mobile devices Memory imaging = Capturing a snapshot of a device's memory Steganography = Hiding sensitive information within ordinary files Hash reports = Verifying the integrity of digital evidence

Match the following mobile device data extraction methods with their descriptions:

Logical Extraction = Receiving information from the mobile device and allowing it to present the data for analysis. File System Dump (FSD) = A hybrid of Physical Extraction and Logical Extraction, retrieving the device's file system and interpreting the data during processing. Physical Extraction = Acquiring raw binary data from the media storage of the device and analyzing it later. Manual Extraction = Accessing the device and recording data displayed on the screen with photographs or video.

Match the following data types with the methods that can extract them:

Live Data = Logical Extraction Deleted Files = Physical Extraction Databases holding deleted messages = File System Dump (FSD) Raw Binary Data = JTAG / Chip-Off / Rooting / Jail Breaking

Match the following limitations with the data extraction methods:

Cannot recover deleted files = Logical Extraction Does not retrieve all deleted data = File System Dump (FSD) Requires high technical skill = JTAG / Chip-Off / Rooting / Jail Breaking Limited by device model or recent launch = Manual Extraction

Match the following data extraction methods with their benefits:

Logical Extraction = Allows access to live data only Physical Extraction = Allows access to live and deleted data, operating system files, and areas not normally accessible to the user. File System Dump (FSD) = Retrieves databases holding deleted messages and may not be accessible during a physical extraction JTAG / Chip-Off / Rooting / Jail Breaking = Allows extraction of raw binary data from damaged or locked devices

Match the following data extraction methods with the devices they are suitable for:

Logical Extraction = All mobile devices Physical Extraction = Most mobile devices, except those with encryption File System Dump (FSD) = Most mobile devices, except those with encryption JTAG / Chip-Off / Rooting / Jail Breaking = Damaged or locked devices, and IOT devices

Match the following data extraction methods with the level of technical skill required:

Logical Extraction = Low technical skill Physical Extraction = Moderate technical skill File System Dump (FSD) = Moderate technical skill JTAG / Chip-Off / Rooting / Jail Breaking = High technical skill

Match the following data extraction methods with the type of data retrieved:

Logical Extraction = Live data only Physical Extraction = Live and deleted data, operating system files, and areas not normally accessible to the user File System Dump (FSD) = Databases holding deleted messages and live data Manual Extraction = Data displayed on the screen

Match the following data extraction methods with the limitations of forensic software:

Logical Extraction = Cannot recover deleted files Physical Extraction = Cannot access devices with encryption File System Dump (FSD) = Does not retrieve all deleted data Manual Extraction = Limited by device model or recent launch

Match the following data extraction methods with the risks involved:

Logical Extraction = No risk of data loss Physical Extraction = No risk of data loss File System Dump (FSD) = No risk of data loss Chip-Off = Device will be damaged and can no longer be used

Match the following data extraction methods with the level of data analysis required:

Logical Extraction = Minimal analysis required Physical Extraction = Moderate analysis required File System Dump (FSD) = Moderate analysis required JTAG / Chip-Off / Rooting / Jail Breaking = High analysis required