You have run a suspicious file in a sandbox analysis tool to see what the file does. The analysis report shows that outbound callouts were made post-infection.
Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)
Answer : BE
Reference:
https://digital-forensics.sans.org/blog/2012/07/26/four-focus-areas-of-malware-analysis
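Whatever the exam's lettered options are, investigating a sandbox callout in practice starts by pulling, for each outbound connection, where it went (hostname and/or IP), how (protocol and port), and which process made it. The following is an added example, not code from the original page or from any sandbox product: the JSON layout, field names and the sample report are constructed and hypothetical, and the destination addresses are TEST-NET placeholders.

```python
"""Extract the investigable facts from a sandbox report's outbound callouts.

Added example, not from the original page or any sandbox vendor. The JSON
layout below is a constructed, hypothetical shape; real products use their
own schemas, so every field name here is an assumption.
"""
import json
from ipaddress import ip_address, ip_network

# Constructed sample report: one infected process makes two Internet callouts,
# plus one internal NetBIOS packet that is sandbox housekeeping, not a callout.
# 198.51.100.0/24 and 203.0.113.0/24 are TEST-NET documentation ranges.
SAMPLE_REPORT = json.dumps({
    "network": [
        {"ts": "2024-01-01T10:00:05Z", "pid": 4412, "process": "svchost.exe",
         "proto": "tcp", "dst_ip": "198.51.100.23", "dst_port": 443,
         "hostname": "update.example.net"},
        {"ts": "2024-01-01T10:00:09Z", "pid": 4412, "process": "svchost.exe",
         "proto": "tcp", "dst_ip": "203.0.113.9", "dst_port": 8080,
         "hostname": None},
        {"ts": "2024-01-01T10:00:10Z", "pid": 880, "process": "System",
         "proto": "udp", "dst_ip": "10.0.0.2", "dst_port": 137,
         "hostname": None},
    ]
})

# RFC 1918, loopback and link-local: traffic here never left the sandbox LAN.
# (ipaddress.is_private is deliberately not used: it also treats the TEST-NET
# placeholder ranges above as non-global, which would hide the sample callouts.)
_INTERNAL = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def _is_internal(ip_text: str) -> bool:
    ip = ip_address(ip_text)
    return any(ip in net for net in _INTERNAL)


def extract_callouts(report_json: str) -> list:
    """Return one record per outbound callout with the fields needed to pivot.

    Each record keeps the destination (hostname and/or IP), the transport
    (protocol and port), the originating process, and the time, which is what
    lets an analyst tie the network event back to the infection and then
    search the same indicators in proxy, firewall and DNS logs.
    """
    report = json.loads(report_json)
    callouts = []
    for ev in report.get("network", []):
        if _is_internal(ev["dst_ip"]):
            continue
        callouts.append({
            "ts": ev["ts"],
            "process": f"{ev['process']} (pid {ev['pid']})",
            "hostname": ev.get("hostname"),
            "dst_ip": ev["dst_ip"],
            "dst_port": ev["dst_port"],
            "proto": ev["proto"],
        })
    return callouts


def network_indicators(callouts: list) -> list:
    """Deduplicated (indicator, port, proto) tuples ready for blocking or hunting.

    The hostname is preferred when the sandbox captured one: C2 infrastructure
    changes IP addresses more often than it changes domain names.
    """
    seen = set()
    for c in callouts:
        seen.add((c["hostname"] or c["dst_ip"], c["dst_port"], c["proto"]))
    return sorted(seen)


if __name__ == "__main__":
    for c in extract_callouts(SAMPLE_REPORT):
        print(c)
    print(network_indicators(extract_callouts(SAMPLE_REPORT)))
```

The internal-address filter is the one judgement call worth keeping in mind: a callout to a private address inside a corporate sandbox can still be meaningful (lateral movement), so in a non-isolated environment log it separately rather than dropping it.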
A CMS plugin creates two files that are accessible from the Internet: myplugin.html and exploitable.php. A newly discovered exploit takes advantage of an injection vulnerability in exploitable.php. To exploit the vulnerability, an attacker must send an HTTP POST with specific variables to exploitable.php. You see traffic to your web server that consists only of HTTP GET requests to myplugin.html.
Which category best describes this activity?
Answer : B
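The scenario turns on matching observed requests against the exploit's precondition (POST to exploitable.php): GET requests to a different file do not satisfy it. The following is an added example, not code from the original page, that encodes that precondition and triages constructed access-log lines against it. The deploy path /plugins/myplugin/ and the log lines are assumptions; because an access log does not record the POST body, the "specific variables" the exploit needs cannot be checked here, so a match on method and path is flagged as a candidate rather than a confirmed exploit.

```python
"""Triage web server access-log lines against a known exploit precondition.

Added example, not from the original page. The plugin path, the log lines and
the category names are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Combined log format (Apache/nginx default). The request body is not logged,
# so only method and path can be checked against the exploit precondition.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

VULNERABLE_PATH = "/plugins/myplugin/exploitable.php"  # assumed deploy path
EXPLOIT_METHOD = "POST"

# Constructed sample lines: two GETs to myplugin.html (the question's scenario),
# then one POST and one GET to the vulnerable file from another client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /plugins/myplugin/myplugin.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /plugins/myplugin/myplugin.html?view=list HTTP/1.1" 200 4890
198.51.100.4 - - [10/Oct/2023:14:02:11 +0000] "POST /plugins/myplugin/exploitable.php HTTP/1.1" 200 213
198.51.100.4 - - [10/Oct/2023:14:02:12 +0000] "GET /plugins/myplugin/exploitable.php HTTP/1.1" 200 213
"""


def classify(line: str) -> tuple:
    """Map one access-log line to a triage category and a short reason.

    Categories:
      exploit_precondition_met  method and path match the known exploit
      vulnerable_file_touched   path matches but method does not (probe or benign)
      unrelated                 anything else, e.g. GET myplugin.html
      unparsed                  line did not match the expected log format
    """
    m = LOG_RE.match(line)
    if not m:
        return "unparsed", "line does not match combined log format"
    method = m["method"]
    path = urlsplit(m["target"]).path  # drop the query string before comparing
    if path == VULNERABLE_PATH:
        if method == EXPLOIT_METHOD:
            return "exploit_precondition_met", f"{method} to {path} from {m['ip']}"
        return "vulnerable_file_touched", f"{method} (not {EXPLOIT_METHOD}) to {path}"
    return "unrelated", f"{method} to {path} does not involve {VULNERABLE_PATH}"


def triage(log_text: str) -> dict:
    """Count lines per category; the question's GET-only traffic is all 'unrelated'."""
    counts = {}
    for line in log_text.splitlines():
        if line.strip():
            category, _ = classify(line)
            counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line))
    print(triage(SAMPLE_LOG))
```

Comparing on the parsed path rather than the raw request target matters: `GET /plugins/myplugin/myplugin.html?view=list` is still a request for myplugin.html, and a substring match on "exploitable.php" anywhere in the target would fire on a query parameter that merely mentions the file.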
During which phase of the forensic process are tools and techniques used to extract the relevant information from the collective data?
Answer : A
Explanation:
Examination involves forensically processing large amounts of collected data, using a combination of automated and manual methods, to assess and extract data of particular interest while preserving the integrity of the data. Forensic tools and techniques appropriate to the types of data that were collected are executed to identify and extract the relevant information while protecting its integrity.
Reference:
http://resources.infosecinstitute.com/computer-forensics-investigation-case-study/#gref
Which feature is used to find possible vulnerable services running on a server?
Answer : D
Which element can be used by a threat actor to discover a possible opening into a target network and can also be used by an analyst to determine the protocol of the malicious traffic?
Answer : B
Which of the following is not a metadata feature of the Diamond Model?
Answer : C
Which of the following has been used to evade IDS and IPS devices?
Answer : D
Which of the following can be identified by correlating DNS intelligence and other security events? (Choose two.)
Answer : AC
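The correlation the question asks about is, concretely, a join: a DNS intelligence list says which domains are bad, DNS query logs say which host resolved them and to what address, and connection logs say whether that host then actually reached the resolved address. The following is an added example, not code from the original page; the intel list, both log sets, the host addresses and the five-minute correlation window are constructed assumptions.

```python
"""Correlate DNS query logs with connection logs against a domain intel list.

Added example, not from the original page. Log shapes, host names, the intel
list and the correlation window are constructed; real feeds and sensors differ.
"""
from datetime import datetime, timedelta


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed intel feed: one known command-and-control domain.
BAD_DOMAINS = {"c2.example.net"}

# Constructed DNS resolver log: (time, client, queried name, answer IP).
DNS_LOG = [
    ("2024-03-01T09:00:01Z", "10.1.1.20", "www.example.org", "198.51.100.10"),
    ("2024-03-01T09:00:05Z", "10.1.1.20", "c2.example.net", "203.0.113.44"),
    ("2024-03-01T09:30:00Z", "10.1.1.31", "c2.example.net", "203.0.113.44"),
]

# Constructed firewall/NetFlow log: (time, source, destination, dst port, bytes out).
CONN_LOG = [
    ("2024-03-01T09:00:06Z", "10.1.1.20", "203.0.113.44", 443, 1500),
    ("2024-03-01T09:00:07Z", "10.1.1.20", "198.51.100.10", 443, 800),
    ("2024-03-01T09:45:00Z", "10.1.1.31", "203.0.113.44", 443, 90000),
]


def correlate(dns_log, conn_log, bad_domains, window_s: int = 300) -> list:
    """Return one finding per resolution of a bad domain.

    A finding is connected=True when the same client opened a connection to
    the resolved IP within window_s seconds after the lookup. Resolved-only
    findings are still reported: the lookup itself identifies an infected
    host even if the connection was blocked or fell outside the window.
    """
    window = timedelta(seconds=window_s)
    conns_by_src = {}
    for ts, src, dst, dport, _ in conn_log:
        conns_by_src.setdefault(src, []).append((_ts(ts), dst, dport))

    findings = []
    for ts, client, qname, answer in dns_log:
        if qname not in bad_domains:
            continue
        t0 = _ts(ts)
        hit = None
        for ct, dst, dport in sorted(conns_by_src.get(client, [])):
            if dst == answer and t0 <= ct <= t0 + window:
                hit = (ct, dport)
                break
        findings.append({
            "host": client,
            "domain": qname,
            "resolved_ip": answer,
            "lookup_ts": ts,
            "connected": hit is not None,
            "conn_ts": hit[0].strftime("%Y-%m-%dT%H:%M:%SZ") if hit else None,
            "dst_port": hit[1] if hit else None,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(DNS_LOG, CONN_LOG, BAD_DOMAINS):
        print(f)
```

In the sample data the second host's connection arrives fifteen minutes after its lookup, outside the window, so it is reported as resolved-only; whether that should count depends on the TTL of the answer and on how the client caches, which is why the window is a parameter rather than a constant.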
Which of the following is an example of a managed security offering where incident response experts monitor and respond to security alerts in a security operations center (SOC)?
Answer : B
Which of the following is not an example of weaponization?
Answer : A
Which of the following are core responsibilities of a national CSIRT and CERT?
Answer : B
Which of the following is one of the main goals of the CSIRT?
Answer : C
Which of the following are examples of some of the responsibilities of a corporate CSIRT and the policies it helps create? (Select all that apply.)
Answer : BCD
Which of the following is one of the main goals of data normalization?
Answer : B