Cisco (300-215-CBRFIR) Exam Questions And Answers page 5
What is the tool used for reverse engineering malware?
Which tool is used for reverse engineering malware?
SNORT
Wireshark
NMAP
Malware Analysis
Incident Response
Refer to the exhibit. Which encoding technique is represented by this HEX string?
Unicode
Binary
Base64
Charcode
Network Forensics
Malware Analysis
Refer to the exhibit. Which two actions should be taken based on the intelligence information? (Choose two.)
Block network access to all .shop domains
Add a SIEM rule to alert on connections to identified domains.
Use the DNS server to black hole all .shop requests.
Block network access to identified domains.
Route traffic from identified domains to a black hole.
Introduction to Forensic Analysis and Incident Response
Incident Response
A website administrator has an output of an FTP session that runs nightly to download and unzip files to a local staging server. The download includes thousands of files, and the manual process used to find how many files failed to download is time-consuming. The administrator is working on a PowerShell script that will parse a log file and summarize how many files were successfully downloaded versus ones that failed. Which script will read the contents of the file one line at a time and return a collection of objects?
Get-Content-Folder \\Server\FTPFolder\Logfiles\ftpfiles.log | Show-From ERROR , SUCCESS
Get-Content ifmatch \\Server\FTPFolder\Logfiles\ftpfiles.log | Copy-Marked ERROR , SUCCESS
Get-Content Directory \\Server\FTPFolder\Logfiles\ftpfiles.log | Export-Result ERROR , SUCCESS
Get-Content Path \\Server\FTPFolder\Logfiles\ftpfiles.log | Select-String ERROR , SUCCESS
Introduction to Forensic Analysis and Incident Response
Host Forensics
An employee receives an email from a trusted person containing a hyperlink that is malvertising. The employee clicks the link and the malware downloads. An information analyst observes an alert at the SIEM and engages the cybersecurity team to conduct an analysis of this incident in accordance with the incident response plan. Which event detail should be included in this root cause analysis?
phishing email sent to the victim
alarm raised by the SIEM
information from the email header
alert identified by the cybersecurity team
Introduction to Forensic Analysis and Incident Response
Incident Response
A security team received reports of users receiving emails linked to external or unknown URLs that are non-returnable and non-deliverable. The ISP also reported a 500% increase in the amount of ingress and egress email traffic received. After detecting the problem, the security team moves to the recovery phase in their incident response plan. Which two actions should be taken in the recovery phase of this incident? (Choose two.)
verify the breadth of the attack
collect logs
request packet capture
remove vulnerabilities
scan hosts with updated signatures
Introduction to Forensic Analysis and Incident Response
Incident Response
Refer to the exhibit. An employee notices unexpected changes and setting modifications on their workstation and creates an incident ticket. A support specialist checks processes and services but does not identify anything suspicious. The ticket was escalated to an analyst who reviewed this event log and also discovered that the workstation had multiple large data dumps on network shares. What should be determined from this information?
log tampering
data obfuscation
reconnaissance attack
brute-force attack
Introduction to Forensic Analysis and Incident Response
Incident Response
Refer to the exhibit. According to the Wireshark output, what are two indicators of compromise for detecting an Emotet malware download? (Choose two.)
Domain name: iraniansk.com
Server: nginx
Hash value: 5f31ab113af08=1597090577
filename= Fy.exe
Content-Type: application/octet-stream
Network Forensics
Malware Analysis
Refer to the exhibit. What should be determined from this Apache log?
A module named mod_ssl is needed to make SSL connections.
The private key does not match with the SSL certificate.
The certificate file has been maliciously modified.
The SSL traffic setup is improper.
Introduction to Forensic Analysis and Incident Response
Incident Response
Refer to the exhibit. Which two actions should be taken as a result of this information? (Choose two.)
Update the AV to block any file with hash cf2b3ad32a8a4cfb05e9dfc45875bd70.
Block all emails sent from an @state.gov address.
Block all emails with pdf attachments.
Block emails sent from [email protected] with an attached pdf file with md5 hash cf2b3ad32a8a4cfb05e9dfc45875bd70.
Block all emails with subject containing cf2b3ad32a8a4cfb05e9dfc45875bd70.
Introduction to Forensic Analysis and Incident Response
Incident Response