with 100% Correct Answers | Verified | Latest Update 2026
Terms in this set (110)
What info should be requested from a vendor in order to validate the application files downloaded?
A. File size and file creation date
B. MD5 hash
C. Private key and cryptographic hash
D. Public key and cryptographic hash
Answer: B. Only a verifiable MD5 hash is needed to validate the files under most circumstances.

If a company compliant with PCI DSS experiences a breach of credit card data, what type of disclosure will they be required to provide?
A. Notification to local law enforcement
B. Notification to their acquiring bank
C. Notification to federal law enforcement
D. Notification to Visa and Mastercard
Answer: B. Organizations that process credit cards work with acquiring banks to handle their card processing, rather than directly with the card providers.

Which option accomplishes a drive purge?
A. Cryptographic erase
B. Reformat
C. Overwrite
D. Repartition
Answer: A. Purging requires complete removal of data, and cryptographic erase is the only option that will fully destroy the contents of a drive from this list. Reformatting will leave the original data in place, overwriting leaves the potential for file remnants in slack space, and repartitioning will also leave data intact in the new partitions.

A forensic team needs to send an image of a compromised system in RAW format to the forensic examiner. What step should be taken prior to sending a drive containing the image?
A. Encode in E01 format and provide a hash of the original file on the drive
B. Encode in FTK format and provide a hash of the new file on the drive
C. Encrypt the RAW file and transfer a hash and key under separate cover
D. Decrypt the RAW file and transfer a hash under separate cover
Answer: C. A general best practice when dealing with sensitive systems is to encrypt copies of the drives before they are sent to third parties.

An admin wants to use a system exhibiting beaconing behavior to identify other infected systems. How can a fingerprint be created for the beaconing without modifying the infected system?
A. Plug the system into the network and capture the traffic quickly at the firewall using Wireshark or tcpdump
B. Plug the system into an isolated switch and use a span port or tap and Wireshark/tcpdump to capture traffic
C. Review the ARP cache for outbound traffic
D. Review the Windows firewall log for traffic logs
Answer: B. A temporary untrusted network segment can be created and a span port or tap can be used to see traffic leaving the infected workstation. Wireshark or tcpdump can be used to help build a fingerprint of the beaconing behavior.

While investigating a system error, an admin runs the 'df' command on a Linux box. What is the likely problem and cause based on the following output:
A. The var partition is full and needs to be wiped
B. Slack space has filled up and needs to be purged
C. The var partition is full, and logs should be checked
D. The system is operating normally and will fix the problem after a reboot
Answer: C. When /var fills up, it is typically due to log files filling up all available space.

In order, which set of Linux permissions are least permissive to most permissive?
A. 777, 444, 111
B. 544, 444, 545
C. 711, 717, 117
D. 111, 734, 747
Answer: D. Linux permissions are read numerically as "owner, group, other". The numbers stand for read:4, write:2, and execute:1. Thus, a 7 provides that person, group, or other with read, write, and execute. A 4 means read-only; a 5 means read and execute, without write. 777 provides the broadest set of permissions, and 000 provides the least.

Which of the following threats can be most effectively dealt with via awareness?
A. Attrition
B. Impersonation
C. Improper usage
D. Web
Answer: C. Improper usage, which results from violations of an acceptable use policy by authorized users, can be reduced by implementing a strong awareness program.