Exam (worked solutions)

CompTIA Cybersecurity CySA+ (CS0- 001): Practice Test #1 of 2 - Results

Rating: -
Sold: -
Pages: 41
Grade: A+
Uploaded on: 08-04-2022
Written in: 2021/2022

Which of the following statements best describes an audit file?
A. It updates lists of scanned hosts, to avoid unnecessarily rescanning these hosts.
B. It produces a list of vulnerabilities found on scanned hosts.
C. It produces a list of the hosts that are scanned.
D. It gives instructions used to assess the configuration of endpoints and network devices against a compliance policy.
Correct answer: D. It gives instructions used to assess the configuration of endpoints and network devices against a compliance policy.

Explanation
Correct Answer: An audit file in Nessus gives the scan instructions used to assess the configuration of endpoints and network devices against a compliance policy.
Incorrect Answers: An audit file is used prior to the scan and does not produce any lists or results after a scan.

Which of the following are two types of requirements in the SDLC model?
A. Nonfunctional and performance requirements
B. Functional and nonfunctional requirements
C. Functional and performance requirements
D. Functional and security requirements
Correct answer: B. Functional and nonfunctional requirements

Explanation
Correct Answer: Functional requirements describe what the software must do, and nonfunctional requirements describe how the software must do these things—or what the software must be like.
Incorrect Answers:
A. Performance requirements are nonfunctional requirements. Performance requirements dictate how well the software must function, which is a nonfunctional requirement.
D. A security requirement defines the behaviors and characteristics a system must possess in order to achieve and maintain an acceptable level of security by itself, and in its interactions with other systems. Security requirements are also nonfunctional requirements.

Which of the following is an effective way that attackers can use an organization's bandwidth to hide data exfiltration?
A. By exfiltrating data during periods of low use.
B. By hiding data exfiltration during periods of peak use.
C. By attaching sensitive data to otherwise innocuous data while exfiltrating it.
D. By downloading information quickly before getting caught.
Correct answer: B. By hiding data exfiltration during periods of peak use.

Explanation
Correct Answer: Patient attackers can hide data exfiltration during periods of peak use by using a low-and-slow approach that can make them exceptionally difficult to detect if administrators are just looking at network traffic. Most attackers, however, will attempt to download sensitive information quickly and thus generate distinctive signals.
Incorrect Answers: Each of these other methods will typically trigger alarms and alert administrators to data leaving the network.

All of the following are common vulnerabilities that plague most systems within an organization, EXCEPT:
A. Weak passwords
B. Misconfigured firewall rules
C. Missing patches or updates
D. Need for compensating controls
Correct answer: D. Need for compensating controls

Explanation
Correct Answer: The need for compensating controls is not a vulnerability; it is actually a mitigation for vulnerabilities that are not adequately addressed. A compensating control is added to compensate for a weakness in an existing control, to make the control stronger.
Incorrect Answers: All of these other choices are common vulnerabilities found in most organizations and affect a variety of systems.

During a penetration test exercise, which type of team is responsible for defending the network against the penetration testers and simulated attacks?
A. Red team
B. Green team
C. Blue team
D. White team
Correct answer: C. Blue team

Explanation
Correct Answer: The blue team is the focus of the exercise, as they are defending the network being tested. Their response capabilities and procedures reflect how effective the penetration testing team, also known as the red team, is in its attacks.
Incorrect Answers: The red team is the penetration testing team, the blue team the defenders, the white team is composed of the exercise planners and coordinators, and green team is not a valid answer.

A large number of ARP queries might indicate which of the following types of attack?
A. TCP SYN flood
B. Cross-site scripting (XSS) attack
C. Ping sweep
D. Man-in-the-middle (MITM) attack
Correct answer: C. Ping sweep

Explanation
Correct Answer: A large number of ARP queries could indicate that the organization's systems are being scanned, such as during a ping sweep, so the hosts' MAC addresses can be resolved to IP addresses. This is merely a reconnaissance activity designed to map out the network.
Incorrect Answers: These other choices are active attacks not related to reconnaissance.
D. A man-in-the-middle (MITM) attack involves an attacker inserting himself into an active conversation.
B. A cross-site scripting (XSS) attack is a web-based attack and does not involve generating ARP traffic.
A. A TCP SYN flood involves sending a large number of TCP segments with the synchronize (SYN) flag set but never completing the three-way TCP handshake. This causes a denial of service (DoS) condition for some hosts.

A routine vulnerability scan conducted weekly on different network segments is most likely to be performed by which of the following?
A. Blue team
B. Red team
C. White team
D. Green team
Correct answer: A. Blue team

Explanation
Correct Answer: A blue team consists of network defenders and security administrators, who would be responsible for routine security tasks such as patching and vulnerability scanning.
Incorrect Answers: A red team is a penetration testing team, and a white team is responsible for planning and coordinating the penetration test.
D. Finally, green team is an invalid answer.

Which of the following best describes a situation in which a mitigation would be most likely to be selected to protect an asset from risk?
A. An asset that has a value of $10,000, which might incur $9,000 worth of damage in a given risk scenario, but can be protected by a mitigation that costs $11,000
B. An asset that has a value of $10,000, which might incur $5000 worth of damage in a given risk scenario, but can be protected by a mitigation that costs $1000
C. An asset that has a value of $10,000, which might incur $5000 worth of damage in a given risk scenario, but can be protected by a mitigation that costs $10,000
D. An asset that has a value of $10,000, which might incur $500 worth of damage in a given risk scenario, but can be protected by a mitigation that costs $1000
Correct answer: B. An asset that has a value of $10,000, which might incur $5000 worth of damage in a given risk scenario, but can be protected by a mitigation that costs $1000

All of the following are metrics associated with the Common Vulnerability Scoring System (CVSS), EXCEPT:
A. Security level
B. Temporal
C. Base
D. Groups
Correct answer: A. Security level

Explanation
Correct Answer: Metrics associated with the Common Vulnerability Scoring System (CVSS) are groups, base, temporal, and environmental. Security level is not a metric in CVSS.
Incorrect Answers: These other choices are all metrics associated with the Common Vulnerability Scoring System.

Which authority reviews and certifies trusted foundry organizations?
A. National Security Agency
B. Department of Commerce
C. National Institute for Standards and Technology
D. Central Intelligence Agency
Correct answer: A. National Security Agency

Explanation
Correct Answer: The National Security Agency (NSA) is the centralized authority for computer and communications security that certifies trusted foundry organizations.
Incorrect Answers: None of these other agencies is charged with certifying trusted foundry manufacturers.

Your organization has recently purchased several routers from a distributor with whom you have never done business. At various times, each of the devices has behaved strangely, sending traffic to unknown hosts on the Internet, or not functioning as they have been configured. You suspect that they are counterfeit devices, and possibly compromised. What should you do in the future to ensure that this issue does not occur again?
A. Source authenticity
B. Device certification
C. Firmware hashing
D. Hardware reverse engineering
Correct answer: A. Source authenticity

Explanation
Correct Answer: Source authenticity means that you are verifying the distribution source, as well as the manufacturer of the product you are buying. This ensures that you are buying products that are not counterfeit, or compromised in any way.
Incorrect Answers:
C. Firmware hashing allows you to verify firmware upgrades for an existing device.
D. Reverse engineering hardware is something that is done after the fact to determine how an attacker has compromised the device, from its manufacture through the final purchase and delivery.
B. Device certification is a process from the manufacturer or an independent organization in which the product is verified as performing certain functions, or performs to a certain performance or security standard. This alone will not solve the problem of counterfeit or compromised devices, because they can be modified after they leave the manufacturer anywhere in the supply chain.

You have just performed a vulnerability scan on a system and are reviewing the scan results. You want to immediately eliminate vulnerabilities that might not actually be present on the system. Which of the following should you review first to ensure that you eliminate those types of vulnerabilities?
A. False exceptions
B. False negatives
C. False plug-ins
D. False positives
Correct answer: D. False positives

Explanation
Correct Answer: False positives are those types of vulnerabilities that may be reported by the scanner but actually either don't exist or are not vulnerabilities. An example might be a Windows patch that is not present on a Linux box, but is reported as a vulnerability on the box.
Incorrect Answers: False negatives are actual vulnerabilities that were not discovered during a scan. False plug-ins and false exceptions are terms that do not exist.

Which one of the following report formats from Nessus is the most useful when importing data into analysis databases or specialized applications?
A. Binary
B. CSV
C. PDF
D. HTML
Correct answer: B. CSV

Explanation
Correct Answer: Comma Separated Value (CSV) format is a universally accepted text-based format that can be exported from and imported into most applications.
Incorrect Answers:
C. Not all applications accept PDF inputs, and then only as attached artifacts. Most applications cannot take data directly from PDF.
D. Although HTML is sometimes used to generate reports for visual review, it is not a data format per se; it simply formats existing data for display.
A. Not all applications can take direct binary data. Some SIEMs, for example, can only accept text-based data. Additionally, Nessus does not export its findings as binary data.

Which of the following terms refers to a hardware vendor that can be counted on to produce trusted hardware?
A. Trusted foundry
B. Trusted producer
C. Trusted vendor
D. Trusted developer
Correct answer: A. Trusted foundry

Explanation
Correct Answer: A hardware manufacturer that produces trusted hardware that isn't considered counterfeit or has not been tampered with is referred to as a trusted foundry.
Incorrect Answers: None of these other terms refers to a trusted hardware manufacturer.
D. A trusted developer produces software, not hardware.
C. A trusted vendor may sell various types of hardware or software, but does not manufacture them.
B. Trusted producer is not a valid term.

You are securing a sensitive network. You want to set up a solution on the network that doesn't allow malicious traffic to return to a potential attacker. In addition to rule sets on intrusion detection systems, which of the following solutions would prevent ICMP responses from returning to a potential attacker's host machine?
A. Honeypot
B. DMZ
C. Black hole
D. Honeynet
Correct answer: C. Black hole

Explanation
Correct Answer: A black hole is a device that is configured to receive any and all packets with a specific protocol and source or destination address, and not respond to them at all. Usually network protocols will indicate that there is a failure, but with black holes there's no response at all because the packets are silently logged and dropped.
Incorrect Answers:
A. A honeypot attracts malicious intruders away from sensitive hosts.
D. A honeynet is a network composed of several honeypots.
B. A DMZ is a separated network zone that provides a layer of protection between two or more networks.

You suspect that you have a malware infection on a limited number of hosts on the network. You want to test the suspected malware but keep it isolated from other hosts in the network. Which of the following is the best technique in which to test suspected malware?
A. Test the malware on a sandbox, such as an isolated system or virtual machine, so you can monitor the malware's effects safely without it propagating.
B. Test the malware in a preproduction environment to see how it interacts with your test network.
C. Test the malware by installing it on noncritical hosts to monitor the effects.
D. Test the malware by installing it on critical hosts, and be prepared to restore from a backup if it affects them.
Correct answer: A. Test the malware on a sandbox, such as an isolated system or virtual machine, so you can monitor the malware's effects safely without it propagating.

Explanation
Correct Answer: You should always test malware on an isolated system, which can be an isolated host or a virtual machine that in no way connects to other hosts or the network.
Incorrect Answers:
B. You do not want to test the malware on your preproduction environment, as it would be possible for the malware to eventually make it to the production network the next time you move upgraded or tested software or patches to the production network.
C. You also do not want to test the malware by installing it on noncritical hosts, because the malware could propagate to critical ones.
D. Finally, you do not want to test the malware on any critical hosts because of the downtime involved when you restore from a backup.

Which of the following tools natively generates evidence in the E01 file format?
A. The Sleuth Kit
B. dd
C. EnCase
D. FTK Imager
Correct answer: C. EnCase

Explanation
Correct Answer: EnCase natively generates evidence in the E01 file format.
Incorrect Answers: Although in some cases these utilities can read the E01 file format, none of the other choices generates evidence in that format.
A, B, D. Both dd and The Sleuth Kit generate evidence in a raw format, and FTK Imager has its own proprietary format.

Which of the following types of tests is one in which the participants are defending real or simulated information systems against real (though friendly) attackers?
A. Blue team
B. Live-fire exercise (LFX)
C. Red team
D. Tabletop exercise (TTX)
Correct answer: B. Live-fire exercise (LFX)

Explanation
Correct Answer: A live-fire exercise (LFX) is one in which the participants are defending real or simulated information systems against real (though friendly) attackers.
Incorrect Answers:
D. A tabletop exercise is merely a procedural and documentation review.
C. A red team is a penetration testing team.
A. A blue team is a computer network defense team.

Your software development team has developed an application that is currently being examined for security issues. During testing activities, the security team finds that potential users would be able to circumvent security controls and access more data than they should from the application. The security team believes that the cause for this is faulty data that the user can enter into the system. Which of the following does the development team need to focus its attention on to resolve this issue?
A. Input validation
B. Encryption
C. Parameter validation
D. Authentication
Correct answer: A. Input validation

Explanation
Correct Answer: Input validation involves checking the user's potential input to ensure that it meets the requirements of the data fields. This means that input should be checked against character type and length, and restricted to only the type of data being requested.
Incorrect Answers:
C. Parameter validation involves validating data that does not come from the user, but from the system.
D. Authentication would not prevent faulty data from being entered into the system. Authentication only controls who is able to access an application and its data.
B. Encryption would not prevent faulty data from being entered into the system either. Encryption only ensures that the transmission of data is secured.

The Windows registry location HKLM\Software\Microsoft\Windows\CurrentVersion\Run is an example of what type of item that is of interest to forensics investigators?
A. Autorun locations
B. Most recently used (MRU) lists
C. Protected storage
D. Previously logged-in users
Correct answer: A. Autorun locations

Explanation
Correct Answer: HKLM\Software\Microsoft\Windows\CurrentVersion\Run is an example of a registry entry that shows an autorun location. It lists programs that are designed to start up immediately and automatically when Windows starts. Malware often starts from this location.
Incorrect Answers: The other registry locations do not list any of these items.

You are tasked with performing an external penetration test against an organization. In preparation for the test, you gather information about the organization, its infrastructure, its people, and so forth. What additional key piece of planning do you need to ensure you have in place before the test begins?
A. DNS names
B. Formal written authorization
C. Network diagram
D. IP address space
Correct answer: B. Formal written authorization

Explanation
Correct Answer: Above all else, you must have formal written authorization from the organization in order to perform a penetration test on it. This written authorization protects you from legal liability and ensures that details such as the schedule, scope, and limitations are spelled out clearly for both the organization and the test team.
Incorrect Answers: Depending on the type of test, you may or may not receive technical details regarding the target organization, such as IP address space, DNS information, and infrastructure diagrams. They are not necessarily critical to the test, but the authorization is.

Which of the following analysis techniques involves examining past data to predict future patterns?
A. Trend analysis
B. Historical analysis
C. Statistical analysis
D. Regression analysis
Correct answer: A. Trend analysis

Explanation
Correct Answer: Trend analysis involves looking at past data to predict future trends or patterns.
Incorrect Answers:
B. Historical analysis involves looking at previous data and making adjustments to current baselines based on past performance.
C, D. Regression and statistical analyses are simply other analysis techniques.

Which of the following are advantages to using cloud computing to enhance endpoint protection? (Choose two.)
A. Corrupted data can be backed up to the cloud in the event of a malware infection.
B. Rapid file reputation determination and behavioral analysis.
C. Increased likelihood of malware transmitted to hosts from data stored in the cloud.
D. Automatic sharing of threat data across the infrastructure to minimize security risks.
Correct answers: D. Automatic sharing of threat data across the infrastructure to minimize security risks. B. Rapid file reputation determination and behavioral analysis.

Explanation
Correct Answers: Cloud computing provides rapid file reputation determination and behavioral analysis, as well as threat data sharing across the entire infrastructure quickly, in order to prevent security incidents and lower risk.
Incorrect Answers:
A. Corrupted data should not be backed up to the cloud, as you risk maintaining corrupted data that will later be reintroduced back into the system.
C. Additionally, an increased likelihood of malware being transmitted to hosts from cloud storage is a disadvantage rather than an advantage.

Which of the following statements accurately describes hashing functions?
A. Hashing functions have been proven to be mathematically flawed.
B. Hashing functions are one-way mathematical functions that produce a digest or fingerprint of a piece of data.
C. Hashing functions use public and private keys to encrypt and decrypt data.
D. Hashing functions use single symmetric keys to encrypt and decrypt data.
Correct answer: B. Hashing functions are one-way mathematical functions that produce a digest or fingerprint of a piece of data.

Explanation
Correct Answer: A hashing function is a one-way mathematical function in which a variable-length piece of data is processed and produces a unique fixed-length digest or fingerprint of that data. These digests typically cannot be reversed to produce the original plaintext.
Incorrect Answers: Hashing does not use public and private keys; this describes public key cryptography. Hashing functions do not use symmetric keys to encrypt and decrypt data; the hash produced from a hashing function cannot be reversed or decrypted. Although some legacy hashing functions have been proven to have some mathematical flaws, there are secure hashing functions currently in use for which there is no known attack.

Which of the following tools is a fork of the original Nessus project, from before Nessus became a commercial product?
A. OpenNessus
B. OpenVAS
C. Nikto
D. Nmap
Correct answer: B. OpenVAS

Explanation
Correct Answer: OpenVAS is a fork of the original Nessus project that began shortly after Tenable closed development of the Nessus framework. OpenVAS is similar to Nessus in that it supports browser-based access to its OpenVAS Manager. The Manager uses the OpenVAS Scanner to conduct assessments based on a collection of over 47,000 network vulnerability tests (NVTs).
Incorrect Answers: None of these other products was forked from the community version of Nessus. Also, OpenNessus does not exist.

You should only start unplugging devices and removing them from the scene of the crime after you have done which of the following?
A. Attempted to analyze running systems.
B. Interviewed the suspect.
C. Acquired data from all media.
D. Properly tagged, labeled, and inventoried everything.
Correct answer: D. Properly tagged, labeled, and inventoried everything.

Explanation
Correct Answer: You should not remove anything from the scene of the crime unless it has been properly tagged, labeled, and inventoried. You should also photograph the scene as well.
Incorrect Answers:
C. You do not need to acquire data from the media at the scene of the crime; that should be done in a proper lab setting.
B. You do not need to interview the suspect before removing items; as a digital forensics investigator, you might not be in charge of that particular aspect of investigating the crime. Your job is to secure and acquire evidence from digital assets.
A. You should not attempt to analyze any running systems; acquire data if you can, such as volatile memory, but only perform a comprehensive analysis of the data once it has been acquired, and then in a lab setting.

Which of the following terms describes the process of ensuring that only known-good software is allowed to execute on a system?
A. Software blacklisting
B. Data execution prevention
C. Group policy
D. Software whitelisting
Correct answer: D. Software whitelisting

Explanation
Correct Answer: Software whitelisting is the process of ensuring that only known-good software is allowed to execute on a system.
Incorrect Answers:
A. The much more common alternative is software blacklisting, which is when you prevent known-bad (or suspected-bad) software from running.
B. Data execution prevention is a Windows method for preventing malware, such as rootkits, from being loaded on boot.
C. Although group policies can include software whitelisting, this is not confined to only software policies.

Your organization is completing a new vulnerability management policy. The goal of the policy is to ensure that vulnerabilities that have the most impact to the organization are remediated the soonest, while still allowing time for configuration control board approval and testing. Which of the following types of vulnerabilities should be remediated first, and within what time frame?
A. Critical vulnerabilities, within one week.
B. Routine vulnerabilities, within 24 hours.
C. Critical vulnerabilities, within 48 hours.
D. Important vulnerabilities, within 24 hours.
Correct answer: C. Critical vulnerabilities, within 48 hours.

Explanation
Correct Answer: Critical vulnerabilities have the most impact on the organization, so they should be remediated first. Also, 48 hours is an achievable time frame because it allows for configuration control board approval time, as well as for testing any patches or configuration changes.
Incorrect Answers: Neither important nor routine vulnerabilities are required to be remediated soonest because they don't have the largest impact on the organization. Additionally, 24 hours may be too short of a time frame to expect both configuration control board approval and time for testing patches or configuration changes. Also, critical vulnerabilities should be resolved quickly, and one week is too slow a remediation time frame for these types of vulnerabilities.

Your organization wants to test some of its response capabilities. Response procedures have been recently written by individual functional areas and now need to be reviewed. Your CEO wants everyone in the organization to conduct a full test of the procedures, but you disagree with this. Which of the following do you think is the best way to begin testing these procedures?
A. Conduct a live-fire exercise (LFX).
B. Employ a red team for an external test.
C. Conduct a tabletop exercise (TTX).
D. Conduct a penetration test.
Correct answer: C. Conduct a tabletop exercise (TTX).

Explanation
Correct Answer: The first step should be to conduct a tabletop exercise, in which the participants sit in a conference room as a group and review the procedures to ensure that they are sound. Conducting a full exercise of any type without a procedural review and approval may be ineffective because the procedures might not mesh with each other very well as written.
Incorrect Answers:
A. A live-fire exercise is one in which the participants are defending real or simulated information systems against real (though friendly) attackers.
D. A penetration test is one in which the network is tested from the perspective of a potential attacker who is discovering and exploiting vulnerabilities. This type of test should not be conducted until response procedures have been thoroughly reviewed by all stakeholders.
B. Red teams conduct penetration testing, which should not be performed until procedures have been vetted.

You administer an Active Directory environment. You need to rapidly apply or push security configuration changes to all the hosts on your network. Which of the following can you use to push security configuration settings to hosts in your Active Directory environment?
A. Domain policy
B. Group policy
C. Host configurator
D. Software update services
Correct answer: B. Group policy

Explanation
Correct Answer: Group policy is the mechanism through which administrators can push security configuration settings to multiple hosts in an Active Directory network at once.
Incorrect Answers: Domain policies are part of group policy. Host configurator is a nonexistent tool. Software update services do not push configuration settings to Windows hosts; they are the mechanism through which Windows hosts can automatically update software and security patches.

You are running an instance of OpenVAS to scan your network, but you are not getting any results back. Which tool could you run on the network to see if your scan is being sent over the network and how hosts are responding to the scan?
A. Use Nikto to determine if any target web servers are listening on port 9392.
B. Use Wireshark to determine if the IP addresses for the target hosts are blocking any traffic from port 9392.
C. Use nmap to scan hosts to determine if they are listening on port 9392.
D. Capture traffic with Wireshark and look for traffic over TCP port 9392.
Correct answer: D. Capture traffic with Wireshark and look for traffic over TCP port 9392.

Explanation
Correct Answer: You should capture traffic with Wireshark and look for traffic over TCP port 9392. This is the default port that OpenVAS uses, and its presence in traffic indicates that it is actually scanning properly.
Incorrect Answers: Target hosts would not be listening on port 9392. Nikto is used to determine vulnerabilities from web servers, which should not be running on port 9392.
B. Wireshark can't necessarily determine if a host is blocking traffic on a particular port. The host simply doesn't respond, and this can be caused by any other number of issues.

You need to secure outside connections to segmented parts of the network. You want to keep special users from logging in to a particularly important host using the same workstation they use for everything else. Which of the following would provide a centralized, secure solution for this?
A. Jump box or server
B. VLAN
C. VPN
D. Honeypot
Correct answer: A. Jump box or server

Explanation
Correct Answer: A jump box serves as a jumping-off point for external users to access protected parts of a network.
Incorrect Answers:
B. A VLAN logically separates sensitive hosts or networks.
D. A honeypot attracts malicious intruders away from sensitive hosts.
C. A VPN allows for secure connections to the internal network from an external network such as the Internet.

Before you remediate any questionable vulnerabilities, which of the following actions should you take to ensure that the vulnerability exists and is present on the system?
A. Verify the scanner has all the most current plug-ins.
B. If it is not a critical vulnerability, do not remediate it.
C. If it's questionable, declare it a false positive and do not remediate it.
D. Validate the results by reviewing the actual system configuration or its patch level, if there is any doubt about a vulnerability.
Correct answer: D. Validate the results by reviewing the actual system configuration or its patch level, if there is any doubt about a vulnerability.

Explanation
Correct Answer: In the event of a question about a vulnerability, validate the results by reviewing the actual system configuration or its patch level. This way, you can ensure that this is a valid vulnerability. After that, you'll need to make a determination about whether or not you'll remediate it, based on the criticality, business exception, and priority.
Incorrect Answers:
C. Just because it is a questionable vulnerability does not mean it is a false positive.
B. Although critical vulnerabilities should be remediated first, simply because a vulnerability is not a critical vulnerability does not mean that it does not need to be remediated.
A. Verifying that the scanner has the most current plug-ins is something that should be done before the scan even starts.

During a live response, what might you do to see what is in active memory before attempting to capture it on a running host?
A. View running processes.
B. Check Internet browsing history.
C. Check active logins.
D. Review files on the hard drive.
Correct answer: A. View running processes.

Explanation
Correct Answer: When performing a live response on a running host, you might look at running processes in active memory. Take great care when performing any type of analysis on a live host, because you will certainly change evidence.
Incorrect Answers: There is no need to review files on the hard drive; this can disturb the access times on a file, and this is best done during a lab analysis when the machine is powered off and the hard drive has been forensically imaged. You can check Internet browsing history from history files after the machine is powered off. It is not necessary to check them while the machine is running. You can review login history when the machine has been powered off and the data has been forensically copied from the hard drive. It is not necessary to review this in order to see what is in active memory.

Which of the following is an effective tool for acquiring both volatile memory and file system content for a Windows host?
A. Linux Memory Grabber
B. AccessData's FTK Imager
C. Nessus
D. dd
Correct answer: B. AccessData's FTK Imager

Explanation
Correct Answer: AccessData's FTK Imager is an effective tool for acquiring both volatile memory and file system content for a Windows host.
Incorrect Answers: Linux Memory Grabber is unique to Linux, and it's open source. dd is also a Linux-based tool. Nessus is a vulnerability scanner and cannot acquire volatile memory or file system data.

Preview of the contents

CompTIA Cybersecurity CySA+ (CS0-001): Practice Test #1 of 2 - Results

Which of the following statements best describes an audit file?

A.It updates lists of scanned hosts, to avoid unnecessarily rescanning these hosts.

B.It produces a list of vulnerabilities found on scanned hosts.

C.It produces a list of the hosts that are scanned.

D.It gives instructions used to assess the configuration of endpoints and network
devices against a compliance policy. Correct answer- D.It gives instructions used to
assess the configuration of endpoints and network devices against a compliance policy.

Explanation
Correct Answer: An audit file in Nessus gives the scan instructions used to assess the
configuration of endpoints and network devices against a compliance policy.
Incorrect Answers: An audit file is used prior to the scan and does not produce any lists
or results after a scan.

Which of the following are two types of requirements in the SDLC model?

A.Nonfunctional and performance requirements

B.Functional and nonfunctional requirements

C.Functional and performance requirements

D.Functional and security requirements Correct answer- B.Functional and nonfunctional
requirements

Explanation
Correct Answer: Functional requirements describe what the software must do, and
nonfunctional requirements describe how the software must do these things—or what
the software must be like.


Incorrect Answers:
A.Performance requirements are nonfunctional requirements. Performance
requirements dictate how well the software must function, which is a nonfunctional
requirement.

D.A security requirement defines the behaviors and characteristics a system must
possess in order to achieve and maintain an acceptable level of security by itself, and in
its interactions with other systems. Security requirements are also nonfunctional
requirements.

Which of the following is an effective way that attackers can use an organization's
bandwidth to hide data exfiltration?

A.By exfiltrating data during periods of low use.

B.By hiding data exfiltration during periods of peak use.

C.By attaching sensitive data to otherwise innocuous data while exfiltrating it.

D.By downloading information quickly before getting caught. Correct answer- B.By
hiding data exfiltration during periods of peak use.

Explanation
Correct Answer:
Patient attackers can hide data exfiltration during periods of peak use by using a
low-and-slow approach that can make them exceptionally difficult to detect if
administrators are just looking at network traffic. Most attackers, however, will attempt
to download sensitive information quickly and thus generate distinctive signals.

Incorrect Answers: Each of these other methods will typically trigger alarms and alert
administrators to data leaving the network.

All of the following are common vulnerabilities that plague most systems within an
organization, EXCEPT:

A.Weak passwords

B.Misconfigured firewall rules

C.Missing patches or updates

D.Need for compensating controls Correct answer- D.Need for compensating controls

Explanation
Correct Answer: The need for compensating controls is not a vulnerability; it is actually
a mitigation for vulnerabilities that are not adequately addressed. A compensating
control is added to compensate for a weakness in an existing control, to make the
control stronger.

Incorrect Answers: All of these other choices are common vulnerabilities found in most
organizations and affect a variety of systems.

During a penetration test exercise, which type of team is responsible for defending the
network against the penetration testers and simulated attacks?

A.Red team

B.Green team

C.Blue team

D.White team Correct answer- C.Blue team

Explanation
Correct Answer: The blue team is the focus of the exercise, as they are defending the
network being tested. Their response capabilities and procedures reflect how effective
the penetration testing team, also known as the red team, is in its attacks.
Incorrect Answers: The red team is the penetration testing team, the blue team is the
defenders, the white team is composed of the exercise planners and coordinators, and
green team is not a valid answer.

A large number of ARP queries might indicate which of the following type of attack?

A.TCP SYN flood

B.Cross-site scripting (XSS) attack

C.Ping sweep

D.Man-in-the-middle (MITM) attack Correct answer- C.Ping sweep

Explanation
Correct Answer: A large number of ARP queries could indicate that the organization's
systems are being scanned, such as during a ping sweep, so the hosts' MAC addresses
can be resolved to IP addresses. This is merely a reconnaissance activity designed to
map out the network.
Incorrect Answers:
These other choices are active attacks not related to reconnaissance.
D.A man-in-the-middle (MITM) attack involves an attacker inserting himself into an
active conversation.
B.A cross-site scripting (XSS) attack is a web-based attack and does not involve
generating ARP traffic.
A.A TCP SYN flood involves sending a large amount of TCP segments with the
synchronize (SYN) flag set but never completing the three-way TCP handshake. This
causes a denial of service (DoS) condition for some hosts.

A routine vulnerability scan conducted weekly on different network segments is most
likely to be performed by which of the following?

A.Blue team

B.Red team

C.White team

D.Green team Correct answer- A.Blue team

Explanation
Correct Answer: A blue team consists of network defenders and security administrators,
who would be responsible for routine security tasks such as patching and vulnerability
scanning.

Incorrect Answers: A red team is a penetration testing team, and a white team is
responsible for planning and coordinating the penetration test.
D.Finally, green team is an invalid answer.

Which of the following best describes a situation in which a mitigation would be most
likely to be selected to protect an asset from risk?

A.An asset that has a value of $10,000, which might incur $9,000 worth of damage in a
given risk scenario, but can be protected by a mitigation that costs $11,000

B.An asset that has a value of $10,000, which might incur $5,000 worth of damage in a
given risk scenario, but can be protected by a mitigation that costs $1,000

C.An asset that has a value of $10,000, which might incur $5,000 worth of damage in a
given risk scenario, but can be protected by a mitigation that costs $10,000

D.An asset that has a value of $10,000, which might incur $500 worth of damage in a
given risk scenario, but can be protected by a mitigation that costs $1,000 Correct
answer- B.An asset that has a value of $10,000, which might incur $5,000 worth of
damage in a given risk scenario, but can be protected by a mitigation that costs $1,000

All of the following are metrics associated with the Common Vulnerability Scoring
System (CVSS), EXCEPT:
