Exam (elaborations)

WGU Digital Forensics in Cybersecurity - C840

Pages: 20
Grade: A+
Uploaded on: 24-08-2022
Written in: 2022/2023
Contains: Questions and answers

WGU Digital Forensics in Cybersecurity - C840

Business Continuity Plan (BCP) Correct Answer: A plan for maintaining minimal operations until the business can return to full normal operations.

Disaster Recovery Plan (DRP) Correct Answer: A plan for returning the business to full normal operations.

International Organization for Standardization (ISO) 27001 standard Correct Answer: The standard that specifies the requirements for an information security management system (ISMS); it is the standard against which organizations can be certified. (The companion code of practice that lists the controls is ISO 27002.)

National Institute of Standards and Technology (NIST) 800-34 standard Correct Answer: Entitled Contingency Planning Guide for Information Technology Systems (Revision 1 is titled Contingency Planning Guide for Federal Information Systems), so it is directly related to business continuity and disaster recovery.

Business Impact Analysis (BIA) Correct Answer: An analysis of how specific incidents might impact business operations; it identifies the critical processes and the MTD, RTO and RPO for each of them.

U.S. National Fire Protection Association (NFPA) 1600 Standard Correct Answer: Formally titled Standard on Disaster/Emergency Management and Business Continuity Programs. Despite its publisher, it is an all-hazards standard and is not limited to fire-related incidents.

Maximum Tolerable Downtime (MTD) Correct Answer: The maximum length of time a system or business process can be down before the business cannot recover.

Mean Time to Repair (MTTR) Correct Answer: The average time needed to repair a given piece of equipment.

Mean Time to Failure (MTTF) Correct Answer: How long, on average, a given piece of equipment will run under normal use before it fails.

Recovery Point Objective (RPO) Correct Answer: The point in time to which data must be restored after an outage, i.e., the maximum amount of work that may have to be redone or data that may be lost. It determines how often backups must be taken.

Recovery Time Objective (RTO) Correct Answer: The time within which the system is expected to be back up. It must be less than the MTD.

Single Loss Expectancy (SLE) Correct Answer: The expected monetary loss every time a risk occurs.
Single Loss Expectancy (SLE) formula Correct Answer: SLE = Asset Value (AV) x Exposure Factor (EF), where EF is the fraction of the asset's value lost in a single occurrence.

Annualized Loss Expectancy (ALE) Correct Answer: The expected monetary loss for an asset due to a risk over a one-year period, calculated by multiplying the single loss expectancy by the annualized rate of occurrence.

Annualized Loss Expectancy (ALE) formula Correct Answer: ALE = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO)

Annual Rate of Occurrence (ARO) Correct Answer: The number of times an incident is expected to occur in a year.

Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD) Correct Answer: A mnemonic for rating risk across five categories; an effective model for evaluating the impact of an attack.

Remote Network MONitoring (RMON) Correct Answer: A monitoring specification (the RMON MIB, RFC 2819) developed by the Internet Engineering Task Force (IETF) to support remote network monitoring and protocol analysis.

Mean squared deviation (MSD) formula Correct Answer: The mean of the squared differences between expected and actual values. It is relatively simple and provides insight into how a system deviates from expectations; it is sometimes referred to as the mean squared error.

Mean percentage error (MPE) formula Correct Answer: The arithmetic mean of the percentage errors from modeling. This metric compares expected values to actual values and calculates the mean error.

Ishikawa diagrams Correct Answer: A commonly used engineering tool in failure mode and effects analysis (FMEA); also called fishbone or cause-and-effect diagrams.

Full backup Correct Answer: A backup that copies all data from a system.

Differential backup Correct Answer: A backup that copies all data changed since the last full backup; a restore needs the last full backup plus only the latest differential.

Incremental backup Correct Answer: A backup that copies only the data changed since the last backup of any type; a restore needs the last full backup plus every incremental taken since it.
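The three backup types above differ in what each run copies and in how many sets a restore has to replay. The following simulation is an added worked example, not material from the C840 notes; the file names and the daily change sets are constructed sample data, and the strategy names and the helper functions are this example's own.

```python
"""Added worked example (not from the C840 study notes): simulate full,
differential and incremental backups over a few days of changes and compare
what each copies with what a restore must replay. File names and daily change
sets are constructed sample data."""
from typing import List, Set, Tuple

# Constructed schedule: the first entry is the full backup (every file present);
# each later entry lists the files that changed during that day.
CHANGES: List[Tuple[str, List[str]]] = [
    ("Sun", ["a.db", "b.doc", "c.log", "d.xls"]),
    ("Mon", ["a.db"]),
    ("Tue", ["c.log"]),
    ("Wed", ["a.db", "d.xls"]),
]

BackupSet = Tuple[str, str, Set[str]]   # (day, kind, files copied that day)


def plan_backups(changes: List[Tuple[str, List[str]]], strategy: str) -> List[BackupSet]:
    """Return the backup set taken each day.

    differential: copies everything changed since the last FULL backup, so the
                  set keeps growing until the next full backup.
    incremental:  copies only what changed since the last backup of ANY kind.
    """
    if strategy not in ("differential", "incremental"):
        raise ValueError(f"unknown strategy {strategy!r}")
    sets: List[BackupSet] = []
    changed_since_full: Set[str] = set()
    for i, (day, changed) in enumerate(changes):
        if i == 0:
            sets.append((day, "full", set(changed)))
            continue
        if strategy == "differential":
            changed_since_full |= set(changed)
            sets.append((day, "differential", set(changed_since_full)))
        else:
            sets.append((day, "incremental", set(changed)))
    return sets


def restore_chain(sets: List[BackupSet]) -> List[str]:
    """Days whose backup sets must be replayed, in order, to restore to the last day.

    A differential restore needs the full backup plus only the latest differential;
    an incremental restore needs the full backup plus every incremental since it.
    """
    kinds = {kind for _, kind, _ in sets[1:]}
    if kinds == {"differential"}:
        return [sets[0][0], sets[-1][0]]
    return [day for day, _, _ in sets]


def files_copied(sets: List[BackupSet]) -> int:
    """Total number of file copies made over the schedule (a proxy for backup window and media)."""
    return sum(len(files) for _, _, files in sets)


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        plan = plan_backups(CHANGES, strategy)
        print(strategy, "copies", files_copied(plan), "files; restore replays", restore_chain(plan))
```

On this schedule the incremental strategy copies fewer files (8 versus 10) but a restore must replay four sets instead of two, which is the trade-off the two definitions describe; the RPO fixes how often any of them must run.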
Detection step Correct Answer: 1st step in incident response

Containment step Correct Answer: 2nd step in incident response

Eradication step Correct Answer: 3rd step in incident response

Recovery step Correct Answer: 4th step in incident response

Follow-Up step Correct Answer: 5th step in incident response

Malicious code, Denial of service, Unauthorized access, & Inappropriate usage Correct Answer: The categories into which NIST 800-61 classifies incidents (events on a system or network).

Hierarchical storage management (HSM) Correct Answer: A storage technique that automatically moves data between fast, expensive media and slower, cheaper media; it provides continuous online backup storage.

Continuity of Operations Plan (COOP) Correct Answer: A predetermined set of instructions or procedures that describe how an organization's mission essential functions will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations.

Contain the intrusion Correct Answer: Once an intrusion into your organization's information system has been detected, this is the next action to take.

Scope and Plan Initiation Correct Answer: The phase on which Business Continuity Plan development depends most.

Moore's law or Moore's observation Correct Answer: The observation by Gordon Moore of Intel Corporation that capacity would double, and price would be cut in half, roughly every 18 to 24 months for products based on computer chips and related technology.

Cloud Computing Correct Answer: The practice of delivering hosted services over the internet. This can be software as a service, platform as a service, or infrastructure as a service.

Speed of accessing data & fault tolerance Correct Answer: The main advantages of cloud computing.

adb connect <ip-address> Correct Answer: How to connect to a smart TV with ADB. Network (TCP/IP) debugging must be enabled on the TV; without an explicit port, adb connect uses TCP port 5555.
Adhere to the jurisdiction with the most restrictive requirements Correct Answer: The proper approach when performing forensic analysis on devices from diverse jurisdictions.

How fast computing power improves Correct Answer: What Moore's law concerns.

Chain of custody process Correct Answer: In a computer forensics investigation, the documented route that evidence takes from the time you find it until the case is closed or goes to court.

Shut the computer down according to the recommended Secret Service procedure Correct Answer: What the Secret Service recommends if a computer is turned on when you arrive.

In case other devices are connected Correct Answer: Why you should note all cable connections for a computer you want to seize as evidence.

The essence of the Daubert standard Correct Answer: Only tools or techniques that have been accepted by the scientific community are admissible at trial.

Preserve evidence integrity Correct Answer: The primary goal when cataloging digital evidence.

Important to investigators regarding logging Correct Answer: Logging methods, log retention, and the location of stored logs.

Anti-forensics Correct Answer: The actions that perpetrators take to conceal their locations, activities, or identities.

Cell-phone forensics Correct Answer: The process of searching the contents of cell phones.

Chain of custody Correct Answer: The continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.

Computer forensics Correct Answer: The use of analytical and investigative techniques to identify, collect, examine, and preserve computer-based material for presentation as evidence in a court of law.
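Chain of custody and evidence integrity are two sides of the same record: a hash taken at collection, and a log in which every hand-over re-verifies that hash. The code below is an added example, not part of the C840 notes or of any forensic tool; the evidence bytes, the names, the item ID and the timestamps are constructed, and the `EvidenceItem` class and its methods are this example's own design.

```python
"""Added example (not part of the C840 notes): hash digital evidence when it is
collected and keep a chain-of-custody log in which every hand-over re-verifies
that hash, so any alteration between collection and court is visible and can be
narrowed to a time window. Evidence bytes, names and timestamps are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Integrity hash recorded for the evidence (SHA-256, hex digest)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str          # ISO-8601 UTC timestamp of the hand-over (constructed)
    from_person: str
    to_person: str
    purpose: str
    sha256: str        # hash of the evidence as re-computed at this hand-over
    matches: bool      # True if it still equals the hash taken at collection


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    collected_hash: str
    log: List[CustodyEntry] = field(default_factory=list)

    def transfer(self, when: str, from_person: str, to_person: str,
                 purpose: str, current_bytes: bytes) -> bool:
        """Record a hand-over and re-verify integrity. The entry is logged even
        when the hash no longer matches: a broken chain must itself be documented."""
        h = sha256_hex(current_bytes)
        ok = h == self.collected_hash
        self.log.append(CustodyEntry(when, from_person, to_person, purpose, h, ok))
        return ok

    def first_break(self) -> Optional[CustodyEntry]:
        """The entry at which integrity was first found broken, or None if the chain is intact."""
        return next((e for e in self.log if not e.matches), None)


def demo() -> Tuple[bool, bool, bool, str]:
    """Two clean hand-overs, then one where a single byte of the image was altered."""
    image = b"\x00" * 512 + b"regf" + b"\xff" * 256          # constructed 'disk image' bytes
    item = EvidenceItem("EV-001", "laptop HDD image (constructed sample)", sha256_hex(image))
    ok1 = item.transfer("2022-08-24T10:05:00Z", "J. Doe (first responder)", "evidence locker", "storage", image)
    ok2 = item.transfer("2022-08-25T09:00:00Z", "evidence locker", "A. Examiner", "analysis", image)
    tampered = image[:-1] + b"\x00"                             # one byte changed after analysis
    ok3 = item.transfer("2022-08-26T14:30:00Z", "A. Examiner", "evidence locker", "return", tampered)
    return ok1, ok2, ok3, item.first_break().when
```

Because every entry carries its own verified hash, the log shows not only that the image changed but that it was intact when it left the locker and broken when the examiner returned it, which is exactly the continuity of control the chain of custody is meant to demonstrate. In practice the acquisition tool's own hash (often MD5 and SHA-256 together) is what gets recorded at collection.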
Curriculum vitae (CV) Correct Answer: A document that sets out information about one's experience, including qualifications, employment history and interests; similar to a resume but with more detail. In academia and expert work, a CV is usually used rather than a resume.

Daubert standard Correct Answer: The standard holding that only methods and tools widely accepted in the scientific community can be used in court.

Demonstrative evidence Correct Answer: Information that helps explain other evidence. An example is a chart that explains a technical concept to the judge and jury.

Digital evidence Correct Answer: Information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination.

Disk forensics Correct Answer: The process of acquiring and analyzing information stored on physical storage media, such as computer hard drives or smartphone storage.

Documentary evidence Correct Answer: Data stored in written form, on paper or in electronic files, such as e-mail messages and telephone call-detail records. Investigators must authenticate documentary evidence.

Email forensics Correct Answer: The study of the source and content of email as evidence, including the identification of the sender, recipient, date, time, and origination location of an email message.

Expert report Correct Answer: A formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted as well as the specialist's own curriculum vitae (CV). Anything the specialist plans to testify about at a trial must be included in the expert report.
Expert testimony Correct Answer: A formal written or spoken statement of an expert witness, one who testifies on the basis of scientific or technical knowledge relevant to a case rather than personal experience.

Internet forensics Correct Answer: The process of piecing together where and when a user has been on the Internet.

Live system forensics Correct Answer: The process of searching memory in real time, typically for working with compromised hosts or to identify system abuse.

Network forensics Correct Answer: The process of examining network traffic, including transaction logs and real-time monitoring.

Real evidence Correct Answer: Physical objects that can be touched, held, or directly observed, such as a laptop with a suspect's fingerprints on it, or a handwritten note.

Software forensics Correct Answer: The process of examining malicious computer code.

Testimonial evidence Correct Answer: Information that forensic specialists use to support or interpret real or documentary evidence, for example to demonstrate that the fingerprints found on a keyboard are those of a specific individual.

Volatile memory Correct Answer: Computer memory that requires power to maintain the data it holds; its contents change constantly and are lost when power is removed. RAM is volatile, whereas EEPROM is non-volatile and retains its data without power.

Demonstrate the continual control of evidence Correct Answer: Why an investigator should maintain a chain of custody.

Document the virus Correct Answer: The first step when investigating a virus.

Cyberstalking crime Correct Answer: The crime most likely to leave email evidence.

In the server's logs, look for a reboot of the system Correct Answer: Where to seek evidence that Ophcrack had been used on a Windows Server 2008 machine (Ophcrack is commonly run from a bootable live CD, which requires rebooting the target).

Disgruntled employee Correct Answer: Logic bombs are often perpetrated by a ________.
Preludes to real-world violence Correct Answer: The primary reason to take cyberstalking seriously.

Tracing the packets Correct Answer: The starting point for investigating a denial-of-service attack.

Cyberstalking Correct Answer: The use of electronic communications to harass or threaten another person.

Denial-of-service (DoS) attack Correct Answer: An attack designed to overwhelm the target system so it can no longer reply to legitimate requests for connection.

Fraud Correct Answer: A broad category of crime that can encompass many different activities, but essentially any attempt to gain financial reward through deception.

Identity theft Correct Answer: Any use of another person's identity without their consent.

Logic bomb Correct Answer: Malware that executes its damage or attack when specific conditions are met. Example: it triggers when an employee's name is removed from a company database.

Rainbow table Correct Answer: A type of password cracker that works with precalculated hashes of all passwords available within a certain character space, trading disk space for cracking time.

Three-way handshake Correct Answer: The process of connecting to a server that involves three packets being exchanged (SYN, SYN-ACK, ACK).

Virus Correct Answer: Any software that self-replicates.

Security Account Manager (SAM) database Correct Answer: C:\Windows\System32\config is the directory that stores the SAM file, which keeps hashes of users' passwords (not the passwords themselves).

Protocols: IP, ICMP, & ARP Correct Answer: The protocols that run at Layer 3 (Network) in this course's model. (Many references place ARP at Layer 2 or between Layers 2 and 3, since it is carried directly in Ethernet frames without an IP header.)

Asymmetric cryptography Correct Answer: Cryptography wherein two keys are used: one to encrypt the message and another to decrypt it.

Block cipher Correct Answer: A form of cryptography that encrypts data in fixed-size blocks. 64-bit blocks are common in older algorithms such as DES, while AES uses 128-bit blocks.

Brute-force attack Correct Answer: An attack in which the attacker tries to decrypt a message by simply applying every possible key in the keyspace.
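"Tracing the packets" for a denial-of-service investigation means following the three-way handshake per connection and looking for the ones that never complete. The tracker below is an added example and not material from the C840 notes; the packet summary lines and their `time src dst flags` layout are constructed for this example (they are not the output of tcpdump or any other real tool), and the `threshold` for flagging a source is an assumed value.

```python
"""Added example (not from the C840 notes): trace the three-way handshake in a
packet summary and list sources that leave many half-open connections, the
pattern of a SYN flood. The log lines and their 'time src dst flags' layout are
constructed for this example and are not the output of any real tool."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed packet summary: one client completes the handshake, one source
# sends three SYNs and never answers the SYN-ACKs, then another client completes.
SAMPLE_LOG = """\
0.001 10.0.0.5:51000 192.0.2.10:80 S
0.002 192.0.2.10:80 10.0.0.5:51000 SA
0.003 10.0.0.5:51000 192.0.2.10:80 A
0.010 198.51.100.7:40001 192.0.2.10:80 S
0.011 192.0.2.10:80 198.51.100.7:40001 SA
0.012 198.51.100.7:40002 192.0.2.10:80 S
0.013 192.0.2.10:80 198.51.100.7:40002 SA
0.014 198.51.100.7:40003 192.0.2.10:80 S
0.015 192.0.2.10:80 198.51.100.7:40003 SA
0.020 10.0.0.9:52000 192.0.2.10:80 S
0.021 192.0.2.10:80 10.0.0.9:52000 SA
0.022 10.0.0.9:52000 192.0.2.10:80 A
"""

Conn = Tuple[str, str]   # (client endpoint, server endpoint)


def track_handshakes(log_text: str) -> Dict[Conn, str]:
    """Follow SYN -> SYN-ACK -> ACK per client/server pair.
    Returns each connection's final state: SYN_SENT, SYN_RECEIVED or ESTABLISHED."""
    state: Dict[Conn, str] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, flags = line.split()
        if flags == "S":                      # client -> server: first packet
            state[(src, dst)] = "SYN_SENT"
        elif flags == "SA":                   # server -> client: second packet
            conn = (dst, src)                 # the client is the destination here
            if state.get(conn) == "SYN_SENT":
                state[conn] = "SYN_RECEIVED"
        elif flags == "A":                    # client -> server: third packet
            if state.get((src, dst)) == "SYN_RECEIVED":
                state[(src, dst)] = "ESTABLISHED"
    return state


def half_open_by_source(state: Dict[Conn, str]) -> Dict[str, int]:
    """Count, per client IP, the connections that never completed the handshake."""
    counts: Dict[str, int] = defaultdict(int)
    for (client, _), s in state.items():
        if s != "ESTABLISHED":
            counts[client.rsplit(":", 1)[0]] += 1
    return dict(counts)


def suspected_syn_flood_sources(log_text: str, threshold: int = 3) -> List[str]:
    """Client IPs with at least `threshold` half-open connections (threshold is an assumed value)."""
    return sorted(ip for ip, n in half_open_by_source(track_handshakes(log_text)).items()
                  if n >= threshold)
```

Run against the constructed log, the two ordinary clients finish in ESTABLISHED while 198.51.100.7 leaves three connections in SYN_RECEIVED and is the only source flagged. On real traffic the source addresses of a flood are frequently spoofed, so the count identifies the pattern rather than the attacker; that is why the investigation starts at the packets and the upstream routers rather than at the claimed source.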
Caesar cipher Correct Answer: The method of cryptography in which someone chooses a number by which to shift each letter of a text in the alphabet and substitutes the new letter for the letter being encrypted. For example, if your text is "A CAT" and you choose to shift by two letters, your encrypted text is "C ECV." This is also known as a monoalphabet, single-alphabet, or substitution cipher.

Oldest known encryption method Correct Answer: What the Caesar cipher is known as.

Multialphabet substitution Correct Answer: An improvement on the Caesar cipher that uses more than one shift (the Vigenère cipher is the classic example).

Carrier Correct Answer: The signal, stream, or data file in which the hidden data is placed.

Channel Correct Answer: The type of medium used to hide data in steganography. This may be photos, video, sound files, or Voice over IP.

Cryptanalysis Correct Answer: A method of using techniques other than brute force to derive a cryptographic key.

Euler's Totient Correct Answer: For a number n, the count of positive integers up to n that are coprime to n. Two numbers are coprime if they have no common factor other than 1.

Feistel function Correct Answer: A cryptographic structure that splits each block of data into two halves and, in each round, applies a function to one half and XORs the result into the other. It is one of the most influential developments in symmetric block ciphers (DES is built on it).

Kasiski examination Correct Answer: A method of attacking polyalphabetic substitution ciphers by deducing the length of the keyword from the distances between repeated groups of ciphertext letters.

Kasiski's test or Kasiski's method Correct Answer: Other names for the Kasiski examination.
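The Caesar shift, the brute-force attack over its keyspace, the multialphabet improvement and the Kasiski examination above fit together in a few dozen lines. The code below is an added example, not from the C840 notes; the plaintexts and the key "KEY" are constructed samples, and the functions are this example's own (keys are assumed to be letters only).

```python
"""Added example (not from the C840 notes): the Caesar shift, a brute-force
attack over its 26-key keyspace, the multialphabet (Vigenere) improvement, and
a Kasiski examination that recovers the Vigenere keyword length from the
distances between repeated ciphertext trigrams. Sample texts and keys are constructed."""
from collections import defaultdict
from functools import reduce
from math import gcd
from typing import Dict, List, Optional
import string

ALPHA = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` places (negative shift decrypts); other characters pass through."""
    out = []
    for ch in text.upper():
        out.append(ALPHA[(ALPHA.index(ch) + shift) % 26] if ch in ALPHA else ch)
    return "".join(out)


def caesar_bruteforce(ciphertext: str, crib: str) -> List[int]:
    """Try every key in the keyspace; return the shifts whose decryption contains the crib word."""
    return [s for s in range(26) if crib.upper() in caesar(ciphertext, -s)]


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Multialphabet substitution: the i-th letter is Caesar-shifted by key[i mod len(key)]."""
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHA:
            k = ALPHA.index(key[i % len(key)].upper())
            out.append(ALPHA[(ALPHA.index(ch) + (-k if decrypt else k)) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def kasiski_key_length(ciphertext: str, n: int = 3) -> Optional[int]:
    """Kasiski examination: find repeated n-grams in the ciphertext; the gcd of the
    distances between consecutive occurrences is the keyword length (or a multiple
    of it when too few repeats are available). Returns None if nothing repeats."""
    letters = "".join(c for c in ciphertext.upper() if c in ALPHA)
    positions: Dict[str, List[int]] = defaultdict(list)
    for i in range(len(letters) - n + 1):
        positions[letters[i:i + n]].append(i)
    distances = [b - a for pos in positions.values() for a, b in zip(pos, pos[1:])]
    return reduce(gcd, distances) if distances else None


if __name__ == "__main__":
    print(caesar("A CAT", 2))                          # the page's own example
    print(caesar_bruteforce("C ECV", "CAT"))            # every key tried, the crib picks the right one
    msg = "WE ATTACK AT DAWN THEN WE ATTACK AT DUSK AND THEN WE ATTACK AGAIN"  # constructed
    ct = vigenere(msg, "KEY")
    print(ct, kasiski_key_length(ct), vigenere(ct, "KEY", decrypt=True))
```

The constructed plaintext repeats "WE ATTACK" at letter offsets 0, 18 and 39. Because 18 and 39 are both multiples of the key length 3, the same ciphertext letters recur at distances 18 and 21, and gcd(18, 21) = 3 recovers the keyword length; with only one repeat the method would return a multiple (18) rather than 3, which is why Kasiski needs several repeated groups. Once the length is known, each of the three interleaved sub-texts is a plain Caesar cipher and falls to the brute-force routine above.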

