CYSA TEST EXAM QUESTIONS AND ANSWERS
VERIFIED 100% CORRECT
What type of visualization is most suitable for identifying traffic spikes? - ANSWER A
line graph is a good way of showing changes in volume over time.
You need to analyze the destination IP address and port number from some firewall
data. The data in the iptables file is in the following format:
DATE,FACILITY,CHAIN,IN,SRC,DST,LEN,TOS,PREC,TTL,ID,PROTO,SPT,DPT
Jan 11 05:33:59,lx1 kernel:
iptables,INPUT,eth0,10.1.0.102,10.1.0.1,52,0x00,0x00,128,2242,TCP,2564,21
Write the command to select only the necessary data, and sort it by destination port
number. - ANSWER The following command selects columns 6 (destination IP
address) and 14 (destination port) and then sorts by column 2—remember that the
piped output to the sort command has two columns, not 14. The -n switch makes the
sort order numeric rather than alphabetical.
cut -d "," -f6,14 iptables | sort -t "," -k2 -n
Working with the same data file, write the command to show only the lines where the
destination IP address is 10.1.0.10 and the destination port is 21. - ANSWER The
easiest way to do this is to pipe the result from one grep command into another.
Remember that you need to escape characters such as periods and commas. The $
operator in the second command is a handy way of selecting the destination port, which
is at the end of the line.
grep "10\.1\.0\.10\," iptables-csv | grep "21$"
Note that you need to include the comma delimiter to avoid selecting partial source IP
addresses. The regex "10\.1\.0\.10" would match 10.1.0.102.
Which four phases outline the procedures involved in a forensics investigation? -
ANSWER Identification, collection, analysis, and reporting.
Why might a forensics investigator need to be hired on a work product retention basis? -
ANSWER To protect analysis of evidence from disclosure to opposing counsel, should
a court case be involved.
, To preserve evidence of a temporary file system mounted to a host, which system
device must you target for evidence collection? - ANSWER System memory (RAM)
You must contain a host that is suspected of effecting a violation of security policy. No
methods of live evidence acquisition are available. What is your best course of action to
preserve the integrity of evidence? - ANSWER Using a software shut-down routine
risks changing data on the host disk, so if live memory acquisition cannot be performed,
pulling the plug to terminate processes is the best course of action. This process should
ideally be video recorded with an explanation as to why this course of action is being
taken.
A hard disk has been removed from a computer so that it can be subjected to forensic
evidence collection. What steps should you take to complete this process? - ANSWER
Ideally, record or document the process. Attach the disk to a forensic workstation, using
a write blocker to prevent contaminating the source-disk contents. Make a cryptographic
hash of the disk contents. Make an image of the disk contents. Make a cryptographic
hash of the image and verify it matches the source disk hash. Make a copy of the image
and validate with a cryptographic hash. Perform analysis on the copy of the image.
What two types of space on a disk are analyzed by file-carving tools? - ANSWER
Unallocated space (clusters marked as free for use in file-write operations) and slack
space (cluster portions that were not overwritten when a new file was created).
Which network-related potential indicator of compromise has been omitted from the
following list? Bandwidth consumption, irregular peer-to-peer communication, rogue
device on the network, scan/sweep, unusual traffic spike, common protocol over
nonstandard port. - ANSWER Beaconing.
PKI (Public Key Infrastructure) - ANSWER enables users of a public network such as
the Internet to securely and privately exchange data through the use of a pair of keys—
a public one and a private one—that is obtained from a trusted authority and shared
through that authority.
Which two main classes of attack would you suspect if you observe a bandwidth
consumption IoC from a client workstation on the local network to a host on the
Internet? - ANSWER You are most likely to suspect a data exfiltration attack, but it is
also possible that the host has been infected with a bot and is being used for DDoS or
spam.
What steps would you take to investigate irregular peer-to-peer communication? -
ANSWER Start an incident response ticket and log all actions taken. Identify the IP
addresses involved. On a LAN, work out the identity of each host and the accounts and
services running on them. On the Internet, use IP reputation services and geolocation to
identify the host(s). Raise the logging and packet capture level to monitor the
VERIFIED 100% CORRECT
What type of visualization is most suitable for identifying traffic spikes? - ANSWER A
line graph is a good way of showing changes in volume over time.
You need to analyze the destination IP address and port number from some firewall
data. The data in the iptables file is in the following format:
DATE,FACILITY,CHAIN,IN,SRC,DST,LEN,TOS,PREC,TTL,ID,PROTO,SPT,DPT
Jan 11 05:33:59,lx1 kernel:
iptables,INPUT,eth0,10.1.0.102,10.1.0.1,52,0x00,0x00,128,2242,TCP,2564,21
Write the command to select only the necessary data, and sort it by destination port
number. - ANSWER The following command selects columns 6 (destination IP
address) and 14 (destination port) and then sorts by column 2—remember that the
piped output to the sort command has two columns, not 14. The -n switch makes the
sort order numeric rather than alphabetical.
cut -d "," -f6,14 iptables | sort -t "," -k2 -n
Working with the same data file, write the command to show only the lines where the
destination IP address is 10.1.0.10 and the destination port is 21. - ANSWER The
easiest way to do this is to pipe the result from one grep command into another.
Remember that you need to escape characters such as periods and commas. The $
operator in the second command is a handy way of selecting the destination port, which
is at the end of the line.
grep "10\.1\.0\.10\," iptables-csv | grep "21$"
Note that you need to include the comma delimiter to avoid selecting partial source IP
addresses. The regex "10\.1\.0\.10" would match 10.1.0.102.
Which four phases outline the procedures involved in a forensics investigation? -
ANSWER Identification, collection, analysis, and reporting.
Why might a forensics investigator need to be hired on a work product retention basis? -
ANSWER To protect analysis of evidence from disclosure to opposing counsel, should
a court case be involved.
, To preserve evidence of a temporary file system mounted to a host, which system
device must you target for evidence collection? - ANSWER System memory (RAM)
You must contain a host that is suspected of effecting a violation of security policy. No
methods of live evidence acquisition are available. What is your best course of action to
preserve the integrity of evidence? - ANSWER Using a software shut-down routine
risks changing data on the host disk, so if live memory acquisition cannot be performed,
pulling the plug to terminate processes is the best course of action. This process should
ideally be video recorded with an explanation as to why this course of action is being
taken.
A hard disk has been removed from a computer so that it can be subjected to forensic
evidence collection. What steps should you take to complete this process? - ANSWER
Ideally, record or document the process. Attach the disk to a forensic workstation, using
a write blocker to prevent contaminating the source-disk contents. Make a cryptographic
hash of the disk contents. Make an image of the disk contents. Make a cryptographic
hash of the image and verify it matches the source disk hash. Make a copy of the image
and validate with a cryptographic hash. Perform analysis on the copy of the image.
What two types of space on a disk are analyzed by file-carving tools? - ANSWER
Unallocated space (clusters marked as free for use in file-write operations) and slack
space (cluster portions that were not overwritten when a new file was created).
Which network-related potential indicator of compromise has been omitted from the
following list? Bandwidth consumption, irregular peer-to-peer communication, rogue
device on the network, scan/sweep, unusual traffic spike, common protocol over
nonstandard port. - ANSWER Beaconing.
PKI (Public Key Infrastructure) - ANSWER enables users of a public network such as
the Internet to securely and privately exchange data through the use of a pair of keys—
a public one and a private one—that is obtained from a trusted authority and shared
through that authority.
Which two main classes of attack would you suspect if you observe a bandwidth
consumption IoC from a client workstation on the local network to a host on the
Internet? - ANSWER You are most likely to suspect a data exfiltration attack, but it is
also possible that the host has been infected with a bot and is being used for DDoS or
spam.
What steps would you take to investigate irregular peer-to-peer communication? -
ANSWER Start an incident response ticket and log all actions taken. Identify the IP
addresses involved. On a LAN, work out the identity of each host and the accounts and
services running on them. On the Internet, use IP reputation services and geolocation to
identify the host(s). Raise the logging and packet capture level to monitor the
