GCIH - Book 1 Questions and Verified Answers
System Center Configuration Manager (SCCM) Correct Answer: A software management suite from
Microsoft for managing large numbers of Windows-based computers. It provides remote control, patch
management, operating system deployment, network access protection and other related services
Incident Handling Correct Answer: The action plan for dealing with intrusions, cyber-theft, denial of
service (DoS) and other computer-security-related events
Incident Correct Answer: An action that results in harm, or the significant threat of harm, to your
computer systems or data
Event Correct Answer: Any observable occurrence in a system and/or network
Incident Handling - 6 Stages Correct Answer: 1. Preparation, 2. Identification, 3. Containment, 4.
Eradication, 5. Recovery, 6. Lessons Learned
Preparation Phase Correct Answer: The goal of this phase is to get the team ready to handle incidents
SPToolkit and PhishMe Correct Answer: Tools for building phishing awareness campaigns against your own
users and tracking the results
Suspicious Activity Report (SAR) Correct Answer: A report a financial institution must file whenever it
suspects that a transaction of $5,000 or more may be related to illegal activity
Reasons TO Notify Law Enforcement of an Incident Correct Answer: - Threat to public health or safety
- Substantial impact on a third party
- Legal requirement based on your industry
War Room Correct Answer: A room where the incident team can safely display and discuss sensitive
information. It should have a lockable door and a lockable file cabinet
GRR Rapid Response Correct Answer: A free, open-source tool maintained by Google for performing
large-scale incident response and hunt teaming. Coupled with Rekall it can perform memory analysis on
remote hosts (note that the Rekall project has since been discontinued), and it can pull in-depth
forensic artifacts from many systems at once
Jump Bag Correct Answer: A portable kit containing items that are useful for handling an incident
Sleuth Kit and Autopsy, EnCase, Forensic Toolkit (FTK), and X-Ways Forensics Correct Answer:
Examples of forensic software
SANS Investigative Forensic Toolkit (SIFT) Correct Answer: A VMware appliance that bundles hundreds
of tools for analyzing an incident. It includes Sleuth Kit, log2timeline, Wireshark, Volatility,
ssdeep and md5deep, among others
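md5deep-style recursive hashing is how you prove that evidence pulled from a host has not changed between acquisition and analysis. The following is an added example written for this page, not part of the GCIH material or of md5deep itself: it builds a SHA-256 manifest of every file under a directory in 1 MiB chunks, then re-verifies and reports what went missing, changed or appeared. The evidence files, paths and log lines it creates in a temporary directory are constructed for the demo.

```python
"""Added example (not GCIH course material): an md5deep-style recursive hash
manifest for collected evidence, plus a verification pass that reports
missing, changed and added files. Everything is created in a temp directory."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Set, Tuple

CHUNK = 1 << 20  # hash 1 MiB at a time so large disk/memory images never sit in RAM


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Streaming digest of one file; algo is any name hashlib.new() accepts."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path, algo: str = "sha256") -> Dict[str, str]:
    """Walk root recursively and map each POSIX-style relative path to its digest."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return manifest


def verify_manifest(root: Path, manifest: Dict[str, str],
                    algo: str = "sha256") -> Tuple[Set[str], Set[str], Set[str]]:
    """Compare the directory against a recorded manifest.

    Returns (missing, changed, added): files that vanished, files whose digest
    differs, and files that were not present at acquisition time."""
    current = build_manifest(root, algo)
    missing = set(manifest) - set(current)
    added = set(current) - set(manifest)
    changed = {p for p in set(manifest) & set(current) if manifest[p] != current[p]}
    return missing, changed, added


def demo() -> Tuple[Dict[str, str], Set[str], Set[str], Set[str]]:
    """Record a manifest over constructed evidence, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        # Constructed sample evidence: a log excerpt and a fake memory image
        (root / "logs" / "auth.log").write_text(
            "Mar 14 09:02:11 web01 sshd[4121]: Accepted password for deploy\n")
        (root / "memory.raw").write_bytes(os.urandom(4096))
        manifest = build_manifest(root)

        # Simulated tampering after acquisition: log appended, image deleted, file added
        with (root / "logs" / "auth.log").open("a") as f:
            f.write("Mar 14 09:02:40 web01 sudo: deploy : COMMAND=/bin/bash\n")
        (root / "memory.raw").unlink()
        (root / "notes.txt").write_text("added after acquisition\n")

        missing, changed, added = verify_manifest(root, manifest)
        return manifest, missing, changed, added


if __name__ == "__main__":
    manifest, missing, changed, added = demo()
    for rel, digest in manifest.items():
        print(f"{digest}  {rel}")
    print("missing:", missing, "changed:", changed, "added:", added)
```

Store the manifest (and its own hash, or a signature) on separate media in the jump bag; a manifest kept beside the evidence it describes proves nothing.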
log2timeline Correct Answer: A tool that extracts timestamped events from many different logs and artifacts into a single "super timeline" so their relative order can be analyzed
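The hard part of a super timeline is not the sorting but the normalization: every source stamps time differently, and syslog lines carry neither a year nor a timezone. The following is an added example written for this page, not part of log2timeline or the GCIH material. It parses three constructed log sources (a Linux auth.log, an Apache access log and a Windows Security CSV export; hostnames, IPs and lines are made up), normalizes each to UTC and merges them, and shows that forgetting the syslog host's UTC offset reorders the events into an impossible sequence.

```python
"""Added example (not from the GCIH material): a minimal 'super timeline' in
the spirit of log2timeline. Three constructed log sources with three different
timestamp conventions are normalized to UTC and merged into one ordered list."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Event:
    ts: datetime      # timezone-aware, normalized to UTC
    source: str
    host: str
    message: str


# Constructed sample inputs (hypothetical hosts web01 / fs01, TEST-NET address 203.0.113.7).
# Linux auth.log: syslog timestamps carry neither year nor timezone; the analyst
# must supply both (here: 2023, host clock at UTC-5).
AUTH_LOG = [
    "Mar 14 09:02:11 web01 sshd[4121]: Accepted password for deploy from 203.0.113.7 port 51022 ssh2",
    "Mar 14 09:02:40 web01 sudo: deploy : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash",
]
# Apache combined log: explicit UTC offset on every line.
ACCESS_LOG = [
    '203.0.113.7 - - [14/Mar/2023:13:58:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1270',
    '203.0.113.7 - - [14/Mar/2023:13:58:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
# Windows Security log exported as CSV with ISO 8601 UTC timestamps.
WIN_EVENTS = [
    "2023-03-14T14:05:30Z,fs01,4624,Logon Type 3,user=svc_backup,src=10.0.0.12",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_syslog(line: str, year: int, utc_offset_hours: int) -> Optional[Event]:
    """Attach the year and the host's UTC offset, then convert to UTC."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return Event(local.astimezone(timezone.utc), "auth.log", m["host"], m["msg"])


def parse_apache(line: str, host: str) -> Optional[Event]:
    """Apache's %z offset is honoured by strptime, so conversion is direct."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return Event(ts, "access.log", host, f'{m["ip"]} "{m["req"]}" -> {m["status"]}')


def parse_winevt(line: str) -> Optional[Event]:
    """ISO 8601 with a trailing Z is already UTC; just mark it as aware."""
    parts = line.split(",")
    if len(parts) < 3:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, "Security.evtx", parts[1], f"EventID {parts[2]}: " + " ".join(parts[3:]))


def build_timeline(year: int = 2023, syslog_utc_offset_hours: int = -5) -> List[Event]:
    """Parse all sources, drop unparseable lines, and order everything by UTC time."""
    events = [parse_syslog(l, year, syslog_utc_offset_hours) for l in AUTH_LOG]
    events += [parse_apache(l, "web01") for l in ACCESS_LOG]
    events += [parse_winevt(l) for l in WIN_EVENTS]
    return sorted((e for e in events if e is not None), key=lambda e: e.ts)


def render(timeline: List[Event]) -> List[str]:
    """One fixed-width line per event, timestamps always shown as UTC."""
    return [f"{e.ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {e.source:<13} {e.host:<6} {e.message}"
            for e in timeline]


if __name__ == "__main__":
    for line in render(build_timeline()):
        print(line)
```

With the correct offset the story reads naturally: web login-page probing, then the SSH login and sudo, then a network logon on the file server. With the offset left at zero, the SSH login appears to precede the web requests by several hours, which is the kind of false sequence that sends an investigation down the wrong path.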
Volatility Correct Answer: A tool for analyzing memory images.
In terms of hardware, your jump bag should include the following.... Correct Answer: - USB flash
(thumb) drives
- External hard drive
- Small Ethernet TAP
- Patch cables
- Laptop with multiple operating systems
Voice Over Misconfigured Internet Telephones (VOMIT) Correct Answer: A tool that converts a sniffed
packet capture of cleartext (unencrypted) VoIP traffic into a playable audio file
Tresorit and SecureSafe Correct Answer: Examples of Encrypted Cloud storage providers
Four Levels of Identification Correct Answer: Network perimeter, host perimeter, system-level (host) and application-level
Network Perimeter Detection Correct Answer: Identification occurs on the network
- firewalls, routers, external-facing network-based IDS/IPS, DMZ systems, etc.
Host Perimeter Detection Correct Answer: Identification occurs when data enters or leaves a host
- personal firewalls/IPS, local firewalls, port sentry tools
System-level (host) detection Correct Answer: Identification occurs based on activity on the host itself
- antivirus tools, endpoint security suites, file integrity tools, user noticing strange behavior