Exam Details

  • Exam Code: GCED
  • Exam Name: GIAC Certified Enterprise Defender Practice Test
  • Certification: GIAC Information Security
  • Vendor: GIAC
  • Total Questions: 88 Q&As
  • Last Updated: May 14, 2024

GIAC Information Security GCED Questions & Answers

  • Question 31:

    What does the following WMIC command accomplish?

    process where name='malicious.exe' delete

    A. Removes the 'malicious.exe' process from the Start menu and Run registry key

    B. Stops current process handles associated with the process named 'malicious.exe'

    C. Removes the executable 'malicious.exe' from the file system

    D. Stops the 'malicious.exe' process from running and being restarted at the next reboot

  • Question 32:

    An analyst wants to see a grouping of images that may be contained in a pcap file. Which tool natively meets this need?

    A. Scapy

    B. NetworkMiner

    C. TCPReplay

    D. Wireshark
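The kind of image extraction NetworkMiner performs natively, shown here as an added Python example that is not part of the question set and not NetworkMiner's own code: it walks a classic libpcap file, concatenates TCP payloads per flow in capture order (no sequence-number reordering, which is an assumption that holds for the constructed capture but not for real traffic), and cuts JPEG and PNG objects out of the reassembled streams by their start and end signatures. The capture, the frame builders, the addresses and the sample image bytes are all constructed for this example.

```python
"""Carve JPEG/PNG images out of a pcap file (added example, not from the exam page)."""
import struct

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
PNG_SIG, PNG_END = b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"


def iter_pcap_records(data):
    """Yield packet bytes from a classic libpcap file (Ethernet link type only)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (flow_key, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:                       # IP protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (ip[12:16], sport, ip[16:20], dport), tcp[data_off:]


def reassemble_flows(pcap_bytes):
    """Concatenate TCP payloads per flow in capture order (assumes in-order, no retransmits)."""
    flows = {}
    for frame in iter_pcap_records(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed:
            key, payload = parsed
            flows.setdefault(key, bytearray()).extend(payload)
    return flows


def carve_images(stream):
    """Return [(kind, bytes)] for every JPEG/PNG delimited by its start/end signature."""
    found = []
    for start, end, kind in ((JPEG_SOI, JPEG_EOI, "jpeg"), (PNG_SIG, PNG_END, "png")):
        pos = 0
        while (s := stream.find(start, pos)) >= 0:
            e = stream.find(end, s + len(start))
            if e < 0:
                break
            found.append((kind, bytes(stream[s:e + len(end)])))
            pos = e + len(end)
    return found


def images_in_pcap(pcap_bytes):
    """Carved images across all TCP flows: [(flow_key, kind, image_bytes)]."""
    return [(key, kind, blob)
            for key, stream in reassemble_flows(pcap_bytes).items()
            for kind, blob in carve_images(stream)]


# --- constructed capture for demonstration (checksums are zero; the parsers ignore them) ---
def build_frame(src, sport, dst, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


SAMPLE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + JPEG_EOI
SAMPLE_PNG = PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 30 + PNG_END
SERVER, CLIENT = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])   # assumed addresses
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, 40001, SERVER, 80, b"GET /logo.jpg HTTP/1.1\r\n\r\n"),
    build_frame(SERVER, 80, CLIENT, 40001, b"HTTP/1.1 200 OK\r\n\r\n" + SAMPLE_JPEG[:12]),
    build_frame(SERVER, 80, CLIENT, 40001, SAMPLE_JPEG[12:]),   # image split over two segments
    build_frame(SERVER, 80, CLIENT, 40002, b"HTTP/1.1 200 OK\r\n\r\n" + SAMPLE_PNG),
])

if __name__ == "__main__":
    for key, kind, blob in images_in_pcap(SAMPLE_PCAP):
        print(kind, len(blob), "bytes from server port", key[1])
```

Signature carving is what makes this work even when the image is split across segments: the JPEG above is delivered in two TCP payloads and is only whole after per-flow reassembly. A real tool also honours TCP sequence numbers and handles HTTP chunked or compressed bodies, which this example deliberately leaves out.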

  • Question 33:

    Which of the following is considered a preventative control in operational security?

    A. Smoke Sensors

    B. Fire Suppressant

    C. Voltage Regulators

    D. Vibration Alarms

  • Question 34:

    Which command is the Best choice for creating a forensic backup of a Linux system?

    A. Run from a bootable CD: tar cvzf image.tgz /

    B. Run from compromised operating system: tar cvzf image.tgz /

    C. Run from compromised operating system: dd if=/dev/hda1 of=/mnt/backup/hda1.img

    D. Run from a bootable CD: dd if=/dev/hda1 of=/mnt/backup/hda1.img
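What the dd form of the answer does at the byte level, plus the integrity check a forensic image needs, as an added Python example that is not part of the page and is not a replacement for dd: the source is opened read-only and never mounted or written, it is copied in fixed-size blocks, an unreadable block is zero-filled and its offset recorded (the behaviour of dd conv=noerror,sync) so the image keeps its geometry, and the SHA-256 of the written data is returned for the evidence log and re-checked against the image file. Booting from clean media matters because a compromised kernel can misreport disk contents; that cannot be shown in code. The "device" file, the faulty-sector reader and all paths are constructed for this example.

```python
"""Block-level evidence imaging with hash verification (added example, not from the exam page)."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512   # sector size; use 1 MiB or more on real devices for throughput


def image_source(read_block, size, out_path, block_size=BLOCK_SIZE):
    """Copy `size` bytes obtained via read_block(offset, n) into out_path.

    Returns (sha256 of everything written, [offsets of blocks that raised OSError]).
    Unreadable blocks are zero-filled rather than aborting the copy (dd conv=noerror,sync).
    """
    digest = hashlib.sha256()
    bad_offsets = []
    with open(out_path, "wb") as out:
        for offset in range(0, size, block_size):
            n = min(block_size, size - offset)
            try:
                data = read_block(offset, n)
            except OSError:
                data = b"\x00" * n
                bad_offsets.append(offset)
            digest.update(data)
            out.write(data)
    return digest.hexdigest(), bad_offsets


def sha256_file(path, block_size=1 << 20):
    """Independent re-hash of the finished image, for the verification step."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(block_size):
            digest.update(chunk)
    return digest.hexdigest()


def readonly_block_reader(path):
    """read_block callable over `path` opened read-only; caller closes the handle."""
    handle = open(path, "rb")

    def read_block(offset, n):
        handle.seek(offset)
        return handle.read(n)
    return read_block, handle


def flaky_reader(data, bad_block):
    """Constructed stand-in for a device with one unreadable sector."""
    def read_block(offset, n):
        if offset // BLOCK_SIZE == bad_block:
            raise OSError("Input/output error")
        return data[offset:offset + n]
    return read_block


def demo():
    """Image a constructed 'device', verify the hash, then image a faulty copy of it."""
    device = bytes(range(256)) * 8                    # 2048 bytes = four 512-byte sectors
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "hda1")               # assumed path, stands in for /dev/hda1
        with open(src, "wb") as f:
            f.write(device)
        img = os.path.join(tmp, "hda1.img")
        read_block, handle = readonly_block_reader(src)
        try:
            written_hash, bad = image_source(read_block, len(device), img)
        finally:
            handle.close()
        verified = written_hash == sha256_file(img) == hashlib.sha256(device).hexdigest()

        img2 = os.path.join(tmp, "faulty.img")
        _, bad2 = image_source(flaky_reader(device, bad_block=2), len(device), img2)
        with open(img2, "rb") as f:
            padded = f.read()
    return {
        "clean_verified": verified,
        "clean_bad_blocks": bad,
        "faulty_bad_blocks": bad2,
        "faulty_sector_zeroed": padded[1024:1536] == b"\x00" * 512,
        "faulty_size_preserved": len(padded) == len(device),
    }


if __name__ == "__main__":
    print(demo())
```

The hash that goes into the evidence record is the one computed over the bytes actually written; when sectors were padded it will differ from any hash taken of the live disk, which is why the list of bad offsets is kept alongside it.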

  • Question 35:

    Which action would be the responsibility of the First Responder once arriving at the scene of a suspected incident as part of a Computer Security Incident Response Plan (CSIRP)?

    A. Making the decision of whether or not to notify law enforcement on behalf of the organization.

    B. Performing timeline creation on the system files in order to identify and remove discovered malware.

    C. Copying critical data from suspected systems to known good systems so productivity is not affected by the investigation.

    D. Conducting initial interviews and identifying the systems involved in the suspected incident.

  • Question 36:

    A company classifies data using document footers, labeling each file with security labels "Public", "Pattern", or "Company Proprietary". A new policy forbids sending "Company Proprietary" files via email. Which control could help security analysts identify breaches of this policy?

    A. Monitoring failed authentications on a central logging device

    B. Enforcing TLS encryption for outbound email with attachments

    C. Blocking email attachments that match the hashes of the company's classification templates

    D. Running custom keyword scans on outbound SMTP traffic from the mail server
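The keyword scan from option D, and why it must decode MIME rather than grep the raw SMTP stream, as an added Python example that is not part of the question set: an outbound message is built with a text attachment derived from a classification template, each MIME leaf part is base64-decoded and searched for the label, and the result is compared with the hash-matching control of option C, which only fires on a byte-identical template. The messages, addresses, template bytes and file names are constructed for this example.

```python
"""Keyword scan of outbound mail for a classification footer (added example, not from the exam page)."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

FORBIDDEN_LABEL = "Company Proprietary"

# Constructed classification template and a file an employee produced from it (body edited).
TEMPLATE = b"Quarterly plan\n\n-- Company Proprietary --\n"
EDITED_FILE = b"Quarterly plan\nRevenue target raised 12%.\n\n-- Company Proprietary --\n"
TEMPLATE_HASHES = {hashlib.sha256(TEMPLATE).hexdigest()}


def build_outbound_mail(subject, body, attachments):
    """Constructed SMTP message bytes; attachments are base64-encoded as they are on the wire."""
    msg = EmailMessage()
    msg["From"] = "alice@corp.example"          # assumed addresses
    msg["To"] = "partner@external.example"
    msg["Subject"] = subject
    msg.set_content(body)
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


def keyword_hits(raw_message, label=FORBIDDEN_LABEL):
    """Option D done properly: decode every MIME leaf part, then look for the label.

    Returns [(part_name, context_snippet)]; an empty list means the policy was not breached.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
        idx = text.find(label)
        if idx >= 0:
            name = part.get_filename() or part.get_content_type()
            hits.append((name, text[max(0, idx - 3):idx + len(label) + 3].strip()))
    return hits


def template_hash_hits(raw_message, known_hashes=TEMPLATE_HASHES):
    """Option C: flag attachments that are byte-identical to a classification template."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()
            if hashlib.sha256(part.get_payload(decode=True)).hexdigest() in known_hashes]


def raw_grep_hits(raw_message, label=FORBIDDEN_LABEL):
    """Naive scan of the raw SMTP bytes; misses labels inside base64-encoded attachments."""
    return label.encode() in raw_message


LEAK = build_outbound_mail("Q3 plan", "Hi, draft attached.", [("plan.txt", EDITED_FILE)])
CLEAN = build_outbound_mail("Lunch", "Pizza on Friday?", [("menu.txt", b"Margherita\n")])

if __name__ == "__main__":
    print("keyword scan:", keyword_hits(LEAK), keyword_hits(CLEAN))
    print("template hash:", template_hash_hits(LEAK))
    print("raw grep:", raw_grep_hits(LEAK))
```

The edited file is the normal case: people send documents they have changed, so its hash no longer matches the template and option C stays silent, while the footer text survives editing and the decoded keyword scan catches it. Production DLP additionally extracts text from Office and PDF containers and handles encrypted archives, which a plain-text scanner like this one cannot see into.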

  • Question 37:

    Although the packet listed below contained malware, it freely passed through a layer 3 switch. Why didn't the switch detect the malware in this packet?

    A. The packet was part of a fragmentation attack

    B. The data portion of the packet was encrypted

    C. The entire packet was corrupted by the malware

    D. It didn't look deeply enough into the packet
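The packet the question refers to is not reproduced on this page. To show the mechanism anyway, here is an added Python example that is not part of the question set: a forwarding function that does only what a layer 3 device does, a longest-prefix match on the destination address in the IP header, next to an inspection function that reads the payload. The forwarding table, the addresses and the content signature are constructed for this example.

```python
"""Layer 3 forwarding versus payload inspection (added example, not from the exam page)."""
import ipaddress
import struct

# Constructed forwarding table for the 'switch': destination prefix -> egress interface.
FORWARDING_TABLE = {
    ipaddress.ip_network("10.0.0.0/8"): "vlan10",
    ipaddress.ip_network("10.20.0.0/16"): "vlan20",
    ipaddress.ip_network("0.0.0.0/0"): "uplink",
}
# Constructed content signature; only a device that reads the payload can match it.
MALWARE_SIGNATURE = b"CONSTRUCTED_MALWARE_MARKER"


def build_ipv4_packet(src, dst, payload, proto=6):
    """Minimal IPv4 header (no options, checksum zero) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def l3_forward(packet):
    """The only decision a layer 3 switch makes: longest-prefix match on the destination IP.

    It reads the 20-byte header and nothing past it; the payload is never examined.
    """
    dst = ipaddress.ip_address(packet[16:20])
    best_net, egress = None, None
    for net, iface in FORWARDING_TABLE.items():
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, egress = net, iface
    return egress


def deep_inspect(packet):
    """What an IDS/IPS or content-aware proxy does instead: look past the header."""
    ihl = (packet[0] & 0x0F) * 4
    return MALWARE_SIGNATURE in packet[ihl:]


MALICIOUS = build_ipv4_packet("203.0.113.7", "10.20.5.9",
                              b"GET /update.exe\r\n" + MALWARE_SIGNATURE)
BENIGN = build_ipv4_packet("203.0.113.7", "10.20.5.9", b"GET /index.html\r\n")

if __name__ == "__main__":
    for name, pkt in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(name, "-> forwarded via", l3_forward(pkt), "| signature match:", deep_inspect(pkt))
```

Both packets take the same egress interface because the forwarding decision is a function of the header alone; nothing in that path gives the switch a reason to reject the malicious one. Detection has to live on a device that reads the payload.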

  • Question 38:

    In an 802.1x deployment, which of the following would typically be considered a Supplicant?

    A. A network switch

    B. A perimeter firewall

    C. A RADIUS server

    D. A client laptop

  • Question 39:

    You have been tasked with searching for Alternate Data Streams on the following collection of Windows partitions: 2GB FAT16, 6GB FAT32, and 4GB NTFS. How many total Gigabytes and partitions will you need to search?

    A. 4GBs of data, the NTFS partition only.

    B. 12GBs of data, the FAT16, FAT32, and NTFS partitions.

    C. 6GBs of data, the FAT32 partition only.

    D. 10GBs of data, both the FAT32 and NTFS partitions.

  • Question 40:

    What piece of information would be recorded by the first responder as part of the initial System Description?

    A. Copies of log files

    B. System serial number

    C. List of system directories

    D. Hash of each hard drive

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important, and more enterprises require them when hiring. But how do you prepare for an exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find the answers. Vcedump.com provides not only GIAC exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your GCED exam preparation and GIAC certification application, do not hesitate to visit Vcedump.com to find your solutions.