The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems. Which of the following phases of incident response is MOST appropriate as a FIRST response?
A. Recovery
B. Follow-up
C. Validation
D. Identification
E. Eradication
F. Containment
Correct Answer: D
Before you can contain, eradicate or recover from a malware outbreak you must first confirm that an incident is actually occurring, which systems are affected and what malware is involved; there are many types of malware and they are handled differently. Identification is therefore the critical first step.
Incorrect Answers:
A: Recovery from the malware incident can only begin after the malware involved has been identified and removed.
B: Follow-up, as the name says, comes after the incident has been handled; it is not a first response.
C: Validation is not a phase of the incident response process. In the study guide, (input) validation appears as a preventive control against injection attacks such as LDAP injection, not as a response step.
E: Eradication of a malware infection can only succeed once the malware involved has been identified, so identification, not eradication, is the first response.
F: Containment (isolating or quarantining the affected systems) follows identification: you cannot contain an outbreak until you know which systems and which malware are involved. It is a normal phase of the process, not a last resort used when eradication fails.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 301-309, 338, 429; http://www.certiguide.com/secplus/cg_sp_SixStepIncidentResponseProcess.htm
Question 472:
The Chief Technical Officer (CTO) has tasked the Computer Emergency Response Team (CERT) to develop and update all Internal Operating Procedures and Standard Operating Procedures documentation in order to successfully respond to future incidents. Which of the following stages of the Incident Handling process is the team working on?
A. Lessons Learned
B. Eradication
C. Recovery
D. Preparation
Correct Answer: D
The incident response procedures covered by the exam include: preparation; incident identification; escalation and notification; mitigation steps; lessons learned; reporting; recovery/reconstitution procedures; first responder; incident isolation (quarantine, device removal); data breach; damage and loss control. Developing and updating the internal operating procedures and standard operating procedures that will be used to handle future incidents is done before any incident occurs, which is preparation.
Incorrect Answers:
A: Lessons learned presumes that an incident has already occurred and is being reviewed. In practice that review often recommends procedure changes, but the work of writing and updating the procedures for future incidents belongs to preparation.
B: Eradication assumes that an incident has already occurred and is being removed.
C: Recovery is a phase that takes place after an incident has occurred.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 429
Question 473:
During which of the following phases of the Incident Response process should a security administrator define and implement general defense against malware?
A. Lessons Learned
B. Preparation
C. Eradication
D. Identification
Correct Answer: B
The incident response procedures covered by the exam include: preparation; incident identification; escalation and notification; mitigation steps; lessons learned; reporting; recovery/reconstitution procedures; first responder; incident isolation (quarantine, device removal); data breach; damage and loss control. Malware is best stopped before it ever gets hold of a system, so the administrator should know what malware is in circulation and put general defensive measures in place in advance. Defining and implementing those defences is preparation.
Incorrect Answers:
A: Lessons learned is one of the last phases, after the incident has occurred. It reviews what happened and may feed improvements back into preparation, but the general defences themselves are put in place during preparation.
C: Eradication takes place after an infection has already occurred and therefore cannot be considered general defence.
D: Incident identification presumes that an incident has already occurred, so it cannot be considered general defence against malware.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 121-122, 429
Question 474:
Which of the following is the MOST important step for preserving evidence during forensic procedures?
A. Involve law enforcement
B. Chain of custody
C. Record the time of the incident
D. Report within one hour of discovery
Correct Answer: B
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. From the moment you begin to collect evidence you must keep track of it at all times and be able to show who has had it, who has seen it, and where it has been. The evidence must always be within documented custody, or you are open to dispute about possible evidence tampering. Preserving evidence during a forensic procedure therefore depends above all on the chain of custody.
Incorrect Answers:
A: Involving law enforcement may be necessary, but the evidence handed to them is only usable if the chain of custody has been preserved; involvement itself does not preserve evidence.
C: Recording the time of the incident is part of documenting the incident; it does not by itself preserve the evidence.
D: Reporting within one hour is a notification or escalation timing requirement an organisation may impose; it has nothing to do with preserving evidence.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 448
Question 475:
The security manager received a report that an employee was involved in illegal activity and has saved data to a workstation's hard drive. During the investigation, local law enforcement's criminal division confiscates the hard drive as evidence. Which of the following forensic procedures is involved?
A. Chain of custody
B. System image
C. Take hashes
D. Order of volatility
Correct Answer: A
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. From the moment you begin to collect evidence you must keep track of it at all times and be able to show who has had it, who has seen it, and where it has been. When law enforcement confiscates the drive, that transfer of possession must be documented as part of the chain of custody.
Incorrect Answers:
B: A system image is a snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. In this case the hard drive itself was confiscated by law enforcement, so what must be documented is the transfer of custody.
C: Taking hashes of the drive or its image is part of collecting evidence so that its integrity can be demonstrated later if the need arises. Here the procedure involved is the handover of the evidence, which is a chain of custody matter.
D: Order of volatility (OOV) matters when collecting evidence from several sources: always capture the most volatile data (registers, cache, memory, network state) first, before less volatile data such as disk contents. In this case there is a single piece of evidence that has already been confiscated, so the procedure involved is the chain of custody.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 448, 453, 454
Question 476:
A compromised workstation utilized in a Distributed Denial of Service (DDOS) attack has been removed from the network and an image of the hard drive has been created. However, the system administrator stated that the system was left unattended for several hours before the image was created. In the event of a court case, which of the following is likely to be an issue with this incident?
A. Eye Witness
B. Data Analysis of the hard drive
C. Chain of custody
D. Expert Witness
Correct Answer: C
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. From the moment you begin to collect evidence you must keep track of it at all times and be able to show who has had it, who has seen it, and where it has been. The evidence must always be within documented custody, or you are open to dispute about possible evidence tampering. Several hours during which nobody can account for the workstation is exactly such a gap, and opposing counsel will argue that the drive could have been altered before the image was taken.
Incorrect Answers:
A: The lack of an eye witness for those hours is a symptom of the custody gap; the issue a court will raise is the broken chain of custody.
B: Data analysis of the hard drive is not the issue; the biggest problem in court would be that the system was left unattended for several hours before the image was taken.
D: An expert witness is a person who interprets the evidence for the court; whether one is available is unrelated to the custody gap the system administrator described.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 448, 454; http://en.wikipedia.org/wiki/Chain_of_custody
Question 477:
Computer evidence at a crime scene is documented with a tag stating who had possession of the evidence at a given time.
Which of the following does this illustrate?
A. System image capture
B. Record time offset
C. Order of volatility
D. Chain of custody
Correct Answer: D
Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. From the moment you begin to collect evidence you must keep track of it at all times and be able to show who has had it, who has seen it, and where it has been. An evidence tag recording who possessed the item at each point in time is the physical record of that chain.
Incorrect Answers:
A: A system image is a snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it.
B: Record time offset: it is quite common for workstation clocks to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation usually depends on a step-by-step account of what happened, being able to follow events in the correct time sequence is critical. It is therefore imperative to record the time offset of each affected machine during the investigation.
C: Order of volatility (OOV) matters when collecting evidence from several sources: always capture the most volatile data (registers, cache, memory, network state) first, before less volatile data such as disk contents.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 448, 453; http://en.wikipedia.org/wiki/Chain_of_custody
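The four chain-of-custody questions above (preserving evidence, the confiscated drive, the unattended DDoS workstation, and the possession tag) describe the same record from different angles. The following is an added example, not code from the study guide or any vendor tool: a small custody ledger that hashes the evidence at seizure, records every handoff, and checks for the three defects those questions turn on. The evidence bytes, tag IDs, people and times are constructed for the example.

```python
"""Chain-of-custody ledger for one item of digital evidence.

Added example, not from the study guide. It hashes the evidence (a
constructed byte string standing in for a hard-drive image), records each
handoff, and checks the ledger for: a custody break (the receiver is not
the last recorded holder), an unattended interval (evidence left unsecured
too long before the next entry, as with the DDoS workstation), and a hash
mismatch (possible tampering). Names, tag IDs and times are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed stand-in for a captured hard-drive image.
EVIDENCE_IMAGE = b"\x00" * 512 + b"saved_illegal_data.xlsx" + b"\xff" * 512


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: datetime              # UTC time of the handoff
    from_person: Optional[str]  # None only for the initial seizure
    to_person: str              # who holds the evidence after this entry
    action: str                 # e.g. "seized", "transferred", "imaged"
    location: str
    secured: bool               # sealed bag or locked locker at end of entry?
    sha256: str                 # hash of the evidence at this handoff


@dataclass
class EvidenceRecord:
    tag_id: str
    description: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def add_entry(self, when, from_person, to_person, action, location, secured, data):
        self.entries.append(CustodyEntry(when, from_person, to_person, action,
                                         location, secured, sha256_hex(data)))

    def verify(self, max_unattended=timedelta(minutes=30)) -> List[str]:
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        if not self.entries:
            return ["no custody entries"]
        baseline = self.entries[0].sha256  # hash taken at seizure
        prev = None
        for i, e in enumerate(self.entries):
            if e.sha256 != baseline:
                problems.append(f"entry {i}: hash mismatch, possible tampering")
            if prev is not None:
                if e.from_person != prev.to_person:
                    problems.append(f"entry {i}: custody break, "
                                    f"{prev.to_person!r} -> {e.from_person!r}")
                gap = e.when - prev.when
                if not prev.secured and gap > max_unattended:
                    problems.append(f"entry {i}: evidence unsecured for {gap} "
                                    f"before this handoff")
            prev = e
        return problems


def _t(hour, minute):
    return datetime(2014, 3, 5, hour, minute, tzinfo=timezone.utc)  # constructed date


def intact_chain() -> List[str]:
    """Seizure, handover to law enforcement, imaging: every link recorded."""
    rec = EvidenceRecord("EV-0017", "workstation HDD, desk 4B")
    rec.add_entry(_t(9, 50), None, "Security Mgr", "seized, sealed", "desk 4B", True, EVIDENCE_IMAGE)
    rec.add_entry(_t(10, 5), "Security Mgr", "Det. Reyes", "transferred", "lobby", True, EVIDENCE_IMAGE)
    rec.add_entry(_t(14, 0), "Det. Reyes", "Lab Examiner", "imaged", "crime lab", True, EVIDENCE_IMAGE)
    return rec.verify()


def ddos_workstation_chain() -> List[str]:
    """Pulled off the network, left on a bench for hours, then imaged."""
    rec = EvidenceRecord("EV-0018", "compromised workstation HDD (DDoS bot)")
    rec.add_entry(_t(8, 0), None, "Sysadmin", "removed from network, left on bench",
                  "server room", False, EVIDENCE_IMAGE)
    rec.add_entry(_t(13, 30), "Sysadmin", "Forensic Examiner", "imaged",
                  "server room", True, EVIDENCE_IMAGE)
    return rec.verify()


def tampered_chain() -> List[str]:
    """Hash at imaging differs from hash at seizure: the drive no longer matches."""
    rec = EvidenceRecord("EV-0019", "workstation HDD")
    rec.add_entry(_t(9, 0), None, "Security Mgr", "seized", "desk", True, EVIDENCE_IMAGE)
    altered = EVIDENCE_IMAGE.replace(b"illegal", b"harmless")
    rec.add_entry(_t(9, 30), "Security Mgr", "Examiner", "imaged", "lab", True, altered)
    return rec.verify()


if __name__ == "__main__":
    for name, fn in [("intact", intact_chain), ("ddos", ddos_workstation_chain),
                     ("tampered", tampered_chain)]:
        print(name, fn() or "chain intact")
```

The `secured` flag is what turns the DDoS scenario into a detectable finding: a ledger can only show an unattended period if the last holder recorded that the item was not sealed or locked away, so the collection procedure has to require that detail at every handoff. The `max_unattended` threshold is a policy choice, not a legal standard.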
Question 478:
A recent intrusion has resulted in the need to perform incident response procedures. The incident response team has identified audit logs throughout the network and organizational systems which hold details of the security breach. Prior to this incident, a security consultant informed the company that they needed to implement an NTP server on the network. Which of the following is a problem that the incident response team will likely encounter during their assessment?
A. Chain of custody
B. Tracking man hours
C. Record time offset
D. Capture video traffic
Correct Answer: C
It is quite common for workstation and server clocks to be off slightly from actual time, and without an NTP server on the network the clocks of the various systems are unlikely to agree with each other. Since a forensic investigation usually depends on a step-by-step account of what happened, being able to follow events in the correct time sequence is critical, and audit logs from different systems cannot be compared directly when their clocks differ. It is therefore imperative to record the time offset of each affected machine during the investigation. One method is to add an entry to a log file on the system, noting the reference time at which this was done alongside the time the system itself recorded. There is no mention that the incident response team did this.
Incorrect Answers:
A: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. From the moment you begin to collect evidence you must keep track of it at all times and be able to show who has had it, who has seen it, and where it has been. Nothing in the scenario puts the custody of the logs in question.
B: Tracking man hours and expenses is a cost-accounting task; it is not a problem encountered while assessing the evidence.
D: The team already has the audit logs it needs; nothing in the scenario calls for capturing video traffic.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 448, 453, 454
Question 479:
A system administrator is responding to a legal order to turn over all logs from all company servers. The system administrator records the system time of all servers to ensure that:
A. HDD hashes are accurate.
B. the NTP server works properly.
C. chain of custody is preserved.
D. time offset can be calculated.
Correct Answer: D
It is quite common for workstation clocks to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation usually depends on a step-by-step account of what happened, being able to follow events in the correct time sequence is critical. It is therefore imperative to record the time offset of each affected machine during the investigation. One method is to add an entry to a log file on the system, noting the reference time at which this was done alongside the time the system itself recorded; the difference between the two is the offset to apply when reading that server's logs.
Incorrect Answers:
A: Hashes are checked by recomputing them and comparing against the recorded value; recording system time has nothing to do with hash accuracy.
B: Recording the system time of each server does not test whether the NTP server works; it records how far each clock is from the reference so that log timestamps can later be corrected.
C: Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. Recording the clock reading of each server is about interpreting the logs correctly, not about documenting who possessed them.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 448, 453
Question 480:
The incident response team has received the following email message.
A copyright infringement alert was triggered by IP address 13.10.66.5 at 09:50:01 GMT. After reviewing the following web logs for IP 13.10.66.5, the team is unable to correlate and identify the incident.
Which of the following is the MOST likely reason why the incident response team is unable to identify and correlate the incident?
A. The logs are corrupt and no longer forensically sound.
B. Traffic logs for the incident are unavailable.
C. Chain of custody was not properly maintained.
D. Incident time offsets were not accounted for.
Correct Answer: D
It is quite common for workstation clocks to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation usually depends on a step-by-step account of what happened, being able to follow events in the correct time sequence is critical. It is therefore imperative to record the time offset of each affected machine during the investigation. One method is to add an entry to a log file on the system, noting the reference time at which this was done alongside the time the system itself recorded. The alert time is given in GMT; if the web server's clock was skewed, or it logged in local time, and the offset was not recorded, the requests made at 09:50:01 GMT appear under a different timestamp and the team will not find them.
Incorrect Answers:
A: There is no indication that the logs are corrupt; the team was able to review them.
B: The question states that the logs were reviewed, so they are not unavailable.
C: Chain of custody in forensics refers to how evidence is secured, where it is stored, and who has access to it. The logs are available and were reviewed, so custody is not what prevents the team from correlating the incident.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 448, 453
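The three time-offset questions above (the network without NTP, recording server clocks before handing over logs, and the alert that cannot be correlated) all describe one procedure: note each host's clock against a trusted reference at collection time, keep that offset with the evidence, and shift every timestamp by it before comparing logs. The following is an added example, not code from the study guide or any vendor tool, that carries the procedure through on constructed web logs. The host names, log lines and offsets are constructed; the alert (13.10.66.5 at 09:50:01 GMT) is the one quoted in the question.

```python
"""Recording per-host time offsets and correlating skewed logs against an alert.

Added example, not from the study guide. Log lines, hosts and offsets are
constructed; 198.51.100.7 is a documentation-range address.
"""
import re
from datetime import datetime, timedelta, timezone

APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def record_offset(host_clock: datetime, reference_clock: datetime) -> timedelta:
    """The value to store with the evidence: how far the host clock is from true time.

    Both readings are taken at the same instant; reference_clock comes from an
    NTP-synced source, host_clock from the box itself. Positive means the host
    runs ahead, negative means it runs behind.
    """
    return host_clock - reference_clock


def parse_line(line: str):
    """Parse one Apache combined-format line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], APACHE_TS)  # %z keeps the log's own zone
    return {"ip": m["ip"], "logged_at": ts, "request": m["req"], "status": int(m["status"])}


def correlate(logs, offsets, ip, alert_time, window=timedelta(seconds=30)):
    """Return records from `ip` whose corrected time is within `window` of alert_time.

    logs maps host -> list of raw lines; offsets maps host -> timedelta recorded
    at collection. Hosts with no recorded offset are searched uncorrected and
    flagged so the analyst knows the result may be off.
    """
    hits = []
    for host, lines in logs.items():
        offset = offsets.get(host)
        for line in lines:
            rec = parse_line(line)
            if rec is None or rec["ip"] != ip:
                continue
            # true_time = logged_time - (host_clock - true_clock)
            true_time = rec["logged_at"] - offset if offset is not None else rec["logged_at"]
            if abs(true_time - alert_time) <= window:
                hits.append({"host": host,
                             "true_time": true_time.astimezone(timezone.utc),
                             "logged_at": rec["logged_at"],
                             "corrected": offset is not None,
                             "request": rec["request"]})
    return hits


# Constructed web logs. web01's clock runs 168 s slow and it logs in UTC;
# web02's clock runs 95 s fast and it logs in US Eastern (-0500).
WEB_LOGS = {
    "web01": [
        '13.10.66.5 - - [05/Mar/2014:09:47:13 +0000] "GET /share/file.torrent HTTP/1.1" 200 4821',
        '198.51.100.7 - - [05/Mar/2014:09:50:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    ],
    "web02": [
        '13.10.66.5 - - [05/Mar/2014:04:51:36 -0500] "GET /share/file.torrent HTTP/1.1" 206 1048576',
        '13.10.66.5 - - [05/Mar/2014:05:40:06 -0500] "GET /share/ HTTP/1.1" 200 2048',
    ],
}

# Offsets recorded at collection: each host's clock read against the NTP
# reference at the same instant (constructed readings).
REF = datetime(2014, 3, 5, 12, 0, 0, tzinfo=timezone.utc)
OFFSETS = {
    "web01": record_offset(datetime(2014, 3, 5, 11, 57, 12, tzinfo=timezone.utc), REF),
    "web02": record_offset(datetime(2014, 3, 5, 12, 1, 35, tzinfo=timezone.utc), REF),
}

ALERT_IP = "13.10.66.5"
ALERT_TIME = datetime(2014, 3, 5, 9, 50, 1, tzinfo=timezone.utc)


def hits_uncorrected():
    """What the team sees when no offsets were recorded: nothing lines up."""
    return correlate(WEB_LOGS, {}, ALERT_IP, ALERT_TIME)


def hits_corrected():
    """Same logs with the recorded offsets applied."""
    return correlate(WEB_LOGS, OFFSETS, ALERT_IP, ALERT_TIME)


if __name__ == "__main__":
    print("uncorrected:", hits_uncorrected())
    print("corrected:  ", hits_corrected())
```

Two points the example makes concrete: the timezone in each log line is handled by the parser, but clock skew is invisible in the line itself and can only be undone with an offset recorded at collection; and the offset must be stored per host, since the two servers here drift in opposite directions.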