
312-49v11 Computer Hacking Forensic Investigator (CHFIv11) is now Stable and With Pass Result | Test Your Knowledge for Free

Exams4sure Dumps

312-49v11 Practice Questions

Computer Hacking Forensic Investigator (CHFIv11)

Last Update 19 hours ago
Total Questions: 443

Dive into our fully updated and stable 312-49v11 practice test platform, featuring all the latest CHFI exam questions added this week. Our preparation tool is more than just an EC-Council study aid; it's a strategic advantage.

Our free CHFI practice questions are crafted to reflect the domains and difficulty of the actual exam. The detailed rationales explain the 'why' behind each answer, reinforcing key concepts about 312-49v11. Use this test to pinpoint which areas you need to focus your study on.

Question # 111

During a financial crime investigation at a credit union in Dallas, Texas, a forensic examiner is tasked with collecting evidence from a suspect's workstation. To ensure the evidence remains admissible in court and follows best practices, which rule of thumb must the examiner apply during data acquisition?

Options:

A. Reduce data exposure

B. Quality assurance

C. Preserve original evidence

D. Document every process

Question # 112

Detective Sarah, a skilled digital forensics investigator, begins probing a compromised computer system linked to a cybercrime ring. Prioritizing volatile data, she meticulously plans her evidence-collection strategy. Amidst the investigation, various data sources emerge, each holding potential clues to unraveling the illicit scheme.

Which data source should you prioritize for collection, considering the order of volatility outlined in the RFC 3227 guidelines?

Options:

A. Disk or other storage media containing potentially critical files

B. Temporary file systems where recent activity might be stored

C. Archival media such as a DVD-ROM or a CD-ROM

D. The physical configuration and network topology of the system

Question # 113

In a large multinational organization, an advanced persistent threat (APT) has been detected. One of the Linux servers of the company seems to be communicating with a known malicious IP address. Alice, a cybersecurity analyst, has been given the task to analyze the situation. She collects volatile information from the server to examine active network connections and running processes. Alice is confused between three options: Redline, Volatility, and Rekall. Which tool should Alice use to perform the analysis most effectively?

Options:

A. Redline

B. Volatility

C. Rekall

D. OSForensics

Question # 114

An organization has successfully defined its eDiscovery strategy, focusing on managing data collection efficiently for a legal investigation. As part of this strategy, the legal team is tasked with ensuring that only the relevant data is gathered from the appropriate sources. The legal team is responsible for identifying the data sources that contain electronically stored information (ESI) necessary for the investigation. Which best practice for eDiscovery is the legal team following in this case?

Options:

A. Map the data to identify custodians and determine the location of the data for collection.

B. Rely on self-collection by custodians without providing clear guidelines.

C. Use directed collection to obtain all available data from custodians, including irrelevant files.

D. Collect data only from one source to minimize collection time and resources.

Question # 115

Sophia, a forensic expert, is analyzing a system for signs of malware. She observes that the malware has been modifying Windows services and running processes to ensure its operation in the background without detection. She needs to determine which services are automatically starting when the system boots.

Which tool should Sophia use to examine the Windows services that are set to start automatically?

Options:

A. Event Viewer

B. Task Manager

C. Autoruns

D. Process Explorer

Question # 116

Lucas, a forensic investigator, has been tasked with analyzing the behavior of a malware sample that has infected a Linux-based system. After executing the malware, Lucas suspects that the malware is performing suspicious activities such as modifying system files, accessing restricted resources, and interacting with the kernel. In order to track the malware's interaction with the operating system, Lucas decides to monitor the system calls made by the malware during its execution. To gather this data, which of the following tools should Lucas use to effectively track and analyze the system calls initiated by the malware, providing insights into how the malware communicates with the OS and performs its malicious activities?

Options:

A. Process Explorer

B. strace

C. Autoruns

D. Regshot

Question # 117

During a malware-persistence investigation on a Linux system, an analyst must verify whether a critical executable has been altered since deployment. The task requires generating a value from the file that can be compared against a trusted reference to validate its integrity using a Python-based forensic utility. Which script should be used to perform this verification?

Options:

A. SystemLog_entries.py

B. Reboot_history.py

C. hash_calculation.py

D. volatile_info.py

Question # 118

While analyzing NTFS metadata artifacts from a workstation involved in an insider-sabotage investigation, analysts suspect that file timestamps were deliberately manipulated to misrepresent the sequence of events. To validate whether metadata overwriting has occurred, the analysts compare timestamp values maintained by different NTFS attributes. What observation most reliably indicates that timestomping has been performed?

Options:

A. Consistent update transaction entries

B. A mismatch between timestamps stored in the $STANDARD_INFORMATION and $FILE_NAME attributes

C. Presence of deleted file records within allocated clusters

D. Identical creation, modification, and access times across all NTFS attributes

Question # 119

Megan, a CHFI investigator, is examining a complicated breach at a cutting-edge IoT technology company that designs systems for smart homes. The company's IoT devices have experienced a massive-scale breach, with numerous devices sending unauthorized data to an external server. The company uses a public cloud-based model to manage IoT devices. The unique problem Megan faces is that the breach did not occur via the traditional IoT vulnerabilities, as the devices have been designed with state-of-the-art security features, and yet the attacker has managed to bypass all security measures. Which of the following is the most plausible method the attacker could have used to compromise the IoT devices?

Options:

A. Used a botnet to flood the network with traffic

B. Exploited weak encryption protocols in the company's IoT devices

C. Hacked into the TOR Bridge Node used by the company

D. Manipulated the Cloud API to gain unauthorized access

Question # 120

At a regional bank in Charlotte, North Carolina, investigators are processing a full packet capture obtained from a firewall span port during a suspected intrusion incident. The capture contains mixed inbound and outbound connections, and the team needs to apply community-maintained detection rules to the traffic to flag packets that match known exploit signatures or anomalous protocols before conducting manual analysis. Which tool should be selected for this processing step?

Options:

A. HTTPS Logs Viewer

B. HttpLogBrowser

C. Snort IDS

D. Sumo Logic IIS Log Analyzer
