
312-49v11 Computer Hacking Forensic Investigator (CHFIv11) is now Stable and With Pass Result | Test Your Knowledge for Free

Exams4sure Dumps

312-49v11 Practice Questions

Computer Hacking Forensic Investigator (CHFIv11)

Last Update 19 hours ago
Total Questions : 443

Dive into our fully updated and stable 312-49v11 practice test platform, featuring all the latest CHFI exam questions added this week. Our preparation tool is more than just an ECCouncil study aid; it's a strategic advantage.

Our free CHFI practice questions are crafted to reflect the domains and difficulty of the actual exam. The detailed rationales explain the 'why' behind each answer, reinforcing key concepts about 312-49v11. Use this test to pinpoint which areas you need to focus your study on.

Question # 121

Nora, a forensic investigator, is examining the Windows Registry of a compromised system as part of her investigation into a potential insider threat. She wants to determine which folders were most recently accessed by the user. After reviewing the Registry, she discovers that a particular Registry key stores information about the folders the user recently accessed, including the folder names and their paths in the file system. Based on her findings, which of the following Registry keys contains this information?

Options:

A. BagMRU key

B. MRUListEx key

C. Bags key

D. NodeSlot value

Question # 122

During a ransomware investigation at a law firm in San Francisco, forensic analysts examine encrypted drive images from backups to identify the structure of user data. While examining the recovered disk, they note that the smallest unit of addressable data is 512 bytes and serves as the base element for higher organizational units like clusters and files. Which component of the logical disk structure are they analyzing?

Options:

A. File system

B. Cluster

C. Sector

D. Partition

Question # 123

During a forensic investigation, an examiner is analyzing a suspect's Windows machine and needs to locate the Windows shortcut files (LNK files) that might provide information about recently opened files. Which directory location should the examiner examine to find these LNK files?

Options:

A. C:\Users\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\cookies.sqlite

B. C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache

C. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent

D. C:\Users\Admin\AppData\Local\Microsoft\Windows\History

Question # 124

After a recent security incident at a popular online retail store, an incident response team is conducting an investigation. They found that an attacker was able to make thousands of purchase attempts using different combinations of credit card information within just a few minutes. The team also discovered that the same IP address was responsible for all these transactions. As a computer hacking forensic investigator, what attack type are you most likely dealing with?

Options:

A. Cookie Poisoning attack.

B. Brute Force attack.

C. Parameter Tampering attack.

D. XML External Entity (XXE) attack.

Question # 125

During a corporate insider threat investigation at a tech company in New York, forensic analysts review security event logs from a workstation to trace unauthorized access attempts. The logs indicate a successful authentication where the user physically entered credentials at the keyboard without network involvement. Which logon type corresponds to this local, in-person access method?

Options:

A. Network

B. Interactive

C. Service

D. Batch

Question # 126

A cybersecurity firm has recently discovered a new strain of ransomware circulating on the internet, posing a significant threat to organizations worldwide. This ransomware is highly sophisticated and capable of evading traditional antivirus software. To effectively combat this threat, the cybersecurity firm decides to utilize a malware sandbox for detailed analysis.

Given the scenario described, what would be the primary objective of using a malware sandbox in this situation?

Options:

A. To execute and observe the behavior of the ransomware in a controlled environment.

B. To distribute the ransomware to other systems for further analysis.

C. To encrypt sensitive data on the host systems to prevent ransomware infection.

D. To permanently remove the ransomware from infected systems.

Question # 127

Following a suspected malware incident at a retail chain in Los Angeles, forensic investigators observe performance degradation on a compromised server alongside indicators suggesting unauthorized external communications. To substantiate the presence of malicious activity affecting the system, what evidence should investigators examine first to corroborate an active compromise?

Options:

A. Abnormal traffic flows

B. Changes in web browser configurations

C. Unknown processes running

D. System slowdown and longer reboot times

Question # 128

Following a targeted ransomware campaign against a hospital network in Dallas, forensic investigators secure the executable responsible for encrypting medical records. Prior to disassembly or execution, the team evaluates the purpose of analyzing the sample as part of the broader investigation. What outcome of malware analysis most directly supports this effort?

Options:

A. Identify the exploited vulnerability

B. Catch the perpetrator responsible for installing the malware

C. Identify indicators of compromise

D. Determine the malicious intent of the malware

Question # 129

A retail platform in Austin, Texas reports repeated bot traffic and injection attempts detected at its software-based gateway. As the incident team begins evidence collection, which step in the web-attack investigation methodology explicitly directs them to include output from that gateway as a primary evidence source?

Options:

A. Trace attacking IP

B. Collect WAF logs

C. Encrypt checksum logs

D. Forensic image acquisition and duplication

Question # 130

An online banking system fell victim to a significant security breach. The attacker managed to access confidential customer data and the bank's internal communication. During the investigation, the forensic team noticed a pattern of unusual queries containing "&#x00" in the system logs. This led them to believe that an exploitation technique may have been used to bypass security filters and firewalls. Based on this information, which type of attack was most likely used?

Options:

A. Directory Traversal attack.

B. Command Injection attack.

C. XML External Entity (XXE) attack.

D. SQL Injection attack.
