Digital Forensics & Incident Response

Estimated time: 20-25 minutes

Question 1 of 20

A cybersecurity analyst in a corporation is now dealing with a security breach. The team is managing the incident response process using the CompTIA incident response lifecycle. The team has just completed the third step in the process. What must the team do next?

Question 2 of 20

A large organization's cybersecurity incident response team receives an alert indicating potential threat actor activity on one of its servers. What should be the team's immediate action based on the incident response lifecycle?

Question 3 of 20

An organization's computer incident response team (CIRT) receives an alert that shows possible malicious activity on a critical server within the network, and they initiate the CompTIA incident response process. What order must the CIRT follow when performing the CompTIA incident response process?

Question 4 of 20

The corporate network has been compromised by sophisticated attackers who have established persistence and may be monitoring email traffic and internal chat communications. The incident commander needs to coordinate the response team and share sensitive investigation details without alerting the intruders. What method of communication should be used?

Question 5 of 20

A SOC is overwhelmed with thousands of daily alerts, the vast majority of which are false positives generated by legitimate scripts. To improve operational efficiency and reduce analyst burnout, they need to refine alerts. What process BEST addresses this calibration?

Question 6 of 20

Security analysts notice suspicious patterns of outbound connections from internal workstations to external IP addresses at regular fifteen-minute intervals, strongly suggesting command and control beaconing activity. They need to analyze these communication patterns and data volumes to identify compromised hosts, without storing full packet payloads due to bandwidth and storage constraints. Which technology provides this essential network metadata?

Question 7 of 20

In digital forensics, why is the order of volatility significant during the data acquisition process?

Question 8 of 20

What is the primary risk when using the live acquisition method during a cybersecurity investigation?

Question 9 of 20

First responders arrive at the desk of a suspected compromised workstation and observe a USB drive connected to the system with a suspicious script actively running in the terminal window, along with an unrecognized wireless adapter plugged into the back of the computer. Before taking any action that might alter the system, they photograph the screen and carefully video record all connected devices. What is the reason for this?

Question 10 of 20

Security analysts working extended 12-hour shifts during a major ransomware incident are processing hundreds of low-priority informational alerts. This leads to tiredness, decreased attention to detail, slower response times, and missing critical indicators of lateral movement. What is this dangerous situation called?

Question 11 of 20

Investigators discover that prior to the attack, an adversary spent weeks researching employee names on LinkedIn and social media, scanning the company's public IP address ranges, and harvesting corporate email addresses from public sources to craft convincing spearphishing messages. Which stage of the Cyber Kill Chain does this information gathering represent?

Question 12 of 20

A CIRT needs to analyse thousands of files that form forensic evidence for a criminal case. Before doing this, they use software that identifies which files are identical and removes the duplicate copies. This reduces the workload on the CIRT while preserving vital evidence. What is this process and how does it work?

Question 13 of 20

Rather than waiting for security alerts to trigger investigations, the security team assumes sophisticated attackers are already present in the network. They proactively search for hidden threats using behavioral analytics, hypothesis-driven investigation, and IOC sweeps without relying on automated tools. What describes this proactive security methodology?

Question 14 of 20

Which tool or concept used in cybersecurity monitoring gives a condensed overview of information from various data sources for daily incident response tasks?

Question 15 of 20

When creating a forensic copy of a suspect hard drive for laboratory analysis, the investigator attaches a hardware device between the source drive and the target workstation that prevents any accidental or automated editing of the original media. This ensures evidence integrity and admissibility. What essential forensic tool is being used?

Question 16 of 20

Which logs help detect any attempts made by a threat actor to attack a wireless network through disassociation events?

Question 17 of 20

A law enforcement agency arrives at a corporate office to seize servers suspected of containing evidence of financial crimes. Before imaging the drives, they must ensure they have proper legal authority to conduct the search, to prevent evidence from being excluded in court later. What legal concept is this?

Question 18 of 20

A corporation is notified that it is subject to legal action regarding a data breach. The legal team issues instructions to all employees to preserve any documents, emails, and data related to the incident. It forbids any deletion of potentially relevant information. What is this preservation order called?

Question 19 of 20

A forensic investigator transports a seized laptop from the crime scene to the forensic laboratory, then passes it to a technician for imaging. The technician then gives the laptop to an officer in a storage facility. At each transfer, they document the date, time, location, and identity of everyone who handled the evidence. What is this form of documentation?

Question 20 of 20

Investigators seize smartphones suspected of containing evidence of crimes. However, they fear the suspects may remotely wipe the devices via cellular signals or Wi-Fi once they realize the phones are compromised. They place the devices in specialized containers that block all radio frequency signals during transport to the forensic lab. What preservation tool prevents remote destruction of digital evidence?