CCT 063: Digital Forensics CISSP Exam Questions (Domain 7.1)

cct cissp domain 8 Aug 17, 2023
 

Ever wonder which types of evidence are considered most reliable in court? Or why using a write blocker is crucial during a forensic analysis? Well, you're in for a treat! Join me, Sean Gerber, as we unravel the intricacies of the CISSP exam. We'll shed light on concepts like digital forensics, chain of custody, and the crucial role of data acquisition. Not just that, we'll also demystify the workings of a honeypot and its role in diverting attackers from critical systems.

But that's not all! We will step into the realm of CISSP Cyber Training, and provide you with tips and guidance that could be a game changer for your success. We'll walk through the formulation and execution of a well-structured plan, discussing three, four, and five-month plans specifically designed to keep you on track. So if you're feeling lost or overwhelmed with your exam prep, don't fret! Let's navigate the CISSP exam labyrinth together, armed with knowledge and a solid plan.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.


Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning everybody. This is Sean Gerber with CISSP Cyber Training, and today is Thursday, the CISSP exam question day. We are going to be covering some CISSP exam questions that you potentially could see on the CISSP exam, but, more importantly, we're going to talk about concepts and things that are important that you should understand when you are studying and taking the CISSP exam. So if you haven't yet gone out to CISSP Cyber Training, we have free exam questions that are available for you to go out and just try. If you sign up, you will get 30 free CISSP exam questions every month, so you'll get that every month while you're in there studying, and that's a total of 360 questions. So you'll get that just by signing up on my email list. And that's the beginning. If you get signed up, you actually will also be able to see other deals and products that come your way, as well as other questions, podcasts and so forth that are all available to you just by signing up at CISSP Cyber Training. So we're going to get into today digital forensics, and this is domain seven. We're going to get into 7.1 as it relates to security operations, now the podcast that just came out. I'd like to set this up: the podcast comes out usually on a... well, it does come out on a Monday, and then the CISSP questions will come out on a Thursday, and they usually mirror each other, not always, but in most cases they do. So if you have domain seven that comes out on Monday, you'll have CISSP questions that come out around domain seven as well on Thursday.
So we're going to talk about 7.1 and security operations, digital forensics. So these will cover the questions. Question number one: in the context of digital forensics, what does the term chain of custody refer to? A, a sequence of events in a hacking attempt; B, the path that data takes from the source to the destination; C, the documented and unbroken transfer of evidence; or D, the decision-making process for handling security incidents. If you look at those, two of the four are definitely not correct, and the other two are pretty close. So again, in the context of digital forensics, what does the term chain of custody refer to? And the answer is C, the documented and unbroken transfer of evidence between documents. Right, you're basically moving it from one point to the other, and you want to make sure that it's transferable and that you can understand how the evidence went from one point to the next. Next question is around, when dealing with security incidents, what should be the first... no, the key factor there, first step in, according to most incident-response... I can't even speak. What should be the first step according to most incident-response procedures? A, eradicate the threat; B, prepare a report; C, identification of the incident; or D, containment of the incident. Okay, so when dealing with a security incident, what should be the first step according to most incident-response procedures? And the answer is C, identification of the incident. The first step in this entire process is understanding the incident, what has actually occurred, and identifying that you actually have a problem, and then from there, usually, you will work with containment. Eradication and recovery will take place thereafter, and so it's important for you to identify that you do have a problem, right. You can't really start to go fix something unless you realize, Houston, we have a problem.
All right, next question: which of the following best describes the purpose of data acquisition in digital forensics? A, to verify the integrity of the data; B, to restore lost or damaged data; C, to create a binary copy of the original data; or D, to remove the sensitive data from the device. Again, which of the following best describes the purpose of data acquisition in digital forensics? And the answer is C, to create a binary copy of the original data. So when you're dealing with any sort of digital forensics aspects, you want to create a binary copy of the original, and the process is done so that you don't have modifications to the original evidence. And you'll see this especially as you're getting into more of a forensics background. You'll know that you want to make a copy of that specific device, the data or the system itself that it is operating on. What is the purpose of a honeypot in cybersecurity investigations? A, to distribute security patches; B, to divert attackers from critical systems; C, to authenticate users; or D, to encrypt sensitive data. And the answer is... well, let me go back to the first question. What is the main purpose of a honeypot in a cybersecurity investigation? Again, in a cybersecurity investigation. And the answer is B, to divert attackers from critical systems. So one thing about the honeypot that's important is it's designed to basically sit out there and lure people to potentially click on or try to run exploits against that device. The ultimate goal, then, in an investigation is to divert people away from the most critical systems. It's also to help determine, do you actually have a problem, as well. Which of the following types of evidence is considered the most reliable in court? Again, which of the following types of evidence is considered the most reliable in court? A, direct evidence; B, corroborative evidence; C, circumstantial evidence; or D, conclusive evidence.
So which of the following types of evidence is considered the most reliable in court? And the answer is direct evidence. Okay, direct evidence, again, if believed, proves the existence of the fact without any inference or presumption. It's basically really straightforward, and it's the strongest type of evidence you can present in a court. Next question: during a forensic analysis, why is it important to use a write blocker? Again, during forensic analysis, why is it important for you to use a write blocker? A, to prevent the original evidence from alteration; B, to prevent the deletion of logs; C, to prevent data leakage; or D, to speed up the analysis process. During the forensic analysis, why is it important to ensure you have a write blocker in place? And the answer is A, to protect the original evidence from alteration. So the write blocker is designed to protect it from accidentally fat-fingering, I call it. In the... we used to fly airplanes; you fat-finger, put something in the wrong place. From you potentially adding something to the document or the information that's out there, so you do not want to write to it. So you're trying to protect that overall information as much as you possibly can. Next question: in a cybersecurity investigation, what is the primary purpose of using log files? A, to reverse engineer malware; B, to identify patterns of activity or specific actions that have occurred; C, to distribute security patches; or D, to prevent future attacks. Okay, so in a cybersecurity investigation, what is the primary purpose of using log files? And the answer is B, to identify patterns of activity or specific actions that have occurred.
They usually are designed for specifically... well, they're not designed specifically for that, but that's where they're really good in an investigation, because if you see log files that follow a trend, that will start to lead you down the breadcrumb path to find out where potentially they came in and what systems were they going after. And you're looking for that malicious activity, potentially based on trends that you see in the log files. In the incident response process. Next question: in the incident response process, what does the recovery phase involve? A, identifying the security incident; B, creating a backup of the data; C, restoring systems to normal operations and hardening them against future incidents of a similar type; or D, preventing the spread of the incident. Okay. So, in the incident response process, what does the recovery phase involve? And the answer is C, restoring systems to normal operations and hardening them against future incidents of a similar type. Okay. So in your recovery phase, you want to bring these back up, that's bringing them up to normal operations, and you must ensure, and you'll confirm during that timeframe, that they are functioning normally so you can prevent the same type of incident from reoccurring. What is the hash value in the context of digital forensics? A, it is a unique identifier for a piece of data; B, it is the location of the file in the system; C, it is a value used to decrypt the data; or D, it's a type of malware. Okay. So what is the hash value in the context of digital forensics? And the answer is A, a unique identifier for a specific piece of data. The hash value is unique data that does correspond to a specific set of data, and that is unique specifically to that data. It does not... it doesn't... you can't just create hash values that are identical.
It is specific to that piece of data, and then what it does is it's also used to help the evidence, to ensure that it wasn't identified or it wasn't tampered with when you actually were trying to create, or when you're producing, that value. There are various hashes that are created within the security space. MD5 hashes are one, and they are, again, used to ensure that the integrity of the data remains. So, in the process of digital forensics... Next question: in the process of digital forensics, what is data carving? So, again, digital forensics. What is data carving? A, the process of removing sensitive data from a device; B, the process of creating a binary copy of the original data; C, the process of searching for files or pieces of files in raw data; or D, the process of analyzing network traffic. Okay, in the process of digital forensics, what is data carving? And the answer is C, the process of searching for files or pieces of files in raw data. Okay, so data carving is a process of extracting a collection of data from larger data sets. Basically, they're carved out of that data set and analyzed for file content. It's typically used when the metadata that's required to locate the files has been deleted or corrupted. So basically, they're going in there carving out a specific piece. Next question: which of the following tools would you primarily use to collect volatile data during a cybersecurity incident? A, a network scanner; B, a vulnerability scanner; C, a protocol analyzer; or D, a live response tool. Okay, the question then comes into, which of the following tools would you primarily use to collect volatile data during a cybersecurity incident? And the answer is D, a live response tool. These are typically used in collecting volatile data during a cybersecurity incident, and volatile data basically is information that would be lost when a system is shut down. It can be found in RAM and other areas that are running processes, logged-in users and so forth.
So you want a live response tool that's actually collecting that data on the fly. It's happening immediately. Next question: which step in the forensics process ensures that the digital evidence remains in the same state as it was discovered? Which step of the forensics process ensures that digital evidence remains in the same state as it was discovered? A, preservation; B, collection; C, analysis; or D, reporting. Again, which step of the process ensures digital evidence remains in the same state as it was discovered? And the answer is A, preservation. Preservation is a step that ensures the digital evidence remains in the same state in which it was found. So it avoids the altering of the data to maintain its admissibility in court. Again, we want to make sure that we show that this data has not been tampered with, modified or changed. Next question: what does the post-incident activity phase involve in the incident response process? A, analyzing the incident to prevent future occurrences; B, detecting and analyzing the incident; C, containing the incident to limit the damage; or D, eradicating the incident by removing the cause of the incident. So what does the post-incident activity phase involve in an incident response plan? A, analyzing the incident to prevent future occurrences. At the end of all of this, you want to ensure that what has occurred, one, you've cleaned up. But two, what were the lessons learned? How did this malware get into your environment? And then from there you can implement corrective actions to fix it. Again, you want to understand that lessons learned phase, because you want to be able to go in and go, well, okay, how did they get in? They got in through a web server that was not properly patched. Well, you're going to want to go in and fix that. And then from there, what did they do? You wouldn't focus just on the web server itself; you would focus on the web server and then the path of entry and the path of escalation throughout your network.
Next question, I think it's the last question: which principle of digital forensics states that when two pieces of data come into contact, a data exchange will take place? Okay, the principle of digital forensics that states that when two pieces of data come into contact, a data exchange will take place. A, the principle of exchange; B, the principle of integrity; C, the principle of original evidence; or D, the principle of validity. Okay, so those are lots of principles, and it could be easy to grab onto one and glom onto it and go, well, that sounds... original evidence sounds correct. Well, no, the answer is the principle of exchange. Try to keep it simple. If you don't know, go with the most logical answer that makes sense. It may still be wrong, but at least you don't try to bite off on something that sounds really complex and collugy, because in most cases that will be the wrong answer, not always, but in most cases. So the principle of exchange is also known as Locard's exchange principle, named after Dr. Edmond Locard. Now it's L-O-C-A-R-D. Yeah, and this principle states that when two objects come in contact, a transfer of material will take place, and basically, in the context of digital forensics, this refers to the transfer of data. Okay, that would be one that would be a gotcha question: the principle of exchange. All right, that's all I have for today. Go to CISSP Cyber Training. If you like these questions, you can go there and you can get more questions that are similar to it. It also can help you with the blueprint that's at CISSP Cyber Training. That will walk you through this process step by step. There's a three-month, a four-month and a five-month plan that will help guide you and direct you in what you need to pass the CISSP. Now again, the key thing around this is having a good plan and then executing the plan.
Well, I know when I studied for the CISSP, I grabbed a book and started just going through it and didn't really know what I was looking for, and I failed. So I recommend you go check out the CISSP Cyber Training blueprint. It will help you out immensely, and it'll help give you some guidance and direction on which way to go so you can study for the exam. All right, hope you all have a wonderful day, and we will catch you on the flip side. See you.
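The episode covers two forensic mechanics worth seeing in working code: data carving (finding files in raw data by their signatures when the filesystem metadata is gone) and hash values as integrity identifiers for acquired evidence. The following is an added example, not code from the podcast or from CISSP Cyber Training; the raw "disk image", the minimal signature table, and the function names are all constructed for illustration.

```python
import hashlib

# Constructed stand-in for a raw disk image: no filesystem metadata,
# just file bodies sitting in unallocated space between filler bytes.
_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-sample-payload" + b"\xff\xd9"
_PNG = b"\x89PNG\r\n\x1a\n" + b"png-sample-payload" + b"IEND\xaeB`\x82"
RAW_IMAGE = b"\x00" * 64 + _JPEG + b"slack-bytes" + _PNG + b"\x00" * 32

# Minimal header/footer signature table (hypothetical; real carving tools
# carry hundreds of entries and also use length fields inside the headers).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def image_hash(data: bytes) -> str:
    """Hash value recorded at acquisition and re-checked before analysis."""
    return hashlib.sha256(data).hexdigest()


def verify(evidence: bytes, recorded_sha256: str) -> bool:
    """Re-hash the evidence and compare with the value logged at acquisition;
    any single-byte change to the copy makes this return False."""
    return image_hash(evidence) == recorded_sha256


def carve(raw: bytes) -> list:
    """Search raw bytes for header/footer pairs and return the carved files,
    each with its offset and its own hash, ordered by offset."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            h = raw.find(header, start)
            if h == -1:
                break
            f = raw.find(footer, h + len(header))
            if f == -1:
                break  # header without footer: truncated file, skip it
            data = raw[h:f + len(footer)]
            found.append({"type": ftype, "offset": h, "data": data,
                          "sha256": image_hash(data)})
            start = f + len(footer)
    return sorted(found, key=lambda item: item["offset"])


if __name__ == "__main__":
    recorded = image_hash(RAW_IMAGE)          # logged in the chain of custody
    assert verify(RAW_IMAGE, recorded)        # work only on a verified copy
    for item in carve(RAW_IMAGE):
        print(item["type"], item["offset"], item["sha256"])
```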

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
