GCEDPreview

At the start of an investigation on a Windows system, the lead handler executes the following commands after inserting a USB drive. What is the purpose of this command? C:\ >dir / s / a dhsra d: \ > a: \ IRCD.txt

An analyst will capture traffic from an air-gapped network that does not use DNS. The analyst is looking for unencrypted Syslog data being transmitted. Which of the following is most efficient for this purpose?

Which of the following is best defined as "anything that has the potential to target known or existing vulnerabilities in a system?"

Which type of media should the IR team be handling as they seek to understand the root cause of an incident?

An incident response team is handling a worm infection among their user workstations. They created an IPS signature to detect and block worm activity on the border IPS, then removed the worms artifacts or workstations triggering the rule. Despite this action, worm activity continued for days after. Where did the incident response team fail?

On which layer of the OSI Reference Model does the FWSnort utility function?

Which Unix administration tool is designed to monitor configuration changes to Cisco, Extreme and Foundry infrastructure devices?

If a Cisco router is configured with the "service config" configuration statement, which of the following tools could be used by an attacker to apply a new router configuration?

Michael, a software engineer, added a module to a banking customers code. The new module deposits small amounts of money into his personal bank account.
Michael has access to edit the code, but only code reviewers have the ability to commit modules to production. The code reviewers have a backlog of work, and are often willing to trust the software developers testing and confidence in the code.
Which technique is Michael most likely to engage to implement the malicious code?

Of the following pieces of digital evidence, which would be collected FIRST from a live system involved in an incident?

Which of the following attacks would use ".." notation as part of a web request to access restricted files and directories, and possibly execute code on the web server?

Why might an administrator not be able to delete a file using the Windows del command without specifying additional command line switches?

Why would the pass action be used in a Snort configuration file?

Which command tool can be used to change the read-only or hidden setting of the file in the screenshot?

Who is ultimately responsible for approving methods and controls that will reduce any potential risk to an organization?

An internal host at IP address 10.10.50.100 is suspected to be communicating with a command and control whenever a user launches browser window. What features and settings of Wireshark should be used to isolate and analyze this network traffic?

A company wants to allow only company-issued devices to attach to the wired and wireless networks. Additionally, devices that are not up-to-date with OS patches need to be isolated from the rest of the network until they are updated. Which technology standards or protocols would meet these requirements?

When attempting to collect data from a suspected system compromise, which of the following should generally be collected first?

Before re-assigning a computer to a new employee, what data security technique does the IT department use to make sure no data is left behind by the previous user?

What feature of Wireshark allows the analysis of one HTTP conversation?

From a security perspective, how should the Root Bridge be determined in a Spanning Tree Protocol (STP) environment?

Which tasks would a First Responder perform during the Identification phase of Incident Response?

What should happen before acquiring a bit-for-bit copy of suspect media during incident response?

How does the Cisco IOS IP Source Guard feature help prevent spoofing attacks?