CompTIA Security+ Question B-61

Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools?

A. Identify user habits
B. Disconnect system from network
C. Capture system image
D. Interview witnesses

Answer: C

Explanation:
Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. Very much as helpful in same way that a virus sample is kept in laboratories to study later after a breakout. Also you should act in the order of volatility which states that the system image capture is first on the list of a forensic analysis.

CompTIA Security+ Question B-34

A set of standardized system images with a pre-defined set of applications is used to build end-user workstations. The security administrator has scanned every workstation to create a current inventory of all applications that are installed on active workstations and is documenting which applications are out-of-date and could be exploited. The security administrator is determining the:

A. attack surface.
B. application hardening effectiveness.
C. application baseline.
D. OS hardening effectiveness.

Answer: A

Explanation:
In this question, we have out-of-date applications that could be exploited. The out-of-date applications are security vulnerabilities. The combination of all vulnerabilities that could be exploited (or attacked) is known as the attack surface.

The attack surface of a software environment is the sum of the different points (the “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data to or extract data from an environment. The basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, and eliminate services requested by relatively few users. One approach to improving information security is to reduce the attack surface of a system or software. By turning off unnecessary functionality, there are fewer security risks. By having less code available to unauthorized actors, there will tend to be fewer failures. Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage an attacker could inflict once a vulnerability is found.

CompTIA Security+ Simulation 9

DRAG DROP
A forensic analyst is asked to respond to an ongoing network attack on a server. Place the items in the list below in the correct order in which the forensic analyst should preserve them.

Select and Place:

Correct Answer:


Section: Compliance and Operational Security

When dealing with multiple issues, address them in order of volatility (OOV); always deal with the most volatile first. Volatility can be thought of as the amount of time that you have to collect certain data before a window of opportunity is gone. Naturally, in an investigation you want to collect everything, but some data will exist longer than others, and you cannot possibly collect all of it once. As an example, the OOV in an investigation may be RAM, hard drive data, CDs/DVDs, and printouts.

Order of volatility: Capture system images as a snapshot of what exists, look at network traffic and logs, capture any relevant video/screenshots/hashes, record time offset on the systems, talk to witnesses, and track total man-hours and expenses associated with the investigation.

References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sybex, Indianapolis

CompTIA A+ Core 2 Question E-98

A technician is tasked with repairing a Windows 7 system including the removal of recently installed files and software. Which of the following system restoration methods would be the LEAST destructive way to achieve this?

A. System Restore
B. System Image Recovery
C. CHKDSK
D. Windows Memory Diagnostic