CCNA Cyber Ops FAQ: Forensics

Q1. Which of the following are the three broad categories of cybersecurity investigations?
A. Public, private, and individual investigations
B. Judiciary, private, and individual investigations
C. Public, private, and corporate investigations
D. Government, corporate, and private investigations

Answer: A. The three broad categories of cybersecurity investigations are public, private, and individual.

Q2. In addition to cybercrime and attacks, evidence found on a system or network may be presented in a court of law to support accusations of crime or civil action, including which of the following?
A. Fraud, money laundering, and theft
B. Drug-related crime
C. Murder and acts of violence
D. All of the above

Answer: D. Evidence found on a system or network may be presented in a court of law to support accusations of crime or civil action, including all the options presented.

Q3. Which of the following is true about attribution in a cybersecurity investigation?
A. A suspect-led approach is often accepted in supreme courts.

B. A suspect-led approach is pejorative and often biased to the disadvantage of those being investigated.

C. A suspect-led approach is mostly used in corporate investigations.

D. A suspect-led approach is mostly used in private investigations.

Answer: B. A suspect-led approach is pejorative and often biased to the disadvantage of those being investigated.

Q4. Which of the following is not true regarding the use of digital evidence?
A. Digital forensics evidence provides implications and extrapolations that may assist in proving some key fact of the case.

B. Digital evidence helps legal teams and the court develop reliable hypotheses or theories as to the committer of the crime or threat actor.

C. The reliability of the digital evidence is vital to supporting or refuting any hypothesis put forward, including the attribution of threat actors.

D. The reliability of the digital evidence is not as important as someone’s testimony to supporting or refuting any hypothesis put forward, including the attribution of threat actors.

Answer: D. Statement D is the false one. The reliability of the digital evidence is vital to supporting or refuting any hypothesis put forward, including the attribution of threat actors; testimony does not replace it.

Q5. Which of the following statements is true about processes and threads?
A. Each thread starts with a single process, known as the primary process, but can also create additional processes from any of its services.

B. Each service starts with a single hive, known as the primary hive, but can also create additional threads from any of its hives.

C. Each process starts with a single thread, known as the primary thread, but can also create additional threads from any of its threads.

D. Each hive starts with a single thread, known as the primary thread, but can also create additional threads from any of its threads

Answer: C. Each process starts with a single thread, known as the primary thread, but can also create additional threads from any of its threads.

Q6. What is a job in Microsoft Windows?
A. A job is a group of threads.
B. A job is a group of hives.
C. A job is a group of services.
D. A job is a group of processes.

Answer: D. A job is a group of processes.

Q7. Which of the following file systems is more secure, scalable, and advanced?
A. FAT32
B. FAT64
C. uFAT
D. NTFS

Answer: D. NTFS is more secure, scalable, and advanced than FAT32: it adds per-file access control lists, a journal, and support for far larger volumes and files. FAT64 and uFAT are not Microsoft file system names; the FAT family consists of FAT12, FAT16, FAT32, and exFAT.

Q8. Which of the following Linux file systems not only supports journaling but also modifies important data structures of the file system, such as the ones destined to store the file data for better performance and reliability?
A. GRUB
B. LILO
C. Ext4
D. FAT32

Answer: C. Ext4 supports journaling and reworks on-disk structures such as the extent-based layout used to store file data, for better performance and reliability. LILO and GRUB are boot loaders, not file systems, and FAT32 has no journal at all.

Q9. Which of the following are examples of Linux boot loaders?
A. GRUB
B. ILOS
C. LILO
D. Ubuntu BootPro

Answer: A and C. GRUB and LILO are examples of commonly used Linux boot loaders.

Q10. Which of the following is true about journaling?
A. The journal is the least used part of the disk, making the blocks that form part of it more prone to hardware failure.

B. The journal is the most used part of the disk, making the blocks that form part of it less prone to hardware failure.

C. The journal is the most used part of the disk, making the blocks that form part of it more prone to hardware failure.

D. The journal is the least used part of the disk, making the blocks that form part of it less prone to hardware failure.

Answer: C. The journal is the most used part of the disk, because every change is written there first and then again to its final location, making the blocks that form part of it more prone to hardware failure. This is one reason Ext4 allows the journal to be placed on a separate device.

Q11. Which of the following is true about VirtualAlloc?
A. It is a specialized allocation of the Windows virtual memory system, meaning it allocates straight into virtual memory via reserved blocks of memory.

B. It is another name for swap space.

C. It is a specialized allocation of the Linux virtual memory system, meaning it allocates straight into virtual memory via reserved blocks of memory.

D. It is a specialized allocation of the Mac OS X virtual memory system, meaning it allocates straight into virtual memory via reserved blocks of memory.

Answer: A. VirtualAlloc is a specialized allocation of the Windows virtual memory system, meaning it allocates straight into virtual memory via reserved blocks of memory.

Q12. Which of the following is true about HeapAlloc?
A. It allocates any size of memory that is requested dynamically in Mac OS X. It is designed to be slow and used for special-purpose memory allocation.

B. It allocates any size of memory that is requested dynamically in Microsoft Windows. It is designed to be slow and used for special purpose memory allocation.

C. It allocates any size of memory that is requested dynamically in Linux-based operating systems. It is designed to be very fast and used for general-purpose allocation.

D. It allocates any size of memory that is requested dynamically in Microsoft Windows. It is designed to be very fast and used for general-purpose allocation.

Answer: D. HeapAlloc is a Microsoft Windows API. It allocates any size of memory requested dynamically from a heap and is designed to be very fast for general-purpose allocation.

Q13. In cyber forensics, the storage device you are investigating should immediately be write-protected before it is imaged and should be labeled to include which of the following? (Choose two.)
A. Investigator’s name
B. Victim’s name
C. The date when the image was created
D. NetFlow record ID

Answer: A and C. When you’re performing forensics, the storage device you are investigating should immediately be write-protected before it is imaged and should be labeled to include the investigator’s name and the date when the image was created.

Q14. Which of the following is a benefit in cyber forensics of being able to make an exact copy of the data being investigated?
A. The original device can be returned to the owner or stored for trial, normally without having to be examined repeatedly.

B. The original device can be returned to the owner or stored for trial, typically always having to be examined repeatedly.

C. A backup of the data can be performed so that the case manager and investigator can retrieve any lost records.

D. A backup of the data can be performed so that the victim can retrieve any lost records.

Answer: A. In cyber forensics, the original device can be returned to the owner or stored for trial, normally without having to be examined repeatedly.
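The workflow behind Q13 and Q14, as an added example that is not part of the original page or the exam materials: write-protect the source, make a bit-for-bit copy, hash both, and store a label with the investigator's name and creation date, so the working copy can be re-verified before every examination and the original stays untouched. An ordinary file stands in for the storage device, the "evidence" bytes, case name, and investigator name are constructed for the demo, and the chmod-based write protection is a stand-in for the hardware write blocker you would use on real media.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

# Constructed sample "disk contents"; a real acquisition reads a block device.
SAMPLE_EVIDENCE = b"constructed sample disk contents: user@host logged in at 03:14\n" * 64


def sha256_of(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so images larger than RAM hash fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_protect(path: str) -> None:
    """Drop the write bits before imaging. A permission change only guards
    against accidental writes by the analyst's own tooling; physical media
    needs a hardware write blocker (assumption: this is a demo stand-in)."""
    mode = os.stat(path).st_mode
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def acquire_image(source: str, image: str, investigator: str) -> dict:
    """Write-protect the source, copy it, hash both sides, and write a label
    (investigator, UTC creation time, hash, size) beside the image. Raises if
    the copy does not match, because an unverified image is not evidence."""
    write_protect(source)
    source_hash = sha256_of(source)
    shutil.copyfile(source, image)
    image_hash = sha256_of(image)
    if image_hash != source_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    label = {
        "investigator": investigator,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.basename(source),
        "image": os.path.basename(image),
        "sha256": image_hash,
        "size_bytes": os.path.getsize(image),
    }
    with open(image + ".label.json", "w") as f:
        json.dump(label, f, indent=2)
    return label


def verify_image(image: str) -> bool:
    """Re-hash the image against its label; run this before each examination
    so the working copy, never the original device, is what gets handled."""
    with open(image + ".label.json") as f:
        label = json.load(f)
    return sha256_of(image) == label["sha256"]


def demo() -> dict:
    """Acquire an image of the constructed sample device, verify it, then
    overwrite one byte of the copy and show that verification now fails."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.dd")      # stand-in for /dev/sdX
    image = os.path.join(workdir, "case-0001.img")     # constructed case name
    with open(source, "wb") as f:
        f.write(SAMPLE_EVIDENCE)
    label = acquire_image(source, image, investigator="A. Analyst")
    clean = verify_image(image)
    with open(image, "r+b") as f:                      # simulate an accidental write
        f.seek(0)
        f.write(b"X")
    tampered = verify_image(image)
    result = {"label": label, "verified_clean": clean, "verified_after_tamper": tampered}
    shutil.rmtree(workdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash recorded in the label is what ties the copy to the original in court; if it ever stops matching, the copy is discarded and a fresh image is taken from the preserved original rather than trusting a working copy of unknown history.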

Q15. What is best evidence?
A. Evidence that can be presented in court in the original form.

B. Evidence that tends to support a theory or an assumption deduced by some initial evidence. This best evidence confirms the proposition.

C. Evidence that cannot be presented in court in the original form.

D. Evidence that can be presented in court in any form.

Answer: A. Evidence that can be presented in court in the original form is referred to as “best evidence.”

Q16. Which of the following is extra memory on the hard disk drive or SSD that is an expansion of the system’s physical memory?
A. MBR
B. MFT
C. Swap
D. RAM partition

Answer: C. Swap is extra memory on the hard disk drive or SSD that is an expansion of the system’s physical memory.

Q17. Which of the following is true about journaling?
A. A journaling file system provides less security than the alternatives.

B. Journaling file systems are slow and should be avoided.

C. A journaling file system maintains a record of changes not yet committed to the file system’s main part.

D. A journaling file system does not maintain a record of changes not yet committed to the file system’s main part.

Answer: C. A file system that supports journaling maintains a record of changes not yet committed to the file system’s main part.
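What Q8, Q10 and Q17 describe, as an added example that is not from the original page or from any real file system's code: a miniature write-ahead journal in which every change is recorded in a small journal region before it is applied to the main part, a crash between those two steps is recovered by replaying the journal, and a per-block write counter shows why the journal region takes more writes than the data region. Block counts and the data written are constructed for illustration.

```python
import json

# Constructed layout: the first JOURNAL_BLOCKS slots are the journal ring,
# the remaining DATA_BLOCKS slots are the file system's main part.
JOURNAL_BLOCKS = 4
DATA_BLOCKS = 16


class ToyJournalingFS:
    """Simplified model of a journaling file system (assumption: a real
    journal holds metadata transactions with sequence numbers and checksums)."""

    def __init__(self):
        self.disk = [None] * (JOURNAL_BLOCKS + DATA_BLOCKS)
        self.writes_per_block = [0] * len(self.disk)   # wear counter per block
        self.journal_head = 0                           # next free journal slot
        self.pending = []                               # journaled, not yet committed

    def _write_block(self, index, payload):
        """Every physical write goes through here so it can be counted."""
        self.disk[index] = payload
        self.writes_per_block[index] += 1

    def write(self, data_block, value):
        """Step 1: durably record the intended change in the journal before
        touching the main part. A crash after this point is recoverable."""
        if len(self.pending) == JOURNAL_BLOCKS:   # journal full: force a commit
            self.commit()
        record = {"block": JOURNAL_BLOCKS + data_block, "value": value}
        self._write_block(self.journal_head, json.dumps(record))
        self.journal_head += 1
        self.pending.append(record)

    def _clear_journal(self):
        for slot in range(JOURNAL_BLOCKS):
            self._write_block(slot, None)
        self.journal_head = 0

    def commit(self):
        """Step 2: apply journaled changes to the main part, then retire them."""
        for record in self.pending:
            self._write_block(record["block"], record["value"])
        self.pending.clear()
        self._clear_journal()

    def crash(self):
        """Simulate power loss: in-memory state is lost, the disk survives."""
        self.pending = []

    def recover(self):
        """Replay journal records that never reached the main part; this is
        the consistency guarantee journaling exists to provide."""
        replayed = 0
        for slot in range(JOURNAL_BLOCKS):
            if self.disk[slot] is not None:
                record = json.loads(self.disk[slot])
                self._write_block(record["block"], record["value"])
                replayed += 1
        self._clear_journal()
        return replayed

    def read(self, data_block):
        return self.disk[JOURNAL_BLOCKS + data_block]


def demo():
    """Normal commit, then a crash between journaling and commit, then recovery."""
    fs = ToyJournalingFS()
    for i in range(3):
        fs.write(i, f"file-{i}-v1")
    fs.commit()
    fs.write(0, "file-0-v2")        # journaled...
    fs.write(5, "file-5-v1")        # ...but never committed
    before_recovery = fs.read(0)    # main part still holds v1
    fs.crash()
    replayed = fs.recover()
    return {
        "before_recovery": before_recovery,
        "replayed": replayed,
        "after_recovery": fs.read(0),
        "block5": fs.read(5),
        "journal_writes": sum(fs.writes_per_block[:JOURNAL_BLOCKS]),
        "data_writes": sum(fs.writes_per_block[JOURNAL_BLOCKS:]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things to notice when you run it: the main part lags the journal until commit (so a forensic examiner who parses only the main area can miss the newest changes still sitting in the journal), and the four journal blocks absorb more writes than all sixteen data blocks combined, which is the wear argument behind Q10.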

Q18. Which type of evidence relies on an extrapolation to a conclusion of fact (such as fingerprints, DNA evidence, and so on)?
A. Indirect or circumstantial evidence
B. Secondary evidence
C. Corroborating evidence
D. Best evidence

Answer: A. Indirect or circumstantial evidence is a type of evidence that relies on an extrapolation to a conclusion of fact.

Q19. Which of the following is one of the most used Linux file systems that has several improvements over its predecessors and that supports journaling?
A. NTFS
B. exFAT
C. Ext5
D. Ext4

Answer: D. Ext4 is one of the most used Linux file systems. It has several improvements over its predecessors and supports journaling. NTFS is typically used in Windows. Ext5 does not exist as of the time of writing, and exFAT does not support journaling.

Q20. Which of the following statements is true about heaps in Windows?
A. Heaps are set up by Malloc and are used to initially reserve allocation space from the operating system.

B. Heaps are set up by swap and are used to initially reserve allocation space at bootup from the operating system.

C. Heaps are set up by GRUB and are used to initially reserve allocation space from the operating system.

D. Heaps are set up by VirtualAlloc and are used to initially reserve allocation space from the operating system.

Answer: D. Heaps are set up by VirtualAlloc and are used to initially reserve allocation space from the operating system.

About the author

Scott
