CCNA Cyber Ops FAQ: Forensics
Q1. Which of the following are the three broad categories of cybersecurity investigations?
A. Public, private, and individual investigations
B. Judiciary, private, and individual investigations
C. Public, private, and corporate investigations
D. Government, corporate, and private investigations
Q2. In addition to cybercrime and attacks, evidence found on a system or network may be presented in a court of law to support accusations of crime or civil action, including which of the following?
A. Fraud, money laundering, and theft
B. Drug-related crime
C. Murder and acts of violence
D. All of the above
Q3. Which of the following is true about attribution in a cybersecurity investigation?
A. A suspect-led approach is often accepted in supreme courts.
B. A suspect-led approach is pejorative and often biased to the disadvantage of those being investigated.
C. A suspect-led approach is mostly used in corporate investigations.
D. A suspect-led approach is mostly used in private investigations.
Q4. Which of the following is not true regarding the use of digital evidence?
A. Digital forensics evidence provides implications and extrapolations that may assist in proving some key fact of the case.
B. Digital evidence helps legal teams and the court develop reliable hypotheses or theories as to the committer of the crime or threat actor.
C. The reliability of the digital evidence is vital to supporting or refuting any hypothesis put forward, including the attribution of threat actors.
D. The reliability of the digital evidence is not as important as someone’s testimony to supporting or refuting any hypothesis put forward, including the attribution of threat actors.
Q5. Which of the following statements is true about processes and threads?
A. Each thread starts with a single process, known as the primary process, but can also create additional processes from any of its services.
B. Each service starts with a single hive, known as the primary hive, but can also create additional threads from any of its hives.
C. Each process starts with a single thread, known as the primary thread, but can also create additional threads from any of its threads.
D. Each hive starts with a single thread, known as the primary thread, but can also create additional threads from any of its threads.
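The point Q5 tests, shown in running code rather than as a quiz option: a process begins execution with one primary (main) thread, and any thread, not just the primary one, may create further threads. This is an added example, not code from the CCNA Cyber Ops material; the tree-building helpers (`spawn_tree`, `build_thread_tree`, `count_threads`) and the `parent/index` naming scheme are this example's own, and the parent-to-child map is kept by hand because the standard `threading` module does not record who created a thread.

```python
"""Added example (not from the CCNA Cyber Ops quiz): every process starts with a
single primary thread, and any thread can spawn more threads.  The tree of
creators is recorded by hand; Python's threading module does not track it."""
import threading


def spawn_tree(depth, fanout, tree, lock):
    """Record this thread's children under its name, start them, and let each
    child recurse one level deeper.  `tree` maps parent name -> child names."""
    if depth == 0:
        return
    me = threading.current_thread().name
    children = []
    for i in range(fanout):
        child = threading.Thread(
            target=spawn_tree, args=(depth - 1, fanout, tree, lock),
            name=f"{me}/{i}",          # example's own naming: parent/index
        )
        with lock:
            tree.setdefault(me, []).append(child.name)
        children.append(child)
        child.start()
    for child in children:
        child.join()                   # wait so the tree is complete on return


def build_thread_tree(depth=2, fanout=2):
    """Run spawn_tree from the primary thread and return (root name, tree).
    The root is the primary thread the interpreter's process started with."""
    tree = {}
    lock = threading.Lock()
    root = threading.main_thread().name
    spawn_tree(depth, fanout, tree, lock)
    return root, tree


def count_threads(tree):
    """Primary thread plus every thread recorded as somebody's child."""
    return 1 + sum(len(kids) for kids in tree.values())


if __name__ == "__main__":
    root, tree = build_thread_tree(2, 2)
    for parent, kids in tree.items():
        print(f"{parent} created {kids}")
    print("threads in process during the run:", count_threads(tree))
```

With `depth=2, fanout=2` the primary thread creates two threads, each of which creates two more, so seven threads exist during the run; after `join()` returns, only the primary thread remains, which is the state a forensic memory image of an idle process normally shows.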
Q6. What is a job in Microsoft Windows?
A. A job is a group of threads.
B. A job is a group of hives.
C. A job is a group of services.
D. A job is a group of processes.
Q7. Which of the following file systems is more secure, scalable, and advanced?
A. FAT32
B. FAT64
C. uFAT
D. NTFS
Q8. Which of the following Linux file systems not only supports journaling but also modifies important data structures of the file system, such as the ones destined to store the file data for better performance and reliability?
A. GRUB
B. LILO
C. Ext4
D. FAT32
Q9. Which of the following are examples of Linux boot loaders?
A. GRUB
B. ILOS
C. LILO
D. Ubuntu BootPro
Q10. Which of the following is true about journaling?
A. The journal is the least used part of the disk, making the blocks that form part of it more prone to hardware failure.
B. The journal is the most used part of the disk, making the blocks that form part of it less prone to hardware failure.
C. The journal is the most used part of the disk, making the blocks that form part of it more prone to hardware failure.
D. The journal is the least used part of the disk, making the blocks that form part of it less prone to hardware failure.
Q11. Which of the following is true about VirtualAlloc?
A. It is a specialized allocation of the Windows virtual memory system, meaning it allocates straight into virtual memory via reserved blocks of memory.
B. It is another name for swap space.
C. It is a specialized allocation of the Linux virtual memory system, meaning it allocates straight into virtual memory via reserved blocks of memory.
D. It is a specialized allocation of the Mac OS X virtual memory system, meaning it allocates straight into virtual memory via reserved blocks of memory.
Q12. Which of the following is true about HeapAlloc?
A. It allocates any size of memory that is requested dynamically in Mac OS X. It is designed to be slow and used for special-purpose memory allocation.
B. It allocates any size of memory that is requested dynamically in Microsoft Windows. It is designed to be slow and used for special purpose memory allocation.
C. It allocates any size of memory that is requested dynamically in Linux-based operating systems. It is designed to be very fast and used for general-purpose allocation.
D. It allocates any size of memory that is requested dynamically in Microsoft Windows. It is designed to be very fast and used for general-purpose allocation.
Q13. In cyber forensics, the storage device you are investigating should immediately be write-protected before it is imaged and should be labeled to include which of the following? (Choose two.)
A. Investigator’s name
B. Victim’s name
C. The date when the image was created
D. NetFlow record ID
Q14. Which of the following is a benefit in cyber forensics of being able to make an exact copy of the data being investigated?
A. The original device can be returned to the owner or stored for trial, normally without having to be examined repeatedly.
B. The original device can be returned to the owner or stored for trial, typically always having to be examined repeatedly.
C. A backup of the data can be performed so that the case manager and investigator can retrieve any lost records.
D. A backup of the data can be performed so that the victim can retrieve any lost records.
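Q13 and Q14 describe the acquisition workflow: write-protect the source, image it, label the image with who acquired it and when, and verify the copy so the original can be sealed and the examiner works only on the image. The following is an added example of that workflow, not code from the CCNA Cyber Ops material. It assumes a constructed byte string standing in for a device, a temporary directory, and function names (`acquire_image`, `verify_image`, `demo`) that are this example's own; in practice the source would be a block device behind a hardware write blocker, and the file-permission change below is only a software stand-in for that.

```python
"""Added example (not from the CCNA Cyber Ops quiz): image a source read-only,
hash both sides, write a label with investigator and acquisition date, and
verify the image later.  The "device" is constructed sample data."""
import datetime
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 16  # read/write block size


def sha256_file(path):
    """Stream a file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image, investigator, when=None):
    """Copy `source` to `image` bit for bit, hashing the source as it is read and
    the image after it is written.  The source is opened read-only; the label
    records who acquired it and when, as Q13 requires."""
    when = when or datetime.datetime.now(datetime.timezone.utc).isoformat()
    src_hash = hashlib.sha256()
    with open(source, "rb", buffering=0) as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    src_hex = src_hash.hexdigest()
    if sha256_file(image) != src_hex:
        raise RuntimeError("image hash differs from source; acquisition failed")
    label = {
        "investigator": investigator,
        "acquired_utc": when,
        "source": os.path.basename(source),
        "size": os.path.getsize(image),
        "sha256": src_hex,
    }
    with open(image + ".label.json", "w") as f:
        json.dump(label, f, indent=2)
    return label


def verify_image(image):
    """Re-hash the image and compare with its label.  A True result is what lets
    the original stay sealed (Q14): the working copy is provably identical."""
    with open(image + ".label.json") as f:
        label = json.load(f)
    return sha256_file(image) == label["sha256"]


def demo():
    """Acquire a constructed 'device', verify, then show that tampering with the
    copy is detected.  Returns (label matches source, intact, still intact)."""
    data = (b"MBR\x00" * 128 + b"evidence.txt: transfer 10000 to acct 4321\n") * 40
    work = tempfile.mkdtemp()
    src = os.path.join(work, "sdb")          # constructed stand-in for /dev/sdb
    img = os.path.join(work, "sdb.dd")
    with open(src, "wb") as f:
        f.write(data)
    os.chmod(src, 0o444)  # software write-protect; not a substitute for a blocker
    label = acquire_image(src, img, "A. Examiner")
    intact = verify_image(img)
    with open(img, "r+b") as f:              # one byte changed in the copy
        f.seek(10)
        f.write(b"X")
    still_intact = verify_image(img)
    return label["sha256"] == hashlib.sha256(data).hexdigest(), intact, still_intact


if __name__ == "__main__":
    print(demo())
```

The label file next to the image is what answers "who made this and when" at trial; re-running `verify_image` before each examination session answers "is this still the copy that was made".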
Q15. What is best evidence?
A. Evidence that can be presented in court in the original form.
B. Evidence that tends to support a theory or an assumption deduced by some initial evidence. This best evidence confirms the proposition.
C. Evidence that cannot be presented in court in the original form.
D. Evidence that can be presented in court in any form.
Q16. Which of the following is extra memory on the hard disk drive or SSD that is an expansion of the system’s physical memory?
A. MBR
B. MFT
C. Swap
D. RAM partition
Q17. Which of the following is true about journaling?
A. A journaling file system provides less security than the alternatives.
B. Journaling file systems are slow and should be avoided.
C. A journaling file system maintains a record of changes not yet committed to the file system’s main part.
D. A journaling file system does not maintain a record of changes not yet committed to the file system’s main part.
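Q8, Q10 and Q17 all turn on what a journal is for: changes are appended to the journal first, and only records that reach a commit marker are applied to the main part of the file system, so a crash mid-update leaves the main area consistent. The block below is an added example that simulates that behaviour; it is not code from the CCNA Cyber Ops material and only loosely models ext3/ext4 data journaling. The `JournaledStore` class, the `scenario` helpers and the block/record layout are this example's own.

```python
"""Added example (not from the CCNA Cyber Ops quiz): a minimal write-ahead
journal.  Changes are appended to the journal; only changes followed by a
commit marker are applied to the main area during replay, and an uncommitted
tail is discarded.  Class and scenario names are this example's own."""


class JournaledStore:
    """`main` is the file system's main part (block -> bytes); `journal` is the
    on-disk, append-only log.  Nothing touches `main` except replay."""

    def __init__(self, main=None):
        self.main = dict(main or {})
        self.journal = []

    def write(self, blk, data):
        # goes to the journal only; main stays as it was
        self.journal.append(("write", blk, data))

    def commit(self, txid):
        # the marker that makes the preceding writes eligible for main
        self.journal.append(("commit", txid))

    def recover(self):
        """Replay after a crash (or at checkpoint): apply writes that are
        followed by a commit marker, drop the uncommitted tail, empty the
        journal.  Returns the number of records dropped."""
        pending = []
        for rec in self.journal:
            if rec[0] == "write":
                pending.append(rec)
            else:                      # commit: apply everything buffered
                for _, blk, data in pending:
                    self.main[blk] = data
                pending = []
        self.journal = []
        return len(pending)


def scenario(commit_before_crash):
    """A two-block update (file data plus the directory entry that points at
    it) interrupted by a crash.  Returns (main area after recovery, dropped)."""
    fs = JournaledStore({1: b"old"})
    fs.write(1, b"new")              # new file contents
    fs.write(2, b"dirent->1")        # directory entry referencing block 1
    if commit_before_crash:
        fs.commit("tx1")
    # --- crash here: RAM is gone, main and journal survive on disk ---
    dropped = fs.recover()
    return fs.main, dropped


def scenario_no_journal():
    """Same update without a journal: the crash lands between the two writes
    and the main area is left half-updated (data changed, no directory entry)."""
    main = {1: b"old"}
    main[1] = b"new"
    # --- crash here ---
    return main


if __name__ == "__main__":
    print("crash before commit:", scenario(False))
    print("crash after commit: ", scenario(True))
    print("no journal:         ", scenario_no_journal())
```

The cost Q10 refers to follows directly from this design: every change passes through the journal area before it reaches its final location, so those blocks see far more writes than the rest of the disk.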
Q18. Which type of evidence relies on an extrapolation to a conclusion of fact (such as fingerprints, DNA evidence, and so on)?
A. Indirect or circumstantial evidence
B. Secondary evidence
C. Corroborating evidence
D. Best evidence
Q19. Which of the following is one of the most used Linux file systems that has several improvements over its predecessors and that supports journaling?
A. NTFS
B. exFAT
C. Ext5
D. Ext4
Q20. Which of the following statements is true about heaps in Windows?
A. Heaps are set up by Malloc and are used to initially reserve allocation space from the operating system.
B. Heaps are set up by swap and are used to initially reserve allocation space at bootup from the operating system.
C. Heaps are set up by GRUB and are used to initially reserve allocation space from the operating system.
D. Heaps are set up by VirtualAlloc and are used to initially reserve allocation space from the operating system.