SANS GCIH (SEC504) EXAM QUESTIONS AND
ACCURATE ANSWERS
Which of the following groups should decide when a system is put back into production?
A) Systems administrators
B) Business team
C) Security team
D) Data owner - Answer B) Business team
Which of the following would display ASCII and Unicode strings in a malware sample?
A) cat
B) Get-Strings
C) strings
D) findstr - Answer C) strings
Which of the following is typically used to carry out an investigation by most malware
investigators?
A) Virtual machine
B) Day-to-day host
C) Thick client
D) Production system - Answer A) Virtual machine
If you believe your system has been subjected to a rootkit attack, which of the following
is the least expensive form of removal?
A) Restore the OS from the most recent backup.
B) Reformat, reinstall, and patch the system from the original media.
C) Patch and reboot the compromised system.
D) Install applications from a different vendor. - Answer B) Reformat, reinstall, and
patch the system from the original media.
What tool can be utilized to document the registry state both before and after malware
has been executed on an analysis system?
A) Regshot
B) Ollydbg
C) Wireshark
D) Regripper - Answer A) Regshot
What can be done to make sure that an asset that is under investigation is not returned
to production prior to an investigation being completed?
A) The asset should be moved to a different cloud data center.
B) The asset should be terminated.
C) Lock down all administrative access to the cloud environment so none of the admins
can make changes.
D) Apply an "under investigation" tag to the asset. - Answer D) Apply an "under
investigation" tag to the asset.
At the remediation phase of incident response, you have just deleted a file from your
infected web server. What's the most important additional thing to do in order not to get
compromised again?
A) Determine the root cause of the attack.
B) Rule analysis of your host-based firewall
C) Host data recovery using backup.
D) System hardening and patching. - Answer A) Determine the root cause of the attack.
Why is RAM image analysis a must for investigations?
A) There could be some valuable information in RAM, which may not exist on-disk.
B) Speed - A RAM image would contain the same information as disk.
C) RAM produces more reliable images than disk.
D) Historical data is easier to find in RAM than searching disk. - Answer A) There is useful
data in RAM that may not be stored on disk.
An investigator encounters the following POST. What log type captured this activity?
1583050850.951 185 192.168.40.123 TCP_MISS/200 1856 POST https://update.googleapis.com/service/update2? -ORIGINAL_DST/172.219.10.153 text/xml
A) Switch access log
B) Regshot event log
C) Proxy access log
D) Windows event log - Answer C) Proxy access log
What are two general methods usually undertaken in malware analysis?
A) Carrying out a penetration test and carrying out a vulnerability scan.
B) Observing the environment and performing code analysis.
C) Taking down the environment and restoring from backups.
D) Performing a risk assessment and checking on a potential exploit type. - Answer B)
Observing the environment and performing code analysis.
What should ideally be the first step of an incident?
A) Identify which systems are unpatched.
B) Verify whether an incident occurred.
C) Identify which threat intelligence feeds to query.
D) Identify which systems need to be rebuilt. - Answer B) Verify whether an incident
occurred.
In what way is your logging of API access to a cloud environment a major incident response
benefit?
A) It helps out with giving really detailed insight into the network activity to analyze.
B) It helps to understand the scope of the breach and actions taken by an attacker.
C) It provides verification of access to breached data.
D) It provides full packet capture visibility. - Answer B) It helps to understand the scope
of the breach and the actions taken by an attacker.
API access logs record all programmatic access to cloud services, all identity and key
use, and therefore a record of the tactics an attacker used against the cloud environment. This
makes them the most useful data for understanding the scope of a breach and the actions taken
by the attacker.
What type of behavior is possibly occurring if, during a packet capture, an analyst sees
that a system sent a frequent, small, outbound communication to a known bad IP, over a
seven-day period?
A) Ack scan
B) Fragmentation
C) Beaconing
D) Traceroute - Answer C) Beaconing
What is the order of phases, in the classic six-step incident response process?
A) Preparation, identification, containment, eradication, recovery, and lessons learned.
B) Preparation, containment, eradication, recovery, retaliation, and lessons learned.
C) Preparation, identification, recovery, encapsulation, eradication, and lessons
learned. - Answer A) Preparation, identification, containment, eradication, recovery, and
lessons learned.