Free Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR) Exam 300-215 Exam Practice Test

What is the function of a disassembler?A . aids performing static malware analysisB . aids viewing and changing the running stateC . aids transforming symbolic language into machine codeD . aids defining breakpoints in program execution

A security team detected an above-average amount of inbound tcp/135 connection attempts from unidentified senders. The security team is responding based on their incident response playbook. Which two elements are part of the eradication phase for this incident? (Choose two.)A . anti-malware softwareB . data and workload isolationC . centralized user managementD . intrusion prevention systemE . enterprise block listing solution

An organization uses a Windows 7 workstation for access tracking in one of their physical data centers on which a guard documents entrance/exit activities of all personnel. A server shut down unexpectedly in this data center, and a security specialist is analyzing the case. Initial checks show that the previous two days of entrance/exit logs are missing, and the guard is confident that the logs were entered on the workstation. Where should the security specialist look next to continue investigating this case?A . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonB . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileListC . HKEY_CURRENT_USER\Software\Classes\WinlogD . HKEY_LOCAL_MACHINES\SOFTWARE\Microsoft\WindowsNT\CurrentUser

A scanner detected a malware-infected file on an endpoint that is attempting to beacon to an external site. An analyst has reviewed the IPS and SIEM logs but is unable to identify the file's behavior. Which logs should be reviewed next to evaluate this file further?A . email security applianceB . DNS serverC . Antivirus solutionD . network device

An engineer is investigating a ticket from the accounting department in which a user discovered an unexpected application on their workstation. Several alerts are seen from the intrusion detection system of unknown outgoing internet traffic from this workstation. The engineer also notices a degraded processing capability, which complicates the analysis process. Which two actions should the engineer take? (Choose two.)A . Restore to a system recovery point.B . Replace the faulty CPU.C . Disconnect from the network.D . Format the workstation drives.E . Take an image of the workstation.

A security team receives reports of multiple files causing suspicious activity on users' workstations. The file attempted to access highly confidential information in a centralized file server. Which two actions should be taken by a security analyst to evaluate the file in a sandbox? (Choose two.)A . Inspect registry entriesB . Inspect processes.C . Inspect file hash.D . Inspect file type.E . Inspect PE header.

An ''unknown error code'' is appearing on an ESXi host during authentication. An engineer checks the authentication logs but is unable to identify the issue. Analysis of the vCenter agent logs shows no connectivity errors. What is the next log file the engineer should check to continue troubleshooting this error?A . /var/log/syslog.logB . /var/log/vmksummary.logC . var/log/shell.logD . var/log/general/log

An investigator is analyzing an attack in which malicious files were loaded on the network and were undetected. Several of the images received during the attack include repetitive patterns. Which anti- forensic technique was used?A . spoofingB . obfuscationC . tunnelingD . steganography

An organization recovered from a recent ransomware outbreak that resulted in significant business damage. Leadership requested a report that identifies the problems that triggered the incident and the security team's approach to address these problems to prevent a reoccurrence. Which components of the incident should an engineer analyze first for this report?

• impact and flow
• cause and effect
• risk and RPN
• motive and factors

A network host is infected with malware by an attacker who uses the host to make calls for files and shuttle traffic to bots. This attack went undetected and resulted in a significant loss. The organization wants to ensure this does not happen in the future and needs a security solution that will generate alerts when command and control communication from an infected device is detected. Which network security solution should be recommended?A . Cisco Secure Firewall ASAB . Cisco Secure Firewall Threat Defense (Firepower)C . Cisco Secure Email Gateway (ESA)D . Cisco Secure Web Appliance (WSA)