QUESTION: 1
Of the following pieces of digital evidence, which would be collected FIRST from a live system involved in
an incident?
A. Event logs from a central repository
B. Directory listing of system files
C. Media in the CD-ROM drive
D. Swap space and page files
Answer(s): D
Explanation:
Best practices suggest that live response should follow the order of volatility, which means that the data
changing most rapidly is collected first. The order of volatility is:
Memory
Swap or page file
Network status and current / recent network connections
Running processes
Open files
QUESTION: 2
Who is ultimately responsible for approving methods and controls that will reduce any potential risk to an
organization?
A. Senior Management
B. Data Owner
C. Data Custodian
D. Security Auditor
Answer(s): D
QUESTION: 3
Why might an administrator not be able to delete a file using the Windows del command without
specifying additional command line switches?
A. Because it has the read-only attribute set
B. Because it is encrypted
C. Because it has the nodel attribute set
D. Because it is an executable file
Answer(s): A
QUESTION: 4
Which of the following would be used in order to restrict software from performing unauthorized
operations, such as invalid access to memory or invalid system calls?
A. Perimeter Control
B. User Control
C. Application Control
D. Protocol Control
E. Network Control
Answer(s): C
QUESTION: 5
What information would the Wireshark filter in the screenshot list within the display window?