DFIR Basics
Network Analysis
Malware Analysis
Digital Forensics
Incident Response
Threat & Techniques
100

What does EDR stand for?

Endpoint Detection and Response

100

Switches route packets based on what?

MAC addresses

100

Which tool type may be used for analyzing a file to determine if it is malicious without executing it?

Hexadecimal Editor

100

What does the MFT acronym mean in digital forensics?

Master File Table

100

How is the structure of the ATT&CK framework organized?

How is the structure of the ATT&CK framework organized?

100

What does nmap -sT do?

Full TCP scan.

200

What is a file signature?

Specific bytes at the start of a file to define its type

200

What functionality does the -sS switch in Nmap provide?

SYN scan

200

Which of the following is an example of a code obfuscation technique?

String encoding like Base64

200

What are inodes for?

Store metadata like permissions and pointers

200

What does the D3FEND framework do?

Maps defenses to attack techniques

200

What timing option reduces detection probability?

-T0

300

What does "carving a file" mean?

Extracting file contents without a file system.

300

How many usable host addresses are there in a subnet with a mask of 255.255.255.248 or /29?

6

300

Why is Base64 encoding performed?

To transmit binary data over text-only channel

300

Why analyze registry hives in memory forensics?

They store configuration and user settings

300

How does the "capability" element in the Diamond Model function?

Denotes tools used to execute attacks

300

What Wireshark feature analyzes Layer 7 flow?

Follow TCP stream

400

What does SIGINT involve in DFIR?

Intercepted signals and communications.

400

What does tcp.flags.syn==1 && tcp.flags.ack==0 in Wireshark isolate for viewing?

Initial SYN packets.

400

What describes a Portable Executable file?

Common Windows format (4D5A/MZ)

400

What is notable about the NTFS file system that no other file system has?

Alternate Data Streams.

400

What is an APT in a packet capture?

Random DNS domain

400

What does "half-open connection" mean in the context of SYN floods?

Incomplete TCP handshake

500

What does the concept of persistence mean in DFIR?

Malware persists in memory across reboots

500

Routers route packets based on what?

IP addresses

500

How does packer-based obfuscation work in malware?

Compresses and encrypts code, unpacking at runtime.

500

What is winpmem?

Tool for capturing memory on Windows

500

What is the Finish phase in F3EAD?

Restores normal operations post-incident

500

What isolates HTTP traffic in Wireshark?

tcp port 80

600

What is the "Pyramid of Pain" in the context of Incident Response?

IoC-based model showing adversary disruption difficulty.

600

What does the -A switch in Nmap provide?

OS and version detection

600

What challenges does obfuscation create for dynamic analysis of malware?

Hides behavior during execution

600

What does the Volatility 3 command ‘vol -f dump.raw psscan’ do?

Finds hidden or terminated processes

600

What is the Exploit phase in F3EAD?

Using intelligence to meet objectives

600

What HTTP response code means permanent relocation?

301