Incident Types
IR Phases
DFIR Tools
Detection
Pot Pourri
200

This type of malware encrypts a victim's data and demands a ransom for the decryption key.

What is Ransomware?

200

The initial phase of the Incident Response life cycle where plans and preparations are made.

What is Preparation?

200

Cellebrite and Oxygen are types of these that extract data from Android and iOS devices.

What are mobile forensic tools?

200

The process of continuously monitoring systems and networks for unusual activity that could indicate a security incident.

What is Event Monitoring?

200

A strategy used to prevent the spread of an infection by isolating affected systems.

What is Quarantine?

400

The installation of malicious software on a system without consent, which can lead to data theft or system disruption.

What is Malware Infection?

400

The phase where potential security incidents are identified and reported.

What is Detection?

400

An open-source digital forensic tool used for data analysis and recovery.

What is Autopsy?

400

The process of responding effectively to a security breach by determining its extent and prioritizing response activities such as containment and system restoration.

What is Incident Scoping?

400

The person who disseminates information about an incident to staff, stakeholders, or the public.

Who is the Communications or PR Specialist?

600

Unauthorized access to sensitive information leading to its exposure or theft.

What is a Data Breach?

600

Activities conducted after an incident to improve future response efforts and prevent recurrence.

What is Post-Incident Activity?

600

Software used for packet analysis and network troubleshooting.

What is Wireshark?

600

A method to confirm that an event or series of events constitutes a security incident and not a false positive.

What is Incident Validation?

600

This refers to indicators that warn an incident has occurred or is currently occurring, such as unscheduled login attempts.

What are Indicators of Compromise (IoCs)?

800

Manipulating individuals into divulging confidential information through tactics like impersonation.

What is Social Engineering?

800

The process of removing the threat and restoring systems to normal operation.

What is Eradication and Recovery?

800

A freely available hex editor used for manually carving data from files and images.

What is HxD?

800

In this step of the Incident Response process, teams aim to preserve evidence, assess the breach's extent, and identify IoCs by gathering logs, network traffic, system images, process memory, and configuration files.

What is Data Collection?

800

The company credited as the first to detect the SolarWinds hack, showcasing the importance of external threat intelligence.

Who is FireEye?

1000

This attack overwhelms a system with excessive traffic, rendering it inaccessible to legitimate users.

What is a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack?

1000

This phase involves stopping the spread of the incident and isolating affected systems.

What is Containment?

1000

This freely available tool is used for creating forensic images of digital media.

What is FTK Imager?

1000

This component of the IR detection process uses tools such as SIEM systems and techniques such as log, traffic, and endpoint analysis to identify security incidents that event monitoring alone might miss.

What is Event Correlation?

1000

A type of exercise used to simulate incident response scenarios to test and refine the IR plan.

What are tabletop exercises?