Stanley works as an incident responder at a top MNC based in Singapore. He was asked to investigate a cybersecurity incident that recently occurred in the company. While investigating the incident, he collected evidence from the victim systems. He must present this evidence in a clear and comprehensible manner to the members of a jury so that the evidence clarifies the facts and further helps in obtaining an expert opinion on the incident to confirm the investigation process. In the above scenario, which of the following characteristics of the digital evidence did Stanley attempt to preserve?
Correct Answer: B
In the scenario described, Stanley's effort to present the evidence in a clear and comprehensible manner to the members of a jury, so that it clarifies the facts and supports an expert opinion, is treated here as the characteristic of admissibility. Admissibility of digital evidence refers to its acceptability in a court of law, which depends on the evidence being collected, handled, and presented in a way that complies with legal standards and procedures: it must be relevant, reliable, and not unduly prejudicial. By preparing the evidence so that the jury can understand it and use it to confirm the investigation process, Stanley is working to ensure it meets the criteria for admission in legal proceedings. Completeness, believability, and authenticity are also important characteristics of digital evidence, but in this context Stanley's primary concern is meeting the legal requirements for the evidence to be accepted in court. References: The Incident Handler (ECIH v3) certification materials cover the legal aspects of incident response, including ensuring the admissibility of evidence in legal proceedings as a fundamental objective of evidence collection and presentation.
212-89 Exam Question 117
Which of the following risk mitigation strategies involves the execution of controls to reduce the risk factor and bring it to an acceptable level, or accepts the potential risk and continues operating the IT system?
Correct Answer: B
212-89 Exam Question 118
Liam, a senior incident responder at a manufacturing company, is alerted to an email campaign distributing malware through fake invoice attachments. He confirms that some users opened the attachment, resulting in system slowdown and unauthorized access attempts. He disconnects affected machines, scans and removes malware, disables compromised accounts, restores systems from clean backups, and documents file hashes, sender IPs, and malicious domains. Which of the following best describes Liam's objective?
Correct Answer: D
This scenario aligns with the eradication phase of the ECIH malware incident handling lifecycle. After detection and containment, eradication focuses on completely removing malicious artifacts and ensuring the threat cannot re-emerge. Option D is correct because Liam's actions (malware removal, disabling of compromised accounts, restoration from clean backups, and documentation of IOCs such as file hashes, sender IPs, and malicious domains) are all aimed at fully eliminating the malware and the attacker's footholds. ECIH emphasizes that eradication must address malware binaries, persistence mechanisms, compromised credentials, and residual indicators. Option B (forensic preservation) would avoid changing the systems, which Liam does not do. Option A is a training activity unrelated to response. Option C is infrastructure improvement, not incident handling. ECIH explicitly states that failure to eradicate all traces often leads to reinfection or continued attacker access. Liam's comprehensive approach returns the environment to a trusted state and gives detection systems the indicators needed to catch a recurrence.
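The IOC documentation step in Liam's scenario (attachment hashes, the external sender IP, and the domains the campaign uses) is routine enough to script. The following Python example is added here and is not part of the ECIH material or of the exam question; it uses only the standard library. The internal address ranges, the sample message, and the attachment bytes are all constructed for the example and do not come from a real campaign.

```python
"""Record eradication-stage IOCs from a phishing email: SHA-256 of each
attachment, the external hop in the Received chain, and contacted domains."""
import hashlib
import json
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from ipaddress import ip_address, ip_network

# Hypothetical internal ranges for the organisation (an assumption for this
# example). A Received hop outside them is treated as the external sender.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def external_hops(msg) -> list:
    """Bracketed IPs from Received headers (top = most recent hop) that are
    not in INTERNAL_NETS, i.e. the relay that handed the mail to us."""
    ips = []
    for received in msg.get_all("Received", []):
        for ip_str in IP_RE.findall(str(received)):
            try:
                ip = ip_address(ip_str)
            except ValueError:
                continue  # malformed octet such as 999.1.1.1: skip, do not crash
            if not any(ip in net for net in INTERNAL_NETS) and ip_str not in ips:
                ips.append(ip_str)
    return ips


def extract_iocs(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the IOCs worth documenting."""
    msg = message_from_bytes(raw, policy=policy.default)

    # Hash every attachment after MIME decoding (base64 etc.), never the encoded text.
    hashes = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload is not None and part.get_filename():
            hashes[part.get_filename()] = sha256_hex(payload)

    # Domains: the sender's domain plus any host linked from the plain-text body.
    domains = set()
    sender = msg["From"]
    if sender is not None and sender.addresses:
        domains.add(sender.addresses[0].domain.lower())
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        domains.update(h.lower() for h in HOST_RE.findall(body.get_content()))

    return {
        "sender_ips": external_hops(msg),
        "file_hashes": hashes,
        "domains": sorted(domains),
    }


# Constructed sample message for the example; not a real campaign.
ATTACHMENT_BYTES = b"MZ\x90\x00 not a real PE, constructed for the example"


def build_sample() -> bytes:
    msg = EmailMessage()
    msg["Received"] = ("from mx1.corp.example (mx1.corp.example [10.0.0.5]) "
                       "by mail.corp.example; Mon, 3 Jun 2024 09:02:11 +0000")
    msg["Received"] = ("from relay.example-invoices.test (unknown [203.0.113.17]) "
                       "by mx1.corp.example; Mon, 3 Jun 2024 09:02:10 +0000")
    msg["From"] = "Billing <billing@example-invoices.test>"
    msg["To"] = "liam@corp.example"
    msg["Subject"] = "Invoice 4471 overdue"
    msg.set_content("Your invoice is overdue. View it at\n"
                    "http://invoice-portal.example-invoices.test/view?id=4471\n")
    msg.add_attachment(ATTACHMENT_BYTES, maintype="application",
                       subtype="octet-stream", filename="Invoice_4471.exe")
    return msg.as_bytes()


SAMPLE_RAW = build_sample()

if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_RAW), indent=2))
```

The internal-range check is deliberate: Python's `ipaddress.is_private` also flags the documentation ranges (203.0.113.0/24 and friends), so filtering by the organisation's own networks is more dependable than relying on that flag. The hashes are taken from the decoded attachment bytes, which is what a blocklist or EDR query will match against; hashing the base64 text of the MIME part would produce a useless indicator.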
212-89 Exam Question 119
Which of the following types of digital evidence is temporarily stored in a digital device that requires constant power supply and is deleted if the power supply is interrupted?
Correct Answer: B
Process memory (RAM) is volatile: it is held only while the device is powered, and its contents are lost when the power supply is interrupted. This type of evidence can include data about running processes, user actions, system events, network connections, and decrypted or in-memory-only content, making it crucial for forensic analysis, especially for identifying actions taken by both users and malware. Collecting process memory helps incident responders understand the state of the system at the time of an incident and can reveal information that is not persisted anywhere else on the device, which is why it is acquired first in the order of volatility, before the system is shut down. References: Incident handling and response training, such as the ECIH v3 program, emphasizes the importance of collecting and analyzing volatile data, including process memory, to effectively investigate and respond to cybersecurity incidents.
212-89 Exam Question 120
Eric is an incident responder and is working on developing incident-handling plans and procedures. As part of this process, he is performing an analysis on the organizational network to generate a report and develop policies based on the acquired results. Which of the following tools will help him in analyzing his network and the related traffic?
Correct Answer: D
Wireshark is a widely used network protocol analyzer for capturing and interactively browsing the traffic on a network. It is an essential tool for incident responders like Eric who are developing incident-handling plans and procedures. By dissecting captured traffic down to individual protocol fields, Wireshark lets users see what is happening on their network at a packet level, making it invaluable for troubleshooting network problems, analyzing security incidents, and understanding normal network behavior. Whois queries databases of registered users or assignees of an Internet resource such as a domain or IP block. Burp Suite is a tool for testing web application security, and FaceNiff is used for session hijacking on a WiFi network, which makes Wireshark the best choice for analyzing network traffic. References: ECIH v3 certification materials reference Wireshark as a fundamental tool for network analysis, crucial for incident handlers in the analysis phase of incident response.