Unit 5 - Practice Quiz

INT242

1 Which of the following represents the correct order of the NIST Incident Response Lifecycle?

A. Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-Incident Activity
B. Detection, Preparation, Recovery, Eradication, Post-Incident Activity
C. Preparation, Mitigation, Analysis, Containment, Reporting
D. Analysis, Preparation, Eradication, Containment, Recovery

2 In Digital Forensics, what is the primary purpose of a Chain of Custody?

A. To encrypt the data so it cannot be read by unauthorized users
B. To document the chronological history of evidence handling to ensure its admissibility in court
C. To compress the data to save storage space during analysis
D. To permanently delete malware found on the system

3 Which of the following data sources provides the most detailed information about network traffic payload?

A. NetFlow
B. Syslog
C. Full Packet Capture (PCAP)
D. SNMP Traps

4 What is the specific goal of the Eradication phase in Incident Response?

A. To restore systems to normal operation
B. To limit the spread of the attack
C. To identify the root cause and remove the malicious artifacts (e.g., malware, breached accounts)
D. To train employees on future prevention

5 When collecting digital evidence, the Order of Volatility dictates which data should be collected first. Which of the following is the most volatile?

A. Hard Drive Data
B. CPU Registers and Cache
C. Archived Backup Tapes
D. System Logs on Disk

6 Which tool is primarily designed to aggregate, correlate, and analyze log data from various sources to detect security incidents?

A. Wireshark
B. SIEM (Security Information and Event Management)
C. Nmap
D. Metasploit

7 An analyst notices a large number of SYN packets sent to a target server without completing the TCP handshake (no final ACK). This is an indicator of which type of attack?

A. SQL Injection
B. SYN Flood (DoS)
C. Cross-Site Scripting
D. Phishing

8 Which of the following is an indicator of a Buffer Overflow application attack?

A. The application crashes and the error log shows an instruction pointer overwriting memory at an unexpected address
B. The browser executes a script alert popup unexpectedly
C. The URL contains UNION SELECT statements
D. Network traffic shows large outbound file transfers

9 What is the primary function of a Write Blocker in digital forensics?

A. To prevent the forensic workstation from writing data to the seized evidence drive
B. To block malware from writing to the system registry
C. To stop hackers from accessing the network
D. To prevent log files from being overwritten by new logs

10 In the context of malware indicators, what is Beaconing?

A. The malware encrypts files and demands a ransom
B. The malware sends regular, periodic signals to a Command and Control (C2) server
C. The malware spreads rapidly to other devices on the LAN
D. The malware deletes system logs to hide its tracks

11 Mathematically, a cryptographic hash function used in forensics, such as SHA-256, maps data of arbitrary size to a bit string of a fixed size. If is the hash function, which property ensures that it is computationally infeasible to find given ?

A. Collision Resistance
B. Pre-image Resistance
C. Avalanche Effect
D. Bitwise XOR

12 Which monitoring tool operates by comparing network traffic against a database of known attack signatures?

A. Anomaly-based IDS
B. Signature-based IDS
C. Heuristic Analysis
D. Behavioral Monitoring

13 A user reports their computer performance has degraded significantly. You find a process using 99% CPU and communicating with a mining pool. What is this most likely an indicator of?

A. Ransomware
B. Cryptojacking
C. Logic Bomb
D. Spyware

14 Which Windows log file would you examine to find successful and failed login attempts?

A. Application Log
B. System Log
C. Security Log
D. Setup Log

15 What is the difference between an Event and an Incident?

A. An event is a negative occurrence; an incident is a positive one.
B. An event is any observable occurrence in a system; an incident is an event that violates security policies.
C. An incident is a minor issue; an event is a major catastrophe.
D. There is no difference; the terms are interchangeable.

16 In the context of Data Sources, what is NetFlow data primarily composed of?

A. Full email contents and attachments
B. IP headers and payload data
C. Metadata including source IP, destination IP, ports, and byte counts
D. Operating system registry keys

17 Which of the following describes a False Positive in monitoring?

A. Malicious activity is present but the system fails to detect it
B. Benign (harmless) activity is flagged as malicious
C. Malicious activity is correctly identified
D. Benign activity is correctly ignored

18 During the Post-Incident Activity (Lessons Learned) phase, what is the primary objective?

A. To assign blame to the employee who caused the breach
B. To improve the incident response process and prevent recurrence
C. To restore the backup data
D. To collect forensic evidence for court

19 Which of the following is a clear indicator of Ransomware?

A. Slow internet speed
B. Mass modification of file extensions (e.g., to .locked or .cry) and a text file containing payment instructions
C. Unexpected pop-up ads in the browser
D. The computer restarting automatically after an update

20 Which technology helps automate the response to low-level security incidents without human intervention?

A. SOAR (Security Orchestration, Automation, and Response)
B. VPN (Virtual Private Network)
C. NAT (Network Address Translation)
D. Wireshark

21 What is the Preparation phase of Incident Response primarily concerned with?

A. Scanning the network for active attackers
B. Establishing policies, tools, and training before an incident occurs
C. Restoring systems from backups
D. Removing malware from infected hosts

22 If an attacker injects the following string into a login field: ' OR '1'='1, what type of attack is being attempted?

A. Cross-Site Scripting (XSS)
B. SQL Injection (SQLi)
C. Buffer Overflow
D. Directory Traversal

23 Which of the following is a Physical Attack Indicator?

A. Unusual outbound UDP traffic
B. Broken tamper seals on a server chassis or bypassed locks
C. Multiple failed SSH login attempts
D. A spike in HTTP 404 errors

24 What does EDR stand for in the context of endpoint monitoring?

A. Endpoint Data Recovery
B. Endpoint Detection and Response
C. External Defense Relay
D. Encrypted Digital Records

25 In network forensics, what does ARP Poisoning typically indicate?

A. A Man-in-the-Middle (MitM) attack
B. A brute force attack on a password
C. A physical theft of a device
D. A SQL injection attack

26 What is a Playbook in Incident Response?

A. A list of all employee passwords
B. A predefined set of procedures and steps to handle specific types of incidents
C. A log file containing network traffic
D. A software tool for decrypting ransomware

27 Which of the following best describes Steganography as an indicator of malicious activity?

A. Hiding data within another file, such as embedding a secret message inside an image
B. Encrypting a hard drive to prevent access
C. Deleting log files to cover tracks
D. Overwriting memory buffers

28 What is the purpose of Isolation during the Containment phase?

A. To permanently delete the compromised system
B. To disconnect the infected system from the network to prevent lateral movement
C. To monitor the hacker's activity without them knowing
D. To back up the data on the system

29 Which HTTP status code spike might indicate a Directory Traversal or scanning attempt where an attacker is guessing file paths?

A. 200 OK
B. 302 Found
C. 404 Not Found
D. 503 Service Unavailable

30 Which file system artifact is useful for determining which programs have been executed on a Windows system?

A. Prefetch files
B. Hosts file
C. SAM database
D. Boot sector

31 What is the CSIRT?

A. Computer System Internal Repair Team
B. Computer Security Incident Response Team
C. Cyber Security International Regulations Treaty
D. Central Server Internet Routing Table

32 Which of the following is a Network-based indicator of compromise (IOC)?

A. A specific MD5 hash of a file on a hard drive
B. Communication with a known malicious IP address or domain
C. A registry key modification
D. A disabled antivirus service

33 What is Data Exfiltration?

A. The unauthorized transfer of data from a computer to an outside party
B. The process of backing up data to the cloud
C. The encryption of data at rest
D. The deletion of data to free up space

34 Which command is commonly used by attackers to establish Persistence via the Windows Registry?

A. Adding an entry to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
B. Running ping localhost
C. Viewing the systeminfo
D. Clearing the browser cache

35 In the context of IDS/IPS, what is a False Negative?

A. An alarm is raised for legitimate traffic
B. An attack occurs, but the system fails to detect and alert on it
C. The system blocks an attack successfully
D. The system is turned off

36 Which of the following is an example of Social Engineering leading to an incident?

A. An attacker exploits an unpatched software vulnerability
B. An employee receives a call from 'IT Support' and gives away their password
C. A server crashes due to a power outage
D. A firewall blocks an incoming packet

37 What is the primary difference between IDS and IPS?

A. IDS is for hardware, IPS is for software
B. IDS detects and alerts; IPS detects and actively blocks/prevents
C. IDS is more expensive than IPS
D. IPS monitors logs; IDS monitors traffic

38 When analyzing a web server log, you see entries containing <script>alert('pwned')</script>. What attack vector is this?

A. SQL Injection
B. Cross-Site Scripting (XSS)
C. Brute Force
D. Rootkit

39 Which forensic process creates a bit-for-bit copy of a drive?

A. File backup
B. Forensic Imaging / Cloning
C. Copy and Paste
D. Disk Defragmentation

40 A sudden, massive spike in inbound traffic originating from thousands of different IP addresses targeting a specific web server indicates:

A. A successful marketing campaign
B. A Distributed Denial of Service (DDoS) attack
C. A DNS poisoning attack
D. A privilege escalation attack

41 What is Volatility in the context of digital data?

A. The cost of the storage media
B. How easily data is lost when power is removed
C. The speed of data transfer
D. The encryption level of the data

42 Which of the following is an indicator of a Rootkit?

A. Files appearing on the hard drive that are invisible to the operating system's file explorer
B. A forgotten password
C. A phishing email in the inbox
D. An expired SSL certificate

43 What does the equation have to do with Cybersecurity?

A. It is used to calculate Wi-Fi signal coverage area
B. It is the formula for RSA encryption
C. It is irrelevant to this subject
D. It calculates the area of a hard disk platter

44 Which Windows Event ID is commonly monitored to detect Brute Force attacks?

A. Event ID 4624 (Successful Logon)
B. Event ID 4625 (Failed Logon)
C. Event ID 6005 (Event Log Service Started)
D. Event ID 7036 (Service Control Manager)

45 Which of the following represents a Heuristic detection method?

A. Matching a file hash against a known virus database
B. Analyzing code execution in a sandbox to see if it behaves like malware (e.g., modifying system files)
C. Blocking port 80 on the firewall
D. Whitelisting specific applications

46 What is the primary purpose of Log Retention Policies?

A. To ensure logs are deleted immediately to save space
B. To define how long logs must be kept to satisfy compliance and support forensic investigations
C. To encrypt logs for transport
D. To translate logs into different languages

47 What is a Rogue Access Point?

A. An unauthorized Wi-Fi access point installed on a secure network
B. A firewall rule that denies access
C. A user who forgot their password
D. A software update server

48 Which of the following is a sign of Lateral Movement?

A. An employee checking their email from home
B. A user account utilizing PsExec or RDP to connect to multiple other internal servers in quick succession
C. Updating the Windows operating system
D. A single failed login attempt

49 In a Man-in-the-Middle (MitM) attack involving SSL/TLS, what warning might a user see?

A. The internet speed increases
B. An invalid or untrusted certificate warning in the browser
C. The computer screen turns blue
D. The mouse cursor moves on its own

50 What is the role of NTP (Network Time Protocol) in Incident Response?

A. It encrypts network traffic
B. It ensures all logs across different devices have synchronized timestamps for accurate correlation
C. It routes packets between subnets
D. It prevents malware installation