CCNA Incident First Response Questions

23 questions · Incident First Response topic · All types, answers revealed

1 · Matching · medium

Match each file system to its typical maximum volume size (as commonly encountered).


Concepts
Matches

2 TB

256 TB

128 PB

1 EB

8 EB

Why these pairings

These are approximate maximum volume sizes for each file system.

2 · MCQ · medium

A security team suspects a data breach via an external attacker. The incident response plan requires preservation of evidence for legal proceedings. Which order of volatility should the first responder follow?

A. Capture disk image, then memory, then network connections.
B. Record network connections, capture disk image, then memory.
C. Capture memory, record network connections, acquire disk image, then collect backups.
D. Collect backups first, then disk image, then memory.
Answer: C

This follows the correct order of volatility from most to least volatile.

Why this answer

Option C is correct because the order of volatility (OOV) dictates that the most volatile data (memory/registers) must be captured first, followed by network connections, then disk images, and finally backups. This sequence minimizes data loss and ensures evidence integrity for legal proceedings, as volatile data is lost when power is removed.

Exam trap

EC-Council often tests the misconception that disk images are the most critical evidence, leading candidates to prioritize them over volatile memory and network state, which is the exact opposite of the correct order of volatility.

How to eliminate wrong answers

Option A is wrong because it starts with capturing a disk image, which is less volatile than memory and network connections; memory and network state would be lost or altered before the disk is imaged. Option B is wrong because it captures network connections before memory, but memory (RAM) is more volatile and must be acquired first to preserve transient data like running processes and encryption keys. Option D is wrong because it collects backups first, which are the least volatile and can be acquired later; starting with backups risks losing volatile evidence in memory and network connections.

3 · MCQ · easy

Refer to the exhibit. A first responder runs the netstat command on a compromised Windows workstation. Which of the following conclusions is BEST supported by the output?

A. The connection to 192.168.1.1:80 is suspicious because it is in TIME_WAIT state.
B. The UDP listener on port 5353 indicates a malware infection.
C. A process with PID 1234 is likely communicating with a remote C2 server at 10.2.3.4.
D. The workstation is running multiple virtual machines based on the local addresses.
Answer: C

Process 1234 has two established connections to the same remote IP on different ports.

Why this answer

Option C is correct because an established TCP connection (ESTABLISHED state) from the workstation to a remote IP on a high ephemeral port (49152) with PID 1234 strongly indicates active communication. This is a classic indicator of a beaconing C2 channel, as legitimate outbound connections typically use well-known ports or are short-lived. The netstat output shows PID 1234 has a persistent connection to 10.2.3.4:4444, which is a common port for malware command and control.

Exam trap

EC-Council often tests the misconception that TIME_WAIT or UDP listeners are inherently malicious, when in fact they are normal TCP/IP behaviors; the key is to recognize that ESTABLISHED connections to unusual ports with a specific PID are the strongest indicator of active C2 communication.

How to eliminate wrong answers

Option A is wrong because TIME_WAIT state is normal for TCP connections that have been closed; it is not inherently suspicious and is expected after a client finishes an HTTP request to 192.168.1.1:80. Option B is wrong because UDP port 5353 is used by mDNS (RFC 6762) for local network service discovery, a legitimate Windows service, and is not a reliable indicator of malware. Option D is wrong because local addresses like 127.0.0.1 and 0.0.0.0 are loopback and wildcard addresses, not evidence of virtual machines; virtual machines typically have distinct IP addresses on separate virtual network adapters.

4 · MCQ · medium

You are responding to a suspected malware infection on a Windows 10 system. The system is still running. Which of the following should you collect FIRST?

A. Acquire a memory dump using a tool like WinPmem.
B. Collect the Windows Event Logs.
C. Export the contents of the Windows Registry.
D. Create a forensic image of the hard drive.
Answer: A

Memory is the most volatile and must be captured first.

Why this answer

When a system is still running and suspected of malware infection, the first priority is to capture volatile data, which includes the contents of RAM. WinPmem is a tool designed to acquire a memory dump from a live Windows system, preserving critical evidence such as running processes, network connections, and injected code that would be lost on shutdown. This follows the order of volatility (RFC 3227), which mandates collecting memory before any non-volatile data like logs, registry, or disk images.

Exam trap

EC-Council often tests the order of volatility (OOV) principle, and the trap here is that candidates mistakenly prioritize persistent data (logs, registry, disk image) over volatile memory, thinking they are more stable or easier to collect first.

How to eliminate wrong answers

Option B is wrong because Windows Event Logs are stored on disk and are non-volatile; collecting them first would risk losing volatile memory evidence if the system crashes or is shut down. Option C is wrong because the Windows Registry is also stored on disk (in hive files like SAM, SYSTEM, SOFTWARE) and is non-volatile; exporting it before memory acquisition violates the order of volatility. Option D is wrong because creating a forensic image of the hard drive is a time-intensive process that captures only non-volatile data, and performing it first would allow volatile evidence (e.g., running malware processes, network connections) to be lost.

5 · Multi-Select · hard

Which TWO actions are essential for a first responder when securing an incident scene involving a compromised server? (Select exactly two.)

Select 2 answers
A. Run antivirus scans to identify and remove any malware present.
B. Document the system’s date and time settings for accurate timeline reconstruction.
C. Photograph the physical setup, including all cables and peripheral connections.
D. Reboot the system into safe mode to prevent further damage.
E. Connect an external hard drive to create a backup of important files.
Answers: B, C

Time settings are crucial for correlating events.

Why this answer

Option B is correct because the system's date and time settings are critical for establishing a reliable timeline of events during forensic analysis. The first responder must document these settings (e.g., from the BIOS or operating system) before any changes occur, as they directly affect the timestamps of file system metadata (MAC times) and log entries. Without this baseline, correlating events across multiple sources becomes unreliable, potentially invalidating the entire investigation.

Exam trap

EC-Council often tests the misconception that proactive remediation (like scanning or backing up) is part of first responder duties, when in fact the priority is preservation of volatile and non-volatile evidence without any alteration.

6 · MCQ · easy

An analyst receives an alert indicating a suspicious process (PID 3342) is making outbound connections on port 443 to an unknown IP. The system is a Windows 10 workstation. Which first responder action is MOST appropriate?

A. Capture a full memory dump using a tool like FTK Imager (Memory Capture) or DumpIt.
B. Immediately disconnect the system from the network to contain the threat.
C. Check the Windows Event Logs for related entries.
D. Reboot the system to clear any malicious processes from memory.
Answer: A

Memory capture preserves running processes, network connections, and other volatile data crucial for analysis.

Why this answer

Capturing a full memory dump (option A) is the most appropriate first responder action because it preserves the volatile state of the suspicious process (PID 3342) and its associated artifacts (e.g., network connections, loaded DLLs, encryption keys) before any further system changes occur. This allows forensic analysis to identify the malware's behavior, such as command-and-control (C2) communication over port 443 (HTTPS), without altering evidence. Tools like FTK Imager (Memory Capture) or DumpIt acquire a raw .mem file that can be analyzed with Volatility or Rekall to extract process details, network sockets, and injected code.

Exam trap

EC-Council often tests the principle that volatile data (memory) must be captured before any containment or analysis steps, and the trap here is that candidates mistakenly prioritize network containment (option B) over evidence preservation, forgetting that disconnecting the network can destroy critical volatile artifacts like active connections and encryption keys.

How to eliminate wrong answers

Option B is wrong because immediately disconnecting the system from the network may destroy volatile evidence (e.g., active TCP connections, ARP cache, and network session data) and could alert the attacker, potentially triggering anti-forensic measures like process termination or data encryption. Option C is wrong because checking Windows Event Logs is a secondary step that should occur after memory capture; event logs may not contain real-time process details (e.g., memory-resident code) and can be tampered with or cleared by the malware. Option D is wrong because rebooting the system destroys all volatile memory (RAM), including the suspicious process (PID 3342), network connections, and any decrypted payloads, making forensic recovery of the attack impossible.

7 · MCQ · easy

A first responder arrives at a scene where a computer is powered on and a user is logged in. An incident is suspected. What should the responder do FIRST?

A. Begin capturing a memory dump using a forensic tool.
B. Power off the computer immediately to preserve the disk.
C. Photograph the screen to document the current state.
D. Ask the user to log off so the system can be imaged.
Answer: C

Documentation of the live state is critical before any collection.

Why this answer

Option C is correct because the first priority at a live incident scene is to preserve volatile evidence. Photographing the screen captures the current state of the system, including open applications, network connections, and user activity, which can be lost if the system is altered or powered down. This documentation provides a baseline for the investigation and ensures that critical volatile data is recorded before any forensic acquisition begins.

Exam trap

EC-Council often tests the misconception that immediate memory capture or power-off is the correct first step, but the trap here is that the first responder must first document the volatile state of the screen to preserve evidence that can be lost the instant any action is taken.

How to eliminate wrong answers

Option A is wrong because while capturing a memory dump is important, it should not be the first action; the responder must first document the current state of the screen to preserve volatile evidence that may be lost during the memory capture process. Option B is wrong because powering off the computer immediately can destroy volatile data (e.g., RAM contents, network connections, running processes) and may trigger anti-forensic mechanisms or cause data corruption; the proper procedure is to follow a live response approach. Option D is wrong because asking the user to log off can alter the system state, potentially destroying evidence such as open files, registry keys, or network sessions, and may also trigger cleanup scripts that delete volatile data.

8 · MCQ · easy

Refer to the exhibit. During incident response, a first responder runs 'netstat -ano' on a compromised Windows system. Which connection is most likely to be the command-and-control (C2) channel and should be prioritized for isolation?

A. 192.168.1.100:1045 to 203.0.113.5:4444 (ESTABLISHED)
B. 192.168.1.100:1047 to 10.0.0.1:22 (ESTABLISHED)
C. 192.168.1.100:1046 to 192.168.1.1:443 (ESTABLISHED)
D. 192.168.1.100:1048 to 198.51.100.7:80 (TIME_WAIT)
Answer: A

Port 4444 is a well-known C2 port; the external IP suggests communication with an attacker.

Why this answer

Option A shows an established connection from the internal host (192.168.1.100) to an external IP (203.0.113.5) on TCP port 4444, which is commonly associated with Metasploit reverse shells and other C2 frameworks. The ESTABLISHED state indicates an active, ongoing session, making it the highest priority for isolation during incident response.

Exam trap

EC-Council often tests the misconception that any external connection is suspicious, but the trap here is that candidates overlook the significance of the ESTABLISHED state and the specific port 4444, instead focusing on the IP address alone or mistaking a TIME_WAIT connection for an active threat.

How to eliminate wrong answers

Option B is wrong because port 22 is SSH, which is typically used for legitimate remote administration; while it could be abused, it is less likely than a non-standard high port like 4444 to be a C2 channel. Option C is wrong because 192.168.1.1:443 is a local gateway HTTPS connection, likely normal web traffic to the default gateway or a local proxy, not an external C2. Option D is wrong because the connection is in TIME_WAIT state, meaning it has already been closed and is not actively communicating, so it cannot be an active C2 channel.

9 · MCQ · medium

During the initial response to a suspected data breach, a first responder discovers a live system with active network connections. The responder needs to preserve evidence while minimizing alteration. Which of the following is the MOST appropriate first step?

A. Use a memory acquisition tool to capture the contents of RAM.
B. Run a full disk imaging tool to capture the hard drive contents.
C. Disconnect the network cable to isolate the system from the network.
D. Immediately shut down the system by pulling the power cord.
Answer: A

Capturing RAM preserves volatile data, which is the most critical first step.

Why this answer

A is correct because in a live system with active network connections, the most volatile evidence is in RAM (e.g., running processes, network connections, encryption keys). Using a memory acquisition tool (like FTK Imager or WinPmem) captures this volatile data before any other action, preserving evidence that would be lost on shutdown or disconnection. This aligns with the order of volatility (RFC 3227), which prioritizes memory over disk.

Exam trap

Cisco often tests the misconception that disconnecting the network or shutting down is the safest first step, but the trap here is that volatile memory is the most critical evidence and must be captured before any action that could alter or destroy it.

How to eliminate wrong answers

Option B is wrong because running a full disk imaging tool first would overwrite unallocated space and modify system metadata (e.g., last access times), altering evidence; it also ignores the higher volatility of RAM. Option C is wrong because disconnecting the network cable may terminate active connections and cause the system to lose volatile data (e.g., network state, encryption keys), and it can trigger anti-forensic scripts that wipe evidence. Option D is wrong because immediately shutting down by pulling the power cord destroys all volatile memory (RAM), including running processes and network connections, and can corrupt disk data due to unclean shutdown.

10 · Matching · medium

Match each log type to its typical content.


Concepts
Matches

Login attempts, privilege use

Driver failures, system crashes

Application errors and events

Allowed/blocked network connections

HTTP requests, IP addresses, user agents

Why these pairings

These logs record different categories of events.

11 · MCQ · hard

During an incident response, a first responder needs to preserve the integrity of evidence. Which action ensures the best chain of custody?

A. Use a write blocker when acquiring the disk image.
B. Compute a SHA-256 hash of the acquired image immediately after collection and record it in the chain of custody form.
C. Document every person who handled the evidence.
D. Place the evidence in an evidence bag and lock it in a secure room.
Answer: B

Hashing provides a verifiable integrity check.

Why this answer

Option B is correct because computing a SHA-256 hash immediately after acquisition creates a cryptographic fingerprint of the image. This hash, when recorded in the chain of custody form, provides verifiable integrity: any subsequent alteration of the image will produce a different hash, proving tampering. While other steps are important, only hashing directly ties the evidence's integrity to a mathematical proof that can be independently verified later.

Exam trap

EC-Council often tests the distinction between evidence preservation techniques (write blockers, secure storage) and evidence integrity verification (hashing), leading candidates to confuse physical protection with cryptographic proof of integrity.

How to eliminate wrong answers

Option A is wrong because using a write blocker preserves the integrity of the source drive during acquisition, but it does not establish or document the chain of custody for the acquired image; chain of custody requires tracking who handled the evidence and verifying its integrity after acquisition. Option C is wrong because documenting every person who handled the evidence is a necessary part of chain of custody, but it does not by itself ensure the integrity of the evidence; without a cryptographic hash, a handler could tamper with the image and the documentation alone would not detect it. Option D is wrong because placing evidence in a bag and locking it in a secure room is a physical security measure that prevents unauthorized access, but it does not provide a verifiable, mathematical proof of integrity; if the evidence is later removed and replaced, physical security alone cannot prove the original data was unchanged.

12 · Multi-Select · hard

Which THREE of the following are essential steps in the incident response process as defined by NIST SP 800-61? (Select exactly 3.)

Select 3 answers
A. Vulnerability Assessment
B. Post-Incident Activity
C. Preparation
D. Detection and Analysis
E. Penetration Testing
Answers: B, C, D

This phase includes lessons learned and evidence retention.

Why this answer

Option B is correct because Post-Incident Activity is one of the four core phases in the NIST SP 800-61 incident response lifecycle. This phase includes lessons learned, evidence retention, and report generation to improve future response efforts. Without this step, the organization cannot close the loop on security incidents or refine its detection and response capabilities.

Exam trap

EC-Council often tests the distinction between proactive security activities (like vulnerability assessments and penetration testing) and the reactive incident response phases defined in NIST SP 800-61, leading candidates to mistakenly select those proactive options as part of the incident response process.

13 · MCQ · medium

During incident response, a first responder discovers a compromised system with signs of an active command-and-control (C2) connection. What is the MOST important immediate action to preserve evidence and prevent further damage?

A. Create a full disk image before taking any other action.
B. Disconnect the network cable to isolate the system from the network.
C. Immediately shut down the system to prevent further data exfiltration.
D. Run a full antivirus scan to remove the malware.
Answer: B

Disconnecting the network cable stops C2 communication, preserves volatile data, and allows for a controlled forensic acquisition.

Why this answer

Option B is correct because disconnecting the network cable immediately stops the active C2 communication, preventing further data exfiltration and command injection while preserving the current state of memory and disk. This action maintains the integrity of volatile evidence (e.g., network connections, running processes) and avoids the data loss that would occur with a shutdown or the evidence contamination that would result from running a scan.

Exam trap

EC-Council often tests the misconception that a full disk image is always the first priority, but in an active C2 scenario, network isolation must come first to prevent ongoing damage and preserve volatile evidence.

How to eliminate wrong answers

Option A is wrong because creating a full disk image before isolating the system allows the active C2 connection to continue exfiltrating data and potentially destroying evidence during the imaging process. Option C is wrong because immediately shutting down the system destroys volatile evidence (e.g., network connections, running processes, memory-resident malware) and may trigger anti-forensic mechanisms that wipe logs or encrypt data. Option D is wrong because running a full antivirus scan modifies the system state (e.g., file access times, registry keys) and may alert the attacker, causing them to terminate the C2 session or trigger a kill switch, thereby losing evidence of the active connection.

14 · MCQ · hard

You are a first responder for a medium-sized company with 500 employees. The incident response team has been alerted to a possible data breach involving the CEO's laptop, which is a Windows 10 system. The CEO reports that the laptop has been acting strangely, with unusual pop-ups and slow performance. The laptop is currently powered on and connected to the corporate network via Wi-Fi. The CEO is logged in and has several applications open, including email and a web browser. The security team suspects malware may be exfiltrating sensitive documents. As the first responder, you must decide the best course of action to preserve evidence and contain the threat while minimizing impact on business operations. Which action should you take FIRST?

A. Capture a full memory dump using a forensic tool like FTK Imager or WinPmem.
B. Disconnect the laptop from the corporate network immediately to stop any ongoing data exfiltration.
C. Create a forensic image of the hard drive using a write blocker.
D. Shut down the laptop to prevent further damage and preserve the disk.
Answer: A

Memory capture preserves the most volatile evidence and should be the first step.

Why this answer

The correct first action is to capture a full memory dump using a forensic tool like FTK Imager or WinPmem. Since the laptop is powered on and malware is suspected, volatile data (including running processes, network connections, and encryption keys) is at risk of being lost. Preserving RAM is the highest priority in live incident response because it contains evidence of active malware and ongoing exfiltration that would be lost upon shutdown or disconnection.

Exam trap

EC-Council often tests the principle of 'order of volatility' (RFC 3227), where candidates mistakenly prioritize network disconnection or disk imaging over capturing volatile memory, which is the most fragile and time-sensitive evidence.

How to eliminate wrong answers

Option B is wrong because disconnecting the network immediately may alert the attacker, cause the malware to trigger anti-forensic routines (e.g., wiping memory or encrypting files), and does not preserve volatile evidence. Option C is wrong because creating a forensic image of the hard drive with a write blocker is a disk-focused step that should occur after memory capture; it does not address the immediate need to preserve volatile data and may be hindered by active malware. Option D is wrong because shutting down the laptop destroys all volatile data (RAM, network state, running processes) and may cause the malware to lose its persistence mechanism or trigger destructive actions, making forensic analysis impossible.

15 · Drag & Drop · medium

Drag and drop the steps for performing a forensic analysis of a USB drive, using Windows artifacts to identify the computer it was connected to, into the correct order.


Why this order

USB forensics involves registry keys, device logs, and correlation with event logs.

16 · MCQ · easy

A first responder is called to investigate a potential insider threat. The suspect's computer is turned off. What is the BEST procedure?

A. Compute a hash of the hard drive using a live CD.
B. Check the power cord and peripherals for tampering.
C. Seize the computer and transport it to a forensic lab for imaging.
D. Turn on the computer to see if it boots normally.
Answer: C

Proper procedure is to seize and preserve the system for controlled analysis.

Why this answer

When a suspect's computer is already turned off, the best procedure is to seize it and transport it to a forensic lab for imaging. This preserves the integrity of the evidence by preventing any accidental modification of the hard drive's contents, which could occur if the system is powered on or booted from a live CD. In forensic best practices, the first responder should never boot a suspect's computer, as doing so can alter critical system files, timestamps, and volatile data, compromising the chain of custody and admissibility of evidence.

Exam trap

EC-Council often tests the misconception that booting from a live CD is safe because it doesn't touch the hard drive, but in reality, even a live CD can modify the system's registry, page file, or metadata through normal operation, which is why seizing the computer for lab imaging is the only forensically sound option.

How to eliminate wrong answers

Option A is wrong because computing a hash of the hard drive using a live CD requires booting the suspect's computer, which alters the system state (e.g., writes to the page file, updates last access times) and violates the forensic principle of not modifying evidence. Option B is wrong because checking the power cord and peripherals for tampering is a physical inspection step that, while potentially useful, is not the best procedure; the priority is to secure the digital evidence by seizing the computer intact. Option D is wrong because turning on the computer to see if it boots normally will immediately alter the hard drive's contents (e.g., writing to the registry, updating logs, modifying file timestamps), destroying potential evidence and violating the forensic requirement to preserve the original state.

17 · Drag & Drop · medium

Drag and drop the steps for capturing network traffic with Wireshark for forensic analysis into the correct order.


Why this order

Network capture requires admin rights, interface selection, optional filters, and saving the capture.

18 · MCQ · hard

Refer to the exhibit. A first responder runs netstat -ano on a Windows system. Which connection is MOST likely indicative of a potential C2 communication?

A. TCP 0.0.0.0:3389 LISTENING PID 668
B. TCP 192.168.1.10:49154 to 192.168.1.1:53 TIME_WAIT PID 2016
C. TCP 192.168.1.10:49153 to 203.0.113.50:443 TIME_WAIT PID 1204
D. TCP 192.168.1.10:49152 to 10.0.0.5:80 ESTABLISHED PID 3342
Answer: C

The foreign IP is external and the PID is not a standard Windows process; TIME_WAIT may indicate recent C2 communication.

Why this answer

Option C is correct because the connection from a high ephemeral port (49153) to an external IP (203.0.113.50) over HTTPS (port 443) with a short-lived TIME_WAIT state is a classic indicator of potential C2 beaconing. C2 communications often use HTTPS to blend with legitimate traffic, and the TIME_WAIT state suggests brief, periodic connections typical of beaconing, rather than sustained data transfer. The external IP is also in a documentation/test range (203.0.113.0/24), which is commonly used for examples but in a real scenario would be suspicious as an unknown external destination.

Exam trap

EC-Council often tests the misconception that any ESTABLISHED connection is suspicious, but here the trap is that TIME_WAIT to an external HTTPS port is more indicative of C2 beaconing than an ESTABLISHED connection to an internal HTTP server.

How to eliminate wrong answers

Option A is wrong because TCP port 3389 (RDP) listening on all interfaces (0.0.0.0) is a standard Windows Remote Desktop service, not C2 traffic; it is a legitimate administrative service that is expected to be in LISTENING state. Option B is wrong because the connection to 192.168.1.1:53 (DNS) is a normal DNS resolution from a local client to a local DNS server, and TIME_WAIT is typical after a short query-response; this is not C2. Option D is wrong because the connection to 10.0.0.5:80 (HTTP) is to a private IP address (RFC 1918), which is internal network traffic, and an ESTABLISHED state indicates an ongoing legitimate session (e.g., web browsing to an internal server), not C2.

19 · Multi-Select · hard

During the initial response to a suspected data exfiltration, which THREE pieces of volatile data should be collected first? (Choose three.)

Select 3 answers
A. Current network connections.
B. List of running processes.
C. Contents of system memory (RAM).
D. Windows registry hives.
E. Forensic image of the hard drive.
Answers: A, B, C

Network connections are transient and may disappear.

Why this answer

Current network connections (A) are volatile because they show active communication channels that could indicate data exfiltration in progress. If the system is shut down or disconnected, this evidence is lost immediately, making it a top priority for collection during initial response.

Exam trap

EC-Council often tests the Order of Volatility principle, and the trap here is that candidates mistakenly prioritize persistent data like registry hives or disk images over transient evidence that disappears immediately upon shutdown.

20 · Multi-Select · medium

A first responder is responding to a ransomware incident on a Windows server. Which TWO actions should be performed to preserve evidence? (Choose two.)

Select 2 answers
A. Run an antivirus scan to remove the ransomware.
B. Power off the server to prevent further data encryption.
C. Restore the system from backup to minimize downtime.
D. Capture a memory dump using a forensic tool.
E. Disconnect the network cable immediately.
Answers: B, D

Powering off stops the ransomware and preserves the disk state.

Why this answer

Option B is correct because powering off the server preserves the encrypted state of the disk and prevents the ransomware from continuing to encrypt additional files or communicate with its command-and-control server. In a ransomware incident, immediate shutdown halts the encryption process and preserves the volatile evidence on disk, such as the ransomware binary and encrypted files, for forensic analysis.

Exam trap

The trap here is that candidates often assume that disconnecting the network (Option E) is sufficient to stop encryption, but ransomware runs locally and continues encrypting until the process is terminated or the system is powered off.

21 · MCQ · hard

During an incident response, a first responder needs to collect evidence from a Linux server that is still running. The server has sensitive data and cannot be shut down. Which technique is BEST for acquiring a forensic image of the hard disk?

A. Use dd if=/dev/sda of=/mnt/evidence/image.dd conv=noerror,sync
B. Use dd if=/dev/sda of=/mnt/evidence/image.dd bs=4M
C. Use dd if=/dev/mapper/root of=/mnt/evidence/image.dd
D. Use dd if=/dev/sda1 of=/mnt/evidence/image.dd
Answer: B

dd copying the entire disk (/dev/sda) creates a complete forensic image.

Why this answer

Option B is correct because it uses dd with a 4M block size, which improves acquisition speed while still producing a bit-for-bit forensic image of the entire disk (/dev/sda). The conv=noerror,sync option in A is unnecessary for a live acquisition from a healthy disk and can mask read errors, while B's larger block size is more efficient for imaging a running system without shutdown.

Exam trap

EC-Council often tests the misconception that conv=noerror,sync is always required for forensic imaging, but in a live, healthy server scenario, it can introduce artifacts and is not the best practice.

How to eliminate wrong answers

Option A is wrong because conv=noerror,sync pads bad blocks with zeros, which can hide read errors and corrupt the forensic integrity of the image; it is typically used for failing disks, not for a live, healthy server. Option C is wrong because /dev/mapper/root targets a logical volume (LVM) rather than the physical disk, missing partition tables, boot sectors, and unallocated space essential for a complete forensic image. Option D is wrong because /dev/sda1 is only the first partition, not the entire disk, so it omits other partitions, MBR/GPT, and unallocated areas.

22
MCQ · easy

Refer to the exhibit. A first responder runs the command on a Linux server. Which process should be considered MOST suspicious and investigated immediately?

A. /bin/bash (PID 1245)
B. python /tmp/.payload.py (PID 1310)
C. nc -lvp 4444 (PID 1302)
D. perl /tmp/.script.pl (PID 1325)
Answer: B

A Python script running from a hidden temp directory with CPU usage is highly suspicious.

Why this answer

Option B is correct because the Python script located in /tmp/.payload.py (PID 1310) is a hidden file in a temporary directory, which is a common technique for storing malicious payloads. The command 'python /tmp/.payload.py' indicates execution of an arbitrary script, often used for reverse shells, data exfiltration, or persistence mechanisms, making it the most suspicious process in an incident response context.

Exam trap

EC-Council often tests the distinction between a network listener (like Netcat) and an active script execution, where candidates may incorrectly choose the listener as most suspicious because it implies a backdoor, but the hidden script execution represents active malicious code that is already running and could be performing data theft or lateral movement.

How to eliminate wrong answers

Option A is wrong because /bin/bash (PID 1245) is a standard shell process that is expected on a Linux server; without additional context like a parent-child relationship with a suspicious process, it is not inherently suspicious. Option C is wrong because nc -lvp 4444 (PID 1302) is a Netcat listener on port 4444, which is indeed suspicious for a backdoor, but it is less immediately actionable than a hidden script execution because the listener may be a legitimate administrative tool or a honeypot; however, in this scenario, the Python script execution is more directly indicative of active malicious code running. Option D is wrong because perl /tmp/.script.pl (PID 1325) is also a hidden script in /tmp, similar to B, but the question asks for the 'MOST suspicious' process; the Python script (B) is often associated with more versatile payloads (e.g., reverse shells, keyloggers) and is a common choice for attackers, making it the primary focus over Perl.

23
MCQ · medium

You are a first responder for a medium-sized enterprise. The Help Desk received multiple reports that users cannot access the company's internal web application (app.example.com) hosted on a Windows Server 2019 VM. The server is also running a MySQL database and an FTP service for file transfers. You remote into the server and find that the web server (IIS) is still running, but the application pool is stopped. The event logs show multiple failed logon attempts from an external IP address (198.51.100.23) for the local administrator account around the time the issues started. The FTP service log shows successful anonymous logins from the same IP minutes before the web app failure. The MySQL log shows a query 'DROP TABLE users;' executed at 03:15 AM. The current time is 04:00 AM. What immediate action should you take?

A. Capture a memory dump of the server, then disconnect the network cable, and then image the hard drive.
B. Disconnect the server from the network and then restore the database from the last clean backup.
C. Immediately shut down the server to prevent further damage and then create a forensic image of the hard drive.
D. Run a full antivirus scan, then try to restart the application pool to restore service quickly.
Answer: A

Memory dump preserves volatile evidence (RAM, processes, network connections) which is critical for identifying the attack vector and malware; subsequent steps isolate and preserve disk evidence.

Why this answer

Option A is correct because the server is actively compromised — the attacker gained access via anonymous FTP, executed a destructive SQL query, and performed lateral movement. Capturing a memory dump preserves volatile evidence (e.g., running processes, network connections, and in-memory malware), disconnecting the network cable prevents further data exfiltration or remote control, and imaging the hard drive captures persistent evidence. This follows the CHFI first responder priority: preserve volatile data first, then isolate, then acquire non-volatile evidence.

Exam trap

EC-Council often tests the first responder's priority order — candidates mistakenly choose to shut down or restore services first, forgetting that volatile evidence (memory, network connections) is lost on power-off and that isolation must precede any remediation.

How to eliminate wrong answers

Option B is wrong because restoring the database from backup destroys volatile evidence (e.g., memory-resident malware, active network connections) and may re-infect the system if the backup is compromised; isolation must precede restoration. Option C is wrong because shutting down the server destroys volatile data (e.g., running processes, network connections, encryption keys in memory) and may trigger anti-forensic mechanisms; the correct order is memory capture before power-off. Option D is wrong because running an antivirus scan modifies the system state (e.g., file access times, quarantine actions) and may alert the attacker if they have remote access; service restoration is premature before forensic preservation.
