CCNA Incident Response and Recovery Questions

64 questions · Incident Response and Recovery · All types, answers revealed

1
MCQ · medium

An incident responder needs to create a forensic image of a suspect hard drive. What is the correct procedure to ensure evidence integrity?

A. Use a write blocker, create a bit-for-bit image, and compute a SHA-256 hash before and after imaging.
B. Boot the suspect system and use imaging software to copy data.
C. Remove the drive, place it in an anti-static bag, and ship it to the lab.
D. Connect the drive directly to the forensic workstation, copy all files, and compute an MD5 hash of the copy.
Answer: A

Correct. The write blocker prevents any write to the source, and hash verification proves the image is an exact copy of it.

Why this answer

Option A is correct because forensic imaging requires a write blocker to prevent any modification to the original evidence, a bit-for-bit (sector-level) copy to capture all data including slack space and deleted files, and cryptographic hashing (SHA-256) to verify that the image is an exact, unaltered duplicate of the source. In practice this means hashing the source before imaging, then hashing both the source and the finished image afterwards: all three values must match, which shows that the image is complete and that the acquisition itself did not alter the source. This process underpins the integrity and admissibility of digital evidence in legal proceedings.

Exam trap

The trap here is that candidates may think booting the system or simply copying files is sufficient, but the exam emphasizes that any write activity to the original evidence destroys its forensic integrity (the hashes no longer match) and undermines the chain of custody that depends on it.

How to eliminate wrong answers

Option B is wrong because booting the suspect system alters the system state (e.g., writes temporary files, updates logs, changes timestamps), which modifies evidence and violates forensic best practices. Option C is wrong because placing the drive in an anti-static bag and shipping it does not create a forensic image; imaging must be performed to preserve the data, and the procedure omits write-blocking and hashing. Option D is wrong because connecting the drive directly without a write blocker risks accidental writes to the source, and copying files (rather than creating a bit-for-bit image) loses metadata, slack space, and deleted data; MD5 is also no longer collision-resistant, so SHA-256 is the expected choice under current forensic standards.
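The acquisition-and-verification sequence from option A, as an added example (not code from the original page): the source is opened read-only, every byte is streamed into the image while a running SHA-256 is computed, and afterwards the source is re-hashed and compared with the image hash. The "suspect drive" is a constructed temp file, and the file names and the flipped-byte tamper step are assumptions for the demonstration. A hardware write blocker is still required in practice; the read-only open here only prevents this process from writing.

```python
"""Bit-for-bit acquisition with pre- and post-imaging SHA-256 verification."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte sources


def sha256_of(path: str) -> str:
    """Stream a file or block device through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> dict:
    """Copy every byte of `source` to `image`; return all four hashes and a verdict.

    The source is only ever opened read-only here, but that is a software
    precaution: a hardware write blocker is still required because the OS can
    write to an attached device on its own (journal replay, automount).
    """
    pre_hash = sha256_of(source)          # 1. hash the evidence before imaging
    acq = hashlib.sha256()                # 2. hash the bytes as they are copied
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            acq.update(chunk)
            dst.write(chunk)
    post_hash = sha256_of(source)         # 3. source must be unchanged afterwards
    image_hash = sha256_of(image)         # 4. image on disk must match what was read
    acq_hash = acq.hexdigest()
    return {
        "pre_hash": pre_hash,
        "acquisition_hash": acq_hash,
        "post_hash": post_hash,
        "image_hash": image_hash,
        "verified": pre_hash == acq_hash == post_hash == image_hash,
    }


def verify_image(source: str, image: str, recorded_hash: str) -> bool:
    """Later re-verification (before analysis, or in court): both the original
    and the working copy must still produce the hash recorded at acquisition."""
    return sha256_of(image) == recorded_hash == sha256_of(source)


def demo() -> dict:
    """Run the procedure on a constructed 'drive' (a temp file) and show that a
    single flipped byte in the image is detected on re-verification."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "suspect.raw")   # assumed name, constructed data
    image = os.path.join(workdir, "suspect.dd")
    # Constructed sample: mostly zeros with a filename lingering in 'slack space'
    with open(source, "wb") as f:
        f.write(b"\x00" * 4096 + b"payroll_q3.xlsx" + b"\x00" * 1000)
    clean = acquire_image(source, image)
    with open(image, "r+b") as f:   # tamper with the copy, never the evidence
        f.seek(4096)
        f.write(b"X")
    return {
        "clean": clean,
        "tampered_copy_verifies": verify_image(source, image, clean["pre_hash"]),
    }


if __name__ == "__main__":
    result = demo()
    print("acquisition verified:", result["clean"]["verified"])
    print("tampered copy verifies:", result["tampered_copy_verifies"])
```

Record all four hashes in the acquisition notes; a later mismatch between `image_hash` and `recorded_hash` tells you the working copy was altered, while a mismatch on the source tells you the evidence itself was.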

2
Multi-Select · medium

After a ransomware incident, the incident response team is conducting recovery. Which THREE steps are essential to ensure a secure restoration and prevent reinfection? (Choose three.)

Select 3 answers
A. Restore from the most recent backup available, regardless of its integrity.
B. Reconnect the system to the network immediately after restoration to test functionality.
C. Perform a full system scan with updated antivirus on the restored system.
D. Remove persistence mechanisms from the registry and startup folders.
E. Patch the vulnerability that was exploited in the initial compromise.
Answers: C, D, E

Scanning verifies that no remnants of the malware remain before production use.

Why this answer

Option C is correct because performing a full system scan with updated antivirus on the restored system ensures that any malware remnants that survived in the backup, or were reintroduced during restoration, are detected and removed. Malware components can be captured in system restore points and in backup archives taken after the initial compromise (ransomware typically deletes volume shadow copies rather than hiding in them), so a scan with current signatures is essential to verify the system is clean before it is placed back into production.

Exam trap

Cisco often tests the misconception that the most recent backup is always the safest choice, but the trap here is that integrity and cleanliness of the backup are more important than recency, and candidates may overlook the need to remove persistence mechanisms before reconnecting to the network.

3
MCQ · medium

A company is developing a DR plan for a critical database. The maximum acceptable downtime is 2 hours, and the maximum data loss is 1 hour. What are the RTO and RPO?

A. RTO = 2 hours, RPO = 1 hour
B. RTO = 1 hour, RPO = 1 hour
C. RTO = 1 hour, RPO = 2 hours
D. RTO = 2 hours, RPO = 2 hours
Answer: A

Correct. RTO is recovery time, RPO is data loss tolerance.

Why this answer

The Recovery Time Objective (RTO) is the maximum acceptable downtime, which is 2 hours. The Recovery Point Objective (RPO) is the maximum acceptable data loss, which is 1 hour. Therefore, option A correctly identifies RTO = 2 hours and RPO = 1 hour.

Exam trap

The trap here is confusing RTO (time to recover) with RPO (data loss tolerance), leading candidates to swap the two values or assume they must be equal.

How to eliminate wrong answers

Option B is wrong because it sets RTO to 1 hour, ignoring the stated 2-hour downtime tolerance (it happens to get RPO right). Option C is wrong because it swaps the two values, putting the data-loss figure (1 hour) in RTO and the downtime figure (2 hours) in RPO. Option D is wrong because it sets both RTO and RPO to 2 hours, ignoring the specified 1-hour maximum data loss.

4
MCQ · medium

During the detection and analysis phase, an analyst receives a user report of unusual system behavior. The analyst reviews logs and finds several failed login attempts followed by a successful login from an unusual IP address. What is the next step?

A. Immediately disconnect the user's workstation from the network.
B. Rebuild the user's workstation from a known-good image.
C. Classify the incident and determine if escalation is needed.
D. Ignore the event as it may be a false positive.
Answer: C

Correct. Classification and escalation are part of detection and analysis.

Why this answer

Option C is correct because, during the detection and analysis phase of incident response, the primary goal is to assess the validity and scope of a potential security event before taking action. The analyst has observed indicators of a possible brute-force attack (failed logins followed by a successful login from an unusual IP), which requires classification to determine if it meets the criteria for a security incident. Escalation may be needed to involve a higher-tier incident response team or to initiate formal containment procedures, as per NIST SP 800-61 guidelines.

Exam trap

The trap here is that candidates often confuse the detection and analysis phase with the containment phase, leading them to choose immediate disconnection (Option A) instead of first classifying the incident and determining the need for escalation.

How to eliminate wrong answers

Option A is wrong because immediately disconnecting the user's workstation from the network is a premature containment action that should only occur after the incident has been confirmed and classified; doing so could disrupt business operations and destroy volatile evidence (e.g., active network connections, memory contents). Option B is wrong because rebuilding the workstation from a known-good image is a recovery step that occurs after containment, eradication, and evidence preservation; skipping analysis could result in losing forensic data needed to identify the root cause and prevent recurrence. Option D is wrong because ignoring the event as a false positive is negligent; the combination of multiple failed logins followed by a successful login from an unusual IP address is a classic indicator of a successful password-guessing attack and warrants investigation, not dismissal.
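The triage logic the analyst is applying, as an added example that is not part of the original page: a burst of failed logins followed by a success is found per (user, source IP), the event is classified by whether the source is in a baseline of expected addresses, and an escalation decision is recorded. Nothing here isolates a host; containment is a separate, later decision. The log format, the sample lines, the baseline address set and the thresholds are all constructed for this example.

```python
"""Detection-and-analysis triage: flag successful logins that follow a burst of
failures, classify them, and decide whether to escalate (no containment here)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example; a real SIEM query would normalise
# Windows 4625/4624 or sshd events into the same four fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<ip>[\d.]+)$"
)

# Constructed sample log: one brute-force-then-success, one ordinary typo, one normal login.
SAMPLE_LOG = """\
2024-05-02T08:01:10 auth FAIL user=jdoe src=198.51.100.23
2024-05-02T08:01:14 auth FAIL user=jdoe src=198.51.100.23
2024-05-02T08:01:19 auth FAIL user=jdoe src=198.51.100.23
2024-05-02T08:01:25 auth FAIL user=jdoe src=198.51.100.23
2024-05-02T08:01:31 auth OK user=jdoe src=198.51.100.23
2024-05-02T08:05:00 auth FAIL user=asmith src=10.0.0.15
2024-05-02T08:05:20 auth OK user=asmith src=10.0.0.15
2024-05-02T09:00:00 auth OK user=jdoe src=10.0.0.7
""".splitlines()

# Constructed baseline: addresses from which these users normally authenticate.
KNOWN_IPS = {"10.0.0.7", "10.0.0.15"}


def parse(line: str):
    """Return a dict with a datetime timestamp, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def classify(lines, known_ips, threshold=3, window=timedelta(minutes=10)):
    """One finding per (user, ip) whose successful login is preceded by at least
    `threshold` failures inside `window`. Each finding carries a classification
    and an escalation decision; it deliberately performs no containment action."""
    failures = defaultdict(list)  # (user, ip) -> timestamps of failures not yet resolved
    findings = []
    for ev in filter(None, map(parse, lines)):
        key = (ev["user"], ev["ip"])
        if ev["result"] == "FAIL":
            failures[key].append(ev["ts"])
            continue
        # A success closes the window: count only failures recent enough to be the same attempt.
        recent = [t for t in failures.pop(key, []) if ev["ts"] - t <= window]
        if len(recent) < threshold:
            continue
        unusual = ev["ip"] not in known_ips
        findings.append({
            "user": ev["user"],
            "ip": ev["ip"],
            "failures": len(recent),
            "success_at": ev["ts"].isoformat(),
            "unusual_source": unusual,
            # Severity depends on pattern plus source: the same pattern from a
            # known address is most likely user error and gets a user check, not escalation.
            "classification": (
                "suspected credential compromise" if unusual
                else "possible user error; confirm with user"
            ),
            "escalate": unusual,
        })
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG, KNOWN_IPS):
        print(finding)
```

On the sample log only `jdoe` from `198.51.100.23` is flagged: four failures inside ten minutes, an address outside the baseline, so the finding is classified as suspected credential compromise with `escalate` set. `asmith` has a single failure and is ignored, and the later `jdoe` login from a known address has no failures in front of it.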

5
MCQ · hard

During a forensic investigation, an examiner needs to preserve volatile evidence. Which of the following lists the correct order of collection for volatile data?

A. Hard drive image, network connections, running processes, RAM
B. Running processes, RAM, hard drive image, network connections
C. RAM, network connections, running processes, hard drive image
D. Network connections, hard drive image, RAM, running processes
Answer: C

Correct. RAM is most volatile, then network state, then processes, then disk.

Why this answer

Option C is correct because volatile data must be collected in order of decreasing volatility to prevent loss of critical evidence. RAM is the most volatile (lost on power-off), followed by network connections (state changes rapidly), then running processes (which persist slightly longer), and finally the hard drive image (non-volatile). This follows the order-of-volatility principle in RFC 3227 (Guidelines for Evidence Collection and Archiving), which places memory, the process table and network state well ahead of disk. A full memory image also captures the process list and active connections as they stood at that instant, which is one more reason to take it first.

Exam trap

Cisco often tests the 'order of volatility' principle, and the trap here is that candidates mistakenly prioritize network connections or running processes over RAM, not realizing that RAM is the most volatile and must be captured first to preserve evidence like encryption keys or active malware payloads.

How to eliminate wrong answers

Option A is wrong because it starts with a hard drive image, which is non-volatile and should be collected last, not first, risking loss of volatile data like RAM. Option B is wrong because it places running processes before RAM, but RAM contains process data and is more volatile, so RAM must be collected first. Option D is wrong because it places network connections before RAM, but network connection state can change rapidly and is less volatile than RAM, which holds active memory contents.

6
MCQ · medium

During the eradication phase of incident response, which of the following actions is MOST critical to ensure the threat is completely removed from a compromised system?

A. Reimaging the system from a verified clean image
B. Resetting compromised user credentials
C. Removing malicious files and cleaning registry persistence
D. Patching the exploited vulnerability
Answer: C

Attackers often establish persistence; failing to remove it can lead to recompromise.

Why this answer

During the eradication phase, the primary goal is to ensure that no remnants of the attacker's presence remain on the system. Option C directly addresses this by removing malicious files and cleaning registry persistence, which eliminates backdoors, scheduled tasks, and other persistence mechanisms that could allow the threat to survive a reboot or evade detection. Without this step, even after patching or credential resets, the attacker could regain access through hidden persistence points.

Exam trap

Cisco often tests the distinction between eradication and recovery phases, trapping candidates who confuse patching (a preventive control) with the active removal of threat artifacts that is required during eradication.

How to eliminate wrong answers

Option A is wrong, in the framing of this question, because reimaging from a clean image is a rebuild-and-restore step that does not involve identifying or removing the threat's artifacts; it is typically performed after eradication to return the system to a known good state. In practice reimaging is often the safest guarantee of removal when the full set of persistence mechanisms is uncertain, but the question asks for the action that directly removes the threat. Option B is wrong because resetting compromised user credentials is a containment and recovery action that prevents further unauthorized access, but it does not remove the threat itself; malicious files and persistence mechanisms remain active. Option D is wrong because patching the exploited vulnerability is a preventive measure that closes the initial attack vector, but it does not remove existing malware or persistence; the threat may still be present and active on the system.

7
MCQ · medium

After a ransomware incident, an organization decides to restore data from backups. The RPO (Recovery Point Objective) is 4 hours. What does this RPO indicate?

A. Backups must be taken at least every 4 hours to ensure data loss does not exceed 4 hours
B. The organization can tolerate 4 hours of downtime
C. The system must be restored within 4 hours of the incident
D. The recovery process will take a maximum of 4 hours
Answer: A

Correct. RPO drives backup frequency to limit data loss.

Why this answer

The Recovery Point Objective (RPO) defines the maximum acceptable amount of data loss measured in time. An RPO of 4 hours means the organization can tolerate losing up to 4 hours of data, so backups must be taken at least every 4 hours to ensure that in the worst case, no more than 4 hours of data is lost. This directly dictates the backup frequency, not the recovery time or downtime.

Exam trap

The trap here is confusing RPO (data loss tolerance) with RTO (downtime tolerance), leading candidates to select options that describe recovery time or downtime instead of backup frequency.

How to eliminate wrong answers

Option B is wrong because it describes the Recovery Time Objective (RTO), which is the maximum acceptable downtime, not the RPO. Option C is wrong because it also describes the RTO (time to restore service), not the RPO which is about data loss tolerance. Option D is wrong because it describes the actual recovery time, which is a metric of the restoration process, not the RPO's definition of acceptable data loss.

8
MCQ · hard

A company's disaster recovery plan specifies an RTO of 4 hours for its customer relationship management (CRM) system. Which of the following DR site types is MOST appropriate to meet this RTO?

A. Warm site
B. Mobile site
C. Hot site
D. Cold site
Answer: C

A hot site is fully configured and can be operational quickly, meeting a 4-hour RTO.

Why this answer

A hot site is fully configured with hardware, software, and live data replication, enabling recovery within minutes to a few hours. Since the RTO is 4 hours, a hot site can meet this requirement by allowing immediate failover without the need for extensive setup or data restoration.

Exam trap

The trap here is that candidates often confuse a warm site (which has hardware but not live data) as sufficient for a 4-hour RTO, underestimating the time needed to restore and validate backups, which can easily exceed 4 hours for a CRM system with large databases.

How to eliminate wrong answers

Option A is wrong because a warm site has pre-installed hardware but may lack up-to-date data and require several hours to days to restore from backups, making it unsuitable for a 4-hour RTO. Option B is wrong because a mobile site is a portable unit that must be transported and configured on-site, typically taking days to become operational, far exceeding the 4-hour RTO. Option D is wrong because a cold site provides only physical infrastructure (power, cooling, space) with no IT equipment or data, requiring weeks to procure and install systems, which cannot meet a 4-hour RTO.

9
Multi-Select · hard

A forensic investigator is collecting evidence from a compromised Windows server. According to the order of volatility, which THREE pieces of evidence should be collected FIRST? (Select THREE)

Select 3 answers
A. System event logs
B. Hard drive image
C. Network connections and open ports
D. Contents of RAM (memory dump)
E. List of running processes
Answers: C, D, E

Current network state is volatile and can change rapidly.

Why this answer

Network connections and open ports (C) are highly volatile because they change rapidly and are lost when the system is disconnected from the network or powered off. Capturing this state early, together with the memory dump (which also preserves it, and which should be taken first, as in question 5), records evidence of active remote connections that is critical for identifying the attacker's point of entry and ongoing activity. On Windows, netstat -anob (run from an elevated prompt so process names are shown) or CurrPorts can collect this information before any disk-level steps.

Exam trap

Cisco often tests the misconception that event logs are volatile because they are 'system state' data, but logs are written to disk and persist; the trap is confusing 'important' with 'volatile'.

10
Multi-Select · hard

During a post-incident review, the incident response team identifies several areas for improvement. According to NIST SP 800-61, which THREE activities are typically part of the post-incident activity phase?

Select 3 answers
A. Patch all systems in the organization as a precaution
B. Update the incident response plan based on findings
C. Replace all affected hardware immediately
D. Conduct a lessons learned meeting
E. Track metrics such as MTTD and MTTR
Answers: B, D, E

The plan should be updated to incorporate lessons learned.

Why this answer

Option B is correct because NIST SP 800-61 explicitly states that the post-incident activity phase includes updating the incident response plan based on lessons learned and findings from the incident. This ensures the plan evolves to address gaps and improve future response effectiveness.

Exam trap

The trap here is confusing operational recovery actions (like patching or hardware replacement) with the analytical and improvement-focused activities that define the post-incident phase per NIST SP 800-61.

11
MCQ · easy

Which of the following is the primary purpose of a chain of custody form in digital forensics?

A. To track the possession and handling of evidence from collection to presentation
B. To document the steps taken to contain an incident
C. To record the hash values of forensic images
D. To provide a list of approved forensic tools
Answer: A

Correct. Chain of custody ensures evidence integrity and admissibility.

Why this answer

Chain of custody documents who handled the evidence, when, and why, ensuring it remains admissible in court.

12
MCQ · hard

During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) was 14 days. Which improvement would most directly reduce MTTD?

A. Implementing stricter access control policies
B. Conducting more frequent tabletop exercises
C. Deploying additional endpoint detection and response (EDR) sensors with automated alerting
D. Increasing the frequency of full system backups
Answer: C

Correct. Enhanced detection tools reduce MTTD.

Why this answer

Deploying additional EDR sensors with automated alerting directly reduces the time between an incident's occurrence and its detection by providing continuous monitoring and immediate notification of suspicious activities. This shortens the MTTD because automated alerts eliminate the delay inherent in manual log review or periodic checks, enabling the incident response team to react within minutes rather than days.

Exam trap

The trap here is that candidates often confuse detection speed (MTTD) with prevention or recovery metrics, mistakenly thinking that improving backups (Option D) or access controls (Option A) will help detect incidents faster, when in fact they address different phases of the incident response lifecycle.

How to eliminate wrong answers

Option A is wrong because stricter access control policies primarily reduce the likelihood of an incident (prevention) or limit the blast radius, but they do not improve detection speed; MTTD is a detection metric, not a prevention or containment metric. Option B is wrong because tabletop exercises improve team preparedness and response procedures, but they do not directly affect the speed of detecting real incidents; they focus on reaction and coordination after detection, not on reducing detection latency. Option D is wrong because increasing the frequency of full system backups narrows the data loss you can recover to (the achievable RPO), but backups provide no real-time visibility into ongoing malicious activity and thus have no direct impact on MTTD.

13
MCQ · easy

During which phase of the NIST SP 800-61 incident response lifecycle are lessons learned meetings conducted and metrics such as MTTD and MTTR tracked?

A. Containment, Eradication, and Recovery
B. Preparation
C. Detection and Analysis
D. Post-Incident Activity
Answer: D

Correct. Lessons learned and metrics tracking are key parts of post-incident activity.

Why this answer

The Post-Incident Activity phase (D) is where lessons learned meetings are conducted and metrics such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) are tracked. This phase focuses on reviewing the incident response process, identifying improvements, and documenting findings to enhance future response efforts, as defined in NIST SP 800-61 Revision 2.

Exam trap

Cisco often tests the misconception that metrics like MTTD and MTTR belong to the Detection and Analysis or Containment phases. The timestamps that feed them (when the compromise began, when it was detected, when it was resolved) are recorded as the incident unfolds, but the metrics themselves are computed, reviewed and acted on after the incident is resolved, in the Post-Incident Activity phase.

How to eliminate wrong answers

Option A is wrong because Containment, Eradication, and Recovery focuses on stopping the incident, removing threats, and restoring operations, not on post-incident analysis or metric tracking. Option B is wrong because Preparation involves establishing policies, tools, and training before an incident occurs, not conducting lessons learned or tracking MTTD/MTTR after an incident. Option C is wrong because Detection and Analysis is the phase where incidents are identified and analyzed, but it does not include the retrospective review or metric collection that occurs in the Post-Incident Activity phase.

14
Multi-Select · medium

A company is conducting a disaster recovery test. Which TWO types of tests involve minimal risk to production operations?

Select 2 answers
A. Tabletop exercise
B. Simulation test
C. Parallel test
D. Walkthrough
E. Full interruption test
Answers: A, D

A discussion-based exercise with no actual system changes.

Why this answer

A tabletop exercise is a discussion-based test where key personnel walk through a disaster scenario without affecting live systems. It involves no actual failover, data replication, or production traffic, so the risk to operations is zero. This makes it a safe, low-cost method to validate plans and roles.

Exam trap

Cisco often tests the misconception that 'simulation' or 'parallel' tests are low-risk because they are 'controlled,' but the key distinction is that tabletop and walkthrough involve zero execution of technical recovery steps, while any test that touches production systems carries inherent risk.

15
MCQ · easy

An organization is developing its incident response plan. According to NIST SP 800-61, which phase should include establishing a communication plan, acquiring necessary tools, and conducting exercises?

A. Preparation
B. Post-Incident Activity
C. Detection and Analysis
D. Containment, Eradication, and Recovery
Answer: A

Correct. Preparation includes the IR plan, team, tools, exercises, and communication plan.

Why this answer

According to NIST SP 800-61, the Preparation phase is where the organization establishes a communication plan, acquires necessary tools (e.g., forensic workstations, imaging software, network monitoring tools), and conducts exercises (e.g., tabletop exercises or full-scale simulations) to ensure readiness. This phase lays the foundation for all subsequent incident response activities by ensuring resources and procedures are in place before an incident occurs.

Exam trap

Cisco often tests the misconception that Detection and Analysis includes proactive preparation activities, but NIST SP 800-61 clearly separates the proactive Preparation phase from the reactive Detection phase, which only begins after an incident is suspected.

How to eliminate wrong answers

Option B is wrong because the Post-Incident Activity phase focuses on lessons learned, evidence retention, and report generation after containment and recovery, not on proactive preparation like tool acquisition or exercises. Option C is wrong because Detection and Analysis involves identifying and validating incidents through log analysis, alerts, and threat intelligence, not establishing communication plans or acquiring tools. Option D is wrong because Containment, Eradication, and Recovery are reactive phases that execute actions to stop the incident, remove threats, and restore systems, relying on the tools and plans already set up in Preparation.

16
Multi-Select · hard

A company is selecting a disaster recovery site for its critical applications. Which THREE characteristics differentiate a warm site from a cold site? (Select three.)

Select 3 answers
A. A warm site is typically ready to operate within hours.
B. A warm site has environmental controls (power, cooling) already in place.
C. A warm site has pre-installed servers and network equipment.
D. A warm site has live data replication from the primary site.
E. A warm site requires data restoration from backups before use.
Answers: B, C, E

A warm site has a fully provisioned facility and installed equipment but no live data; a cold site offers the bare facility only.

Why this answer

Option B is correct in the sense this question uses: at a warm site the facility (power, cooling, network connectivity) is fully provisioned and verified for the recovery workload, whereas a cold site may be little more than floor space, and bringing the environment up is part of its long setup time. Be aware that many definitions, including the one used in question 8 above, credit a cold site with basic power and cooling as well; what a cold site never has is installed, configured IT equipment. The unambiguous differentiators are therefore pre-installed servers and network equipment (C) and the need to restore data from backups before use (E), since a warm site, unlike a hot site, does not replicate live data.

Exam trap

The trap here is confusing the recovery time and data synchronization characteristics of warm sites with those of hot sites, leading candidates to incorrectly select 'live data replication' or 'operational within hours' as warm site traits.

17
MCQ · easy

What is the primary purpose of establishing a chain of custody for digital evidence?

A. To reduce the size of evidence for storage
B. To encrypt evidence for secure transmission
C. To maintain evidence integrity and track handling
D. To prioritize which evidence to analyze first
Answer: C

It documents who handled evidence, when, and why, ensuring it hasn't been tampered with.

Why this answer

The primary purpose of establishing a chain of custody for digital evidence is to maintain evidence integrity and track every person who handled the evidence from collection through presentation in court. This process ensures that the evidence has not been tampered with, altered, or corrupted, which is critical for admissibility under legal standards such as the Federal Rules of Evidence (FRE) Rule 901. By documenting each transfer with timestamps, signatures, and hash values (e.g., MD5 or SHA-256), the chain of custody provides a verifiable audit trail that supports the evidence's authenticity and reliability.

Exam trap

The trap here is that candidates confuse chain of custody with data preservation techniques like encryption or compression, but the exam specifically tests that its core purpose is to ensure integrity and provide an unbroken audit trail of handling, not to secure or reduce the data.

How to eliminate wrong answers

Option A is wrong because reducing the size of evidence for storage is not a purpose of chain of custody; that is typically achieved through compression algorithms like ZIP or deduplication, and it has no bearing on legal admissibility. Option B is wrong because encrypting evidence for secure transmission is a separate security measure (e.g., using AES-256 or TLS), not a function of chain of custody, which focuses on documenting handling rather than protecting confidentiality. Option D is wrong because prioritizing which evidence to analyze first is a triage decision made during incident response based on impact or volatility (e.g., memory over disk), not a goal of chain of custody, which applies equally to all evidence items.
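A chain-of-custody record of the kind questions 11 and 17 describe (who, when, why, plus the evidence hash), written as an added example rather than code from the page: each transfer entry embeds the evidence hash taken at collection and the hash of the previous entry, so altering any historical entry, or the evidence itself, is detectable when the chain is re-derived. Real custody forms also carry signatures; this example uses a plain hash chain only, and the evidence bytes, item ID, people and timestamps are constructed.

```python
"""Hash-chained chain-of-custody log: every handoff links to the previous entry
and to the evidence hash taken at collection, so tampering is detectable."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Canonical hash of one custody record (sorted keys, no whitespace), so the
    same record always produces the same digest regardless of dict ordering."""
    return sha256_hex(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode())


class CustodyLog:
    def __init__(self, item_id: str, evidence: bytes, collected_by: str, when: str):
        self.item_id = item_id
        self.evidence_hash = sha256_hex(evidence)   # taken once, at collection
        self.entries = []
        self._append(when, "collection", collected_by, collected_by, "acquired from suspect host")

    def _append(self, when, action, holder_from, holder_to, purpose):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries), "timestamp": when, "action": action,
            "from": holder_from, "to": holder_to, "purpose": purpose,
            "item_id": self.item_id, "evidence_sha256": self.evidence_hash,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = entry_digest(entry)   # digest covers every field above
        self.entries.append(entry)
        return entry

    def transfer(self, when, holder_from, holder_to, purpose):
        """Record a handoff; only the current holder can hand the item on."""
        current = self.entries[-1]["to"]
        if holder_from != current:
            raise ValueError(f"{holder_from} does not hold {self.item_id}; current holder is {current}")
        return self._append(when, "transfer", holder_from, holder_to, purpose)

    def verify(self, evidence: bytes):
        """Re-derive every link and return (ok, reason), reporting the first break."""
        if sha256_hex(evidence) != self.evidence_hash:
            return False, "evidence bytes no longer match the hash taken at collection"
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_entry_hash"] != prev:
                return False, f"entry {i} does not link to entry {i - 1}"
            if entry_digest(body) != e["entry_hash"]:
                return False, f"entry {i} was altered after it was recorded"
            if e["evidence_sha256"] != self.evidence_hash:
                return False, f"entry {i} records a different evidence hash"
            prev = e["entry_hash"]
        return True, "chain intact"


def demo() -> dict:
    """Constructed scenario: collection, two handoffs, then two kinds of tampering."""
    evidence = b"constructed forensic image bytes \x00\x01\x02 payroll_q3.xlsx"
    log = CustodyLog("HDD-0417", evidence, "a.lee (first responder)", "2024-05-02T10:15:00Z")
    log.transfer("2024-05-02T11:00:00Z", "a.lee (first responder)", "evidence locker", "secure storage")
    log.transfer("2024-05-03T09:30:00Z", "evidence locker", "m.chen (examiner)", "analysis")
    intact = log.verify(evidence)
    log.entries[1]["to"] = "unknown"            # rewrite history: who received the drive
    tampered = log.verify(evidence)
    log.entries[1]["to"] = "evidence locker"    # restore the record
    altered_evidence = log.verify(evidence + b"X")
    return {"intact": intact, "tampered": tampered,
            "altered_evidence": altered_evidence, "entries": len(log.entries)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Because each entry's digest covers the previous entry's digest, a forger who edits one record has to recompute every later digest as well, which is exactly what a countersigned or independently stored copy of the final digest prevents.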

18
MCQ · medium

Which type of disaster recovery test involves running the DR systems alongside the production systems to validate functionality without impacting live operations?

A. Simulation test
B. Full interruption test
C. Tabletop exercise
D. Parallel test
Answer: D

Parallel test runs DR systems side-by-side with production, verifying functionality without risk.

Why this answer

A parallel test runs the disaster recovery systems concurrently with the production systems to verify that the DR environment can handle the workload without disrupting live operations. This approach validates data replication, application functionality, and failover readiness while keeping production untouched, making it the correct choice for non-disruptive validation.

Exam trap

The trap here is that candidates often confuse 'parallel test' with 'simulation test' because both sound non-disruptive, but a simulation test is purely theoretical while a parallel test actually runs DR systems with live data.

How to eliminate wrong answers

Option A is wrong because a simulation test involves a controlled, often tabletop-style walkthrough of disaster scenarios without actually activating DR systems or processing live data. Option B is wrong because a full interruption test (also called a full-scale test) requires shutting down production systems to fail over to the DR site, which directly impacts live operations. Option C is wrong because a tabletop exercise is a discussion-based review of roles and procedures, not a technical validation of DR system functionality.

19
MCQ · hard

During the eradication phase of a malware incident, a security analyst removes malicious files and cleans registry persistence. What is the MOST critical additional step to prevent reinfection through the same vector?

A. Patching the vulnerability that was exploited
B. Running a full antivirus scan
C. Resetting all user passwords
D. Reimaging the system with a clean OS
Answer: A

Correct. Without patching, the same vulnerability can be exploited again.

Why this answer

Patching the exploited vulnerability (Option A) is the most critical additional step because it removes the root cause of the infection. Without patching, the same attack vector (e.g., an unpatched SMB vulnerability like EternalBlue) remains open, allowing the malware to reinfect the system immediately after cleanup. Eradication is incomplete if the underlying flaw is not addressed, as the attacker can simply re-exploit the same weakness.

Exam trap

Cisco often tests the misconception that cleaning or reimaging alone is sufficient, but the trap here is that candidates overlook the need to address the root cause (the vulnerability) to prevent reinfection through the same vector.

How to eliminate wrong answers

Option B is wrong because running a full antivirus scan is a detection and cleanup step, not a preventive measure against reinfection through the same vector; it may miss zero-day or polymorphic malware. Option C is wrong because resetting user passwords addresses credential theft or lateral movement, but does not close the exploited vulnerability (e.g., a remote code execution flaw in a network service). Option D is wrong because reimaging the system with a clean OS removes the malware but does not patch the original vulnerability; the system will be reinfected if reconnected to the same unpatched network.

20
MCQ · easy

During the detection and analysis phase, an analyst classifies an incident as P1 (critical) because it involves a breach of sensitive customer data. What is the IMMEDIATE next step the analyst should take?

A. Notify the affected customers of the data breach
B. Create a forensic image of the compromised server
C. Escalate the incident to the incident response manager and legal counsel
D. Begin containment by isolating affected systems
Answer: C

P1 incidents require immediate escalation to management and legal for breach notification requirements.

Why this answer

When an incident is classified as P1 (critical) due to a breach of sensitive customer data, the immediate next step is to escalate to the incident response manager and legal counsel. This ensures that legal obligations (e.g., breach notification laws, regulatory reporting) and organizational authority are engaged before any technical actions that could alter evidence or violate chain-of-custody requirements. The detection and analysis phase prioritizes notification of key stakeholders to coordinate a lawful and effective response. In practice the escalation itself takes minutes and runs alongside evidence-preserving containment; the point is that authority and legal are engaged before any irreversible action is taken.

Exam trap

The trap here is that candidates often jump to containment (Option D) as the immediate technical step, but the exam emphasizes that for critical incidents involving sensitive data, escalation to management and legal must occur first to ensure legal and regulatory compliance before any technical action.

How to eliminate wrong answers

Option A is wrong because notifying affected customers prematurely, before legal counsel has assessed notification requirements (e.g., under GDPR or HIPAA), could violate data breach notification laws and expose the organization to liability. Option B is wrong because creating a forensic image is a step typically performed after escalation and authorization, and doing so without legal or managerial approval may compromise the chain of custody or violate data privacy regulations. Option D is wrong because beginning containment before escalation risks destroying volatile evidence or making unauthorized changes that could hinder forensic analysis and legal proceedings.

21 · Multi-Select · medium

A security analyst is responding to a malware incident on a Windows server. Which TWO actions should be taken to properly collect volatile evidence?

Select 2 answers
A. Reboot the system to clear malware from memory
B. Delete suspicious files to prevent further infection
C. Perform a full disk image using a write blocker
D. Capture a memory dump using WinPmem
E. Record active network connections
Answers: D, E

Memory dump captures volatile data from RAM.

Why this answer

WinPmem is a dedicated memory acquisition tool that captures the contents of RAM, which contains critical volatile evidence such as running processes, open network connections, and injected code. Since volatile data is lost on power loss or reboot, capturing a memory dump before any other action preserves this evidence for forensic analysis.

Exam trap

The trap here is that candidates often confuse 'volatile evidence' with 'non-volatile evidence' and choose disk imaging (Option C) instead of memory capture, or mistakenly think rebooting (Option A) is a safe containment step.

22 · MCQ · medium

After a security incident, the incident response team holds a lessons learned meeting. What is the PRIMARY outcome of this meeting?

A. Permanently delete all evidence related to the incident
B. Inform the media about the incident details
C. Identify improvements to the incident response process
D. Assign blame for the incident
Answer: C

The goal is to learn from the incident and enhance future response.

Why this answer

The primary outcome of a lessons learned meeting is to identify improvements to the incident response process. This meeting focuses on analyzing what worked well and what did not, leading to actionable changes in policies, procedures, and tools to enhance future incident handling. It is a key component of the continuous improvement cycle mandated by frameworks like NIST SP 800-61.

Exam trap

The trap here is that candidates may confuse the lessons learned meeting with the immediate operational steps of incident response, such as evidence handling or public relations, rather than recognizing its core purpose of process improvement and continuous learning.

How to eliminate wrong answers

Option A is wrong because permanently deleting all evidence related to the incident violates legal hold requirements, chain of custody, and potential forensic analysis needs; evidence must be preserved according to retention policies and regulatory mandates. Option B is wrong because informing the media about incident details is not a primary outcome of a lessons learned meeting; such communication is handled by a designated public relations or legal team to avoid compromising investigations or violating disclosure laws. Option D is wrong because assigning blame is counterproductive and contrary to the purpose of a lessons learned meeting, which is to focus on process improvement rather than individual fault; a blame-free culture encourages honest reporting and effective remediation.

23 · MCQ · easy

Which DR testing type involves running recovery systems in parallel with production systems to verify functionality without impacting live operations?

A. Full interruption test
B. Simulation test
C. Parallel test
D. Tabletop exercise
Answer: C

Correct. Parallel testing runs DR systems concurrently with production.

Why this answer

A parallel test is the correct DR testing type because it involves running the recovery systems concurrently with the production systems. This allows the organization to verify that the backup systems function correctly and can handle the workload without any impact on live operations, as the production environment remains untouched.

Exam trap

Cisco often tests the distinction between a parallel test and a simulation test, where candidates mistakenly think a simulation involves actual system execution, but in reality, a simulation test is a theoretical exercise without any live system activation.

How to eliminate wrong answers

Option A is wrong because a full interruption test (also known as a full-scale or hot start test) requires shutting down the primary production systems and failing over entirely to the recovery site, which directly impacts live operations and is not a parallel run. Option B is wrong because a simulation test involves a walk-through or role-playing scenario where team members discuss their responses to a disaster without actually activating any recovery systems or processing live data. Option D is wrong because a tabletop exercise is a discussion-based session where participants review plans and procedures in a meeting room, with no actual execution of recovery systems or parallel processing.

24 · MCQ · medium

An incident responder is collecting evidence from a compromised server. Which of the following is the correct order for collecting volatile data?

A. Network connections, memory dump, disk image
B. Disk image, network connections, memory dump
C. Memory dump, network connections, disk image
D. Disk image, memory dump, network connections
Answer: C

This follows the order of volatility: memory is most volatile, then network state, then disk.

Why this answer

Option C is correct because volatile data must be collected in order of decreasing volatility: memory (RAM) is most volatile and lost on power loss, followed by network connections (ephemeral state), and finally disk image (persistent storage). This order ensures critical evidence like running processes, encryption keys, and active network sessions are captured before they disappear.

Exam trap

Cisco often tests the misconception that disk imaging should be done first because it is the most stable evidence source, but the trap is that volatile data (memory and network state) is lost forever if not captured immediately, making the order of volatility the critical priority.

How to eliminate wrong answers

Option A is wrong because collecting network connections before memory dump risks losing volatile memory contents (e.g., processes, kernel objects) that may contain evidence of active malware or encryption keys. Option B is wrong because starting with a disk image is the least volatile and would cause loss of all volatile data (memory and network state) before they are captured. Option D is wrong because collecting disk image before memory dump violates the order of volatility; memory must be captured first as it is lost immediately upon shutdown or power loss.

25 · MCQ · medium

An analyst detects suspicious outbound traffic from a workstation to a known command-and-control IP. Which IoC blocking method is MOST appropriate as an immediate containment measure?

A. Delete the malicious files from the system
B. Remove the malware from the workstation using EDR
C. Block the IP address at the perimeter firewall
D. Disable the user's account
Answer: C

Correct. This disrupts the malicious communication channel.

Why this answer

Blocking the IP address at the perimeter firewall is the most appropriate immediate containment measure because it directly cuts the outbound communication channel to the known command-and-control (C2) server. This stops data exfiltration and prevents the attacker from issuing further commands, buying time for deeper analysis. Firewall ACLs or blackhole routes can be applied in seconds without altering the endpoint, which is critical when the malware may have persistence mechanisms or anti-forensic capabilities.

Exam trap

The trap here is that candidates confuse containment with remediation, choosing to delete files or remove malware (options A or B) instead of recognizing that the immediate priority is to sever the network-level communication channel to the C2 server.

How to eliminate wrong answers

Option A is wrong because deleting malicious files from the system does not stop active C2 traffic; the malware may be running in memory or have already established a persistent connection, and file deletion alone does not terminate existing network sessions. Option B is wrong because removing malware using EDR is a remediation step, not an immediate containment measure; EDR removal can take time, may trigger malware defenses, and does not instantly block the outbound C2 traffic already in progress. Option D is wrong because disabling the user's account does not affect the malware's network communication; the malware runs as a process independent of user authentication and can continue sending data over the network even with the account disabled.

26 · MCQ · hard

During a malware containment operation, the incident response team decides to isolate an infected endpoint using network access controls. However, the malware is spreading via removable media. Which additional containment measure should the team implement?

A. Block the malware's command-and-control IP at the firewall
B. Disable the user's account and force a password reset
C. Reimage the infected system immediately
D. Group policy to disable USB ports or restrict autorun
Answer: D

Disabling USB ports or autorun prevents the malware from spreading via removable media.

Why this answer

Option D is correct because the malware is spreading via removable media, so disabling USB ports or restricting autorun via Group Policy directly cuts off the propagation vector. Network access controls (NAC) isolate the endpoint from the network, but they do not prevent the malware from copying itself to USB drives or executing via autorun.inf. Group Policy can disable the storage device class (e.g., via 'Removable Storage Access' policies) or disable autorun entirely (via 'Turn off Autoplay' policy), stopping the spread at the physical media level.

Exam trap

Cisco often tests the distinction between containment and remediation, and the trap here is that candidates confuse blocking C2 traffic (Option A) with stopping local propagation, failing to recognize that removable media spread is independent of network connectivity.

How to eliminate wrong answers

Option A is wrong because blocking the C2 IP at the firewall only disrupts command-and-control communication, not the local spread via removable media; the malware can still propagate via USB drives without needing network connectivity. Option B is wrong because disabling the user's account and forcing a password reset addresses credential compromise or unauthorized access, but does not stop the malware from copying itself to removable media or autorunning on other systems. Option C is wrong because reimaging the infected system immediately is a remediation step, not a containment step; containment must first stop the spread, and reimaging should only occur after containment is achieved to avoid reinfection or data loss.

27 · MCQ · medium

Which of the following is the PRIMARY purpose of establishing a chain of custody when handling digital evidence?

A. To determine the priority of the incident
B. To ensure that evidence is stored in a secure location
C. To prove that evidence has not been altered or tampered with from collection to presentation
D. To identify which forensic tools were used during analysis
Answer: C

Chain of custody maintains integrity and admissibility.

Why this answer

The primary purpose of chain of custody is to create a documented, unbroken record of every person who handled the evidence, from collection through presentation in court. This documentation is critical to demonstrate that the digital evidence has not been altered, tampered with, or corrupted, thereby preserving its integrity and admissibility. Without a proper chain of custody, the opposing party can successfully challenge the evidence as unreliable or compromised.

Exam trap

The trap here is that candidates often confuse the purpose of chain of custody with the purpose of secure storage (Option B), but the exam specifically tests that the primary goal is proving evidence integrity through an unbroken record of custody, not just physical security.

How to eliminate wrong answers

Option A is wrong because establishing chain of custody has nothing to do with determining incident priority; priority is based on impact, criticality, and business risk, not evidence handling. Option B is wrong because while secure storage is an important part of evidence preservation, it is only one component of the chain of custody process, not the primary purpose; the core goal is proving integrity through documentation of every transfer and access event. Option D is wrong because identifying forensic tools used during analysis is a matter of methodology documentation, not chain of custody; chain of custody focuses on who had possession and when, not which software was employed.

28 · MCQ · easy

Which metric is used to measure the average time it takes to detect an incident?

A. Recovery Point Objective (RPO)
B. Mean Time to Resolve (MTTR)
C. Mean Time to Detect (MTTD)
D. Recovery Time Objective (RTO)
Answer: C

MTTD is specifically for detection time.

Why this answer

Mean Time to Detect (MTTD) is the correct metric because it specifically measures the average time elapsed between the occurrence of an incident and its detection by monitoring systems or security personnel. This metric is critical in incident response as it directly impacts the window of opportunity for attackers to cause damage before containment begins.

Exam trap

The trap here is that candidates often confuse Mean Time to Detect (MTTD) with Mean Time to Resolve (MTTR) because both acronyms start with 'MTT' and relate to incident timelines, but MTTD focuses solely on detection while MTTR covers the entire resolution process after detection.

How to eliminate wrong answers

Option A is wrong because Recovery Point Objective (RPO) measures the maximum acceptable amount of data loss measured in time, not detection time; it is used in backup and disaster recovery planning. Option B is wrong because Mean Time to Resolve (MTTR) measures the average time taken to fully resolve an incident after detection, not the detection phase itself. Option D is wrong because Recovery Time Objective (RTO) measures the maximum acceptable downtime after a disaster, not the time to detect an incident.

29 · Multi-Select · medium

An incident responder is collecting volatile evidence from a compromised Linux server. Which TWO of the following should be collected first? (Select two.)

Select 2 answers
A. Disk image of the system drive
B. System log files from /var/log
C. Hardware configuration inventory
D. List of active network connections using netstat
E. Contents of RAM using LiME
Answers: D, E

Network connections are volatile and should be captured early.

Why this answer

In incident response, volatile data is data that will be lost when the system is powered off. Active network connections (captured via netstat) and the contents of RAM (captured via LiME) are the most volatile, as they change constantly and are lost immediately upon shutdown. Collecting these first preserves critical evidence of current attacker activity and in-memory artifacts like rootkits or encryption keys.

Exam trap

Cisco often tests the 'order of volatility' principle, and the trap here is that candidates mistakenly prioritize disk-based artifacts (logs, images) over truly volatile data like RAM and network connections, which are lost on power-off.

30 · MCQ · medium

An organization's security team detects a potential data breach. After confirming the incident, they classify it as P2 (high severity) and begin containment. Which action should be performed FIRST to preserve evidence for forensic analysis?

A. Disconnect the system from the network
B. Capture a memory dump using a tool like Magnet RAM Capture
C. Create a forensic image of the hard drive
D. Run an antivirus scan to remove malware
Answer: B

Correct. Memory contains volatile evidence that is lost when power is removed.

Why this answer

When a high-severity incident (P2) is confirmed, the first priority for forensic preservation is capturing volatile data, which includes system memory (RAM). A memory dump using a tool like Magnet RAM Capture preserves running processes, network connections, encryption keys, and malware in memory that would be lost on shutdown or disconnection. This order follows the volatility principle: capture the most volatile data first before any other action that could alter the system state.

Exam trap

The trap here is that candidates often choose 'Disconnect the system from the network' first, thinking containment is the immediate priority, but the SSCP exam emphasizes that evidence preservation (starting with volatile data) must precede containment actions to avoid destroying forensic artifacts.

How to eliminate wrong answers

Option A is wrong because disconnecting from the network first would cause loss of volatile network connections, active sessions, and memory-resident artifacts; it also may trigger anti-forensic mechanisms in malware. Option C is wrong because creating a forensic image of the hard drive is a non-volatile step that should occur after memory capture, as disk imaging can overwrite slack space or alter timestamps if done prematurely. Option D is wrong because running an antivirus scan modifies the system state (e.g., quarantining or deleting files) and destroys evidence; scanning is a remediation step, not a preservation step.

31 · Multi-Select · medium

After a security incident, the response team holds a lessons learned meeting. Which TWO are primary objectives of this meeting? (Select two.)

Select 2 answers
A. Identify what went well and what could be improved
B. Update the incident response plan and runbooks
C. Delete all evidence to free up storage
D. Assign blame for the incident
E. Restore affected systems to production
Answers: A, B

Correct. Lessons learned captures successes and areas for improvement.

Why this answer

The primary objectives of a lessons learned meeting after a security incident are to identify what went well and what could be improved, and to update the incident response plan and runbooks based on those findings. This meeting focuses on process improvement and documentation updates to enhance future response efforts, not on operational tasks like evidence handling or system restoration.

Exam trap

The trap here is that candidates may confuse operational recovery tasks (like restoring systems or deleting evidence) with the strategic, process-improvement objectives of the lessons learned meeting, which are solely focused on analyzing the response and updating documentation.

32 · MCQ · hard

An organization is restoring a critical database from a backup after a ransomware attack. Which of the following steps should be performed BEFORE restoring the data to ensure the restoration is successful and secure?

A. Notify users that the system will be available in one hour
B. Disconnect the backup server from the network
C. Immediately restore the most recent backup to minimize data loss
D. Verify the integrity of the backup and patch the exploited vulnerability
Answer: D

This ensures the backup is clean and the system is hardened before restoration.

Why this answer

Option D is correct because verifying backup integrity (e.g., using checksums or restore tests) ensures the backup is not corrupted or incomplete, which is critical after a ransomware attack where backups may also be targeted. Patching the exploited vulnerability (e.g., applying a security update or disabling the vulnerable service) prevents re-infection during or after the restore, ensuring the recovery is secure. Without these steps, restoring a compromised or incomplete backup could lead to data loss or immediate re-encryption by the same ransomware.

Exam trap

The trap here is that candidates assume restoring the most recent backup is always the priority, but the SSCP exam emphasizes that verifying backup integrity and securing the environment against re-infection are mandatory prerequisites for a successful and secure recovery.

How to eliminate wrong answers

Option A is wrong because notifying users of a one-hour availability before verifying the backup or patching the vulnerability is premature and unrealistic; restoration time depends on backup size and integrity checks, and users should only be notified after a successful restore and testing. Option B is wrong because disconnecting the backup server from the network is a good practice during recovery to prevent ransomware spread, but it is not the step that ensures restoration success and security—it is a containment measure that should be done before or during the restore, not the critical prerequisite for a successful restore. Option C is wrong because immediately restoring the most recent backup without verifying its integrity risks restoring a corrupted or encrypted backup (common in ransomware attacks where backups are also encrypted), and without patching the vulnerability, the system will be immediately re-infected.

33 · MCQ · medium

During incident response, a team needs to isolate an infected workstation that is part of a critical manufacturing network. Which containment method is MOST appropriate to minimize disruption while preventing the spread of malware?

A. Place the workstation into a quarantine VLAN via switch configuration
B. Apply a host-based firewall rule to block all inbound traffic
C. Physically unplug the network cable
D. Disable the user's Active Directory account
Answer: A

Correct. VLAN quarantine isolates the device while allowing limited access for forensics.

Why this answer

Placing the workstation into a quarantine VLAN via switch configuration is most appropriate because it logically isolates the infected host from the rest of the network at Layer 2, preventing lateral spread of malware while allowing the manufacturing network to continue operating. This method uses 802.1Q VLAN tagging and access control lists (ACLs) on the switch to restrict traffic without physically disconnecting the device, which could disrupt time-sensitive manufacturing processes. It also preserves the ability to remotely manage or forensically image the workstation if needed.

Exam trap

The trap here is that candidates often choose 'physically unplug the network cable' because it seems like the most definitive containment, but they overlook the requirement to minimize disruption in a critical manufacturing network where sudden disconnection can halt production or cause safety hazards.

How to eliminate wrong answers

Option B is wrong because applying a host-based firewall rule to block all inbound traffic does not prevent the infected workstation from initiating outbound connections to spread malware to other systems, and it relies on the compromised host's own software, which may be disabled or bypassed by the malware. Option C is wrong because physically unplugging the network cable completely removes the workstation from the network, which can cause immediate disruption to critical manufacturing processes that depend on that workstation for real-time control or monitoring. Option D is wrong because disabling the user's Active Directory account only prevents authentication and access to domain resources, but does not stop the workstation from communicating with other devices on the same subnet or from spreading malware via non-authenticated protocols like ARP or NetBIOS.

34 · MCQ · hard

After containing a ransomware incident, the incident response team identifies that the attacker gained initial access through a phishing email that installed a backdoor. Which of the following eradication steps is MOST critical to prevent re-infection?

A. Resetting all user passwords
B. Reimaging all affected systems from a known-good backup
C. Removing the backdoor executable and associated persistence mechanisms
D. Conducting security awareness training for all employees
Answer: C

Directly removing the backdoor prevents it from being used again. Combined with patching, this is critical.

Why this answer

Option C is correct because the primary goal of eradication is to remove the attacker's foothold from the system. Removing the backdoor executable and its associated persistence mechanisms (e.g., scheduled tasks, registry Run keys, or WMI subscriptions) directly eliminates the means by which the attacker can regain access, preventing re-infection from the same vector.

Exam trap

The trap here is that candidates often confuse eradication with recovery or prevention, choosing reimaging (Option B) or training (Option D) instead of recognizing that removing the attacker's specific foothold is the immediate technical priority to stop re-infection.

How to eliminate wrong answers

Option A is wrong because resetting user passwords addresses credential compromise but does not remove the backdoor or its persistence; the attacker can still re-enter via the backdoor without needing a password. Option B is wrong because reimaging from a known-good backup is a valid recovery step, but it is not the most critical eradication step—it is a more drastic measure that may not be necessary if the backdoor can be surgically removed, and it does not address the root cause of the initial compromise (the phishing vector). Option D is wrong because security awareness training is a preventive measure that reduces future risk but does not eradicate the existing backdoor or persistence mechanisms already present on affected systems.

35 · Multi-Select · medium

An organization uses a hot disaster recovery (DR) site and has a Recovery Time Objective (RTO) of 4 hours. During a DR test, the team discovers that data replication from the primary site fails. Which TWO actions should the team take to meet the RTO while ensuring data integrity? (Choose two.)

Select 2 answers
A. Verify the integrity of the backup before restoration using hash checks.
B. Extend the RTO to allow time for manual data re-entry.
C. Failover to the hot DR site immediately without data restoration.
D. Restore the latest valid backup from the primary site to the DR site.
E. Switch to a cold DR site that requires hardware setup.
Answers: A, D

Ensuring backup integrity prevents restoring corrupted or infected data.

Why this answer

Option A is correct because verifying the integrity of the backup using hash checks (e.g., SHA-256 or MD5) ensures that the data has not been corrupted during storage or transfer, which is critical before restoration to maintain data integrity. Option D is correct because restoring the latest valid backup from the primary site to the DR site provides a known-good data set, allowing the organization to meet the 4-hour RTO by having a consistent state to failover to, even if replication has failed.

Exam trap

Cisco often tests the misconception that failing over to a hot site immediately is sufficient, but the trap here is that without verifying and restoring a valid backup, the DR site may contain corrupted or incomplete data, breaking data integrity requirements.

36 · Multi-Select · hard

During a post-incident review of a data breach, the incident response team is evaluating the chain of custody for forensic evidence. Which THREE practices demonstrate proper evidence handling? (Choose three.)

Select 3 answers
A. The original hard drive was used directly for analysis to avoid delays.
B. A write blocker was used when creating a forensic image of the disk.
C. MD5 hashes were computed only after the analysis was complete.
D. The forensic image was verified by comparing its hash to the hash of the original disk.
E. Each person who handled the evidence documented their name, date, time, and purpose.
Answers: B, D, E

Write blockers prevent any accidental writes to the original evidence during imaging.

Why this answer

Option B is correct because a write blocker is a hardware or software device that prevents any write operations to the original evidence drive during forensic imaging. This ensures the integrity of the original evidence by blocking all commands that could modify data, such as write, erase, or format commands, while allowing read-only access for creating a bit-for-bit copy.

Exam trap

Cisco often tests the misconception that hashing can be done at any point during the investigation, but the trap is that integrity verification must occur before analysis begins to establish a baseline, not after the fact.

37 · MCQ · easy

Which of the following is the FIRST step in the volatile evidence collection order when responding to an incident on a live system?

A. Capture a RAM dump using a tool like Magnet RAM Capture or WinPmem
B. Disconnect the system from the network
C. Run antivirus scans to identify malware
D. Create a forensic image of the hard drive
Answer: A

Memory is the most volatile; capturing it first preserves running processes, network connections, and encryption keys.

Why this answer

Volatile evidence is collected starting with the most volatile (memory) to preserve data that can be lost when the system is powered down. RAM dump must be done first.

38 · MCQ · easy

What is the PRIMARY purpose of a lessons learned meeting after an incident?

A. To assign blame for the incident
B. To satisfy regulatory compliance requirements
C. To calculate the financial cost of the incident
D. To identify improvements in the incident response process
Answer: D

Correct. It helps refine the IR plan and procedures.

Why this answer

The primary purpose of a lessons learned meeting is to analyze the incident response process to identify what worked well and what did not, enabling the team to update procedures, playbooks, and tools to improve future responses. This aligns with the continuous improvement cycle mandated by frameworks like NIST SP 800-61, which emphasizes post-incident activity to refine detection and remediation capabilities.

Exam trap

The trap here is that candidates confuse the primary goal of process improvement with secondary outcomes like cost calculation or compliance, but the SSCP exam emphasizes that the core purpose is to enhance the incident response plan's effectiveness, not to assign blame or tally expenses.

How to eliminate wrong answers

Option A is wrong because lessons learned meetings are explicitly non-punitive and focus on process improvement, not assigning blame, which would discourage open reporting and hinder future incident handling. Option B is wrong because, while regulatory compliance may require documentation of post-incident reviews, the primary purpose is not compliance but operational improvement; compliance is a secondary benefit. Option C is wrong because calculating financial cost is typically part of a separate damage assessment or forensic accounting, not the core objective of a lessons learned meeting, which centers on process effectiveness.

39 · MCQ · hard

During a malware outbreak, a security analyst needs to contain the spread. The affected systems are on the same VLAN as critical servers. Which of the following containment actions should be performed FIRST to minimize impact?

A. Disable user accounts associated with the infected systems
B. Isolate the affected systems by applying VLAN quarantine or ACLs
C. Reboot the affected systems to clear malware from memory
D. Restore the affected systems from backup
Answer: B

Network isolation quickly stops communication with other systems.

Why this answer

Isolating the affected systems by applying VLAN quarantine or ACLs is the correct first action because it immediately stops the malware from spreading laterally across the same VLAN to critical servers, while preserving forensic evidence. This network-level containment is faster and less disruptive than account or system-level changes, and it prevents the outbreak from propagating before any remediation begins.

Exam trap

Cisco often tests the principle that containment must occur at the network layer first, not at the host or user layer, and the trap here is that candidates mistakenly choose to reboot or disable accounts, thinking they are stopping the infection, when in fact they are ignoring the immediate lateral spread risk.

How to eliminate wrong answers

Option A is wrong because disabling user accounts does not stop network-level propagation of malware; the infected systems can still communicate and spread the malware via network protocols even if the user account is disabled. Option C is wrong because rebooting may clear malware from memory but does not prevent reinfection from persistent components or lateral movement, and it can destroy volatile forensic evidence. Option D is wrong because restoring from backup is a recovery step, not a containment step; it should only be performed after the threat is contained and the root cause is understood, to avoid reintroducing the infection.

40
MCQ · hard

During a forensic investigation, a responder must collect evidence from a live Windows system. Which of the following represents the correct order for collecting volatile data?

A. Disk image, memory dump, process list, network connections
B. Memory dump, network connections, process list, disk image
C. Process list, memory dump, disk image, network connections
D. Network connections, memory dump, process list, disk image
Answer: B

Correct. Memory is the most volatile data.

Why this answer

Option B is correct because volatile data must be collected in order of decreasing volatility to avoid losing critical evidence. Memory (RAM) is the most volatile, followed by network connections and process lists (which change rapidly), and finally disk images (persistent storage). This order ensures that transient data is captured before it disappears.

Exam trap

The trap here is that candidates often think disk imaging is the most critical step and should be done first, but the SSCP exam tests the principle that volatile data (memory) must be captured before any non-volatile collection to prevent evidence loss.

How to eliminate wrong answers

Option A is wrong because it starts with a disk image, which is non-volatile, and places memory dump after it, risking loss of volatile data like running processes and network connections. Option C is wrong because it places process list before memory dump, but process list data resides in memory and can change if the system is altered during memory capture; memory must be collected first. Option D is wrong because it starts with network connections, which are more volatile than memory dump; memory should be captured before network state to avoid changes from system activity.

41
MCQ · easy

During which phase of the NIST SP 800-61 incident response lifecycle are incident response plan updates and lessons learned typically documented?

A. Preparation
B. Containment, Eradication, and Recovery
C. Detection and Analysis
D. Post-Incident Activity
Answer: D

Correct. This phase is dedicated to learning from the incident and improving future response.

Why this answer

Option D is correct because the Post-Incident Activity phase of NIST SP 800-61 is specifically designed for conducting lessons learned meetings, documenting improvements, and updating the incident response plan based on findings from the incident. This phase ensures that the organization captures feedback to refine procedures, tools, and training for future incidents.

Exam trap

The trap here is that candidates confuse the Post-Incident Activity phase with the Preparation phase, mistakenly thinking that plan updates occur before incidents, but NIST SP 800-61 explicitly places lessons learned and plan updates after the incident is resolved.

How to eliminate wrong answers

Option A is wrong because the Preparation phase focuses on establishing policies, tools, and training before an incident occurs, not on documenting updates after an incident. Option B is wrong because Containment, Eradication, and Recovery phases are operational steps to stop the incident, remove threats, and restore systems, not for retrospective documentation. Option C is wrong because Detection and Analysis involves identifying and analyzing potential incidents, not capturing lessons learned or updating plans.

42
MCQ · medium

An organization has experienced a ransomware attack. After containing the incident, the response team plans to restore systems from backups. Which step is most critical before restoring production systems?

A. Verify the integrity of backup data by restoring to an isolated test environment.
B. Notify law enforcement immediately.
C. Patch the exploited vulnerability and ensure the backup is free of malware.
D. Disconnect all systems from the network.
Answer: C

Correct. Eradication and patching prevent recurrence.

Why this answer

Option C is correct because restoring from backups while the original vulnerability remains unpatched would allow the ransomware to reinfect the systems immediately. Additionally, if the backup itself contains malware (e.g., the ransomware encrypted the backup repository), restoring it would reintroduce the infection. Patching the exploited vulnerability and verifying the backup is clean ensures a safe restoration point, breaking the attack chain.

Exam trap

The trap here is that candidates often choose Option A (verify backup integrity) because it sounds thorough, but they miss that the most critical step is to eliminate the root cause of the infection to prevent immediate reinfection after restoration.

How to eliminate wrong answers

Option A is wrong because verifying backup integrity in an isolated test environment is a good practice but not the most critical step before restoration; the primary risk is reinfection from the same vulnerability or a compromised backup, not data corruption. Option B is wrong because notifying law enforcement is a post-incident legal and compliance step that does not directly prevent reinfection or data loss during restoration; it should occur after containment and evidence preservation, not before restoring systems. Option D is wrong because disconnecting all systems from the network is a containment step that should have been performed earlier in the incident response process; by the time the team plans to restore from backups, containment is already assumed to be complete, and re-disconnecting would hinder the restoration process.

43
MCQ · medium

An organization's disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour for its critical database. Which of the following DR site configurations BEST meets these requirements?

A. Cold site with weekly backup tapes shipped offsite
B. Cloud-based cold site with daily backups
C. Hot site with synchronous replication
D. Warm site with hourly log shipping to a standby database
Answer: D

Hourly log shipping achieves RPO of 1 hour; warm site provides hardware ready for activation within hours, meeting RTO.

Why this answer

Option D is correct because a warm site with hourly log shipping to a standby database can achieve an RPO of 1 hour (by losing at most one hour of transactions) and an RTO of 4 hours (by applying the logs and bringing the standby online within that window). The standby database is kept nearly current with minimal lag, meeting both recovery objectives without the cost of full synchronous replication.

Exam trap

The trap here is that candidates often choose a hot site (Option C) because it provides the best protection, but the question asks for the configuration that BEST meets the specified RTO/RPO, not the most robust or expensive option, making the warm site the most cost-effective and appropriate choice.

How to eliminate wrong answers

Option A is wrong because a cold site requires hardware setup and restoration from weekly backup tapes, which cannot meet a 4-hour RTO (setup alone often takes days) and the weekly backups exceed the 1-hour RPO (potential data loss of up to a week). Option B is wrong because a cloud-based cold site still requires provisioning resources and restoring from daily backups, which cannot achieve a 4-hour RTO (provisioning and restoration take longer) and the daily backups exceed the 1-hour RPO (potential data loss of up to 24 hours). Option C is wrong because a hot site with synchronous replication provides near-zero RPO and very low RTO (minutes), which over-delivers on the requirements and is unnecessarily expensive; the question asks for the configuration that BEST meets the stated RTO/RPO, not exceeds them with higher cost.

44
Multi-Select · easy

During the containment phase of incident response, a security analyst identifies malware on a critical server. Which TWO actions should be taken FIRST to contain the threat and preserve evidence? (Choose two.)

Select 2 answers
A. Capture a forensic image of the hard drive.
B. Reboot the server to clear the malware from memory.
C. Disconnect the network cable from the server.
D. Run a full antivirus scan on the server.
E. Capture the contents of RAM using a tool like WinPmem.
Answers: C, E

This prevents the malware from communicating with command-and-control servers and spreading to other systems.

Why this answer

The immediate priority is to isolate the affected server from the network to prevent lateral movement and to capture volatile evidence (RAM) before it is lost. Disconnecting the network cable stops network-level spread, and capturing RAM preserves critical volatile data for forensic analysis.

45
MCQ · medium

A security analyst receives a user report about a workstation exhibiting unusual behavior, such as unexpected pop-ups and slow performance. The analyst first checks the antivirus logs and finds no alerts. What is the NEXT step in the detection and analysis phase?

A. Escalate the incident to senior management
B. Isolate the workstation from the network immediately
C. Perform a forensic memory capture
D. Classify the severity of the potential incident
Answer: D

Severity classification helps determine the appropriate response priority.

Why this answer

According to incident response best practices, after initial detection, the next step is to classify the severity of the potential incident to prioritize response efforts.

46
MCQ · medium

During a full interruption test of the disaster recovery plan, which of the following is the PRIMARY risk?

A. Vendor unavailability during the test
B. Employee confusion about their roles
C. Extended downtime or data loss if the plan fails
D. Cost overruns due to overtime pay
Answer: C

The realistic nature of the test can lead to actual outages if not carefully managed.

Why this answer

Full interruption tests involve actually failing over to the DR site, which may cause extended downtime or data loss if the plan has flaws or if the DR site fails.

47
MCQ · hard

An incident responder is tasked with collecting forensic evidence from a compromised Linux server. Which command would the responder use to capture the contents of volatile memory (RAM) for analysis?

A. lime-forensics --dump /tmp/mem.lime
B. cat /proc/kcore > /tmp/mem.dump
C. memdump -o /tmp/mem.dump
D. dd if=/dev/mem of=/tmp/mem.dump bs=1M
Answer: A

LiME is the correct tool for Linux memory acquisition, outputting a .lime file.

Why this answer

Option A is correct because LiME (Linux Memory Extractor) is specifically designed to capture volatile memory from Linux systems with minimal footprint, outputting a raw memory dump that can be analyzed with tools like Volatility. The `--dump` flag directs the acquisition to a specified file, ensuring the capture is forensically sound by avoiding writes to the compromised filesystem where possible.

Exam trap

The trap here is that candidates often assume `dd if=/dev/mem` is a valid method for full RAM capture, not realizing that modern Linux kernels restrict access to `/dev/mem` to only the first megabyte, making it useless for forensic memory acquisition.

How to eliminate wrong answers

Option B is wrong because `/proc/kcore` is a pseudo-file representing the kernel's view of memory, but it is not a complete or forensically reliable capture of physical RAM; it may omit certain memory regions and can change during read, leading to an inconsistent snapshot. Option C is wrong because `memdump` is not a standard Linux command; it is a tool from the `memdump` package that captures memory from `/dev/mem`, but it is less reliable than LiME for volatile memory acquisition and may not handle modern kernel protections. Option D is wrong because `dd if=/dev/mem` attempts to read physical memory via the `/dev/mem` device, which on modern Linux kernels is restricted to the first 1 MB of RAM by default (due to the `CONFIG_STRICT_DEVMEM` kernel option), making it incapable of capturing the full RAM contents.

48
MCQ · medium

A security analyst detects a workstation communicating with a known command-and-control server. The workstation is running critical applications. What should be the analyst's first step according to the NIST incident response lifecycle?

A. Power off the workstation immediately to stop the communication.
B. Isolate the workstation from the network while preserving volatile data.
C. Run a full antivirus scan on the workstation.
D. Notify management and wait for instructions.
Answer: B

Correct. Network isolation stops communication while preserving evidence.

Why this answer

According to the NIST incident response lifecycle, the first priority is containment. Isolating the workstation from the network stops communication with the command-and-control server while preserving volatile data (e.g., memory, running processes, network connections) for forensic analysis. Powering off would destroy this critical evidence, and running a scan or waiting for instructions delays containment and risks further compromise.

Exam trap

Cisco often tests the misconception that immediate power-off is the safest containment action, but the trap is that it destroys volatile evidence required for incident analysis and attribution.

How to eliminate wrong answers

Option A is wrong because powering off the workstation destroys volatile data (e.g., RAM contents, active network connections, process lists) that are essential for forensic analysis and identifying the scope of the compromise. Option C is wrong because running a full antivirus scan on a live, compromised system can alter evidence, trigger destructive malware behaviors, and does not immediately stop the command-and-control communication. Option D is wrong because notifying management and waiting for instructions violates the NIST principle of immediate containment; delaying action allows the attacker to continue exfiltration or lateral movement.

49
MCQ · medium

A security analyst receives an alert from the EDR system indicating that a workstation has been communicating with a known malicious IP address. The analyst confirms the alert and notes that the user is still logged in. Which immediate containment action should the analyst take FIRST?

A. Isolate the workstation using the EDR agent's network isolation capability
B. Create a full forensic image of the hard drive
C. Disable the user's Active Directory account
D. Block the malicious IP address at the firewall
Answer: A

Isolating the endpoint stops all network traffic, preventing data exfiltration or lateral movement.

Why this answer

The first priority is to contain the incident by isolating the endpoint to prevent further communication. EDR agents often have a feature to isolate the host from the network immediately.

50
MCQ · medium

An organization's disaster recovery plan specifies an RPO of 4 hours and an RTO of 24 hours for a critical database. Which of the following best describes these metrics?

A. RPO means up to 4 hours of data loss; RTO means the database must be recovered within 24 hours.
B. RPO means recovery point objective; RTO means recovery time objective.
C. RPO means the database can be down for up to 4 hours; RTO means up to 24 hours of data loss.
D. RPO means the database must be recovered within 4 hours; RTO means up to 24 hours of data loss.
Answer: A

Correct. RPO = data loss, RTO = recovery time.

Why this answer

Option A is correct because RPO (Recovery Point Objective) defines the maximum acceptable data loss measured in time, meaning up to 4 hours of transactions could be lost. RTO (Recovery Time Objective) defines the maximum acceptable downtime, meaning the database must be fully operational within 24 hours after a disaster.

Exam trap

The trap here is confusing RPO with downtime and RTO with data loss, leading candidates to swap the definitions or misassign the time values.

How to eliminate wrong answers

Option B is wrong because it merely expands the acronyms without explaining the practical meaning of the metrics (e.g., it doesn't state that RPO is about data loss and RTO is about downtime). Option C is wrong because it reverses the definitions: RPO is about data loss, not downtime, and RTO is about downtime, not data loss. Option D is wrong because it swaps the values: RPO is 4 hours of data loss, not recovery time, and RTO is 24 hours of downtime, not data loss.

51
Multi-Select · medium

A security analyst is investigating a phishing incident that led to credential theft. Which TWO actions are appropriate during the containment phase? (Select TWO)

Select 2 answers
A. Reset the compromised user's password
B. Update the incident response plan
C. Conduct a lessons learned meeting
D. Restore the user's machine from backup
E. Block the phishing domain at the email gateway
Answers: A, E

Correct. Prevents further unauthorized access with stolen credentials.

Why this answer

Resetting the compromised user's password (A) immediately invalidates the stolen credentials, preventing the attacker from using them for further unauthorized access. This is a critical containment step because it cuts off the attacker's authenticated session and access to resources like email, VPN, or cloud services. Blocking the phishing domain at the email gateway (E) prevents additional users from receiving the phishing email, reducing the attack surface and stopping the spread of the incident.

Both actions directly limit the impact and scope of the breach during the containment phase.

Exam trap

Cisco often tests the distinction between containment and recovery phases, trapping candidates who confuse restoring from backup (a recovery action) with immediate containment steps like password resets or blocking malicious infrastructure.

52
Multi-Select · medium

An organization has suffered a ransomware attack that encrypted files on several file servers. The incident response team is planning recovery. Which TWO actions should be performed to verify that the restored systems are clean before returning them to production? (Select TWO)

Select 2 answers
A. Restore the systems from the most recent backup
B. Change all user passwords associated with the systems
C. Run a full antivirus and anti-malware scan on the restored systems
D. Apply all security patches to the operating system
E. Monitor the systems for any signs of reinfection or anomalous behavior for a period of time
Answers: C, E

Scanning ensures no malware remains in the restored data.

Why this answer

Option C is correct because running a full antivirus and anti-malware scan on the restored systems ensures that no remnants of the ransomware (e.g., dormant payloads, modified registry keys, or backdoor executables) remain in the restored data. Even if the backup was taken before the infection, the restore process could reintroduce malware if the backup itself was compromised or if the ransomware had persisted in the system state. A thorough scan validates that the restored environment is free of known malicious signatures and behavioral indicators.

Exam trap

The trap here is that candidates often assume restoring from a clean backup (Option A) is sufficient to guarantee a clean system, but the SSCP exam emphasizes that backups must be verified as malware-free and that additional validation steps (scanning and monitoring) are required before returning systems to production.

53
MCQ · medium

During a forensic investigation, an examiner creates a bit-for-bit copy of a hard drive using a write blocker. What is the purpose of using a write blocker?

A. To prevent modification of the original evidence
B. To encrypt the data during transfer
C. To speed up the imaging process
D. To verify the hash of the original drive
Answer: A

Write blockers ensure that the original drive remains unchanged.

Why this answer

A write blocker is a hardware or software device that intercepts and blocks any write commands from the forensic workstation to the source drive, ensuring that the original evidence remains unaltered during acquisition. This is critical for maintaining the integrity and admissibility of digital evidence in legal proceedings, as any modification could compromise the chain of custody and forensic soundness.

Exam trap

Cisco often tests the misconception that write blockers are used for encryption or speed optimization, but the core purpose is strictly write prevention to preserve evidence integrity.

How to eliminate wrong answers

Option B is wrong because write blockers do not encrypt data; encryption is a separate process typically handled by forensic tools or software after acquisition, and a write blocker's sole function is to prevent writes. Option C is wrong because write blockers do not speed up imaging; in fact, they may introduce a slight overhead due to command filtering, and imaging speed is primarily determined by the drive interface and the imaging tool. Option D is wrong because verifying the hash of the original drive is a post-imaging step performed by the examiner using hashing algorithms like SHA-256 or MD5, not a function of the write blocker itself.

54
MCQ · medium

An analyst detects suspicious outbound traffic from a server to a known command-and-control IP address. According to NIST SP 800-61, which phase of the incident response lifecycle does this activity fall under?

A. Post-Incident Activity
B. Preparation
C. Containment, Eradication, and Recovery
D. Detection and Analysis
Answer: D

This is the phase where incidents are identified and analyzed.

Why this answer

The detection of suspicious outbound traffic to a known command-and-control IP address is a clear indicator of a potential security incident. According to NIST SP 800-61, this activity falls under the 'Detection and Analysis' phase, which involves identifying and validating that an incident has occurred through monitoring, alerting, and analysis of security events.

Exam trap

Cisco often tests the distinction between 'Detection and Analysis' and 'Containment, Eradication, and Recovery' by presenting a detection event and expecting candidates to recognize that containment actions are separate and occur later in the lifecycle.

How to eliminate wrong answers

Option A is wrong because 'Post-Incident Activity' occurs after the incident has been contained and eradicated, focusing on lessons learned and reporting, not on initial detection. Option B is wrong because 'Preparation' involves establishing policies, tools, and training before an incident occurs, not detecting active malicious traffic. Option C is wrong because 'Containment, Eradication, and Recovery' are actions taken after detection to stop the spread, remove the threat, and restore systems, not the initial identification of suspicious traffic.

55
Multi-Select · easy

Which TWO metrics are commonly tracked to measure the effectiveness of the incident response process? (Select TWO)

Select 2 answers
A. MTTD (Mean Time to Detect)
B. SLA (Service Level Agreement) compliance percentage
C. MTBF (Mean Time Between Failures)
D. MTTR (Mean Time to Respond)
E. Number of firewall rules
Answers: A, D

Correct. Measures detection speed.

Why this answer

MTTD (Mean Time to Detect) measures the average time from when an incident occurs until it is detected, directly reflecting the speed of detection capabilities. MTTR (Mean Time to Respond) measures the average time from detection to containment or remediation, indicating the efficiency of the response process. Both are key performance indicators (KPIs) for incident response effectiveness as defined in NIST SP 800-61 and industry frameworks.

Exam trap

Cisco often tests the distinction between operational metrics (MTTD, MTTR) and reliability metrics (MTBF) or configuration counts, so candidates mistakenly select MTBF or firewall rules because they sound technical but are irrelevant to incident response effectiveness.

56
Multi-Select · medium

During the preparation phase of incident response, which TWO components are essential for an effective incident response plan? (Select TWO)

Select 2 answers
A. A list of approved vendors for hardware replacement
B. A list of all employee passwords
C. A communication plan with contact information for key stakeholders
D. Network topology diagrams
E. Detailed recovery procedures for each critical system
Answers: C, E

Essential for alerting and escalating incidents.

Why this answer

Option C is correct because a communication plan with contact information for key stakeholders ensures that the right people can be reached quickly during an incident, which is critical for coordination and decision-making. Option E is correct because detailed recovery procedures for each critical system provide step-by-step instructions to restore operations, minimizing downtime and ensuring consistency in response efforts.

Exam trap

The trap here is that candidates may confuse operational logistics (like vendor lists or network diagrams) with the core structural components of an incident response plan, which must prioritize communication and recovery to enable a coordinated and effective response.

57
MCQ · easy

During the preparation phase of the incident response lifecycle, which of the following is the MOST important component to establish?

A. Communication plan
B. Incident response plan
C. Incident response team
D. Forensic analysis tools
Answer: B

A plan provides the framework for the entire incident response process.

Why this answer

The incident response plan is the foundational document that outlines the entire process, including roles, procedures, and escalation paths. Without a formal, approved plan, other components like the communication plan, team, or tools lack the necessary structure and authority to function effectively during an incident.

Exam trap

Cisco often tests the misconception that the incident response team is the most important component, but without a formal plan, the team lacks defined roles, authority, and procedures to act effectively.

How to eliminate wrong answers

Option A is wrong because a communication plan is a subset of the incident response plan; it cannot be established effectively without the overarching plan defining who communicates what and when. Option C is wrong because the incident response team is a resource that is assembled and trained based on the plan's requirements, not the primary component to establish first. Option D is wrong because forensic analysis tools are tactical resources selected after the plan defines the investigation procedures and legal requirements, not the most important preparatory component.

58
MCQ · hard

An incident responder is handling a malware outbreak. The malware has been identified as a fileless threat that persists via registry run keys. Which eradication step is most appropriate?

A. Disable the affected user accounts.
B. Reimage all affected systems.
C. Remove the malicious registry entries and restart the systems.
D. Run an antivirus scan on the systems.
Answer: C

Correct. Removing persistence mechanisms is key to eradication.

Why this answer

Option C is correct because fileless malware that persists via registry run keys can be eradicated by removing the malicious registry entries and restarting the systems. This breaks the persistence mechanism without requiring full reimaging, as the malware does not write files to disk and relies on registry-based auto-start locations (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) to execute after reboot.

Exam trap

The trap here is that candidates often choose reimaging (Option B) as a 'safe' default, failing to recognize that fileless malware with only registry persistence can be fully remediated by removing the registry entry and rebooting, without the operational cost of reimaging.

How to eliminate wrong answers

Option A is wrong because disabling affected user accounts does not remove the registry run key entries; the malware would still execute under other user contexts or system accounts, and it does not address the persistence mechanism. Option B is wrong because reimaging all affected systems is an overly aggressive and unnecessary step for fileless malware that only persists via registry keys; it wastes resources and downtime when a targeted registry cleanup and reboot suffices. Option D is wrong because running an antivirus scan is ineffective against fileless malware that has no file on disk to detect; traditional signature-based AV scans often miss registry-resident threats, and the scan does not remove the registry persistence entry.

59
MCQ · medium

An incident responder needs to create a forensic image of a suspect hard drive. Which of the following steps is ESSENTIAL to ensure the integrity of the evidence?

A. Run an antivirus scan on the drive before imaging
B. Use a write blocker to prevent modification of the original drive
C. Boot the suspect system to verify it is functional
D. Perform the imaging over the network to save time
Answer: B

A write blocker ensures read-only access, preserving the integrity of the original evidence.

Why this answer

Using a write blocker is essential because it ensures that no data can be written to the suspect hard drive during the imaging process, preserving the original evidence in a forensically sound state. Without a write blocker, any operating system or imaging tool could inadvertently modify metadata (e.g., access timestamps) or the file system, which would compromise the integrity and admissibility of the evidence in legal proceedings.

Exam trap

Cisco often tests the misconception that booting the system or running software-based checks is acceptable, but the trap here is that any interaction with the original drive that could alter its state (even a read-only mount without a write blocker) can change metadata and break the chain of custody.

How to eliminate wrong answers

Option A is wrong because running an antivirus scan on the drive before imaging could modify the drive's contents (e.g., by quarantining or deleting files), which violates forensic integrity principles. Option C is wrong because booting the suspect system can alter the system state, including writing to the drive (e.g., log files, temporary files), and may trigger anti-forensic mechanisms. Option D is wrong because performing imaging over the network introduces risks of data corruption, packet loss, or interception, and does not inherently prevent writes to the original drive; a write blocker is still required for forensic soundness.

60
MCQ · easy

Which type of disaster recovery test involves running the DR systems alongside production systems to verify functionality without impacting operations?

A. Tabletop exercise
B. Full interruption test
C. Parallel test
D. Simulation test
Answer: C

Correct. Parallel test runs DR and production systems simultaneously.

Why this answer

A parallel test runs the disaster recovery (DR) systems in a live, non-disruptive manner alongside the production environment. This allows the organization to validate that the DR systems can process transactions and handle workloads correctly without affecting the primary production operations, making it the correct choice for verifying functionality without impact.

Exam trap

The trap here is that candidates often confuse a parallel test with a simulation test, thinking both are 'non-disruptive,' but a simulation test does not run DR systems alongside production and typically uses synthetic data, whereas a parallel test uses real production data and systems in a concurrent, non-interfering manner.

How to eliminate wrong answers

Option A is wrong because a tabletop exercise is a discussion-based walkthrough of roles and procedures, not an actual technical test of DR systems running alongside production. Option B is wrong because a full interruption test (also called a full-scale or hot start test) involves shutting down production systems and failing over to the DR site, which directly impacts operations. Option D is wrong because a simulation test mimics a disaster scenario in a controlled environment but does not run DR systems concurrently with production systems; it often uses isolated test beds.

61
MCQ · hard

A security analyst receives a chain of custody form for a hard drive that was seized from a suspected insider threat. The form shows that the drive was handled by three individuals over two days. Which of the following is the PRIMARY reason for maintaining a chain of custody?

A. To prove that the evidence has not been tampered with and is admissible in legal proceedings
B. To determine the cost of the forensic investigation
C. To ensure the hard drive is stored in a secure location
D. To track the productivity of forensic analysts
Answer: A

Correct. Chain of custody provides a documented history to show evidence integrity.

Why this answer

The chain of custody is a documented chronological record of evidence handling, which is essential to demonstrate that the hard drive has not been altered, damaged, or substituted since seizure. Without this unbroken record, the evidence could be challenged as inadmissible in court under rules like the Federal Rules of Evidence (FRE) 901, which require authentication. This is the primary reason because legal admissibility hinges on proving integrity and continuity of custody.

Exam trap

Cisco often tests the distinction between the legal necessity of chain of custody (admissibility) versus operational tasks like storage or cost tracking, leading candidates to confuse a supporting activity (secure storage) with the primary purpose.

How to eliminate wrong answers

Option B is wrong because determining the cost of the forensic investigation is an administrative or budgeting concern, not the primary legal purpose of chain of custody. Option C is wrong because while secure storage is a component of proper evidence handling, the chain of custody specifically documents who had access and when, not just the storage location itself. Option D is wrong because tracking analyst productivity is a management metric unrelated to the forensic integrity and legal admissibility requirements that chain of custody is designed to satisfy.

62
MCQmedium

A security team detects lateral movement within the network. Which containment strategy should be applied first to limit the spread of the threat?

A.Disable user accounts associated with compromised systems.
B.Isolate the affected systems by disconnecting them from the network.
C.Block the attacker's IP addresses at the perimeter firewall.
D.Reimage all compromised systems immediately.
AnswerB

Correct. Network isolation prevents the attacker from moving to other systems.

Why this answer

Isolating affected systems by disconnecting them from the network is the immediate priority because it physically or logically severs the attacker's ability to propagate laterally via SMB, RDP, or other network protocols. This containment step stops the spread without destroying forensic evidence, which would be lost if systems were reimaged or powered off prematurely.

Exam trap

Cisco often tests the misconception that blocking external IPs or disabling accounts is sufficient for containment, when in fact internal lateral movement requires immediate network-level isolation of the compromised host.

How to eliminate wrong answers

Option A is wrong because disabling user accounts does not stop an attacker who has already established remote access via a service account, kernel-level backdoor, or cached credentials; the compromised system remains on the network and can still be used for lateral movement. Option C is wrong because blocking IP addresses at the perimeter firewall is ineffective against internal lateral movement, which occurs on the LAN and does not traverse the perimeter; the attacker can also easily change IP addresses or use internal routing to bypass the block. Option D is wrong because reimaging destroys volatile evidence (e.g., memory dumps, active network connections) and takes too long, allowing the attacker to continue spreading while the system is being rebuilt; containment must precede eradication.

63
Multi-Selecthard

During a ransomware incident, the incident response team needs to recover encrypted servers. Which THREE steps are essential for successful recovery? (Select THREE)

Select 3 answers
A.Restore data from the most recent clean backup
B.Pay the ransom to obtain the decryption key
C.Patch the vulnerability that allowed the ransomware to enter
D.Delete all user accounts and recreate them
E.Scan restored systems to ensure eradication of malware
AnswersA, C, E

Correct. A clean backup provides a known-good state.

Why this answer

Option A is correct because restoring from the most recent clean backup is the primary recovery method for ransomware incidents. It ensures that encrypted data can be recovered without paying the ransom, provided the backup was taken before the infection and is stored offline or immutable to prevent encryption. This aligns with the 3-2-1 backup strategy (three copies, two media types, one offsite) and is a core step in the NIST SP 800-61 incident response process.

Exam trap

Cisco often tests the misconception that paying the ransom is a valid recovery step, but the SSCP exam emphasizes that payment should never be recommended because it carries no guarantee of recovery and raises ethical concerns.

64
MCQmedium

A security team is collecting evidence from a compromised server. They need to create a forensic image. Which of the following is the CORRECT procedure to ensure data integrity?

A.Use a write blocker to create a bit-for-bit copy, then compute MD5 hash of the original and the copy to verify they match
B.Take a photo of the screen and document file timestamps manually
C.Create a compressed image file using software without a write blocker
D.Boot the system and run a backup utility to copy files to an external drive
AnswerA

Correct. This preserves integrity and verifies that the copy is exact.

Why this answer

Option A is correct because forensic imaging requires a write blocker to prevent any modification to the original evidence, and a bit-for-bit copy preserves all data, including slack space and deleted files. Computing an MD5 hash of both the original and the copy verifies integrity by ensuring the hashes match, confirming no data alteration occurred during acquisition.

Exam trap

The trap here is that candidates may think a simple backup or file copy is sufficient for forensic evidence, but the SSCP exam emphasizes that only a write-blocked bit-for-bit copy with hash verification ensures data integrity and admissibility.

How to eliminate wrong answers

Option B is wrong because taking a photo and manually documenting timestamps does not create a forensic image; it only captures superficial information and fails to preserve the full data for analysis. Option C is wrong because creating a compressed image without a write blocker risks altering the original drive's data due to write operations, compromising evidence integrity. Option D is wrong because booting the system and running a backup utility modifies the system state (e.g., writes to swap, logs, or file access times) and does not produce a bit-for-bit copy, violating forensic best practices.
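The hash-verification half of the procedure in option A, as an added example that is not part of the original question bank. It models the acquisition in Python: hash the source before imaging, make a sector-by-sector copy, then hash both the source and the image afterwards and compare. Assumptions: `io.BytesIO` buffers stand in for a block device behind a hardware write blocker and for the output image file, the sample drive contents are constructed, and both SHA-256 and MD5 are computed so the comparison covers the MD5 named in the question as well as the stronger digest.

```python
import hashlib
import io
from typing import BinaryIO, Dict

# Constructed sample "drive": four sectors, including a deleted-file sector and an
# all-zero unallocated sector that a file-level copy would never capture.
SECTOR_SIZE = 512
SAMPLE_DRIVE = (
    b"MBR\x00" + b"\x00" * (SECTOR_SIZE - 4)                                  # boot sector
    + b"This file was deleted but its sectors remain.".ljust(SECTOR_SIZE, b"\x00")
    + b"\x00" * SECTOR_SIZE                                                     # unallocated
    + b"active document contents".ljust(SECTOR_SIZE, b"\x00")
)


def _new_hashers():
    # MD5 is what the question's option A names; SHA-256 is the modern choice.
    return {"sha256": hashlib.sha256(), "md5": hashlib.md5()}


def hash_stream(stream: BinaryIO, chunk_size: int = 1024 * 1024) -> Dict[str, str]:
    """Hash a device or image in chunks so a multi-terabyte source never has to
    fit in memory. Returns hex digests keyed by algorithm name."""
    hashers = _new_hashers()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hashes_of(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (constructed samples, tests)."""
    return hash_stream(io.BytesIO(data))


def image_device(source: BinaryIO, dest: BinaryIO, chunk_size: int = SECTOR_SIZE) -> int:
    """Bit-for-bit copy: every sector is copied regardless of filesystem
    metadata, so slack space, unallocated sectors and deleted data come along.
    Returns the number of bytes written."""
    total = 0
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        dest.write(chunk)
        total += len(chunk)
    return total


def acquire_and_verify(source_bytes: bytes) -> dict:
    """Model the procedure from option A: hash the write-blocked source before
    imaging, create the image, hash source and image afterwards, compare all three."""
    source = io.BytesIO(source_bytes)   # stands in for the evidence drive behind a write blocker
    image = io.BytesIO()                # stands in for the output image file

    pre_hashes = hash_stream(source)
    source.seek(0)
    bytes_copied = image_device(source, image)
    source.seek(0)
    image.seek(0)
    post_source_hashes = hash_stream(source)
    image_hashes = hash_stream(image)

    return {
        "bytes_copied": bytes_copied,
        "sha256": image_hashes["sha256"],
        "md5": image_hashes["md5"],
        "source_unchanged": pre_hashes == post_source_hashes,   # write blocker did its job
        "image_matches_source": image_hashes == post_source_hashes,
        "verified": pre_hashes == post_source_hashes == image_hashes,
    }


def verify_against(source_bytes: bytes, image_bytes: bytes) -> bool:
    """Post-acquisition check an analyst repeats before analysis: do the stored
    image's digests still match the recorded source digests?"""
    return hashes_of(source_bytes) == hashes_of(image_bytes)


def tamper(image_bytes: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset (as a stray write or media error would)
    to show that hash comparison catches even a single-bit change."""
    data = bytearray(image_bytes)
    data[offset] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    result = acquire_and_verify(SAMPLE_DRIVE)
    print(f"copied {result['bytes_copied']} bytes, verified={result['verified']}")
    print(f"sha256={result['sha256']}")
    # A change inside the "empty" unallocated sector is still detected.
    altered = tamper(SAMPLE_DRIVE, SECTOR_SIZE * 2 + 10)
    print("altered image still matches source:", verify_against(SAMPLE_DRIVE, altered))
```

The three-way comparison (source before, source after, image) is the point of the "before and after" wording in forensic procedures: a matching image hash alone would not reveal that the source itself changed during acquisition, which is exactly the failure a write blocker is there to prevent.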
