200-201 Free Practice Test

What is a difference between tampered and untampered disk images?

1. A. Tampered images have the same stored and computed hash.
2. B. Tampered images are used as evidence.
3. C. Untampered images are used for forensic investigations.
4. D. Untampered images are deliberately altered to preserve as evidence

Correct Answer: D

Refer to the exhibit.

An employee received an email from an unknown sender with an attachment and reported it as a phishing attempt. An engineer uploaded the file to Cuckoo for further analysis. What should an engineer interpret from the provided Cuckoo report?

1. A. Win32.polip.a.exe is an executable file and should be flagged as malicious.
2. B. The file is clean and does not represent a risk.
3. C. Cuckoo cleaned the malicious file and prepared it for usage.
4. D. MD5 of the file was not identified as malicious.

Correct Answer: C

An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?

1. A. Run "ps -d" to decrease the priority state of high load processes to avoid resource exhaustion.
2. B. Run "ps -u" to find out who executed additional processes that caused a high load on a server.
3. C. Run "ps -ef" to understand which processes are taking a high amount of resources.
4. D. Run "ps -m" to capture the existing state of daemons and map required processes to find the gap.

Correct Answer: C

Refer to the exhibit.

An engineer received a ticket about a slowed-down web application The engineer runs the #netstat -an command. How must the engineer interpret the results?

1. A. The web application is receiving a common, legitimate traffic
2. B. The engineer must gather more data.
3. C. The web application server is under a denial-of-service attack.
4. D. The server is under a man-in-the-middle attack between the web application and its database

Correct Answer: C

Which incidence response step includes identifying all hosts affected by an attack?

1. A. detection and analysis
2. B. post-incident activity
3. C. preparation
4. D. containment, eradication, and recovery

Correct Answer: D
* 3.3.3 Identifying the Attacking Hosts During incident handling, system owners and others sometimes want to or need to identify the attacking host or hosts. Although this information can be important, incident handlers should generally stay focused on containment, eradication, and recovery. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
The response phase, or containment, of incident response, is the point at which the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident.