ACI ACI Network Forensics & Incident Response

Question 1

During a network forensics investigation, which type of log is most useful for reconstructing the timeline of a security breach?

Accepted Answer

Firewall and IDS/IPS logs

Answer

Application error logs

Answer

Printer spool logs

Answer

Font cache logs

Question 2

What is the primary purpose of capturing a memory dump at the start of an incident response investigation?

Accepted Answer

To preserve volatile data such as running processes and network connections

Answer

To free up RAM for forensic tools

Answer

To create a backup of the hard drive

Answer

To reset the system to a clean state

Question 3

In FTK, which feature allows an investigator to examine network packet captures alongside file system evidence?

Accepted Answer

Evidence Tree integration with PCAP parsing

Answer

Registry Viewer

Answer

Bookmark Manager

Answer

Hash Set Manager

Question 4

Which protocol is most commonly analyzed to identify data exfiltration over encrypted channels during a network forensics review?

Accepted Answer

HTTPS/TLS

Answer

FTP

Answer

SMTP

Answer

DHCP

Question 5

During incident response, what is the correct order of evidence collection per the order of volatility?

Accepted Answer

CPU registers, memory, network state, hard drive

Answer

Hard drive, memory, network state, CPU registers

Answer

Network state, hard drive, memory, CPU registers

Answer

Memory, hard drive, CPU registers, network state

Question 6

What does an abnormally high volume of DNS queries to a single external domain indicate during a network investigation?

Accepted Answer

Possible DNS tunneling or command-and-control communication

Answer

Normal web browsing activity

Answer

A misconfigured DHCP server

Answer

Routine OS update traffic