CCE CCE Incident Response & Malware Analysis

Question 1

According to NIST SP 800-61, what are the four phases of the incident response lifecycle?

Accepted Answer

Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity

Answer

NIST SP 800-61 defines the incident response lifecycle as Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.

Question 2

During malware analysis, what is the difference between static and dynamic analysis?

Accepted Answer

Static analysis examines the malware without executing it; dynamic analysis runs the malware in a controlled environment

Answer

Static analysis inspects malware code, strings, and structure without execution, while dynamic analysis runs the malware in a sandbox to observe its behavior.

Question 3

What is a 'sandbox' in the context of malware analysis?

Accepted Answer

An isolated virtual environment used to execute and observe malware behavior safely

Answer

A sandbox is an isolated environment (typically a VM) where malware can be executed and monitored without risk of infecting production systems.

Question 4

In incident response, what does the term 'containment' refer to?

Accepted Answer

Limiting the spread and impact of an incident while preserving forensic evidence

Answer

Containment involves taking steps to stop the incident from spreading further while carefully preserving evidence for forensic analysis.

Question 5

What tool would a CCE examiner use to examine strings embedded in a malware binary without executing it?

Accepted Answer

The 'strings' utility or BinText

Answer

The 'strings' command-line utility or tools like BinText extract printable character sequences from a binary, often revealing URLs, registry keys, and function names.

(CCE) Certified Computer Examiner Practice Test

(CCE) Certified Computer Examiner Practice Test

CCE CCE Incident Response & Malware Analysis