True or False: When collecting digital evidence from a mobile device, creating a logical acquisition is always preferable to a physical acquisition because it is faster and captures all user-generated data like messages and call logs.
An incident response team is investigating anomalous outbound traffic from a workstation. They need to analyze the executable files that have been recently run by the user to identify any suspicious programs. On a Windows 10 system, which forensic artifact would provide the most direct evidence of program execution, including the execution time and run count?
Following a major data breach, an organization's legal counsel requests a report from the CSIRT to prepare for potential litigation. To ensure the report's findings are defensible in court, which document is most critical for demonstrating the integrity and handling of all collected digital evidence?
During an incident, the response team determines that an attacker used PowerShell-based malware that executes entirely in memory, leaving minimal traces on the hard disk. Which forensic tool is essential for analyzing this type of attack?
During a forensic investigation, an analyst must create a bit-for-bit copy of a suspect's hard drive. To ensure the integrity of the original evidence is maintained, which of the following tools or techniques is essential?
During a post-incident review of a data exfiltration event, an analyst discovers that the attacker pivoted from a compromised web server to an internal database using credentials stored in a plaintext configuration file. The organization's policy mandates credential rotation every 90 days, but this had not been enforced. Which of the following countermeasures would be MOST effective in preventing a similar incident in the future?
An incident responder is analyzing a compromised Linux host. The attacker has attempted to cover their tracks. The responder needs to determine if the attacker modified critical system binaries like `/bin/ls` or `/bin/ps`. Which command should the responder use to verify the integrity of these files against a known-good database?
A manufacturing company is conducting a vulnerability assessment of its Industrial Control Systems (ICS) network. The assessment must identify vulnerabilities without disrupting the sensitive, real-time operations of the Programmable Logic Controllers (PLCs). Which scanning approach is MOST appropriate for this environment?
A security team is implementing a defense-in-depth strategy for their Active Directory environment to mitigate risks from compromised credentials. Which of the following controls should be implemented? (Select TWO).
True or False: In the context of evidence collection, a snapshot of a running virtual machine is considered a forensically sound duplicate of the live system's memory and disk.