Archive for 2014
(ISC)² CISSP - Certified Information Systems Security Professional - A little help with the CISSP certification questions - Part 6
Sixth part of the question dump for the CISSP
Well, before the exam it is always advisable, beyond attending the course, to have some literature:
- https://umeshume.files.wordpress.com/2013/03/mcgraw-hill-osborne-media-cissp-all-in-one-exam-guide-6th-edition-2012.pdf
Take a careful look at this link: http://opensecuritytraining.info/CISSP-Main.HTML
Question:
Which of the following statements is false?
A.A disaster recovery team’s primary task is to restore critical business functions at the alternate backup processing site.
B.A disaster salvage team’s task is to ensure that the primary site returns to normal processing conditions.
C.The disaster recovery plan should include how the company will return from the alternate site to the primary site.
D.When returning to the primary site, the most critical applications should be brought back first.
Answer:
D.When returning to the primary site, the most critical applications should be brought back first.
Explanation:
When the primary site is ready to receive operations again, less critical systems should be brought back first to ensure that everything is running smoothly before returning critical systems, which are already operating normally at the recovery site.
Question:
The least expensive and most difficult to test computer recovery site is a:
A.Non-mobile hot site
B.Mobile hot site
C.Warm site
D.Cold site
Answer:
D.Cold site
Explanation:
The cold site’s lack of equipment reduces its annual cost, but complicates testing or recovery because the equipment must be obtained, shipped, and installed at the site prior to use.
Question:
_______________ includes activities to test and validate system capability and functionality and outlines actions that can be taken to return the system to normal operating condition and prepare the system against future outages.
A.Activation
B.Recovery
C.Reconstitution
D.Validation
Answer:
C.Reconstitution
Explanation:
The Activation/Notification Phase describes the process of activating the plan based on outage impacts and notifying recovery personnel. The Recovery Phase details a suggested course of action for recovery teams to restore system operations at an alternate site or using contingency capabilities. The final phase, Reconstitution, includes activities to test and validate system capability and functionality and outlines actions that can be taken to return the system to normal operating condition and prepare the system against future outages.
Question:
What is a main advantage of using hot sites?
A.Costs are relatively low.
B.They can be used for an extended amount of time.
C.They do not require that equipment and systems software be compatible with the primary installation being backed up.
D.They can be made ready for operation quickly.
Answer:
D.They can be made ready for operation quickly.
Explanation:
The main advantage of hot sites is that they can normally be made ready for operation within hours.
Question:
A business continuity plan is an example of a __________ control.
A.Corrective
B.Detective
C.Preventive
D.Collective
Answer:
A.Corrective
Explanation:
Business continuity plans are designed to minimize the damage inflicted by an event and to facilitate restoration of the organization to its full operational capacity.
Question:
Business continuity plans are required for:
A.All areas of the enterprise
B.Financial resources and information processing
C.Operating areas of the enterprise
D.Marketing, finance, and information processing
Answer:
A.All areas of the enterprise
Explanation:
Business continuity plans are required for all parts of an enterprise.
Question:
In disaster recovery planning, what is the recovery point objective?
A.The point to which application data must be recovered to resume business operations
B.The maximum elapsed time required to complete recovery of application data
C.The point to which application data must be recovered to resume system operations
D.The point to which information system must be operational at an alternate site
Answer:
C.The point to which application data must be recovered to resume system operations
Explanation:
The Recovery Point Objective (RPO) is the point in time to which you must recover data as defined by your organization. This is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO the data must be restored to within 2 hours of the disaster.
Question:
In contingency planning, the first step is:
A.Perform a hardware backup
B.Perform a data backup
C.Perform an operating systems software backup
D.Perform an application software backup
Answer:
B.Perform a data backup
Explanation:
A data backup is the first step in contingency planning. Without data, there is nothing to process.
Question:
The most devastating business interruptions are the result of loss of:
A.Hardware/software
B.Data
C.Communication links
D.Applications
Answer:
B.Data
Explanation:
Loss of data can cause the most damage to an enterprise in the short and long run.
Question:
The Information Systems Contingency Plan does not include which of the following?
A.Information on system recovery
B.Information on roles and responsibilities
C.Assessment results
D.Testing procedures
Answer:
C.Assessment results
Explanation:
The Information Systems Contingency Plan provides key information needed for system recovery, including roles and responsibilities, inventory information, assessment procedures, detailed recovery procedures, and testing of a system.
Part 1: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems.html
Part 2: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_1.HTML
Part 3: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_2.HTML
Part 4: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_5.html
Part 5: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_8.html
Friday, 9 May 2014
(ISC)² CISSP - Certified Information Systems Security Professional - A little help with the CISSP certification questions - Part 5
Fifth part of the question dump for the CISSP
Well, before the exam it is always advisable, beyond attending the course, to have some literature:
- https://umeshume.files.wordpress.com/2013/03/mcgraw-hill-osborne-media-cissp-all-in-one-exam-guide-6th-edition-2012.pdf
Take a careful look at this link: http://opensecuritytraining.info/CISSP-Main.HTML
Question:
Business continuity plans address all of the following except:
A.Critical servers used on the company's LAN
B.The most critical devices housed in the main data center
C.Individual workstations that are used by operations personnel
D.The protection of cold sites at a remote location
Answer:
D.The protection of cold sites at a remote location
Explanation:
A BCP does not address the protection of cold sites at a remote location.
Question:
Organizations should not view disaster recovery as:
A.A committed expense
B.A discretionary expense
C.An enforcement of legal statutes
D.Compliance with regulations
Answer:
B.A discretionary expense
Explanation:
Businesses need to treat disaster recovery planning as a committed expense, much like insurance is a requirement. In many sectors, disaster recovery is a legal requirement.
Question:
Which of the following best describes a continuity of operations plan?
A.Establishes senior management and a headquarters after a disaster. Outlines roles and authorities, orders of succession, and individual role tasks.
B.Plan for systems, networks, and major applications recovery procedures after disruptions. A contingency plan should be developed for each major system and application.
C.Includes internal and external communications structure and roles. Identifies specific individuals who will communicate with external entities. Contains predeveloped statements that are to be released.
D.Focuses on malware, hackers, intrusions, attacks, and other security issues. Outlines procedures for incident response.
Answer:
A.Establishes senior management and a headquarters after a disaster. Outlines roles and authorities, orders of succession, and individual role tasks.
Explanation:
The continuity of operations plan establishes senior management and a headquarters after a disaster. It outlines roles and authorities, orders of succession, and individual role tasks.
Question:
Which of the following best describes a parallel test?
A.A scenario is established and individuals are gathered to go through each step of the plan.
B.Copies of the plan are handed out to representatives from each functional area.
C.Some systems are moved to the alternate site and installed to test processing procedures and compatibility.
D.Management gathers and goes through a structured walk-through test.
Answer:
C.Some systems are moved to the alternate site and installed to test processing procedures and compatibility.
Explanation:
When a parallel test is performed, the critical systems are taken to the site where they would need to perform in an actual disaster.
Question:
Which of the following is not a purpose of developing and implementing a disaster recovery plan?
A.Provides procedures for emergency responses
B.Extends backup operations to include more than just backing up data
C.Provides steps for a post-disaster recovery
D.Outlines business functions and systems
Answer:
D.Outlines business functions and systems
Explanation:
The disaster recovery plan does not outline business functions and systems. Those are handled in the business impact analysis.
Question:
How is a reciprocal agreement best described?
A.A site that has some computers and environmental controls
B.A site that has fully redundant systems, software, and configurations
C.A site that is in use by another company already
D.An agreement that is enforceable
Answer:
C.A site that is in use by another company already
Explanation:
A reciprocal agreement is when one company promises another company that it can move in if a disaster hits. This agreement is not enforceable.
Question:
A business impact analysis (BIA) does not typically include:
A.Identifying the type and quantity of resources required for the recovery
B.Identifying critical business processes and the dependencies between them
C.Identifying organizational risks
D.Developing a mission statement
Answer:
D.Developing a mission statement
Explanation:
The development of a mission statement is normally performed before the BIA.
Question:
An off-site information processing facility:
A.Should have the same degree of physical access restrictions as the primary processing site
B.Should be located close to the originating site so that it can quickly be made operational
C.Should be easily identified from the outside for easy emergency access
D.Need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive
Answer:
A.Should have the same degree of physical access restrictions as the primary processing site
Explanation:
An off-site information processing facility should have the same amount of physical control as the originating site.
Question:
Out of the following steps in the development of a disaster recovery plan, which is the second step?
A.Develop an information system contingency plan
B.Create contingency strategies
C.Conduct the business impact analysis (BIA)
D.Ensure plan testing, training, and exercises
Answer:
C.Conduct the business impact analysis (BIA)
Explanation:
The seven progressive steps are designed to be integrated into each stage of the system development life cycle.
- Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
- Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information systems and components critical to supporting the organization's mission/business functions. A template for developing the BIA is provided to assist the user.
- Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
- Create contingency strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
- Develop an information system contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system unique to the system's security impact level and recovery requirements.
- Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation and exercising the plan identifies planning gaps; combined, the activities improve plan effectiveness and overall organization preparedness.
- Ensure plan maintenance. The plan should be a living document that is updated regularly.
Question:
An organization wants to gain a common understanding of functions that are critical to its survival. Which of the following will help the most?
A.Risk assessment
B.Business assessment
C.Disaster recovery plan
D.Business impact analysis
Answer:
D.Business impact analysis
Explanation:
A business impact analysis (BIA) is an assessment of an organization’s business functions to develop an understanding of their criticality, recovery time objectives, and resources needed.
Part 1: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems.html
Part 2: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_1.HTML
Part 3: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_2.HTML
Part 4: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_5.html
Part 6: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_9.html
Thursday, 8 May 2014
(ISC)² CISSP - Certified Information Systems Security Professional - A little help with the CISSP certification questions - Part 4
Fourth part of the question dump for the CISSP
Well, before the exam it is always advisable, beyond attending the course, to have some literature:
- https://umeshume.files.wordpress.com/2013/03/mcgraw-hill-osborne-media-cissp-all-in-one-exam-guide-6th-edition-2012.pdf
Take a careful look at this link: http://opensecuritytraining.info/CISSP-Main.HTML
Question:
Which is not a task for senior management in disaster recovery?
A.Approve of final plans
B.Oversee budget
C.Drive all phases of plan
D.Implement the plans themselves
Answer:
D.Implement the plans themselves
Explanation:
Senior management should support all functions of disaster recovery and business continuity, and they should oversee the progress of developing, implementing, and testing the plans. They should also ensure that the proper resources and budget are available. But they are not usually the ones who actually implement the plans.
Question:
Which of the following issues is least important when quantifying risks associated with a potential disaster?
A.Gathering information from agencies that report the probability of certain natural disasters taking place in that area
B.Identifying the company’s key functions and business requirements
C.Identifying critical systems that support the company’s operations
D.Estimating the potential loss and impact the company would face based on how long the outage lasts
Answer:
A.Gathering information from agencies that report the probability of certain natural disasters taking place in that area
Explanation:
Information gathered from agencies that report the probability of certain natural disasters taking place in that area would be the least important out of this list.
Question:
Which of the following is the fourth step in a business impact analysis?
A.Identify the company's critical business functions.
B.Calculate how long these functions can survive without these resources.
C.Identify the resources these functions depend upon.
D.Calculate the risk for each different business function.
Answer:
B.Calculate how long these functions can survive without these resources.
Explanation:
The detailed steps of carrying out a business impact analysis are shown below:
- Select individuals to interview for data gathering.
- Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
- Identify the company's critical business functions.
- Identify the resources these functions depend upon.
- Calculate how long these functions can survive without these resources.
- Identify vulnerabilities and threats to these functions.
- Calculate the risk for each different business function.
- Document findings and report them to management.
Question:
Which of the following statements is true of a full-scale BCP?
A.It is a long-term project.
B.It is a short-term project.
C.It is a single entity venture.
D.BCP guarantees no service interruption.
Answer:
A.It is a long-term project.
Explanation:
A BCP plan is a long-term project and must have support from upper management. It could take a year or more for a small to medium-size business before the plan is implemented and fully tested.
Question:
A hot site offers ___ recovery with ____ costs.
A.Instant, high
B.Moderate, high
C.Instant, low
D.Moderate, low
Answer:
A.Instant, high
Explanation:
A hot site has all of the equipment in place and can allow fast recovery. However it is also the most expensive solution.
Question:
Sam is a manager who is responsible for overseeing the development and the approval of the business continuity plan. He needs to make sure that his team is creating correct and all-inclusive loss criteria when it comes to potential business impacts. Which of the following should not be included in these criteria?
i. Loss in reputation and public confidence
ii. Loss of competitive advantages
iii. Decrease in operational expenses
iv. Violations of contract agreements
v. Violations of legal and regulatory requirements
vi. Delayed income costs
vii. Loss in revenue
viii. Loss in productivity
A.i, ii
B.v, vi
C.v
D.iii
Answer:
D.iii
Explanation:
Loss criteria must be applied to the individual threats that were identified. The criteria should include at least the following:
- Loss in reputation and public confidence
- Loss of competitive advantages
- Increase in operational expenses
- Violations of contract agreements
- Violations of legal and regulatory requirements
- Delayed income costs
- Loss in revenue
- Loss in productivity
Question:
Part of operational recovery is designing backup facility configurations to work in an acceptable manner so that business can continue. Which of the following is a setup that allows services to be distributed over two or more in-house centers?
A.Hot site
B.Multi-processing center
C.Mobile site
D.Reciprocal agreements
Answer:
B.Multi-processing center
Explanation:
A multi-processing center allows a company to have backup over multiple facilities where services have been distributed.
Question:
Recovery strategies are pre-established and management-______ steps that should be put into action in the event of a disaster.
A.Approved
B.Directed
C.Requested
D.Documented
Answer:
A.Approved
Explanation:
Recovery strategies are planned ahead of time before they are needed. These strategies are approved by management and are tested.
Question:
Amy has been appointed to the BCP team and is in charge of information gathering for the business impact analysis. Amy could use any of the following tools to gather information, except:
A.Surveys
B.Questionnaires
C.Workshops
D.Quantitative formulas
Answer:
D.Quantitative formulas
Explanation:
Amy is only at the information gathering step at this stage. She would not be doing her quantitative or qualitative risk assessment yet.
Question:
Which of the following provides the correct characteristic for the specific data backup type?
A.Differential process backs up the files that have been modified since the last backup
B.Differential process backs up the files that have been modified since the last full backup
C.Incremental process sets the archive bit to 1
D.Differential process sets the archive bit to 1
Answer:
B.Differential process backs up the files that have been modified since the last full backup
Explanation:
A differential process backs up the files that have been modified since the last full backup. When the data need to be restored, the full backup is laid down first, and then the most recent differential backup is put down on top of it.
The differential process does not change the archive bit value. An incremental process backs up all the files that have changed since the last full or incremental backup and sets the archive bit to 0.
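The archive-bit semantics above, worked as an added example that is not part of the original post: a small Python simulation with constructed files and a constructed backup schedule, showing which files each backup type captures, what happens to the archive bit, and which backups a restore has to lay down.

```python
"""Simulation of full, differential and incremental backups and the archive bit.

Added example, not code from the original post. File names, versions and the
backup schedule are constructed. Semantics follow the explanation on the page:
the OS sets the archive bit whenever a file is written; a full backup and an
incremental backup clear it; a differential backup leaves it untouched.
"""
from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    version: int = 1          # bumped on every modification
    archive_bit: bool = True  # set by the OS on write, so a new file starts "dirty"


@dataclass
class Backup:
    kind: str                                    # "full", "differential" or "incremental"
    snapshot: dict = field(default_factory=dict)  # file name -> version captured


class Volume:
    def __init__(self, names):
        self.files = {n: File(n) for n in names}
        self.backups = []

    def modify(self, name):
        """Simulate a write: new content version, archive bit set by the OS."""
        f = self.files[name]
        f.version += 1
        f.archive_bit = True

    def backup(self, kind):
        if kind == "full":
            selected = list(self.files.values())
        else:
            # Differential and incremental both pick files whose archive bit is set.
            # The difference is what they do with the bit afterwards.
            selected = [f for f in self.files.values() if f.archive_bit]
        snap = {f.name: f.version for f in selected}
        if kind in ("full", "incremental"):
            for f in selected:
                f.archive_bit = False  # cleared: the next run sees only newer changes
        # "differential" leaves the bit set, so each differential since the last
        # full backup contains everything the previous one did, plus newer changes.
        self.backups.append(Backup(kind, snap))
        return snap


def backups_needed(backups):
    """Return the backups a restore must apply, in the order they are laid down."""
    last_full = max(i for i, b in enumerate(backups) if b.kind == "full")
    needed = [backups[last_full]]
    later = backups[last_full + 1:]
    diffs = [b for b in later if b.kind == "differential"]
    if diffs:
        needed.append(diffs[-1])  # one differential covers everything since the full
    else:
        # the whole incremental chain, oldest first; losing any link loses data
        needed.extend(b for b in later if b.kind == "incremental")
    return needed


def restore(backups):
    """Rebuild the file set by applying the needed backups on top of each other."""
    state = {}
    for b in backups_needed(backups):
        state.update(b.snapshot)
    return state


def run_scenario(kind):
    """Full backup, then two changes each followed by a backup of the given kind."""
    vol = Volume(["a.txt", "b.txt", "c.txt"])
    vol.backup("full")
    vol.modify("a.txt")
    vol.backup(kind)
    vol.modify("b.txt")
    vol.backup(kind)
    snapshots = [b.snapshot for b in vol.backups]
    chain = [b.kind for b in backups_needed(vol.backups)]
    return snapshots, chain, restore(vol.backups)


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        snapshots, chain, restored = run_scenario(kind)
        print(kind, "captured:", snapshots)
        print(kind, "restore applies:", chain, "->", restored)
```

With differential backups the second differential already contains a.txt again, so the restore needs only the full backup plus the newest differential; with incremental backups each run captures just the change since the previous run and the restore must replay every incremental in order.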
Part 1: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems.html
Part 2: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_1.HTML
Part 3: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_2.HTML
Part 5: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_8.html
Part 6: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_9.html
Monday, 5 May 2014
Sysinternals Tools - Tools for all kinds of IT - Part 3 - AccessEnum v1.32
AccessEnum v1.32
While the flexible security model of Windows NT-based systems allows full control over security and file permissions, managing user permissions so that users have appropriate access to files, directories and Registry keys can be difficult.
There is no built-in solution for quickly viewing which users have access to a directory tree or to Registry keys.
AccessEnum gives you a full view of your file system and Registry security settings in seconds, which makes this tool ideal for helping you find security holes and lock down permissions where necessary.
More information: http://technet.microsoft.com/en-us/sysinternals/bb897332
Download: http://download.sysinternals.com/files/AccessEnum.zip
Friday, 2 May 2014
(ISC)² CISSP - Certified Information Systems Security Professional - A little help with the CISSP certification questions - Part 3
Third part of the question dump for the CISSP
Well, before the exam it is always advisable, beyond attending the course, to have some literature:
- https://umeshume.files.wordpress.com/2013/03/mcgraw-hill-osborne-media-cissp-all-in-one-exam-guide-6th-edition-2012.pdf
Take a careful look at this link: http://opensecuritytraining.info/CISSP-Main.HTML
Question:
Which are the proper steps of developing a disaster recovery and continuity plan?
A.Project initiation, strategy development, business impact analysis, plan development, implementation, testing, and maintenance
B.Strategy development, project initiation, business impact analysis, plan development, implementation, testing, and maintenance
C.Implementation and testing, project initiation, strategy development, business impact analysis, and plan development
D.Plan development, project initiation, strategy development, business impact analysis, implementation, testing, and maintenance
Answer:
A.Project initiation, strategy development, business impact analysis, plan development, implementation, testing, and maintenance
Explanation:
These steps outline the processes that should take place from beginning to end pertaining to these types of plans.
Question:
During development, testing, and maintenance of the disaster recovery and continuity plan, a high degree of interaction and communication is crucial to the process. Why?
A.This is a regulatory requirement of the process.
B.The more people talk about it and get involved, the more awareness will increase.
C.This is not crucial to the plan and should not be interactive because it will most likely affect operations.
D.Management will more likely support it.
Answer:
B.The more people talk about it and get involved, the more awareness will increase.
Explanation:
Communication not only provides awareness of these plans and their contents, but also allows more people to discuss the possible threats and solutions that the original team may not uncover.
Question:
John has to create a team to carry out a business impact analysis and develop the company's business continuity plan. Which of the following should not be on this team?
i. Business units
ii. Senior management
iii. IT department
iv. Security department
v. Communications department
vi. Legal department
A.v.
B.None of them
C.All of them
D.i
Answer:
B.None of them
Explanation:
The best plan is when all issues and threats are brought to the table and discussed. This cannot be done effectively with a few people who are familiar with only a couple of departments. Representatives from each department must be involved with not only the planning stages but also the testing and implementation stages.
The committee should be made up of representatives from at least the following departments:
- Business units
- Senior management
- IT department
- Security department
- Communications department
- Legal department
Question:
When is the emergency state actually over for a company?
A.When all people are safe and accounted for
B.When all operations and people are moved back into the primary site
C.When operations are safely moved to the off-site facility
D.When a civil official declares that all is safe
Answer:
B.When all operations and people are moved back into the primary site
Explanation:
The emergency state is not actually over until the company moves back into their primary site. The company is still vulnerable and at risk while it is operating in an altered or crippled state. This state of vulnerability is not over until the company is back operating in the fashion that it was prior to the disaster. Of course, this may mean that the primary site has to be totally rebuilt if it was destroyed.
Question:
Using another company's facilities in the event of a disaster is called what?
A.Rolling hot site
B.Redundant site
C.Merger
D.Reciprocal agreement
Answer:
D.Reciprocal agreement
Explanation:
Reciprocal agreements with other companies can be a cheap alternative to disaster recovery but are very difficult to enforce legally. A reciprocal agreement is not enforceable, meaning that the company that agreed to let the damaged company work out of its facility can decide not to allow this to take place.
A reciprocal agreement is a better secondary backup option if the primary plan falls through.
Question:
A disaster recovery procedure involving all affected departments acting out a specific scenario, but which does not go to an off-site facility, is referred to as a:
A.Simulation test
B.Structured walk-through test
C.Checklist test
D.Parallel test
Answer:
A.Simulation test
Explanation:
Simulation tests measure the responsiveness of each department during an emergency situation. A scenario is constructed, as in a flood, earthquake, or terrorist attack, and people are to carry out the tasks expected of them.
Question:
What should be done first when the original facility becomes operational again following a disaster?
A.Inform the media and stockholders
B.Inform all of the employees
C.Move the most critical functions to the original facility
D.Move the least critical functions to the original facility
Answer:
D.Move the least critical functions to the original facility
Explanation:
To ensure that critical business functions and systems continue to operate during a move back to the original facility, the first step should be reinstating the least critical functions.
Question:
Which is not true of a reciprocal agreement?
A.It is a temporary solution.
B.It is expensive.
C.It is difficult to enforce.
D.Most environments are not able to support multiple business operations at one time.
Answer:
B.It is expensive.
Explanation:
While a reciprocal agreement is difficult to implement and enforce, it does offer an extremely inexpensive alternative to disaster recovery. It is an agreement between two companies which usually have very similar technologies, to open their doors to the other in case of an emergency or disaster.
Question:
Which of the following disaster recovery tests is the most intrusive to business operations?
A.Parallel
B.Simulation
C.Full-interruption
D.Checklist
Answer:
C.Full-interruption
Explanation:
Full-interruption tests require the original site to be completely shut down and all processes moved to an alternate site. This can be very disruptive to a company, but is the only way to really know the disaster recovery plan will work when it is needed.
Question:
Talking to external organizations after a disaster is important for all of the following reasons except:
A.To inform customers and shareholders of the company's status
B.To redirect unfavorable attention to other entities
C.To ensure that the media is reporting the facts accurately
D.To help stop rumors from developing
Answer:
B.To redirect unfavorable attention to other entities
Explanation:
Informing the public and affected groups is a critical part of disaster recovery so that the company's reputation and overall business status are not damaged. The information that will be reported should be prepared beforehand, along with deciding who will be responsible for communicating the message to the public and press.
Part 1: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems.html
Part 2: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_1.HTML
Part 4: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_5.HTML
Part 5: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_8.html
Part 6: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_9.html
(ISC)² CISSP - Certified Information Systems Security Professional - A little help with the CISSP certification questions - Part 2
Well, before the exam it is always advisable, beyond attending the course, to have some literature:
- https://umeshume.files.wordpress.com/2013/03/mcgraw-hill-osborne-media-cissp-all-in-one-exam-guide-6th-edition-2012.pdf
Take a careful look at this link: http://opensecuritytraining.info/CISSP-Main.HTML
Below is a dump of certification questions:
Question:
Business continuity planning needs to provide several types of functionalities and protection types for an organization. Which of the following is not one of these items?
i. Provide an immediate and appropriate response to emergency situations
ii. Protect lives and ensure safety
iii. Reduce business conflicts
iv. Resume critical business functions
v. Work with outside vendors during the recovery period
vi. Reduce confusion during a crisis
vii. Ensure survivability of the business
viii. Get "up and running" quickly after a disaster
A.ii, iii
B.iii, iv, vi
C.i, ii, vii
D.iii
Answer:
D.iii
Explanation:
Preplanned procedures allow an organization to:
i. Provide an immediate and appropriate response to emergency situations
ii. Protect lives and ensure safety
iii. Reduce business impact
iv. Resume critical business functions
v. Work with outside vendors during the recovery period
vi. Reduce confusion during a crisis
vii. Ensure survivability of the business
viii. Get "up and running" quickly after a disaster
Question:
What procedures should take place to restore a system and its data files after system failure?
A.Restore from storage media backup
B.Perform a parallel test
C.Implement recovery procedures
D.Perform a walk-through test
Answer:
C.Implement recovery procedures
Explanation:
In this and similar situations, recovery procedures should be followed, which most likely includes recovering data from the backup media. Recovery procedures could include proper steps of rebuilding a system from the beginning, applying the necessary patches and configurations, and whatever needs to take place to ensure productivity is not affected. Some type of redundant system may need to be put into place.
Question:
What is the first step in developing a disaster recovery plan?
A.Identify all critical systems and functions of the company
B.Decide if the company needs to perform a walk-through, parallel, or simulation test
C.Perform a business impact analysis
D.Interview a representative from each department
Answer:
C.Perform a business impact analysis
Explanation:
A business impact analysis includes identifying critical systems and functions of a company and interviewing representatives from each department. Once management’s support is solidified, a business impact analysis needs to be performed to identify the threats the company faces and the potential costs of these threats.
Question:
During a recovery procedure, one important step is to maintain records of important events that happen during the procedure. What other step is just as important?
A.Schedule another test to address issues that took place during that procedure
B.Make sure someone is prepared to talk to the media with the appropriate responses
C.Report the events to management and the appropriate agencies
D.Identify essential business functions
Answer:
C.Report the events to management and the appropriate agencies
Explanation:
When recovery procedures are carried out, the outcome of those procedures should be reported to the individuals who are responsible for this type of activity. This is usually some level of management. If the procedures worked properly, they should know this, and if problems were encountered, they should definitely be made aware of this. They are the ones responsible for fixing the recovery system and will be the ones to delegate this work and provide the necessary funding and resources.
Question:
The purpose of initiating emergency actions right after a disaster takes place is to prevent loss of life, attend to injuries, and __________.
A.Secure the area to ensure that no looting or fraud takes place
B.Mitigate further damage
C.Protect evidence and clues
D.Investigate the extent of the damages
Answer:
B.Mitigate further damage
Explanation:
The main goal of disaster recovery and business continuity plans is to mitigate all risks that could be experienced by a company. Emergency procedures need to be carried out first to protect human life. Then other procedures need to be executed to reduce the damage from further threats.
Question:
Which of the following is the best way to ensure that a company’s backup tapes can be used at a warm site?
A.Retrieve the tapes from the off-site facility and verify that the equipment at the original site can read them
B.Test them on the vendor’s machine, which won’t be used during an emergency
C.Inventory each tape kept at the vendor’s site twice a month
D.Test them on the equipment maintained within the hot site
Answer:
A.Retrieve the tapes from the off-site facility and verify that the equipment at the original site can read them
Explanation:
A warm site is a facility that will not be fully equipped with the company’s main systems. The idea of using a warm site is that if a disaster takes place, the company would bring their systems with them. If they cannot bring the systems with them because they are damaged, the company must purchase new systems that are exactly like their original systems. So to properly test backups, the company needs to test them by recovering the data on their original systems at their main site.
Question:
Which of the following is something that should be required of an off-site backup facility that stores backed-up media for companies?
A.The facility should be within 10 to 15 minutes of the original facility to ensure easy access.
B.The facility should contain all necessary PCs, servers, and raised flooring.
C.The facility should be protected by an armed guard.
D.The facility should protect against unauthorized access and entry.
Answer:
D.The facility should protect against unauthorized access and entry.
Explanation:
This question is addressing a facility that is used to store backed-up data; it is not talking about an off-site facility used for disaster recovery purposes. The facility should not be 10 to 15 minutes away because if there was some type of disaster, the company’s main facility and this facility could both be destroyed and the company would lose all of their information. The facility should have the same security standards as the company’s security, including protecting against unauthorized access.
Question:
Which item will a business impact analysis not identify?
A.If the company is best suited for a parallel or full-interrupt test
B.What areas would suffer the greatest operational and financial loss in the event of a particular disaster or disruption
C.What systems are critical for the company and must be highly protected
D.What amount of outage time a company can endure before it is permanently crippled
Answer:
A.If the company is best suited for a parallel or full-interrupt test
Explanation:
All of the other answers address the main components of a business impact analysis. Determining the best type of exercise or drill to carry out is not covered under this type of analysis.
Question:
Which areas of a company are business plans recommended for?
A.The most important operational and financial areas
B.The areas that house the critical systems
C.All areas
D.The areas that the company cannot survive without
Answer:
C.All areas
Explanation:
It is best if every department within the company has its own recovery plan and continuity plan and procedures in place. These individual plans would "roll up" into the overall enterprise plan.
Question:
Who has the final approval of the disaster recovery and business continuity plan?
A.The planning committee
B.Each representative of each department
C.Management
D.External authority
Answer:
C.Management
Explanation:
Management has the final approval over everything within a company, including these plans.
Parte 1: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems.html
Parte 3: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_2.html
Parte 4: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_5.html
Parte 5: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_8.html
Parte 6: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_9.html
Thursday, 1 May 2014
(ISC)² CISSP - Certified Information Systems Security Professional - A little help with the CISSP certification questions - Part 1
(ISC)² International Information Systems Security Certification Consortium - CISSP Certified Information Systems Security Professional
- What is it?
CISSP is the acronym for Certified Information System Security Professional, a professional certificate issued and maintained by (ISC)², an institution founded with the aim of establishing criteria for evaluating professionals who work in information security.
According to (ISC)², there are more than 90,000 certified security professionals in more than 135 countries.
It was recently awarded ANSI accreditation under the ISO/IEC 17024 standard; it is the first professional certification to receive this recognition worldwide.
The certification is built on a set of best practices established by the institution, grouped into 10 domains.
To become certified, an information security professional must pass the specific knowledge exam, accept the (ISC)² Code of Ethics, prove a minimum amount of experience in the field, and be endorsed by another certified professional.
- Areas covered/domains?
Access Control Systems and Methodology:
This domain covers best practices for developing access control methodologies. From technical controls to control management, it covers any mechanism whose purpose is to establish the triple A (AAA - Authentication, Authorization and Accounting).
Telecommunications, Network and Internet Security:
This domain covers the main controls, techniques and methodologies for ensuring the confidentiality, integrity and availability of information systems across telecommunication mechanisms, information networks and the Internet.
Security Management Practices:
This domain describes the main practices for managing information systems security. It includes regulatory issues (supra-governmental agencies), specific legislation (government), security policy management (administrative guidelines) and business continuity.
Applications and Systems Development:
This domain comprises all practices for managing the development of applications and information systems, with a focus on ensuring the confidentiality, integrity and availability of data.
Cryptography:
The set of best practices for using symmetric, asymmetric and hash cryptographic algorithms is listed in this domain. It also considers hybrid usage methods that provide authentication, integrity and non-repudiation of information.
Security Architecture and Models:
This domain brings together the main security models used for certifying computing environments. Examples of certification models are ITSEC (Europe), TCSEC (United States, the Orange Book), BS 7799 (England) and the Common Criteria.
Operations Security:
This domain proposes a compilation of good practices for the operational management of information security, including the storage of backup copies (backup techniques), operational shift control, hiring of human resources, etc.
Business Continuity Planning:
The domain closest to the needs of companies' business operations. It is a compilation of best practices for establishing a successful business continuity plan, including contingency procedures for separate business components and, in the more traditional and costly cases, a disaster recovery plan.
Law, Investigation and Ethics:
This domain covers the legal issues surrounding information security. From concrete examples such as the telecommunication systems protection acts (1996) in the United States to the current state of European legislation, the aim is to understand the motivation for establishing information protection regulations in a society, the investigative processes that support due legal process, and the ethical standing required of the professionals involved.
Physical Security:
A set of best practices for assessing and establishing technical, operational and managerial controls for the physical protection of a data processing environment.
- Who is it for?
.Security administrators who want to improve their skills and ensure the progression of their professional career.
.Company employees who want to improve their profile in the security area and ensure greater competitiveness for their organization.
.Professionals working at companies specializing in security who need their skills in the security area recognized by partners, customers and other third parties, securing a prominent position for their organization.
.Security auditors and/or consultants
.Any professional in the security area
In Portugal, the exam preparation course can be found here:
http://www.behaviour-group.com/PT/homepage/isc2/cissp/
And the exams can be taken at the certified centres:
https://wsr.pearsonvue.com/testtaker/registration/SelectTestCenterProximity/ISC2/150639
CESAE Porto
Parte 2: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_1.html
Parte 3: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_2.HTML
Parte 4: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_5.html
Parte 5: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_8.html
Parte 6: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_9.html
Rumos
Campo Grande 56, 3º
1700-093 Lisboa
Portugal
Galileu Norte SA
Rua Fradesso da Silveira, n6 - Bloco C
1 A/B Alcantara Rio
1300-609 Lisboa
Portugal
CESAE Porto
Rua Ciriaco Cardoso nº186
4150-212 Porto
Portugal
OSINT Tools - Open Source Intelligence - Part 3 - FOCA (Fingerprinting Organizations with Collected Archives)
These documents may be found on web pages, and can be downloaded and analysed with FOCA.
It is able to analyse a wide variety of documents, the most common being Microsoft Office, Open Office or PDF files, although it can also analyse Adobe InDesign or SVG files, among others.
These documents are searched for through three possible search engines: Google, Bing and Exalead.
It is also possible to add local files to extract EXIF information from graphics files, and a full analysis of the information discovered through the URL is performed even before the file is downloaded.
More information & Download: https://www.elevenpaths.com/labs-tools-foca.HTML
"PENTESTING con FOCA": http://0xword.com/es/libros/59-pentesting-con-foca.HTML
Slides DEFCON 18: http://www.slideshare.net/chemai64/defcon-18-foca-2
Wednesday, 30 April 2014
OSINT Tools - Open Source Intelligence - Part 2 - Creepy
Creepy is a geolocation OSINT tool. It provides geolocation information gathered from data pulled from social networks.
It gathers related geolocation information from online sources and allows it to be displayed on a map, filtered by location and/or exact date, and exported to .CSV or .KML formats for later analysis in Google Maps.
This tool is available for the following platforms
Windows 32 & 64 bits:
- 64bits: https://github.com/ilektrojohn/creepy/releases/download/v1.1/setup_v1.1_x86-64.exe
- 32bits: https://github.com/ilektrojohn/creepy/releases/download/v1.1/setup_v1.1_x86.exe
Linux:
- Source: https://github.com/ilektrojohn/creepy/tarball/master
OSX:
- https://github.com/ilektrojohn/creepy/releases/download/v1.1/creepy_v1.1.dmg
More information at: http://ilektrojohn.github.io/creepy/
Facebook: https://www.facebook.com/geocreepy
Twitter: https://twitter.com/cree_py
OSINT Tools - Open Source Intelligence - Part 1 - Oryon C Portable
Oryon C Portable is a browser developed to assist in Open Source Intelligence research and investigations.
Oryon comes with dozens of pre-installed tools/extensions and a curated set of links catalogued by category.
Specification:
- Based on SRWare Iron 31.0.1700.0 (Chromium)
- More than 70 pre-installed tools to support investigators in their daily work
- More than 600 links to specialized information sources and online investigation tools
- Additional privacy protection features
- A ready-to-use OPML file containing an ordered collection of information sources for the fields: OSINT, Intelligence, InfoSec, defence and much more.
Requirements:
- Windows: XP, Vista, 7 x32 & x64
Access to the OSINTINSIGHT search engines located on the Oryon home page (Oryon C newtab) is possible by subscription.
One of the main features is the default search page, startpage.com by Ixquick, which according to them returns all results directly from Google without saving the user's IP and without passing any personal information to Google's servers.
Some more features:
- Free browsing proxy
- Praised by privacy experts worldwide
- Fourteen-year company history
- Third-party certified
- No IP address recorded/stored
- No record is kept of your searches
- No identifying or tracking cookies used
- Powerful SSL encryption available
Pre-installed extensions:
- Adblock Plus 1.7.2
- All in one web searcher 2.0
- BarDeCo: QR Code Decoder & Encoder/Generator 1.0.0.8 (Disabled by default)
- Bookmark Sentry (scanner) 1.7.18
- Chrome Poster 1.5 (Disabled by default)
- Clear Cache 0.3.3.3
- Company information lookup using CrunchBase 0.1.2 (Disabled by default)
- Copy Plain Text 0.1
- DeepDyve Plugin 1.23.54
- Development and Coding Search 9.0 (Disabled by default)
- DNS Lookup 1.2.1 (Disabled by default)
- DOM Snitch 0.717 (Disabled by default)
- Edit This Cookie 1.2.5 (Disabled by default)
- EmailSherlock 1.2
- EnviSwitch 0.3.0 (Disabled by default)
- Evernote Web Clipper 6.0.7
- EXIF Viewer 1.2.3
- Facebook Search 2.0.1.1 (Disabled by default)
- FastestFox for Chrome 8.0.8
- Firebug Lite for Google Chrome 1.4.0.11967
- Flag for Chrome 0.4.1
- Form Fuzzer 1.4 (Disabled by default)
- FreshStart - Cross Browser Session Manager 1.6.1
- FTP Free 2.5 (Disabled by default)
- Go Up 1.31
- Google Translate 1.2.5
- Hola Better Internet 1.2.258 (Disabled by default)
- Holmes 3.1.7
- HTTP Headers 1.0.0.2 (Disabled by default)
- HTTPS Everywhere 1.3 (Disabled by default)
- iMacros for Chrome 6.0.6 (Disabled by default)
- Image Search Options 0.0.7.3
- PDF Viewer 0.8.787
- Extensions Manager 0.2.1.2
- Hide My Proxy 0.1.2 (Disabled by default)
- IP Address and Domain Information 3.24
- IP Geolocator 1.2 (Disabled by default)
- JSONView 0.0.32.2 (Disabled by default)
- Kikin for Chrome 2.5.0
- LastPass 3.0.22
- Split Screen 0.45
- Mini Maps 2.0.3 (Disabled by default)
- BugMeNot Lite 0.3.10 (Disabled by default)
- Canton Public Library Catalog 2.1.1.2
- Chrome Crawler 0.6 (Disabled by default)
- Miniscrul Universal URL Shortener/Expander 3.1.5 (Disabled by default)
- Neat Bookmarks 0.9.17 (Disabled by default)
- Network and Internet tools 1.66 (Disabled by default)
- NoteBook Professional 1.4
- One-Click Extensions Manager 1.3.3.9 (Disabled by default)
- OneTab 1.6
- Oryon C NewTab 1.0.0
- Oryon C Tools 0.1
- Page Monitor 3.3.1
- Phone Number Lookup 1.3 (Disabled by default)
- PHP Console 3.0.17 (Disabled by default)
- Pocket 1.5.6
- Proxy SwitchySharp 1.10.2 (Disabled by default)
- ProxyPy Web Proxy 1.2.4 (Disabled by default)
- Python Shell 3.0.2 (Disabled by default)
- Rapportive 1.4.1
- Related Search 1.0
- Search All 2.2.12
- Search on Linkedin 0.2
- Search Twitter 0.1.1 (Disabled by default)
- SearchBar 0.7.4
- Select to Get Maps 1.1.1 (Disabled by default)
- Site Spider 1.2 (Disabled by default)
- Swap My Cookies 0.3 (Disabled by default)
- The Exploit Database 1.0.1 (Disabled by default)
- Threat Analytics Search 3.3.3
- Twitter Earth 1.2 (Disabled by default)
- User-Agent Switcher for Chrome 1.0.3 (Disabled by default)
- Wappalyzer 2.26
- WaybackMachine 1.0
- Web Server Notifier 1.4.6 (Disabled by default)
- Websecurify 4.0.0 (Disabled by default)
- Where is my tab? 1.1
- XV - XML Viewer 1.0.14 (Disabled by default)
- YOPmail 0.5 (Disabled by default)
- Zotero Connector 4.0.8.2
Learn more: http://osintinsight.com/oryon.php
About OSINTINSIGHT: http://osintinsight.com/
Download: http://sourceforge.net/projects/oryon/
Documentation: http://osintinsight.com/Documentation.pdf
Sysinternals Tools - Tools for every kind of IT - Part 2 - AccessChk v5.11
AccessChk v5.11
Introduction:
This tool allows a system administrator to check the access that users or groups have to resources such as files, directories, registry keys, services and global objects.
Installation:
AccessChk is a command-line tool; just navigate to the folder where the executable is located and type the command "accesschk" to see the syntax.
Syntax & Usage:
accesschk [-s][-e][-u][-r][-w][-n][-v][[-a]|[-k]|[-p [-f] [-t]][-o [-t <object type>]][-c]|[-d]] [[-l [-i]]|[user]] <file, directory, registry key, process, service, object>
Examples:
Shows the type of access the Power Users account type has to files and directories inside \Windows\System32:
accesschk "power users" c:\windows\system32
Shows what members of the Users group have write access to:
accesschk users -cw *
Shows which registry keys under HKLM\CurrentUser a user has no access to:
accesschk -kns austin\mruss hklm\software
Shows the security on the HKLM\Software key:
accesschk -k hklm\software
Shows the global objects that everyone can modify:
accesschk -wuo everyone \basednamedobjects
More information: http://technet.microsoft.com/en-us/sysinternals/bb664922
Tool download: http://download.sysinternals.com/files/AccessChk.zip
Options:
| Option | Description |
| --- | --- |
| -a | Name is a Windows account right. Specify "*" as the name to show all rights assigned to a user. Note that when you specify a specific right, only groups and accounts directly assigned to the right are displayed. |
| -c | Name is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager. |
| -d | Only process directories or top-level keys |
| -e | Only show explicitly set-Integrity Levels (Windows Vista only) |
| -f | Show full process token information including groups and privileges |
| -i | Ignore objects with only inherited ACEs when dumping full access control lists. |
| -k | Name is a Registry key, e.g. hklm\software |
| -l | Show full access control list. Add -i to ignore inherited ACEs. |
| -n | Show only objects that have no access |
| -o | Name is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add -s. Add -t and an object type (e.g. section) to see only objects of a specific type. |
| -p | Name is a process name or PID, e.g. cmd.exe (specify "*" as the name to show all processes). Add -f to show full process token information, including groups and privileges. Add -t to show threads. |
| -q | Omit Banner |
| -r | Show only objects that have read access |
| -s | Recurse |
| -t | Object type filter, e.g. "section" |
| -u | Suppress errors |
| -v | Verbose (includes Windows Vista Integrity Level) |
| -w | Show only objects that have write access |
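An added example, not from the original post or from Sysinternals: a PowerShell wrapper around the -w, -u, -s and -q switches described above that audits program directories for write access held by low-privilege groups, so that over-permissive ACLs can be found and tightened. It assumes accesschk.exe is on the PATH; the -accepteula switch is the standard Sysinternals flag for accepting the licence non-interactively and is not covered on this page.

```powershell
# Added example (not part of the original post): audit directories for write
# access granted to low-privilege principals using AccessChk.
# Assumption: accesschk.exe (from the AccessChk.zip linked above) is on the PATH.
function Get-LowPrivWritablePaths {
    param(
        # Directories that should normally be writable only by administrators.
        [string[]]$Paths = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32"),
        # Principals that every interactive user is a member of.
        [string[]]$Principals = @('Users', 'Authenticated Users', 'Everyone')
    )
    if (-not (Get-Command accesschk.exe -ErrorAction SilentlyContinue)) {
        throw 'accesschk.exe was not found on the PATH'
    }
    foreach ($path in $Paths) {
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        foreach ($principal in $Principals) {
            # -w: only objects the principal can write to; -u: suppress errors;
            # -s: recurse; -q: omit the banner; -accepteula: no licence prompt.
            $lines = & accesschk.exe -accepteula -q -w -u -s $principal $path 2>$null
            foreach ($line in $lines) {
                # With a principal given, AccessChk prints one object per line,
                # prefixed with the effective access, e.g. "RW C:\dir\file".
                if ($line -match '^\s*(R?W)\s+(.+?)\s*$') {
                    [pscustomobject]@{
                        Principal = $principal
                        Access    = $Matches[1]
                        Path      = $Matches[2]
                    }
                }
            }
        }
    }
}

# Writable executables, libraries and scripts under these directories are a
# misconfiguration: report them first so their ACLs can be corrected.
$findings = Get-LowPrivWritablePaths
$findings |
    Where-Object { $_.Path -match '\.(exe|dll|sys|ps1|bat|cmd)$' } |
    Sort-Object Principal, Path |
    Format-Table -AutoSize
```

Run it from an elevated prompt so AccessChk can read every ACL; the remaining (non-executable) entries in $findings are worth reviewing as well, since they include configuration files the application trusts.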
Friday, 4 April 2014
Sysinternals Tools - Tools for every kind of IT - Part 1
The Sysinternals tool suite, created by Mark Russinovich and Bryce Cogswell, has been available on the Internet since around 1996 and was later acquired by Microsoft in July 2006.
This tool suite is essential for administrators, developers or plain users who work on the Windows platform. The tools are particularly helpful for diagnosing and troubleshooting problems in applications or in Windows systems.
The latest Sysinternals novelty is the Sysinternals Live service, which allows the tools to be run directly from the Web without needing to install them.
In the next posts I will show the usefulness of each of the tools.
AccessChk - http://e-forense.blogspot.com/2014/04/sysinternals-tools-ferramentas-para_4.HTML
AccessEnum - http://e-forense.blogspot.com/2014/05/sysinternals-tools-ferramentas-para.html
Tool download: http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
Kon-Boot - Tool to bypass authentication on Windows and Mac OS X
Kon-Boot is a very useful tool for anyone who has lost (or not) their login credentials on Windows and Mac OS X.
It allows logging in to any password-protected profile on the machine without knowing the password.
This tool changes the contents of the kernel during boot; everything is done virtually, with no interference or changes to the physical system.
So far the following systems have been tested to work correctly with Kon-Boot:
-Windows Server 2003
-Windows XP
-Windows Vista
-Windows 7
-Windows 8
-MAC OSX
More information: http://www.piotrbania.com/all/kon-boot/
A30-327 : FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 11
Eleventh part of the question collection for the A30-327 AccessData Certified Examiner ACE certification, covering the FTK, FTK Imager, PRTK and Registry Viewer tools.
Once again, reading the manuals is very important:
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
These questions were taken from an old dump available around the internet.
Q.In FTK, a user may alter the alert or ignore status of individual hash sets within the active KFF. Which utility is used to accomplish this?
A. KFF Alert Editor
B. ADKFF Library Selector
C. Hash Database File Selector
D. Hash Database Recovery Engine
Answer: A
Q.After creating a case, the Encrypted Files container lists EFS files. However, no decrypted sub-items are present. All other necessary components for EFS decryption are present in the case. Which two files must be used to recover the EFS password for use in FTK? (Choose two.)
A. SAM
B. system
C. SECURITY
D. Master Key
E. FEK Certificate
Answer: A,B
Q.Which two statements are true? (Choose two.)
A. PRTK can recover Windows logon passwords.
B. PRTK must run in conjunction with DNA workers to decrypt EFS files.
C. PRTK and FTK must be installed on the same machine to decrypt EFS files.
D. EFS files must be exported from a case and provided to PRTK for decryption.
Answer: A,C
Q.Which two Registry Viewer operations can be conducted from FTK? (Choose two.)
A. list SAM file account names in FTK
B. view all registry files from within FTK
C. create subitems of individual keys for FTK
D. export a registry report to the FTK case report
Answer: B,D
Q.FTK Imager can be invoked from within which program?
A. FTK
B. DNA
C. PRTK
D. Registry Viewer
Answer: A
Q.Into which two categories can an imported hash set be assigned? (Choose two.)
A. alert
B. ignore
C. contraband
D. system files
Answer: A,B
Q.What happens when a duplicate hash value is imported into a KFF database?
A. It will not be accepted.
B. It will be marked as a duplicate.
C. The database will be corrupted.
D. The database will hide the duplicate.
Answer: A
Q.You currently store alternate hash libraries on a remote server. Where do you configure FTK to access these files rather than the default library, ADKFFLibrary.hdb?
A. Preferences
B. User Options
C. Analysis Tools
D. Import KFF Hashes
Answer: A
Q.Which file should be selected to open an existing case in FTK?
A. ftk.exe
B. case.ini
C. case.dat
D. isobuster.dll
Answer: C
Parte 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Parte 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Parte 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.HTML
Parte 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.HTML
Parte 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Parte 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Parte 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Parte 8: http://e-forense.blogspot.com/2014/03/q.HTML
Parte 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Parte 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.html
Thursday, 3 April 2014
A30-327 : FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 10
Tenth part of the question collection for the A30-327 AccessData Certified Examiner ACE certification, covering the FTK, FTK Imager, PRTK and Registry Viewer tools.
Once again, reading the manuals is very important:
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
These questions were taken from an old dump available around the internet.
Q.Which data in the Registry can the Registry Viewer translate for the user? (Choose three.)
A. calculate MD5 hashes of individual keys
B. translate the MRUs in chronological order
C. present data stored in null terminated keys
D. present the date and time of each typed URL
E. View Protected Storage System Provider (PSSP) data
Answer: B,C,E
Q.What are two functions of the Summary Report in Registry Viewer? (Choose two.)
A. adds individual key values
B. is a template for other registry files
C. displays investigator keyword search results
D. permits searching of registry values based on key headers
Answer: A,B
Q.When using Registry Viewer to view a key with 20 values, what option can be used to display only 5 of the 20 values in a report?
A. Report
B. Special Reports
C. Summary Report
D. Add to Report With Children
Answer: C
Q.You view a registry file in Registry Viewer. You want to create a report, which includes items that you have marked "Add to Report." Which Registry Viewer option accomplishes this task?
A. Common Areas
B. Generate Report
C. Define Summary Report
D. Manage Summary Reports
Answer: B
Q.Which Registry Viewer function would allow you to automatically document multiple unknown user names?
A. Add to Report
B. Export User List
C. Add to Report with Children
D. Summary Report with Wildcard
Answer: D
Q.In PRTK, which type of attack uses word lists?
A. dictionary attack
B. key space attack
C. brute-force attack
D. rainbow table attack
Answer: A
Q.What is the purpose of the Golden Dictionary?
A. maintains previously created level information
B. maintains previously created profile information
C. maintains a list of the 100 most likely passwords
D. maintains previously recovered passwords
Answer: D
Q.What is the most effective method to facilitate successful password recovery?
A. Art of War
B. Entropy Test
C. Advanced EFS Attack
D. Primary Dictionary Attack
Answer: A
Q.You are attempting to access data from the Protected Storage System Provider (PSSP) area of a registry. How do you accomplish this using PRTK?
A. You drop the SAM file onto the PRTK interface.
B. You drop the NTUSER.dat file onto the PRTK interface.
C. You use the PSSP Attack Marshal from Registry Viewer.
D. This area can not be accessed with PRTK as it is a registry file.
Answer: B
Q.When using PRTK to attack encrypted files exported from a case, which statement is true?
A. PRTK will request the user access control list from FTK.
B. PRTK will generate temporary copies of decrypted files for printing.
C. FTK will stop all active jobs to allow PRTK to decrypt the exported files.
D. File hash values will change when they are saved in their decrypted format.
E. Additional interoperability between PRTK and NTAccess becomes available when files begin decrypting.
Answer: D
Parte 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Parte 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Parte 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.HTML
Parte 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.HTML
Parte 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Parte 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Parte 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Parte 8: http://e-forense.blogspot.com/2014/03/q.HTML
Parte 9: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_31.HTML
Parte 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
Wednesday, 2 April 2014
A30-327 : FTK AccessData Certified Examiner - ACE - A little help with the FTK certification questions - Part 9
Ninth part of the question collection for the A30-327 AccessData Certified Examiner ACE certification, covering the FTK, FTK Imager, PRTK and Registry Viewer tools.
Once again, reading the manuals is very important:
FTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0643/1/-/-/-/-/FTK_UG.pdf
FTK Imager manual: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
PRTK manual: http://marketing.accessdata.com/acton/attachment/4390/f-0653/1/-/-/-/-/PRTK_DNA%20User%20Guide.pdf
Registry Viewer manual: http://marketing.accessdata.com/acton/attachment/4390/f-0672/1/-/-/-/-/RegistryViewer_UG.pdf
These questions were taken from an old dump available around the internet.
Q.You have processed a case in FTK using all the default options. The investigator supplies you with a list of 400 names in an electronic format. What is the quickest way to search unallocated space for all of these names?
A. build a dtSearch string with all 400 names
B. create a Regular Expression with all the names
C. make an imported text file of the names in Live Search
D. use an imported text file containing the names in Indexed Search
Answer: D
Q.Which pattern does the following regular expression recover? (\d{4}[\- ]){3}\d{4}
A. 000-000-0000
B. ddd-4-3-dddd-4-3
C. 000-00000-000-ABC
D. 0000-0000-0000-0000
Answer: D
Q.You examine evidence and flag several graphic images found in different folders. You now want to bookmark these items into a single bookmark. Which tab in FTK do you use to view only the flagged thumbnails?
A. Explore tab
B. Graphics tab
C. Overview tab
D. Bookmark tab
Answer: C
Q.What change do you make to the file filter shown in the exhibit in order to show only graphics with a logical size between 500 kilobytes and 10 megabytes?
A. You change all file status items to a red circle.
B. You change all file status items to a yellow triangle.
C. You make no change. The filter is correct as shown.
D. You change Graphics in the File Type column to a yellow triangle.
Answer: D
Q.FTK uses Data Carving to find which three file types? (Choose three.)
A. JPEG files
B. Yahoo! Chat Archives
C. WPD (Word Perfect Documents)
D. Enhanced Windows Meta Files (EMF)
E. OLE Archive Files (Office Documents)
Answer: A,D,E
Q.You are asked to process a case using FTK and to produce a report that only includes selected graphics. What allows you to display only flagged graphics?
A. List by File Path
B. List File Properties
C. Graphic Thumbnails
D. Supplementary Files
Answer: C
Q.Which two options are available in the FTK Report Wizard? (Choose two.)
A. List by File Path
B. List File Properties
C. Include HTML File Listing
D. Include PRTK Output List
Answer: A,B
Q.Using the FTK Report Wizard, which two options are available in the List by File Path window? (Choose two.)
A. List File Properties
B. Export to the Report
C. Apply a Filter to the List
D. Include Registry Viewer Reports
Answer: B,C
Q.Using the FTK Report Wizard, which two options are available in the Bookmarks - A window? (Choose two.)
A. Apply a filter to the list
B. Group all filenames at end of report
C. Yes, include all graphics in the case
D. No, do not include a bookmark section
E. Export full-size graphics and link them to the thumbnails
Answer: D,E
Q.In Registry Viewer, which steps initiate the Hex Interpreter?
A. highlight the data and select the Hex Value Interpreter tab
B. highlight the data, right-click on the highlighted data and select the Show Hex Interpreter Window
C. select the Hex Value Interpreter tab, highlight the data, right-click on the data to initiate the Hex Interpreter
D. right-click on the data area and select the Show Hex Interpreter Window and highlight the data you want to interpret
Answer: B
Parte 1: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified.HTML
Parte 2: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_11.HTML
Parte 3: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_12.HTML
Parte 4: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_13.HTML
Parte 5: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_14.HTML
Parte 6: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_28.HTML
Parte 7: http://e-forense.blogspot.com/2014/03/a30-327-ftk-accessdata-certified_6649.HTML
Parte 8: http://e-forense.blogspot.com/2014/03/q.HTML
Parte 10: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified.HTML
Parte 11: http://e-forense.blogspot.com/2014/04/a30-327-ftk-accessdata-certified_3.html
Monday, 31 March 2014