CompTIA CompTIA Certifications CS0-003 Questions & Answers

• Question 391:

  A digital forensics investigator works from duplicate images to preserve the integrity of the original evidence. Which of the following types of media are most volatile and should be preserved? (Select two).

  A. Memory cache

  B. Registry file

  C. SSD storage

  D. Temporary filesystems

  E. Packet decoding

  F. Swap volume

  Correct Answer: AF

  Memory cache and swap volume are types of media that are most volatile and should be preserved during a digital forensics investigation. Volatile media are those that store data temporarily and lose their contents when the power is turned off or interrupted. Memory cache is a small and fast memory that stores frequently used data or instructions for faster access by the processor. Swap volume is a part of the hard disk that is used as an extension of the memory when the memory is full or low . https://www.techopedia.com/definition39/memory-dump

• Question 392:

  A development team recently released a new version of a public-facing website for testing prior to production. The development team is soliciting the help of various teams to validate the functionality of the website due to its high visibility. Which of the following activities best describes the process the development team is initiating?

  A. Static analysis

  B. Stress testing

  C. Code review

  D. User acceptance testing

  Correct Answer: D

  User acceptance testing is a process of verifying that a software application meets the requirements and expectations of the end users before it is released to production. User acceptance testing can help to validate the functionality, usability, performance and compatibility of the software application with real-world scenarios and feedback . User acceptance testing can involve various teams, such as developers, testers, customers and stakeholders. https://www.techopedia.com/ definition7/user-acceptance-testing-uat

• Question 393:

  A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region.

  Which of the following shell script functions could help achieve the goal?

  A. function w() { a=$(ping -c 1 $1 | awk-F "/" 'END{print $1}') andand echo "$1 | $a" }

  B. function x() { b=traceroute -m 40 $1 | awk 'END{print $1}') andand echo "$1 | $b" }

  C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short }

  D. function z() { c=$(geoiplookup$1) andand echo "$1 | $c" }

  Correct Answer: C

• Question 394:

  A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

  A. function w() { info=$(ping -c 1 $1 | awk -F "/" `END{print $1}') andand echo "$1 | $info" }

  B. function x() { info=$(geoiplookup $1) andand echo "$1 | $info" }

  C. function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) andand echo "$1 | $info" }

  D. function z() { info=$(traceroute -m 40 $1 | awk `END{print $1}') andand echo "$1 | $info" }

  Correct Answer: B

• Question 395:

  A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:

  

  Which of the following should be completed first to remediate the findings?

  A. Ask the web development team to update the page contents B. Add the IP address allow listing for control panel access

  C. Purchase an appropriate certificate from a trusted root CA

  D. Perform proper sanitization on all fields

  Correct Answer: D

  The first action that should be completed to remediate the findings is to perform proper sanitization on all fields. Sanitization is a process that involves validating, filtering, or encoding any user input or data before processing or storing it on a system or application. Sanitization can help prevent various types of attacks, such as cross-site scripting (XSS), SQL injection, or command injection, that exploit unsanitized input or data to execute malicious scripts, commands, or queries on a system or application. Performing proper sanitization on all fields can help address the most critical and common vulnerability found during the vulnerability assessment, which is XSS.

• Question 396:

  A user reports a malware alert to the help desk. A technician verities the alert, determines the workstation is classified as a low-severity device, and uses network controls to block access. The technician then assigns the ticket to a security analyst who will complete the eradication and recovery processes. Which of the following should the security analyst do next?

  A. Document the procedures and walk through the incident training guide.

  B. Reverse engineer the malware to determine its purpose and risk to the organization.

  C. Sanitize the workstation and verify countermeasures are restored.

  D. Isolate the workstation and issue a new computer to the user.

  Correct Answer: C

  Sanitizing the workstation and verifying countermeasures are restored are part of the eradication and recovery processes that the security analyst should perform next. Eradication is the process of removing malware or other threats from the

  affected systems, while recovery is the process of restoring normal operations and functionality to the affected systems. Sanitizing the workstation can involve deleting or wiping any malicious files or programs, while verifying countermeasures

  are restored can involve checking and updating any security controls or settings that may have been compromised .

  https://www.cynet.com/incident-response/incident-response-sans-the-6-steps-in-depth/

• Question 397:

  An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?

  A. Take a snapshot of the compromised server and verify its integrity

  B. Restore the affected server to remove any malware

  C. Contact the appropriate government agency to investigate

  D. Research the malware strain to perform attribution

  Correct Answer: A

  The next action that the CSIRT should conduct after isolating the compromised server from the network is to take a snapshot of the compromised server and verify its integrity. Taking a snapshot of the compromised server involves creating an exact copy or image" specific point in time. Verifying its integrity involves ensuring that the snapshot has not been altered, corrupted, or tampered with during or after its creation. Taking a snapshot and verifying its integrity can help preserve and protect any evidence or information related to the incident, as well as prevent any tampering, contamination, or destruction of evidence.

• Question 398:

  During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

  A. Disk contents

  B. Backup data

  C. Temporary files

  D. Running processes

  Correct Answer: D

  The most volatile type of evidence that must be collected first in a computer system is running processes. Running processes are programs or applications that are currently executing on a computer system and using its resources, such as memory, CPU, disk space, or network bandwidth. Running processes are very volatile because they can change rapidly or disappear completely when the system is shut down, rebooted, logged off, or crashed. Running processes can also be affected by other processes or users that may modify or terminate them. Therefore, running processes must be collected first before any other type of evidence in a computer system

• Question 399:

  A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

  A. Hacklivist

  B. Advanced persistent threat

  C. Insider threat

  D. Script kiddie

  Correct Answer: C

  The user has become an insider threat by downloading software that contains malware onto a computer that eventually infects numerous other systems. An insider threat is a person or entity that " or resources and uses that access to cause harm or damage to the organization. An insider threat can be intentional or unintentional, malicious or negligent, and can result from various actions or behaviors, such as downloading unauthorized software, violating security policies, stealing data, sabotaging systems, or collaborating with external attackers.

• Question 400:

  A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

  

  Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

  A. InLoud: Cobain: Yes Grohl: No Novo: Yes Smear: Yes

  Channing: No

  B. TSpirit: Cobain: Yes Grohl: Yes Novo: Yes Smear: No Channing: No

  C. ENameless: Cobain: Yes Grohl: No Novo: Yes Smear: No Channing: No

  D. PBleach: Cobain: Yes Grohl: No Novo: No Smear: No Channing: Yes

  Correct Answer: B

  The vulnerability that should be patched first, given the above third-party scoring system, is:

  TSpirit: Cobain: Yes Grohl: Yes Novo: Yes Smear: No Channing: No This vulnerability has three out of five metrics marked as Yes, which indicates a high severity level. The metrics Cobain, Grohl, and Novo are more important than Smear

  and Channing, according to the vulnerability management team. Therefore, this vulnerability poses a greater risk than the other vulnerabilities and should be patched first.