A security analyst identified some potentially malicious processes after capturing the contents of memory from a machine during incident response. Which of the following procedures is the NEXT step for further investigation?
I studied Dion's course and I'm pretty sure this is B!!! I'm surprised no one says B! :o
Reverse engineering is to understand how CODE works. Here we identified some "malicious processes"; you don't reverse engineer a process! To further investigate the MALICIOUS PROCESSES you must build a timeline.
Timeline
Tool that shows the sequence of file system events within a source image
▪ How was access to the system obtained?
▪ What tools have been installed?
▪ What changes to files were made?
▪ What data has been retrieved?
▪ Was data exfiltrated?
The NEXT step for further investigation after identifying potentially malicious processes in memory during incident response would typically be:
B. Timeline construction
In incident response, especially after capturing the contents of memory (also known as a memory dump) and identifying potentially malicious processes, constructing a timeline is typically a crucial next step.
File (Data) carving is the process of extracting data from an image (from a computer) when that data has no associated file system metadata.
A file-carving tool analyzes the disk at sector/page level and attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files, or at least bits of information from deleted files.
In the real world, once you have identified a malicious file/process, security analysts will first check for other artifacts associated with it through reverse engineering. At later stages, once all IOCs have been analyzed, timeline construction will be part of the reporting to get a view of the whole picture.
File cloning is of course not an option.
Data carving is a technique used to extract specific file types from a larger data set or volume. While it can be useful in certain investigations, it may not be the most appropriate next step for further investigation if the security analyst has already identified potentially malicious processes. In this case, the next step for further investigation could be to construct a timeline of events or to perform file cloning to further analyze the suspicious processes. Reverse engineering could also be a potential option if the security analyst has the necessary skills and resources.
D... if I had to choose from this mess. If reverse engineering means analyzing the captured processes, then D it is. Timeline construction would be a part of the overall reporting process of IR. Data carving is carving (putting together) files from a HD or SSD.
Therefore, option B is the correct answer. Timeline construction involves identifying and documenting the sequence of events and actions that occurred on the system leading up to the incident. This process provides a clear picture of the actions taken by the attacker and the steps they took to achieve their goals. By reconstructing the timeline of events, the security analyst can identify patterns of activity that may help to identify the root cause of the incident and the extent of the compromise.
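As an added example (not from the thread or from any course or tool it mentions), the Python below sketches the timeline step for this scenario: process entries taken from a memory capture are merged with file-system events into one ordered timeline, and a suspicious process is traced back through its parents. All data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the page): process entries as a memory
# analysis tool would list them, plus file-system events from the same host.
PROCESSES = [
    {"pid": 4, "ppid": 0, "name": "System", "created": "2023-03-01T08:00:00Z"},
    {"pid": 812, "ppid": 4, "name": "explorer.exe", "created": "2023-03-01T08:05:10Z"},
    {"pid": 2210, "ppid": 812, "name": "winword.exe", "created": "2023-03-01T09:12:03Z"},
    {"pid": 2388, "ppid": 2210, "name": "powershell.exe", "created": "2023-03-01T09:12:41Z"},
    {"pid": 2460, "ppid": 2388, "name": "svchost.exe", "created": "2023-03-01T09:13:05Z"},
]
FILE_EVENTS = [
    {"time": "2023-03-01T09:11:50Z", "action": "created", "path": "C:\\Users\\u\\Downloads\\invoice.docm"},
    {"time": "2023-03-01T09:12:58Z", "action": "created", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\svchost.exe"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(processes, file_events):
    """Merge process-creation and file events into one list ordered by time."""
    events = []
    for p in processes:
        events.append((parse_ts(p["created"]), "process",
                       f"pid {p['pid']} {p['name']} started by ppid {p['ppid']}"))
    for f in file_events:
        events.append((parse_ts(f["time"]), "file", f"{f['action']} {f['path']}"))
    return sorted(events, key=lambda e: e[0])


def parent_chain(processes, pid):
    """Follow ppid links from a suspicious pid back to the root process."""
    by_pid = {p["pid"]: p for p in processes}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain


def events_before(timeline, when, seconds):
    """Return the timeline events in the window leading up to a given moment."""
    start = when - timedelta(seconds=seconds)
    return [e for e in timeline if start <= e[0] <= when]
```

Reading the window before the suspect process alongside its parent chain answers the "how was access obtained / what was installed" questions the timeline is meant for.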
In the book glossary:
reverse engineering: The process of analyzing the structure of hardware or software to reveal more about how it functions.
The analyst has already identified some malicious processes; I think the next step is to perform reverse engineering on these processes.
Data carving has already been performed.
A. Data carving is a process used to extract files from unallocated space on a hard drive, which can be useful for discovering deleted files or hidden data. However, in this scenario, the security analyst has already captured the contents of memory from the machine, so data carving would not be the next step. Data carving would be useful in cases where the analyst is trying to recover data that was deleted or hidden by an attacker, but in this scenario, the focus is on analyzing the potentially malicious processes that were identified in memory, which would be best accomplished through reverse engineering.
Community vote distribution: A (35%), C (25%), B (20%), Other