Investigating Unexpected Application and Unknown Outgoing Traffic: Cisco Exam 300-215-CBRFIR

Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps

Question

An engineer is investigating a ticket from the accounting department in which a user discovered an unexpected application on their workstation.

Several alerts are seen from the intrusion detection system of unknown outgoing internet traffic from this workstation.

The engineer also notices a degraded processing capability, which complicates the analysis process.

Which two actions should the engineer take? (Choose two.)

Answers

Explanations

AE.

The engineer is investigating an incident where an unexpected application has been discovered on a workstation in the accounting department. This is a potential indication of compromise and requires immediate attention. Additionally, several alerts from the intrusion detection system indicate unknown outgoing internet traffic from the workstation. This indicates that there may be ongoing malicious activity from the workstation.

Furthermore, the engineer has also noticed that there is a degraded processing capability on the workstation. This can complicate the analysis process as it may take longer to perform necessary tasks such as identifying the source of the unexpected application, determining the extent of the compromise, and taking appropriate action.

Given these circumstances, the engineer should take the following two actions:

  1. Disconnect the workstation from the network - This will prevent any further communication with the attacker's command and control infrastructure and limit the potential for additional damage. It will also prevent the attacker from further compromising other systems on the network.

  2. Take an image of the workstation - An image of the workstation's hard drive should be taken as soon as possible. This will preserve the current state of the system, including any potential evidence related to the incident. The image should be taken using a forensically sound tool that ensures the integrity of the data and does not modify the original hard drive.
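The imaging step above, as an added example that is not part of the exam page or any Cisco tooling: a minimal acquisition helper that opens the evidence source read-only, hashes the bytes as they are copied, independently re-hashes the finished image, and stores a chain-of-custody record beside it. On a real case the source would be a block device behind a hardware write blocker; here a constructed temp file (`sda`, a hypothetical path) stands in for the drive so it runs offline.

```python
"""Added example (not from the exam page): image an evidence source read-only,
hash it during acquisition, re-hash the finished image, and write a
chain-of-custody record. A constructed temp file stands in for the drive."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB blocks: stream the drive instead of loading it


def acquire_image(source_path, image_path, chunk=CHUNK):
    """Copy source -> image, hashing source bytes as read; then hash the
    written image independently so a bad write or tampering is detected."""
    src_hash = hashlib.sha256()
    # "rb" only: the original evidence is never opened for writing.
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # image is on disk before we verify it
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            img_hash.update(block)
    record = {
        "source": source_path,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": img_hash.hexdigest(),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    return record


def demo(size=3 * CHUNK + 12345):
    """Acquire a constructed 'drive' in a temp dir and return the record."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = os.path.join(tmp, "sda")  # hypothetical evidence path
        with open(drive, "wb") as f:
            f.write(os.urandom(size))  # constructed sample evidence
        record = acquire_image(drive, os.path.join(tmp, "sda.dd"))
        with open(os.path.join(tmp, "sda.dd.json"), "w") as f:
            json.dump(record, f, indent=2)  # custody note kept beside the image
        return record
```

A mismatch between `sha256_source` and `sha256_image` means the copy cannot be trusted and must be re-acquired before any analysis starts.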

The other options listed are not appropriate in this scenario:

A. Restore to a system recovery point - This is not recommended as it may overwrite or destroy potential evidence. It is also not clear if a system recovery point exists and, if so, whether it would be clean or compromised.

B. Replace the faulty CPU - While a faulty CPU may impact the processing capability of the workstation, it is unlikely to be the cause of the unexpected application or the unknown outgoing internet traffic. Additionally, replacing the CPU may overwrite or destroy potential evidence.

D. Format the workstation drives - Formatting the drives will destroy any potential evidence and should not be done until a complete forensic analysis has been performed and all necessary evidence has been collected.

Therefore, disconnecting the workstation from the network and taking an image of the workstation's hard drive are the most appropriate actions to take in this scenario.