CompTIA Security+ SY0-601 – Question570

A security analyst discovers several jpg photos from a cellular phone during a forensics investigation involving a compromised system. The analyst runs a forensics tool to gather file metadata. Which of the following would be part of the images if all the metadata is still intact?


A. The GPS location
B. When the file was deleted
C. The total number of print jobs
D. The number of copies made

Correct Answer: A

CompTIA Security+ SY0-601 – Question569

A local server recently crashed and the team is attempting to restore the server from a backup. During the restore process, the team notices the file size of each daily backup is large and will run out of space at the current rate. The current solution appears to do a full backup every night.
Which of the following would use the least amount of storage space for backups?


A. A weekly, incremental backup with daily differential backups
B. A weekly, full backup with daily snapshot backups
C. A weekly, full backup with daily differential backups
D. A weekly, full backup with daily incremental backups

Correct Answer: D

CompTIA Security+ SY0-601 – Question567

An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system.
Which of the following best describes the actions taken by the organization?


A. Exception
B. Segmentation
C. Risk transfer
D. Compensating controls

Correct Answer: D

CompTIA Security+ SY0-601 – Question566

An attacker is attempting to harvest user credentials on a client's website. A security analyst notices multiple attempts of random usernames and passwords. When the analyst types in a random username and password, the logon screen displays the following message:
The username you entered does not exist.
Which of the following should the analyst recommend be enabled?


A. Input validation
B. Obfuscation
C. Error handling
D. Username lockout

Correct Answer: C

CompTIA Security+ SY0-601 – Question563

A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would best prevent email contents from being released should another breach occur?


A. Implement S/MIME to encrypt the emails at rest.
B. Enable full disk encryption on the mail servers.
C. Use digital certificates when accessing email via the web.
D. Configure web traffic to only use TLS-enabled channels.

Correct Answer: A

CompTIA Security+ SY0-601 – Question562

During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also reporting an increase in outbound connections that use random high ports. An analyst plans to review the correlated logs to find the source of the incident. Which of the following tools will best assist the analyst?


A. A vulnerability scanner
B. A NGFW
C. The Windows Event Viewer
D. A SIEM

Correct Answer: D

CompTIA Security+ SY0-601 – Question561

An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following:
– Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users.
– Internal users in question were changing their passwords frequently during that time period.
– A jump box that several domain administrator users use to connect to remote devices was recently compromised.
– The authentication method used in the environment is NTLM.
Which of the following types of attacks is most likely being used to gain unauthorized access?


A. Pass-the-hash
B. Brute-force
C. Directory traversal
D. Replay

Correct Answer: A