Conducting Forensic Analysis and Incident Response Using Cisco Technologies (CBRFIR) — Question 21
A security team receives reports of multiple files causing suspicious activity on users' workstations. The file attempted to access highly confidential information in a centralized file server. Which two actions should be taken by a security analyst to evaluate the file in a sandbox? (Choose two.)
Answer options
- A. Inspect registry entries.
- B. Inspect processes.
- C. Inspect file hash.
- D. Inspect file type.
- E. Inspect PE header.
Correct answer: B, C
Explanation
The correct actions are to inspect processes and the file hash. Inspecting processes lets the analyst observe what the file does at runtime inside the sandbox, while checking the file hash helps identify files that are already known to be malicious. The other options, inspecting registry entries, the file type, and the PE header, may provide some information, but they are not as directly relevant to an immediate evaluation of the suspicious activity.