Computer Hacking Forensic Investigator (CHFI v10) — Question 567
During an investigation, a forensics analyst discovers an unusual increase in outbound network traffic, traffic traversing non-standard ports, and multiple failed login attempts on a host system. The analyst also found that certain programs using these unusual ports appeared to be legitimate. If these are the primary Indicators of Compromise, what should be the next immediate step in the investigation to contain the intrusion effectively?
Answer options
- A. Enforcing stringent password policies and re-authenticating all users to prevent further login anomalies
- B. Examining the logs for repeated requests for the same file, indicating a possible exploit attempt
- C. Analyzing Uniform Resource Locators for any signs of phishing or spamming activities
- D. Conducting a deep dive into user-agent strings to determine if there is any spoofing of device OS and browser information
Correct answer: B
Explanation
The correct answer is B because examining the logs for repeated requests for the same file can reveal attempts to exploit vulnerabilities, which is critical for understanding the nature of the intrusion. Options A, C, and D, while potentially useful as broader security measures, do not directly address the immediate need to identify and contain the ongoing exploitation indicated by the unusual traffic patterns and failed logins.