

No Question Opt-1 Opt-2 Opt-3 Opt-4 Correct Answer Roll Number

1 Which of the following is a common simple encoding technique used in malware obfuscation? AES encryption Base64 encoding RSA encryption Quantum encryption Base64 encoding 106
2 What role does XOR encryption play in malware obfuscation? It is primarily used to generate random numbers It securely transmits data over networks It is used to authenticate users securely It hides the malware’s true code by toggling bits It hides the malware’s true code by toggling bits 106
3 You suspect malware is utilizing advanced evasion techniques to reside solely in memory. Which memory acquisition technique would be the most suitable in this scenario? Creating a hibernation file Full disk image Live RAM capture Network traffic capture Live RAM capture 79
4 Which of the following is the most critical consideration for preserving the integrity of volatile memory during acquisition? Using a dedicated forensic workstation Maintaining a strict chain of custody Avoiding changes to the live system state Employing a write-blocker Avoiding changes to the live system state 79
5 Which of the following memory acquisition techniques is often used to acquire volatile data from a running system for malware analysis? Disk Imaging Network packet capture Memory Dumping Registry Extraction Memory Dumping 181
6 When conducting memory acquisition for malware analysis, which of the following is NOT a common challenge? Acquiring data without altering the state of the system Ensuring the acquired memory is forensically sound Managing encryption keys stored in volatile memory Retrieving data from non-volatile storage devices Retrieving data from non-volatile storage devices 181
7 What is the primary purpose of using volatility analysis tools in cybersecurity? To predict future cyberattacks To measure the level of risk associated with a system or network To determine the encryption strength of a communication channel To calculate the speed of data transmission To measure the level of risk associated with a system or network 105
8 Which volatility analysis tool is used to investigate and analyze the contents of a computer's volatile memory? Network Intrusion Detection System (NIDS) Disk Imaging Memory Forensics Packet Sniffing Memory Forensics 105
9 Which of the following volatile memory components is typically analyzed in memory forensics? Hard disk RAM CPU cache BIOS RAM 107
10 What is the term for a memory forensics technique that involves reconstructing data structures from raw memory dumps? Memory carving Memory mapping Memory parsing Memory reconstruction Memory parsing 107
12 Which DLL is responsible for providing essential system functions such as memory management and input/output operations? User32.dll Kernel32.dll Gdi32.dll Advapi32.dll Kernel32.dll 30
13 Which DLL provides functions for handling cryptographic operations, such as encryption and decryption? Kernel32.dll User32.dll Crypt32.dll Advapi32.dll Advapi32.dll 30
15 Which of the following activities is typically involved in the enumerating process of malware analysis? Creating a backup of the infected system Generating a hash value for the malware sample Listing active processes, network connections, and files Running the malware in a production environment Listing active processes, network connections, and files 182
16 During the enumerating process in malware analysis, which tool would you use to list all running processes on a Windows system? Task Manager Wireshark ls command ps command Task Manager 182
18 When dumping an executable or DLL, what is typically included in the output? Only machine code Machine code and ASCII text Only ASCII text Source code Machine code and ASCII text 35
19 Which type of analysis is facilitated by dumping DLLs? Static analysis Dynamic analysis both a and b None of the above Static analysis 35
21 What command in the Git version control system is used to display the command history? git log git history git show git reflog git reflog 32
22 In PowerShell, what cmdlet is used to display the command history? Get-History Get-CommandHistory Display-History Get history 32

25 Which command-line tool can be used to list running processes and their handles in Windows? ps tasklist ls procmon tasklist 58
26 What is the purpose of accessing objects by a process through handles in malware analysis? To directly manipulate kernel objects To directly access objects in user space To perform subsequent operations on objects indirectly To bypass kernel memory restrictions To perform subsequent operations on objects indirectly 58
27 What is a common method used by malware to maintain persistence on a system? Modifying the system BIOS Creating scheduled tasks Manipulating the boot sector Modifying the firewall settings creating scheduled tasks 49
28 Which of the following is NOT a common technique used by malware to evade detection? Polymorphic code Signature-based detection Process injection Code obfuscation Code obfuscation 49
28 Which of the following is not a mode of malware distribution? Download from the internet Watching video on internet spam email None of the above C 55
29 Why is it important to list process handles during malware forensics investigations? To find evidence of unauthorized access to system resources To determine if malware is using handles to hide from antivirus software To identify communication between malware and other processes All of the above All of the above 46
The memory usage of the target process
30 If a malware sample is suspected of injecting code into another process, what information from the process handles might help confirm this behavior? The type of handle and the process it's linked to The network connections of the target process The permissions associated with the handle The type of handle and the process it's linked to 46
31 What is the primary purpose of malware unpacking? To hide the presence of malware on a system To extract the original code of a packed malware sample To encrypt sensitive data on the system To enhance the performance of the malware To extract the original code of a packed malware sample 85
What is the purpose of using virtual machines or sandboxes in malware unpacking? To provide a safe environment for executing malware samples To physically isolate malware from the rest of the system To slow down the execution of malware To analyze malware without any computational resources To provide a safe environment for executing malware samples
What command can be used in PowerShell to retrieve command history? Get-History Retrieve-History Show-History View-History Get-History 57
In Linux-based systems, where is the command history typically stored? /var/log/messages /etc/commands.log ~/.bash_history /usr/bin/history ~/.bash_history 57
37 Which Volatility plugin is used to extract command history from a memory image? psscan cmdscan consoles cmdline cmdscan 128
38 If the cmdscan plugin does not display any command history entries, what could be a possible reason? The memory image is corrupted The system did not execute any commands The plugin is not compatible with the memory image profile All of the above All of the above 128
39 What tool is commonly used to inspect the Windows Registry? Task Manager Command Prompt Registry Editor Disk Cleanup Registry Editor 22
40 Which of the following is NOT typically stored in the Windows Registry System settings User preferences Installed programs Temporary internet files Temporary internet files 22
How does simple encoding differ from encryption? Simple encoding makes data unreadable, while encryption makes data indecipherable Simple encoding is reversible, while encryption is irreversible Simple encoding requires a key, while encryption does not There is no difference between them Simple encoding is reversible, while encryption is irreversible 92
Simple encoding is often used to: Increase the size of the malware Decrease the size of the malware Obfuscate the intent of the malware None of the above Obfuscate the intent of the malware 92
Which of the following statements is TRUE about decoding base64 encoded malware? It is a computationally expensive process It requires the original key used for encoding Decoding tools are readily available Decoded malware is always in a functional state Decoding tools are readily available 92
What does it indicate when MalwareBytes finds malicious registry keys but no malicious files or processes? The malware has been completely removed, but the registry keys are left behind. The malware has relocated itself to evade detection. Another program has deleted the files but left the registry keys. All of the above. All of the above 73
What is the recommended action when Rogue Killer detects possible malware in the registry? Delete the registry entries. Create a system restore point and delete the entries. Seek expert help before taking any action. Seek expert help before taking any action. Seek expert help before taking any action. 73
What is the purpose of the Sticky Keys attack in Windows? To replace the sethc.exe binary with something that can provide a shell. To execute cmd.exe from the logon screen. To provide a shell without needing to authenticate. All of the above. All of the above. 73
50 Which of the following Windows services is known to be a common target for malware persistence mechanisms? Remote Procedure Call (RPC) Windows Update Windows Time Security Accounts Manager (SAM) Remote Procedure Call (RPC) 170
51 Which of the following commands can be used to check for services running under the context of the "SYSTEM" account? tasklist /svc net start sc queryex wmic service get name,startname wmic service get name,startname 170
52 Which of the following commands can be used to list all the shared libraries a binary depends on in Linux? kill-ps list-dir lepp ldd
53 Which command is used to list dynamic-link libraries (DLLs) currently loaded into memory in Windows? list-ps list-dll dir-dll tasklist /m tasklist /m

80 Which of the following techniques involves inserting non-functional code into the malware to confuse analysts? Code optimization Dead code insertion Code encryption Code signing Dead code insertion 80
80 What is a common method used in malware obfuscation to make the code harder to read and analyze? Adding comments to the code Removing unnecessary code Renaming variables and functions with random names Using descriptive function names Renaming variables and functions with random names 80
What is the primary purpose of extracting command history in malware forensics? A. To identify the source of the malware B. To understand the behavior of the malware C. To decrypt the encrypted files by the malware D. To remove the malware from the system B. To understand the behavior of the malware 144
Which of the following tools can be used to extract command history during malware forensics? A. Wireshark B. Volatility C. YARA D. Nessus B. Volatility 144
Which step in memory forensics involves the examination of volatile data structures to identify running processes, network connections, and loaded modules? Memory acquisition Memory analysis Memory preservation Memory reporting Memory analysis 157
In memory forensics, what does the process of "memory imaging" involve? Capturing a snapshot of the entire RAM content Analyzing file system metadata Extracting data from a hard disk Identifying network connections Capturing a snapshot of the entire RAM content 157
Which part of the SANS six-part memory analysis methodology is used to examine libraries and other files associated with a rogue process? Volatility Strings Redline Encase Strings 95
Which of the following is typically not something that can be examined using memory forensics? Running processes Network connections Loaded Dynamic Link Libraries (DLLs) The Master File Table (MFT) The Master File Table (MFT) 95
How does a fileless malware attack differ from traditional malware? It requires physical contact with the infected device It resides in system memory without a file footprint It spreads through infected email attachments It targets specific geographic locations It resides in system memory without a file footprint 74
When investigating a suspected malware infection using Volatility, which of the following actions would be LEAST helpful? Dumping the physical memory of the infected system Analyzing network connections to identify suspicious activity Examining loaded processes for unusual names or behaviors Recovering deleted files from the disk Dumping the physical memory of the infected system 123
You suspect a process named "updateservice.exe" might be malicious. Which Volatility command would be most useful to investigate further? history get_history extract history strings pslist 123
Which command is used for extracting the details of the operating system? history echo uname wc
Which command is commonly used to extract command history in Unix/Linux systems? Ransomware Adware Rootkit Ransomeware
What is custom encoding in the context of malware obfuscation? A technique to hide malware from antivirus programs A method to encode malware payloads using predefined algorithms An approach to encode malware using unique algorithms or transformations A process of encrypting malware using industry-standard encryption algorithms An approach to encode malware using unique algorithms or transformations 48
What is the primary purpose of custom encoding in malware? To increase the size of the malware file To decrease the complexity of the malware code To evade detection by antivirus programs To make malware execution faster To evade detection by antivirus programs 48
What role does custom encoding play in the lifecycle of a malware attack? It only occurs during the initial infection phase. It is primarily used during the propagation phase. It is essential for maintaining persistence on infected systems. It helps conceal the malware's presence and intent throughout its lifecycle. It helps conceal the malware's presence and intent throughout its lifecycle. 48
Which command-line utility can be used to analyze and manipulate DLLs in Windows? regsvr32 dumpbin regedit msconfig dumpbin 86

Which command-line tool can be used in Windows to list dynamic link libraries (DLLs) loaded in a process? ls dlllist tasklist ldd Tasklist 168
Which Windows Sysinternals tool is specifically designed for analyzing processes and the DLLs they load? Process Explorer Task Manager Performance Monitor Resource Monitor Process Explorer 168
88 Which obfuscation technique involves altering the structure of the malware without changing its functionality? Encryption Polymorphism Steganography Rootkitting Polymorphism 88
What is the primary purpose of obfuscating malware through encryption? To increase the size of the malware To slow down the execution of the malware To evade detection by antivirus software To improve the functionality of the malware To evade detection by antivirus software 88
Which of the following tools can be used to dump the executable code and data from a running process for analysis? Proc Dump Task Manager Registry Editor Command prompt Proc Dump 180
In the context of malware analysis, what is the primary purpose of dumping an executable or DLL? To extract embedded resources such as strings and metadata To analyze the behavior and functionality of the binary To decrypt encrypted sections of the binary To compress the file for storage purposes To analyze the behaviour and functionality of the binary 180
Which of the following best describes malware encryption? A technique used by malware to hide its presence and evade detection. A method used by antivirus software to remove malware from a system A process of encrypting legitimate files to protect them from unauthorized A strategy employed by hackers to encrypt sensitive data on a victim's computer for ransom. A technique used by malware to hide its presence and evade detection. 183
What is a common purpose of malware encryption? To improve the performance of the infected system. To enhance the user experience by encrypting files. To prevent security researchers from analyzing the malicious code. To increase the visibility of the malware to antivirus programs. To prevent security researchers from analyzing the malicious code. 183
What is a computer network? A device used to display information on a computer screen A type of software used to create documents and presentations A collection of interconnected computers and devices that can communicate and share resources
Which of the following best describes the significance of listing processes and their handles in malware analysis? It helps identify legitimate system processes and distinguish them from potentially malicious ones. It allows analysts to track resource allocation and usage, aiding in the detection of abnormal behavior. It [...] communication (IPC) mechanisms exploited by malware for lateral [...] It assists in identifying system [...] that [...] be leveraged [...] malware for privilege [...] It allows analysts to track resource allocation and usage, aiding in the detection of abnormal behavior. 127
Which of the following methods can be used to list processes and their handles in Windows for malware analysis? Task Manager Process Explorer PowerShell All of the above All of the above 127

What is the primary purpose of listing process handles in malware analysis? a- to identify potential legitimate processes b- to terminate legitimate processes c- to hide the presence of malware d- to bypass antivirus detection a- to identify potential legitimate processes 47 Arshdeep Kaur
Which information can be obtained by listing process handles in malware analysis? a-File Hashes b-Registry Keys c-Network Connection d-Loaded Libraries d-Loaded Libraries 47

Which of the Volatility options displays the supported plugins? -h -p -v -f -h 146

Which command is used for extracting the details of the operating system? cd echo uname wc uname
Which command is commonly used to extract command history? history get-history extract-history command-history history

