
Cisco 300-215 Exam Dumps

Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR)
581 Reviews

Exam Code 300-215
Exam Name Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR)
Questions 115 Questions Answers With Explanation
Update Date February 11,2026
Price: Was $90, today $50 / Was $108, today $60 / Was $126, today $70

Why Should You Prepare For Your Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR) With MyCertsHub?

At MyCertsHub, we go beyond standard study material. Our platform provides authentic Cisco 300-215 Exam Dumps, detailed exam guides, and reliable practice exams that mirror the actual Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR) test. Whether you’re targeting Cisco certifications or expanding your professional portfolio, MyCertsHub gives you the tools to succeed on your first attempt.

Verified 300-215 Exam Dumps

Every set of exam dumps is carefully reviewed by certified experts to ensure accuracy. For the 300-215 Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR), you’ll receive updated practice questions designed to reflect real-world exam conditions. This approach saves time, builds confidence, and focuses your preparation on the most important exam areas.

Realistic Test Prep For The 300-215

You can instantly access downloadable PDFs of 300-215 practice exams with MyCertsHub. These include authentic practice questions paired with explanations, making our exam guide a complete preparation tool. By testing yourself before exam day, you’ll walk into the Cisco exam with confidence.

Smart Learning With Exam Guides

Our structured 300-215 exam guide focuses on the core topics and question patterns of the Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR) exam. You will be able to concentrate on what really matters for passing the test rather than wasting time on irrelevant content.

Pass The 300-215 Exam – Guaranteed

We Offer A 100% Money-Back Guarantee On Our Products.

If you do not pass the Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR) exam after preparing with MyCertsHub's exam dumps, we will issue a full refund. That’s how confident we are in the effectiveness of our study resources.

Try Before You Buy – Free Demo

Still undecided? See for yourself how MyCertsHub has helped thousands of candidates achieve success by downloading a free demo of the 300-215 exam dumps.

MyCertsHub – Your Trusted Partner For Cisco Exams

Whether you’re preparing for Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR) or any other professional credential, MyCertsHub provides everything you need: exam dumps, practice exams, practice questions, and exam guides. Passing your 300-215 exam has never been easier thanks to our tried-and-true resources.

Cisco 300-215 Sample Question Answers

Question # 1

An engineer is analyzing a ticket for an unexpected server shutdown and discovers that the web server ran out of usable memory and crashed. Which data is needed for further investigation?

A. /var/log/access.log
B. /var/log/messages.log
C. /var/log/httpd/messages.log
D. /var/log/httpd/access.log



Question # 2

Which technique is used to evade detection from security products by executing arbitrary code in the address space of a separate live operation? 

A. process injection 
B. privilege escalation 
C. GPO modification 
D. token manipulation 



Question # 3

A network host is infected with malware by an attacker who uses the host to make calls for files and shuttle traffic to bots. This attack went undetected and resulted in a significant loss. The organization wants to ensure this does not happen in the future and needs a security solution that will generate alerts when command and control communication from an infected device is detected. Which network security solution should be recommended? 

A. Cisco Secure Firewall ASA 
B. Cisco Secure Firewall Threat Defense (Firepower) 
C. Cisco Secure Email Gateway (ESA) 
D. Cisco Secure Web Appliance (WSA) 



Question # 4

An employee receives an email from a “trusted” person containing a hyperlink that is malvertising. The employee clicks the link and the malware downloads. An information analyst observes an alert at the SIEM and engages the cybersecurity team to conduct an analysis of this incident in accordance with the incident response plan. Which event detail should be included in this root cause analysis? 

A. phishing email sent to the victim 
B. alarm raised by the SIEM 
C. information from the email header 
D. alert identified by the cybersecurity team 



Question # 5

What are YARA rules based upon? 

A. binary patterns 
B. HTML code 
C. network artifacts 
D. IP addresses



Question # 6

An engineer received a report of a suspicious email from an employee. The employee had already opened the attachment, which was an empty Word document. The engineer cannot identify any clear signs of compromise but while reviewing running processes, observes that PowerShell.exe was spawned by cmd.exe with a grandparent winword.exe process. What is the recommended action the engineer should take? 

A. Upload the file signature to threat intelligence tools to determine if the file is malicious.
B. Monitor processes, as this is standard behavior for Word documents with embedded macros.
C. Contain the threat for further analysis, as this is an indication of suspicious activity.
D. Investigate the sender of the email and communicate with the employee to determine the motives.
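The winword.exe -> cmd.exe -> powershell.exe chain in Question 6 is a parent/child relationship, so the check an analyst actually runs is a walk up the process tree rather than a look at any single process. The following is an added example, not exam or Cisco material, that does that walk over a constructed process snapshot (hypothetical PIDs and command lines) and reports every script host whose ancestry passes through an Office application; the lists of Office applications and script hosts are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example, not from the exam or Cisco: detect script hosts spawned (directly or
# via cmd.exe) by an Office application by walking the parent chain.

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str = ""

# Assumed lists for the example; extend to match your environment.
OFFICE_APPS: Set[str] = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS: Set[str] = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                          "cscript.exe", "mshta.exe", "rundll32.exe"}

def ancestry(procs: Dict[int, Proc], pid: int, max_depth: int = 32) -> List[str]:
    """Process names from the given PID up towards the root.

    Stops when the parent is absent from the snapshot (exited, or its PID was
    reused), on a loop, or after max_depth hops, so it always terminates.
    """
    chain: List[str] = []
    seen: Set[int] = set()
    cur: Optional[Proc] = procs.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        seen.add(cur.pid)
        chain.append(cur.name.lower())
        cur = procs.get(cur.ppid)
    return chain

def office_spawned_script_hosts(procs: Dict[int, Proc]) -> List[Tuple[int, str]]:
    """(pid, 'child <- parent <- ...') for each script host with an Office ancestor."""
    hits: List[Tuple[int, str]] = []
    for p in procs.values():
        if p.name.lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(procs, p.pid)
        if any(anc in OFFICE_APPS for anc in chain[1:]):
            hits.append((p.pid, " <- ".join(chain)))
    return hits

# Constructed snapshot (hypothetical PIDs and command lines, not from a real host).
SNAPSHOT: Dict[int, Proc] = {p.pid: p for p in [
    Proc(1000, 4, "explorer.exe"),
    Proc(2000, 1000, "WINWORD.EXE", '"WINWORD.EXE" /n invoice.docm'),
    Proc(2100, 2000, "cmd.exe", "cmd /c powershell -w hidden -enc <encoded>"),
    Proc(2200, 2100, "powershell.exe", "powershell -w hidden -enc <encoded>"),
    Proc(3000, 1000, "powershell.exe", "powershell"),  # user-launched from explorer: benign chain
]}

if __name__ == "__main__":
    for pid, chain in office_spawned_script_hosts(SNAPSHOT):
        print(f"pid {pid}: {chain}")
```

Both cmd.exe (2100) and powershell.exe (2200) are reported, while the PowerShell started from explorer.exe (3000) is not. On a live Windows host the snapshot would come from a process listing that includes parent PIDs (for example Sysinternals or a Get-CimInstance Win32_Process query); remember that a parent PID can be reused after the parent exits, so a chain that ends early is not proof of innocence.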



Question # 7

A security team received reports of users receiving emails linked to external or unknown URLs that are non-returnable and non-deliverable. The ISP also reported a 500% increase in the amount of ingress and egress email traffic received. After detecting the problem, the security team moves to the recovery phase in their incident response plan. Which two actions should be taken in the recovery phase of this incident? (Choose two.)

A. verify the breadth of the attack
B. collect logs 
C. request packet capture 
D. remove vulnerabilities 
E. scan hosts with updated signatures 



Question # 8

What is the goal of an incident response plan? 

A. to identify critical systems and resources in an organization 
B. to ensure systems are in place to prevent an attack 
C. to determine security weaknesses and recommend solutions 
D. to contain an attack and prevent it from spreading 



Question # 9

Which tool conducts memory analysis? 

A. MemDump 
B. Sysinternals Autoruns 
C. Volatility 
D. Memoryze 



Question # 10

Which magic byte indicates that an analyzed file is a pdf file? 

A. cGRmZmlsZQ
B. 706466666
C. 255044462d
D. 0a0ah4cg



Question # 11

A website administrator has an output of an FTP session that runs nightly to download and unzip files to a local staging server. The download includes thousands of files, and the manual process used to find how many files failed to download is time-consuming. The administrator is working on a PowerShell script that will parse a log file and summarize how many files were successfully downloaded versus ones that failed. Which script will read the contents of the file one line at a time and return a collection of objects? 

A. Get-Content -Folder \\Server\FTPFolder\Logfiles\ftpfiles.log | Show-From "ERROR", "SUCCESS"
B. Get-Content -ifmatch \\Server\FTPFolder\Logfiles\ftpfiles.log | Copy-Marked "ERROR", "SUCCESS"
C. Get-Content -Directory \\Server\FTPFolder\Logfiles\ftpfiles.log | Export-Result "ERROR", "SUCCESS"
D. Get-Content -Path \\Server\FTPFolder\Logfiles\ftpfiles.log | Select-String "ERROR", "SUCCESS"



Question # 12

A threat actor attempts to avoid detection by turning data into a code that shifts numbers to the right four times. Which anti-forensics technique is being used? 

A. encryption 
B. tunneling
C. obfuscation
D. poisoning 
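The point of Question 12 is that a fixed "shift by four" transformation needs no key, so it hides data from naive string matching but not from an analyst. This added example (not exam material) implements the shift the question describes as a substitution over digits and ASCII letters, reverses it, and then recovers the shift by trial alone using a known plaintext token; treating the shift as a digit/letter rotation is the example's own interpretation.

```python
import string
from typing import Optional

# Added example, not from the exam: a keyless shift-by-four encoding and why it is
# obfuscation rather than encryption (anyone can undo it without a secret).

SHIFT = 4

def shift_text(text: str, n: int) -> str:
    """Shift each digit by n (mod 10) and each ASCII letter by n (mod 26).

    Punctuation and other characters pass through unchanged, so dotted IPs,
    ports and URLs keep their shape and are easy to spot after decoding.
    """
    out = []
    for ch in text:
        if ch in string.digits:
            out.append(string.digits[(string.digits.index(ch) + n) % 10])
        elif ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[(string.ascii_lowercase.index(ch) + n) % 26])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[(string.ascii_uppercase.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)

def obfuscate(text: str) -> str:
    return shift_text(text, SHIFT)

def deobfuscate(text: str) -> str:
    return shift_text(text, -SHIFT)

def recover_shift(blob: str, known_token: str) -> Optional[int]:
    """Find the shift by trying all of them; the one exposing a known token wins.

    There is no secret to guess, which is exactly what separates obfuscation
    from encryption. Returns None if no shift exposes the token.
    """
    for n in range(26):
        if known_token in shift_text(blob, -n):
            return n
    return None

if __name__ == "__main__":
    # Constructed sample: a C2 address an implant might hide in its config.
    hidden = obfuscate("attacker 10.0.0.5:4444")
    print(hidden)                                  # exxegoiv 54.4.4.9:8888
    print(recover_shift(hidden, "attacker"))        # 4
    print(deobfuscate(hidden))                      # attacker 10.0.0.5:4444
```

A signature that looks for "10.0.0.5" misses the encoded form, but the encoded string decodes with one line and no key; a YARA rule can even match the shifted bytes directly once the scheme is known.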



Question # 13

What is a concern for gathering forensics evidence in public cloud environments? 

A. High Cost: Cloud service providers typically charge high fees for allowing cloud forensics. 
B. Configuration: Implementing security zones and proper network segmentation. 
C. Timeliness: Gathering forensics evidence from cloud service providers typically requires substantial time. 
D. Multitenancy: Evidence gathering must avoid exposure of data from other tenants. 



Question # 14

A security team is discussing lessons learned and suggesting process changes after a security breach incident. During the incident, members of the security team failed to report the abnormal system activity due to a high project workload. Additionally, when the incident was identified, the response took six hours due to management being unavailable to provide the approvals needed. Which two steps will prevent these issues from occurring in the future? (Choose two.) 

A. Introduce a priority rating for incident response workloads.
B. Provide phishing awareness training for the full security team.
C. Conduct a risk audit of the incident response workflow. 
D. Create an executive team delegation plan. 
E. Automate security alert timeframes with escalation triggers. 



Question # 15

What is a use of TCPdump? 

A. to analyze IP and other packets
B. to view encrypted data fields
C. to decode user credentials 
D. to change IP ports 



Question # 16

An incident response team is recommending changes after analyzing a recent compromise in which: a large number of events and logs were involved; team members were not able to identify the anomalous behavior and escalate it in a timely manner; several network systems were affected as a result of the latency in detection; security engineers were able to mitigate the threat and bring systems back to a stable state; and the issue reoccurred shortly after and systems became unstable again because the correct information was not gathered during the initial identification phase. Which two recommendations should be made for improving the incident response process? (Choose two.) 

A. Formalize reporting requirements and responsibilities to update management and internal stakeholders throughout the incident-handling process effectively. 
B. Improve the mitigation phase to ensure causes can be quickly identified, and systems returned to a functioning state. 
C. Implement an automated operation to pull systems events/logs and bring them into an organizational context. 
D. Allocate additional resources for the containment phase to stabilize systems in a timely manner and reduce an attack’s breadth. 
E. Modify the incident handling playbook and checklist to ensure alignment and agreement on roles, responsibilities, and steps before an incident occurs. 



Question # 17

Which information is provided about the object file by the "-h" option in the objdump command objdump -b oasys -m vax -h fu.o?

A. bfdname 
B. debugging 
C. help 
D. headers



Question # 18

An engineer received a call to assist with an ongoing DDoS attack. The Apache server is being targeted, and availability is compromised. Which step should be taken to identify the origin of the threat? 

A. An engineer should check the list of usernames currently logged in by running the command who | cut -d' ' -f1 | sort | uniq
B. An engineer should check the server's processes by running the commands ps -aux and sudo ps -a.
C. An engineer should check the services on the machine by running the command service --status-all.
D. An engineer should check the last hundred entries of the web server log with the command sudo tail -100 /var/log/apache2/access.log.
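Looking at the last hundred entries of access.log, as in Question 18, tells you what the server saw most recently; to name the sources you want the whole file parsed and ranked. This added example (not exam or Cisco material, and the same "read line by line, return a collection of objects" pattern Question 11 asks about) parses Apache combined-format lines into records, then ranks source addresses, request lines and the busiest second. The log lines are constructed for the example and use documentation address ranges.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Added example, not from the exam: parse Apache access.log into records and rank
# the sources behind a request flood.

# Apache "combined" format; referer and user agent are optional so "common"
# format lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One log line to one record; None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skip junk rather than abort; attackers do inject odd lines
    req = m.group("req").split(" ")
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), TS_FMT),
        "method": req[0] if req else "",
        "path": req[1] if len(req) > 1 else "",
        "status": int(m.group("status")),
        "ua": m.group("ua") or "",
    }

def parse_access_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Read line by line and return a collection of record objects."""
    return [rec for rec in (parse_line(ln.rstrip("\r\n")) for ln in lines) if rec]

def top_sources(records, n: int = 5) -> List[Tuple[str, int]]:
    return Counter(r["ip"] for r in records).most_common(n)

def top_requests(records, n: int = 5) -> List[Tuple[str, int]]:
    return Counter(f'{r["method"]} {r["path"]}' for r in records).most_common(n)

def peak_second(records) -> Tuple[Optional[datetime], int]:
    """Busiest one-second bucket as (timestamp, request count)."""
    buckets = Counter(r["time"] for r in records)
    return buckets.most_common(1)[0] if buckets else (None, 0)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = """\
203.0.113.7 - - [10/Feb/2026:14:03:01 +0000] "GET /login HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Feb/2026:14:03:01 +0000] "GET /login HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Feb/2026:14:03:01 +0000] "GET /login HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Feb/2026:14:03:02 +0000] "GET /login HTTP/1.1" 503 0 "-" "python-requests/2.31"
198.51.100.22 - - [10/Feb/2026:14:03:01 +0000] "GET /login HTTP/1.1" 200 5123 "-" "python-requests/2.31"
198.51.100.22 - - [10/Feb/2026:14:03:02 +0000] "GET /login HTTP/1.1" 503 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Feb/2026:14:03:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
this line is garbage and must not crash the parser
"""

if __name__ == "__main__":
    recs = parse_access_log(SAMPLE.splitlines())
    print("sources:", top_sources(recs))
    print("requests:", top_requests(recs))
    print("peak:", peak_second(recs))
```

Two caveats when reading the result: if Apache sits behind a load balancer or CDN, the first field is the proxy's address and the client is only in X-Forwarded-For (which needs a matching LogFormat), and in a volumetric flood the sources are distributed or spoofed, so "origin" here means the addresses to block or rate-limit, not necessarily the attacker.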



Question # 19

What is the transmogrify anti-forensics technique?

A. hiding a section of a malicious file in unused areas of a file 
B. sending malicious files over a public network by encapsulation 
C. concealing malicious files in ordinary or unsuspecting places 
D. changing the file header of a malicious file to another file type 
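Questions 10 and 19 are two sides of one check: a file's type is read from its leading bytes (25 50 44 46 2D is "%PDF-"), and transmogrify is the trick of rewriting those bytes so the file identifies as something else. Checking the header alone therefore catches a renamed file but not a transmogrified one; the body has to agree with the header too. This added example (not exam or Cisco material) identifies a file by magic bytes, compares that with the extension, and then looks for structural markers deeper in the file (a PDF trailer, the PE header at e_lfanew) so a PE with a "%PDF-" header is still flagged. The signature tables and the sample files are constructed for the example.

```python
from typing import Dict, List, Optional, Set

# Added example, not from the exam or Cisco: magic-byte identification plus a
# header/body consistency check that catches a swapped file header.

MAGIC: Dict[str, bytes] = {
    "pdf":  b"%PDF-",               # 25 50 44 46 2D
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif":  b"GIF8",
    "zip":  b"PK\x03\x04",          # also docx/xlsx/pptx/jar containers
    "pe":   b"MZ",                  # Windows exe/dll/scr
    "elf":  b"\x7fELF",
}
# What a file with a given extension should identify as (assumed table).
EXPECTED: Dict[str, Set[str]] = {
    "pdf": {"pdf"}, "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "gif": {"gif"},
    "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"},
    "exe": {"pe"}, "dll": {"pe"}, "scr": {"pe"}, "elf": {"elf"},
}
# Structure that should exist deeper in the file if the header is honest.
BODY_MARKERS: Dict[str, List[bytes]] = {
    "pdf": [b"%%EOF"],
    "pe":  [b"PE\x00\x00", b"This program cannot be run in DOS mode"],
    "zip": [b"PK\x05\x06"],         # end-of-central-directory record
}

def identify(data: bytes) -> Optional[str]:
    """Type from the leading bytes alone; longest signature is tried first."""
    for kind, sig in sorted(MAGIC.items(), key=lambda kv: -len(kv[1])):
        if data.startswith(sig):
            return kind
    return None

def header_consistent(kind: Optional[str], data: bytes) -> bool:
    """Does the body agree with the type the header claims?"""
    if kind == "pdf":
        return b"%%EOF" in data[-1024:] and b" obj" in data
    if kind == "pe":
        if len(data) < 0x40:
            return False
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    if kind == "zip":
        return b"PK\x05\x06" in data[-65557:]
    return kind is not None  # no deeper check for the other types here

def body_evidence(data: bytes) -> List[str]:
    """Types whose internal markers appear anywhere past the first byte."""
    return sorted(k for k, marks in BODY_MARKERS.items()
                  if any(m in data[1:] for m in marks))

def check_file(filename: str, data: bytes) -> Dict[str, object]:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = identify(data)
    expected = EXPECTED.get(ext)
    ext_mismatch = expected is not None and detected not in expected
    consistent = header_consistent(detected, data)
    evidence = body_evidence(data)
    ok = not ext_mismatch and consistent and set(evidence) <= {detected}
    return {"file": filename, "detected": detected, "ext_mismatch": ext_mismatch,
            "header_consistent": consistent, "body_evidence": evidence,
            "verdict": "ok" if ok else "suspicious"}

# Constructed samples: a minimal PDF, a minimal PE skeleton (DOS header with
# e_lfanew = 0x40 pointing at "PE\0\0"), and that PE with its header rewritten.
GOOD_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\nstartxref\n9\n%%EOF\n"
MINI_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 24
TRANSMOGRIFIED = b"%PDF-" + MINI_PE[5:]

if __name__ == "__main__":
    for name, blob in [("report.pdf", GOOD_PDF), ("tool.exe", MINI_PE),
                       ("invoice.pdf", MINI_PE), ("invoice.pdf", TRANSMOGRIFIED)]:
        print(check_file(name, blob))
```

Renaming tool.exe to invoice.pdf trips the extension check; rewriting its first bytes to "%PDF-" passes both the extension and the magic check and is only caught because the PDF trailer is missing and a PE signature is still present further in. Real files are messier than these skeletons (a PE can legitimately embed a PDF as a resource), so treat the verdict as a triage signal and confirm with a full parser.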



Question # 20

A security team detected an above-average amount of inbound tcp/135 connection attempts from unidentified senders. The security team is responding based on their incident response playbook. Which two elements are part of the eradication phase for this incident? (Choose two.) 

A. anti-malware software 
B. data and workload isolation 
C. centralized user management 
D. intrusion prevention system 
E. enterprise block listing solution 



Question # 21

Which tool is used for reverse engineering malware? 

A. Ghidra 
B. SNORT 
C. Wireshark 
D. NMAP 



Question # 22

An organization uses a Windows 7 workstation for access tracking in one of their physical data centers on which a guard documents entrance/exit activities of all personnel. A server shut down unexpectedly in this data center, and a security specialist is analyzing the case. Initial checks show that the previous two days of entrance/exit logs are missing, and the guard is confident that the logs were entered on the workstation. Where should the security specialist look next to continue investigating this case?

A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
C. HKEY_CURRENT_USER\Software\Classes\Winlog
D. HKEY_LOCAL_MACHINES\SOFTWARE\Microsoft\Windows NT\CurrentUser



Question # 23

A scanner detected a malware-infected file on an endpoint that is attempting to beacon to an external site. An analyst has reviewed the IPS and SIEM logs but is unable to identify the file’s behavior. Which logs should be reviewed next to evaluate this file further? 

A. email security appliance
B. DNS server
C. Antivirus solution 
D. network device 



Question # 24

Over the last year, an organization’s HR department has accessed data from its legal department on the last day of each month to create a monthly activity report. An engineer is analyzing suspicious activity alerted by a threat intelligence platform that an authorized user in the HR department has accessed legal data daily for the last week. The engineer pulled the network data from the legal department’s shared folders and discovered above average-size data dumps. Which threat actor is implied from these artifacts? 

A. privilege escalation 
B. internal user errors 
C. malicious insider 
D. external exfiltration 



Question # 25

What is the steganography anti-forensics technique? 

A. hiding a section of a malicious file in unused areas of a file 
B. changing the file header of a malicious file to another file type 
C. sending malicious files over a public network by encapsulation
D. concealing malicious files in ordinary or unsuspecting places



Feedback That Matters: Reviews of Our Cisco 300-215 Dumps

    Hassan Mander         Feb 13, 2026

Thanks to MyCertsHub, I got a great score on my 300-215 exam. The practice test and dumps PDF were accurate, and on test day, the questions felt very familiar.

    Adam Singh         Feb 12, 2026

The 300-215 dumps were solid, and studying was made much simpler by the practice questions and answers.

    Joshua Bell         Feb 12, 2026

Big thanks to MyCertsHub! Their 300-215 practice exam and dumps were excellent. I passed the exam easily because the questions were close to each other.

    Harrison Bates         Feb 11, 2026

The practice questions and answers in the 300-215 dumps PDF helped me concentrate on important topics. The practice test gave me confidence to attempt the actual exam without hesitation.

    Cristian Price         Feb 11, 2026

My preparation for Cisco 300-215 was greatly enhanced by MyCertsHub. Their practice test, exam questions, and dumps were up to date and trustworthy. The practice questions and answers explained concepts clearly, which made a huge difference in my preparation.

