CCT 221: Malicious QR Codes and Advanced Digital Forensics Techniques for CISSP (D7.1)

Feb 10, 2025
 

Curious about the latest tactics cybercriminals are using to exploit vulnerabilities in messaging apps? Join me, Shon Gerber, on the CISSP Cyber Training Podcast as we unravel how Russian hackers are leveraging malicious QR codes to breach platforms like Signal, Telegram, and WhatsApp. We'll dissect this alarming trend that targets high-profile individuals including politicians and journalists, and underscore the importance of staying vigilant when interacting with QR codes. Despite fighting off a cold, I share a heartening story of collaboration with a student who helped correct errors in our study materials, reminding us all of the power of continuous learning and positive contributions to the cybersecurity community.

Ever wondered how digital forensics can help you get ahead of potential cybersecurity incidents? Discover essential techniques for conducting thorough investigations as we unpack the art of digital forensics and incident response. From using static analysis to safely examine suspicious files, crafting incident reports with precision, to tackling insider threats with comprehensive artifact collection, this episode covers it all. Learn about the role of tools like Cellebrite in mobile device analysis and the critical importance of maintaining a chain of custody to safeguard evidence integrity. We also highlight root cause analysis as a key strategy for dissecting malware outbreaks and fortifying your organization’s defenses.
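The three forensics answers the episode keeps returning to (make a forensic copy before touching anything, keep a chain-of-custody record, and examine a suspicious file statically rather than running it) fit together as one workflow. The script below is an added example written for this page, not code from the podcast or its author. It assumes a hypothetical analyst identity and a constructed 204-byte sample file that merely starts with the MZ/PE magic bytes; the sample is never executed, and the hash-before, copy, hash-after sequence is what preserves the original's integrity.

```python
import hashlib
import json
import math
import os
import re
import shutil
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Constructed sample "evidence" (not a real binary): an MZ/PE header stub
# followed by strings an analyst would want to spot. It is never executed.
SAMPLE_EVIDENCE = (
    b"MZ" + b"\x90" * 58 + b"\x40\x00\x00\x00"  # e_lfanew -> header at offset 0x40
    + b"PE\x00\x00" + b"\x00" * 20
    + b"http://example.invalid/update.bin\x00"
    + b"cmd.exe /c whoami\x00"
    + b"\x00" * 64
)

MAGIC = {
    b"MZ": "PE (Windows executable)",
    b"\x7fELF": "ELF",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP (or Office/JAR container)",
}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(original, dest_dir, handler, log_path):
    """Question 1: copy first, verify the copy, then work only on the copy.

    Returns the chain-of-custody record (Question 6) appended to log_path.
    """
    before = sha256_file(original)
    copy = os.path.join(dest_dir, os.path.basename(original) + ".copy")
    shutil.copyfile(original, copy)
    after = sha256_file(copy)
    if after != before:
        raise RuntimeError("forensic copy does not match original; acquisition failed")
    os.chmod(original, 0o444)  # original becomes read-only and is set aside
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "handler": handler,  # hypothetical analyst identity
        "action": "acquired forensic copy",
        "original": original,
        "copy": copy,
        "sha256": after,
    }
    with open(log_path, "a") as log:  # one JSON line per custody event
        log.write(json.dumps(record) + "\n")
    return record


def verify_custody(record):
    """Re-hash the copy; any mismatch means the evidence was altered."""
    return sha256_file(record["copy"]) == record["sha256"]


def static_triage(path):
    """Question 2: inspect properties and content without executing the file."""
    with open(path, "rb") as f:
        data = f.read()
    kind = next((name for sig, name in MAGIC.items() if data.startswith(sig)), "unknown")
    counts = Counter(data)
    entropy = -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values()) if data else 0.0
    strings = [s.decode() for s in re.findall(rb"[\x20-\x7e]{8,}", data)]
    indicators = [s for s in strings if re.search(r"https?://|cmd\.exe|powershell", s, re.I)]
    return {"type": kind, "size": len(data), "entropy": round(entropy, 2),
            "strings": strings, "indicators": indicators}


def demo():
    """Acquire, verify custody and triage the constructed sample in a temp dir."""
    work = tempfile.mkdtemp(prefix="evidence-")
    original = os.path.join(work, "suspicious.bin")
    with open(original, "wb") as f:
        f.write(SAMPLE_EVIDENCE)
    record = acquire(original, work, "analyst@example.invalid", os.path.join(work, "custody.jsonl"))
    triage = static_triage(record["copy"])  # analysis runs on the copy, never the original
    return {"custody_ok": verify_custody(record), "original_hash": record["sha256"],
            "sha256_of_sample": hashlib.sha256(SAMPLE_EVIDENCE).hexdigest(), **triage}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports that the copy's SHA-256 matches the original, identifies the sample as a PE file from its magic bytes alone, and surfaces the embedded URL and `cmd.exe` string as indicators, all without the file ever being opened by anything but a byte reader. In a real case the custody log would live on write-once or signed storage, and each later handler would append their own record rather than editing an existing one.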

Looking to deepen your cybersecurity expertise? We’ve got you covered with a treasure trove of resources, including video content on our CISSP Cyber Training blog and consulting services through partnerships like NextPeak. Whether you’re a seasoned expert or just beginning your journey, these tools are designed to enhance your skills and provide specialized guidance. Explore how anomaly-based detection aids in spotting malicious network activity and why clear, jargon-free reporting is crucial in post-incident reviews. This episode promises to equip you with the insights needed to navigate the evolving landscape of cybersecurity challenges and opportunities.
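Question 12 in the episode picks anomaly-based detection for spotting malicious behavior in network traffic logs because it catches activity that matches no known signature. The script below is an added example for this page, not the podcast's code: it learns a per-host baseline (mean and standard deviation of bytes per minute, plus the set of destination ports each host has ever used) from constructed flow records, then flags minutes that deviate from it. The hosts, addresses, volumes and the z-score threshold of 3 are all assumptions made for the demonstration.

```python
import statistics
from collections import defaultdict

MINUTE = 60
Z_THRESHOLD = 3.0  # assumed: flag a minute whose byte count is >3 std devs above the host's mean


def make_flows(src, dst, dport, nbytes, first_minute, minutes, per_minute):
    """Constructed flow records as (epoch, src, dst, dport, bytes) tuples."""
    flows = []
    for m in range(minutes):
        count = per_minute(m) if callable(per_minute) else per_minute
        for i in range(count):
            flows.append(((first_minute + m) * MINUTE + i, src, dst, dport, nbytes))
    return flows


# 30 minutes of "normal" traffic used to learn what each host usually does.
BASELINE_FLOWS = (
    make_flows("10.0.0.5", "10.0.1.10", 443, 1500, 0, 30, lambda m: 5 + m % 2)
    + make_flows("10.0.0.7", "10.0.1.20", 53, 60, 0, 30, 20)
)

# Two minutes under investigation: host .5 suddenly pushes 5 MB to an
# external address on a port it has never used before.
EVAL_FLOWS = (
    make_flows("10.0.0.5", "10.0.1.10", 443, 1500, 30, 2, 5)
    + make_flows("10.0.0.7", "10.0.1.20", 53, 60, 30, 2, 20)
    + [(31 * MINUTE + 30, "10.0.0.5", "203.0.113.9", 4444, 5_000_000)]
)


def per_minute_features(flows):
    """Aggregate flows into {(src, minute): {"bytes": total, "dports": set}}."""
    feats = defaultdict(lambda: {"bytes": 0, "dports": set()})
    for ts, src, dst, dport, nbytes in flows:
        f = feats[(src, ts // MINUTE)]
        f["bytes"] += nbytes
        f["dports"].add(dport)
    return feats


def build_baseline(flows):
    """Per source: mean/stdev of bytes per minute and every port ever contacted."""
    per_src = defaultdict(lambda: {"bytes": [], "dports": set()})
    for (src, _minute), f in per_minute_features(flows).items():
        per_src[src]["bytes"].append(f["bytes"])
        per_src[src]["dports"] |= f["dports"]
    baseline = {}
    for src, agg in per_src.items():
        baseline[src] = {
            "mean": statistics.mean(agg["bytes"]),
            # A perfectly regular host has stdev 0; a floor of 1 byte keeps the
            # z-score finite and large instead of dividing by zero.
            "stdev": max(statistics.pstdev(agg["bytes"]), 1.0),
            "dports": agg["dports"],
        }
    return baseline


def detect_anomalies(baseline, flows, z_threshold=Z_THRESHOLD):
    """Flag per-minute activity that deviates from the learned baseline.

    Returns a sorted list of (src, minute, reason) tuples.
    """
    alerts = []
    for (src, minute), f in per_minute_features(flows).items():
        b = baseline.get(src)
        if b is None:
            alerts.append((src, minute, "no baseline for this source"))
            continue
        z = (f["bytes"] - b["mean"]) / b["stdev"]
        if z > z_threshold:
            alerts.append((src, minute, f"byte volume z-score {z:.1f}"))
        for port in sorted(f["dports"] - b["dports"]):
            alerts.append((src, minute, f"never-before-seen destination port {port}"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_FLOWS), EVAL_FLOWS):
        print(alert)
```

Replaying the baseline window through the detector produces no alerts, which is the sanity check to run before trusting it on live data; the evaluation window produces two alerts for 10.0.0.5 at minute 31, one for volume and one for the new port, while the steady DNS host stays quiet. A signature rule keyed on port 4444 would have caught only the second of those, and nothing at all had the attacker chosen 443.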

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.

Speaker 2:  

Good morning everybody. It's Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today.

Speaker 2:  

Today is CISSP Question Thursday, and so today we're gonna be getting into some CISSP questions focused around the domain that we just had in the podcast, and today's going to be 7.1. So we have some questions fully are going towards 7.1 and we'll be talking about those. But before we do, one thing is yes, you can tell I have a cold. Yes, it's a very unfortunate thing. Status of events right now and oh, it's just no fun, but that's all I can say is in the airports now I will be wearing masks, so if you see me in the airport, you can wave at me behind my mask and I will wave back at you. Yeah, that unfortunately got this cold when I was heading out to do a consulting gig and, needless to say, I just yeah, it's been about a week and a half, so fun times, but it's almost done, so the life is good, and then I'm getting ready to go back on the road again. So masks are coming out.

Speaker 2:  

So, before we get started, before that we're going to talk about the Russian hackers are exploiting Signal linked devices, featuring real-time spying. Now, this is in the SecurityWeek article, and one of the things that I came up was Signal is used a lot by people. Okay, I've used it. There's a lot of people that use Signal within their companies. Now, one of the things that they came up with is that they figured out how to abuse this is through scanning malicious QR codes that are embedded within these overall phishing links is what's happening, and because of that is basically the result is every message sent to the user is being duplicated to the attacker's device in real time if you click on the or you scan the QR code that's associated with that. So, again, taking a line from a person who's a great singer and I love her to death: haters are going to hate, hate, hate. Scammers are going to scam, scam, scam. Yes, they are. So if you get emails that have got QR codes embedded in them, you may want to consider whether or not you wish to use them or not.

Speaker 2:  

Signal is a great tool. If you haven't all used it. It's an awesome encryption communication tool. It works really, really well and it's an out-of-band system. It's not your typical WhatsApp or texting capability within Apple. So it's an out-of-band system. It installs apps on your phone and you can do this signal encryption from point to point, so it works really, really well. However, like anything else, if you allow the attackers into that cone of silence or the zone of trust.

Speaker 2:  

Now, the targeted user base typically are politicians, journalists and folks that are in the military that want to have encryption with out-of-band communications, and so you can understand why these groups would be after these individuals as well. So it's, again, it's one of those aspects that are it's an important part. If you have any of these communication methods and communication tools, you should consider making sure that you don't fall for the scams. One of the bigger implications that comes out of this as well is a threat it's sort of a threat beyond Signal itself, and it also went after other messaging applications such as Telegraph and WhatsApp. Or Telegram, I should say, and WhatsApp, so these are actively being targeted by Russian APTs. You need to consider that, if you are using Signal, just make sure that you are not clicking on any links and you are not scanning any QR codes with your device unless you know specifically where those QR codes came from. So, again, it's an important part of what you're doing. If you're obviously using Signal in many forms and fashions, you're probably a little bit more security conscious, but anybody can get scammed.

Speaker 2:  

I've been there, done that. The French got me multiple times accidentally, so it wasn't accidentally. I actually clicked on the link. But, that being said, yeah, you just got to be careful, all right, so let's get into today's questions. Okay, so, like I mentioned before, this is over domain 7.1. And you can go to CISSP Cyber Training and get access to all of my questions Every one of them. They're all there and available for you.

Speaker 2:  

I had a really great conversation with one of my students just yesterday and he gave me some great feedback on some of the questions. I actually found a couple errors in them, which is awesome. I appreciate that when you start putting questions in, just like everybody knows, you do make mistakes. So he found a couple and that was awesome. I fixed those and we're in the process of fixing those right now. So that is super cool.

Speaker 2:  

The other cool part about doing the mentorship piece that I have with CISSP Cyber Training I get to meet a lot of really cool people and the neat part about all this is the fact that you all are doing some amazing things in security, and the neat part the even more neat part, more cool part is the fact that a lot of you are actually utilizing nonprofits and you're giving your skills and utilizing your skills for good, not necessarily evil, which is a great concept. Right, we talk about that. Use your skills for good, not for evil or your powers, I should say, because you do. And if you haven't realized this yet, one of the individuals I was talking to just the other day also mentioned this that he is working with communicating with the board level executives, and understanding and trying to communicate these IT vernacular or jargon to what boards need is a really great skill, and having the ability to do that, to be able to communicate to senior leaders about IT security, about IT risk, is a great, great concept and it's a great capability. If you can do it, and if you can do it, I would highly recommend that you exercise it, because it will also be very lucrative for you in the future. So just keep that in mind.

Speaker 2:  

Okay, so let's get into question number one. A company has experienced a data breach and now is in the process of collecting evidence. What is the first step the incident response team should take when handling digital evidence? Okay, so keep in mind as you read these questions, don't glob on to the first thing. You also need to think very long about what exactly they're saying. So just again, read the questions slowly, don't jump, don't get ahead of yourself. A, analyze the evidence to identify the attack vector. B, create a forensic copy of the evidence. C, notify law enforcement about the breach. Or D, document the findings in an incident report. Again, what is the first thing, the first step the incident response team should take when handling digital evidence? And that is B, create a forensic copy of the evidence. Okay, again, you want to create a forensic copy to preserve the original data's integrity. The moment you start messing with the original data, then it can be thrown out and not be admissible in court, and so therefore it's important that you make a digital copy, set the original off to the side and only do your searching through the digital copy.

Speaker 2:  

Question two. During an incident investigation, the incident response team discovers a suspicious file on a compromised workstation. What is the investigative technique that they should use to analyze the file further? Again, an incident response team discovers a suspicious file on a compromised workstation; what technique should they use to analyze the file further? A, heuristic analysis. B, dynamic analysis. C, threat hunting. Or D, static analysis. And the answer is D, static analysis. Right, static analysis involves examining the file's properties, content and metadata without actually executing it. This actually helps identify any potential malware that might be within this, or a logic bomb, something like that, that could occur within that file if you start messing or tampering with it.

Speaker 2:  

Question three. After completing an investigation into a security incident, the team needs to report their findings. What critical information should be included in the incident report? So, again, after completing an investigation into a security incident, the team needs to report their findings. What critical information should be included in the incident report? A, the timeline of events and actions taken during the investigation. B, personal information about employees involved in the incident. C, detailed technical specifications of all affected systems. Or D, company financial data related to the incident.

Speaker 2:  

Again, after completing the investigation, the team needs to report their findings.

Speaker 2:  

What critical information should be included in the incident report? And the answer is A, a timeline of events and actions taken during the investigation. The incident report should include the detailed timeline of events and the actions taken during the investigation. And again, it's crucial to understand the incident's context, assessing the response effectiveness and identifying areas for improvement. All of this information is very important when you're doing any sort of investigation. Now the one thing to consider is personal information, and technical specifications or financial data may not be necessary in this report, but it could be necessary. So you want to consider that during any investigation that you do. Again, just because it's personal information, do not automatically assume, well, it's personal, I can't use it. That may not be the case. You may want to use it. However, you just need to make sure that you have adequate protections in place to protect the information of the people and the data itself.

Speaker 2:  

Question four. A digital forensics team is tasked with investigating a suspected insider threat involving a company laptop. Which of the following artifacts should they prioritize in collecting? So you have an insider threat involving a company laptop. A, email archives and calendar entries. B, system logs and application logs. C, network traffic data. Or D, all of the above? And I bet you guys know this one, and the answer is D. Right, all of the above. Anytime you're dealing with an insider threat and you have a company laptop especially, but I mean it really doesn't matter, anything that deals with insiders. Our email archives and calendar entries are an important part. System logs, application logs and network traffic data all are valuable pieces of information when dealing with an insider threat and an investigation around that person. So, again, leave nothing off the table.

Speaker 2:  

Question five. When performing a digital forensics investigation, which of the following tools is specifically designed for analyzing mobile devices? Okay, so you're dealing with digital forensics and you're dealing with mobile devices, so which one is actually it? A, EnCase. B, FTK Imager. C, Cellebrite UFED. Or D, Wireshark? Now, can any of these devices be used? Yes, but when you're analyzing mobile devices, which one works the best? And that would be C, Cellebrite. Cellebrite is a specialized tool designed for extracting data on mobile devices, including smartphones and tablets. It was one of my legal classes that I went through when the individuals were recommending that for any sort of legal activity. The one thing I will say, though, is now that the encryption on a lot of these cell phones, Cellebrite has been having to work really hard to get around those pieces of that. So how it works, I don't know specifically, I just know it's used a lot in mobile phone investigations, so something to keep in mind. Okay, question six. In the context of evidence handling, what is the significance of maintaining a chain of custody?

Speaker 2:  

A, it guarantees that all evidence is stored in a secure location. B, it provides a documented history of evidence from collection to presentation in court. C, it ensures evidence is analyzed using the most advanced tools. Or D, it allows investigators to bypass legal requirements for evidence presentation. Again, in the context of evidence handling, what is the significance of maintaining a chain of custody? And the answer is B, it provides a documented history of evidence from collection to the presentation in court. We've talked about this numerous times on CISSP Cyber Training.

Speaker 2:  

Your chain of custody is an important factor. I've worked with legal teams, both in the consulting gig and when I was working with Koch Industries as the CISO for one of the Koch companies. This was a big factor. Right, chain of custody is an important part, and when you tell me you're dealing with an investigation, you really, truly want to have all that collected and how it's handled, because the last thing you need is if somebody ends up stealing data. Now, this can happen whether a person was an IT individual going after your data or it was just an insider, an individual who was doing fraudulent wire transfers. You want to have a chain of custody around all of the data that you're using within your court or within the presentation, and one of the things you want to deal with is, if you're dealing with the lawyers, they understand chain of custody. Obviously they're lawyers, but they may not totally understand it when you're dealing with IT systems. So you're going to have to be the seeing eye dog that's going to have to help them through this entire process.

Speaker 2:  

Question seven. A cybersecurity analyst is tasked with identifying the root cause of a recent malware outbreak in an organization. Which investigative technique is the most effective for this purpose? A, social engineering testing. B, threat modeling. C, root cause analysis. Or D, vulnerability scanning. Okay, which investigative technique is the most effective when you're looking for RCA or root cause analysis? And the answer is C, right, sorry, I gave the answer ahead of the question. Now there's root cause, right? So if you deal with root cause, the answer is C, root cause analysis, RCA. So RCA is a systematic approach for identifying the fundamental cause of the problem or incident. Again, the answer was C in this case. Again, it helps you understand the malware outbreak. How did it happen? How did it affect the organization?

Speaker 2:  

RCA is an important factor in anything you do when it comes to dealing with after-the-fact incidents, whether it's dealing with malware and an investigation or an insider threat. You want to understand how they got to this point. I did an insider investigation a few years back and come to find out the data was leaving the organization. We couldn't figure out why. Come to find out that the individual was connecting their phone via Bluetooth to their computer and then they were able to, or I should say, connecting their computer to their phone via Bluetooth and then migrating the data out that way. So one of the things we did is we did a root cause analysis and realized, oh yeah, look at that, hmm, that's not good. So, needless to say, after that we quickly shut everything else down.

Speaker 2:  

Question eight. Which of the following is a critical consideration when documenting the evidence collected during an investigation? Again, which of the following is a critical consideration when documenting the evidence collected during an investigation? A, maintaining objectivity and avoiding assumptions. B, using complex technical jargon to ensure clarity. C, including personal opinions about the incident. And D, using informal language for better readability. Okay again, what do you want to do in documenting the evidence when collecting it during an investigation? What is a critical consideration? A, maintaining objectivity and avoiding assumptions. Okay, making an assumption makes a blank out of you and me. Right, don't assume anything. Right, you may understand this information, but assuming it can get you into challenges. So documenting the objective, fact-based, avoiding assumptions or personal opinions, is an important part. And, again, it ensures the integrity of the documentation, making it reliable, and allows for further investigation or legal proceedings. Again, we want to make sure that you pull the assumptions out of it. Now, you might be right, you might be right 99.99% of the time, but at that 0.01% or 0.1% you could cause things to go off the rails and it would end up making your case fall apart because you made assumptions.

Speaker 2:  

Question nine. During an investigation, an analyst uncovers evidence of unauthorized access to a server. Oh no, pray tell. What is the best initial response to mitigate the risk of further unauthorized access? Okay, so, during an investigation, an analyst uncovers unauthorized access to a server. What is the best initial response to mitigate the risk of further unauthorized access? A, immediately disconnect the server from the network. B, change all user passwords associated with the server. C, conduct a full system reboot. Or D, notify all employees about the breach. Okay, you guys probably can figure out at least the last one. You probably definitely wouldn't do that, right? But the answer is A, immediately disconnect the server from the network. So disconnecting the compromised server from the network is an important, critical part in this overall process.

Speaker 2:  

That being said, you may or may not want to do that, depending upon the situation. So say, for instance, there's somebody that's accessing that server and you want to get a little more information about it. You may leave it out there and open. Again, that is a legal decision and that is not your decision as the IT person. So you need to talk to legal and senior leadership before you do anything like that. So again, I'm not a lawyer, I just play one on TV. But I do not recommend that you go and do this on your own. That would be a really bad idea. You need to make sure that if you are going to leave a computer out there like a honeypot, that you have legal, senior leadership, everybody up the flagpole involved in this discussion and in this decision, because if you try to do this on your own, you will be left hanging out to dry. You will be walking the gangplank. There'll be a bunch of pirates behind you with knives watching you walk off the plank into your demise. So I hope I made that colorful enough.

Speaker 2:  

Question 10. What is the purpose of using digital forensics tools during your investigation? A, automate the incident response process. B, collect, preserve and analyze digital evidence systematically. C, to replace the need for human investigators. Or D, enhance the overall security posture of an organization. Again, what is the purpose of using digital forensics tools during an investigation? And the answer is B, to collect, preserve and analyze digital evidence systematically. That's the goal, right? Preserving it and analyzing the digital evidence from the various sources that are out there and making sure that they are handled in a correct fashion.

Speaker 2:  

Question 11. An organization is conducting a post-incident review after a security breach. What would be the primary focus of this review? Again, they're doing a post-incident review after a breach. What would be the primary focus of this review? A, evaluate employees' performance during an incident. B, determine the financial impact of the breach. C, identify vulnerabilities that were exploited during the breach. Or D, assessing the adequacy of the organization's physical security controls. So, again, they're doing a post-incident review. What would be the primary focus of this review? C, identifying vulnerabilities that were exploited during the breach. So, again, if you know there are vulnerabilities that were exploited and the bad guys got in because of that, you would want to understand how did they do this? Again, a root cause analysis or an after-action report would be good. So you want to look at this from how it affects your organization, improves the defenses and your incident response process.

Speaker 2:  

Again, you have to go back over these things. When I was flying airplanes, we would have a pre-brief and a post-brief. You would go, drop the bombs, you come back and evaluate how you did, and then all the people in the room would tell you how you stink and you're no good. That's just kind of that hazing thing that occurred. You know, it's that bravado stuff. Yeah, you go in, yeah, I'm pretty cool. You drop your bombs and then they come back and they just totally lambaste you and tell you that you suck. Yes, that was not fun, but it was good. It was good learning opportunities. Question 12. You can tell I've got PTSD over that. Question 12.

Speaker 2:  

An incident response team is analyzing network traffic logs to detect anomalous activity. Which of the following techniques is the most appropriate for identifying patterns of malicious behavior? So an incident response team is analyzing network traffic logs to detect anomalous activity. Which of the following is the most appropriate for identifying patterns of malicious behavior? A, signature-based detection. B, heuristic analysis. C, risk assessments. Or D, anomaly-based detection? And the answer is D, anomaly-based detection. Anomaly-based detection involves analyzing network traffic for deviations from normal network behaviors. This technique is effective in identifying potential malicious activity that may not match known signatures.

Speaker 2:  

That's a lot of words. Especially when you have a cold. You just want to look for any anomalies that are in your network. Anything that's not right that's going on in your network, that's anomaly-based detection. A big $10 word to say looking for things that aren't right. But there's more words there. But anyway, anomaly-based detection. You want to make sure you look for it.

Speaker 2:  

Question 13. What role do artifacts play in digital forensics investigations? A, they provide context and insight into user actions and system events. B, they serve as evidence of compliance with security policies. C, they are used solely for legal documentation. And D, they have no significant value in any sort of investigation whatsoever. Again, that is an artifact in a digital forensics investigation. They provide, A, context and insight into user actions and system events. They're an important part. These include logs, files, configurations, you name it. They could be pictures, they could be all kinds of things that are part of an overall investigation. These artifacts help investigators understand what occurred during the incident. They also give them an idea of how much data was potentially uploaded, not uploaded, all of those different aspects. So artifacts are an important part.

Speaker 2:  

Question 14. Which of the following is an essential component of effective reporting during digital forensics investigations? So which of the following is an essential component of effective reporting during digital forensics investigations? A, technical jargon to impress the stakeholders. Yes, I'm very cool. I use $10 words and I use quantification and every other thing that you could possibly think of. That is a big word, yeah, no. B, clarity and conciseness. C, personal opinions about the investigation. Or D, avoiding details to maintain confidentiality. So which of the following is an essential component of effective reporting during digital forensics investigations? The answer is B, clarity and conciseness to ensure understanding.

Speaker 2:  

I despise going into meetings when people will use these big words like quantification, sanctification. Well, that's actually a Christian term. It's a big word, but anyway, quantification, yeah, that's a big one. I know that one, and they use these big, oh my gosh, bespoke. Somebody used a bespoke on me the other day. I was like, what in the world is that? So, again, my third grade education struggles with big words. Well, guess what? Everybody else does too. Yeah, they may understand the word, the bespoke word, and I had to actually Google that. That means like different things, not like different things. It means like you're going after different things, like a spoke on a tire, I guess. But that being said, clarity and conciseness is key to understanding what you're doing. So don't be that guy or gal that is in the room talking in big $10 words and everybody's going, oh, you're so smart, you're such a brilliant person. They might be thinking that and that's probably true. However, there is the guy in the corner, like me, that may have a lot of pull within the organization and may go, I have no clue what you're talking about, and if I don't know what you're talking about, maybe I don't trust you. So, again, clarity and conciseness is an important factor. Okay, now we're getting to the last question, the last melon, question 15.

Speaker 2:  

In a cybersecurity incident, which document outlines the specific actions that an incident response team must take to manage the incident effectively? That's a really long run-on sentence. Okay, in a cybersecurity incident, which document outlines the specific actions that an incident response team must take to manage the incident effectively? A, incident response plan. B, disaster recovery plan. C, business continuity plan. Or D, vulnerability management policy? Again, which of these documents outlines the specific actions that the incident response team must take to manage the incident effectively? If you don't know, you can throw a policy out because, guess what, three of the four look alike, right? But when it comes right down to how to deal with incident response, it would be A, an incident response plan, that helps you take and manage the incident effectively. So IRPs, again, outline the specific actions the incident response team is going to take to manage the incident, provide a structured approach to detecting, responding to and recovering from security incidents, and ensure that all team members understand their roles and responsibilities. So again, it's an important part of all of this, that incident response plan.

Speaker 2:  

Okay, so I hope that you guys got a lot out of this today. If you have any questions, just ping me. You can reach out to me at CISSP Cyber Training and I'm happy to reach out. There's a contact at CISSP Cyber Training. I'm happy to answer any questions you have. Also, keep in mind, you can go to CISSP Cyber Training and get access to all my content. It is out there and available for you.

Speaker 2:  

My videos are out there. I post those on my blog, so those are available as well. I'm a little bit behind on some of those. I kind of do those in spurts, I don't get to them as fast as I could, but the videos are out there as well. So all the stuff you're hearing on the podcast is in video format for the most part out there at CISSP Cyber Training. If you are looking for a consultant, you can go to CISSP or you can go to reducecyberrisk.com or you can go to another. I'm partnering with a group called NextPeak and you can go to nextpeak.net. We've got all kinds of great stuff that we're dealing with for financial institutions, manufacturing institutions or organizations as well. So a lot of great stuff out there to help you with your cybersecurity capabilities at CISSP Cyber Training, reducecyberrisk.com or nextpeak.net. Okay, hope you all have a beautifully wonderful day, and we will catch you all on the flip side. See ya.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
