Security+ Forensic Performance Based Question

If you’re planning to take the Security+ exam you can expect to see some performance based questions and you might even see a Security+ forensic performance based question. Performance based questions expect you to perform some action rather than simply answer a multiple choice question.

While the performance based questions are new, the actual Security+ objectives haven't changed since the SY0-301 objectives were first released. Some of the objectives use active words such as "Implement," "Execute," and "Analyze," and CompTIA is using performance based questions to test candidates for many of these objectives.

One of the objectives that can easily be used in a Security+ forensic performance based question is this: 2.3 Execute appropriate incident response procedures

• Basic forensic procedures
  • Order of volatility

Sample Security+ Forensic Performance Based Question

As an example, you might see a question such as this: Q. Organize the following list in the correct order based on each item's volatility. List the items from most volatile to least volatile.

Do you know the correct order? The answer and explanation is included later in this blog.

Pass the Security+ exam the first time you take it: CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

Order of Volatility

Order of volatility refers to the order in which you should collect evidence. “Volatile” doesn’t mean it’s explosive, but rather that it is not permanent. In general, you should collect evidence starting with the most volatile and moving to the least volatile.

Many forensic tools include the ability to capture volatile data. Once it’s captured, experts can analyze it and gain insight into what the computer and user were doing. You might not be the forensic expert capturing and analyzing the data, but you certainly don't want to be the technician that destroyed it. With this in mind, you should know the order of volatility of data and what you can do to protect evidence.

A processor can only work on data in random access memory (RAM), so all the data in RAM indicates what the system was doing. This includes data a user has been working on, system processes, network processes, application remnants, and much more. All of this can be valuable evidence in an investigation, but the evidence is lost when the computer is turned off. Because of this, it is important to realize you shouldn't power a computer down if it’s suspected to be involved in a security incident.

Data worked on by the central processing unit (CPU) is held in the CPU cache. A system has less cache than regular RAM so data in cache is more likely to be overwritten sooner than data in regular RAM. In other words, the CPU cache is more volatile than regular RAM and should be collected first if possible.

In contrast, data on hard disk drives (HDDs) remains on the HDD even after powering a system down. This includes any files and even low-level data such as the master boot record on a disk.

While a computer is running, it maintains a paging file (also called a swap file) as an extension of memory. The paging file is stored on the HDD so it is less volatile than RAM. However, the paging file is rebuilt after rebooting a computer so it is more volatile than regular files stored on a HDD.

Any data stored on a remote system is less volatile than data stored directly on a computer. As an example, many servers send log files to remote systems for centralized collection. Even if the original computer is completely destroyed, these log files are still available.

Last, data stored on archive media such as backup tapes of optical media is the least volatile. This data is offline and much less likely to be destroyed or corrupted than any online data.

The order of volatility from most volatile to least volatile is:

1. Data in RAM, including CPU cache and recently used data and applications
2. Data in RAM, including system and network processes
3. Swap files (also known as paging files) stored on local disk drives
4. Data stored on local disk drives
5. Logs stored on remote systems
6. Archive media

Realistic practice test questions for the Security+ exam. Available through LearnZapp on your mobile phone

Answer Security+ Forensic Performance Based Question

Q. Organize the following list in the correct order based on each item's volatility. List the items from most volatile to least volatile.

You would need to use the testing interface to organize the items in the correct order. For example, you might need to drag and drop them so that they are in the correct order. The correct order is:

Explanation

1. Cache - Cache memory is more temporary than regular RAM. This includes central processor (CPU) cache or any other type of cache used in the system. It typically includes recently used data and information used by applications. It is more volatile than regular RAM because a system has significantly less cache memory than regular RAM so it will likely be overwritten quicker than regular RAM.
2. RAM - RAM is slightly less volatile than cache memory. It can include information used by the system and network processes. It will be lost if the system is powered down (as will the cache memory).
3. Paging file - This is also known as the swap file. It is an extension of RAM but it is stored on the hard drive. The paging file is rebuilt each time the system is rebooted so it is more volatile than regular data stored on a hard drive.
4. HDD - Data stored on a hard disk drive (HDD) is semi-permanent. It remains on the hard drive even after the system is powered down and rebooted.
5. Logs stored on remote systems - Any data stored on a remote system is less volatile than data stored on the target system. For this reason, many servers send log data to a remote system for centralized collection. Even if the server is completely destroyed, the centralized logs still have key data.
6. Archive media - This includes any types of backups or copies of data captured for either recovery or archive purposes. They are generally offline and less likely to be destroyed or corrupted. For example, backup tapes and DVDs can be used as archive media.

Performance Based Question Blogs

• CompTIA Performance Based Testing
• Security+ and Performance Based Questions
• Security+ WAP Performance Based Questions
• CompTIA Testing Changes

Other Security+ Resources

• CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide
• Security+ Audio Files
• Kindle Version of Security+ Study Guide
• Security+ Practice Test Questions for Your Mobile Phone

Security+ Forensic Performance Based Question Summary

You can expect to see some performance based questions on the Security+ exam and you might even see a Security+ forensic performance based question related to order of volatility. While these are different froma typical multiple choice question, you can still answer them correctly as long as you know the content. The information from this blog was derived from the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide.