During an investigation a security analyst discovers traffic going out to a command-and-control server. The analyst must find out if any data exfiltration has occurred. Which of the following would best help the analyst determine this?
Packet captures provide the most detailed evidence for determining whether data exfiltration occurred.
When investigating communication with a command-and-control (C2) server, a security analyst must determine whether sensitive data was transferred out of the network. A packet capture (PCAP) records the actual network traffic transmitted between systems, allowing the analyst to inspect packet contents, transfer sizes, destinations, protocols, and possible exfiltrated data. This makes packet captures one of the most effective tools for confirming data exfiltration.
Application logs record events related to specific applications, such as authentication attempts, errors, or user actions. While useful for understanding application activity, they generally do not provide enough visibility into outbound network traffic to confirm whether data was exfiltrated.
Metadata provides information about files or communications, such as timestamps, ownership, or file size. Although metadata may help support an investigation, it does not contain the actual network communication details needed to determine whether data was transferred to an external system.
Network logs can show connections between systems, including source and destination IP addresses, ports, and traffic patterns. They are useful for identifying suspicious outbound communication, but they usually do not contain the full packet contents necessary to verify exactly what data, if any, was exfiltrated.
Packet captures provide detailed visibility into network communications by recording the actual packets transmitted across the network. Analysts can inspect the contents of communications with the command-and-control server, identify files or sensitive information that may have been transmitted, and confirm whether data exfiltration occurred.
To determine whether data exfiltration occurred, the most effective resource is a packet capture because it provides detailed, packet-level evidence of outbound communications and transferred data. While logs and metadata can support the investigation, packet captures offer the most complete forensic visibility into network activity.
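To make the distinction concrete, the following added example (not part of the original question or its explanation) contrasts what a flow or network log can tell an analyst with what only a packet capture can. The packets, the C2 address (a TEST-NET-3 placeholder), and the sensitive-data patterns are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample packets standing in for decoded PCAP records: (src, dst, dst_port, payload).
# 203.0.113.45 is a documentation-range placeholder for the suspected C2 server, not a real host.
C2_HOST = "203.0.113.45"
VICTIM = "10.0.0.12"
PACKETS = [
    (VICTIM, C2_HOST, 443, b"POST /upload HTTP/1.1\r\nHost: cdn-sync.example\r\n\r\n"),
    (VICTIM, C2_HOST, 443, b"name,ssn\r\nA. Jones,123-45-6789\r\nB. Lee,987-65-4321\r\n"),
    (VICTIM, C2_HOST, 443, b"PK\x03\x04\x14\x00\x00\x00\x08\x00report.xlsx"),
    (C2_HOST, VICTIM, 51000, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    (VICTIM, "10.0.0.5", 445, b"\xfeSMB normal internal file-share traffic"),
]

# Constructed indicators of sensitive content; a real investigation would use the
# organisation's own DLP signatures and file-type magic list.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "zip-archive": re.compile(rb"\APK\x03\x04"),
}

def flow_summary(packets):
    """What a network/flow log exposes: byte counts per (src, dst, port), never the content."""
    totals = defaultdict(int)
    for src, dst, dport, payload in packets:
        totals[(src, dst, dport)] += len(payload)
    return dict(totals)

def direction_totals(packets, internal_host, external_host):
    """Outbound vs inbound bytes between a host and the suspected C2. A strong outbound
    skew is suspicious, but by itself it cannot prove that sensitive data left."""
    out = sum(len(p) for s, d, _, p in packets if s == internal_host and d == external_host)
    inbound = sum(len(p) for s, d, _, p in packets if s == external_host and d == internal_host)
    return out, inbound

def inspect_payloads(packets, external_host):
    """What only a packet capture permits: read each outbound payload to the C2 and
    record (packet index, indicator, matched bytes) for every sensitive-data hit."""
    findings = []
    for idx, (src, dst, dport, payload) in enumerate(packets):
        if dst != external_host:
            continue
        for label, pattern in SENSITIVE_PATTERNS.items():
            for match in pattern.finditer(payload):
                findings.append((idx, label, match.group().decode("ascii", "replace")))
    return findings

if __name__ == "__main__":
    print("flow view:", flow_summary(PACKETS))
    print("out/in bytes to C2:", direction_totals(PACKETS, VICTIM, C2_HOST))
    print("payload findings:", inspect_payloads(PACKETS, C2_HOST))
```

The flow view reports only that roughly a hundred bytes went to port 443 on the C2 host; the payload inspection is what turns that into a confirmed exfiltration of two SSNs and a ZIP archive.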