Download Updated 300-215 CBRFIR Dumps (V10.02) to Make Preparations: Completing Your 300-215 Exam in 2026

1. A threat actor attempts to avoid detection by turning data into a code that shifts numbers to the right four times.

Which anti-forensics technique is being used?

2. What is the goal of an incident response plan?

3. Refer to the exhibit.

What should be determined from this Apache log?

4. An engineer received a call to assist with an ongoing DDoS attack. The Apache server is being targeted, and availability is compromised.

Which step should be taken to identify the origin of the threat?

5. Refer to the exhibit.

What do these artifacts indicate?

6. What are YARA rules based upon?

7. Refer to the exhibit.

Which two determinations should be made about the attack from the Apache access logs? (Choose two.)

8. What is the function of a disassembler?

9. Refer to the exhibit.

Which two actions should be taken as a result of this information? (Choose two.)

10. A website administrator has an output of an FTP session that runs nightly to download and unzip files to a local staging server. The download includes thousands of files, and the manual process used to find how many files failed to download is time-consuming. The administrator is working on a PowerShell script that will parse a log file and summarize how many files were successfully downloaded versus ones that failed.

Which script will read the contents of the file one line at a time and return a collection of objects?

11. An “unknown error code” is appearing on an ESXi host during authentication. An engineer checks the authentication logs but is unable to identify the issue. Analysis of the vCenter agent logs shows no connectivity errors.

What is the next log file the engineer should check to continue troubleshooting this error?

12. DRAG DROP

Drag and drop the steps from the left into the order to perform forensics analysis of infrastructure networks on the right.

13. An incident response team is recommending changes after analyzing a recent compromise in which:

a large number of events and logs were involved;

team members were not able to identify the anomalous behavior and escalate it in a timely manner;

several network systems were affected as a result of the latency in detection;

security engineers were able to mitigate the threat and bring systems back to a stable state; and the issue reoccurred shortly after and systems became unstable again because the correct information was not gathered during the initial identification phase.

Which two recommendations should be made for improving the incident response process? (Choose two.)

14. Which information is provided about the object file by the “-h” option in the objdump line command objdump Cb oasys Cm vax Ch fu.o?

15. Refer to the exhibit.

An HR department submitted a ticket to the IT helpdesk indicating slow performance on an internal share server. The helpdesk engineer checked the server with a real-time monitoring tool and did not notice anything suspicious. After checking the event logs, the engineer noticed an event that occurred 48 hours prior.

Which two indicators of compromise should be determined from this information? (Choose two.)

16. Refer to the exhibit.

Which two actions should be taken based on the intelligence information? (Choose two.)

17. Refer to the exhibit.

Which type of code is being used?

18. A scanner detected a malware-infected file on an endpoint that is attempting to beacon to an external site. An analyst has reviewed the IPS and SIEM logs but is unable to identify the file’s behavior.

Which logs should be reviewed next to evaluate this file further?

19. Refer to the exhibit.

According to the Wireshark output, what are two indicators of compromise for detecting an Emotet malware download? (Choose two.)

20. An engineer is investigating a ticket from the accounting department in which a user discovered an unexpected application on their workstation. Several alerts are seen from the intrusion detection system of unknown outgoing internet traffic from this workstation. The engineer also notices a degraded processing capability, which complicates the analysis process.

Which two actions should the engineer take? (Choose two.)

21. Which tool conducts memory analysis?

22. Which tool is used for reverse engineering malware?

23. Refer to the exhibit.

According to the SNORT alert, what is the attacker performing?

24. Which scripts will search a log file for the IP address of 192.168.100.100 and create an output file named parsed_host.log while printing results to the console?

A)

B)

C)

D)

25. An employee receives an email from a “trusted” person containing a hyperlink that is malvertising. The employee clicks the link and the malware downloads. An information analyst observes an alert at the SIEM and engages the cybersecurity team to conduct an analysis of this incident in accordance with the incident response plan.

Which event detail should be included in this root cause analysis?

26. DRAG DROP

Drag and drop the cloud characteristic from the left onto the challenges presented for gathering evidence on the right.

27. Refer to the exhibit.

Which element in this email is an indicator of attack?

28. Refer to the exhibit.

An engineer is analyzing a .LNK (shortcut) file recently received as an email attachment and blocked by email security as suspicious.

What is the next step an engineer should take?

29. A network host is infected with malware by an attacker who uses the host to make calls for files and shuttle traffic to bots. This attack went undetected and resulted in a significant loss. The organization wants to ensure this does not happen in the future and needs a security solution that will generate alerts when command and control communication from an infected device is detected.

Which network security solution should be recommended?

30. Refer to the exhibit.

What should an engineer determine from this Wireshark capture of suspicious network traffic?

31. Refer to the exhibit.

A security analyst notices unusual connections while monitoring traffic.

What is the attack vector, and which action should be taken to prevent this type of event?

32. Refer to the exhibit.

Which encoding technique is represented by this HEX string?

33. Over the last year, an organization’s HR department has accessed data from its legal department on the last day of each month to create a monthly activity report. An engineer is analyzing suspicious activity alerted by a threat intelligence platform that an authorized user in the HR department has accessed legal data daily for the last week. The engineer pulled the network data from the legal department’s shared folders and discovered above average-size data dumps.

Which threat actor is implied from these artifacts?

34. Refer to the exhibit.

What is the IOC threat and URL in this STIX JSON snippet?

35. An investigator is analyzing an attack in which malicious files were loaded on the network and were undetected. Several of the images received during the attack include repetitive patterns.

Which anti-forensic technique was used?

36. Refer to the exhibit.

A network engineer is analyzing a Wireshark file to determine the HTTP request that caused the initial Ursnif banking Trojan binary to download.

Which filter did the engineer apply to sort the Wireshark traffic logs?

37. 1.A security team is discussing lessons learned and suggesting process changes after a security breach incident. During the incident, members of the security team failed to report the abnormal system activity due to a high project workload. Additionally, when the incident was identified, the response took six hours due to management being unavailable to provide the approvals needed.

Which two steps will prevent these issues from occurring in the future? (Choose two.)

38. DRAG DROP

Drag and drop the capabilities on the left onto the Cisco security solutions on the right.

39. What is a use of TCP dump?

40. An attacker embedded a macro within a word processing file opened by a user in an organization’s legal department. The attacker used this technique to gain access to confidential financial data.

Which two recommendations should a security expert make to mitigate this type of attack? (Choose two.)

41. A security team received an alert of suspicious activity on a user’s Internet browser. The user’s anti-virus software indicated that the file attempted to create a fake recycle bin folder and connect to an external IP address.

Which two actions should be taken by the security analyst with the executable file for further analysis? (Choose two.)

42. What is a concern for gathering forensics evidence in public cloud environments?

43. What is the steganography anti-forensics technique?

44. A security team detected an above-average amount of inbound tcp/135 connection attempts from unidentified senders. The security team is responding based on their incident response playbook.

Which two elements are part of the eradication phase for this incident? (Choose two.)

45. What is the transmogrify anti-forensics technique?

46. Which technique is used to evade detection from security products by executing arbitrary code in the address space of a separate live operation?

47. Refer to the exhibit.

An engineer is analyzing a TCP stream in Wireshark after a suspicious email with a URL.

What should be determined about the SMB traffic from this stream?

48. Which magic byte indicates that an analyzed file is a pdf file?

49. Refer to the exhibit.

Which type of code created the snippet?

50. A security team receives reports of multiple files causing suspicious activity on users’ workstations. The file attempted to access highly confidential information in a centralized file server.

Which two actions should be taken by a security analyst to evaluate the file in a sandbox? (Choose two.)