GCFR GIAC Cloud Forensics Responder (GCFR) Questions and Answers

A threat actor conducts brute force attacks against SSH services to gain Initial access. This attack technique falls under which category of the Google Workspace MITRE ATT&CK matrix?

Access Kibana via http://10.0.1.7:5601 and use the *ws-* index pattern. Use the time range 2021-03-0100:00 UTC to 2021 04 U 00:00 UTC. How many ec2 DescribMnstantp*; events were performed by the root user?

What Azure SaaS option executes workflows instead of code?

In which scenario would an investigator collect NetFlow logs rather than PCAP logs?

Which is a limitation of AWS Lambdas?

Which Azure blob storage option is typically used to store virtual hard drive (VHD) Ales?

What method does Google use to alert Gmail account holders that they may be under attack by government sponsored attackers?

What Amazon EC2 instance prefix should be monitored to detect potential crypto mining?

Communication between the VPN client and Azure VNet1via VPN Tunnel #1 is using which of the following connections?

Which AW5 1AM policy element indicates the API that is in scope?

Use Kibana to analyze the Azure AD sign-in logs in the azure-* index. On March 31st, 2021, what is the timestamp of the earliest failed login attempt for the accountdcr0ss5pymtechlabs.com?

ViewVM

A company is creating an incident response team that will be part of their existing GCP Organization. Where in the organizational structure should their services be placed?

What AWS service will allow an organization to set custom compliance metrics and force compliance on an organizational, sub-organizational, or individual account level?

An investigator is evaluating a client's Microsoft 365 deployment using the web portals and has identified that the Purview compliance portal states that the Unified Audit Logs are not enabled. Based on the additional Information gathered below, what is most likely the cause of this configuration message?

Subscription creation date: December 4, 2021 Number of administrators: 2 Number of non-administrative user accounts: 74 Last tenant administration change: December 4,2021

At what point of the OAuth delegation process does the Resource Owner approve the scope of access to be allowed?

The Azure URI for the Develop VM is shown below. What will change in the notation when referencing the VM's OS disk?

What unique identifier is used by AWS to identify a specific account and allow integration with external organizations?

What is the maximum file size for Azure Page Blob storage?

What logical AWS structure type is used to chain together accounts in a trust relationship which allows for single sign-on and cross-account management?

Which AWS Storage option is ideal for storing incident response related artifacts and logs?

AWS VPC Flow logs are enabled. What do these logs capture?