Certified Incident Handler (CIH) Practice Exam

Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!

Which tool is beneficial for acquiring evidence from compromised OT-based systems?

  1. Splunk Enterprise

  2. Registry Recon

  3. Wireshark

  4. Malcolm

The correct answer is: Registry Recon

Registry Recon is the beneficial tool for acquiring evidence from compromised Operational Technology (OT)-based systems because of its specific focus on analyzing and recovering Windows registry data. OT environments often run industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems on Windows hosts, so understanding how the operating system was altered is crucial when investigating a potential compromise. Registry Recon lets investigators examine the Windows registry and uncover remnants of potentially malicious activity or configuration changes that indicate how an attacker gained access or what the impact of the compromise was. This type of analysis is essential in an OT context because it shows the system's state before and after the incident, which helps reconstruct the timeline of events.

The other tools in the list serve important functions, but they are oriented towards different aspects of evidence gathering or monitoring. Splunk Enterprise is primarily a data analytics platform used for log monitoring, which does not provide the detailed view of system-level changes that Registry Recon does. Wireshark is specialized in capturing and analyzing network traffic, which, while useful in many investigations, does not directly address recovering evidence about a specific compromised system's state. Malcolm serves as a security monitoring framework that deals