A forensic engineer determines that the root cause of a compromise is a SQL injection attack. Which of the following should the engineer review to identify the command used by the threat actor?
A. Metadata
B. Application log
C. System log
D. NetFlow log
Correct Answer: B. Application log. Application logs are the correct resource for identifying SQL injection commands because they record interactions between users and the application, including the input submitted in requests. A SQL injection attack manipulates database queries through vulnerable input fields, and those malicious inputs are captured in the application's request logs. By reviewing these logs, the forensic engineer can pinpoint the exact injected command used by the threat actor, reconstruct how the database was manipulated, and identify what data may have been exposed or altered. Application logs also help determine whether the attack was automated or manual, how long it persisted, and which parts of the system were affected. Unlike system logs, which focus on operating system events, or NetFlow logs, which show traffic flows but not payloads, application logs contain the detail needed to trace the malicious SQL commands. This step is critical for confirming the exploitation path and designing appropriate mitigations.
Why the Other Options Are Incorrect:
A. Metadata provides descriptive information about files or records but does not capture the SQL commands or injection attempts submitted at the time of the attack.
C. A system log tracks operating system events such as logins, process starts, or errors, not the specific SQL queries executed by an application.
D. A NetFlow log records traffic flows (source, destination, port, protocol) but not the content of SQL commands. It shows that traffic occurred, not what the attacker injected.