Term
| Which three disciplines make up the "investigations triad"? |
|
Definition
| Vulnerability/Threat Assessment and Risk Management; Network Intrusion Detection and Incident Response; Digital Investigation |
|
|
Term
| Which of the following is an example of hearsay evidence? |
|
Definition
| Hearsay:
- "The guy told me he did it"
- "He said he knew who did it, and could testify"
- "I saw a recording of the whole thing go down"
- A text file containing a personal letter |
|
|
Term
| Which of the following is an example of "Low-Tech" Reconnaissance? |
|
Definition
| 1. Visiting Target
2. Breaking into Target
3. Dumpster Diving
4. Social Engineering |
|
|
Term
| Which NMAP scan type attempts to complete the 3-way handshake with each scanned port? |
|
Definition
|
|
Term
| A vulnerability is known as the intersection of exploiting a flaw, access to a flaw, and what? |
|
Definition
| System susceptibility/flaw |
|
|
Term
|
Definition
| A piece of software, chunk of data, or sequence of commands that takes advantage of a bug, glitch, or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software or hardware |
|
|
Term
| Malware is code that has an adverse impact on which of the following? |
|
Definition
| Confidentiality, integrity, availability |
|
|
Term
| When a logical condition causes a virus to move from a dormant or propagation phase is which phase? |
|
Definition
|
|
Term
| What ISO standard was ratified for digital forensics in October 2012? |
|
Definition
| ISO 27037 Information Technology - Security Techniques |
|
|
Term
| When did the FBI form the Computer Analysis and Response Team (CART)? |
|
Definition
|
|
Term
| Which US Constitutional Amendment protects everyone's right to be secure from search and seizure? |
|
Definition
|
|
Term
| Digital Evidence is the same as Data Recovery? |
|
Definition
| No, forensics includes retrieving information that was deleted by mistake or lost during a power surge or server crash |
|
|
Term
| Which Digital Evidence role has the skill to analyze the data and determine when another specialist should be called in to assist? |
|
Definition
| Digital Evidence Specialist (DES) |
|
|
Term
| What policy defines rules for using a company's computers and networks? |
|
Definition
|
|
Term
| Which of the following situations are most common for private sector investigations? |
|
Definition
| - Abuse or misuse of computing assets
- Email abuse
- Internet abuse |
|
|
Term
| What do you secure evidence in? |
|
Definition
| Antistatic evidence bags or pads |
|
|
Term
| Which of the following is a basic requirement for setting up your forensics workstation? |
|
Definition
| Basic requirements:
- A workstation running the necessary OS (usually Windows)
- A write-blocker device
- Digital forensics acquisition tool
- Digital forensics analysis tool
- Target drive to receive the source or suspect disk data
- Spare PATA or SATA ports
- USB ports
Additional useful items:
- Network interface card (NIC)
- Extra USB ports
- FireWire 400/800 ports
- SCSI card
- Disk editor tool
- Text editor tool
- Graphics viewer program
- Other specialized viewing tools |
|
|
Term
| Which of the following is an example of best evidence? |
|
Definition
| Best Evidence:
- A photo of the crime scene
- A copy of a signed contract
- A file recovered from a hard drive
- A bit-for-bit snapshot of a network transaction (pcap) |
|
|
Term
| Which of the following is an example of digital evidence? |
|
Definition
| Digital Evidence:
- Emails and IM sessions
- Invoices and records of payment received
- Browser activity, including web-based email
- Routinely kept access logs (e.g. /var/log/messages) |
|
|
Term
| A bit-by-bit copy of the original storage medium is known as? |
|
Definition
|
|
Term
| A bit-stream copy of all data on a disk or partition is known as? |
|
Definition
| “image” or “image file” or Bit-stream Image |
|
|
Term
| What is the first rule of computer forensics? |
|
Definition
| Preserve the original evidence |
|
|
Term
| Which of the following is an advantage of the RAW format? |
|
Definition
| - Fast data transfers
- Ignores minor data read errors on source drive
- Most computer forensics tools can read raw format |
|
|
Term
| Which of the following is a feature offered by using a proprietary format? |
|
Definition
| - Option to compress or not compress image files
- Can split an image into smaller segmented files
- Can integrate metadata into the image file |
|
|
Term
| Who developed the Advanced Forensics Format? |
|
Definition
| - Dr. Simson L. Garfinkel |
|
|
Term
| Which acquisition method is the most common method and offers the most flexibility? |
|
Definition
| Creating a disk-to-image file |
|
|
Term
| At least how many images of digital evidence should you make for contingency planning purposes? |
|
Definition
|
|
Term
| In order to validate data acquisitions, what utility is required? |
|
Definition
| Hashing algorithm utility |
|
|
Term
| Windows does not have a built-in hashing algorithm tool for forensics? |
|
Definition
|
|
Term
| RAID 0's biggest disadvantage is? |
|
Definition
|
|
Term
| Which of the following are components of a disk drive? |
|
Definition
| - Geometry
- Head
- Tracks
- Cylinders
- Sectors |
|
|
Term
| Given 512 bytes per sector, and using a disk with 1024 cylinders, 64 read/write heads and 63 sectors, how large is the disk in GB? |
|
Definition
| - 1024 x 64 x 63 = 4,128,768 sectors
- 4,128,768 sectors x 512 bytes/sector = 2,113,929,216 bytes
- 2.114 GB |
|
|
Term
| It is crucial to make a full forensic copy of a solid-state drive as soon as possible due to what feature? |
|
Definition
|
|
Term
| A partition is known as a ? |
|
Definition
|
|
Term
| The unused space between partitions is known as ? |
|
Definition
|
|
Term
| The Master Boot Record (MBR) is located at sector? |
|
Definition
|
|
Term
| Which of the following is not contained in the File Allocation Table (FAT) database? |
|
Definition
| The following ARE contained:
- Filenames
- Directory names
- Date and time stamps
- Starting cluster number
- File attributes |
|
|
Term
| In Microsoft Windows, when a file is deleted which HEX character is used to replace the first letter of the filename? |
|
Definition
|
|
Term
| Which of the following is an improvement NTFS has over FAT file systems? |
|
Definition
| - NTFS provides more information about a file
- NTFS gives more control over files and folders |
|
|
Term
| On an NTFS disk, the first data set is what? |
|
Definition
|
|
Term
| When reviewing the registry, which file contains the user-specific configuration settings? |
|
Definition
|
|
Term
| When using Volatility to perform memory forensics, which of the following modules provide a list of processes that were running on the computer when the image was taken? |
|
Definition
|
|
Term
| On mobile devices, the Operating System is stored in? |
|
Definition
|
|
Term
| On mobile devices, the system data is stored in? |
|
Definition
| electronically erasable programmable read-only memory (EEPROM) |
|
|
Term
| The file system of a SIM card is in a hierarchical structure? |
|
Definition
|
|
Term
| There are many free mobile device forensics tools? |
|
Definition
| False (Many tools but most aren’t free) |
|
|
Term
| When reviewing a forensic copy of an android device, where would we find the contents of the SD card? |
|
Definition
|
|
Term
| When reviewing a forensic copy of an iOS device, which directory would we look in for information on Mobile Safari browsing history? |
|
Definition
|
|
Term
| Identifying the date, time, and method of incident discovery is an example of which part of the Network Forensics investigative Methodology? |
|
Definition
|
|
Term
| Planning the initial acquisition and analysis of evidence is an example of which part of the Network Forensics Investigative Methodology? |
|
Definition
|
|
Term
| The Network Forensics Investigative Methodology uses which acronym? |
|
Definition
| OSCAR:
- Obtain Information
- Strategize
- Collect Evidence
- Analyze
- Report |
|
|
Term
| Understanding the network topology and organization structure is an example of which part of the Network Forensics |
|
Definition
|
|
Term
| Using the Berkeley Packet Filter, how would we filter onto traffic containing an ip address of 192.168.10.11? |
|
Definition
|
|
Term
| Using the Berkeley Packet Filter, how would we filter onto traffic for the FTP service? |
|
Definition
| dst.port == 21 (or 'ftp') |
|
|
Term
| When analyzing evidence, which of the following best defines correlation? |
|
Definition
| Marrying disparate data from multiple sources |
|
|
Term
| IPFIX succeeded Cisco's NETFLOW and is based on which version? |
|
Definition
| specified in RFC 5101 and based on version 9 of NetFlow. |
|
|
Term
| Is time synchronization an issue when placing a Flow Record Sensor within your network? |
|
Definition
|
|
Term
| When analyzing flow record data, which of the following is not one of the four analysis techniques? |
|
Definition
| The 4 analysis techniques ARE: Filtering; Baselining; Dirty Values; Activity Pattern Matching |
|
|
Term
| When collecting evidence, we analyze which pieces of evidence? |
|
Definition
|
|
Term
| Which of the following are sources of network based evidence? |
|
Definition
| - On the wire
- In the air
- Switches
- Routers
- DHCP servers
- Name servers
- Authentication servers
- NIDS/NIPS
- Web proxies
- Application servers
- Central log servers
- Honeynets |
|
|
Term
| Which component of the Flow Record Processing System is used to analyze the evidence collected from one or multiple servers? |
|
Definition
| - Aggregator: Central server that is used for multiple collectors
- Analysis: Once the data has been collected and stored, it can be analyzed using a variety of commercial, open-source, and homegrown tools |
|
|
Term
| A wireless 802.11 frame for Management frames is type? |
|
Definition
| Type 0 - These include probes, beacons, authentications, associations, and others |
|
|
Term
| In a wireless network, spoofing is not trivial? |
|
Definition
|
|
Term
| A single NIDS or NIPS sensor can monitor many hosts? |
|
Definition
|
|
Term
| A Switched Port Analyzer (SPAN) is used in which deployment? |
|
Definition
| Promiscuous Mode - IDS (detection) |
|
|
Term
| Which of the following is not a type of network attack that a NIDS/NIPS detects/protects against? |
|
Definition
| The 3 types of attack that NIDS/NIPS DOES protect against are: Reconnaissance; Access; Denial-of-service |
|
|
Term
| A NIPS deployment utilizes its sensor in "inline" mode? |
|
Definition
|
|
Term
| A NIDS relies on a piece of software (agent) installed on each system? |
|
Definition
| False (HIDS/HIPS rely on these) |
|
|
Term
| Which of the following contains details regarding illicit connections or attempts? |
|
Definition
|
|
Term
| Which of the following is the most widely used NIDS? |
|
Definition
|
|
Term
| Profile based NIDS are NOT subject to a high number of false-positives? |
|
Definition
|
|
Term
| Which NIDS is also known as Misuse Detection? |
|
Definition
|
|
Term
| Which of the following is not a type of evidence we can collect from a NIDS/NIPS? |
|
Definition
| The following ARE types of evidence:
- Configuration
- Alert data
- Packet header and/or flow records
- Packet payloads
- Activities correlated across multiple sensors |
|
|
Term
| Which NIDS operates similar to how most antivirus software detects malware? |
|
Definition
|
|
Term
| The snort/rules/ directory contains the global configuration file for network values, preprocessor rules, and output information? |
|
Definition
| False - (it is the directory of all rule files specific that are used) |
|
|
Term
| In reviewing Squid proxy logs, which of the following files provide us with the web history for that server? |
|
Definition
| access.log (web access history) |
|
|
Term
| Which of the following is a proxy type that inspects the content of web traffic and filters based on keywords, presence of malware, etc.? |
|
Definition
|
|
Term
| A signature based NIDS monitors packets and compares them against a database of signatures? |
|
Definition
|
|
Term
| Which caching mechanism is implemented through the cache-control field? |
|
Definition
|
|
Term
| Which RFC pertains to the caching of HTTP1.1? |
|
Definition
|
|
Term
| After an internal system may have downloaded malicious content via the web, which of the following systems would you look at for evidence? |
|
Definition
|
|
Term
| Cached content of web traffic stored on disk is considered which type of evidence from a proxy server? |
|
Definition
|
|
Term
| Dynamically scanning web objects for viruses and malware is a feature of which form of filtering? |
|
Definition
|
|
Term
| Which of the following are protocols related to the use of a Distributed Caching proxy? |
|
Definition
| - Internet Cache Protocol (ICP)
- Internet Content Adaptation Protocol (ICAP) |
|
|
Term
| In reviewing Squid proxy logs, which of the following files provide us access to information about the client browsers? |
|
Definition
|
|
Term
| Which caching mechanism is implemented through the use of the Entity Tag (Etag)? |
|
Definition
|
|
Term
| The history of all HTTP or HTTPS traffic passed through a proxy server is considered which evidence type? |
|
Definition
|
|
Term
| Which caching mechanism is implemented through the Last-Modified header? |
|
Definition
|
|
Term
| The use of whitelists or blacklists is a feature of which form of filtering? |
|
Definition
|
|
Term
| Which of the following is a proxy type that acts as an intermediary to protect the identities of web surfers? |
|
Definition
|
|
Term
| Which of the following is a proxy type that stores the previously used web pages to speed up performance? |
|
Definition
|
|
Term
| Which of the following is NOT a type of firewall? |
|
Definition
| Firewall types ARE: Packet Filter; Session-Layer Proxy; Application Proxy; Enterprise; Consumer; Roll-Your-Own |
|
|
Term
| Which network log architecture provides the easiest method for collecting logs? |
|
Definition
|
|
Term
| Time skew is best addressed under which form of network log architecture? |
|
Definition
|
|
Term
| When implementing Remote Network Logging, which of the following is NOT an area of concern? |
|
Definition
| The following ARE: Reliability; Time skew; Confidentiality; Integrity |
|
|
Term
| Utilizing TLS/SSL addresses which concern with remote network log collection? |
|
Definition
| Confidentiality (maybe also Integrity) |
|
|
Term
| Routers contain which of the following volatile evidence that can assist in an investigation to identify a system on the network? |
|
Definition
| Routing tables; ARP table; ACLs; DHCP leases; IO; running configuration; flow data |
|
|
Term
| Utilizing NTP addresses which concern with remote network log collection? |
|
Definition
|
|
Term
| Switches contain which of the following volatile evidence that can assist in an investigation to identify a system on the network? |
|
Definition
| Stored packets prior to forwarding; CAM table; ARP table; ACLs; IO; running configuration; flow data |
|
|
Term
| Which of the following is NOT a method for propagation of malware? |
|
Definition
| Propagation methods ARE: Email; Web links and content; Network shares; Direct Network Exploitation |
|
|
Term
| Which tool below is an open source tool designed to tunnel IPv4 data through a DNS server and is named after the atomic number 53? |
|
Definition
|
|
Term
| Transport Layer Security (TLS) operates at the transport layer in the OSI model? |
|
Definition
| False - TLS provides session layer (layer 5) encryption and authentication |
|
|
Term
| VLAN trunking provides support for how many different VLANS? |
|
Definition
| 4096 different VLANs (virtual LANs) |
|
|
Term
| Which of the following is a legitimate use of a network tunnel? |
|
Definition
| Aggregating network traffic across "virtual circuits"; Providing a layer of encryption for data in transit |
|
|
Term
| Which proprietary format encapsulates Ethernet frames prior to being sent over a WAN? |
|
Definition
|
|
Term
| Which of the following is NOT a method for Command and Control Communications of malware? |
|
Definition
| Malware C2 communications methods ARE: HTTP; Social Networking sites; Peer-to-peer; IRC; Cloud computing |
|
|
Term
| In an IPSec tunnel, which mode encapsulates the entire original IP packet within a new IP packet which prevents inspection/analysis of the information? |
|
Definition
|
|
Term
| After negotiation and key generation using the IKE protocol, what is the next step in establishing Security Associations (SA's)? |
|
Definition
| 2. Authentication Header (AH) to provide node to node authentication and integrity |
|
|
Term
| Which of the following allows for tunneling IPv6 traffic over IPv4 traffic? |
|
Definition
| Teredo - Tunnel IPv6 traffic over UDP over IPv4 |
|
|
Term
| Which payload behavior of malware is also a method of propagation? |
|
Definition
|
|
Term
| Which of the following is an alternative to ISL? |
|
Definition
| Generic Routing Encapsulation (GRE) |
|
|
Term
| In which phase of the attack methodology do we correlate open ports and running services to a potential attack vector? |
|
Definition
| Phase #3. Vulnerability identification |
|
|
Term
| Which of the following is NOT a concern with acquiring mobile devices? |
|
Definition
| The following ARE concerns:
- loss of power
- synchronization with cloud services
- remote wiping |
|
|