1. … relevant files.
A. string searching
B. cryptographic files
C. relevant data
D. undeleted files
2. When trying to recover deleted files, make sure the forensic duplication is ____ so that it is not modified during our analysis.
A. On correct disk
B. Read-only
C. Write-only
D. Locked
3. To reconstruct a file, you can use the ____ the Sleuth Kit.
A. Skype
B. Netscan
C. Icat
D. Lscat
of
C. Duplicate disk
D. Forensic duplications
2. You can make an exact copy of the hard drive by first cleaning the destination drive by placing ____ in all the blocks:
A. Random bits
B. Binary bits
C. Zeros
D. Reliable data
3. dd-rescue is a variation of the dd command. You can use this command to copy forward, or backward from the end to the beginning. This is useful if you encounter ____.
A. blank disk
B. errors
C. full disk
D. negative integers
5. The reason to place zeros in all of the hard drive blocks is because ____.
A. Movies are left in there
B. Data is corrupted
C. Unwanted data might have been left there and this will damage forensic
evidence.
D. The ones in the blocks have to cancel with the zeros.
1. … or transported on computers.
A. Information forensics
B. Data forensics
C. Computer forensics
D. Network forensics
4. … of
A. MD5 hashes
B. Active hashes
C. Forensic hashes
D. Cryptography
5. …
A. 5
B. 7
C. 3
D. 6
…
A. Homepage
B. Index.dat
C. Script
D. Internet explorer
3. ____ is an open source tool used to examine index.dat files and how they were populated when a suspect browses the internet.
A. Firefox
B. Pasco
C. cookie finder
D. Encase
4. A ____ activity record contains less information than the URL or LEAK records and is symbolic of a website that redirects you to another website.
A. phone
B. Pasco
C. suspect
D. REDR
5. Keith J. Jones developed a tool named ____ to translate the information inside an IE cookie to something a human can understand.
A. Cookie
B. Galleta
C. Pasco
D. Internet explorer
3. The first choice to read Outlook Express e-mail repositories is to use a tool named ____.
4. …
A. Google it
B. Eindeutig
C. Hack it
D. Snort
3. One of the differences between the E-Mail DBX file format and the Folders DBX file format is ____.
A. The file signatures are slightly different
B. Messages are similar
C. Data entries are the same
D. DBX is not good
6. In ____, an intrusion detection system is a device or application used to inspect all network traffic and alert the user or administrator when there have been unauthorized attempts or access.
A. Alert Data
B. Security check
C. Network security
D. Traffic control
7.
C. Private conversations
D. Full content data
8. For ____, the source sends one packet, and the destination replies with one packet.
A. Open ports
B. Security ports
C. Closed ports
D. Dedicated ports
1. …
A. IP config
B. Catscan
C. Netcat
D. Address resolution table
____ are the simplest and cheapest way to gain control of network traffic.
A. NAS
B. Hubs
C. Repeaters
D. Wireless router
1. ____ analysis is when data from the suspect is copied without the assistance of the suspect's operating system.
a. Live
b. Dead
c. Data
d. Forensic
2. ____ analysis uses the operating system or resources of the system being investigated to find evidence.
a. Live
b. Dead
c. Data
d. Forensic
3. ____ is information we would use if the machine is turned off.
a. Registry information
b. Volatile information
c. Non-volatile information
d. Cached information
d. remote access
5. A data structure is composed of which two parts?
a. number and string
b. flag and register
c. byte and string
d. flag and byte
d.Security Logs
1. What tool was used by running it against the libpcap data to transform it into session data?
b. Argus
2. Multiple protocols with a low number of packets may indicate what activity?
d. Port Scanning
3. What tool was used in this chapter to find patterns of malicious activity?
a. Snort
4. A single SYN packet is sent through a port and a RST ACK packet is received. What
does this mean?
b. Port is closed
5. As opposed to running Snort in live mode to inspect traffic actively passed on the wire, what mode can Snort be run under to inspect previously captured data?
c. batch mode
b. Power Cables
c. Printer
d. Permanent Markers
2. Each piece of hardware must be documented with the item's information, which includes
a. Drivers License
b. Make/Model
c. Date of Birth
d. Maiden Name
3. The information written on each label should include the following except
a. Number of Partitions
b. Date
c. Type of file system
d. Price
4. Which item is used to document evidence?
a. Digital Camera
b. Firewire
c. Flash Drive
d. Flashlight
5. The following should be recorded when evidence is checked out except
a. Date of Birth
b. Case Number
c. Name
d. Date
2. Each piece of hardware must be documented with the item's information, which includes
b. Make/Model
3. The information written on each label should include the following except
d. Price
4. Which item is used to document evidence?
a. Digital Camera
5. The following should be recorded when evidence is checked out except
a. Date of Birth
2. When using EnCase or FTK, use which of the following to connect to the source hard drive (evidence)?
a. serial cable
b. read-only Firewire-to-IDE module
c. read-write Firewire-to-IDE module
d. coaxial cable
3. When EnCase duplicates an evidence hard drive, it creates evidence files on a destination media. This usually means a
a. DVD-R
b. Floppy Disk
c. Flash drive
d. formatted storage hard drive
4. FTK can acquire the forensic duplication in the following three different formats except
a. Portable Network Graphics
b. SMART format
c. Raw Disk Image (dd)
d. EnCase Evidence Files (.E01)
5. When using a laptop with EnCase, two additional items are usually needed. This includes a 2.5 to 3.5 laptop hard drive converter and a
a. Graphics card
b. PCMCIA Firewire card
c. Sound card
d. Data Acquisition card
5. Typically, we would copy the NED client onto a bootable CD-ROM environment which would be loaded into _____ and booted.
c. the suspect's computer
d. FAT/NTFS
4. A better way to ignore known files is to compare the _____ of every file in a forensic
duplication.
a. MAC times
b. file sizes
c. MD5 hashes
d. full file names
5. We can download _____ and save ourselves a lot of time in ignoring known files.
a. EnCase
b. Undelete
c. FTK
d. NIST's NSRL distribution
b. Fport
c. dd
d. FTK
5. The Cookies, History.IE5, and Content.IE5 folders contain a ____ file with forensic evidence.
a. index.exe
b. index.dat
c. index.xls
d. index.txt
c. Pasco
d. regedit
Key
1. ____ is the method of modifying data so that it is meaningless and unreadable in its current form.
d. encryption
2. ____ is the science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message.
c. steganography
3. The following is used as forensic software except ____.
b. Outlook
4. ____ are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.
a. write blockers
5. A ____ function is any well-defined procedure or mathematical function for turning some kind of data into a relatively small integer.
a. hash
Chapter 1
1. When collecting data from a victim machine to determine the who, how, and possibly why of an incident, which is a viable source?
a. Open TCP or UDP Ports
b. Users Currently Logged On
c. Open Files
d. All the above
2. An open rogue port usually denotes:
a. The system date and time
b. A backdoor running on the victim machine
c. Volatile data
d. Users currently logged on
3. FPort does the following:
a. Opens a backdoor
b. Closes all ports
c. Links open ports to executables that opened them
d. Launches live response
4. Group Policy information does not contain:
a. Redirected folders and their details
b. The last time policy was applied for both user and computer
c. IIS logs
d. Registry settings that were applied and their details
5. Most attacks happen over port:
a. 10
b. 1
c. 50
d. 80
Chapter 2
1. The Live Response process for a Unix machine is____ to a Windows machine.
A. Completely different
B. Almost identical
C. Exactly the same
D. Unix has not released a version
2. Which of the following is a common password cracking program that attackers employ to learn users' passwords, as discussed in chapter 2?
A. Jack the Ripper
B. The Headless Horseman
C. The Minotaur
D. John the Ripper
3. When issuing the command uname -a, you will receive what information?
A. All the available operating system version information
B. A review of all the loaded kernel modules
C. A display of the mounted file systems
D. A list of all the running processes on the system
4. A quick way to eliminate redundant data in the file system is to ____:
A. Calculate and analyze the MD5 checksum
B. Use a Poor Man's FTP using netcat
C. Go to www.Facebook.com
D. Do a search for .kde
5. A hacker would search for a keyword such as datapipe with ____?
A. $
B. |
C. \
D. ?
Chapter 3 & 4
1. The acronym NBE stands for which of the following?
A. Network-based exposure
B. Network-based evidence
C. Non-Biological Extraterrestrials
D. None of the above
2. What type of data is the easiest form of data to understand and manipulate?
A. Full Content Data
B. Statistical Data
C. Session Data
D. Alert Data
3. Taps (also known as Test Access Ports) are placed ____.
A. Between the firewall and router
B. Between mirroring ports
C. Between switches
D. A and C
4. When looking at alert data ____ is helpful when searching for something
suspicious.
A. Wireshark
B. Snort
C. Argus
D. Netstat
5. ARP is used to _____.
A. Rebuilds sessions of interest
B. Resolve IP addresses to MAC addresses
C. Get better retirement benefits
D. Check for Common Vulnerabilities and Exposures (CVE)
Chapter 6
1. All but which of the following is something that you would want to record in an
Evidence Worksheet:
A. Model
B. Serial number
C. Anti-static bags
D. Jumper settings
2. What principle is paramount to any investigation and should not be overlooked?
A. Documentation
B. Notation
C. Evidence
D. Smoking Gun
3. Any time evidence changes hands, which form should be filled out?
A. Agent Notes worksheet
B. Evidence Worksheet
C. Chain of Custody Form
D. Evidence Access Log
4. Which of the following is recommended to have in a toolkit mentioned in the
chapter?
A. Swiss Army Knife
B. Gerber Knife
C. Pens
D. HDMI cable
5. The following is unique information found on a hard drive that is recorded in the
Evidence Worksheet:
A. Calculus
B. Trigonometry
C. Algebra
D. Geometry
Chapter 7
1. _____ is one of the most widely used forensic duplication and analysis
software tools available today.
A. Snort
B. TechNet
C. TraceFirst
D. EnCase
2. When you hot swap a drive, you ____ or _____ it from a running
computer system without powering off the forensic workstation.
A. Add ; delete
B. Swap ; take
C. Read; write
D. Add; remove
3. By default, EnCase will duplicate the media and create a series of _____
files in a directory you specify.
A. 56k
B. 640 MB
C. 32 GB
D. 100 Mbps
4. Laptop hard drive converters come in _____ to _____.
A. 1.5 to 2.5
B. 5.5 to 7.5
C. 1.0 to 5.0
D. 2.5 to 3.5
5. A benefit when acquiring evidence using EnCase is that it allows us to preview and ______ the drive in a forensically sound manner.
A. Analyze
B. Send
C. Corrupt
D. Destroy
Chapter 9
1. One limitation of The Coroner's Toolkit that the authors pointed out involved an emphasis on recovering deleted files from a ___________ when in fact FAT32 and NTFS are the types of file systems we investigate the most.
A. Microsoft Windows file system
B. Linux file system
C. Unix file system
D. Both B and C
2. Downloading and installing The Sleuth Kit is a relatively ________ task.
A. Arduous
B. Trivial
C. Cumbersome
D. Difficult
3. Commercial methods to undelete files are more _________ and will show you the
logical and deleted files in one view.
A. Time consuming
B. Enabling
C. Fee-based
D. User-friendly
4. A notable hash distribution is the National Software Reference Library provided by the National Institute of Standards and Technology. It can be obtained by _____ or ____?
A. Downloaded freely
B. Bought at the store
C. Purchased as a subscription
D. Both A and C
5. The process of looking for data when you know a portion of it is called?
A. String searching
B. Unicode searching
C. Microsoft office
D. File searching
Chapter 10
1. At the time the book was written, __________ was the most popular Web browser
utilized by the general computing population.
A. Google Chrome
B. Mozilla Firefox
C. Opera
D. Microsoft Internet Explorer
2. Which of the following is not a facility where we can find evidence to view Web
browsing history?
A. Temporary Internet Files
B. Web browsing history
C. Cookies
D. GNU directory
3. Why are cookies necessary for browsing the internet?
A. HTTP is a stateless protocol
B. URI is a stateless protocol
C. TCP/IP is a stateless protocol
D. RFC is a stateless protocol
4. A cookie contains _____?
A. Unallocated space
B. FTK display
C. Expiration time
D. Executables
5. A REDR activity record contains ____ information than the URL or LEAK
records.
A. More
B. The same
C. Less
D. None of the above
Chapter 11
1. FTK will not recognize which of the following e-mail repository formats?
A. Yahoo
B. Earthlink
C. Lotus Notes
D. Outlook Express
3. There are currently ______ open source tools that can examine registry files
directly.
A. Plenty of
B. Really expensive
C. No available
D. Scarcely any
4. MRU stands for _______?
A. Most Redundantly Used
B. Maximum Receive Unit
C. Most Recently Used
D. Malware Removal Unit
5. Installed programs usually contain a mechanism that will enable them to be
_________.
A. Run
B. Uninstalled
C. Copied
D. Exported
Ayme Pena
Chapters 2, 3 & 4
1. Lsof is the single most powerful tool in our live response toolkit for UNIX systems; what does it stand for?
a) list software operating files
b) list open filters
c) list open files
d) list several open files
2) In Windows, an executable cannot be deleted while it is running in memory. Who locks the file so that it cannot be removed?
a) kernel
b) file system
c) operating system
d) none of the above
3) In Unix, an attacker can run a file, such as _________ and delete the original binary.
a) lsof
b) datapipe
c) mounted file
d) all of the above
c____4) Full Content Data
b____5) Session Data
d____6) Alert Data
a____7) Statistical Data
c) connection:networks
d) service:device
3. What is the command to exit from the FTP server?
a) exit
b) logoff
c) end
d) bye
4. If the command used by the intruder is mget knark*, what is he going to retrieve?
a) passwords
b) create a file with the name knark
c) files beginning with the word knark
d) that command is not recognized
5. What command shows the directory listings?
a) lo
b) la
c) ls
d) al
Chapter 6
1. Each piece of hardware must be documented with all except?
a) Different color
b) Peripheral connections
c) Evidence tag number
d) Make model
2. Your toolkit needs to have every type of computer hardware interface going back how
many years?
a) 2 years
b) Many
c) 6 months
d) Not applicable
3. Agent notes, Evidence labels, Chain of custody forms, Evidence custodian logs are all
part of which important part?
a) tags
b) labels
c) documents
d) printer
4. By what is the evidence safe maintained?
a) evidence custodian
b) evidence register
c) evidence janitor
d) evidence computer
Chapter 8
1. Data dump is part of the most basic of all
a) commercial tools
b) noncommercial forensic duplication tools
c) commercial forensic duplication tools
d) all of the above
2. After Linux has finished booting, what do you want to see?
a) if the computer will restart
b) the color of the screen
c) Which device represents your suspects hard drive
d) the device empty space
3. By running [root@localhost root]# md5sum -c md5sums.txt you are trying to ____?
a) validate the evidence file
b) separate the memory
c) hack the computer
d) delete
4. The ______ indicates the number of blocks that are skipped from the input before the
copying begins.
a) time
b) date
c) refresh
d) skip
5. So that data left on the storage hard drive previously is not introduced into the
evidence, the first order of business is to ______?
a) buy a new hard drive
b) wash the hard drive
c) cleanse the evidence
d) unplug the hard drive
Chapter 9
1. When conducting _________ analysis, the first step is to recover undeleted files.
a) research
b) forensic
c) process
d) security
2. In order to associate a file with a local loopback device such as /dev/loop0, the _________ has to be altered.
a) memory
b) hard drive
c) device
d) kernel
3. Metadata includes ___________, file sizes, MAC times, MD5 hashes, and more.
a) full file names
b) brand
c) exact sizes
d) none of the above
4. What must you select from the menu bar to perform a keyword search with EnCase?
a) View->Words
b) View->Hidden words
c) View->Keywords
d) View->Menu bar
5. Keyword searching is a very important step for ________________________ and
___________________ throughout your evidence data set.
a) identifying relevant files : file fragments
b) finding time of data : file name
c) identifying images : relevant fragments
d) forensic analysis : security threats
Chapter 10
1. Who utilizes the E-script, to parse the Web browsing information found in the evidence
and present it to the investigator?
a) FTK
b) IE History
c) E-Script
d) EnCase
2. C:\Documents and Settings\<<profilename>>\Cookies\ is an example of one of the ____________________________________?
a) profile names
F-13
4. drawback of FAT16?
a. Restricted disk size.
b. Slow speed
c. Easily corruptible
5. What is the Linux command to make a new file system?
a) Mkfs
b) Fdisk
c) Mkdir
d) Format
Chapter F8
1. What is the fastest and most reliable drive type available?
a. IDE
b. SATA
c. SCSI
d. ATA
2. What is the term for a chronological documentation of evidence?
a. Chain of custody
b. Evidence
c. Evidence log
d. Custody log
3. What is the most modern form of boot device currently used in computers today?
a. 5.25-inch floppy disk
b. 3.5-inch floppy disk
c. USB boot drives
d. CDROMS
4. Computer forensics deals with which of the following:
a. Virus software
b. Spyware
c. Legal evidence found in computer media
d. Intellectual property
5. What is the most important rule to remember in dealing with digital
forensic evidence?
a. Do not disturb the original disk image evidence
b. Recover deleted files
c. Access the information as fast as possible
d. Discover digital evidence
Chapter F9
1. What is the best digital investigation tool currently available commercially?
a. Symantec
b. Encase
c. Dfrag
d. Undelete
2. Encase is published by which company:
a. Guidance Software
b. Encase Software
c. Microsoft
d. Oracle
3. What is the recommended way of obtaining a digital copy of an
evidence disk?
a. Bit by bit disk copy
b. Copy Paste
c. Logging into the computer in question.
4. What is the extension for an EnCase media type?
a. .exe
b. .bat
c. .enc
d. .ewf
5. What type of software is FTK?
a. Virus program
b. Disk copy program
c. Scanning program
d. Computer forensic tool kit
a. Netstat -n
b. Fport
c. FTP
d. Ipconfig
c) Mounted
d) Accessed
3. What is the best way to determine if a system file has been modified?
a) Do a virus scan
b) Do an LS command
c) Run a checksum
d) Try to run the file.
b) /etc/syslog.conf
c) /windown32/system.log
d) /bin/syslog.conf
a) /etc/passwd
b) /etc/bin/passwd
c) /windows/passwd
d) It does not exist
6. Which type of equipment joins networks together?
a. Hub
b. Switch
c. Router
d. Access Point
7. What type of device is used to filter network traffic?
a. Firewall
b. A server
c. Hub
d. Switch
8. What is a standard packet capture program?
a. TCPdump
b. Fport
c. Telnet
d. Netstat
a. Snort
b. SSH
c. Netstat
d. Telnet
10. In a standard intrusion scenario, when an intruder conducts probes against a target system, it is called?
a. Consolidation
b. Exploitation
c. Reconnaissance
d. Pillage
11. What type of data gives you a general pattern of network traffic?
a. Alert data
b. Statistical data
c. Sample data
d. Raw data
13. The intercepting of network data directly from the network via a
hardware device is known as?
a. Exploit
b. Tap
c. Signature
d. Sample
14. The data that records all network activity that occurred during a specific period is known as?
a. Raw data
c. Sample data
d. Alert data
15. Gaining root privileges in a Linux/Unix system usually refers to the following?
5. Which set of tools provide enhanced functionality for viewing volatile data in
Windows?
a. IIS
b. Policy Manager
c. pstools
d. Windows XP Service Pack 3
1. What is NBE?
a. NetBios Environment
b. Network-Based Evidence
c. Non-Breakable Execution
d. Network Bound E-mail
2. Which one of these is not a type of NBE?
a. Session Data
b. Alert Data
c. Application Data
d. Statistical Data
3. Which of these is not a method to intercept network traffic?
a. Multimeter
b. Taps
c. Hubs
d. Inline devices
4. What function does the snort program perform?
a. performs a core dump
b. eavesdrop through the telephone system
c. perform statistical analysis
d. captures interesting network packets
5. Which event is a likely precursor to an attack?
a. server begins to power off without warning
b. a disgruntled employee was fired
c. a threatening email
d. a port scan
a. true
b. false
8. What device can be used to avoid disturbing the data on a suspect drive when
accessing it?
a. Write blocker
b. dongle
c. MTU
d. Just set all the file to read-only.
b. Decryption
c. Bicryption
d. Monocryption
5. A _____ function is any well-defined procedure or mathematical
function for turning some kind of data into a relatively small integer.
a. Mash
b. Hash
c. Linear
d. Quadratic
6. What does SHA stand for?
a. System Hit Algorithm
b. Secure Hash Algorithm
c. Science History Agency
d. Secure Hail Algorithm
7. Use a __________device to prevent accidentally writing to the suspect
media.
a. System
b. File
c. Read-Blocking
d. Write-blocking
8. The _____ algorithm takes as input a message of arbitrary length and
produces as output a 128-bit fingerprint of the input.
a. MD8
b. MD5
c. MD6
d. MD7
9. It is important that an _____ is made of the hard drive and not a copy or
a backup.
a. Icon
b. File
c. Picture
d. Image
10. Which is NOT a name for a returned value of a hash function?
a. Hash values
b. Hash codes
c. Hashish
d. Hashesh
Moises Flores Jr
CSCI 6318
Dr. John Abraham
Chapter 6 Questions
1. Which of the following tools is an essential tool when conducting forensic
duplication?
a. Hammer
b. Digital Camera
c. Cell Phone
d. Pager
2.
d. EnCase.
3. It is highly recommended to use ____ rather than a software solution.
a. Active.
b. Hardware.
c. Physical.
d. Password.
4. FTK can acquire the forensic duplication in three different formats, what are they?
a. EnChase Information Files, Raw Disk Image, SMART Format.
b. EnCase Evidence Files, Row Disk Image, SMART Format.
c. EnCase Evidence Files, Raw Disk Image, SMART Format.
d. EnCase Evidence Files, Raw Disk Image, SNORT Format.
5. To acquire a forensic duplication with FTK, you must open the FTK ____.
a. Instant program.
b. Initiation program.
c. Imager program.
d. Imaging program.
Chapter 8 Questions
1. The most basic of all noncommercial forensic duplication tools is definitely
a. Desk dump
b. Data dunk
c. Date dump
d. Data dump
4. When creating an evidence hard drive, the first thing one should do is?
a. Delete the evidence hard drive so that data left on the storage hard drive
previously is not introduced into the evidence.
b. Detect the evidence in the hard drive so that data left on the storage hard
drive is introduced into the evidence.
c. Cleanse the evidence hard drive so that data left on the storage hard drive previously is not introduced into the evidence.
d. None of the above.
5. The ____ is a variation of the standard dd that provides functionality for greater authentication using a built-in MD5 hashing algorithm.
a. DCFLLD
b. DCFLDD
c. DDFLCD
d. DDFLDD
Chapter 9 Questions
1. When conducting forensic analysis, what is the first step you want to take?
a. Delete files.
b. Undelete files.
c. Recover files.
d. Take pictures.
2. The ____ is altered so that you can associate a file (the forensic duplication) with a local loopback device such as /dev/loop0.
a. Operating system.
b. Memory.
c. Kernel.
d. Shell.
3. The first step to recover deleted files is to load our evidence into
a. Hard drive.
b. USB.
c. EnCase.
d. Forensic Work Station.
4. What is one of the advantages of using open source tools to undelete files?
a. It is easier to use than commercial alternatives.
b. No licensing fees associated.
c. It retrieves more undeleted files than commercial solutions.
d. None of the above.
5. What does Metadata include?
A. index.html
B. history.dat
C. index.dat
D. ie.dat
5. The following are valid types for an activity record in internet explorers history
EXCEPT:
A. LEAK
B. REDR
C. URL
D. COOKIE
1. The aim of an information management strategy is to:
CSCI6318
03/28/2010
Liang Ding
Lecture 1: Live Incident Response
1. Which option is not included in Volatile Data?
A. The System Date and Time
B. Which Executables Are Opening TCP or UDP Ports
C. A History of Logins
D. Open Files
2. Which symbol can we use to write information printed on screen into a file?
A. ^
B. <<
C. &
D. >
3. Which command do we use to get information about Scheduled
Jobs?
A. at
B. Pslist
C. Fport
D. Date
5. Which command in our book do we use to get File System Time and Date Stamps?
A. dir
B. find
C. psinfo
D. time
2. D
3. A
4. D
5. B
Lecture2 Answers:
1. D
2. A
3. C
4. B
5. AD
CSCI6318
03/28/2010
Liang Ding
Lecture 3: Unix Live Incident Response
8. Network security specialists use four main ways to access network traffic. These methods include:
A. Hubs
B. Taps
C. Inline devices
D. Switch SPAN ports
E. All of the above
9. Which description is for Full Content Data?
A. Consists of the actual packets, typically including headers and application information.
B. Shows aggregations of packets into flows or groups of associated packets.
C. Created by network IDSs; when the IDSs see traffic that matches its signature or rule base, it informs the administrator via an alert reported to a database, console, or email.
D. For stepping back and looking at the big picture, provides perspective.
10. …
A. Consists of the actual packets, typically including headers and application information.
B. Shows aggregations of packets into flows or groups of associated packets.
C. Created by network IDSs; when the IDSs see traffic that matches its signature or rule base, it informs the administrator via an alert reported to a database, console, or email.
D. For stepping back and looking at the big picture, provides perspective.
Answer:
a) C
b) A
c) C
d) B
e) A
f) E
g) D
h) E
i) A
j) C
CSCI6318
04/15/2010
Liang Ding
Chapter 6 & 7:
8. The ______ is a variation of the standard dd that provides functionality for greater authentication using a built-in MD5 hashing algorithm.
A. NED
B. DCFLDD
C. FTK
D. EnCase
9. Which is the newest open source forensics tool that runs in a Linux environment?
A. NED
B. FTK
C. EnCase
D. DD
11. What is the purpose of Blank floppies for Forensic Duplications?
E. Cut a cable tie in the suspect's computer to acquire a duplication
F. Connect the suspect's media to your forensic
G. Show tampering if you store your evidence in a standard business
envelope
H. Modify a boot disk
12. Which is the commercial software we use to accomplish a
forensic duplication? It is one of the most widely used forensic
duplication and analysis software tools available today.
E. FTK
F. EnCase
G. DD
H. DCFLDD
Answer:
1 E
2 E
3 C
4 D
5 B
6 E
7 D
8 B
9 A
10 D
CSCI6318
04/22/2010
Liang Ding
Chapter 9: Common forensic analysis techniques
14. Before analysis, we should make sure that forensic duplication
is________.
O. Read and write
P. Write only
Q. Read only
R. Hidden
15. Which is the most notable forensic tool in the open source
movement to recover deleted files?
O. The Coroner's Toolkit
P. EnCase
Q. JBRWWW
R. FTK
16. After we finish forensic duplication and file recovery, we should do ______.
M. Load evidence
N. Acquire the metadata from all files that exist in the evidence
O. Create new image
P. Create MD5 hashes for the files
17. What is the better way to ignore known files?
I. Delete known files at first
J. Make marks for the known files
K. Copy the known files into another hard drive
L. Compare the MD5 hashes of every file in a forensic duplication with
a known set of hashes and ignore any matches
18. If you do not know what you will find on the subject's hard drive, but you know specifics of a case, what should you do?
I. Perform a search across the whole hard drive and detect files or file
fragments that contain the information you are looking for
J. Determine the file signatures
K. Remove known files
L. Forensic duplication
D.
DD
8. Pasco examines ______ files and how they were populated when a suspect browses the internet.
A. index.html
B. index.sys
C. index.dat
D. index.zip
9. Which is the tool to translate the information inside an IE cookie file to something a human can understand?
A. Pasco
B. FTK
C. EnCase
D. Galleta
10. Cookie files are stored in _____.
A. Remote computer
B. Server
C. Native computer
D. Switch
A)Netcat
B)Cryptcat
C)MD5
D)FPort
5.- _________ is an application to list the process table in order to know what processes the attacker executed.
A)PsExec
B)PsTools
C)PsList
D)Netstat
1.- ______________ network security monitoring is used when the attack has already happened.
A)Threat response
D)Proactive NBE
B)Reactive NSM
E)Resulting NSM
2.- ____________ is a Java program that reads information from a MySQL database and produces a 3-D map of network traffic.
A)scanmap3d
B) Tcpdump
C)3-D visualizer
D)IDS
3.- In a Linux environment, if an administrator wants to check whether a kernel module has been trojaned, he must use the ________ command to review all the loaded kernel modules.
A)lsmod
B)Cryptcat
C)MD5
D)FPort
4.- _________ network security monitoring is used to prevent attacks.
A)Proactive NSM
B)Cryptcat
C)Reactive NBE
D)FPort
5.- ___________ is the protocol Microsoft uses to share files, printers, and serial ports, and also to communicate between computers.
A)Active Directory
B)Sharepoint Services
C)Server Message Block
D)System Services
Prepared by: Edgar Garcia
1.- ________ is an open source tool used to examine the contents of Internet Explorer's cache files. It will parse the information in an index.dat file and output the results in a field-delimited manner.
A)FTK
D)Pasco
B)EnCase
E)NBE
2.- ________ is an open source tool used to examine the contents of a cookie file. It will parse the information in a cookie file and output the results in a field-delimited manner.
A)FTK
D)Pasco
B)NBE
E)Galleta
3.- _________________ is a file that can be used to reconstruct the Web browsing activity. It contains three activity records: LEAK, URL and REDR.
A)index.dat
B)iehistory.dat
C)browser.dat
D)ielogs.dat
4.- _________ is the record that shows information about a browser's redirection to another site.
A)URL
B)LEAK
C)REDR
D)WebRecord
5.- The record that does the same as URL and contains information about websites visited is the ______ record.
A)REDR
B)Webrecord
C)FTK
D)LEAK
1.-__________, is an open source tool that can be used to reconstruct an E-Mail DBX
file.
A)Encase
D)Eindeutig
B)MailRecover
E)MailRestore
2.-An open source tool named __________, can be used to decode MIME file attachments in email.
A)EnCase
B)PASCO
C)Munpack
D)Undelete
3.- Lotus Notes e-mail repositories can be directly analyzed. They do not need to be
converted to another format before analysis.
A)True
B)False
4.-AOL E-mail repositories can be directly analyzed without having to download the
AOL client.
A)False
B)True
5.-The file format used by Outlook Express that contains the actual e-mail message content and attachments is called ______________.
A)E-Mail DBX file
B) Standard IDE Cable
C)Folders DBX File
D)Express E-Mail File
b. PsService
c. PsExec
d. PsFile
4. Which command displays protocol statistics and current TCP/IP connections using NetBIOS over TCP/IP?
a. nc
b. Ipconfig
c. Nbtstat
d. Fport
5. What tool opens TCP/IP and UDP ports and maps them to the owning
application?
a. Fport
b. ShoWin
c. NTLast
d. Fpipe
Chapter 2
1. The ______ file system can be obtained by issuing either the mount command or the df command.
a. Mount
b. Internal
c. Windows
d. Linux
2. Which of the following is not a form of nonvolatile data?
a. User accounts
b. User history accounts
c. Syslog logs
d. Open files
3. What command must you use to review all loaded kernel modules?
a. Nbtstat
b. Netstat
c. Lsmod
d. Md5sum
4. You can view open processes and the users running them by issuing
the _____ command.
a. Ps aux
b. Ps rn
c. Pt x
d. Pq rt
5. _______ are commands the user types at the prompt.
a. User log files
b. History files
c. Event log files
d. System log files
Chapter 3
1. Which of the following is a type of NBE?
a. Statistical data
b. Raw data
c. Registry Keys
d. Metadata
2. Which of the following is NOT a way to access network traffic?
a. Hubs
b. Taps
c. Switch SPAN ports
d. Radio waves
3. Under which standard intrusion scenario does the intruder perform
reconnaissance against the target to validate connectivity, enumerate
services, and check for vulnerable versions?
a. Pillage
b. Consolidation
c. Reconnaissance
d. Exploitation
4. ________ data is created by analyzing NBE for predefined items of interest.
a. Alert
b. Session
c. Physical
d. New
5. _____ are the simplest and cheapest way to gain access to network traffic.
a. Hubs
b. Wireless routers
c. Repeaters
d. NAS
Chapter 4
1. _______ mode runs Snort against previously captured data.
a. Stealth
b. Live
c. Batch
d. Silent
2. _______ is the protocol Microsoft uses to share files, printers, serial ports, and also to communicate between computers using named pipes and mail slots.
a. Server Message Block (SMB)
b. MAC
c. FTP
d. HTTP
3. An identification request, commonly used with email and Internet Relay Chat (IRC), is known as _________.
a. ICMP
b. SNTP
c. IDENT
d. HTML
4. What does the -n do in the command tcpdump -n -i eth0 -s 1515 -w capture_file.lpc?
a. Disables translation of IP addresses to host names and of port numbers to service names.
b. Enables translation of IP addresses to host names and of port numbers to service names.
c. Changes the port numbers and IP addresses.
d. Disables all functions of TCP/IP.
5. Which Microsoft service contains a dedicated scripting engine for advanced file types such as ASP, ASA, and HTR files?
a. WebClient
b. IIS 5.0
c. W32Time
d. RapiMgr
a. OpenDD
b. EnCase
c. Standard dd
d. All of the above
e. None of the above
2. When using dd, always make sure that the BIOS boots from:
a. Your Linux operating system
b. The suspect's hard drive
c. None of the above
3. EnCase is a:
a. Freeware application
b. Commercial application
c. None of the above
d. All of the above
4. FTK can acquire forensic duplications in the following formats:
a. EnCase evidence files
b. Raw disk image
c. SMART format
d. All of the above
e. None of the above
5. dd does:
a. High level copying
b. Low level copying
c. All of the above
d. None of the above
6. dd is
a.
b.
c.
d.
e.
10. Metadata includes:
a. Full file names
b. File sizes
c. MD5 hashes
d. All of the above
e. None of the above