Deck 13: Computer Intrusions

1
A more thorough method of collecting specific volatile data from a computer is to:

A) Examine the specific memory addresses live
B) Collect the full contents of physical memory
C) Selectively collect contents of physical memory
D) Take screenshots.
B
2
The registry key HKLM\Software\Microsoft\Windows\CurrentVersion is one of the most common locations for:

A) New software entries
B) Time and date information
C) Trojans
D) A list of recently run programs
Trojans
3
If digital investigators find an unauthorized file, they should:

A) Immediately move the file to removable media
B) Check for other suspicious files in the same directory
C) Execute the file to determine its purpose
D) Permanently delete the file
B
4
A thorough understanding of the tactics and techniques used by criminals is "nice to know" but is not essential to the successful investigation of criminal behavior.
5
The forensic examiner needs to be aware that the process of collecting memory:

A) Is seldom useful and not often called for
B) Can take an extremely long period of time
C) Is only needed for standalone systems
D) Changes the contents of memory
6
Determining skill level can lead to:

A) Determining the extent of the intrusion
B) Likely hiding places for rootkits and malware
C) Suspects
D) Offense behaviors
7
A computer intruder's method of approach and attack can reveal a significant amount about their:

A) Skill level
B) Knowledge of the target
C) Intent
D) All of the above
8
In the case of a computer intrusion, the target computer is:

A) The remote crime scene
B) The auxiliary crime scene
C) The virtual crime scene
D) The primary crime scene
9
A growing number of intrusions are committed by organized criminal organizations and state-sponsored groups.
10
Why are "non-volatile" storage locations contained in the RFC 8227 "Order of Volatility"?

A) This is an old RFC and has not been updated.
B) No form of data storage is permanent.
C) An RFC is a Request for Comments - and corrections are expected.
D) None of the above.
11
Remote forensic solutions can be used to access live systems, and include the ability to:

A) Acquire and, sometimes, analyze memory
B) Image systems without ever having to leave the lab
C) Conduct examination and analysis without the need to image
D) Image large systems across the Internet
12
When collecting data from a compromised computer, consideration should be given to collecting the _________ data first.

A) CMOS
B) Most volatile
C) Magnetic
D) Optical
13
Although new exploits are published daily, it takes skill and experience to break into a computer system, commit a crime, and cover one's tracks.
14
Capturing all of the network traffic to and from the compromised system can:

A) Allow the network administrators to participate in the investigation, establishing rapport for later interviews
B) Reveal the source of the attack
C) Seriously slow down the network, affecting normal work
D) None of the above
15
Intruders who have a preferred toolkit that they have pieced together over time, with distinctive features:

A) Usually have little experience and are relying on the kit
B) Show little initiative - letting the tool do the work
C) Are generally more experienced
D) Pose less of a threat
16
During the commission of a crime, evidence is transferred between the offender's computer and the target. This is an example of:

A) Locard's Exchange Principle
B) Sutherland's General Theory of Criminology
C) Martin's Rule
D) Parkinson's Rule of Available Space
17
Social engineering refers to any attempt to contact legitimate users of the target system and trick them into giving out information that can be used by the intruder to break into the system.
18
A forensic analysis conducted on a forensic duplicate of the system in question is referred to as:

A) Virtual analysis
B) Clone analysis
C) Post-mortem analysis
D) Ex post facto analysis
19
A common technique that is highly useful and can be applied in a computer intrusion investigation is to simply focus on file system activities around the time of known events. This embodies a principle known as:

A) Temporal proximity
B) Timeline analysis
C) File system analysis
D) Temporal aggregation
20
A valid profile of a computer intruder is an antisocial adolescent.
21
Discuss why computer intrusions are among the most challenging types of cybercrimes from a digital evidence perspective.
22
Investigating computer intrusions usually involves a small amount of digital evidence from only a few sources.
23
Gathering information about a system through the use of a port scanner is considered a direct attack method.
24
The first stage of a computer intrusion is Abuse.
25
Discuss the difference between automated and dynamic modus operandi, including the kinds of information to look for, and the value of conducting this kind of analysis.
26
Incident Response can be viewed as a subset or part of an intrusion investigation.
27
In a computer intrusion, the stage after Attack is Abuse.
28
An example of the Entrenchment phase of an intrusion would be uploading a backdoor through the remote shell.
29
The first step when investigating a computer intrusion incident is to determine if there actually was one - there must be a corpus delicti.
30
Examining a live system is prone to error, may change data on the system, and may even cause the system to stop functioning.
31
Reverse social engineering is any attempt by intruders to have someone in the target organization contact them for assistance.
32
"Spear phishing" is an intrusion technique wherein mass e-mails that appear or claim to be from a legitimate source request that the recipient follow instructions contained in the e-mail.