Question 1

Network forensics is a fast, easy process.

Accepted Answer

Network forensics is a complex process that requires specialized skills and tools to analyze network traffic, identify potential security incidents, and gather evidence that can be used in legal proceedings. It involves collecting and analyzing data from various sources, such as network logs, packet captures, and system logs, to understand the scope and impact of a security incident, and to identify the source of the attack. It requires a systematic approach, attention to detail, and extensive knowledge of network protocols and security technologies.

Question 2

____ is a popular network intrusion detection system that performs packet capture and analysis in real time.&#10;A) Ethereal&#10;B) Snort&#10;C) Tcpdump&#10;D) john

Accepted Answer

Snort is a popular network intrusion detection system that performs packet capture and analysis in real time. It uses a rule-based language to identify and alert on suspicious network activity. Ethereal is a network protocol analyzer, Tcpdump is a command-line packet capture tool, and john is a password cracking tool.

Question 3

____ hide the most valuable data at the innermost part of the network.&#10;A) Layered network defense strategies&#10;B) Firewalls&#10;C) Protocols&#10;D) NAT

Accepted Answer

Layered network defense strategies involve the use of multiple layers of security measures to protect the network from various types of attacks. One important aspect of this approach is to hide the most valuable data at the innermost part of the network, which adds an extra layer of protection against unauthorized access. Firewalls and NAT are also important components of network security, but they are not specifically designed to protect against data breaches or attacks on sensitive information. Protocols are a set of rules that govern communication between devices, and they can be used to enhance network security but do not directly protect data.

Question 4

A common way of examining network traffic is by running the ____ program.&#10;A) Netdump&#10;B) Slackdump&#10;C) Coredump&#10;D) Tcpdump

Accepted Answer

Tcpdump is a command-line tool used to capture and analyze network traffic. It captures packets and displays information about them, such as source and destination IP addresses, protocols used, and payload data. It is commonly used for network troubleshooting and security analysis. The other options, Netdump, Slackdump, and Coredump, are not commonly used tools for examining network traffic.

Question 5

When intruders break into a network, they rarely leave a trail behind.

Accepted Answer

This statement is false. Intruders generally leave traces behind in the form of logs, unusual network activity, changes to files or configurations, or malware that may have been installed. These traces can be used to investigate the incident and identify the source of the intrusion.

Question 6

Ngrep cannot be used to examine e-mail headers or IRC chats.

Accepted Answer

Ngrep can be used to examine e-mail headers or IRC chats.

Question 7

Helix operates in two modes:Windows Live (GUI or command line) and ____.&#10;A) command Windows&#10;B) remote GUI&#10;C) command Linux&#10;D) bootable Linux

Accepted Answer

Helix operates in two modes: Windows Live (GUI or command line) and bootable Linux. The bootable Linux mode allows Helix to be used without depending on the host operating system, which can be crucial for forensic investigations to avoid altering data on the suspect system.

Question 8

____ is a Sysinternals command that shows all Registry data in real time on a Windows computer.&#10;A) PsReg&#10;B) RegExplorer&#10;C) RegMon&#10;D) RegHandle

Accepted Answer

RegMon (Registry Monitor) is a Sysinternals command that monitors and displays all Registry data in real-time. It allows users to track Registry changes made by applications and processes, and offers detailed information about the changes, including the keys and values modified. PsReg (Process Registry) is a different utility that displays Registry keys and values associated with a particular process, RegExplorer is not a valid Sysinternals command, and RegHandle is a utility for examining handles for processes and applications, not for monitoring Registry data. Therefore, the best choice is C, RegMon.

Question 9

____ can be used to create a bootable forensic CD and perform a live acquisition.&#10;A) Helix&#10;B) DTDD&#10;C) Inquisitor&#10;D) Neon

Accepted Answer

Helix is a forensic tool that can be used to create a bootable forensic CD or USB drive. It can perform live acquisitions of data from a suspect device without altering the data on the suspect device. Helix comes with a variety of forensic tools and utilities that can be used for analysis and investigation.

Question 10

Most packet sniffers operate on layer 2 or ____ of the OSI model.&#10;A) 1&#10;B) 3&#10;C) 5&#10;D) 7

Accepted Answer

Packet sniffers operate on the link layer (layer 2) and sometimes the network layer (layer 3) of the OSI model. They capture and analyze network traffic at these layers to identify network protocols, detect network problems, and gain insight into network behavior. Packet sniffers do not typically operate at higher layers of the OSI model, such as the session layer (layer 5) or application layer (layer 7).

Question 11

____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program.&#10;A) Broadcast forensics&#10;B) Network forensics&#10;C) Computer forensics&#10;D) Traffic forensics

Accepted Answer

The answer of ____ can help you determine whether a...

Question 12

____ forensics is the systematic tracking of incoming and outgoing traffic on your network.&#10;A) Network&#10;B) Computer&#10;C) Criminal&#10;D) Server

Accepted Answer

The answer of ____ forensics is the systematic tracking of...

Question 13

____ is the U.S. DoD computer forensics lab's version of the dd command that comes with Knoppix-STD.&#10;A) chntpw&#10;B) john&#10;C) memfetch&#10;D) dcfldd

Accepted Answer

The answer of ____ is the U.S. DoD computer forensics...

Question 14

____ are devices and/or software placed on a network to monitor traffic.&#10;A) Packet sniffers&#10;B) Bridges&#10;C) Hubs&#10;D) Honeypots

Accepted Answer

The answer of ____ are devices and/or software placed on...

Question 15

With the Knoppix STD tools on a portable CD, you can examine almost any network system.

Accepted Answer

The answer of With the Knoppix STD tools on a...

Question 16

The Knoppix STD tool ____ enables you to reset passwords on a Windows computer, including the administrator password&#10;A) chntpw&#10;B) john&#10;C) oinkmaster&#10;D) memfetch

Accepted Answer

The answer of The Knoppix STD tool ____ enables you...

Question 17

PsList from PsTools allows you to list detailed information about processes.

Accepted Answer

The answer of PsList from PsTools allows you to list...

Question 18

Most packet sniffer tools can read anything captured in ____ format.&#10;A) SYN&#10;B) DOPI&#10;C) PCAP&#10;D) AIATP

Accepted Answer

The answer of Most packet sniffer tools can read anything...

Question 19

____ is a suite of tools created by Sysinternals.&#10;A) EnCase&#10;B) PsTools&#10;C) R-Tools&#10;D) Knoppix

Accepted Answer

The answer of ____ is a suite of tools created...

Question 20

The PSTools ____ kills processes by name or process ID.&#10;A) PsExec&#10;B) PsList&#10;C) PsKill&#10;D) PsShutdown

Accepted Answer

The answer of The PSTools ____ kills processes by name...

Question 21

The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers.&#10;A) Honeynet&#10;B) Honeypot&#10;C) Honeywall&#10;D) Honeyweb

Accepted Answer

The answer of The ____ Project was developed to make...

Question 22

____________________ is a layered network defense strategy developed by the National Security Agency (NSA).

Accepted Answer

The answer of ____________________ is a layered network defense strategy...

Question 23

Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan horse&#10;b.Ethereal&#10;g.Knoppix&#10;c.Tripwire&#10;h.PsShutdown&#10;d.PsGetSid&#10;i.oinkmaster&#10;e.PsLoggedOn&#10;a network analysis tool

Accepted Answer

The answer of Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan...

Question 24

Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan horse&#10;b.Ethereal&#10;g.Knoppix&#10;c.Tripwire&#10;h.PsShutdown&#10;d.PsGetSid&#10;i.oinkmaster&#10;e.PsLoggedOn&#10;type of malware

Accepted Answer

The answer of Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan...

Question 25

The term ____________________ means how long a piece of information lasts on a system.

Accepted Answer

The answer of The term ____________________ means how long a...

Question 26

____ is a good tool for extracting information from large Libpcap files.&#10;A) Nmap&#10;B) Tcpslice&#10;C) Pcap&#10;D) TCPcap

Accepted Answer

The answer of ____ is a good tool for extracting...

Question 27

Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan horse&#10;b.Ethereal&#10;g.Knoppix&#10;c.Tripwire&#10;h.PsShutdown&#10;d.PsGetSid&#10;i.oinkmaster&#10;e.PsLoggedOn&#10;displays who's logged on locally

Accepted Answer

The answer of Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan...

Question 28

In a(n) ____ attack, the attacker keeps asking your server to establish a connection.&#10;A) SYN flood&#10;B) ACK flood&#10;C) brute-force attack&#10;D) PCAP attack

Accepted Answer

The answer of In a(n) ____ attack, the attacker keeps...

Question 29

Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan horse&#10;b.Ethereal&#10;g.Knoppix&#10;c.Tripwire&#10;h.PsShutdown&#10;d.PsGetSid&#10;i.oinkmaster&#10;e.PsLoggedOn&#10;usually refers to network forensics

Accepted Answer

The answer of Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan...

Question 30

Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan horse&#10;b.Ethereal&#10;g.Knoppix&#10;c.Tripwire&#10;h.PsShutdown&#10;d.PsGetSid&#10;i.oinkmaster&#10;e.PsLoggedOn&#10;a bootable Linux CD intended for computer and network forensics

Accepted Answer

The answer of Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan...

Question 31

Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan horse&#10;b.Ethereal&#10;g.Knoppix&#10;c.Tripwire&#10;h.PsShutdown&#10;d.PsGetSid&#10;i.oinkmaster&#10;e.PsLoggedOn&#10;an audit control program that detects anomalies in traffic and sends an alert automatically

Accepted Answer

The answer of Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan...

Question 32

The PSTools ____________________ tool allows you to suspend processes.

Accepted Answer

The answer of The PSTools ____________________ tool allows you to...

Question 33

Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan horse&#10;b.Ethereal&#10;g.Knoppix&#10;c.Tripwire&#10;h.PsShutdown&#10;d.PsGetSid&#10;i.oinkmaster&#10;e.PsLoggedOn&#10;helps manage snort rules so that you can specify what items to ignore as regular traffic and what items should raise alarms

Accepted Answer

The answer of Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan...

Question 34

A ____ is a computer set up to look like any other machine on your network, but it lures the attacker to it.&#10;A) honeywall&#10;B) honeypot&#10;C) honeynet&#10;D) honeyhost

Accepted Answer

The answer of A ____ is a computer set up...

Question 35

Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan horse&#10;b.Ethereal&#10;g.Knoppix&#10;c.Tripwire&#10;h.PsShutdown&#10;d.PsGetSid&#10;i.oinkmaster&#10;e.PsLoggedOn&#10;shuts down and optionally restarts a computer

Accepted Answer

The answer of Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan...

Question 36

____________________ logs record traffic in and out of a network.

Accepted Answer

The answer of ____________________ logs record traffic in and out...

Question 37

Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan horse&#10;b.Ethereal&#10;g.Knoppix&#10;c.Tripwire&#10;h.PsShutdown&#10;d.PsGetSid&#10;i.oinkmaster&#10;e.PsLoggedOn&#10;displays the security identifier (SID) of a computer or user

Accepted Answer

The answer of Match each item with a statement below&#10;a.Cyberforensics&#10;f.Trojan...

Question 38

____ is the text version of Ethereal, a packet sniffer tool.&#10;A) Tcpdump&#10;B) Ethertext&#10;C) Etherape&#10;D) Tethereal

Accepted Answer

The answer of ____ is the text version of Ethereal,...

Question 39

Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack.&#10;A) ISPs&#10;B) soldiers&#10;C) zombies&#10;D) pawns

Accepted Answer

The answer of Machines used on a DDoS are known...

Question 40

The U.K. Honeynet Project has created the ____________________. It contains the honeywall and honeypot on a bootable memory stick.

Accepted Answer

The answer of The U.K. Honeynet Project has created the...

Question 41

What is the general procedure for a live acquisition?

Accepted Answer

The answer of What is the general procedure for a...

Question 42

When are live acquisitions useful?

Accepted Answer

The answer of When are live acquisitions useful?...

Question 43

Explain The Auditor tool.

Accepted Answer

The answer of Explain The Auditor tool....

Question 44

Why is testing networks as important as testing servers?

Accepted Answer

The answer of Why is testing networks as important as...

Question 45

What are some of the tools included with the PSTools suite?

Accepted Answer

The answer of What are some of the tools included...

Question 46

How should you proceed if your network forensic investigation involves other companies?

Accepted Answer

The answer of How should you proceed if your network...

Question 47

What are some of the tools included with Knoppix STD?

Accepted Answer

The answer of What are some of the tools included...

Question 48

What is Knoppix-STD?

Accepted Answer

The answer of What is Knoppix-STD?...

Question 49

Describe some of the Windows tools available at Sysinternals.

Accepted Answer

The answer of Describe some of the Windows tools available...

Question 50

Detail a standard procedure for network forensics investigations.

Accepted Answer

The answer of Detail a standard procedure for network forensics...

Deck 11: Virtual Machines, Network Forensics, and Live Acquisitions