Ch. 8 Digital Forensics

When capturing a system image from a computer system, what type of device should you use when connecting to the evidence drive. a. Track pro b. iSCSI HBA c. Writer blocker d. Memory imager

c. Writer blocker

Place the following collecting items in order of volatility: ARP cache, USB drives, memory (RAM), temporary file system/swap space, CPU register contents, live network connections, data on hard disk.

CPU register contents, ARP cache, live network connections, memory (RAM), temporary file system/swap space, data on hard disk, USB Drives.

Which of the following techniques is most likely to be employed by a credit card company looking for fraudulent transactions? a. Big data analysis b. Network forensics c. Script mining d. Drive imaging

a. Big data analysis

What does MAC stand for when discussing MAC times in file analysis? a. Modified, available, and closed b. Modified, accessed, and created c. Modified, accessed, and copied d. Modified, appended, and created

b. Modified, accessed, and created

While examining your network logs, you notice a large amount of TCP traffic coming from an external IP address directed at the web server in your DMZ. The destination TCP port seems to be different for each packet you examine. What type of traffic are you likely seeing in your logs. a. Smurf attack b. Port scan c. Ping sweep d. DNS transfer

b. Port scan

Your organization has experienced a widescale, network-based compromise and customer records have been stolen. You've been asked to assemble an incident response team at your organization. Which of the following individuals are you least likely to put on your response team? a. Rajesh from Public Relations b. Tina from Human Resources c. Carl from Network Operations d. Jose from Legal

b. Tina from Human Resources

Your organization has just recovered from a large system failure and the members of the incident response team are about to go back to their normal duties. What should you do with the entire group before the response team is officially disbanded? a. Format any drives used during the response process b. document any lessons learned during the recovery process c. Review the organizations continuity of operations plan d. Head out to happy hour

b. document any lessons learned during the recovery process

You suspect a users workstation is infected with malware and are about to begin an investigation. If you want to reduce the likelihood that this workstation will infect other systems on your network, but you still want to preserve as much evidence as possible, which of the following should you do? a. Shut down the workstation b. remove the power cord from the workstation c. Remove the network cable from the workstation d. Remove all USB devices and peripherals from the system

c. Remove the network cable from the workstation

Your organization experienced a physical break in that was captured by a security camera system. When handling the drive containing the video of the break-in over to the police, you're asked to fill out a form that documents the description of the drive, serial number, condition, and so on. Why would you be asked to fill out that kind of form? a. To ensure the drive is not a copy b. to verify the drive is functional c. to maintain a chain of custody for evidence d. to ensure you get the same drive back after the investigation is complete

c. to maintain a chain of custody for evidence

When collecting evidence for a computer forensics investigation, which of the following is last in the order of volatility? a. File System Information b. Memory Contents c. Swap Files d. Raw disk blocks

d. Raw disk blocks

Which of the following is not a commonly used file-hashing algorithm? a. MD5 b. SHA-1 c. SHA-2 d. TLS

d. TLS

Place the following elements in order of volatility from most to least volatile with respect to data during a forensic collection:

ARP cache, Network connections, memory (RAM), swap space, data stored on archival media/backups (USB sticks)

A web server in your DMZ is being overwhelmed with ICMP packets from a large number of source addresses. Which of the following might be an appropriate mitigation step? a. Turn off the web server b. Block all ICMP packets at the firewall c. Move the web service to a different port d. Reboot the web server

b. Block all ICMP packets at the firewall

In which of the following areas is evidence most likely to be lost if a compromised system is shut down before evidence collection is complete? a. Raw disk blocks b. Memory Contents c. File system information d. USB drives

b. Memory contents