Exam 2 (M05-M08) quiz questions
Which mode intercepts all packets flowing across the network? a. transactional b. promiscuous c. open-source d. universal
b. promiscuous
One of HIPAA's three tenets focuses on ________. a. RICO b. the EDI c. the ECPA d. NISAC
b. the EDI
Which action is part of the security measure implementation stage of incident response? a. Create network logs b. Make forensic duplicate c. Isolate and contain d. Harden the system
c. Isolate and contain
Which tool is focused towards maintaining the chain of evidence and the integrity of tools? a. NetCat b. SnapBack c. MD5 Summer d. REGMON
c. MD5 Summer
What term refers to the original media that needs to be investigated? a. target media b. restored media c. evidence media d. offline media
c. evidence media
Which answer below describes what I am doing in the incident response process: -What specifically happened? -What was the entry point? -What local computers/networks were affected? -What remote computers/networks were affected? a. personnel interviews b. on scene response c. initial evaluation d. incident reporting
c. initial evaluation
What might I be doing if these actions are being performed? • Checking critical files for the appropriate file protection and permissions • Checking for changes to the /etc/hosts.equiv file • Checking for changes in user startup files • Checking for hidden or unowned files and directories a. initial response b. initial assessment c. system restoration d. preparing for intrusion detection
c. system restoration
The Electronic Communications Privacy Act (ECPA) stipulates that private providers cannot share information. True False
False
When monitoring a network, it is best to capture the network traffic as far away from the source host as possible. True False
False
Which organization focuses on matching hardware types to MAC addresses? a. cavebear b. proxys4all c. attrition d. wotsit
a. cavebear
When preparing systems for incident response, record cryptographic _________ of critical files. a. checksums b. messages c. images d. logs
a. checksums
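The checksum question above and the file-integrity checks listed earlier (critical file permissions, /etc/hosts.equiv, user startup files) describe the same preparation step: record a baseline before an incident so that changes can be proven afterwards. The following is an added example, not part of the quiz or any named tool, that records SHA-256 checksums and permission bits for a list of files and later reports what changed. The files, their contents and the "intrusion" are constructed in a temporary directory; a real baseline would cover system files and be stored where an intruder cannot modify it.

```python
"""Added example: baseline critical files (hash + permission bits), then verify.
The directory, file names and tampering below are constructed for the demo."""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(paths):
    """Return {path: {"sha256": hex or None, "mode": permission bits}}."""
    baseline = {}
    for p in paths:
        st = os.lstat(p)
        baseline[p] = {
            "sha256": hash_file(p) if stat.S_ISREG(st.st_mode) else None,
            "mode": stat.S_IMODE(st.st_mode),  # permission bits only, not file type
        }
    return baseline


def verify_baseline(baseline):
    """Compare current state with the baseline; return (path, finding) pairs."""
    findings = []
    for p, expected in baseline.items():
        if not os.path.lexists(p):
            findings.append((p, "missing"))
            continue
        mode = stat.S_IMODE(os.lstat(p).st_mode)
        if mode != expected["mode"]:
            findings.append((p, f"mode changed {expected['mode']:o} -> {mode:o}"))
        if expected["sha256"] is not None and hash_file(p) != expected["sha256"]:
            findings.append((p, "content changed"))
    return findings


def demo():
    """Constructed scenario: baseline two files, check, tamper, check again."""
    d = tempfile.mkdtemp()
    hosts_equiv = os.path.join(d, "hosts.equiv")
    profile = os.path.join(d, ".profile")
    with open(hosts_equiv, "w") as f:
        f.write("trusted-host\n")
    with open(profile, "w") as f:
        f.write("umask 022\n")
    os.chmod(hosts_equiv, 0o644)
    os.chmod(profile, 0o644)

    baseline = record_baseline([hosts_equiv, profile])
    # The baseline would normally be written to read-only or offline storage;
    # here it round-trips through JSON to show it survives serialisation.
    stored = json.dumps(baseline)
    before = verify_baseline(json.loads(stored))

    # Simulated intrusion: add a wildcard trust entry and make .profile world-writable.
    with open(hosts_equiv, "a") as f:
        f.write("+ +\n")
    os.chmod(profile, 0o666)
    after = verify_baseline(json.loads(stored))
    return {"before": before, "after": after}


if __name__ == "__main__":
    for path, finding in demo()["after"]:
        print(f"{path}: {finding}")
```

Checksums alone do not catch a permission change that leaves content intact, which is why the baseline records the mode bits as well; the demo's second finding is exactly that case.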
Transactional information consists only of ________. a. header information b. data packets c. encrypted data d. traffic protocols
a. header information
The first responder to an incident scene should focus on __________. a. record b. contain c. back up d. test
a. record
Which answer best pertains to the characteristics below? • Failure to playback • Failure to monitor • Failure to trace • Failure to detect a. pitfalls made during initial evaluation b. Common mistakes made in the network forensics process c. four things the Host IDS could experience during incident response d. four key steps during formulating an incident response strategy
b. Common mistakes made in the network forensics process
What is the prime directive of incident investigation? a. Log everything b. Do no harm c. Turn it in d. Work alone
b. Do no harm
Which act is particularly relevant to "sniffing"? a. Gramm-Leach-Bliley Act b. Wiretap Act, 18 U.S.C. sect 2511 c. Health Information Protection and Accountability Act of 2002 d. Computer Fraud and Abuse Act of 1986
b. Wiretap Act, 18 U.S.C. sect 2511
What LKM rootkit method remaps system utility calls? a. remote execution b. execute redirection c. real-time process hiding d. promiscuous mode hiding
b. execute redirection
A current trend in law enforcement is to show greater sensitivity to the victim's needs. True False
True
Completing a response checklist is one of the first steps in incident response. True False
True
If a machine is powered down, volatile data will be lost. True False
True
The Gramm-Leach-Bliley Act ________. a. oversees the government's incident responder policy framework b. recommends, but does not require, financial institutions to implement security policies c. regulates law enforcement's ability to conduct computer investigations d. requires financial institutions to allow consumers to "opt out"
d. requires financial institutions to allow consumers to "opt out"
Which forensics tool best fits the bulleted description below? • It creates a channel of communication between hosts • It creates a reliable TCP connection between the target system and the forensic workstation • It has a variant that provides for encryption a. CYGWIN b. Process Explorer c. The Coroners Toolkit d. Netcat e. none of the above
d. Netcat
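The Netcat question above and the earlier MD5 Summer question (chain of evidence and tool integrity) are two halves of one workflow: the evidence stream is sent from the target to the forensic workstation over a plain TCP channel, and a hash computed on both ends proves the copy matches. With Netcat this is a listener on the workstation (nc -l -p PORT > image.dd) and a pipe from the imaging tool on the target (dd ... | nc WORKSTATION PORT), with the hashes taken separately by a tool such as md5sum. The following is an added example, not Netcat's own code and not from the quiz, that reproduces that exchange with Python sockets on the loopback interface so it runs offline; the "disk image" is a constructed byte string, and SHA-256 stands in for MD5.

```python
"""Added example: Netcat-style evidence transfer over TCP with end-to-end hashing.
Both sides run in one process on 127.0.0.1; the image bytes are constructed."""
import hashlib
import io
import socket
import threading


def receive_image(listener: socket.socket, out) -> str:
    """Workstation side: accept one connection, write the stream, return its SHA-256."""
    conn, _ = listener.accept()
    h = hashlib.sha256()
    with conn:
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # peer closed: end of image
                break
            out.write(chunk)
            h.update(chunk)
    return h.hexdigest()


def send_image(host: str, port: int, source) -> str:
    """Target side: stream the evidence to the workstation, return SHA-256 of what was sent."""
    h = hashlib.sha256()
    with socket.create_connection((host, port)) as s:
        for chunk in iter(lambda: source.read(65536), b""):
            s.sendall(chunk)   # sendall retries until the whole chunk is on the wire
            h.update(chunk)
    return h.hexdigest()


def transfer(image: bytes):
    """Run both ends on loopback; return (sent_hash, received_hash, received_bytes)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS choose a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    received = io.BytesIO()
    result = {}
    rx = threading.Thread(target=lambda: result.update(rx=receive_image(listener, received)))
    rx.start()
    sent_hash = send_image("127.0.0.1", port, io.BytesIO(image))
    rx.join()
    listener.close()
    return sent_hash, result["rx"], received.getvalue()


if __name__ == "__main__":
    fake_image = bytes(range(256)) * 4096   # constructed 1 MiB stand-in for a disk image
    sent, got, data = transfer(fake_image)
    print("sent     ", sent)
    print("received ", got)
    print("match    ", sent == got and data == fake_image)
```

Record both hash values, who computed them and when; a matching pair is what lets the duplicate be presented as a faithful copy. The plain channel here gives integrity only against accidental corruption, not against an active attacker on the path, which is why the quiz notes an encrypting Netcat variant.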