NETWORK FORENSICS 7-12

In nmap, what type of scan does the -sT command perform?

A connect scan

In nmap, what type of scan does the command -sS perform?

A half-scan

The term Diffie-Hellman is known to achieve?

A key exchange protocol

What is the Caeser cipher?

A letter substitution process

Which of the following is a type of symmetric encryption algorithm?

AES

Restoring encrypted information to the original message, commonly called plaintext, is?

Decryption

The tools Nessus, is used for?

Determine system vulnerabilities

What is the objective of using SSLScan?

Determines cipher suites supported in SLL or TLS

When conducting normal frequency distribution of letters, which letter is more often encountered?

E

All the sentences present correct information about SIEM, EXCEPT:

Each SIEM will generate rules in different ways, but always with same complexity level.

Syslog was configured with a level 1 trap. Which types of logs would be generated?

Emergencies

Syslog defines a priority as being the facility code multiplied by 8 then adding the severity code. In that case, which Severity would automatically give you a priority of 0?

Emergency

Why does the nmap -sS require sudo before the command?

So it can use raw sockets

Which technology allows syslog messages to be filtered to different devices based on event importance?

Syslog severity levels

Which of the options below are primary categories of Windows logs? (Select all the correct alternatives)

System / Application / Security

Which sentence is false about Windows Event Logs?

The Windows Event Log has been around since Windows NT was released in 1991

The Onion Router (TOR) provides access to what system?

The dark web

Which option represents a correct correlation between Severity, Keyword and Description

Warning - warning - May indicate that an error will occur if action is not taken

Which sentence is FALSE?

When it comes to monitoring IDS alerts, no additional infrastructure is necessary.

What information is obtained from using fping -g 192.168.86.0/24?

Which systems are alive

What does cloud computing means?

a computing service is being provided somewhere in a network

Snort rules

can be used across multiple packages, which makes learning how to read and create the rules useful, even if you aren't using Snort itself

There are other ways to look at the Event Logs on Windows. One method is to use

powershell

To perform banner grabbing, which tools would you use?

telnet

About time synchronization, select the correct affirmatives:

- Each system within a network would be configured to synchronize with a local time source. - Linux, systems would commonly use one of the pool servers maintained by ntp.org to synchronize. - Operating systems like Windows and Mac OS X are configured by default to synchronize with a time server maintained by Microsoft and Apple, respectively.

Nmap can determine the operating system of its target, what option would perform this action?

- O

Why does NTP transmits and receives over UDP? (Select all the correct options)

-Because speed is the most important factor. -Because in that case you want to receive the messages from the NTP server with the shortest delay absolutely possible. - Because in the case of a time synchronization message, it is less important that it get there guaranteed.

As Syslog defines a priority as being the facility code multiplied by 8 then adding the severity code, what is the priority of a local7 debug message?

191

Convert the hexadecimal number 2C to decimal:

44

What does the following command accomplish, nmap -sn 192.168.86.0/24?

A ping sweep

About firewall logs it is WRONG to say:

All firewalls will automatically log dropped messages, but they can often be directed to log drops.

Firewall logs are another important tool when it comes to looking into network incidents. What is possible to see in the log entries below?

All of the above

A Host-based IDS:

All the above

When synchronizing time across systems regardless the time zone they are located in, it is correct to say:

All the above

A type of Infrastructure as a Service is?

AmazonEc2

Certificates are normal used in which type of encryption?

Asymmetric

Which affirmative is wrong about OSSEC?

Besides the evidence that can be provided by the network traffic, OSSEC cannot provide any additional evidence of what is happening on the local system.

Which of the following is NOT a characteristic of an intrusion detection system?

Blocks attacks

About Bro is wrong to say:

Bro doesn't provide a lot of flexibility, as compared to an IDS like Snort, that provides a large number of actions that can be triggered.

Windows uses the ____________ to store log information.

Event Log

Where syslog runs on Unix-like systems as the de facto logging system, on Windows systems, you can count on the Event Logs and being able to view them using the:

Event Viewer

The term port knocking refers to?

Externally opening ports

When conducting ports scanning, what is the main objective?

Find open ports

Suricata

Had the advantage of being multithreaded where Snort was single-threaded, when it was developed.

The search engine Ahmia searches for?

Hidden services on the Tor Network

In the Syslog severity Levels, the _______ severities have ______ numbers. The most severe log entry will have a severity level of ___

Higher, higher, 10

Tripwire is a ____________ IDS and was long focused on identifying file changes.

Host-Based

Nxlog is a tool owned by:

IBM

About Logging, which sentences are true? I.From a networking perspective analyzing only the operating system and application logsismore than enough to investigate network incidents. II.While logging systems often store the log data on the device where it is generated, largerenterprises may be more likely to store their logs on centralized logging systems. III.Any device that interacts with users in some way or is exposed to a larger network has thepotential to be compromised IV.An attacker couldn't manipulate the log files even if he gains the necessary access, whichmay include administrative privileges

II and III

Which one is not a problem of the Heuristic detection system?

It requires multiple rules which may increase over time, increasing the processing needs.

Syslog defines a priority as being the facility code multiplied by 8 then adding the severity code. In that case, which Facility would automatically give you a priority of 0?

Kernel

In the Common Log format, all the options are present except:

MAC address

The scanner OpenVas is more closely related to which other scanner?

Nessus

_______________ is a protocol that was developed by_____________ as a way of providing data that could be used to troubleshoot a network.

NetFlow / Cisco Systems

A tool very similar to Nessus is?

Nexpose

Which of these tools are commonly used to perform Log Management? (Select all the correct options) (Select all)

Nxlog / Splunk / Windows Event Viewer / Syslog

About NetFlow, the false sentence is:

Once you have devices generating NetFlow data, you need a system in place to handle the collection. This system is called a NetFlow Compiler

How can keys are required for a symmetric encryption?

One

About packages timing and capture, all the options are correct, EXCEPT:

Packet captures always include their own per-frame times.

Which tool is capable of doing analysis on potential malware samples?

PacketTotal

When using Wireshark, which file format is used to store timestamps for all frames in Epoch time?

Pcap

Wireshark is a tool that can be used to the following purposes, EXCEPT:

Perform log aggregation and management

Select the correct sentences about the tool known as Plaso.

Plaso is a collection of software that provides the ability to ingest several data types. log2timeline is a Plaso's component, which does the work of taking the input, performing any parsing, and filtering then outputting a storage file useful to other tools.

What are hypervisors?

Power system that allow for system virtualization

By default, the Snort source doesn't come with rules. Because rules are regularly being contributed, these additional signatures need to be downloaded. This means that new rules need to be pulled, and Snort doesn't come with the ability to do that without help. Which program can you use to regularly download the new sets of rules that are available?

Pulledpork

What does this command accomplish, sudo nmap --script=ssh-hostkey.nse 192.168.86.111 ?

Runs scripts against target

The _________ will leave behind an audit event indicating that the log had been cleared. The same is true of the __________. In fact, the ________ will also generate an event saying that the _________ has been cleared, if the it was to be cleared.

Security / System / System / Application

What does SIEM stands for?

Security Information and Event Management

The term tunneling is open used to?

Send data encrypted over port 80

The logs from Antivirus programs

Should be able to indicate not only if and when a file has been isolated as potentially problematic

Using the approach of identifying bad events and determining what they look like is called

Signature-based detection

_______ intrusion detection systems rely on someone to identify a pattern in the malicious ________.

Signature-based, network traffic

A stateful firewall adds another layer of complexity. In addition to the simple port, protocol, and address rules, you can also determine whether to allow traffic based on its state.

Stateful firewall

Storage as a Service is typically available to?

Store data in the cloud

Which option presents the correct relationship in NTP's hierarchy to determine the reliability of time?

Stratum 0 - atomic clock or a global positioning system (GPS) - accurate to milliseconds

____________ is an old ____________ logging system. It was initially developed as part of the mail server Sendmail.

Syslog / Unix-based

Which program would know exactly what time the frame arrived while performing a packet capture?

Tcpdump

About NIDS is correct to say:

The NIDS would be limited to looking at the headers through the transport layer, which cannot be encrypted.

When you Clear Event Logs it is correct to say:

The Security log will leave behind an audit event indicating that the log had been cleared.

Which sentences are true about Router and Switch Logs?

The logs will indicate who has accessed the administrative interfaces for these devices

Which sentence is false about Syslog?

The original syslog is the only implementation existing and functions remains the same even after updates.

Select the correct sentence about proxy and its logs

The web proxy takes in requests from the user, then re-originates those requests as though it were doing the requesting for itself.

About Signature-based intrusion detection systems, which sentence is FALSE?

These systems enable identifying and preventing a crime before it happens for the first time.

In nmap, the -sU command consucts what type of scan?

UDP

About heuristic detection systems it is wrong to say:

Unlike signature-based systems, there is total control over what gets detected

About Windows logs, it is WRONG to say:

Windows doesn't enable other applications to generate log data even if that data doesn't have any impact on the operating system

Based on the Sample syslog configuration file below, which sentence is false?

You can't use one log setup for centralized logging

About Security Information and Event Management (SIEM):

all of the above

What is the HeartBleed bug?

the potential to take an encrypted communication stream and offer a way to decrypt it