computer forensics chapter 9 study guide

Which of the following strings in the Apache common log format represents "time" when the server receives the request in the format "[day/month/year:hour:minute:second zone]"?

%t

Identify the regular expression that is used to detect meta-characters in an SQL injection attack.

/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(%3B)|(;))/i

Jonas, a forensics professional, was tasked with investigating an application hosted on an Apache server running on an Ubuntu machine. As the first step of the investigation, Jonas navigated to the storage location of the log files to view all the access and error logs.Identify the storage location of the log files in Ubuntu where Jonas could find useful information for the investigation.

/etc/apache2/apache2.conf

Jaxton, a forensics expert, was analyzing the IIS logs in a Windows-based server that was compromised earlier. He initiated the investigation process by extracting the IIS log entries and monitored the "sc-status" field to identify how the attacker's request was fulfilled without error. Which of the following codes represents the "sc-status" in the IIS log entry?

200

1. The victim clicks the link and is redirected to the bank website.2. The attacker logs into the server using the victim's credentials with the same session ID.3. The attacker visits the bank website and logs in using their credentials.4. The attacker sends an email to the victim that contains a link with a fixed session ID.5. The web server sets a session ID on the attacker's machine.6. The victim logs in to the server using their credentials and fixed session ID.

3 -> 5 -> 4 -> 1 -> 6 -> 2

Given below is an example of an Apache access log entry in the common log format:"10.10.10.10 - Jason [17/Aug/2019:00:12:34 +0300] "GET/images/content/bg_body_1.jpgHTTP/1.0" 500 1458"From the above log entry, identify the status code indicating that the response was successful.

500

Malcolm, a professional hacker, was attempting to intrude into an organization's network. In this process, he obtained the credentials of an employee using packet sniffers. Using the stolen credentials, Malcolm impersonated the employee to intrude into the organization's network. Identify the type of attack performed by Malcolm in the above scenario.

Authentication hijacking

Boney, a forensics officer, was tasked with investigating a Windows Server machine suspected of being used for malicious online activities. He initiated the investigation process by executing a built-in Windows tool that helped him analyze NetBIOS over TCP/IP activity.Identify the command used by Boney in the above scenario.

C:\> nbstat -S

Which of the following commands is used by security specialists to check for any unusual network services?

C:\> net start

Which of the following commands is used to find any unusual listening on TCP and UDP ports?

C:\> netstat -na

Which of the following commands is used by investigators to find scheduled and unscheduled tasks on localhost?

C:\> schtasks.exe

Which of the following time standards is used by the IIS server to record IIS logs, helping synchronize servers in multiple time zones?

Coordinated Universal Time (UTC)

In which of the following attacks does the attacker make an authenticated user perform certain tasks on the web application chosen by the attacker?

Cross-site request forgery

Reid, an attacker, targeted an online COVID survey website, where citizens provide their personal and health-related details. He took advantage of a vulnerability present in the web application and manipulated the communication between the users and the server to make changes to the application data.Identify the type of attack performed by Reid in the above scenario.

Parameter/form tampering

Identify the attack in which the attackers tamper with the URL, HTTP requests, headers, hidden fields, form fields, and query strings to bypass security implementations.

Unvalidated Input

Tanner, a professional hacker, sent a fake email to Killian describing new offers on his credit card. Killian, without verifying the legitimacy of the email, clicked on the malicious link in the email. As a result, a malicious script was executed on Killian's system, granting backdoor access to Tanner. Identify the type of attack performed by Tanner in the above scenario.

Unvalidated redirects and forwards

Which of the following fields in the IIS log entry indicates that the user wanted to download a file from a folder?

cs-uri-stem

In which of the following URLs did attackers double-encode the input to perform an SQL injection attack?

http://www.bank.com/accounts.php?id=1%252f%252a/union%252f%252a/select%252f%252a/ 1,2,3%252f%252a/from%252f%252a/users—

Which of the following elements of Apache core handles server startups and timeouts?

http_main

Which of the following elements of Apache core is responsible for managing the routines and interacts with the client and handles all the data exchange and socket connections between the client and the server?

http_protocol