ITC 765 Quiz Questions Chapter 9-16
The linux ____ file is where the boot-up process and operation are set. It contains entries such as label, run_level, process, and boot
/etc/inittab
Which law includes the following text? "Whoever knowingly uses a misleading domain name on the Internet with the intent to deceive a person into viewing something constituting obscenity shall be fined under this title or imprisoned not more than 2 years or both."
18 U. S. C. 2252B
SSH port?
22
A(n) _______ is an email server that strips identifying information from an email message before forwarding it with the third-party mailing computer's IP address
Anonymizer
The process of sending an email message to an anonymizer is the definition of
Anonymous remailing
In linux, as with Windows the ______ is the first sector on any disk
Boot sector
Linux is often used on embedded systems, such as smartphones and medical equipment. In such cases, when the system is first powered on, loading the ____ is the firm step
Bootstrap environment
Linux is often used on embedded systems, such as smartphones and medical equipment. In such cases, when the system is first powered on, loading the _______ is the first step
Bootstrap environment
Devaki teaches a mobile device forensics course. During a class discussion about mobile devices, she asks her students to identify a type of evidence that typically provides indirect, rather than direct, evidence of a crime, except in the case of cyberstalking crimes. In a cyberstalking case, the evidence may show a pattern of contact with the victim. What type of evidence is Devaki referring to?
Call history
There are four layers to iOS, the operating system used by the iPhone, iPod, and iPad. The _______ layer responds to gestures, such as swipe drag pinch and tap
Cocoa Touch
The CAN-SPAM Act applies only to _____ emails.
Commercial
There are four layers to iOS, the operating system used by iPhones, iPod, and iPad. The _______ layer is how applications interact with iOS.
Core services
The Linux ____ shell command makes a physical image of what is live in memory
Dd
Someone has attempted to gain unauthorized access to data files in Robert's machine. He would like to investigate if any forensic evidence has been left behind. Of the following, where should Robert start his search.
Event Viewer Security log
In Windows, file permissions never change when moving a file
False
In modern versions of Windows, you can view event logs in File Explorer
False
The Windows Security log contains events logged by Windows system components
False
True or False? In a ping flood attack, the attacker sends fragments of packets with bad values in them, which causes the target system to crash when it tries to reassemble fragments
False
True or False? In a ping flood attack, the attacker sends fragments of packets with bad values in them, which causes the target system to crash when it tries to reassemble the fragments
False
True or False? The secure version of Internet Message Access Protocol operates on port 110
False
True or False? Wireshake is a type of router forensic tool
False
True or false? The Windows ShellBag tracks compatibility issues with executed programs
False
True or false? The Windows security log contains event logged by windows system components
False
True or false? The fundamental building block of random access memory is the memory stack
False
True or flase? In Linux, Bash is a type of graphical user interface
False
Which linux shell command lists various partitions
Fdisk
The Windows Registry is organized into five sections. The ______ section is critical to forensic investigations. It has profiles for all the users, including their settings
HKEY_USERS (HKU)
A hacker installed an application on a computer to recover deleted files, and then uninstalled the application to hide her tracks. Where would a forensic examiner most likely find evidence that the application was once installed?
HKLM\ SOFTWARE
_______ is a Windows file that is an interface for the hardware
Hal.dll
Packets are divided into three sections:
Header, payload, and cluster
A(n) ______ monitors network traffic, looking for suspicious activity
IDS
What is one advantage to the IMAP email protocol has over the POP3 email protocol
IMAP allows the client to download only the email headers, so that the user can choose which messages are to be downloaded completely
A(n) _____ is a unique serial number that identifies each mobile device's subscriber identity module engraved on the SIM during manufacturing
Integrated circuit card identfier
In Mobile devices, the subscriber identity module (SIM) is a memory chip that stores the
International Mobile Subscriber Identity (IMSI)
In mobile devices the subscriber identity module (SIM) is a memory chip that stores the
International Mobile Subscriber Identity (IMSI)
______ is the Windows program that handles security and logon policies
Lsass.exe
_______ is the Windows program that handles security and login policies
Lsass.exe
What is the definition of "stack(S)"?
Memory that is allocated based on the last-in, first-out principle
File with .pst extension belong to which email client?
Microsoft outlook
Files with .pst extensions belongs to which email client
Microsoft outlook
The national institute of Standards and technology lists four different states a mobile device can be in when you extract data. Devices are in the _____ state when received from the manufacturer
Nascent
Data that is sent across a network is divided into chunks called:
Packets
The 802.11 (Wi-Fi) and Ethernet protocols run at which layer of the Open Systems Interconnection (OSI) model?
Physical
Which of the following is not true of paging and computer memory
Physical memory is always contiguous
A port is a number that identifies a channel in which communication can occur. Which port is used by the Internet Message Access Protocol (IMAP) email service.
Port 220
For many years, _____ was the only protocol used to retrieve email
Post Office Protocol version 3
Carl is a forensic specialist. He has extracted volatile memory from a computer to a memory dump file. Now he needs to analyze it using the volatility tool. Which command is the best one to begin with, which will give him a simple overview of processes that were in memory
Pslist
Volatility is a tool used for analyzing computer memory dump files. Which volatility command displays memory dump processes in a hierarchical form, making it clear what process started a particular process
Pstree
What is the Windows swap file used to augment
Random Access Memory (RAM)
One form of _____ encrypts sensitive files, communicates with a command-and-control server, and takes a screenshot of the infected machine
Ransomware
What email header field includes tracking info generated by mail servers that have previously handled a message, in reverse order
Received
Which linux shell command deletes or removes a file
Rm
All of the following are true of Android and rooting, except:
Rooting an Android phone today is much easier than in the past
All of the following are true of Android and rooting except:
Rooting an android phone today is much easier that in the past
Hajar is a forensic examiner. She suspects that hackers have infiltrated a network through a Cisco router, so she wants to perform forensics on the router. She uses the HyperTerminal tool to connect to the router safely, which is live and running, Which command should she enter to display the routing table?
Show ip route
All of the following are true of Internet Protocol (IP) addresses, except:
Subnetting is the process of redistributing a network into larger portions
What is a Microsoft Windwos process that hosts, or contains, other individual services that Windows uses to perform various functions? For example, Windows Defender uses a service that is hosted by this process
Svchost.exe
Because a ______ operates based on the MAC address in a packet and that is not routable; it cannot send data to ______ or across a WAN
Switch, The internet
What is the repository of all information on a Windows system?
The Windows registry
What is a wiretapping law passed in 1994 that allows law enforcement to lawfully conduct electronic surveillance
The communication assistance to law enforcement act
In a Linux directory, what circumstance must occur for a file to be deleted
The inode link count must reach zero
In a linux directory, what circumstance must occur for a file to be deleted
The inode link count must reach zero
There are two boot loaders in Linux. Which boot loader or portion of a boot loader displays the splash screen when loaded into random access memory
The second-stage boot loader
You are a linux forensic investigator. You suspect that one of the hard disks in a server has been compromised by a malicious actor. You attempt to use some common forensic methods during your examination but are not successful. You consider the fsck command but hesitate, why?
The use of a file system utility could erase some data and lose evidence
Which layer of the Open Systems Interconnection (OSI) model provides end-to-end communication control
Transport (Layer 4)
A virtual machine is a software program that appears to be a physical computer and executes programs as if it were a physical computer
True
Regarding the Windows boot process, the term power-on self test (POST) refers to a brief hardware test that the basic input/output system (BIOS) performs upon boot-up.
True
The passphrase needed to connect to a Wi-Fi network on a Windows computer is stored in the Windows Registry
True
True or False? 192.168.0.0 to 192.168.255.255 is a private Internet Protocol (IP) address range
True
True or False? Dumpit and FTKImager are tools used to capture computer memory from a live machine
True
True or False? In a decoy scan strategy, an attacker spoofs scans that originate from a large number of decoy machines and adds his or her internet protocol (IP) address somewhere in the mix
True
True or False? In windows, the system resource Usage monitor database collects data on executables
True
True or False? Information in a computer's volatile memory must first be "dumped" or captured before that memory dump can be analyzed
True
True or False? Microsoft Exchange is an email server program
True
True or False? Open-source software means that the source code is available for anyone who wants to modify, repackage, and distribute it
True
True or False? Routers maintain a routing table to keep track of routes or which connections are to be used for different networks
True
True or False? Some malware on Windows computer can modify the Windows Registry
True
True or False? The Linux ps command shows the currently running processes for the current user.
True
True or False? The linux ext4 file system can support single files up to 16 TBs in size
True
True or False? The software program used to compose and read email messages is the email client
True
True or False? When analyzing a volatile memory dump, a process with a parent process ID that is not listed should be considered suspicious.
True
True or false? In Windows 10, the recycle bin is located in a hidden directory
True
True or false? In Windows, the System Resource Usage Monitor (SRUM) database collects data on executables
True
Userdump is a command-line tool for dumping basic user information from Windows-based systems
True
When dumping memory on a Windows computer, the forensic examiner may have to work with two types of memory heap and stack
True
Maria is a forensic specialist. She is examining an Android mobile device for evidence of a crime. In which of the following partitions is Maria most likely to find forensically important data
User data partition
A ______ is a software program that appears to be a physical computer and executes programs as if it were a physical computer
Virtual machine
Carl is beginning a digital forensic investigation. He has been sent into the field to collect a machine. When he arrives he sees that the computer is running and has applications. He decides to preserve as much data as possible by capturing data in memory. What should Carl perform?
Volatile memory analysis
Most mobile devices are able to connect to _____ networks which have become the norm and are found freely available in restaurants, coffee shops, hotels, homes and many other locations.
Wi-Fi
A _______ is essentially a computer virus that self-propogates
Worm
Stanley is a linux administrator. He wants to copy a directory from one part of the system to another. He is going to issue the command in a shell. He wants the contents of the directory copied as well as the directory itself. What command must stanley use?
cp -R
_________ is the Windows program that handles security and logon policies
lsass.exe
Which linux shell command lists all currently running processes (programs or daemons) that the user has started?
ps
If you type the _______ command at the Linux shell, you are asked for the root password, if you successfully supply it, you will then have root privileges
su
If you type the _______ command at the linux shell, you are asked for the root password. If you successfully supply it, you will then have root privileges
su
