Network Forensics I Final Exam Review
Select the number which represents the bit value for the "source port" and "destination port" fields in the TCP header. Options: 8; 32; 16; 24; all of the above; none of the above
16
Internet Protocol (IP) operates at Layer ______ of the OSI model, which is called the ______ layer.
3; Network
Which of the following are designed to log successful and/or failed login attempts? Options: DHCP Servers; Authentication Servers; Name Servers; all of the above; none of the above
Authentication Servers
Which of the following are designed to help security professionals identify and respond to network security incidents? Options: Central Log Servers; Application Servers; Web Proxies; all of the above; none of the above
Central Log Servers
The ____ is often used with IP to provide feedback about problems in the communication environment. Options: TCP; UDP; ICMP; all of the above; none of the above
ICMP
Which of the Real-World Cases involved leveraging wireless access point logs to pinpoint a time and location? Options: Network; Server; Desktop; Laptop
Laptop
Which of the following may contain logs that reveal connection attempts from internal to external systems? Options: DHCP Servers; Authentication Servers; Name Servers; all of the above; none of the above
Name Servers
Which of the following is referred to as a TCP segment? Options: Demultiplexing, TCP header; Encapsulation, IP header; Demultiplexing, IP header; TCP header, encapsulated payload; all of the above; none of the above
TCP header, encapsulated payload
Network forensic investigators can tap into physical cabling to copy and preserve network traffic as it is transmitted across the line. Options: True; False
True
The Real-World Case involving the government server was based on an alert of suspicious files. Options: True; False
True
Which of the following can be described as the most rudimentary network-based intrusion detection system and the most widely deployed? Options: Wire; Air; Switches; Routers; all of the above; none of the above
Routers
Which of the following are examples of network-based digital evidence? Options: /var/log/messages; browser activity; IM sessions; emails; all of the above; all of the above except /var/log/messages; none of the above
all of the above
According to the author, we define evidence in the _____ sense as any _____ and _____ event or artifact of an event, that can be used to establish a _____ understanding of the cause and nature of an observed occurrence. Options: restricted, observable, recordable, true; broadest, observable, recordable, true; largest, observable, recordable, perfect; broadest, plain, recordable, true
broadest, observable, recordable, true
Which of the following is evidence that does not directly support a specific conclusion? Options: best evidence; real evidence; circumstantial evidence; hearsay
circumstantial evidence
Which of the following represents the Internet Protocol (IP)? Options: connectionless protocol; operates at layer 2; has a method for indicating the initiation of a conversation; has a method for indicating the closing of a conversation; all of the above; none of the above
connectionless protocol
Which of the following is a label given to testimony by someone who was not a direct witness? Options: best evidence; real evidence; circumstantial evidence; hearsay
hearsay
Refer to the illustration above and select the layer which represents a frame. Options: layer 1; layer 3; layer 4; layer 7; layer 2
layer 2
Refer to the illustration above and select the layer which represents a source media access control address. Options: layer 3 (left side); layer 1 (right side); layer 1 (left side); layer 2 (right side); layer 2 (left side); layer 3 (right side)
layer 2 (left side)
Refer to the illustration above and select the layer which represents a segment. Options: layer 1; layer 3; layer 4; layer 7; layer 2
layer 4
Refer to the illustration above and select the layer which represents the UDP protocol. Options: layer 1; layer 3; layer 4; layer 7; layer 2
layer 4
Refer to the illustration above and select the layer which represents the DNS protocol. Options: layer 1; layer 3; layer 4; layer 7; layer 2
layer 7
Match the tcpdump command-line options: listen on interface; do not resolve addresses to names; read packets from a pcap file; write packets to a pcap file. Options: -i; -n; -r; -w
listen on interface: -i; do not resolve addresses to names: -n; read packets from a pcap file: -r; write packets to a pcap file: -w
Which of the following requirements for admissibility is murky when the source of the evidence is not obtainable or cannot be identified? Options: direct records; digital evidence; network-based digital evidence; real evidence
network-based digital evidence
The length of the IP packet is specified in: Options: the footer; the source address; the destination address; all of the above; none of the above
none of the above
Write the complete command using "tcpdump" to read the file mypcapfile.pcap, and display the output in three (3) separate columns to show offsets, hexadecimal details, and ASCII details.
tcpdump -nn -AX -r mypcapfile.pcap
Write the complete command for using "tshark" to read the file mypcapfile.pcap
tshark -r mypcapfile.pcap
Write the complete command for using "tshark" to read the file mypcapfile.pcap and print the fields for frame number (frame.number) and IP address (ip.addr).
tshark -r mypcapfile.pcap -T fields -e frame.number -e ip.addr
Write the complete command using "tshark" to read the file mypcapfile.pcap, and include a display filter to show only the IP address (ip.addr) equal to 192.168.1.15.
tshark -r mypcapfile.pcap -f "ip.addr == 192.168.1.15"
Which of the following stores mappings between physical ports and each network interface card's media access control address? Options: Wire; Air; Switches; Routers; all of the above; none of the above
Switches
TCP is a connectionless-oriented protocol. Options: True; False
False
The IP Protocol includes mechanisms to augment end-to-end data reliability. Options: True; False
False
The IPv6 protocol was developed with 127 bits for each of the source and destination addresses. Options: True; False
False
The Internet Protocol (IP) is designed to ensure reliability of transmission. Options: True; False
False
The Internet Protocol (IP) version 4 uses a 32-byte address space to identify the source and destination systems. Options: True; False
False
The Real-World Case involving the laptop was based on an alert from a centrally managed intrusion detection system. Options: True; False
False
The TCP protocol indicates the state of transmissions using fields in the TCP header. Options: True; False
False
The UDP datagram consists of the IP header and the payload. Options: True; False
False
The possible values for TCP ports range from 0 to 69,535. Options: True; False
False
According to the author, network-based evidence is often highly volatile and must be collected "only" through passive means that inherently modify the system. Options: True; False
False
Cabling which consists of fiber-optic lines is made of very thin strands of copper. Options: True; False
False
Which of the following is NOT a key characteristic of the Internet Protocol (IP)? Options: Support for addressing and routing; Connectionless; Header plus payload is called a segment; Unreliable; Includes a header; none of the above
Header plus payload is called a segment
Which of the Real-World Cases involved a routine antivirus scan alerting the system administrator of suspicious files? Options: Network; Server; Desktop; Laptop
Server
Which of the following can store the web surfing logs for an entire organization? Options: Central Log Servers; Application Servers; Web Proxies; all of the above; none of the above
Web Proxies
Match the SMTP terms with the correct descriptions: ____ MX; ____ MSA; ____ MTA; ____ MUA; ____ MDA. Descriptions: 1. the end-user's mail client; 2. handles local mail submission; 3. transfers mail between mail servers; 4. accepts incoming messages for a domain; 5. handles local mail delivery
__4__ MX; __2__ MSA; __3__ MTA; __1__ MUA; __5__ MDA