ITC 765 Quiz Questions Chapter 9-16

The linux ____ file is where the boot-up process and operation are set. It contains entries such as label, run_level, process, and boot

/etc/inittab

Which law includes the following text? "Whoever knowingly uses a misleading domain name on the Internet with the intent to deceive a person into viewing something constituting obscenity shall be fined under this title or imprisoned not more than 2 years or both."

18 U. S. C. 2252B

SSH port?

22

A(n) _______ is an email server that strips identifying information from an email message before forwarding it with the third-party mailing computer's IP address

Anonymizer

The process of sending an email message to an anonymizer is the definition of

Anonymous remailing

In linux, as with Windows the ______ is the first sector on any disk

Boot sector

Linux is often used on embedded systems, such as smartphones and medical equipment. In such cases, when the system is first powered on, loading the ____ is the firm step

Bootstrap environment

Linux is often used on embedded systems, such as smartphones and medical equipment. In such cases, when the system is first powered on, loading the _______ is the first step

Bootstrap environment

Devaki teaches a mobile device forensics course. During a class discussion about mobile devices, she asks her students to identify a type of evidence that typically provides indirect, rather than direct, evidence of a crime, except in the case of cyberstalking crimes. In a cyberstalking case, the evidence may show a pattern of contact with the victim. What type of evidence is Devaki referring to?

Call history

There are four layers to iOS, the operating system used by the iPhone, iPod, and iPad. The _______ layer responds to gestures, such as swipe drag pinch and tap

Cocoa Touch

The CAN-SPAM Act applies only to _____ emails.

Commercial

There are four layers to iOS, the operating system used by iPhones, iPod, and iPad. The _______ layer is how applications interact with iOS.

Core services

The Linux ____ shell command makes a physical image of what is live in memory

Dd

Someone has attempted to gain unauthorized access to data files in Robert's machine. He would like to investigate if any forensic evidence has been left behind. Of the following, where should Robert start his search.

Event Viewer Security log

In Windows, file permissions never change when moving a file

False

In modern versions of Windows, you can view event logs in File Explorer

False

The Windows Security log contains events logged by Windows system components

False

True or False? In a ping flood attack, the attacker sends fragments of packets with bad values in them, which causes the target system to crash when it tries to reassemble fragments

False

True or False? In a ping flood attack, the attacker sends fragments of packets with bad values in them, which causes the target system to crash when it tries to reassemble the fragments

False

True or False? The secure version of Internet Message Access Protocol operates on port 110

False

True or False? Wireshake is a type of router forensic tool

False

True or false? The Windows ShellBag tracks compatibility issues with executed programs

False

True or false? The Windows security log contains event logged by windows system components

False

True or false? The fundamental building block of random access memory is the memory stack

False

True or flase? In Linux, Bash is a type of graphical user interface

False

Which linux shell command lists various partitions

Fdisk

The Windows Registry is organized into five sections. The ______ section is critical to forensic investigations. It has profiles for all the users, including their settings

HKEY_USERS (HKU)

A hacker installed an application on a computer to recover deleted files, and then uninstalled the application to hide her tracks. Where would a forensic examiner most likely find evidence that the application was once installed?

HKLM\ SOFTWARE

_______ is a Windows file that is an interface for the hardware

Hal.dll

Packets are divided into three sections:

Header, payload, and cluster

A(n) ______ monitors network traffic, looking for suspicious activity

IDS

What is one advantage to the IMAP email protocol has over the POP3 email protocol

IMAP allows the client to download only the email headers, so that the user can choose which messages are to be downloaded completely

A(n) _____ is a unique serial number that identifies each mobile device's subscriber identity module engraved on the SIM during manufacturing

Integrated circuit card identfier

In Mobile devices, the subscriber identity module (SIM) is a memory chip that stores the

International Mobile Subscriber Identity (IMSI)

In mobile devices the subscriber identity module (SIM) is a memory chip that stores the

International Mobile Subscriber Identity (IMSI)

______ is the Windows program that handles security and logon policies

Lsass.exe

_______ is the Windows program that handles security and login policies

Lsass.exe

What is the definition of "stack(S)"?

Memory that is allocated based on the last-in, first-out principle

File with .pst extension belong to which email client?

Microsoft outlook

Files with .pst extensions belongs to which email client

Microsoft outlook

The national institute of Standards and technology lists four different states a mobile device can be in when you extract data. Devices are in the _____ state when received from the manufacturer

Nascent

Data that is sent across a network is divided into chunks called:

Packets

The 802.11 (Wi-Fi) and Ethernet protocols run at which layer of the Open Systems Interconnection (OSI) model?

Physical

Which of the following is not true of paging and computer memory

Physical memory is always contiguous

A port is a number that identifies a channel in which communication can occur. Which port is used by the Internet Message Access Protocol (IMAP) email service.

Port 220

For many years, _____ was the only protocol used to retrieve email

Post Office Protocol version 3

Carl is a forensic specialist. He has extracted volatile memory from a computer to a memory dump file. Now he needs to analyze it using the volatility tool. Which command is the best one to begin with, which will give him a simple overview of processes that were in memory

Pslist

Volatility is a tool used for analyzing computer memory dump files. Which volatility command displays memory dump processes in a hierarchical form, making it clear what process started a particular process

Pstree

What is the Windows swap file used to augment

Random Access Memory (RAM)

One form of _____ encrypts sensitive files, communicates with a command-and-control server, and takes a screenshot of the infected machine

Ransomware

What email header field includes tracking info generated by mail servers that have previously handled a message, in reverse order

Received

Which linux shell command deletes or removes a file

Rm

All of the following are true of Android and rooting, except:

Rooting an Android phone today is much easier than in the past

All of the following are true of Android and rooting except:

Rooting an android phone today is much easier that in the past

Hajar is a forensic examiner. She suspects that hackers have infiltrated a network through a Cisco router, so she wants to perform forensics on the router. She uses the HyperTerminal tool to connect to the router safely, which is live and running, Which command should she enter to display the routing table?

Show ip route

All of the following are true of Internet Protocol (IP) addresses, except:

Subnetting is the process of redistributing a network into larger portions

What is a Microsoft Windwos process that hosts, or contains, other individual services that Windows uses to perform various functions? For example, Windows Defender uses a service that is hosted by this process

Svchost.exe

Because a ______ operates based on the MAC address in a packet and that is not routable; it cannot send data to ______ or across a WAN

Switch, The internet

What is the repository of all information on a Windows system?

The Windows registry

What is a wiretapping law passed in 1994 that allows law enforcement to lawfully conduct electronic surveillance

The communication assistance to law enforcement act

In a Linux directory, what circumstance must occur for a file to be deleted

The inode link count must reach zero

In a linux directory, what circumstance must occur for a file to be deleted

The inode link count must reach zero

There are two boot loaders in Linux. Which boot loader or portion of a boot loader displays the splash screen when loaded into random access memory

The second-stage boot loader

You are a linux forensic investigator. You suspect that one of the hard disks in a server has been compromised by a malicious actor. You attempt to use some common forensic methods during your examination but are not successful. You consider the fsck command but hesitate, why?

The use of a file system utility could erase some data and lose evidence

Which layer of the Open Systems Interconnection (OSI) model provides end-to-end communication control

Transport (Layer 4)

A virtual machine is a software program that appears to be a physical computer and executes programs as if it were a physical computer

True

Regarding the Windows boot process, the term power-on self test (POST) refers to a brief hardware test that the basic input/output system (BIOS) performs upon boot-up.

True

The passphrase needed to connect to a Wi-Fi network on a Windows computer is stored in the Windows Registry

True

True or False? 192.168.0.0 to 192.168.255.255 is a private Internet Protocol (IP) address range

True

True or False? Dumpit and FTKImager are tools used to capture computer memory from a live machine

True

True or False? In a decoy scan strategy, an attacker spoofs scans that originate from a large number of decoy machines and adds his or her internet protocol (IP) address somewhere in the mix

True

True or False? In windows, the system resource Usage monitor database collects data on executables

True

True or False? Information in a computer's volatile memory must first be "dumped" or captured before that memory dump can be analyzed

True

True or False? Microsoft Exchange is an email server program

True

True or False? Open-source software means that the source code is available for anyone who wants to modify, repackage, and distribute it

True

True or False? Routers maintain a routing table to keep track of routes or which connections are to be used for different networks

True

True or False? Some malware on Windows computer can modify the Windows Registry

True

True or False? The Linux ps command shows the currently running processes for the current user.

True

True or False? The linux ext4 file system can support single files up to 16 TBs in size

True

True or False? The software program used to compose and read email messages is the email client

True

True or False? When analyzing a volatile memory dump, a process with a parent process ID that is not listed should be considered suspicious.

True

True or false? In Windows 10, the recycle bin is located in a hidden directory

True

True or false? In Windows, the System Resource Usage Monitor (SRUM) database collects data on executables

True

Userdump is a command-line tool for dumping basic user information from Windows-based systems

True

When dumping memory on a Windows computer, the forensic examiner may have to work with two types of memory heap and stack

True

Maria is a forensic specialist. She is examining an Android mobile device for evidence of a crime. In which of the following partitions is Maria most likely to find forensically important data

User data partition

A ______ is a software program that appears to be a physical computer and executes programs as if it were a physical computer

Virtual machine

Carl is beginning a digital forensic investigation. He has been sent into the field to collect a machine. When he arrives he sees that the computer is running and has applications. He decides to preserve as much data as possible by capturing data in memory. What should Carl perform?

Volatile memory analysis

Most mobile devices are able to connect to _____ networks which have become the norm and are found freely available in restaurants, coffee shops, hotels, homes and many other locations.

Wi-Fi

A _______ is essentially a computer virus that self-propogates

Worm

Stanley is a linux administrator. He wants to copy a directory from one part of the system to another. He is going to issue the command in a shell. He wants the contents of the directory copied as well as the directory itself. What command must stanley use?

cp -R

_________ is the Windows program that handles security and logon policies

lsass.exe

Which linux shell command lists all currently running processes (programs or daemons) that the user has started?

ps

If you type the _______ command at the Linux shell, you are asked for the root password, if you successfully supply it, you will then have root privileges

su

If you type the _______ command at the linux shell, you are asked for the root password. If you successfully supply it, you will then have root privileges

su