Itn 276 final
You are working on a business impact analysis. You are calculating the single loss expectancy (SLE) for a laptop computer. The laptop cost $2,500, which is its asset value (AV). You determined its exposure factor (EF) is 25%. What is the SLE?
$625
A business impact analysis indicates an organization cannot operate without its web server for more than 5 days and still recover. The mean time to repair is 3 days. How many days do you have after a disaster to initiate repairs or the organization will not be able to recover? 2 3 4 5
2
What is the definition of business continuity plan (BCP)? A plan for maintaining minimal operations until the business can return to full normal operations Continuous online backup storage An analysis of how specific incidents might impact the business operations A plan for returning the business to full normal operation
A plan for maintaining minimal operations until the business can return to full normal operations
You are the infrastructure manager. You are performing a business impact analysis (BIA) to consider the cost of likely disasters and the impact on your organization. How do you calculate the single loss expectancy (SLE)? By dividing the annualized loss expectancy (ALE) by the exposure factor (EF) By multiplying the asset value (AV) times the exposure factor (EF) By multiplying the annual rate of occurrence (ARO) times the exposure factor (EF) By dividing the annual rate of occurrence (ARO) by the exposure factor (EF)
By multiplying the asset value (AV) times the exposure factor (EF)
A cybercriminal wants to deliver steganized files to covert customers on a third-party cache. What method must be used so that the third party is unaware of these transactions and the customer can access the files? Delivery zone FTK server Dead drops Echo method
Dead drops
True or False? A business continuity plan (BCP) is a process whereby the disaster recovery team contemplates likely disasters and what impact each would have on the organization.
False
True or False? A business continuity plan (BCP) is focused on executing a full recovery to normal operations.
False
True or False? A cryptographic hash is reversible.
False
True or False? A disaster recovery plan (DRP) is focused on keeping the organization functioning as well as possible until a full recovery can be made.
False
True or False? An analysis of how specific incidents might impact business operations is the definition of business continuity plan (BCP).
False
True or False? Data Encryption Standard (DES) is a stream cipher.
False
True or False? Diffie-Hellman is a symmetric algorithm.
False
True or False? Journaling file systems, such as NTFS 5.0 and Ext3, help to reduce the incidence of physical damage to a hard disk.
False
True or False? The Vigenère cipher uses a 5 × 5 table that contains a keyword or key phrase.
False
True or False? Two techniques are common for recovering data after physical damage: consistency checking and zero-knowledge analysis.
False
True or False? With the consistency checking file system repair technique, a computer's file system is rebuilt from scratch using knowledge of an undamaged file system structure.
False
You are the infrastructure manager for your company's IT department. You are preparing to add forensics to your incident response policies. Which is the absolute first step you must take? Purchase intrusion detection systems. Update your forensic procedures. Add a line item to next year's budget. Identify forensic resources.
Identify forensic resources.
Many different kinds of computer disasters can disrupt normal operations for an organization's systems. What type of disaster is most likely to require a computer forensic expert? Hurricane Fire Flood Intrusion
Intrusion
A forensic expert sometimes uses specific measurements to describe an incident in order to analyze it. Which of the following is helpful in tracing the root cause of an incident and involves depiction of something resembling a fish head and fish bones? Mean percentage error DREAD Mean squared deviation Ishikawa diagram
Ishikawa diagram
Which operating system commonly uses the Ext file system? Mac OS UNIX Linux Windows
Linux
When performing a manual recovery on a Linux system, what is the first step to recovering manually deleted files? Install the Linux recovery toolkit. Boot into the recovery menu and select to run diagnostics. Move the system to single-user mode. Log in with root.
Move the system to single-user mode.
________ is the preferred file system of Windows 2000 and later operating systems. Ext3 FAT32 NTFS FAT16
NTFS
Miriam is a forensic investigator. She assisted in an investigation of a computer incident for a company that processes payment card information. She is writing the report on the breach and has been informed that all companies that process payment card data must issue a report if a breach violates which of the following? NIST FISMA PCI DSS IETF
PCI DSS
You are successful in recovering data files from a damaged disk. You attempt to open a few files and receive a message that the files have been corrupted. What is the best approach to take to gain access to the data? Perform file carving. Perform consistency checking. Open the files in a text editor. Perform a second recovery.
Perform file carving.
In a business impact analysis, which of the following refers to how much data will be lost in a computer disaster? RPO RTO MTTF SLE
RPO
Regarding incident response, what step involves restoring software and data from a backup source that has been verified to be free from malware infection? Containment Follow-up Recovery Eradication
Recovery
Devaki is a new forensic investigator. She is examining a recently seized hard drive. She was told by the individuals who collected the device that the owner indicated that it did not work. Devaki notices some damage on the case of the hard drive, agrees that it likely does not work, and processes the disk as if it is "lost" or inaccessible. What mistake did Devaki make? She should have verified with the hard drive owner that the hard disk did not work. She should have shredded the disk because it was damaged. She should have processed the disk as damaged instead of as inaccessible. She should have fully evaluated the disk by leveraging multiple techniques to attempt to retrieve the data.
She should have fully evaluated the disk by leveraging multiple techniques to attempt to retrieve the data.
_______ is the process of analyzing a file or files for hidden content. Steganalysis Asymmetric cryptography Steganophony Symmetric cryptography
Steganalysis
In Windows, what does the file allocation table (FAT) store? The data types stored on the disk A view of disk overages that are available The list of applications installed and their corresponding files The mapping between files and their cluster location on the hard drive
The mapping between files and their cluster location on the hard drive
In steganography, what is meant by carrier? The signal, stream, or data file in which the payload is hidden The type of medium used to send covert communications The information to be covertly communicated Using the last bit or least significant bit to store data
The signal, stream, or data file in which the payload is hidden
What is the definition of "transposition" in terms of cryptography? The art and science of writing hidden messages The swapping of blocks of ciphertext The determination of whether a file or communication hides other information A method of using techniques other than brute force to derive a cryptographic key
The swapping of blocks of ciphertext
You are attempting to recover deleted files from a storage device. The device's operating system uses the FAT32 file system. What is the most important advantage you have when attempting to recover specific deleted files? Read permissions to the files Open source tools rather than commercial tools Commercial tools rather than open source tools Time; files that were deleted relatively recently are more likely to be recovered
Time; files that were deleted relatively recently are more likely to be recovered
What is the purpose of overwriting data on a hard disk with random characters seven times? To forensically scrub a file or folder To prepare to shred the hard disk To test the file allocation table (FAT) update process To verify that the file is consistent and will not cause disk errors
To forensically scrub a file or folder
True or False? "Chosen plaintext attack" and "ciphertext-only" are two cryptanalysis methods for cracking encryption.
True
True or False? A collision occurs when two different inputs to the same hashing algorithm produce the same output (or hash).
True
True or False? A traditional backup plan includes backup media rotation, in which backup media is overwritten with newer backups.
True
True or False? After an organization recovers from a disastrous computer incident, if the root cause is not discovered and addressed, the chances of it occurring again are significant.
True
True or False? All modern block-cipher algorithms use both substitution and transposition.
True
True or False? End users generally cannot repair most physical damage to storage media, such as a hard disk.
True
True or False? Forensically scrubbing a file or folder may involve overwriting data with random characters seven times.
True
True or False? Infinitely recursing directories is a symptom of logical damage to a file system.
True
True or False? Logical damage to a file system may prevent the host operating system from mounting or using the file system.
True
True or False? Mean time to failure (MTTF) is the amount of time, on average, before a given device is likely to fail through normal use.
True
True or False? Regarding incident response, after an external intrusion, all logs should be preserved prior to a full recovery for forensic purposes.
True
True or False? The exclusive OR (XOR) operation checks whether there is a 1 in a binary number in a given place, but not in two binary numbers at the same place.
True
True or False? The forensics process begins once an incident has been discovered, but it does not get fully under way until after the disaster or incident is contained.
True
True or False? The four primary types of backups are full, incremental, differential, and continuous.
True
True or False? The purpose of adding forensics to incident response policies is to ensure that evidence is not destroyed in the process of recovering from an incident or disaster.
True
True or False? Turning off a computer while it is booting or shutting down can lead to logical damage of its file system.
True
The __________ cipher is a method of encrypting alphabetic text by using a series of different monoalphabetic ciphers selected based on the letters of a keyword. Vigenère ROT13 Atbash Scytale
Vigenère
A common approach for manually managed backups is the Grandfather-Father-Son scheme. Consider a server using traditional tape backup that is backed up daily. At the end of the week, a weekly backup is made. At the end of the month, a monthly backup is made. Which of the following is not true of the Grandfather-Father-Son scheme? Weekly backups are not reused, only sons and grandfathers. Weekly backups are reused after a grandfather is made. Each daily backup is the son, the weekly backup is the father, and the monthly backup is the grandfather. Daily backups begin to be reused after a father is made.
Weekly backups are not reused, only sons and grandfathers.
You are a forensic examiner. The logical structure of a hard disk that you are analyzing appears almost destroyed. You are not able to get the system to boot up despite your best efforts. You choose to perform a zero-knowledge analysis. Is this an appropriate choice for the next step? No. This is a file system repair technique that involves scanning a disk's logical structure and ensuring that it is consistent with its specification. It will not help in this case. Yes. This process includes searching memory in real time, typically for working with compromised hosts or to identify system abuse. No. This approach includes the process of searching for specific text in binary files even if the file has a reference count of zero. It does not apply in this case. Yes. Using this technique, the file system is rebuilt from scratch using knowledge of an undamaged file system structure. It should allow for data retrieval.
Yes. Using this technique, the file system is rebuilt from scratch using knowledge of an undamaged file system structure. It should allow for data retrieval.
A symbolic link is ________ another file. a copy of the deletion of the decommissioning of a pointer to
a pointer to
A ________ is a plan for returning the business to full normal operations. maximum tolerable downtime (MTD) business continuity plan (BCP) business impact analysis (BIA) disaster recovery plan (DRP)
disaster recovery plan (DRP)
A(n) __________ is a data structure in the Linux file system that stores all the information about a file except its name and actual data. table cluster partition inode
inode
The amount of time a system can be down before it is impossible for an organization to recover is addressed by: maximum tolerable downtime (MTD). a business continuity plan. a business impact analysis. mean time to repair (MTTR).
maximum tolerable downtime (MTD).
Consistency checking protects against: improper scanning. disk fragmentation. physical damage to a hard disk. software bugs and storage hardware design compatibilities.
software bugs and storage hardware design compatibilities.
The type of medium used to hide data in steganography is referred to as __________, which may be a photo, video, sound file, or Voice over IP (VoIP), for example. the carrier the channel steganophony the payload
the channel
Kerckhoffs' principle states that the security of a cryptographic algorithm depends only on the secrecy of: the algorithm. the plaintext. the substitution. the key.
the key.