C706 Study Set 3


Where is the trash directory located on a macOS? a. /etc/trash/ b. ~/Trash/Bin/ c. ~/.Trash/ d. /user/lib/trash/

c. ~/.Trash/ (the hidden .Trash folder inside the user's home directory)

In Linux systems, where is local user information saved?

/etc/passwd file

CAN-SPAM Act

A federal law that placed guidelines on mass commercial emails.

POP3 (Post Office Protocol version 3)

A protocol used for retrieving email from a mailbox on the mail server. By default a POP3 client downloads messages to the local machine (and is often configured to delete them from the server), so the only copy may be on the client.

Which Android developer feature can be activated from the Developer Options menu and allows an Android device to establish communication with a computer/workstation that runs the Android Software Development Kit (SDK)? a. USB Restriction Mode b. USB Debugging Mode c. Developer Mode d. Communication API

b. USB Debugging Mode It is an Android developer feature that can be activated from the Developer Options menu. USB debugging allows an Android device to establish communication (via adb) with a computer/workstation that runs the Android Software Development Kit (SDK). Therefore, investigators should enable USB debugging mode during evidence acquisition.

netstat -rn

Command to show routing table information. The -n flag lists addresses numerically instead of resolving them to names.

Where is the startup item file directory located on a macOS?

/Library/StartupItems/*, /System/Library/StartupItems/*

What command is used to determine the NetBIOS name table cache in Windows?

nbtstat nbtstat helps troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses. ▪ -c: Lists the NetBIOS name cache, i.e., remote names and their IP addresses ▪ -n: Displays the names that have been registered locally on the system by NetBIOS applications such as the server and redirector ▪ -r: Displays the count of all NetBIOS names resolved by broadcast and by querying a Windows Internet Naming Service (WINS) server ▪ -S: Lists the current NetBIOS sessions and their statuses ▪ -a <name>: Shows the NetBIOS name table of a remote machine

Which Windows Registry hives are considered nonvolatile with respect to data persistence? a. HKEY_USERS, HKEY_CLASSES_ROOT b. HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE c. HKEY_LOCAL_MACHINE, HKEY_USERS d. HKEY_LOCAL_MACHINE, HKEY_CURRENT_CONFIG

c. HKEY_LOCAL_MACHINE, HKEY_USERS The main registry hives are: ▪ HKEY_CLASSES_ROOT ▪ HKEY_CURRENT_USER ▪ HKEY_CURRENT_CONFIG ▪ HKEY_LOCAL_MACHINE ▪ HKEY_USERS With respect to data persistence, Windows Registry hives are divided into two types: ▪ Non-volatile: HKEY_LOCAL_MACHINE, HKEY_USERS (backed by hive files on disk such as SAM, SYSTEM, SOFTWARE and NTUSER.DAT) ▪ Volatile: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG (built at runtime as links into the non-volatile hives)

aggregation

To come together into a mass, sum, or whole

USB Restriction Mode

USB Restriction Mode (in iOS) This feature, available in iOS 11.4.1 and above, makes it difficult for attackers and for law enforcement agencies/investigators to unlock an iPhone. It improves security by blocking new USB data connections once the device has been locked for more than an hour; the device must be unlocked to allow new connections or reconnections. Therefore, once USB restriction mode is active, it is difficult to get any data from the iPhone, and an investigator may have to enter DFU mode or rely on a jailbreak to collect evidence. When investigators seize a device at the crime scene, they should therefore connect it with an appropriate Lightning cable promptly to prevent the device from entering USB restriction mode.

What operating system is macOS based on?

Unix macOS is a Unix-based OS used by Apple in its Macintosh computers. It is built on the XNU kernel, which combines Mach and Berkeley Software Distribution (BSD) layers.

IMAP (Internet Message Access Protocol)

a common protocol for retrieving email messages via the Internet

Identify which code can be used to obtain the International Mobile Equipment Identifier (IMEI) number on a mobile phone. a. *#06# b. #*06* c. #*06# d. *06#

a. *#06# In an unlocked device, the IMEI number can be obtained by keying in *#06# IMEI is a 15-digit number that denotes the manufacturer, model type, and country of approval for GSM devices. The first eight digits, known as the Type Allocation Code (TAC), denote the model and origin of the device.
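The IMEI layout above (8-digit TAC, 6-digit serial, 1 check digit computed with the Luhn algorithm) can be validated offline. The following is an added example written for this study set, not course material; the IMEI used is the well-known documentation sample 490154203237518, not a real handset.

```python
"""IMEI structure check: Luhn check digit and Type Allocation Code (TAC).

Added example, not part of the study set. The IMEI below is the sample value
490154203237518 that appears in documentation, not a real device.
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit from the right.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC (8), serial (6) and check digit (1)."""
    imei = imei.replace(" ", "").replace("-", "")
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 digits")
    return {
        "tac": imei[:8],        # Type Allocation Code: model and origin of the device
        "serial": imei[8:14],   # per-device serial number
        "check": imei[14],      # Luhn check digit over the first 14 digits
        "valid": luhn_valid(imei),
    }


if __name__ == "__main__":
    print(parse_imei("490154203237518"))
```

A transposed or mistyped digit fails the Luhn check, which is a quick sanity test before querying a TAC database with the first eight digits.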

Tor's hidden service protocol allows users to host websites anonymously under what domains, accessible only by users of the Tor network? a. .BIT b. .onion c. .Tor d. .Tornet

b. .onion Tor's hidden (onion) service protocol allows users to host websites anonymously under .onion domains; these websites can only be reached from within the Tor network, and the Tor browser provides access to them on the dark web.

Which log files in a Linux system cannot be used by forensic investigators? a. /var/log/evtx.log b. /var/log/kern.log c. /var/log/pr.log d. /var/log/auth.log

a. /var/log/evtx.log EVTX is the Windows event-log format; no such log exists on a Linux system. kern.log and auth.log (kernel messages and authentication events on Debian-based distributions) are regular investigative sources.

On a Windows machine, the Tor browser uses which ports for establishing connections via Tor nodes? a. 9150/9151 b. 9115/9116 c. 9155/9152 d. 1050/1051

a. 9150/9151 When the Tor browser is installed on a Windows machine, it listens on 127.0.0.1:9150 (SOCKS proxy) and 127.0.0.1:9151 (control port) for establishing connections via Tor nodes. When investigators test for active network connections on the machine with the command netstat -ano, they can identify whether Tor was used on the machine.
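Checking `netstat -ano` output for those listeners is easy to script. The following is an added example written for this study set (not course material): it parses a constructed `netstat -ano` table, flags the default Tor Browser ports and pivots on the owning PID to list the remote connections that process holds; PIDs and addresses are invented.

```python
"""Spot Tor Browser's default listeners in `netstat -ano` output.

Added example, not part of the study set. The netstat table below is
constructed to mimic Windows `netstat -ano`; PIDs and addresses are invented.
"""
import re

# Tor Browser defaults on Windows: 9150 is the SOCKS listener, 9151 the control port.
TOR_BROWSER_PORTS = {9150: "Tor SOCKS port", 9151: "Tor control port"}
LOCAL_ONLY = {"127.0.0.1", "[::1]", "0.0.0.0", "[::]", "*"}

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:9150         0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:9151         0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:9150         127.0.0.1:50233        ESTABLISHED     4412
  TCP    192.168.1.20:50240     203.0.113.7:443        ESTABLISHED     4412
  TCP    192.168.1.20:50241     198.51.100.40:443      ESTABLISHED     2208
  UDP    0.0.0.0:5353           *:*                                    1588
"""

# State is absent for UDP rows, so it is optional in the pattern.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_addr(addr):
    """Split 'host:port' (IPv4 or [IPv6]) into (host, port or None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        lhost, lport = split_addr(m.group("local"))
        rhost, rport = split_addr(m.group("remote"))
        rows.append({
            "proto": m.group("proto"), "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport,
            "state": m.group("state") or "", "pid": int(m.group("pid")),
        })
    return rows


def find_tor_indicators(text):
    """Return (Tor-port listeners, remote connections held by the same PIDs)."""
    rows = parse_netstat(text)
    listeners = [r for r in rows
                 if r["proto"] == "TCP" and r["state"] == "LISTENING"
                 and r["local_port"] in TOR_BROWSER_PORTS]
    pids = {r["pid"] for r in listeners}
    # Non-loopback connections owned by the same PID are the candidate guard/bridge hops.
    peers = [r for r in rows
             if r["pid"] in pids and r["state"] == "ESTABLISHED"
             and r["remote_host"] not in LOCAL_ONLY]
    return listeners, peers


if __name__ == "__main__":
    found, peers = find_tor_indicators(SAMPLE_NETSTAT)
    for r in found:
        print(f"PID {r['pid']} listening on {r['local_port']} ({TOR_BROWSER_PORTS[r['local_port']]})")
    for r in peers:
        print(f"PID {r['pid']} connected to {r['remote_host']}:{r['remote_port']}")
```

The ports are defaults, not guarantees: a user can change SocksPort/ControlPort, so an empty result does not prove Tor was never used; check the registry launcher key and the browser's profile directory as well.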

The Apache web server follows a modular approach and consists of two major components: the Apache core and the _____________. a. Apache modules b. Apache config c. Apache main d. Apache client

a. Apache modules The Apache web server follows a modular approach. It consists of two major components, the Apache core and Apache modules. The Apache core addresses the basic functionalities of the server, such as the allocation of requests and the maintenance and pooling of connections, while the Apache modules, which are simply add-ons used for extending the core functionality of the server, handle other functions, such as obtaining the user ID from the HTTP request, validating the user, and authorizing the user. The Apache core consists of several components that have specific activities to perform.

What would not be found on a most recently used list? a. Bookmarks b. Opened documents c. Recently visited web pages

a. Bookmarks

What file format is used by Windows Vista and later versions to store event logs, with records structured as XML? a. EVTX b. .log c. .txt d. TXTX

a. EVTX Windows Vista and later store event logs in the EVTX format: the .evtx file itself is binary, but each record is structured as XML and can be exported as XML (for example with wevtutil or Event Viewer). Windows contains different types of logs, including administrative, operational, analytic, debug, and application logs.

To start the forensic acquisition and analysis process of an Amazon EC2 instance, what is the first step? a. Isolate the compromised EC2 instance from the production environment b. Photograph the datacenter c. Take a snapshot of the EC2 instance d. Provision and launch a forensic workstation

a. Isolate the compromised EC2 instance from the production environment Acquisition is an important part of a forensic investigation. However, the acquisition of compromised instances in a cloud environment follows a different methodology. Given below are the steps involved in the forensic acquisition of an EC2 instance if it is suspected to be compromised. 1. Isolating the compromised EC2 instance from the production environment 2. Taking a snapshot of the EC2 instance 3. Provisioning and launching a forensic workstation 4. Creating evidence volume from the snapshot 5. Attaching evidence volume to the forensic workstation 6. Mounting the evidence volume onto the forensic workstation

What is not a command used to determine logged-on users? a. LoggedSessions b. PSLoggedOn c. Net Sessions d. LogonSessions

a. LoggedSessions PsLoggedOn: a Sysinternals utility that displays users logged on locally and via resource shares, on either the local or a remote computer. net session: used for managing server connections; it displays computer names and usernames on a server, open files, and session duration. LogonSessions: when run without options, lists the currently active logon sessions; with -p it also lists the processes running in each session.

Which of the files storing data and logs in SQL Server is the starting point of a database and points to the other files in the database? a. Primary data file (MDF) b. SQL data file (PDF) c. Transaction Log File (LDF) d. Secondary data file (NDF)

a. Primary data file (MDF) The MDF holds the database's startup information and references the other files; secondary data files (NDF) hold additional data, and the transaction log file (LDF) records the changes needed to recover the database.

Which RFC defines the internet email message format? a. RFC 5322 b. RFC 2050 c. RFC 5422 d. RFC 2525

a. RFC 5322

The information about the system users is stored in which file? a. SAM database file b. PAT database file c. NTUSER.DAT d. NTUSER.BAT

a. SAM database file Information about the system users is stored in the Security Account Manager (SAM) database file. Each user's registry settings for their specific account are stored in the NTUSER.DAT registry file.

Which of the following is an internet protocol that is designed for transmitting emails to a valid email address? a. Simple Mail Transfer Protocol (SMTP) b. Internet Message Access Protocol (IMAP) Server c. TCP/IP d. Post Office Protocol Version 3 (POP3) Server

a. Simple Mail Transfer Protocol (SMTP) SMTP is the outgoing-mail protocol that carries a message from the client to a mail server and between mail servers until it reaches the recipient's mailbox. Users cannot receive mail through SMTP; a mail client retrieves messages with POP3 or IMAP and uses SMTP alongside them for sending.

What is non-volatile information? a. User accounts b. Mounted filesystems information c. Network information d. Loaded kernel modules

a. User accounts Volatile information includes: hostname, date and time, and time zone; uptime; network information; open ports; open files; mounted filesystem information; loaded kernel modules; user events; running processes; swap areas and disk partition information; kernel messages.

The Apache server generates two types of logs, one that records all the requests processed by the Apache web server and one that contains diagnostic information on errors that the server faced while processing requests. The two types of logs generated are _______________________________ . a. access log and error log b. error log and server log c. server log and access log d. apache log and error log

a. access log and error log Apache server generates the following two types of logs: 1. Access log: It generally records all the requests processed by the Apache web server 2. Error log: It contains diagnostic information and errors that the server faced while processing requests
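Both logs are plain text with a fixed layout, so an investigator can parse them and correlate entries by client. The following is an added example written for this study set (not course material or Apache's own code): it parses constructed lines in Apache's Combined Log Format and the Apache 2.4 error-log format, then summarises requests, failed statuses and error-log entries per client IP. Addresses, paths and timestamps are invented.

```python
"""Parse Apache access and error logs and summarise activity per client.

Added example, not part of the study set. The log lines below are constructed
in the Combined Log Format and the Apache 2.4 error-log format.
"""
import re
from collections import defaultdict

ACCESS_LOG = """\
203.0.113.5 - - [14/Mar/2024:13:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Mar/2024:13:00:02 +0000] "GET /admin/../../../etc/passwd HTTP/1.1" 400 226 "-" "curl/8.0"
203.0.113.5 - - [14/Mar/2024:13:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.9 - alice [14/Mar/2024:13:00:05 +0000] "POST /api/upload HTTP/1.1" 201 42 "https://example.test/app" "Mozilla/5.0"
"""

ERROR_LOG = """\
[Thu Mar 14 13:00:02.123456 2024] [core:error] [pid 1234:tid 5678] [client 203.0.113.5:50222] AH00126: Invalid URI in request GET /admin/../../../etc/passwd HTTP/1.1
[Thu Mar 14 13:00:03.654321 2024] [core:info] [pid 1234:tid 5678] [client 203.0.113.5:50223] AH00128: File does not exist: /var/www/html/wp-login.php
[Thu Mar 14 13:01:00.000000 2024] [mpm_event:notice] [pid 1234:tid 5678] AH00489: Apache/2.4.58 configured -- resuming normal operations
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
# [time] [module:level] [pid N:tid N] [client ip:port] message
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] '
    r'\[pid (?P<pid>\d+)(?::tid \d+)?\](?: \[client (?P<client>[^\]]+)\])? (?P<message>.*)$'
)


def parse_access(text):
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            parts = rec["request"].split(" ")
            rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else ("", rec["request"])
            out.append(rec)
    return out


def parse_error(text):
    out = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            rec = m.groupdict()
            # Apache 2.4 logs "client ip:port"; strip the port so it joins with the access log.
            rec["client_ip"] = rec["client"].rpartition(":")[0] if rec["client"] else None
            out.append(rec)
    return out


def summarize_by_client(access_text, error_text):
    """Per client IP: request count, 4xx/5xx count with paths, and error-log entries."""
    summary = defaultdict(lambda: {"requests": 0, "failed": 0, "errors": 0, "paths": []})
    for rec in parse_access(access_text):
        s = summary[rec["host"]]
        s["requests"] += 1
        if rec["status"] >= 400:
            s["failed"] += 1
            s["paths"].append(rec["path"])
    for rec in parse_error(error_text):
        if rec["client_ip"]:
            summary[rec["client_ip"]]["errors"] += 1
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize_by_client(ACCESS_LOG, ERROR_LOG).items():
        print(ip, s)
```

The access log shows what was asked for and the status the server returned; the error log explains why a request failed (here, an invalid URI from a traversal attempt). Reading both together separates probing from ordinary traffic.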

The elements of the Apache core that address the basic functionalities of the server are http_protocol, http_main, http_request, http_core, alloc and _______________. a. http_config b. http_alloc c. http_core d. http_manage

a. http_config The elements of the Apache core are http_protocol, http_main, http_request, http_core, alloc, and http_config. ▪ http_protocol: This element is responsible for managing the routines. It interacts with the client and handles all the data exchange and socket connections between the client and server. ▪ http_main: This element handles server startups and timeouts. It also consists of the main server loop that waits for the connections and accepts them. ▪ http_request: This element controls the stepwise procedure followed among the modules to complete a client request and is responsible for error handling ▪ http_core: This element includes a header file that is not required by the application module ▪ Alloc.c: This element handles the allocation of resource pools ▪ http_config: This element is responsible for reading and handling configuration files. One of the main tasks of http_config is to arrange all the modules, which the server will call during various phases of request handling.

Which web application threat arises when a web application is unable to handle technical issues properly and the website returns information, such as database dumps, stack traces and codes? a. improper error handling b. buffer overflows c. cookie poisoning d. SQL injection

a. improper error handling This threat arises when a web application is unable to handle internal errors properly. In such cases, the website returns information, such as database dumps, stack traces, and error codes, in the form of errors.

Which Linux command lists the open files for the user currently logged into a system? a. lsof b. openfile c. ofopen d. lsopen

a. lsof To list the open files for the user currently logged into the system an investigator can run the lsof command in the following manner: Syntax: lsof -u <user_name>

Where do email archives store received and sent emails? a. On the system hard drive b. In the cache file c. On the internet d. On the mail server

a. on the system hard drive **keyword is "email archive" Email archives store received and sent emails, contacts, attachments and other email client related data and store them on the system hard drive.

Digital files generally have a signature that can be found in the first 20 bytes of the file a. true b. false

a. true Most file formats carry a signature (magic number) within the first 20 bytes of the file; investigators compare it with the file extension, because renaming a file changes its extension but not its signature.

The CustomDestinations jump list is made of files that are created when a user pins a file or an application to a taskbar. a. true b. false

a. true The CustomDestinations jump list (*.customDestinations-ms files under %AppData%\Microsoft\Windows\Recent\CustomDestinations) is made of files created when a user pins a file or an application to the taskbar, whereas the AutomaticDestinations jump list is populated automatically from recently used items.

In which location are IIS log files stored by default? a. %SystemDrive%\inetpub\LogFiles b. %SystemDrive%\inetpub\Logs\LogFiles c. %SystemDrive%\PerfLogs\LogFiles d. %SystemDrive%\PerfLogs\Logs\LogFiles

b. %SystemDrive%\inetpub\Logs\LogFiles

Which azure logs record information related to all successful and failed requests made to Azure blobs, Azure queue and Azure table, can be enabled via the Azure portal and record authenticated as well as anonymous requests? a. Azure Active Directory Reports b. Azure Storage Analytics Logs c. Azure Activity Logs d. Azure Resource Logs

b. Azure Storage Analytics Logs These logs record information related to all successful and failed requests made to Azure storage services such as Azure blobs, Azure queue, and Azure table. This logging feature can be enabled via the Azure portal. These logs record authenticated as well as anonymous requests. When enabled for a storage account, these logs are automatically placed in block blobs in a container called $logs. This container cannot be removed when the storage analytics are enabled.

On a windows machine, where are the prefetch files located? a. C:\WINDOWS\Fetch\Prefetch b. C:\WINDOWS\Prefetch c. C:\WINDOWS\Fetch d. C:\WINDOWS\Fetch\Prefetch

b. C:\WINDOWS\Prefetch The prefetch files are located in the directory, C:\WINDOWS\Prefetch on a Windows machine Using tools such a

What is considered the biggest threat to mobile devices? a. Mobile malware b. Data loss c. Social engineering attack d. Data integrity threat

b. Data loss An employee or attacker exfiltrates sensitive information from the device or network; it can be unintentional or malicious and remains the biggest threat to mobile devices.

By default, Windows XP and later create hidden administrative shares on a system? a. True b. False

b. False By default, Windows Vista, 7, 8.1 and 10 create hidden administrative shares on a system.

What is a cloud environment composed of two or more clouds that remain unique entities but are bound together to offer the benefits of multiple deployment models? a. Private cloud b. Hybrid cloud c. Community cloud d. Public cloud

b. Hybrid cloud It is a cloud environment comprising at least two private, public, or community cloud models that act as individual entities but are bound together for offering the benefits of multiple deployment models. In this model, the organization provides and manages some resources in-house, whereas others are provided externally. Example: An organization performs its critical activities on a private cloud (such as operational customer data) and non-critical activities on a public cloud.

What is not one of the three tiers a log management infrastructure typically comprises? a. Log generation b. Log rotation c. Log analysis and storage d. Log monitoring

b. Log rotation The three tiers are log generation, log analysis and storage, and log monitoring; log rotation is a housekeeping task within those tiers, not a tier of its own.

Which command is used to determine open files? a. Openfile b. Net file c. PSFiles d. Open files

b. Net file The net file command lists the shared files open on a server (file ID, path, user who opened it, lock count) and can close an open file by ID.

Which of the following is not a command used to determine running processes in Windows? a. Tasklist b. Netstat c. PSList d. Listdlls

b. Netstat Tasklist displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer Pslist Source: https://docs.microsoft.com pslist.exe displays basic information about the already running processes on a system, including the amount of time each process has been running (in both kernel and user modes). ListDLLs Source: https://docs.microsoft.com ListDLLs is a utility that reports the DLLs loaded into processes. You can use it to list all DLLs loaded into all the processes, into a specific process, or to list the processes that have a particular DLL loaded. ListDLLs can also display full version information for DLLs, including their digital signature, and it can also scan processes for unsigned DLLs.

Which tool is a mobile forensic acquisition and analysis tool for cell phones, smartphones, tablets and GPS devices which supports both logical and physical acquisition of data and also allows one to perform cloud data acquisition from mobile devices. a. Cellebrite UFED Logical Analyzer b. Paraben's E3 DS c. Oxygen Forensic Extractor d. XRY Logical

b. Paraben's E3 DS Paraben's E3 DS is a mobile forensic acquisition and analysis tool for cell phones, smartphones, tablets, and GPS devices which supports both logical and physical acquisition of data. It also allows one to perform cloud data acquisition from mobile devices. Cellebrite UFED Logical Analyzer extracts and analyzes data from mobile devices. It has a built-in SIM reader that allows the device to obtain data such as call logs, phonebooks, SMS, IMSI, and ICCID. The device also supports SIM card cloning. XRY LOGICAL is a software-based solution comprising the hardware required for the forensic investigation of mobile devices. It analyzes a wide range of mobile phones using a secure examination process to recover data in a forensically secure manner. It enables investigators to perform logical data acquisition on mobile phones. Oxygen Forensic Extractor enables wired (USB) and wireless (Bluetooth) data acquisition from mobile devices running on a variety of platforms.

Which identifies flaws in how vendors deploy the TCP/IP protocols? a. Anomaly detection b. Protocol anomaly detection c. Signature based intrusion detection d. Session recognition

b. Protocol anomaly detection Protocol Anomaly Detection: In this type of detection, models are built to explore anomalies in the way vendors deploy the TCP/IP specification Signature Recognition: also known as misuse detection, attempts to identify events that indicate an abuse of a system or network resource Anomaly Detection: It detects an intrusion based on the fixed behavioral characteristics of the users and components in a computer system

In Event Correlation Approaches, which approach is used to monitor the computers and computer users behaviors and provide an alert if something anomalous is found? a. Bayesian correlation b. Role-based approach c. Vulnerability-based approach d. Route correlation

b. Role-based approach Time (Clock Time) or Role-Based Approach: This approach leverages data on the behavior of computers and their users to trigger alerts when anomalies are found Bayesian Correlation: This approach is an advanced correlation method based on statistics and probability theory, which uses prior probabilities of conditions to predict what a hacker might do next after an attack. Vulnerability-Based Approach: This approach helps map IDS events that target a vulnerable host by using a vulnerability scanner. It deduces an attack on a specific host in advance and prioritizes attack data in order to respond to the affected points quickly. Route Correlation: This approach helps in extracting information about the attack route and uses that information to identify further data pertaining to the attack.

In Windows Event Log File Internals, the following file is used to store the Databases related to the system: a. Security.evtx b. System.evtx c. Database.evtx d. Application.evtx

b. System.evtx The Windows event log files are, essentially, databases with the records related to the system, security, and applications. The databases related to the system are stored in a file named System.evtx The databases related to security are stored in a file named Security.evtx The databases related to applications are stored in a file named Application.evtx Windows event logs are stored in: C:\Windows\System32\winevt\Logs folder

What tool enables you to retrieve information about event logs and publishers in Windows 10? a. MSconfig b. Wevtutil c. Regedit d. EventViewer

b. Wevtutil Windows 10 stores event logs in the EVTX file format, whose records are based on XML (Extensible Markup Language). The wevtutil command can be used to retrieve information about event logs and publishers that is not readily apparent via the Event Viewer user interface. You can also use this command to install and uninstall event manifests; to run queries; and to export, archive, and clear logs. Command to display a list of available event logs on the system: wevtutil el

The investigator uses which of the following commands to view the ARP table in windows? a. arp -a b. arp .a c. arp /all d. arp //

b. arp -a The ARP table of a router is invaluable for investigating network attacks, as the table contains IP addresses associated with their respective MAC addresses An investigator can view the ARP table in Windows by issuing the command arp -a

In scenarios where the usage of the Tor network is restricted, what helps circumvent the restrictions and allows users to access the Tor network? The usage of these nodes makes it difficult for governments, organizations and ISPs to censor the usage of the Tor network. a. relay nodes b. bridge nodes c. anonymizer nodes d. tor nodes

b. bridge nodes Bridge nodes exist as proxies in the Tor network, and not all of them are publicly listed in the Tor directory of nodes; several bridge nodes are concealed/hidden. Hence, ISPs, organizations, and governments cannot detect their IP addresses or block them. Even if ISPs and organizations detect some of the bridge nodes and censor them, users can simply switch over to other bridge nodes. A Tor user transmits traffic to the bridge node, which transmits it to a guard node as selected by the user. Communication with a remote server occurs normally; however, an extra node of transmission is involved, i.e., the bridge node. The use of concealed bridge nodes as proxies help users circumvent the restrictions placed on the Tor network.

Investigators can use Linux commands to gather necessary information from the system. Identify the shell command that is used to display the kernel ring buffer or information about device drivers loaded into the kernel. a. pstree b. dmesg c. stat d. fsck

b. dmesg dmesg displays the kernel ring buffer, including messages about device drivers loaded into the kernel. fsck: Linux file-system check and repair utility. pstree: shows parent processes and the child processes running under them. stat: displays a file's status, including its timestamps (modification, access and change, i.e., MAC times).

Which event correlation step compiles repeated events into a single event and avoids the duplication of the same event? a. event masking b. event aggregation c. event filtering d. root cause analysis

b. event aggregation Event aggregation is also called event de-duplication. It compiles the repeated events to a single event and avoids the duplication of the same event.
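Aggregation only works if the repeated events share a key, so variable fields (source port, PID, request ID) have to be masked first. The following is an added example written for this study set (not course material): it parses constructed syslog-style lines, normalizes the message, and collapses repeats that fall within a time window into one event with a count and first/last-seen times. Hosts and addresses are invented.

```python
"""Event aggregation (de-duplication) step for a correlation pipeline.

Added example, not part of the study set. The syslog-style lines below are
constructed; hosts and addresses are invented.
"""
import re
from datetime import datetime, timedelta

EVENTS = """\
2024-03-14T13:00:01Z web01 sshd Failed password for root from 203.0.113.5 port 52200 ssh2
2024-03-14T13:00:02Z web01 sshd Failed password for root from 203.0.113.5 port 52201 ssh2
2024-03-14T13:00:03Z web01 sshd Failed password for root from 203.0.113.5 port 52202 ssh2
2024-03-14T13:00:03Z db01 sshd Failed password for root from 203.0.113.5 port 40100 ssh2
2024-03-14T13:00:04Z web01 sshd Accepted password for alice from 198.51.100.9 port 52300 ssh2
2024-03-14T13:05:00Z web01 sshd Failed password for root from 203.0.113.5 port 52290 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+) (?P<msg>.*)$")


def normalize(msg):
    """Mask per-attempt variable fields so repeats collapse onto one key."""
    return re.sub(r"\bport \d+", "port N", msg)


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "host": m.group("host"),
                       "prog": m.group("prog"), "msg": m.group("msg")})
    return events


def aggregate(events, window=timedelta(seconds=60)):
    """Collapse repeated (host, program, normalized message) events inside `window`."""
    groups = []          # aggregated events in first-seen order
    open_groups = {}     # key -> group currently accepting repeats
    for ev in sorted(events, key=lambda e: e["ts"]):   # stable sort keeps ties in order
        key = (ev["host"], ev["prog"], normalize(ev["msg"]))
        g = open_groups.get(key)
        if g is not None and ev["ts"] - g["last_seen"] <= window:
            g["count"] += 1
            g["last_seen"] = ev["ts"]
            continue
        # Either a new key or the previous burst went quiet: start a new aggregate.
        g = {"host": ev["host"], "prog": ev["prog"], "msg": normalize(ev["msg"]),
             "count": 1, "first_seen": ev["ts"], "last_seen": ev["ts"],
             "sample": ev["msg"]}
        groups.append(g)
        open_groups[key] = g
    return groups


def aggregate_text(text, window_seconds=60):
    return aggregate(parse_events(text), timedelta(seconds=window_seconds))


if __name__ == "__main__":
    for g in aggregate_text(EVENTS):
        print(f"{g['count']:>3}x {g['host']} {g['prog']}: {g['msg']} "
              f"[{g['first_seen']:%H:%M:%S} - {g['last_seen']:%H:%M:%S}]")
```

The count and first/last-seen fields are what the later correlation steps need (three failures in two seconds reads differently from one failure), and the window keeps a burst five minutes later from being merged into an earlier one.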

What is a static malware analysis technique that uses unique hash values to help investigators recognize files that are sensitive to tracking and identify similar programs from a database? a. identifying packing or obfuscation methods b. file fingerprinting c. performing strings search d. malware disasembly

b. file fingerprinting File fingerprinting is data loss prevention (DLP) method used for identifying and tracking data across a network. The process involves creating shorter text strings for the files called hash values. Unique hash values or fingerprints are developed using various cryptographic algorithms which utilize data such as strings, metadata, size, and other information.
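The following is an added example written for this study set (not course material); it serves this card on file fingerprinting and the earlier card on file signatures in the first 20 bytes. It hashes constructed sample "files", compares each file's magic bytes with its extension, and checks the SHA-256 against a known-bad set. The known-bad set is seeded from one of the constructed samples so the lookup runs offline; in practice it would come from a hash database or threat-intelligence feed.

```python
"""Static triage: file-signature check plus hash fingerprinting.

Added example, not part of the study set. The sample "files" are byte strings
constructed inline; the known-bad hash set is seeded from one of them.
"""
import hashlib

# Magic number -> (format, extensions that legitimately carry it). Constructed subset.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("png", {"png"}),
    b"%PDF-": ("pdf", {"pdf"}),
    b"MZ": ("pe", {"exe", "dll", "sys", "scr"}),
    b"PK\x03\x04": ("zip", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    b"\x7fELF": ("elf", {"", "so", "elf"}),
    b"\xff\xd8\xff": ("jpeg", {"jpg", "jpeg"}),
    b"GIF87a": ("gif", {"gif"}),
    b"GIF89a": ("gif", {"gif"}),
}

# Constructed samples: a PE header renamed to .pdf, a JPEG, an OOXML document, plain text.
SAMPLE_FILES = {
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8" + b"\x00" * 48,
    "photo.jpg":   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32,
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 40,
    "notes.txt":   b"meeting moved to 3pm\n",
}


def identify(header):
    """Return (format, extensions) for the longest matching magic, else (None, set())."""
    for magic in sorted(SIGNATURES, key=len, reverse=True):
        if header.startswith(magic):
            return SIGNATURES[magic]
    return None, set()


def fingerprint(data):
    """Hash values under the algorithms commonly found in hash databases."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


# Seeded from the disguised PE above so the example is self-contained.
KNOWN_BAD_SHA256 = {fingerprint(SAMPLE_FILES["invoice.pdf"])["sha256"]}


def triage(name, data, known_bad=KNOWN_BAD_SHA256):
    fmt, exts = identify(data[:20])
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    hashes = fingerprint(data)
    return {
        "name": name,
        "detected": fmt,
        "extension": ext,
        "mismatch": fmt is not None and ext not in exts,   # signature disagrees with extension
        "sha256": hashes["sha256"],
        "known_bad": hashes["sha256"] in known_bad,
    }


def triage_all(files=SAMPLE_FILES):
    return {name: triage(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        flags = [k for k in ("mismatch", "known_bad") if result[k]]
        print(f"{name:<12} {result['detected'] or '?':<5} {result['sha256'][:16]}... {' '.join(flags)}")
```

A cryptographic hash changes completely when a single byte changes, so an exact-match lookup only finds files identical to a known sample; the signature/extension check catches the cheaper trick of renaming an executable, which the hash lookup alone would miss if the sample were new.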

Where can an investigator find information on the sender and the recipient of an email and on the path taken by an email while in transit? a. on the main server b. in the email header c. in SMTP log files d. in the body of the email

b. in the email header If an offending email has been identified or is suspected to be spoofed, investigators must examine its header information. The email header plays a vital role in forensic investigation as it holds detailed information on the email's origin, which can help investigators gather supporting evidence and identify the culprit behind the crime. Email header information can be retrieved after acquiring the email messages. If the investigator is physically accessing the suspect's computer, they can view the email header using the same email program as the one used by the suspect. This process is different for different email programs.
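Each relay prepends its own Received header, so reading them bottom-up reconstructs the path. The following is an added example written for this study set (not course material): it parses a constructed message with Python's standard email module, lists the hops in transit order with the claimed host, observed IP and timestamp, and compares the From domain with the Return-Path domain, a common spoofing tell. Hostnames, addresses and message IDs are invented.

```python
"""Reconstruct an email's transit path from its Received headers.

Added example, not part of the study set. The message below is constructed;
hostnames, addresses and IDs are invented.
"""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

RAW_MESSAGE = """\
Received: from mx1.example.test (mx1.example.test [198.51.100.20])
\tby inbox.example.test with ESMTP id abc123;
\tThu, 14 Mar 2024 13:00:05 +0000
Received: from relay.attacker.test (unknown [203.0.113.7])
\tby mx1.example.test with SMTP id def456;
\tThu, 14 Mar 2024 13:00:03 +0000
Return-Path: <bounce@attacker.test>
From: "CEO" <ceo@example.test>
To: alice@example.test
Subject: urgent wire
Date: Thu, 14 Mar 2024 13:00:00 +0000
Message-ID: <1@attacker.test>

Please wire the funds today.
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Hops in transit order (oldest first); the newest Received header is on top."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        m = HOP_RE.search(flat)
        ip = IP_RE.search(flat)
        when = flat.rpartition(";")[2].strip()    # timestamp follows the final ';'
        hops.append({
            "from": m.group("from") if m else None,   # what the sender claimed to be
            "ip": ip.group(1) if ip else None,        # what the receiving relay observed
            "by": m.group("by") if m else None,
            "time": parsedate_to_datetime(when) if when else None,
        })
    return hops


def sender_domains(raw):
    """Compare the visible From domain with the envelope sender (Return-Path)."""
    msg = email.message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return_path = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    return {"from": header_from, "return_path": return_path,
            "mismatch": header_from != return_path}


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(RAW_MESSAGE), 1):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
    print(sender_domains(RAW_MESSAGE))
```

Only the Received headers added by your own mail servers are trustworthy; anything below them can be forged by the sender, so the first hop an investigator can rely on is the one recorded by the organization's edge relay.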

________________ command is used to display the network configuration of the NICs on the system. a. ipconfig \all b. ipconfig /all

b. ipconfig /all

Which command is used to find if TCP and UDP ports have unusual listening? a. netstat -n b. netstat -na c. netstat -s d. netstat -ns

b. netstat -na netstat -na: lists all TCP and UDP sockets with numeric addresses, which reveals unusual listening ports. nbtstat -S: analyzes NetBIOS over TCP/IP activity.

Which type of jailbreak causes the device to boot into a non-jailbroken state after each rebooting? a. untethered jailbreak b. semi-untethered jailbreak c. tethered jailbreak d. semi-tethered jailbreak

b. semi-untethered jailbreak Semi-untethered Jailbreak In this type of jailbreak, the device reboots on its own and on each boot, the device sequence is modified; subsequently, the device boots in the non-jailbroken state. However, the users do not require the help of the computer to re-jailbreak the device. Instead, the users can use any application (usually sideloaded using Cydia Impactor) running on the device to re-jailbreak the device. Semi-tethered Jailbreak Unlike in tethered jailbreak, semi-tethered jailbreak allows users to reboot the device, but the jailbreak features are not loaded into the device. In semi-tethered jailbreaks, the device starts on its own when rebooted without a patched kernel and it can be used for normal functions such as making calls and sending text messages. To load the jailbreak extension in the device, a computer is required to run the jailbreak tool on the device. Checkra1n jailbreaking tool for iOS is an example of semi-tethered jailbreak.

Which directory has the printer log files for macOS? a. /var/log/printer b. /var/log/ c. /var/log/cups d. /var/printer/log

c. /var/log/cups /var/log/cups/access_log: records requests to the CUPS print server (which client connected and what was printed) /var/log/cups/error_log: records errors and diagnostic messages from the CUPS server

What prefetch does value 1 from the registry entry EnablePrefetcher tell the system to use? a. Both application and boot prefetching are enabled b. Boot prefetching is enabled c. Application prefetching is enabled d. Prefetching is enabled

c. Application prefetching is enabled EnablePrefetcher reg key values: 0: Prefetching is disabled 1: Application prefetching is enabled 2: Boot prefetching is enabled 3: Both application and boot prefetching are enabled

Which type of event correlation approach is an advanced correlation method based on statistics and probability theory that uses prior probabilities of conditions to predict what a hacker might do next after an attack? a. open port based correlation b. cross platform correlation c. Bayesian correlation d. route correlation

c. Bayesian correlation Bayesian Correlation: This approach is an advanced correlation method based on statistics and probability theory, which uses prior probabilities of conditions to predict what a hacker might do next after an attack.

What prefetch does value 3 from the registry entry EnablePrefetcher tell the system to use? a. Boot prefetching is enabled b. Application prefetching is enabled c. Both application and boot prefetching are enabled d. Prefetching is enabled

c. Both application and boot prefetching are enabled EnablePrefetcher reg key values: 0: Prefetching is disabled 1: Application prefetching is enabled 2: Boot prefetching is enabled 3: Both application and boot prefetching are enabled

What is not an IoT architecture layer? a. Access gateway layer b. Edge technology layer c. Bridge layer d. Internet layer

c. Bridge layer The IoT architecture layers are the edge technology layer, access gateway layer, internet layer, middleware layer and application layer.

In Windows, where is the default location of the spool folder located? a. C:\Windows\System32\spool b. C:\Windows c. C:\Windows\System32\spool\PRINTERS d. C:\Windows\Spool\PRINTERS

c. C:\Windows\System32\spool\PRINTERS By default in Windows, the .SPL and .SHD files are stored in the spool folder at C:\Windows\System32\spool\PRINTERS. Print spool files are temporary files that the software program stores in the system before completing the print task or to start printing at a scheduled time. Windows stores the file in the print spooler directory before printing, while the local print provider (Localspl.dll) writes the contents to a spool file (.spl) and creates a separate graphics file (.emf) for each page. Localspl.dll also maintains detailed data on a print job, such as the username, filename, etc., in a shadow file (.shd).

Tor is a browser that is used to access the contents of the ________________________. a. surface web b. deep web c. dark web d. middle web

c. Dark Web Dark Web: This is the third (surface and deep are the other two layers) and the deepest layer of the web. It is used to carry out unlawful and antisocial activities. The dark web is not indexed by search engines and allows complete anonymity to its users through encryption. Cyber criminals use the dark web to perform nefarious activities such as drug trafficking, anti-social campaigns, and the use of cryptocurrency for illegal transactions. Accessing dark web involves the use of a specialized browser. The Tor browser is one of the browsers used to access the contents of the dark web.

What does analyzing Shellbags not provide forensic investigators with information about? a. Folders deleted by users b. Folders opened by users from a mounted external hard drive c. Folders not opened from an external hard drive after the drive is mounted d. Timestamps and MAC times of the accessed folder

c. Folders not opened from an external hard drive after the drive is mounted ShellBags hold information on deleted directories, deleted files, previously mounted drives, and user/intruder actions, which can be highly valuable in a forensic investigation.

When a Tor browser is installed and executed on a Windows machine, the user activity is recorded in which Windows Registry? a. HKEY_SOFTWARE\Mozilla\Launcher\LaunchTor b. HKEY_SOFTWARE\Mozilla\Tor\Launcher c. HKEY_SOFTWARE\Mozilla\Firefox\Launcher d. HKEY_SOFTWARE\Mozilla\Firefox\Tor\Launcher

c. HKEY_SOFTWARE\Mozilla\Firefox\Launcher Forensic investigators can obtain the path from where the TOR browser is executed in the following Registry key: HKEY_USERS\<SID>\SOFTWARE\Mozilla\Firefox\Launcher

Which of the following stakeholders are the first responders for all the security events or occurrences taking place on the cloud? a. IT professionals b. Investigators c. Incident handlers d. Law advisors

c. Incident handlers The incident handlers are the first responders for all security incidents on a cloud. They are the first line of defense against cloud security attacks, and their primary role is to respond immediately to any type of security incident.

Which is true about the transport layer in the TCP/IP model? a. It is located between the network access layer and the internet layer b. It is the lowest layer in the TCP/IP model c. It is the backbone for data flow between two devices in a network d. It includes protocols with HTTP, FTP, SMTP and DNS

c. It is the backbone for data flow between two devices in a network The application layer contains many protocols, with HTTP, Telnet, FTP, SMTP, NFS, TFTP, SNMP, and DNS being the most widely used ones.

The value 0 associated with the registry entry EnablePrefetcher tells the system to use which prefetch? a. Application prefetching is enabled b. Boot prefetching is enabled. c. Prefetching is disabled. d. Both application and boot prefetching are enabled.

c. Prefetching is disabled. EnablePrefetcher registry key values: ▪ 0: Prefetching is disabled ▪ 1: Application prefetching is enabled ▪ 2: Boot prefetching is enabled ▪ 3: Both application and boot prefetching are enabled

Which logs, when enabled, record information of all requests made to any bucket, including requests such as GET, PUT and DELETE which helps investigators to understand the actions that were performed on a bucket object along with the users who performed these actions? a. Amazon CloudWatch b. AWS CloudTrail c. S3 Server Access Logs d. VPC Flow Logs

c. S3 Server Access Logs S3 server access logging, when enabled, records information about all requests made to a bucket. Requests such as GET, PUT, and DELETE are captured, which helps investigators understand the actions that were performed on a bucket object along with the users who performed them. If a bucket object is missing after a security breach, server access logging can help in tracing the perpetrator. AWS CloudTrail: CloudTrail provides the AWS API call history for AWS accounts, including calls made via the AWS Management Console, command line tools, AWS Software Development Kits, and other AWS services. It is enabled by default when an AWS account is created. CloudTrail log analysis helps investigators easily track the changes made to AWS resources and perform security analysis. Amazon CloudWatch: CloudWatch provides a platform for AWS customers to store and monitor their system and application log data in a centralized location and analyze it by running search queries. CloudWatch log analysis helps in determining the origin of a problem and troubleshooting system- or application-specific errors.

What is the most common MAC spoofing detection method in which investigators analyze the sequence number field in the MAC-layer frame header? a. Frame detection b. Signal strength-based detection c. Sequence number-based detection d. Address spoofing detection

c. Sequence number-based detection This is the most common MAC spoofing detection method, in which investigators analyze the sequence number field in the MAC-layer frame header. The sequence number (SN) increments by one each time a genuine wireless device sends out data and management frames. This method assumes that the SN counters in the network cards of the attacker and the user would be different; hence, the detection of any unexpected SN gaps in the frame sequence of the same MAC address can expose the attacker.

The directory of the 'state' file where the Tor browser is executed is located where? a. \Tor\Browser\TorBrowswer\Data\Tor\ b. \Tor Browser\Browser\TorBrowser\Data\TorBrowser\ c. \Tor Browser\Browser\TorBrowser\Data\Tor\ d. \Browser\Tor Browser\Browser\TorBrowser\Data\Tor\

c. \Tor Browser\Browser\TorBrowser\Data\Tor\ The directory of the State file in the Tor browser folder is \Tor Browser\Browser\TorBrowser\Data\Tor\

Which technique is used to assign a new meaning for relating a set of events that occur in a fixed amount of time where few important events are identified among a large number of events? a. event filtering b. root cause analysis c. event correlation d. event masking

c. event correlation Event correlation is a technique used to assign a new meaning for relating a set of events that occur in a fixed amount of time. The following are two examples of event correlation: Example 1: If a user gets 10 login failure events in 5 minutes, this generates a security attack event. Example 2: If both the external and internal temperatures of a device exceed a threshold and the event "device is not responding" occurs, all within a span of 5 seconds, replace them with the event "device down due to overheating."

Which command line utility is used to take a backup of the database? a. mysqlbackup b. mysqldatabase c. mysqldump d. mysqldbdump

c. mysqldump mysqldump allows you to dump a database or a collection of databases for backup purposes. It generates a .sql file containing the CREATE TABLE, DROP TABLE, and INSERT INTO SQL statements of the source database. Executing that .sql file on the destination database restores the original database.

Which command will allow investigators to test for the active network connections on the machine and be able to identify whether Tor was used on that machine? a. nbtstat -a b. nbtstat -ano c. netstat -ano d. netstat -e

c. netstat -ano When investigators test for the active network connections on the machine by using the command netstat -ano, they will be able to identify whether Tor was used on the machine.

What is a challenge to performing forensics on containers? a. they use their own memory b. logging is disabled by default c. they have a short lifecycle d. their snapshot features are very complex

c. they have a short lifecycle Challenges of Performing Forensics on Containers: ▪ Highly dynamic: Container workloads run within an ecosystem that includes popular public cloud platforms (AWS, Microsoft Azure, etc.), hybrid clouds, and private clouds. Container forensic methodologies that work on one platform might not be suitable for another. ▪ Microservices: Containers are deployed within an architecture involving microservices. Consequently, in the event of a security breach the security team needs to look into multiple containers integrated with multiple microservices, which makes the forensic investigation process more complex. ▪ Ephemeral in nature: Containers are lightweight and have a short lifecycle. Hence, any data written to the filesystem of the container is deleted as soon as the container is stopped. ▪ No snapshot feature: It is not possible to take a snapshot of a container. Investigators either need to commit the container to review its state at the time the incident took place, or take a snapshot of the worker node hosting the affected container.

What prefetch does value 2 from the registry entry EnablePrefetcher tell the system to use? a. Both application and boot prefetching are enabled b. Application prefetching is enabled c. Prefetching is enabled d. Boot prefetching is enabled

d. Boot prefetching is enabled EnablePrefetcher registry key values: ▪ 0: Prefetching is disabled ▪ 1: Application prefetching is enabled ▪ 2: Boot prefetching is enabled ▪ 3: Both application and boot prefetching are enabled

Parsing Spotlight's central repository is of great forensic value. Which details can it not provide? a. MAC times b. Recently opened files c. Associated metadata d. Deleted file information

d. Deleted file information Parsing Metadata on Spotlight: Spotlight on macOS allows users to search for files/folders by querying databases populated with filesystem attributes, metadata, and indexed textual content. It creates an index of all files/folders on the system and stores the metadata of all files/folders on the disk. The store.db database file in Spotlight's central repository is of great forensic value, because parsing that file provides investigators with details such as the MAC times, recently opened files, the number of times an application or file was opened, and associated metadata. store.db is a hidden file located in the /.Spotlight-V100/Store-V2/<UUID> folder. Each individual partition on the Mac system contains a store.db file specific to that partition; when the database file is parsed, it yields artifacts specific to that partition.

What is not one of CAN-SPAM's main requirements for senders? a. The commercial email must be identified as an ad. b. The email must have your valid physical postal address. c. Do not use false or misleading header information. d. Honor recipients' opt-out requests within 30 business days.

d. Honor recipients' opt-out requests within 30 business days.

Which of the following stakeholders is responsible for conducting forensic examinations against allegations made regarding wrongdoings, found vulnerabilities and attacks over the cloud? a. Law advisors b. IT professionals c. Incident handlers d. Investigators

d. Investigators The investigators in a cloud organization are responsible for conducting forensic examinations against allegations regarding wrongdoings, vulnerabilities, and attacks over the cloud. They should also work in collaboration with the external investigators and law enforcement agencies for forensic investigations on internal assets.

Which file storing data and logs in SQL servers is optional? a. SQL data file (PDF) b. Transaction log data file (LDF) c. Primary data file (MDF) d. Secondary data file (NDF)

d. Secondary data file (NDF) Secondary Data Files: The secondary data files (NDF) are optional. A database contains only one primary data file, but it can contain zero, one, or multiple secondary data files. The secondary data files can be stored on a hard disk separate from the primary data file. The file name extension for the secondary data files is .ndf.

Which type of tool addresses the concern of managing increasing volumes of log data from multiple sources over a centralized platform to mitigate the chances of cyberattacks with real-time incident monitoring analysis? a. antivirus b. Intrusion Detection System (IDS) c. Honeypot d. Security information and event management (SIEM)

d. Security information and event management (SIEM) Security Information and Event Management (SIEM) solutions are used to correlate and analyze security events and identify unusual or suspicious activity on an organization's IT infrastructure. SIEMs have two main components: ▪ a base layer of log management functionality ▪ an additional layer for security analytics. The activities in both of these layers are distributed between the security information management (SIM) and the security event management (SEM) components of the SIEM. Main objectives of a SIEM: ▪ Log management: performing efficient log management ▪ Security analytics: detecting security incidents in real time. Logs collected through SIEM tools act as key evidence for investigators to identify the source of an incident and also to create a timeline of the events that occurred during the incident.

Which of the three different files storing data and logs in SQL servers holds the entire log information associated with the database? a. Primary data file (MDF) b. SQL data file (PDF) c. Secondary data file (NDF) d. Transaction log data file (LDF)

d. Transaction log data file (LDF) The transaction log data files (LDF) hold the log information associated with a database. A transaction log file helps a forensic investigator examine the transactions that occur in a database and recover deleted data, if required. The file name extension for the transaction log data files is .ldf, and each file is divided into multiple virtual log files.

What does macOS store user settings in the form of? a. a settings file b. an uslist file c. a ulist file d. a plist file

d. a plist file macOS stores user settings in the form of property list (plist) files. A plist uses either an XML or a binary data format to store its data.

What is a common technique used to distribute malware on the web with tactics such as keyword stuffing, doorway pages, page swapping and adding unrelated keywords to get higher search-engine ranking for malware pages? a. drive by downloads b. malvertising c. click-jacking d. blackhat SEO

d. blackhat SEO SEO (search engine optimization): Blackhat SEO (also referred to as unethical SEO) uses aggressive SEO tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated keywords to get a higher search engine ranking for malware pages.

What is the first thing to do once the sender's email address has been identified during an email investigation? a. check the date and time b. delete the email c. use a scanning tool for information about email address, including the mail exchange records d. check whether it is valid

d. check whether it is valid Once the sender's email address has been identified, investigators should check whether it is valid. Use Email Dossier, a scanning tool included in the CentralOps.net suite of online network utilities. This tool provides information about an email address, including the mail exchange records. It initiates SMTP sessions to check address acceptance, but it never actually sends email.

Which relay provides an entry point to the Tor network? a. exit relay b. middle relay c. start relay d. entry/guard relay

d. entry/guard relay

Which relay is used for the transmission of data in an encrypted format? a. exit relay b. entry/guard relay c. start relay d. middle relay

d. middle relay

For forensic analysis, which of the following MySQL Utility Programs is used to export metadata, data, or both from one or more databases? a. mysqldatabase b. mysqldmeta c. mysqldbdata d. mysqldbexport

d. mysqldbexport The primary data file (MDF) is the starting point of a database; it points to other files in the database. Every database has a primary data file that stores all data in the database objects (tables, schema, indexes, etc.). The file name extension for the primary data files is .mdf.

What is most likely not an indicator of compromise (IOC) artifact? a. connections to malicious URLs b. a spike in outbound traffic c. Log-in anomalies or unusual log-in activities d. network traffic traversing on common ports

d. network traffic traversing on common ports The term Indicators of Compromise (IoCs) generally refers to evidence items pointing to a security intrusion that has taken place on a host system or network. When a security incident, such as an attack on network components, occurs, the activities of the attacker can be traced by examining the affected system and the log entries stored on it. Security intrusions can occur in many different forms and via various channels. Therefore, forensic investigators need to look for signs that indicate a breach, such as a sudden spike in outbound network traffic and unusual login activities. Some common examples of IoCs are discussed below: ▪ Unusual outbound network traffic: An unusual increase in outbound traffic could be a sign of an ongoing attack ▪ Uniform Resource Locators (URLs): Malicious URLs, which are often spread via phishing and spamming, are considered potential IoCs ▪ User-agent strings: The user-agent informs the server about the visiting device's OS, browser information, etc. ▪ Log-in anomalies: An increase in the number of failed login attempts on a user account could be a sign of malicious activity ▪ Increased number of requests for the same file: Attackers perform many requests to infiltrate a network, which leaves traces of malicious activity ▪ Network traffic traversing on unusual ports: Programs using unusual ports while pretending to be legitimate

Which event correlation step is the most complex and identifies all devices that became inaccessible due to network failures? a. event filtering b. event masking c. event debugging d. root cause analysis

d. root cause analysis Root cause analysis is the most complex part of event correlation. During a root cause analysis, the event correlator identifies all devices that became inaccessible due to network failures. Then, the event correlator categorizes the events into symptom events and root cause events. The system considers the events associated with the inaccessible devices as symptom events, and the other non-symptom events as root cause events.

A SIEM is composed of two layers, a base layer for log management and an additional layer for security analysis. The activities in both of these layers are distributed between the security information management (SIM) and the ________________________. a. security analytics management (SAM) b. security intrusion detection management (SIDM) c. investigative source management (ISM) d. security event management (SEM)

d. security event management (SEM) SEM performs real-time monitoring, correlation of events, and incident response, whereas SIM collects, stores, analyzes, and reports log data. Correlated logs and context data are input into SIEM to identify various activities in the organization's IT infrastructure. Logs collected through the SIEM tools act as key evidence for investigators to identify the source of an incident and also to create a timeline of events that occurred during the incident.

netstat -na | find "LISTENING"

Lists only the ports in the LISTENING state. On its own, netstat -na shows all TCP/UDP connections and listening ports with numeric addresses.

Which tool helps collect information about network connections operating in a Windows system?

netstat A TCP/IP utility that shows the status of each active connection.
