Chapter 7 Computer Forensics
Santino, a forensic expert, was investigating a victim's Ubuntu system, which had been accessed by an attacker from a remote location. He collected network-related information from the system and executed a netstat command to extract the details of the routing table from the system. Identify the netstat parameter that helps Santino extract the routing table information.
-rn
Identify the location of the logs on a Linux system that records details about the running services, such as squid and ntpd
/var/log/daemon.log
Which of the following is the default Mac application that helps retrieve specific files and folders and sort them in the required order?
Finder
Which of the following commands is used to identify the current system name and examine the logs, DNS, and network traffic?
Hostname
Allen, a forensics expert, was analyzing a forensically extracted memory dump from an Ubuntu machine. While attempting to extract lost files from the dump, Allen employed an open-source tool that uses data carving techniques to recover deleted files or lost data. Which of the following tools did Allen employ in the above scenario?
PhotoRec
Which of the following features of Mac OS is an integrated search feature that indexes files by type, making it easy for forensic investigators to trace suspicious files and applications on a system?
Spotlight
Which of the following refers to non-volatile data that do not change when the machine is powered off?
System logs
Which of the following tools can an investigator use to investigate disk images as well as analyze a volume and file-system data?
The Sleuth Kit
Which of the following features of Mac OS includes a BackupAlias file containing binary information related to the hard disk used to store backups?
Time Machine
Franklin, a forensics investigator, was working on a suspected machine to gather evidence. He employed a forensic tool on the suspected device and quickly extracted volatile data as such data would be erased as soon as the system is powered off.
User events
Identify the tool that provides the pslist plugin to retrieve information on all the processes executing on the system when the memory dump was collected.
Volatility Framework
Which of the following commands is executed by forensic investigators to calculate the epoch time of a suspected machine?
date +%s
Williams, a forensics investigator, was performing forensic analysis on a suspected Linux system. In this process, Williams used a command from The Sleuth Kit to extract the details of the file system from the evidence image. Identify the command executed by Williams in the above scenario.
fsstat
While inspecting a suspected machine, Kaison, a forensics investigator, discovered that a malicious file was uploaded on the system that caused disruptions in the system's functionality. Kaison wanted to view the metadata of the file, such as MAC times, file size, and file access permissions. Which of the following commands will help Kaison retrieve the metadata of the file?
istat
Joselyn, a forensic investigator in an organization, was investigating a cyber-attack. In this process, she found that the attack was performed from within the office premises. To obtain the list of users logged into the office system, she executed a command to extract the login history and system boot time. Identify the command executed by Joselyn in the above scenario.
last -f /var/log/wtmp
Which of the following commands helps forensic investigators retrieve information about all active processes and open files?
lsof
Identify the Volatility Framework plugin that helps forensic investigators detect hidden or injected files, which are generally DLL files, in the memory.
malfind
Peyton, a forensic investigator, was inspecting a suspected machine to gather details of malicious activities related to a security incident. In this process, he employed a tool to collect information related to all open TCP and UDP ports, routing tables, multicast memberships, interface statistics, and masquerade connections. Identify the tool employed by Peyton in the above scenario.
netstat
Which of the following commands helps forensic investigators identify open TCP ports on a system and obtain information on them?
netstat -p
Identify the command that helps forensic investigators check the Linux kernel version on a system.
uname -r