Digital Forensics
Cloud storage only allows one customer or business to use it so there is no concern over what your data neighbor is or is not doing. True False
False
Hackers always compromise systems with the goal of obtaining access to funds. True False
False
When performing forensics in a business environment, the timestamp information is always configured in the local and relevant settings for the machine that it occurred on. True False
False
What can you learn from a database schema? How the data is organized and what relationships exist What relationships exist How the data is organized The emails of the customers
How the data is organized and what relationships exist
Define domain. Human readable form of site's IP address translated by DNS. A set of computers connected together for the purpose of sharing resources. A query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource.
Human readable form of site's IP address translated by DNS.
What is the weakest link of a company's security system and a method to hack it? Physical security - Social Engineering Firewall - Hacking Humans - Social Engineering Anti-virus software - Malware
Humans - Social Engineering
What is the US system that a person who has been a victim of carding should use to file a report? DOJ CIA FBI IC3
IC3
Computers and devices that communicate over the internet are identifiable using their _________ domain address DNS address IP address URL
IP address
The Home Depot and CEO family email hacking cases mentioned in the slides had two things in common about the target: Neither initially compromised the target, yet both had a reach broader than the target. Both compromised the target initially, and both only affected the target. Both involved well known large retail brands, and both involved a loss of customer PII. Both involved malware, and both were attributed to state sponsored actors.
Neither initially compromised the target, yet both had a reach broader than the target.
Why do only 15% of romance victims file an IC3 report about the scam and monetary loss they have fallen victim to? The victim only loses a little, not the required minimum to file a report. The victim is embarrassed to disclose being scammed and losing money. Victims cannot use IC3 directly--only banks or LE can file IC3 reports. The victim can't afford the lawyer required to file the report.
The victim is embarrassed to disclose being scammed and losing money.
What is the most correct reason criminology theories should be studied? These theories help understand why victims continue to fall for scams but do not address why bad actors scam in the first place. They still help explain motivation, as people's actions change but motivations carry through the generations. Because it is interesting to understanding what once led to criminal behavior, though those theories do not apply to cybercrime at all. Out of respect of academic tradition, theories should be understood though not applied.
They still help explain motivation, as people's actions change but motivations carry through the generations.
What is the best definition of state-sponsored actors? Threat actors funded, supported, or working on behalf of a government. US state level economic gangs operating undercover to trap international cybercrime gangs. International threat groups working independent of their own national government but in line with their state-level governments. Threat actors backed by national-level private banking industry establishments.
Threat actors funded, supported, or working on behalf of a government.
What are two example methods that a social engineering fear attack vector would employ? Executive request and company lingo usage Crisis situation and name dropping of colleague Time pressure for task and crisis situation Name dropping of colleague and vendor familiarity
Time pressure for task and crisis situation
Hackers are selling credit card numbers from a recent compromise on the Dark Web. Investigators want to figure out what bank is affected. What two things will they need to determine this? Tor browser and BIN numbers CCV codes and PII information Tor browser and PII codes BIN numbers and CVV code
Tor browser and BIN numbers
What is the name for that which allows individuals to remotely access files in off site data centers? mobile phones thumb drives wearable devices cloud storage
cloud storage
You are investigating a case that you find the suspect and their crime to be highly offensive to your belief system, and therefore immediately judge the suspect as guilty. Being suspect-led and assuming the suspect's computer contents are the suspect's responsibility are both an excellent way to introduce a dangerous investigative concept known as: confirmation bias. Locard's exchange principle. exculpatory evidence. timing corroboration.
confirmation bias.
A (Blank) recovery occurs when a computer is powered off and imaged, while a (blank recovery occurs when a computer is still on and a snapshot is taken.
dead live
A phishing email is received from <[email protected]>. Given the presence of a unique handle and unique domain, an OSINT search could be conducted on the _______ to learn more . domain handle email
domain handle email
Type exactly what should be entered in Whoxy website in order to investigate the domain registrant of the following URL: http://crimepays-college.educationchallenge.edu/zippedetails/folder3/haha.jpg
educationchallenge.edu
You are investigating a set of files and attempting to corroborate file-related actions with the timing of someone logging into a bank account from the same computer to narrow down possible culprits. In order to learn when an individual file was created, last changed, and last opened, you would want to review the: cache file metadata file extension operating system properties
file metadata
Type exactly what should be entered in Whoxy website in order to investigate the domain registrant of the following URL: http://paypal.com.realsite.net/index.html
realsite.net
Type exactly what should be entered in the Whoxy website in order to investigate the domain registrant of the following URL: https://guineapigfreedom.joeshouse.tragicphisher.com/hopskip/jump.html
tragicphisher.com
What is the US system for a person to report having been a victim of an economic cybercrime? #911 IRS.gov IC3.gov FTC.com
IC3.gov
A phishing email is received from <[email protected]>. To find all the domains that are registered to this email, a (blank) search could be conducted on the (blank)
reverse WhoIs email
Define exploit. A device in a computer network that connects other devices together. A weakness which can be taken advantage of by a threat actor, such as an attacker, to perform unauthorized actions within a computer system. A software tool or piece of code designed to take advantage of a flaw in a computer system, typically for malicious purposes such as installing malware.
A software tool or piece of code designed to take advantage of a flaw in a computer system, typically for malicious purposes such as installing malware.
Define vulnerability. A software tool designed to take advantage of a flaw in a computer system, typically for malicious purposes such as installing malware. A weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system. A device in a computer network that connects other devices together.
A weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system.
In order to avoid detection that could stop it from operating and provide insight to analysts, the goals of all malware are: (select all that apply) Destroy every system it installs on Avoid patterns and recognizable strings Maintain size Report every keystroke on the machine in real time Only perform its one task and then become harmless Operate quietly
Avoid patterns and recognizable strings Maintain size Operate quietly
A business fraud investigation that involves a network presents interesting challenges if it is deemed necessary to physically image the server or a storage device, instead of the more typical data recovery analysis. This is because (select all that apply) Business never keep their servers on site. Business cannot be interrupted while the server is offline being imaged.. Cloud storage means storage is not always on-site. Storage devices cannot be quickly imaged.
Business cannot be interrupted while the server is offline being imaged. Cloud storage means storage is not always on-site.
The first step in uncovering digital evidence is to make a copy of the original files for examination in a way that makes them available for analyses and minimizes the likelihood of error. This is also known as: Data Analysis Data Verification Data Examination Data Preservation
Data Preservation
Why are ways for automating data handling needed by an investigator? Data is abundant and every line of every data source can't be read Investigators have just 3 days to complete an investigation Investigators are lazy and just want to blast through an investigation as fast as possible Automation is not actually useful and should be avoided
Data is abundant and every line of every data source can't be read
A suspect is being investigated with records being the primary source of evidence. The records were passed from suspect to victim but the suspect denies some aspects of the files contained in the received transmission, stating they were somehow changed and thereby specifically questioning the files' Encryption Integrity Availability Confidentiality
Integrity
When gathering intel for a state sponsored case, it's important to understand what type of malware was involved in an attack because: It's interesting to trace the history of that malware. It always includes emails for the bad actor and involved server. It helps you know which laws do or do not apply. It can help with attribution and damage assessment.
It can help with attribution and damage assessment.
One of the primary reasons hacktivists deface websites is to: Make a statement about their cause. Steal PII of the website users. Use it make money for their own business. To take down business competition.
Make a statement about their cause.
A city's power grid has been hacked and malware planted that created a three day, city wide black out. What type of hacker are investigators likely dealing with? Nation State Script Kiddies Hacktivists Black Hat Professionals
Nation State
An investigation begins with only a user name on a forum site where a target discusses higher education beliefs. However, you were able to manually find that same user name on three other websites--one where family pictures are posted, one where daily running routes and completions times are shown, and one where cities once lived are discussed. All of these findings demonstrate the use of __________ to develop a better understanding of this target. the Intelligence Cycle OSINT Encase forensic tools
OSINT
How is carding a way of money laundering? Products are bought with bought stolen CC numbers and items are then pawned for cash. You exchange old worthless bills for new bills worth more. Real checks are sent to mules who proceed to write fake checks for the same amount but to different people than originally intended. Fake paper money is printed and then deposited using ATM cards.
Products are bought with bought stolen CC numbers and items are then pawned for cash.
What is an operating system? Systematic searching and investigation process of a device that an investigation must legally operate within. Programs that allow users to browse the Internet. Storage aspects of a hard drive. Provides the basic functions of a computer that allows programs to be run on the underlying hardware.
Provides the basic functions of a computer that allows programs to be run on the underlying hardware.
In penetration testing, the offensive side is called the "________" and is focused on ___________________________________. Red Team, finding vulnerabilities in the network Blue Team, repairing vulnerabilities found in the network Red Team, repairing vulnerabilities found in the network Blue Team, finding vulnerabilities in the network
Red Team, finding vulnerabilities in the network
Which select statement queries the Orders table to output all the information about orders costing between 15 to 25 dollars? SELECT * FROM Orders WHERE Cost BETWEEN 15 AND 25; SELECT Cost FROM Orders; SELECT Cost BETWEEN 15 AND 25 FROM Orders; SELECT * FROM Orders IF Cost IS ONLY BETWEEN 15-25;
SELECT * FROM Orders WHERE Cost BETWEEN 15 AND 25;
Which select statement queries the Orders table to output only the cost information about all the orders? SELECT Cost FROM Orders; SELECT * FROM Orders WHERE Cost = 10; SELECT * FROM Orders WHERE Order_ID = 100006; SELECT Cost FROM Orders WHERE Order_ID = 100006;
SELECT Cost FROM Orders;
Which select statement correctly queries the Customer_Details table to output only the Emails of customers who live in Hilo? SELECT Email FROM Customer_Details WHERE City = 'Hilo'; SELECT * FROM Customer_Details WHERE City = 'Hilo'; SELECT * FROM Customer_Details WHERE Email LIKE '%gt.com'; SELECT Email FROM Customer_Details;
SELECT Email FROM Customer_Details WHERE City = 'Hilo';
The textbook case study at the end of Chapter 8 reinforces a concept from an earlier chapter: quickly settling on a conviction for a suspect is a key result. incomplete investigations can still lead to reliable findings. if you have a device in an investigation, it is the most important piece of evidence and other types, such as witnesses, are not needed. a person must have the means, motive and opportunity to commit the crime suspected.
a person must have the means, motive and opportunity to commit the crime suspected.
Repeatability requires (select both answers that apply): frequent testing. using a checklist. Answer watching for bias. teamwork.
using a checklist. Answer watching for bias.
Reproducibility requires (select one): team work. certifications. a personal checklist. using industry best practices.
using industry best practices.
What a person knows, possesses, and is are requirements involved in Password hygiene Naming conventions Pen testing 2FA access
2FA access
Which scenario describes a typical cybercrime romance scam? A bad actor messages a new widow, offering her a job as a secret shopper. This job entails her shopping for products at various stores. Funds are provided for the shopping sprees via checks mailed to her home address. She is instructed each time to use all but $100 of the funds provided and then ship the products to a stateside friend of the bad actor who then pawns the items and wires the money overseas. A bad actor engages in a Facebook conversation with a widower who quickly becomes attached. The bad actor expresses a desire to visit but explains a recently job loss leaves no room in the budget for travel. The widower is asked to send funds for a plane ticket. However, the trip is never booked due a sudden hospital stay the bad actor now needs help paying for, again requesting the widower for assistance (though the hospital does not exist in the city claimed). A bad actor pretends to be a model recruiter and requests photos via messaging from a Twitter influencer. These photos are then seen live on the bad actor's Twitter. New victims are contacted as possible models, with the bad actor showing the received photos as proof of being a recruiter. A bad actor reaches out to ten different potential mates on Instagram. After engaging in private messaging conversations for three months, leading them on to believe they have a true relationship, the bad actor suddenly ceases all conversation, never to be heard from again.
A bad actor engages in a Facebook conversation with a widower who quickly becomes attached. The bad actor expresses a desire to visit but explains a recently job loss leaves no room in the budget for travel. The widower is asked to send funds for a plane ticket. However, the trip is never booked due a sudden hospital stay the bad actor now needs help paying for, again requesting the widower for assistance (though the hospital does not exist in the city claimed).
Which scenario describes a bad actor using social media to commit identity theft? A bad actor posts on her Twitter that she is looking to find a cash-out service for an account she has already siphoned funds into. A bad actor with their newly minted Disney credit card, to purchase a new computer that is then shipped to an intermediary to sell and wire funds to the bad actor. A bad actor hacks America Bank's email system and sends out password reset emails with www.a8.com as a look-alike URL instead of www.ab.com legitimate URL. A bad actor contacts an older lady on Facebook saying he and his wife need funds for a lifesaving surgery and asks her to wire money to him.
A bad actor with their newly minted Disney credit card, to purchase a new computer that is then shipped to an intermediary to sell and wire funds to the bad actor.
Select all the scenarios below that describe a hacking attack. A person wakes up to find their social media profile has suddenly had five posts bad mouthing their company that they did not make. An accounting company CEO redirects payments to personal accounts and acts unaware when company issued checks begin bouncing. Employees of a school system receive bogus Bank of America emails with a link leading to a generic banking site for supposed account access. Yahoo emails accounts using the password "pwd1234"are accessed by an international cybergang and phishing links are sent to their entire address books.
A person wakes up to find their social media profile has suddenly had five posts bad mouthing their company that they did not make. Yahoo emails accounts using the password "pwd1234"are accessed by an international cybergang and phishing links are sent to their entire address books.
Define the term "mule" in the context of cybercrime. A victim of a cybercrime economic scam who unknowingly cashes a fake check. A ringleader of a cybercrime gang who interviews additional employees to further the scam. A person who prints real checks and mails them to intermediaries to cash and wire overseas. A person who transfers money acquired illegally on behalf of others, usually for a small portion of the money transferred.
A person who transfers money acquired illegally on behalf of others, usually for a small portion of the money transferred.
The best definition of Business Email Compromise (BEC) is: Phishing emails sent to a business versus sent to an individual person. Acts of deception which target a company to affect a malicious action unintended by that company. Scams pressuring vendors to use social engineering to compromise their business customers. Hacking of any business email to steal company secrets and employee details.
Acts of deception which target a company to affect a malicious action unintended by that company.
What is a "mule" in regards to work at home scams? A check creator and casher in the targeted country. The ring leader of the operations in the offending country who is fully aware of the aspects of the scam and the various actors and tasks involved. A lead generator and communicator in the offending country. Anyone besides the head ring leader could be considered a mule regardless of location or task. The victim who sends money from the targeted country.
Anyone besides the head ring leader could be considered a mule regardless of location or task.
The best definition of phishing is: Using fake accounts to lure customers to make real bank transactions on hacked brand websites. Using fake personas to hack real accounts in the healthcare or financial industry. Attempting to fraudulently obtain information by disguising oneself as a trustworthy entity in an electronic communication. Attempting to get information for executives to pass on to the competitors for marketing purposes.
Attempting to fraudulently obtain information by disguising oneself as a trustworthy entity in an electronic communication.
Hacking requires a high level of programming abilities in order to gain unauthorized access to a computer system. True False
False
In penetration testing, the defensive side is called the "________" and is focused on ___________________________________. Blue Team, repairing vulnerabilities found in the network Red Team, finding vulnerabilities in the network Red Team, repairing vulnerabilities found in the network Blue Team, finding vulnerabilities in the network
Blue Team, repairing vulnerabilities found in the network
A Bank of America HR employee receives an email from a Josh Smith, the name of the COO of BOA, instructing the employee to please send a .csv file containing the social security numbers of the newest group of new hires. The email came from [email protected] and had the explanation that the IRS was requesting this information so he needed it to pass along. This scenario is an example of: Email hacking Business email compromise Vendor phishing Executive compromise
Business email compromise
Keeping an operating system patched is enough prevention against a business network hacking attack. True False
False
OSINT is collecting data by way of pretending to be the suspect and logging into their accounts using the password provided or guessing at the password until correct using known life facts. True False
False
Phishing sites only occur when the real brand site is hacked and the credential request box entries are rerouted to a bad actor. True False
False
What are two credit card details you would expect to find included in every carding sales post? CC# and CVV Name and address Seller's contact email and card locations CC# and name on card
CC# and CVV
A bad actor calls pretending to be a confused new employee, unable to log in, asking you to walk him through the exact steps of your system procedures. What type of social engineering attack vector is this method according to the SANS vectors presented in class? Comfort Zone Attack Phishing Attack Helplessness Attack Incompetent Attack
Comfort Zone Attack
Part of application security involves: Only using static analysis for security gaps. Instituting strong security measures only after the programming stage is complete. Only using dynamic analysis to identify security vulnerabilities. Considering and building in security measures during the design and programming stage.
Considering and building in security measures during the design and programming stage.
Victims of advanced fee scams do not lose money, they just do not always get paid what they thought they had earned. True False
False
Taking into consideration time, damage and mitigation, the goals of typical malware analysis are: Determine attribution Test it yourself in a sandbox or virtual environment Nothing really, as long as there is no discernable damage done Block the spread Understand each process and line of code Detect and remove Report on findings Make a copy to take home
Determine attribution Block the spread Detect and remove Report on findings
An email from the fraudulent domain of b0a.com alerts customers that their Bank of America account has been compromised and prompts them with a link to reset their password. What is one thing customers who receive this should DO and one thing they should NOT do with the link contained in the email body? Do hover over the link to see the real destination, but do not click the link Click the link but do not bother calling the bank Click the link but do not forward it on
Do hover over the link to see the real destination, but do not click the link
Anti-virus programs are the silver bullet for any device or network. Once one is installed, there needs to be no extra effort to protect a network or machine. True False
False
BEC scams standalone and do not overlap with romance scams so the purpose of each victim is clear. True False
False
If an investigator wanted to recover files from a hard drive s/he could use: A relational database Encase SQL SHA-1
Encase
Two investigators need to transmit a private email about a case. They should use the process of transforming information (plaintext) so that it is no longer legible (ciphertext), which is known as Password protecting Encryption Hashing Ciphering
Encryption
All browsers produce the same types of data and changes to data when private browsing is selected for a session. True False
False
A local neighborhood is experiencing an economic downturn. Many of the youth are unemployed and unable to help their aging parents keep the family afloat financially. This leads to depression across the entire community. Out of frustration, some of the youth give up on job hunting and instead use their skills to start intricate check printing and wire fraud scams, something new to all of them, that results in money quickly flowing into their community. What criminology theory does this crime scenario illustrate? General theory of crime Techniques of neutralization Social learning theory General strain theory
General strain theory
Choose each of the following characteristics that Hackers for Charity leverages when applying a strengths-based approach in the country they partner with and work in: Goals of the teens in the classes Community electricity and internet availability Laws of the country that apply to cybercrime Inherent abilities of the kids in the programs
Goals of the teens in the classes Community electricity and internet availability Inherent abilities of the kids in the programs
An email from the fraudulent domain of b0a.com alerts customers that their Bank of America account has been compromised and prompts them with a link to reset their password. If you are on the BOA Investigations team, what are the two major parts of the email you investigate to work towards attribution and purpose/method? Header and body Body and receiver Sender and receiver Header and IPs
Header and body
How has the European privacy law, GDPR, greatly affected domain investigations? Forced all domain registers to only accept bitcoin Hidden domain new registrant details Limited the number of ccTLDs Completely wiped historical domain registration details back to 2000
Hidden domain new registrant details
A(n) __________ is a device that watches for particular network traffic patterns that have been previously associated with attack traffic. Modem Intrusion Detection System Firewall Wireshark Network Sniffer
Intrusion Detection System
You are conducting a business investigation revolving around an insider threat. Insider threats can arise from (select all): Bad actors who have hacked a company infrastructure Lack of appropriate access controls Routers inappropriately coded with malware from the manufacturer. Knowledge of the system.
Lack of appropriate access controls Knowledge of the system.
A bad actor spoofs the IT department and emails all the employees at Bud's Dog Food saying it is time they click the link to reset their password. What detail in the header would indicate this is a suspicious email? Mismatched from/sender and reply-to emails Using Bcc for all recipients of the email Including the sending IP Marking the email as urgent for priority level
Mismatched from/sender and reply-to emails
Is Google able to search the entire Internet of networked sites? Yes No
No
Good password hygiene that helps guard against a dictionary attack would include: Passwords that are passphrases. Passwords that are multisyllabic words. Passwords that include numbers. Passwords that use odd capitalization.
Passwords that are passphrases.
When looking at a cybercriminal, many systems impact them and vice versa that may explain the purpose and motivation of their misbehavior. Based on the lecture, what is this model called and what are some of the systems included? Point of View with systems including beliefs, moral and values. Perspective with systems including social network, common stressors and work environment. Person in Environment with systems including degrees, income, and health problems. Person in Environment with systems including political, family and education.
Person in Environment with systems including political, family and education.
Which select statement query of the Customer_Details table would have resulted in the following output? SELECT * FROM Customer_Details WHERE CID = 103; SELECT * FROM Customer_Details WHERE CID IN (103, 104); SELECT FName, LName FROM Customer_Details WHERE CID = 103; SELECT CID FROM Customer_Details;
SELECT * FROM Customer_Details WHERE CID = 103;
A Twitter influencer is highly recommending buying stock in VexAI. He posts multiple articles claiming they are developing a soon-to-be AI tool that he is sure will smash the market in the best of ways. Considering he has 40K Twitter followers, the stock responds to this great press he is offering and quickly climbs. What is the next step the influencer takes that would confirm this is a pump-and-dump scam? Spam out more great news about this company Sell all his shares in the company Buy additional stock in this company Hold his shares while awaiting the product release
Sell all his shares in the company
Choose all that are considered a common outcome of a BEC scam. Sharing of employee PII with the compromised accounting software business department Redirection of a paycheck to an account the employee does not actually control CEO threatened with physical harm over a personalized and accurate email Confidential company data passed over email to a spoofed vendor domain
Sharing of employee PII with the compromised accounting software business department Redirection of a paycheck to an account the employee does not actually control Confidential company data passed over email to a spoofed vendor domain
Joe is scrolling through Facebook one night and stumbles upon a buddy's repost with pills pictured and a price. He can't believe that Steven is associated with selling drugs on social media—Joe could never imagine taking such a risk! Curious, though, Joe decides to check out the group where the picture was originally posted. After hanging out in the group, becoming friends with the other members, and reading the conversations for a few months, Joe decides this is actually a good side hustle and learns how to post in ways that fly under the radar when he starts selling his mom's pain pills. What theory does this crime scenario illustrate? Routine Activity Theory General Strain Theory General Crime Theory Social Learning Theory
Social Learning Theory
If you want to use tree walking to attempt to locate a phishing kit being used, what do you do? Start at the far left of a URL and delete the protocol then one subdomain at a time, reloading what is left of the partial URL, in order to find the phishing kit folder. Start at the far right of a URL and delete one subdirectory at a time, reloading the URL each time, in order to find the phishing kit zip folder index. Try different protocols with the URL to see which loads the html containing a bad actor's email. Use OSINT to attempt to find duplicate subdirectories via google hacks.
Start at the far right of a URL and delete one subdirectory at a time, reloading the URL each time, in order to find the phishing kit zip folder index.
____________ is an offline process, with notable steps being: open code, walk-through it, look into the child processes, and look for the strings. Unpacking Dynamic Analysis Static Analysis Sandboxing
Static Analysis
Reproducibility means: The same results are obtained by the same investigator on a different device. The same results are obtained by a different investigator on the same device. The same results are obtained by a different investigator on a different device. The same results are obtained by the same investigator on the same device.
The same results are obtained by a different investigator on the same device.
As discussed in the lecture slides, how does social learning theory best apply to economic crimes and scams? The scam artists learn their craft from digital communities only such as Facebook groups. The scam artists use social media to conduct their conversations. The scam artists learn their craft from real life communities, including their friends and family. The scam artists socialize with others online to exchange victim information to learn more about their targets.
The scam artists learn their craft from real life communities, including their friends and family
How does social learning theory best apply to financial scams, such as work at home, romance or advanced fee types? The scam artists learn their craft from real life communities, including their friends and family. The scam artists use social media to conduct their conversations. The scam artists socialize with others online to exchange victim information to learn more about their targets. The scam artists learn their craft from digital communities only such as Facebook groups.
The scam artists learn their craft from real life communities, including their friends and family.
A data cluster is data that has at least one data point in common or all links to the same data point. True False
True
A flow of data analysis for investigators is often: 1) manually review a data 2)determine signals 3) apply signals to new data set 4) review outcome True False
True
An outlier is a point(s) that are not like the other data point in the set True False
True
Beyond files and programs, analyzing a computer image can produce evidence demonstrating the state of mind and possible intent of the user, such as emails and browser search history. True False
True
Scale, targets, damage and value should all be considered when investigating a hacking attack. True False
True
In the textbook Ch.6 case study, what aspect of info security was lacking for the business involved in the case? User access control for the server Inaccessible employee emails Technical files with no decryption keys Infrequent data management auditing
User access control for the server
Social Engineering is: Using people in your network to obtain a better position or insight into a hiring company. Engineering the social-focused aspects of a company including human resources, hiring practices, and employee mental health tracking. User-focused programming for social media sites that takes into account clicking habits, browser vantage and phishing risks. Using found knowledge about a person or company to gain improved access or additional knowledge by manipulative psychological attacks.
Using found knowledge about a person or company to gain improved access or additional knowledge by manipulative psychological attacks.
The best definition for spearphishing is: "Spray and pray" email blast to all banking customers in a certain region with a generic financial login site included. Using some knowledge to elicit an action from a specific individual target or target audience, via an electronic communication. A job applicant attempting to understand what type of new hire a company is looking for. Attack on an entire business by way of a compromised vendor.
Using some knowledge to elicit an action from a specific individual target or target audience, via an electronic communication
Red and blue teams are both focused on understanding a company's: Vulnerabilities Online presence. Financial system. Vendor relations.
Vulnerabilities
A phishing email is received from [email protected]. Given the presence of a unique handle and unique domain, a blank search could be utilized for the blank domain to learn more about the registrant.
WhoIS 9goodfood.net
What are two most used ways to quickly and initially investigate the attribution and associated domains of the fraudulent b0a.com domain? Ping and traceroute Whois and OSINT search Whoxy and traceroute pings IPs and OSINT search
Whois and OSINT search
A device that prevents the editing/saving/writing functions on a mounted media drive is called a Write blocker External mount Partition Reader
Write blocker
A bad actor wants to get the bank account number of a company. Which is a SE attack the company should be on guard for? An employee receiving a generic email stating their bank password has expired with a link to reset it. The IT department sending a company-wide email stating all systems should be updated immediately with a new operating system patch. An email from a company vendor with company banking information already pre-filled in the invoice wiring instructions. Yahoo email in the name of an executive requesting account info from the finance department with crisis explanation of drained funds.
Yahoo email in the name of an executive requesting account info from the finance department with crisis explanation of drained funds.
Messaging systems are often used by bad actors to communicate plans, scripts, code snippets and transfer files. Do messaging systems leave evidence behind on computers for investigators to analyze? Yes No
Yes
A live recovery of a device, while risky due to possible alterations, has the key benefit of (select all): being a bit-for-bit clone imaged. allowing for a quick incidence response focused triage. having no concerns with regards to admissibility in a court case. capturing volatile data, such as that which is stored in RAM.
allowing for a quick incidence response focused triage. capturing volatile data, such as that which is stored in RAM.
If someone tampers with a file, that file's hash is changed corrupted deleted remains the same
changed
The textbook's case study at the end of chapter 3 illustrates both the key role metadata plays in investigations, as well as the pertinent reminder that digital communications are gone forever once deleted and cannot be retrieved from anywhere else. cannot be contaminated or altered and therefore are reliable as found. do not just exist on a single device and can be obtained from elsewhere if deleted from the initial location. always exist on the device in question so businesses should not waste data space or cost with backup versions.
do not just exist on a single device and can be obtained from elsewhere if deleted from the initial location.
What is PII? Any data that could potentially be used to identify a particular person such as birthdate and email. Only health information such as insurance and medical record number. Any anonymous financial data such as credit cards with no names. A formula used by mules to determine how much stolen credit card numbers are worth on the dark market.
Any data that could potentially be used to identify a particular person such as birthdate and email.
What are naming conventions? The US Government established naming rules used for labeling antagonistic international cybercrime actors. The annual conference of vendors to name state sponsored groups so that the industry is aligned on these choices. The system for naming economic gangs that operate phishing campaigns that is established by government entities . The system of naming state sponsored groups that is established by the vendor tracking and reporting on the group.
The system of naming state sponsored groups that is established by the vendor tracking and reporting on the group.
You're in a hurry and want to examine the file on a computer you've collected as evidence. The best course of action if doing a live recovery is to: open it as-is but only if connected to the network. open the file and copy the contents into another file for further review, knowing that altered metadata can be sorted out later or not affect the case. not open it without write protection in place because the metadata will be altered. never open a file and instead only examine the hexadecimal in an image.
not open it without write protection in place because the metadata will be altered.
Data model building is assisted by an investigator's input of: signals, which should be specific enough alone or in combination to lead to low false positives and high generalization. qualitative explanations including stories of past cases by that same bad actor. numbers and SQL code. signals, which should be vague, therefore capturing many false positives for the investigator to have to sift through for weeks on end.
signals, which should be specific enough alone or in combination to lead to low false positives and high generalization.
What is an SQL query? A search and request to output data from a database that meets some criteria to further analyze. A request for more information than what is contained in the database. A search for help. A randomized search across a data set for information linked to vague details.
A search and request to output data from a database that meets some criteria to further analyze.
What industry should be concerned about an attack from a nation state actor? Automobile industries Financial industries Only those who do international business All industries Governmental industries
All industries
____________ is an interactive process, with notable steps being: actually running the program, monitoring activity with analysis tools, allowing it to infect your non-network virtual environment, and mapping the relations. Dynamic Analysis Static Analysis Unpacking Sandboxing
Dynamic Analysis
An investigator needs to review the timestamps of file to see if it was created or accessed during the time period in question. Where are these times stored? Permissions of the file File table within the file system First 8 magic bytes of a file Nowhere, as they are not recorded
File table within the file system
A person saves a document that has illegal images contained in it. Where would an investigator expect to find this file during a forensic analysis of the the person's computer? RAM Browser memory Hard drive Cache
Hard drive
What is the most dangerous aspect of RAT malware? It is a combination of many older viruses combined to create a super virus. It avoids detection by most A/V systems . It is a one-time access program that disconnects the backend of a system from the front end. It allows continued and/or future access to the system.
It allows continued and/or future access to the system. RAT = remote access trojan
An investigator arrives to an apartment with a search warrant that includes the occupant's computer. Upon arrival, the computer is on with a highly suspicious process running. The investigator recognizes this involves RAM, so he/she should: Anything that happens in RAM is stored on the hard drive, so no special process is needed. Not unplug the computer, as RAM is volative. Turn off but not unplug the computer, because RAM is only volatile after 24 hours of nonuse. Immediately unplug the computer to pause the process.
Not unplug the computer, as RAM is volative.
Security threats are ever evolving as bad actors look for vulnerabilities in a company's security. In much the same way, a company must always continue to understand their own evolving security vulnerabilities to outside threats through methods that include: Internal network mapping. Pen testing and vulnerability scanning. In-house testing with no community involvement. Scanning for insider access issues.
Pen testing and vulnerability scanning.
Which two select statements could be used to correctly query the Customer_Details table to output all the information only about the customer named Jill Jones? SELECT * FROM Customer_Details WHERE FName = 'Jill'; SELECT * FROM Customer_Details; SELECT * FROM Customer_Details WHERE FName = 'Jill' and LName = 'Jones'; SELECT FName FROM Customer_Details;
SELECT * FROM Customer_Details WHERE FName = 'Jill'; SELECT * FROM Customer_Details WHERE FName = 'Jill' and LName = 'Jones';
Which select statement queries the Orders table to output all the information about only the order costing $10? SELECT * FROM Orders WHERE Cost = 10; SELECT * FROM Orders WHERE Order_ID = 100006; SELECT Cost FROM Orders; SELECT Cost FROM Orders WHERE Cost = 10;
SELECT * FROM Orders WHERE Cost = 10;
Which select statement queries the Orders table to output all the information about orders costing exactly 10 or 15 or 50 dollars? SELECT * FROM Orders WHERE Cost IN (10, 15, 50); SELECT * FROM Orders WHERE Cost BETWEEN 10 and 50; SELECT Cost FROM Orders; SELECT * FROM Orders IF ONLY COST IS (10 or 15 or 50);
SELECT * FROM Orders WHERE Cost IN (10, 15, 50);
Which select statement query of the Orders table would have resulted in the following output? Cost: 21,10,18,15,50 SELECT Cost FROM Orders; SELECT * FROM Orders WHERE Cost BETWEEN 10 AND 50; SELECT Cost FROM Orders WHERE Order = 100001 - 100006; SELECT * FROM Orders IN (10,50);
SELECT Cost FROM Orders;
Which select statement correctly queries the Customer_Details table to output the Emails of customers with a "gt.com" domain email? SELECT Email FROM Customer_Details WHERE Email LIKE '%gt.com'; SELECT * FROM Customer_Details; SELECT * FROM Customer_Details WHERE Email LIKE '%gt.com'; SELECT Email FROM Customer_Details;
SELECT Email FROM Customer_Details WHERE Email LIKE '%gt.com';
Which select statement correctly queries to output only the emails from the Customer_Details table? SELECT Email FROM Customer_Details; SELECT * FROM Customer_Details WHERE Email = True; SELECT * FROM Customer_Details WHERE Email LIKE '%gt.com'; SELECT Email FROM Customer_Details WHERE City = 'Hilo';
SELECT Email FROM Customer_Details;
Which Select statement correctly queries the Customer_Details table to output only FName of customer's whose first name begins with J? SELECT FName FROM Customer_Details WHERE FName LIKE 'J%'; SELECT FName FROM Customer_Details WHERE FName LIKE '%J'; SELECT FName FROM Customer_Details WHERE FName LIKE '%J%'; Select * FROM Customer_Details WHERE FName LIKE 'J%';
SELECT FName FROM Customer_Details WHERE FName LIKE 'J%';
Which select statement correctly queries the Customer_Details table to output only the complete names about only the customers living on a road named Elm? SELECT FName, LName FROM Customer_Details WHERE Street LIKE '%Elm'; SELECT City FROM Customer_Details WHERE FName; SELECT * FROM Customer_Details; SELECT * FROM Customer_Details WHERE Street LIKE '%Elm';
SELECT FName, LName FROM Customer_Details WHERE Street LIKE '%Elm';
Which select statement query of the Customer_Details table would have resulted in the following output? (STATES) SELECT State FROM Customer_Details; SELECT * FROM Customer_Details WHERE State IN (AL, HI, CO); SELECT State FROM Customer_Details WHERE CID = 104; SELECT State FROM Customer_Details WHERE BETWEEN AL AND CO;
SELECT State FROM Customer_Details;
Repeatability means: The same results are obtained by a different investigator on the same device. The same results are obtained by the same investigator on a different device. The same results are obtained by a different investigator on a different device. The same results are obtained by the same investigator on the same device.
The same results are obtained by the same investigator on the same device.
What is a typical explanation for carding bad actors being so open about their crime, leaving their social media posts visible to the public? They are bragging and recruiting mules. They don't know how to use privacy settings. They are not public at all and keep only to the dark web. They aren't careful about privacy settings.
They are bragging and recruiting mules.
Confirmation bias is the tendency to accept information that confirms our beliefs while rejecting or ignoring information that contradicts our beliefs and contradicts the neutral stance investigators should take when examining evidence. True False
True
In a traditional computer network map, a router connects many computers/servers that are all to be on the same network. True False
True
The job of firewall is to decide whether a "SOURCE" computer (the computer originating a network request) should be allowed to talk to a "DESTINATION" computer based on a table of rules that describe allowed behavior on that network. True False
True
The search for evidence is not a one-time event. After a device is searched for evidence and that evidence is selected for analysis, during the analysis, an investigator may find new leads that require additional searching for yet more evidence. True False
True
Which of the following explains subverting or misusing computers as a communications medium? metadata on a phone indicating where a picture of missing minor was taken hackers gaining access to systems they do not own blocking all incoming connection on port 80 finding a community of people with similar interests in fake drug sales
finding a community of people with similar interests in fake drug sales
Which of the following explains subverting or misusing computers as a targeted device? metadata on a phone indicating where a picture of missing minor was taken finding a community of people with similar interests in fake drug sales blocking all incoming connection on port 80 hackers gaining access to systems they do not own
hackers gaining access to systems they do not own
What is the term used to describe the use of hacking techniques to promote an activist agenda or express a political/social opinion? hacktivism red team hacking noobing flash mob
hacktivism
When an examiner validates that the hard drive image they are working with is an authentic duplicate image of the original, they use a unique algorithm to generate a: copy digi-bit hash value partitioned file
hash value
Define the parts of the URL below. http://blog.funnyotters.org/photos
http = protocol blog = subdomain funnyotters = domain com = tld (top level domain) photos = subdirectory
A thorough OSINT investigation will: focus on the surrounding aspects of a target, such as employment and family, but leave the target's specific data insight to be revealed during the analysis of a hard drive. rely solely on tools, as they ensure every site on the web is reviewed for your key data points. involve multiple sites, connecting the dots of the data found, to build the most complete understanding of the target. review only social media posts by the target.
involve multiple sites, connecting the dots of the data found, to build the most complete understanding of the target.
Within the file system, when a file is deleted, it is marked as potentially free space to be used. is gone forever. is turned into all binary 0's. You Answered is moved physically to a "garbage" area of the hard drive.
is marked as potentially free space to be us
Which of the following explains subverting or misusing computers as an incidental device/evidence? metadata on a phone indicating where a picture of missing minor was taken finding a community of people with similar interests in fake drug sales blocking all incoming connection on port 80 hackers gaining access to systems they do not own
metadata on a phone indicating where a picture of missing minor was taken
OSINT evidence will change over time as data gets deleted or altered. Six months after you completed an investigation, you are asked to walk the new investigator on the case through your old findings. This request underscores the importance of: not relying on OSINT findings in a criminal case. finishing a case and refusing to let another investigator pick it up. relying on the Wayback Machine website and tools to recreate your old investigation. taking notes and screenshots as you did the investigation.
taking notes and screenshots as you did the investigation.
Instead of examining a computer as a typical user through the GUI, forensic tools are an aspect of best practice when it comes to forensically investigating a computer because: they identify gaps in knowledge and flag them so an investigator can search for additional evidence. they help ensure the data is not altered, while providing important options such as keyword searches and deleted file recovery. they show only hard drive files and programs so an investigator can analyze those in isolation before logging into a suspect's online accounts to examine those. they fully automate the investigative process so an investigator only needs to look at the output report, thereby saving time and cost.
they help ensure the data is not altered, while providing important options such as keyword searches and deleted file recovery.
Which of the following is not a specific criteria identified for imaging tools by NIST? tools shall be affordable the tool shall log I/O errors tools shall not alter the original disk tools shall make a duplicate or image of an original disk
tools shall be affordable