Digital Forensics Quiz 9-12

" "PDAs

For personal use, ____ have been replaced by iPods, iPads, and other mobile devices. SDHCs MMCs CFs PDAs

" "zombies

Machines used on a DDoS are known as ____ simply because they have unwittingly become part of the attack. ISPs soldiers zombies pawns

" "Memoryze

Mandiant ____ lists all open network sockets, including those hidden by rootkits. R-Tools Knoppix EnCase Memoryze

" "key escrow

Many commercial encryption programs use a technology called ____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure. key escrow password backup steganography key splitting

" "MD5

Many password-protected OSs and applications store passwords in the form of ____ or SHA hash values. AES SSH SSL MD5

" "FAT

Marking bad clusters data-hiding technique is more common with ____ file systems. HFS FAT NTFS Ext2fs

" "smartphones

Mobile devices can range from simple phones to ____. smartphones flip phones PDAs feature phones

" "Order of volatility

____ determines how long a piece of information lasts on a system. Continuity level Order of volatility Liveness Longevity

" "Digital forensics tools, hexadecimal editors

____ have some limitations in performing hashing, however, so using advanced ____ is necessary to ensure data integrity. HTML editors, hexadecimal editors Digital forensics tools, hexadecimal editors Hexadecimal editors, digital forensics tools High-level languages, assembler

"Layered network defense strategies

____ hide the most valuable data at the innermost part of the network. Protocols Firewalls NAT Layered network defense strategies

" "Type 1

____ hypervisors are typically, but not exclusively, loaded on servers or workstations with a lot of RAM and storage. Type 4 Type 3 Type 1 Type 2

" "Scope creep

____ increases the time and resources needed to extract, analyze, and present evidence. Investigation plan Litigation path Court order for discovery Scope creep

" "MOBILedit

____ is a forensics software tool containing a built-in write blocker. GSMCon SIMedit 3GPim MOBILedit

" "tcpslice

____ is a good tool for extracting information from large Libpcap files. tcpslice memfetch john oinkmaster

" "Defense in Depth

____ is a layered network defense strategy developed by the National Security Agency (NSA). Order of volatility Anti-Rootkit Defense in Depth PsShutdown

" "Argus

____ is a session data probe, collector, and analysis tool. Nmap Pcap TCPcap Argus

" "Etherape

____ is a tool for viewing network traffic graphically. john Etherape Ethereal Tcpdump

" "www.dkim.org

____ is a way to verify the names of domains a message is flowing through. www.google.com www.juno.com www.dkim.org www.whatis.com

" "Steganography

____ is defined as hiding messages in such a way that only the intended recipient knows the message is there. Marking bad clusters Encryption Steganography Bit shifting

" "Password

____ recovery is becoming more common in digital forensic analysis. Image Data Password Partition

" "Forensic linguistics

____ trains people to listen to voice recordings to determine who's speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter in question. Email trafficking Email forensics Forensic linguistics Communication forensics

" "Netdude

____ was designed as an easy-to-use interface for inspecting and analyzing large tcpdump files. Tcpdump Netdude Etherape Ethertext

" "client/server architecture

E-mail messages are distributed from a central server to many connected client computers, a configuration called ____. peer-to-peer architecture client/server architecture client architecture central distribution architecture

" "transaction

Exchange logs information about changes to its data in a(n) ____ log. tracking transaction checkpoint communication

" "MF

The SIM file structure begins with the root of the system (____). EF MF DF DCS

" "Honeynet

The ____ Project was developed to make information widely available in an attempt to thwart Internet and network hackers. Honeyweb Honeypot Honeywall Honeynet

" "TDMA

The ____ digital network divides a radio frequency into time slots. TDMA EDGE FDMA CDMA

" "EDGE

The ____ digital network, a faster version of GSM, is designed to deliver data. TDMA D-AMPS EDGE iDEN

" "D-AMPS

The ____ network is a digital version of the original analog standard for cell phones. EDGE TDMA D-AMPS CDMA

" "bit-shifting

The data-hiding technique ____ changes data from readable code to data that looks like binary executable code. partition-shifting partition hiding bit-shifting marking bad clusters

" "hierarchical

The file system for a SIM card is a ____ structure. hierarchical volatile circular linear

" "configuration

The files that provide helpful information to an e-mail investigation are log files and ____ files. .rts scripts batch configuration

" "hypervisor

The software that runs virtual machines is called a ____. computer server hypervisor host

" "steganography

The term ____ comes from the Greek word for "hidden writing." hashing escrow steganography creep

" "Tcpdump

A common way of examining network traffic is by running the ____ program. Coredump Slackdump Netdump Tcpdump

" "Micro Systemation XRY

A lesser known tool used widely by government agencies is ____, which retrieves data from smartphones, GPS devices, tablets, music players, and drones. MOBILedit Forensic Micro Systemation XRY DataPilor BitPim

" "KFF

AccessData ____ compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data. NSRL KFF PKFT NTI

" "Notepad+

After you open e-mail headers, copy and paste them into a text document so that you can read them with a text editor, such as Windows ____. vim Notepad+ Nano TextEdit

" "3G

By the end of 2008, mobile phones had gone through three generations: analog, digital personal communications service (PCS), and ____. D-AMPS CDMA OFDM 3G

" "UFED Reader

Cellebrite includes ____, a mobile forensics tool that's often used by law enforcement and the military. BitPim MOBILedit Forensics UFED Reader DataPilot

" "warrant

Criminal investigations are limited to finding data defined in the search ____. order warrant rule scope

" "hiding

Data ____ involves changing or manipulating a file to conceal information. integrity recovery hiding creep

" "CDMA

Developed during WWII, this technology,____, was patented by Qualcomm after the war. GSM iDEN CDMA EDGE

" "Time Division Multiple Access

Global System for Mobile Communications (GSM) uses the ____ technique, so multiple phones take turns sharing a channel. Time Division Multiple Access Orthogonal Frequency Division Multiplexing Enhanced Data GSM Environment Code Division Multiple Access

" "checkpoint

In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk. temporary checkpoint milestone tracking

" "basic subscriber

In Facebook the ____ info simply tells you the last time a person logged on. Neoprint extended subscriber basic subscriber advanced subscriber

" ".edb

In Microsoft Exchange, a(n) ____ file is responsible for messages formatted with MAPI. .edb .cfg .mbx .mapi

" ".pst

In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____. .msg .eml .pst .ost

" "My Documents\BitPim

In a Windows environment, BitPim stores files in ____ by default. My Documents\BitPim My Documents\BitPim\Files My Documents\BitPim\Forensics Files My Documents\Forensics Files\BitPim

" "SYN flood

In a(n) ____ attack, the attacker keeps asking your server to establish a connection. brute-force attack ACK flood PCAP attack SYN flood

" "@

In an e-mail address, everything after the ____ symbol represents the domain name. - # . @

" "subpoenas

In civil and criminal cases, the scope is often defined by search warrants or ____, which specify what data you can recover. investigation plans subpoenas scope creeps risk assessment reports

" "Virtualization Technology (VT)

Intel ____ has responded to the need for security and performance by producing different CPU designs. Parallels Virtualization Hyper-V KVM Virtualization Technology (VT)

" "Telecommunications Industry Association

Most Code Division Multiple Access (CDMA) networks conform to IS-95, created by the ____. Telecommunications Industry Association Global System Communications Industry International Telecommunications Union Global Telecommunications Association

" "Pcap

Most packet analyzer tools can read anything captured in ____ format. Pcap DOPI AIATP SYN

" "3

Most packet analyzers operate on layer 2 or ____ of the OSI model. 1 3 5 7

" "diskpart

One way to hide partitions is with the Windows disk partition utility, ____. diskpart Norton DiskEdit System Commander PartitionMagic

" "E3:DS

Paraben Software, a vendor of mobile forensics software, offers several tools, such as ____, for mobile device investigations. DataPilot MOBILedit! BitPim E3:DS

" "BestCrypt

People who want to hide data can also use advanced encryption programs, such as PGP or ____. FTK PRTK BestCrypt NTI

" "mbox

Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format. SMTP POP3 mbox MIME

" "Zoho

Some popular Web-based e-mail service providers are Gmail, ____, Outlook Online, and Yahoo! Twitter Greatmail Zoho Facebook

" "IS-136

TDMA refers to the ____ standard, which introduced sleep mode to enhance battery life. IS-136 IS-195 IS-236 IS-361

" "International Telecommunications Union

The 3G standard was developed by the ____ under the United Nations. International Telecommunications Union Global System Communications Industry Global Telecommunications Association Telecommunications Industry Association

" "NSRL

To enhance searching for and eliminating known OS and application files, Autopsy has an indexed version of the NIST ____ of MD5 hashes. NSRL NRP YAFF UFSL

" "Properties

To retrieve e-mail headers in Microsoft Outlook, double-click the e-mail message, and then click File, ____. The ""Internet headers"" text box at the bottom of the dialog box contains the message header. Options Properties Message Source Details

" "Show original

To view Gmail Web e-mail headers open the e-mail, click the down arrow next to the Reply circular arrow, and click ____. More options Show original Message properties Options

" "More

To view e-mail headers on Yahoo! click the ____ list arrow, and click View Raw Message. Advanced Message Properties More General Preferences

" "/var/log

Typically, UNIX installations are set to store logs in the ____ directory. /log /etc/var/log /etc/Log /var/log

" "EEPROM

Typically, phones store system data in ____, which enables service providers to reprogram phones without having to access memory chips physically. ROM EEPROM EROM PROM

" " SHA-1

WinHex provides several hashing algorithms, such as MD5 and ____. CRC SHA-1 AES RC4

" "GUI

With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or drive. command-line GUI prompt-based shell-based

" "investigation plan

You begin a digital forensics case by creating a(n) ____. risk assessment report investigation report investigation plan evidence custody form

" "Circular logging

____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size. Circular logging Automatic logging Server logging Continuous logging

" "Salting passwords

____ alters hash values, which makes cracking passwords more difficult. Hybrid attack Rainbow table Salting passwords PRTK

" "Packet analyzers

____ are devices or software placed on a network to monitor traffic. Packet analyzers Bridges Hubs Honeypots

" "Brute-force

____ attacks use every possible letter, number, and character found on a keyboard when cracking a password. Dictionary Profile Brute-force Statistics

" "tethereal

____ can be programmed to examine TCP headers to fin the SYN flag. Memorizer memfetch tethereal john

" "Network forensics

____ can help you determine whether a network is truly under attack or a user has inadvertently installed an untested patch or custom program. Broadcast forensics Network forensics Computer forensics Traffic forensics

" "SIM

____ cards are usually found in GSM devices and consist of a microprocessor and internal memory. SIM SDD SD MMC

" "/etc/sendmail.cf

____ contains configuration information for Sendmail, helping the investigator to determine where the log files reside. /etc/syslog.conf /var/log/maillog /etc/sendmail.cf /etc/var/log/maillog