quiz 1 Mid, Quiz 2, Quiz 3 Mid, quiz 4 mid, quiz 5 Mid, quiz 6 Mid

What protocol is used to find the hardware address of a local device? ARP IP RARP ICMP

ARP

The Microsoft utility that will generate the different hash values for you is: File Identity Checker Hash Calculator File Checksum Identity Verifier Hash Identity Verifier

File Checksum Identity Verifier

What is the database WiGLE used for? Group of answer choices A list of Wifi configuration standards. Maintains the location of WPS. For wireless hotspots around the world. Indicates a collection of communication speeds.

For wireless hotspots around the world.

When the Message Digest 5 (MD5) was created? 1991 1992 1990 1994

1992

Which sentence is not correct about cryptographic hashes? there should be no way to have two files with different contents generate the same hash value If you change the name of the file, the hash value for that file will remain the same The only way to get the original hash value is for the data to remain unaltered A cryptographic hash takes into consideration the data that resides within the file and metadata like filename and dates

A cryptographic hash takes into consideration the data that resides within the file and metadata like filename and dates

In network forensics, the data we want to collect is ________________________ Packet captures Static data RAM image Deleted files

Packet captures

The OSI layer which deals with the shape of connectors for network connections is the _________ Layer. Physical Transport Data Link Network

Physical

_________________________ allows systems to perform lookups from IP addresses to ___________________________________. Address resolution protocol (ARP), DNS ICMP, MAC addresses Address resolution protocol (ARP), MAC addresses TCIP/IP, MAC addresses

Address resolution protocol (ARP), MAC addresses

Which one of the following functionalities isn't provided by TCP? Proper sequencing of the packets Addressing Flow control Retransmission of packets as required

Addressing

A denial of service attack: Has as example making customers can't get to a web-based shopping application Is about making a service unavailable to a user. Has as main goal to deny service to the average user All the above

All the above

About UDP Floods, it is correct to say: UDP flood has the potential to be a problem for services If all an attacker is looking to do is flood the pipe, he can just send a large volume of UDP messages The purpose of a UDP flood would likely be to just consume all available network bandwidth. All the above

All the above

About services, which affirmatives are TRUE? I. On a Windows system, a service is a program that has no user interface component, so it isn't visible to the user. II. Any computer system may have several services running and most of them will start when the computer boots. II. In the case of services, there is usually no visible component. IV. Windows offers the most options in terms of how services are started up. I and II I, II and III All the above II and III

All the above

About the image bellow, it Is correct to say: It's a long repetition of a legitimate GET request, which is the client attempting to retrieve a page or file Because the server can't guess what is intended, all it knows is that the message isn't legitimate based on the protocol definition of HTTP All the above This shows Malformed HTTP requests

All the above

In which activities would a forensic investigator be involved? Detection Eradication Preparation All the above

All the above

The best way to demonstrate that evidence has not changed from the point of acquisition is: Making a copy of it Having someone to testify the data collection process To use a cryptographic hash All the above

All the above

What type of change in a text file content will generate a change in the hash value? Removing a line break Adding a line break Erasing a character All the above

All the above

Which information can be seen when using tcpdump for packet capture? Source and destination address Time the packet was captured The protocol in use All the above

All the above

Which sentence is true about port spanning? You can perform port spanning with enterprise-grade switches. All the above Cisco refers to this as using a Switch Port Analyzer (SPAN) port It happens when you have the ability to have the switch copy traffic from one port to another.

All the above

Which tools are commonly used in Packet Capture and Analysis? Tcpdump Network Miner Tshark All the above

All the above

Which type of information the Internet registries can provide? Group of answer choices Service provider Company's business information All the above Location information

All the above

About netstat, which are the TRUE affirmatives? I. Netstat is a command-line utility that provides a lot of network information II. Netstat provides a list of all of the open communication streams III. The netstat -a command displays all of the existing and active communications including their state. IV. To display the routing table, you can use the netstat -r command. II and III I, II, IV All the affirmatives. I, II and III

All the affirmatives.

Which affirmative is wrong about Sysinternals? Born from a website which contained several programs that exposed some of internals of windows OS. All the tools previously available in Internals. are available through Microsoft's website. One significant advantage to the Sysinternals tools is that they run standalone, meaning they don't need to be installed in order to get all of the libraries and registry keys created. You can run the tools from a directory on your system or from an external drive like a USB storage device.

All the tools previously available in Internals. are available through Microsoft's website.

About Incident response, which of the sentences is correct? The process of incident response can be boiled down to three stages: preparation; detection and analysis; and post-incident activity An event is commonly something that is attributable to human interaction and is often malicious An incident is a change that has been detected in a system An incident is always an event, because every incident would result in some sort of observable change to the system

An incident is always an event, because every incident would result in some sort of observable change to the system

What are the upper layers of the OSI model? Physical, data link and network Data link and network Transfer Application, presentation, and session

Application, presentation, and session

ARP is not useful if you are communicating beyond the router ARP increases the speed of using IPv4 Arp is needed to address the server on the Internet ARP is necessary in IPv6 Arp only meaninful in local network

Arp only meaninful in local network

Which of the followings is not a direct implication of subnet masks in TCP/IP networks? Assignment of more IP addresses Better network management Reduce network traffic Increase network security

Assignment of more IP addresses

Which affirmatives are TURE about Task Manager? At the TCP Connections section, you can only see the following processes: the process ID, the local address, the remote address and the latency value. provides No view of the network activity it can not show a running graph of how much network traffic is coming into and going out of your system. Resource Monitor disallows you to get more specific information about various resources

At the TCP Connections section, you can only see the following processes: the process ID, the local address, the remote address and the latency value.

About Packet Capture programs, which sentences are FALSE? They insert themselves into the network stack Before the frames are handed up to the higher layers of the network stack, they will take copies They grab copies of the frames and store them Prior to the frames being sent to the network interface Because these programs aren't engaged in some of the input/output functions of the operating system, they don't require administrative privileges.

Because these programs aren't engaged in some of the input/output functions of the operating system, they don't require administrative privileges.

Which alternative doesn't appear on Wireshark's capture screen during capture process? Capture filter box List of interfaces available List of frames captured Bottom pane showing raw data

Bottom pane showing raw data

Malformed requests _________________________________________________________ . Can be generated by poorly written client programs attackers can't use testing softwares to determine whether or not a piece of software is vulnerable to a malformed packet attack. can be created in a number of ways, and none of them can potentially cause problems. are always malicious.

Can be generated by poorly written client programs

In Wireshark, the capture filter: can be used to start captures Can indicate network usage next to interfaces that are actually sending or receiving network traffic None of the above Can narrow the number of packets that will be captured.

Can narrow the number of packets that will be captured.

Which class of IP address provides a maximum of only 254 host addresses per network ID? Class D Class A Class B Class C

Class C

About the same HTTP message from question 7, it is wrong to say: The expression GET / HTTP/1.1 says we are trying to GET the default index page at the top level. Host: field indicates which specific host the request is coming from HTTP/1.1 means the version of the protocol The / is the top level of the web server and if there is no specific page request, the web server is expected to just reply with the default page in that directory

Host: field indicates which specific host the request is coming from

Which sentences are TRUE? I. The network itself is used to perform lookups on these addresses to resolve IP addresses to MAC addresses and vice versa II. On the local network, not all communication is done using MAC addresses III. The problem with ARP is there is simply no way to verify that the messages being sent on the network are legitimate IV. every system will typically cache an ARP resolution in a table locally to speed things up I, III and IV I, II, III and IV II and III I and II

I, III and IV

Which sentences are correct about Location-based Services? I. Laptops and other mobile systems that don't have the capability to use GPS don't have a need for location-based services. II. The World Wide Web Consortium (W3C) has developed an application programming interface, called the Geolocation API, and a set of specifications that will allow devices that don't have GPS capability to also provide a location. III. The JavaScript makes calls to a navigator object looking for the GeoIP information.

II and III

Question 101 / 1 pts Which statements are true regarding ICMP packets? I. They acknowledge receipt of a TCP segment. II. They guarantee datagram delivery. III. They can provide hosts with information about network problems. IV. They can be used for diagnostic purposes II and III I only III and IV II, III and IV

III and IV

You want to implement a mechanism that automates the IP configuration, including IP address, subnet mask, default gateway, and DNS information. Which protocol will you use to accomplish this? ARP DHCP SMTP SNMP

DHCP

Besides whois, which other tool can you use to obtain location information? Group of answer choices DNS toolsWireshark Ipconfig Tcpdump

DNS

A ______________ tries to formulate a web resource occupied or busy its users by flooding the URL of the victim with unlimited requests than the server can handle. d. MiTM attack Phishing attack Website attack DoS attack

DoS attack

About the OSI Model, which sentence is false? The International Organization for Standardization (ISO) decided a single model was needed to fit all communication protocols ISO made use of work done by the Siemens to create an abstract model The OSI model was created in 1983 The OSI model consists separate and distinct layers

ISO made use of work done by the Siemens to create an abstract model

What does CERT mean? Computer Emergency Response Team Certified Emergency response Team Computer Effective Response Team Computer Emergency Response Tutorial

Computer Emergency Response Team

Passive tap ______________________________________. Is called passive because active electronics are involved. Consists in splitting the signal by shaving a small portion of it off. You must use it if you are concerned about inadequate signal at the far end. Approach increases the signal, because you are diverting a portion of it.

Consists in splitting the signal by shaving a small portion of it off.

Which ones are TCP Connection States? FIN-WAIT, CLOSE-WAIT, TIME-WAIT CLOSED, CLOSING, OPENED OPENED, ESTABLISHED, CLOSED ESTABLISHED, LISTENING, FINISHED

Correct Answer

It's considerably _______ to spoof an address using ______ as the transport protocol because there is no verification of the source address at the operating system level as there is with _____ Harder, TCP, UDP Easier, TCP, UDP. Easier, UDP, TCP Harder, UDP, TCP

Easier, UDP, TCP

Which of these terms is not related to cryptographic hashes? One-way function Birthday paradox Encryptation Collision

Encryptation

The tool used to perform ARP poisoning is: Network Miner Tcpdump Ettercap Wireshark

Ettercap

About Geolocation, which sentence is not true? Group of answer choices In some cases, all the lookup service is doing is running a whois, getting the owner of the IP address, and providing the city for that owner Even different databases always show same results a number of geolocation providers and some of the websites that you can do lookups from will provide information from the different databases some of the challenges associated with looking up geographic location from an IP address, you will sometimes get different locations

Even different databases always show same results

The following HTTP message bellow is an example of a ___________ request. GET POST PUT HEAD

GET

About SYN Flooding attack it is wrong to say: Its initial target is the operating system, where the slots for the half-open connections are recorded The objective of a SYN flood is to simply fill up the slots that the target system has available for half-open connections Increasing the number of slots available unlimitedly to hold more half-open connections is a simple and realistic solution. Once the attack takes place, no one else can start a connection, which means that no one can complete a connection and get access to whatever service is listening on that port.

Increasing the number of slots available unlimitedly to hold more half-open connections is a simple and realistic solution.

What is the name of macOS startup program? Init daemons Launchd perTools

Launchd

Which layer of the TCP/IP stack combines the OSI model physical and data link layers? Application layer Transport layer Internet layer Link layer

Link layer

The data link layer uses ___ to route frames. hexadecimal code IP addresses broadcasts MAC addresses

MAC addresses

Which tools is not a part of Sysinternals? TCPView None Process Explorer TCPCon

None

How many layers does the OSI model have? Nine Six Seven Four

Seven

A ____________ relied on ___________ a source IP address and sending an __________ request, commonly known as a ping message, to the broadcast address of a network block. ARP poisoning, spoofing, ARP Teardrop attack, spoofing, ICMP echo Smurf attack, spoofing, ICMP echo UDP flooding, spoofing, UDP echo

Smurf attack, spoofing, ICMP echo

Which of the examples below are events? Check all the correct options. Someone attempting to ping a system behind a firewall where the messages are blocked and logged Single system being infected with malware Updating system software, as in the case with a hot fix or a service pack Plugging an external drive into a system

Someone attempting to ping a system behind a firewall where the messages are blocked and logged Single system being infected with malware Updating system software, as in the case with a hot fix or a service pack Plugging an external drive into a system

Which of the layers is most similar between the OSI and TCP network models? TCP Internetwork Layer and OSI Network Layer TCP Application Layer and OSI Session Layer TCP Link Layer and OSI Data Link Layer TCP Transport Layer and OSI Transport Layer

TCP Internetwork Layer and OSI Network Layer

_______________ is a graphical user application that provides information similar to _____________. Additionally, it is updated in real time, which ____________ can also do if you provide it an interval of time that you want to elapse before the information is updated. netstat, TCPView, netstat TCPView, Sysinternals, Sysinternals. TCPView, netstat, TCPView TCPView, netstat, netstat

TCPView, netstat, netstat

Which of the IP headers decides when the packet should be discarded? TTL Fragment control Checksum Header length

TTL

Tcpdump is a program that has been available on Unix operating systems for decades. There has also been a port available for Windows called windump that runs on the same underlying packet capture library. Tcpdump, Unix, Windows, windump Windump, Unix, Linux, windump Tcpdump, Windows, Unix, windump Tcpdump, Linux, Windows, tcpdump

Tcpdump, Unix, Windows, windump

About connections, what is FALSE? A network service is a program that is listening on a network interface. The CLOSED state happens when the application has bound to a port and is waiting for connections. Once the three-way handshake is completed, the communication is considered to be ESTABLISHED. TCP communication can be thought of as stateful because there is always a state to any communication.

The CLOSED state happens when the application has bound to a port and is waiting for connections.

Which sentences are TURE? Operating systems that have a TCP/IP protocol stack will typically have the arp utility installed. The MAC address is required for two systems to communicate on a local network router is necessary as the destination address in the Ethernet header. MAC address of the router

The MAC address is required for two systems to communicate on a local network

Select the wrong affirmatives about services: A service that starts manually cannot be started by a user through the Services system utility; it can only be started if another system requires it as a dependency in order to operate correctly. Services that aren't running have no entry in the Status column The Service Control Manager may start the service automatically when the system shuts down; Service is expected to be able to start and stop, based on messages from the Service Control Manager.

The Service Control Manager may start the service automatically when the system shuts down;

Which actions help to accountability and a historical record of how the evidence and artifacts were handled? (select all the correct answers) Advise everyone who handles these documents to be careful Make several copies of the files The use of cryptographic hashes Keeping a chain-of-custody document

The use of cryptographic hashes Keeping a chain-of-custody document

Based on the POP3 server interaction shown below: The retr command provides a message number followed by the number of lines in the message as an indication of the message size. The list command is used to provide the password list The pass command is used to retrieve a message The user command tells the server that we are passing in the username and that's the parameter that goes with the command

The user command tells the server that we are passing in the username and that's the parameter that goes with the command

For which purposes can MD5 be used? (Select all the right options) To split strings or files into separate sets To check summing a message To detect if a file content was modified To order packets from network traffic

To split strings or files into separate sets To check summing a message To detect if a file content was modified

The Utility is named _______________ in Mac OS system, _____________ on a Linux system and __________________ on a Windows system. Group of answer choices Tracert, traceroute, traceroute Traceroute, tracert, tracert Traceroute, traceroute, traceroute Traceroute, traceroute, tracert

Traceroute, traceroute, tracert

What is VoIP? Group of answer choices Variations Over Internet Protocols. Value of IP. Voice Over IP. Validate Other Intellectual Property.

Voice Over IP.

About traceroute is wrong to say: Group of answer choices The sender only has the IP address, though, which means that the system running traceroute has to do a DNS lookup to get the hostname that is associated with the IP address. When you run a traceroute you must save the results in a text file to check later. Traceroute is a diagnostic tool used by technical professionals looking to identify a problem with network routing Traceroute works by making use of the time to live (TTL) IP header field

When you run a traceroute you must save the results in a text file to check later.

How can we ensure the collected information is in its original condition? a & b being able to have verifiable proof that the evidence you had at the end is the same as at the beginning maintaining documentation demonstrating who handled it none

a & b

Whereas Microsoft uses the _________________ to store configuration settings, ______________ uses property list files, sometimes called "plists." Windows Libraries, Apple Windows Registry, Linux Windows Service, Apple Windows registry, Apple

Windows registry, Apple

___________ and ____________ are examples of geolocation providers Group of answer choices Whois and www.iplocation.net Wireshark and GeoIP Wireshark and MaxMind www.iplocation.net and db-ip.com

Wireshark and MaxMind

Which sentence is wrong about packet analysis with Wireshark? Wireshark will also gather all of the related frames together for us, presenting us with a plaintext view of the data from the conversation Using Wireshark, we can extract a lot of information because Wireshark will do a lot of analysis for us without us needing to go digging into messages one at a time Wireshark is a free decent alternative to very expensive packet capture software, and it has evolved into a very mature and useful program Wireshark doesn't keep track of a lot of information as it gathers each frame and it also does a lot of the decoding and dissection for us

Wireshark doesn't keep track of a lot of information as it gathers each frame and it also does a lot of the decoding and dissection for us

About Malformed Packets it is wrong to say: A particular attack based on this concept was called Teardrop issues with large packets that require fragmentation are one example of when malformed packets are generated When the fragmentation offsets overlap, the target system may not be able to correctly assemble the packet Wireshark is often very good at identifying errors in the packet capture and always recognizes when the packet can't be reassembled.

Wireshark is often very good at identifying errors in the packet capture and always recognizes when the packet can't be reassembled.

Checksum is the value that is computed across different sections of the packet to ensure it hasn't been corrupted. About how Wireshark handles checksum, which sentence is false? If checksum validation is enabled, Wireshark will be able to tell you whether the checksum is valid Wireshark will not provide you with the checksum You can have Wireshark compute the checksum or not By default, Wireshark will not compute the checksum for you because often modern operating systems along with the network drivers will offload the checksum computation to the network hardware.

Wireshark will not provide you with the checksum

About Flooding it is correct to say: A very easy solution is decreasing the resources you have a & b It is a volume-based attack Its goal is just to utterly consume the available resources

a & b

Not all ________________ attacks are distributed, but with large quantities of bandwidth being the normal state for businesses and even many end users, it's quite a bit harder to generate enough attack traffic as a solo practitioner than it used to be. As a result, we have ________________ which consists of multiple attackers distributed around the Internet. denial of service, distributed denial of service attacks (DDoS) Denial of service, Direct Distribution of Server (DDoS) denial of service, Distributed Denial of Server (DDoS) Denial of service, Direct Distribution of Service (DDoS)

denial of service, distributed denial of service attacks (DDoS)

The practice of creating malformed requests for testing purposes is called Spoofing Poisoning Fuzzing Sniffing

fuzzing

The time is maintained relative to

greenwich mean time

The network interface: Needs to be in promiscuous mode to capture packets. Doesn't need to be configured to operate in a special mode. will only respond to messages that are addressed directly to them c. need to be specially to be able to be placed into promiscuous mode nowadays.

need to be specially to be able to be placed into promiscuous mode nowadays.

In Which OSI layer Routers work? network Transport data link physical

network

As a network forensic investigator, you need ____________________________. Check the right answers. solid understanding of networking understanding of firewalls and intrusion detection systems understanding of TCP/IP suite of protocols only understanding of common forensic procedure and evidence handling

solid understanding of networking understanding of firewalls and intrusion detection systems understanding of common forensic procedure and evidence handling

Which of the following are superprocesses? reboot init ssh system

system

The passive scanning approach _____________________________________. will just run quietly, observing data that is passing across the network interface watches the data that passes across the network and but is not capable of reporting specific details to you provide all of the information that you would using a full packet capture that you were analyzing in Wireshark will not present you with useful details from all of the different layers

will just run quietly, observing data that is passing across the network interface

What are you looking for when you apply this filter HTTP.request.method == POST in Wireshark? None of the above. you are looking for where the client is sending information to the server you want to just display packets where the IP address is 172.30.42.1 you only want to see the packets where the source address is a particular address

you are looking for where the client is sending information to the server