8.4.12 - Cover Your Tracks (Practice Questions)
Who would be most likely to erase only parts of the system log file?
A black hat hacker. Wiping a log wholesale draws attention; an intruder covering tracks removes only the entries that record the intrusion so the log still looks intact.
Which of the following best describes CCleaner?
    Software that can clear cookies, stored data such as passwords, browser history, and temporary cached files. It can also clear the recycle bin, clipboard data, and recent-documents lists.
    A tool that can remove files and clear internet browsing history. It also frees up hard disk space. It clears the temporary files, history, and cookies from each of the six major web browsers.
    A program that searches for carrier files using statistical analysis techniques, scans for data-hiding tools, and can crack password-protected data to extract the payload.
    A command-line tool in Windows 2000 that dumps a remote or local event log into a tab-separated text file. It can also be used to filter specific types of events.
A tool that can remove files and clear internet browsing history. It also frees up hard disk space. It clears the temporary files, history, and cookies from each of the six major web browsers.
Which of the following best describes a rootkit?
    Allows the user to create a password to make the hidden file more secure.
    Scans the system and compares the current scan to the clean database.
    Can modify the operating system and the utilities of the target system.
    Allows each file an unlimited number of data streams of unlimited size.
Can modify the operating system and the utilities of the target system. Rootkits replace or hook operating-system components and system utilities so that the attacker's files, processes, and connections are no longer reported. Rootkit packages commonly bundle packet sniffers, log-cleaning utilities, DDoS programs, IRC bots, and backdoor programs.
Which of the following could a hacker use Alternate Data Streams (ADS) for?
Hiding evidence. Alternate Data Streams were added to NTFS for compatibility with Macintosh files (HFS resource forks). A file can carry multiple named streams at once, and the alternate streams are not shown in Windows Explorer or in a plain directory listing. An executable stored in an alternate stream can be launched from the command line while staying out of sight, which lets an attacker keep tools and evidence on disk and run programs undetected. The check a defender wants: on Windows Vista and later, dir /r lists every stream attached to each file, and PowerShell's Get-Item -Stream * does the same.
Jerry runs a tool to scan a clean system to create a database. The tool then scans the system again and compares the second scan to the clean database. Which of the following detection methods is Jerry using?
    Behavior-based
    Cross view-based
    Signature-based
    Integrity-based
Integrity-based. The clean scan is the baseline; any file, process, or registry key whose hash or size differs on the second scan is flagged as changed.
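The integrity-based method in Jerry's question is simple enough to build yourself. The following Python script is an added example, not part of the original practice set or of any named tool: it hashes every file under a directory to produce the clean database, rescans after a simulated rootkit install, and reports what was added, removed, or modified. The directory tree, the file contents, and the tampering are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record path -> (size, sha256) for every regular file under root.

    Run on a known-clean system; the result is the "clean database" the
    later scan is compared against. Paths are stored relative to root.
    """
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # hash real files only; a link target is hashed where it lives
            rel = p.relative_to(root_path).as_posix()
            baseline[rel] = (p.stat().st_size, hash_file(p))
    return baseline


def compare_scans(baseline: dict, current: dict) -> dict:
    """Diff two scans. Anything listed here is unexplained change to investigate."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it and rescan."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "bin"
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"original ls binary")
        (bin_dir / "ps").write_bytes(b"original ps binary")
        (Path(root) / "var.log").write_text("login ok\n")

        baseline = build_baseline(root)

        # Simulated rootkit install: ps is replaced by a same-length trojan (size alone
        # would not catch it), a dropper appears, and a log is deleted.
        (bin_dir / "ps").write_bytes(b"trojaned ps binary")
        (bin_dir / ".dropper").write_bytes(b"\x7fELF")
        (Path(root) / "var.log").unlink()

        return compare_scans(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Two caveats the quiz answer leaves out: store the baseline off the host (or sign it), because a rootkit with write access can simply refresh it; and a kernel-mode rootkit that hooks file reads can hand the scanner the clean bytes while serving the trojaned ones at execution time, which is the gap cross view-based detection is meant to close.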
Mark is moving files from a device that is formatted using NTFS to a device that is formatted using FAT. Which of the following is he trying to get rid of?
    Software programs that hackers use.
    Encrypted steganographic information.
    Antivirus and anti-spyware programs.
    Malicious alternate data streams.
Malicious alternate data streams. To get rid of malicious alternate data streams, move suspect files to a partition or device that is formatted using FAT. Since FAT has no concept of alternate data streams, only the primary data stream survives the move and the alternate streams are dropped. Note that copying between two NTFS volumes, including over an SMB share backed by NTFS, preserves the streams, so a FAT hop (or a tool that strips streams) is needed. Remember to keep your antivirus software updated. Tools that detect and remove infected ADS include LADS, Stream Detector, LNS, and Forensic Toolkit.
Which of the following best describes the heuristic or behavior-based detection method?
    Searches for execution path hooking, which allows a function value in an accessible environment to be changed.
    Uses an algorithm as it goes through the system files, processes, and registry keys to create a baseline that is compared to the data returned by the operating system's APIs.
    Scans a system's processes and executable files, looking for byte sequences of known malicious rootkit programs.
    Runs a tool to scan a clean system and create a database, then scans the system and compares the current scan to the clean database.
Searches for execution path hooking, which allows a function value in an accessible environment to be changed. The other three descriptions are cross view-based, signature-based, and integrity-based detection, respectively.
Which of the following is also known as ZeroAccess and has virus, Trojan horse, and rootkit components?
    GrayFish
    DeepSound
    Sirefef
    Touch
Sirefef
The method of embedding data into legitimate files like graphics to hide it and then extracting the data once it reaches its destination is called:
    Rootkits
    Steganography
    NTFS data streaming
    Execution path profiling
Steganography
Cameron wants to send secret messages to his friend Brandon, who works at a competitor's company. To secure these messages, he uses a technique to hide a secret message within a video. Which of the following techniques is he using?
    RSA algorithm
    Public-key cryptography
    Encryption
    Steganography
Steganography. Steganography is the method of embedding data into legitimate files like graphics, video, audio, banner ads, or plain text messages to hide it, and then extracting the data once it reaches its destination; it conceals the fact that a message exists, whereas encryption conceals only its content. Encryption is the translation of data into a secret code. RSA (Rivest, Shamir, Adleman) is an algorithm used to encrypt and decrypt messages. Public-key cryptography, or asymmetric cryptography, is an encryption scheme that uses two mathematically related but nonidentical keys, a public key and a private key.
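Both steganography questions describe the same idea: the payload is spread through data that already looks legitimate. The following Python code is an added example, not from the original page: a least-significant-bit embedder and extractor over a byte string that stands in for 8-bit image or audio samples. The carrier, the message, and the 32-bit length prefix are assumptions made for the demo; real tools work inside a specific container format (BMP, PNG, WAV, MP4) and usually encrypt the payload first.

```python
LEN_BITS = 32  # payload length prefix, so the extractor knows where the message ends


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of successive carrier samples.

    Each carrier byte stands for one 8-bit sample (a grayscale pixel or an audio
    sample). Only the lowest bit is touched, so no sample moves by more than 1.
    """
    if len(payload) >= 1 << LEN_BITS:
        raise ValueError("payload too long for the length prefix")
    needed = LEN_BITS + 8 * len(payload)
    if needed > len(carrier):
        raise ValueError(f"carrier too small: need {needed} samples, have {len(carrier)}")
    header = len(payload).to_bytes(LEN_BITS // 8, "big")
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(header + payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the payload by reading the LSBs back in the same order."""
    def read_bits(start: int, count: int) -> int:
        value = 0
        for i in range(start, start + count):
            value = (value << 1) | (stego[i] & 1)
        return value

    length = read_bits(0, LEN_BITS)
    if LEN_BITS + 8 * length > len(stego):
        raise ValueError("length prefix exceeds carrier size; not a stego object made by embed()")
    return bytes(read_bits(LEN_BITS + 8 * k, 8) for k in range(length))


def changed_samples(carrier: bytes, stego: bytes) -> int:
    """Count samples that differ. On average only half of the used LSBs flip."""
    return sum(1 for a, b in zip(carrier, stego) if a != b)


def demo() -> dict:
    # Constructed carrier: a smooth 1024-sample gradient standing in for image data.
    carrier = bytes(range(256)) * 4
    message = b"meet at noon"
    stego = embed(carrier, message)
    return {
        "recovered": extract(stego),
        "changed": changed_samples(carrier, stego),
        "max_delta": max(abs(a - b) for a, b in zip(carrier, stego)),
        "length": len(stego),
    }


if __name__ == "__main__":
    print(demo())
```

Because each sample moves by at most one, the stego object looks and sounds identical to the carrier. It is not statistically identical: LSB embedding pushes the counts of adjacent value pairs toward equality, which is what the statistical-analysis detectors mentioned earlier in this set look for. It also shows why steganography is not a substitute for encryption: anyone who knows the scheme can run extract().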
You believe your system has been hacked. Which of the following is the first thing you should check?
System log files
James, a hacker, has hacked into a Unix system and wants to change the timestamps on some files to hide his tracks. Which of the following timestamp tools would he most likely use?
    Timestomp
    Meterpreter
    ctime
    Touch
Touch. The touch command in Linux, Unix, and macOS can be used to alter the timestamp. It can change the time to the current time, to any specific time (touch -t), or to match another file's time (touch -r). Touch is already available on the system and nothing needs to be installed. Note that touch only sets the access and modification times; the kernel sets the inode change time (ctime) to the moment touch ran, which an examiner can compare against mtime. Timestomp is the Meterpreter command for rewriting NTFS timestamps on Windows, and ctime is a timestamp field, not a tool.
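To see why touch is not a clean way to cover tracks, here is an added Python example (not from the original page) that backdates a file the way touch -t would, then performs the comparison an examiner would make. The target timestamp and the 60-second slack are assumptions for the demo; the check relies on ctime being the inode change time, as on Linux and macOS, and does not hold on Windows, where st_ctime is the creation time.

```python
import os
import tempfile
import time

TARGET = 1546344000  # 2019-01-01 12:00:00 UTC, a constructed backdated time


def backdate(path: str, epoch: float) -> None:
    """Equivalent of `touch -t` on path: rewrites atime and mtime only.

    The kernel still moves ctime (inode change time) to now, because ctime is
    not settable through utime(2). That mismatch is the artifact left behind.
    On Windows, st_ctime is the creation time, so this heuristic does not apply.
    """
    os.utime(path, (epoch, epoch))


def timestomp_suspect(path: str, slack: float = 60.0) -> bool:
    """Flag a file whose inode-change time is far later than its content-modification time."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack


def demo() -> dict:
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"evidence\n")
        path = f.name
    try:
        before = timestomp_suspect(path)  # fresh file: mtime and ctime agree
        backdate(path, TARGET)
        st = os.stat(path)
        return {
            "suspect_before": before,
            "suspect_after": timestomp_suspect(path),
            "mtime": int(st.st_mtime),
            "ctime_recent": time.time() - st.st_ctime < 60,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

On the command line the same artifact is visible with stat: after touch -t 201901011200 file, the Modify line shows 2019 but the Change line shows the present. Raising the slack value trades missed detections for fewer false alarms from legitimate metadata changes (chmod, chown), which also bump ctime without touching mtime.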
Phil, a hacker, has found his way into a secure system. He is looking for a Windows utility he can use to retrieve, set, back up, and restore logging policies. Which of the following utilities should he consider?
auditpol. Auditpol is a utility you can use to retrieve, set, back up, and restore logging policies on Windows: auditpol /get /category:* lists the current audit policy, auditpol /set changes it, auditpol /backup /file:<path> and auditpol /restore /file:<path> save and reload it, and auditpol /clear wipes it, which is why defenders watch for the tool being run. Group Policy Editor (gpedit.msc) allows you to edit a Group Policy object (by default the local one; domain GPOs in Active Directory are normally managed with the Group Policy Management Console). System Policy Editor (poledit.exe) allows you to edit the Local System policy. Windows Security Configuration Editor (secedit.exe) configures and analyzes system security by comparing your current configuration to specified security templates.