CS305 Chapter 10
The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network attackers. T/F
True
The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput. T/F
True
What processor instruction set is required in order to utilize virtualization software?
Virtual Machine Extensions (VMX)
Virtual Machines
help offset hardware costs for companies and are handy when you want to run legacy or uncommon OSs and software along with the other software on your computer
What file(s) are used in VirtualBox to create a virtual machine?
.ova
The _______ disk image file format is associated with the VirtualBox hypervisor.
.vdi
What file type associated with VMware stores VM paging files that are used as RAM for a virtual machine?
.vmem
The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version of Ubuntu?
12.04
At what layers of the OSI model do most packet analyzers function?
2 or 3
In VirtualBox, ______ different types of virtual network adapters are possible, such as AMD and Intel Pro adapters.
6
What is a packet analyzer, and how is it used?
Packet analyzers are devices or software placed on a network to monitor traffic. Most network administrators use them for increasing security and tracking bottlenecks. However, attackers can use them to get information covertly. Most packet analyzers work at Layer 2 or 3 of the OSI model.
The tcpdump and Wireshark utilities both use what well known packet capture format?
Pcap
The NSA's defense in depth (DiD) strategy contains which three modes of protection?
People, Technology, Operations
The _______ utility from Sysinternals shows what files, Registry keys, and DLLs are loaded at a specific time.
Process Explorer
What program within the PsTools suite allows you to run processes remotely?
PsExec
In a _______ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established connections.
SYN flood
Mandiant Memoryze
Software that lists all open network sockets, including those hidden by rootkits, and also works on both 32-bit and 64-bit systems.
What Windows Registry key contains associations for file extensions?
HKEY_CLASSES_ROOT
What is a VM snapshot, and why is a live acquisition typically required for VMs?
A VM snapshot simply records the state of a VM at a particular moment. However, it's recording only changes in state; it's not a complete backup. Many network administrators depend on snapshots when working with VMs in case updates or software installations fail. When you're acquiring an image of a VM file, snapshots might not be included, depending on the software you're using. In this case, you have only the original VM, which might not have any of the changes made to it after it was created. Therefore, doing live acquisitions of VMs is important to make sure snapshots are incorporated.
Honeypot
A computer or network set up to lure an attacker
What is the difference between a type 1 and a type 2 hypervisor?
A type 1 hypervisor runs on "bare metal," meaning it loads on physical hardware and doesn't require a separate OS, although many type 1 hypervisors incorporate Linux-based operating systems. Literally thousands of VMs can be hosted on a single type 1 hypervisor, and many more on a cluster of these hosts. A type 2 hypervisor rests on top of an existing OS, such as Windows, Linux, or Mac OS.
Distributed Denial-of-Service (DDoS) Attacks
A type of DoS attack in which other online machines are used, without owners' knowledge, to launch an attack.
Type 1 hypervisor
A virtual machine interface that loads on physical hardware and contains its own OS.
Type 2 hypervisor
A virtual machine interface that's loaded on top of an existing OS.
layered network defense strategy
An approach to network hardening that sets up several network layers to place the most valuable data at the innermost part of the network.
Zero Day Attacks
Attacks launched before vendors or network administrators have discovered vulnerabilities and patches for them have been released.
Zombies
Computers used without the owners' knowledge in a DDoS attack.
The ______ utility can be used to view network traffic graphically.
Etherape
Forensics tools can't directly mount VMs as external drives. T/F
False
The Sysinternals Handle utility shows only file system activity but does not show what processes are using files on the file system. T/F
False
Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage. T/F
False
In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters?
Get-VMNetworkAdapter
Describe a zero day attack.
In a typical zero day attack, attackers look for holes in networks and OSs and exploit these weaknesses before patches are available. Vendors usually aren't aware that these vulnerabilities exist, so they haven't developed and released patches for them. Penetration testers attempt to break into networks to find undiscovered vulnerabilities and then predict where the next onslaught of network attacks will come from.
Honeywalls
Intrusion prevention and monitoring systems that track what attackers do on honeypots.
The _______ tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffers, and freeware forensics tools.
Kali Linux
The _______ is the version of Pcap available for Linux based operating systems.
Libpcap
Why are live acquisitions becoming a necessity, and why don't live acquisitions follow typical forensics procedures?
Live acquisitions, which are performed before taking a system offline, are becoming a necessity due to the possibility that attacks might leave footprints only in running processes or RAM; for example, some malware disappears after a system is restarted. In addition, information in RAM is lost after you turn off a suspect system. However, after you do a live acquisition, information on the system has changed because your actions affect RAM and running processes, which also means the information can't be reproduced.
What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses?
Ngrep
Updating security patches, antivirus software, and OSs falls into the _____ category of the defense in depth strategy.
Operations
What virtual machine software supports all Windows and Linux OSs as well as Macintosh and Solaris, and is provided as shareware?
Oracle VirtualBox
The _______ command line program is a common way of examining network traffic; it provides records of network activity while it is running and can produce hundreds or thousands of records.
Tcpdump
The ________ is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to examine.
Tcpslice
Defense in Depth (DiD)
The NSA's approach to implementing a layered network defense strategy. It focuses on three modes of protection: people, technology, and operations.
What is the biggest problem with live acquisitions?
The problem investigators face with live acquisitions is the order of volatility (OOV), which determines how long a piece of information lasts in a system. Data such as RAM and running processes might exist for only milliseconds; other data, such as files stored on the hard drive, might last for years.
Network Forensics
The process of collecting and analyzing raw network data and systematically tracking network traffic to determine how security incidents occur.
