EEE


About Flooding it is correct to say:

- A very easy solution is decreasing the resources you have
- It is a volume-based attack
- Its goal is just to utterly consume the available resources.

What type of change in a text file content will generate a change in the hash value?

- Erasing a character
- Removing a line break
- ALL OF THE ABOVE
- Adding a line break

A denial of service attack:

- Has as an example customers being unable to get to a web-based shopping application
- Is about making a service unavailable to a user.
- Has as main goal to deny service to the average user.

Which actions help with accountability and a historical record of how the evidence and artifacts were handled? (select all the correct answers)

- Keeping a chain-of-custody document.
- The use of cryptographic hashes.

In which activities would a forensic investigator be involved?

- Preparation
- Eradication
- Detection
- ALL OF THE ABOVE

As a network forensic investigator, you need ____________________________. Check the right answers.

- Solid understanding of networking
- Understanding of firewalls and intrusion detection systems
- Understanding of common forensic procedure and evidence handling.

Which of the examples below are events? Check all the correct options.

- Someone attempting to ping a system behind a firewall where the messages are blocked and logged.
- Plugging an external drive into a system
- Single system infected with malware.
- Updating system software, as in the case with a hot fix or a service pack.

Select the wrong affirmatives about services:

- The Service Control Manager may start the service automatically when the system shuts down;
- A service that starts manually cannot be started by a user through the Service system utility; it can only be started if another system requires it as a dependency in order to operate correctly

Which information can be seen when using tcpdump for packet capture?

- Time the packet was captured.
- Source and destination address
- The protocol in use
- ALL OF THE ABOVE

For which purposes can MD5 be used? (Select all the right options)

- To checksum a message.
- To split strings or files into separate sets.
- To detect if a file content was modified.

About UDP Floods, it is correct to say:

- UDP flood has the potential to be a problem for services
- If all an attacker is looking to do is flood the pipe, he can just send a large volume of UDP messages.
- The purpose of a UDP flood would likely be to just consume all available network bandwidth.

Which sentence is true about port spanning?

- You can perform port spanning with enterprise grade switches.
- It happens when you have the ability to have the switch copy traffic from one port to another.
- Cisco refers to this as using a Switch Port Analyzer (SPAN) port
- ALL OF THE ABOVE

Which of the following are superprocesses?

- init
- system

How can we ensure the collected information is in its original condition?

- maintaining documentation demonstrating who handled it.
- being able to have verifiable proof that the evidence you had at the end is the same as at the beginning.

When was Message Digest 5 (MD5) created?

1992

Explain what a WiFi Positioning system is and how its data is obtained.

A Wi-Fi positioning system is a system that works to locate users of wireless networks through their wireless access points. These systems may complement or substitute for GPS systems or use GPS data to track users. Wi-Fi positioning is a location technique that uses characteristics of wireless access points (APs) to position connected devices. By knowing the ground truth of APs and the signal strength detected by Wi-Fi enabled devices, this approach can provide accurate and precise location simply by listening to AP signals without connecting to Wi-Fi networks.

Which sentence is not correct about cryptographic hashes?

A cryptographic hash takes into consideration the data that resides within the file and metadata like filename and dates.

What protocol is used to find the hardware address of a local device?

ARP

_________________________ allows systems to perform lookups from IP addresses to ___________________________________.

Address resolution protocol (ARP), MAC addresses

Which one of the following functionalities isn't provided by TCP?

Addressing

About services, which affirmatives are TRUE? I. On a Windows system, a service is a program that has no user interface component, so it isn't visible to the user. II. Any computer system may have several services running and most of them will start when the computer boots. III. In the case of services, there is usually no visible component. IV. Windows offers the most options in terms of how services are started up.

All of the above

Which affirmative is wrong about Sysinternals?

All of the tools previously available in internals are available through Microsoft's website.

About netstat, which are the TRUE affirmatives? I. Netstat is a command-line utility that provides a lot of network information II. Netstat provides a list of all of the open communication streams III. The netstat -a command displays all of the existing and active communications including their state. IV. To display the routing table, you can use the netstat -r command.

All the affirmatives.

Explain what a SQL Injection attack is.

An SQL Injection is a specific type of code injection that exploits the SQL database. Attackers will often send SQL code to an input box on a website (e.g., a password text box). If successful, the server will return sensitive information from its SQL database.

About Incident response, which of the sentences is correct?

An incident is always an event, because every incident would result in some sort of observable change to the system.

What are the upper layers of the OSI model?

Application, presentation, and session.

ARP is not useful if you are communicating beyond the router

ARP is only meaningful on the local network

Which of the following is not a direct implication of subnet masks in TCP/IP networks?

Assignment of more IP addresses

Which affirmatives are TRUE about Task Manager?

At the TCP Connections section, you can only see the following processes: the process ID, the local address, the remote address and the latency value.

Discuss backscatter and how it works.

Backscatter occurs when spoofed messages are able to reach the intended target. As a result, the target will respond to the IP address in the IP header, despite the fact that it is spoofed. You will be able to see a large number of SYN/ACK messages sent to hosts attempting to achieve Backscatter and exploit those host networks.

About Packet Capture programs, which sentences are FALSE?

Because these programs aren't engaged in some of the input/output functions of the operating system, they don't require administrative privileges.

Malformed requests _________________________________________________________ .

Can be generated by poorly written client programs.

In Wireshark, the capture filter:

Can narrow the number of packets that will be captured.

Which class of IP address provides a maximum of only 254 host addresses per network ID?

Class C

Which type of information can the Internet registries provide?

- Company's business information.
- Service provider
- Location information
- ALL OF THE ABOVE

What does CERT mean?

Computer Emergency Response Team

Passive tap ______________________________________.

Consists of splitting the signal by shaving a small portion of it off.

You want to implement a mechanism that automates the IP configuration, including IP address, subnet mask, default gateway, and DNS information. Which protocol will you use to accomplish this?

DHCP

Besides whois, which other tool can you use to obtain location information?

DNS tools

A ______________ tries to make a web resource occupied or unavailable to its users by flooding the URL of the victim with more requests than the server can handle.

DoS attack

It's considerably _______ to spoof an address using ______ as the transport protocol because there is no verification of the source address at the operating system level as there is with _____

Easier, UDP, TCP

Which of these terms is not related to cryptographic hashes?

Encryption

The tool used to perform ARP poisoning is:

Ettercap

About Geolocation, which sentence is not true?

Even different databases always show same results.

Which ones are TCP Connection States?

FIN-WAIT, CLOSE-WAIT, TIME-WAIT

The Microsoft utility that will generate the different hash values for you is:

File Checksum Identity Verifier

What is the database WiGLE used for?

For wireless hotspots around the world.

The practice of creating malformed requests for testing purposes is called

Fuzzing

The time is maintained relative to what time zone?

GREENWICH MEAN TIME

What does hearsay mean and how is it related to digital evidence?

Hearsay is an out-of-court statement provided as evidence by a witness testifying under oath in court. Hearsay testimonies are not accepted in court when the primary source of the statement is not present during the trial, and therefore unable to be cross-examined by the opposing party. In terms of digital evidence, it can be considered hearsay when the speaker or author is not present in court to testify to its validity. In addition, digital evidence can be mishandled and manipulated at any point in its chain of custody. With that said, such evidence can be questioned in terms of its authenticity and accuracy, thus resulting in the evidence being hearsay.

About the same HTTP message from question 7, it is wrong to say:

Host: field indicates which specific host the request is coming from.

Which sentences are TRUE? I. The network itself is used to perform lookups on these addresses to resolve IP addresses to MAC addresses and vice versa II. On the local network, not all communication is done using MAC addresses III. The problem with ARP is there is simply no way to verify that the messages being sent on the network are legitimate IV. Every system will typically cache an ARP resolution in a table locally to speed things up

I, III, and IV

Which sentences are correct about Location-based Services? I. Laptops and other mobile systems that don't have the capability to use GPS don't have a need for location-based services. II. The World Wide Web Consortium (W3C) has developed an application programming interface, called the Geolocation API, and a set of specifications that will allow devices that don't have GPS capability to also provide a location. III. The JavaScript makes calls to a navigator object looking for the GeoIP information.

II and III

Which statements are true regarding ICMP packets? I. They acknowledge receipt of a TCP segment. II. They guarantee datagram delivery. III. They can provide hosts with information about network problems. IV. They can be used for diagnostic purposes

III and IV

About the OSI Model, which sentence is false?

ISO made use of work done by the Siemens to create an abstract model

About SYN Flooding attack it is wrong to say:

Increasing the number of slots available unlimitedly to hold more half-open connections is a simple and realistic solution.

What is the name of the macOS startup program?

Launchd

Which layer of the TCP/IP stack combines the OSI model physical and data link layers?

Link layer

Which alternative doesn't appear on Wireshark's capture screen during capture process?

List of interfaces available

Explain what a MAC address is and how it works.

A MAC (Media Access Control) address is a hardware identification number that uniquely identifies each device on a network. It is manufactured into every network card such as an Ethernet card or Wi-Fi card which means it cannot be changed. Since there are millions of networkable devices in existence, each device has its own MAC address which is made up of six two-digit hexadecimal numbers separated by colons.

The data link layer uses ___ to route frames.

MAC addresses

The network interface:

Needs to be in promiscuous mode to capture packets.

Which tool is not a part of Sysinternals?

None

In network forensics, the data we want to collect is ________________________

Packet captures

The OSI layer which deals with the shape of connectors for network connections is the _________ Layer.

Physical

There are other ways to look at the Event Logs on Windows. One method is to use

PowerShell

What is Process Explorer? Explain what it does.

Process Explorer is a program that displays the DLLs processes and their state (opened or loaded). This can be used to track down problems regarding DLL and also provide a better understanding of how different applications and even Windows work. It shows the list of active processes along with the company name and description. It's also able to show the handles that are within the network.

How many layers does the OSI model have?

Seven

A ____________ relied on ___________ a source IP address and sending an __________ request, commonly known as a ping message, to the broadcast address of a network block.

Smurf attack, spoofing, ICMP echo

____________ is an old ____________ logging system. It was initially developed as part of the mail server Sendmail.

Syslog, Unix-based

Which of the layers is most similar between the OSI and TCP network models?

TCP Internetwork Layer and OSI Network Layer

_______________ is a graphical user application that provides information similar to _____________. Additionally, it is updated in real time, which ____________ can also do if you provide it an interval of time that you want to elapse before the information is updated.

TCPView, netstat, netstat

Which of the IP headers decides when the packet should be discarded?

TTL

Which tools are commonly used in Packet Capture and Analysis?

- Tcpdump
- Tshark
- Network Miner
- ALL OF THE ABOVE

Tcpdump is a program that has been available on Unix operating systems for decades. There has also been a port available for Windows called windump that runs on the same underlying packet capture library.

Tcpdump, Unix, Windows, windump

About connections, what is FALSE?

The CLOSED state happens when the application has bound to port and is waiting for connections.

Which sentences are TRUE?

The MAC address is required for two systems to communicate on a local network.

When it comes to addressing technical evidence in court cases, a couple of cases are worth understanding. Explain the Frye standard, its origins, and its rules.

The base rule of the Frye standard states that scientific procedures, principles, or techniques presented as evidence in court will not be admissible, unless they are generally accepted by a relevant scientific community. This standard was established following the case of Frye v. United States in 1923, in which polygraph evidence was not deemed admissible in the District of Columbia Court, because this technical evidence was not generally accepted at the time. The Frye standard became a way for courts to place validity on technical evidence being presented for it to be admissible in trial.

Which sentence is false about Syslog?

The original syslog is the only implementation existing and its functions remain the same even after updates.

Why doesn't a network interface in promiscuous mode on a switched network see more than in normal mode?

The promiscuous mode allows network devices to intercept and read each packet on a network as they arrive. The Ethernet LAN mode is a mode of operation in which every packet of data transmitted can be read and received by a network adapter. If a network interface is in promiscuous mode, all packets, including those not directed at the interface's MAC address, are sent to the kernel for processing. The reason this is a bad thing is because users on the system with a promiscuous network interface will be able to view any and all network packets.

What are the differences and similarities between OSI and TCP/IP models? Describe and explain.

The similarities between OSI and TCP/IP models are that both are protocol stacks, divide the network communication process into layers, provide a framework for creating and implementing networking standards and devices, and define standards for networking. Both models simplify the troubleshooting process by dividing complex functions into simpler components and are also reference models. The differences between OSI and TCP/IP models are that in the OSI model, the transport layer guarantees the delivery of packets while the transport layer does not provide a guarantee in the case of the TCP/IP model. The network layer of the OSI model provides both connection-oriented and connectionless service while in TCP/IP the network layer only provides connectionless service. Other differences are that the TCP/IP model is more reliable, the OSI model has 7 layers while TCP/IP has 4 layers, and the OSI Layer model is no longer used while TCP/IP is still used in computer networking.

Based on the POP3 server interaction shown below:

The user command tells the server that we are passing in the username and that's the parameter that goes with the command

Which sentence is false about Windows Event Logs?

The Windows Event Log has been around since Windows NT was released in 1991

The best way to demonstrate that evidence has not changed from the point of acquisition is:

To use a cryptographic hash.

The utility is named _______________ in Mac OS system, _____________ on a Linux system and __________________ on a Windows system.

Traceroute, traceroute, tracert.

What is VoIP?

Voice Over IP.

Discuss the differences between Voice over IP (VoIP) and traditional phone services.

Voice over IP uses interface devices that can convert traditional phones and the signal they use to IP. The only thing necessary is the IP address and a server within the VoIP provider network in order to communicate, but since Voice over IP uses an internet connection it doesn't guarantee the physical address since it can be manipulated. As for traditional phone services, they operate on hard-wired networks, which have a guaranteed physical address since the network is connected by wires. Also, VoIP services are beneficial since there are databases that will keep track of information and web interfaces that can perform lookups from IP addresses.

About traceroute, it is wrong to say:

When you run a traceroute you must save the results in a text file to check later.

Whereas Microsoft uses the _________________ to store configuration settings, ______________ uses property list files, sometimes called "plists."

Windows registry, Apple

Which sentence is wrong about packet analysis with Wireshark?

Wireshark doesn't keep track of a lot of information as it gathers each frame and it also does a lot of the decoding and dissection for us.

What are the differences between Wireshark and tcpdump/tshark? What are the issues running Wireshark?

Wireshark is a graphical user interface tool that helps capture or view packets entering and leaving a network interface. Tcpdump is a CLI-based tool that accepts many filters and allows you to view packets entering and leaving an interface remotely. Wireshark maps more network interfaces than tcpdump, which is typically used for traditional system-based interfaces. Wireshark is also more flexible regarding protocol and packet types; it can decode data payloads if the encryption keys can be identified, while tcpdump only provides simple analysis of traffic types such as DNS queries. Dropped packets, latency issues, and malicious activity on your network are common problems that Wireshark can help you troubleshoot.

About Malformed Packets it is wrong to say:

Wireshark is often very good at identifying errors in the packet capture and always recognizes when the packet can't be reassembled.

Checksum is the value that is computed across different sections of the packet to ensure it hasn't been corrupted. About how Wireshark handles checksum, which sentence is false?

Wireshark will not provide you with the checksum

What are you looking for when you apply the filter http.request.method == "POST" in Wireshark?

You are looking for where the client is sending information to the server.

Based on the Sample syslog configuration file below, which sentence is false?

You can't use one log setup for centralized logging

Not all ________________ attacks are distributed, but with large quantities of bandwidth being the normal state for businesses and even many end users, it's quite a bit harder to generate enough attack traffic as a solo practitioner than it used to be. As a result, we have ________________ which consists of multiple attackers distributed around the Internet.

denial of service, distributed denial of service attacks (DDoS)

What is the purpose of using Ifconfig/ipconfig and which information can you find out through that tool?

ipconfig is a command-line tool on Windows used to find the TCP/IP configuration of a computer. On the other hand, we also have ifconfig, which works the same way for Linux environments. TCP/IP configurations specify how data (packets, addresses, and destinations) is exchanged on the internet. This is a really useful tool in order to figure out the most efficient path through the network for internet architecture.

In which OSI layer do routers work?

network

The passive scanning approach _____________________________________.

will just run quietly, observing data that is passing across the network interface.

___________ and ____________ are examples of geolocation providers

www.iplocation.net and db-ip.com

