Info and Network Security Chapter 14
The Linux log file that contains activity related to the web server is ______. /var/log/apport.log /var/log/kern.log /var/log/lighttpd/* /var/log/apaches/*
/var/log/apaches/*
The Linux log file that can reveal attempts to compromise the system or the presence of a virus or spyware is ______________. /var/log/lighttpd/* /var/log/apache2/* /var/log/apport.log /var/log/kern.log
/var/log/apport.log
Ian is performing a forensic examination on a Linux server. He is trying to recover emails. Where does Linux store email server logs? /mail/log/mail.* /etc/log/mail.* /var/log/mail.* /server/log/mail.*
/var/log/mail.*
Which of the following are important to the investigator regarding logging? The logging methods Log retention Location of stored logs All of the above
All of the above
Mahmoud is using a range of Windows utilities to extract information from a computer he is triaging. He has just used the Openfiles command. The command Openfiles shows what? Any files that are opened Any shared files that are opened Any system files that are opened Any files open with ADS
Any shared files that are opened
In Windows, the log that stores events from a single application or component rather than events that might have system wide impact is the ____________ log. ForwardedEvents Application Applications and services System
Applications and services
Documentation of every person who had access to evidence, how they interacted with it, and where it was stored is called the ________________. Forensic trail Hiking trail Audit trail Chain of custody
Chain of custody
In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court? Policy of separation Rules of evidence Law of probability Chain of custody
Chain of custody
_________ can include logs, portable storage, emails, tablets, and cell phones. Network devices Computer evidence Ancillary hardware Security kit
Computer evidence
"Interesting data" is what Pornography Schematics or other economic-based information Documents, spreadsheets, and databases Data relevant to your investigation
Data relevant to your investigation
_______ is a free tool that can be used to recover Windows files. Disk Digger FileRecover SearchIt Outlook
Disk Digger
In Linux the command to set up a target forensics server to receive a copy of a drive is dd. True False
False
Most Windows logs are turned on automatically. True False
False
The Windows command fc lists all active sessions to the computer. True False
False
netstat is a command you can use with a forensic copy of a machine to compare two files. True False
False
You may use Linux to make a ______________ of the hard drive. Screen shot Bootable copy Forensically valid copy New version
Forensically valid copy
In Windows the log that contains events collected from remote computers is the ____________ log. Applications and services Application System Forwarded Events
Forwarded Events
Pedro is examining a Windows 7 computer. He has extracted the index.dat file and is examining that file. What is in the Index.dat file? General Internet history, file browsing history, and so on for a Linux machine All web history for Firefox Internet Explorer information General Internet history, file browsing history, and so on for a Windows machine
General Internet history, file browsing history, and so on for a Windows machine
Why should you note all cable connections for a computer you want to seize as evidence? To know what outside connections existed To know what hardware existed In case other devices were connected To know what peripheral devices exist
In case other devices were connected
If you fail to handle evidence properly ___________. You will be part of crime. Law enforcement may not look at it. It may be unusable in court. You may damage the hard drive.
It may be unusable in court.
When cataloging digital evidence, the primary goal is to do what? Prohibit the computer from being turned off Make bitstream images of all hard drives. Preserve evidence integrity Avoid removing the evidence from the scene
Preserve evidence integrity
Usually, the first thing you do to a computer to prevent further tampering is to _________. Make a backup Take it offline Lock it in a secure room. Make a copy
Take it offline
Frequently the first responder to a computer crime is ________. The network administrator. The news media College students A law enforcement officer
The network administrator.
Frequently the first responder to a computer crime is the network administrator. True False
True
Older versions of Internet Explorer stores web browsing information in a file called index.dat. True False
True
The Windows Registry contains a list of USB devices that have been connected to the machine. True False
True
The Windows Registry lists USB devices that have been connected to the machine. True False
True
The chain of custody accounts for the handling of evidence from the moment of seizure until it is presented in court, and documents that handling. True False
True
Windows logging can be turned on and off with a tool called auditpol.exe. True False
True
Using Linux to wipe the target drive, the command-line command would be ___ . cc md5sum dd nd
dd
What is the name of the Standard Linux command that is also available as a Windows application that can be used to create bitstream images and make a forensic copy? image mcopy MD5 dd
dd
Windows stores information on web address, search queries, and recently opened files in a file called___________. index.dat default.dat internet.txt explore.exe
index.dat
Using Linux to backup your hard drive, if you want to create a hash, you would use the command-line command ___________. md5sum nd cc dd
md5sum
Using Linux to backup your hard drive, if you want to create a hash, you would use the command-line command ___________. nd md5sum dd cc
md5sum
The Windows command to list any shared files that are currently open is ___________. netstat opennfiles fc ping
opennfiles