Midterm Study 537


Layer 6

Presentation Layer #

Transport (Protocols and Standards)

TCP & UDP

The combination of the TCP header and the encapsulated payload together is referred to as a ________________. Question 24 options: TCP segment TCP datagram TCP range TCP packet

TCP segment **pg**

Dumpcap automatically writes captured packets to a file. Question 56 options: True False

True **pg**

At what layer of the OSI model do proxy servers operate?

layer 7 (application)

Footprint

the impact investigators have on the systems under investigation (every action on a live system, from logging in to starting a capture, changes its state)

Network based evidence is highly

volatile because of how it is stored and retained: packets are gone once forwarded and logs roll over, so the risk of losing it is far higher than for non-volatile evidence (hard drives). Collecting it may itself leave footprints on the systems involved.

What three characteristics distinguish TCP from UDP?

connection-oriented (set up by a three-way handshake), reliable delivery (segments are acknowledged and retransmitted if lost), and ordered delivery of a byte stream (sequence numbers, with flow control); UDP is connectionless, best-effort, and delivers independent datagrams

Network based digital evidence

digital evidence produced as a result of communication over a network

____ is used for confidentiality while ____ is used for integrity and authentication.

encryption, hashes (a bare hash checks integrity; authentication also needs a key, as in an HMAC or a digital signature over the hash)

Layer 2

Data Link Layer #

A UNIX C library that provides an API for capturing and filtering data linklayer frames from arbitrary network interfaces is referred to as _________________ Question 51 options: winpcap libpdump tcpdump libpcap

libpcap **pg**

Application (Protocols and Standards)

DHCP, DNS, HTTP, NTP, SFTP, SMTP, SNMP, Telnet

A mechanism used to map IP addresses to the human-readable names that are assigned to systems and networks is known as Question 21 options: Router DHCP Hub DNS

DNS 2.1.6 pg 26

The science of collecting, classifying, and analyzing facts of a numerical nature regarding any topic is known as ________________ Question 63 options: protocol statistics flow Record process

statistics 5.5 pg 172

Establishes network connections; translates network addresses into their physical counterparts and determines routing.

network layer duties

What utility in Linux provides standards for generating, storing, and processing messages about events on a system?

syslog

In bitmasking, "0" represents a bit of interest while "1" represents a bit we choose to ignore. Question 49 options: False True

False (it is the other way round: a 1 bit in the mask marks a bit of interest and a 0 bit ignores it, as in the BPF expression tcp[13] & 2 != 0 that tests the SYN flag)

A flow is always mapped one-on-one to a transport connection. Question 10 options: False True

False 4.3 pg 105
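Why a flow is not the same thing as a transport connection, worked through as an added example (it is not part of the course material). The packet metadata is constructed inline, the 120-second active timeout is an assumption standing in for whatever a real exporter is configured with, and the key is a direction-independent 5-tuple so both halves of a conversation land in one record.

```python
"""Flow records built from constructed packet metadata.

Added example, not from the course text. A flow is a set of packets sharing a
key (here protocol plus the two endpoints, order-independent) within a time
window; it is not a transport connection: one TCP connection can be exported as
several flow records when an active timeout expires, and UDP traffic forms flows
even though UDP has no connection at all.
"""

# Constructed sample: (timestamp_s, src_ip, sport, dst_ip, dport, proto, bytes)
PACKETS = [
    (0.0,   "10.0.0.5", 40000, "10.0.0.9", 443,   "tcp", 60),    # SYN
    (0.1,   "10.0.0.9", 443,   "10.0.0.5", 40000, "tcp", 60),    # SYN+ACK
    (0.2,   "10.0.0.5", 40000, "10.0.0.9", 443,   "tcp", 52),    # ACK
    (1.0,   "10.0.0.5", 51000, "10.0.0.1", 53,    "udp", 70),    # DNS query
    (1.05,  "10.0.0.1", 53,    "10.0.0.5", 51000, "udp", 150),   # DNS reply
    (200.0, "10.0.0.5", 40000, "10.0.0.9", 443,   "tcp", 1500),  # same TCP connection, later
    (200.2, "10.0.0.9", 443,   "10.0.0.5", 40000, "tcp", 52),
]

ACTIVE_TIMEOUT = 120.0   # assumed exporter setting, in seconds


def flow_key(pkt):
    """Direction-independent key: sort the two endpoints so A->B and B->A match."""
    _, sip, sp, dip, dp, proto, _ = pkt
    a, b = (sip, sp), (dip, dp)
    if a > b:
        a, b = b, a
    return (proto, a, b)


def build_flows(packets, active_timeout=ACTIVE_TIMEOUT):
    """Aggregate packets into flow records, splitting on the active timeout."""
    exported, open_flows = [], {}
    for pkt in sorted(packets, key=lambda p: p[0]):
        ts, key = pkt[0], flow_key(pkt)
        rec = open_flows.get(key)
        if rec is not None and ts - rec["start"] > active_timeout:
            exported.append(rec)          # export the old record, start a fresh one
            rec = None
        if rec is None:
            rec = {"key": key, "start": ts, "end": ts, "packets": 0, "bytes": 0,
                   "initiator": (pkt[1], pkt[2])}   # first sender seen in this record
            open_flows[key] = rec
        rec["end"] = ts
        rec["packets"] += 1
        rec["bytes"] += pkt[6]
    exported.extend(open_flows.values())  # flush whatever is still open
    return sorted(exported, key=lambda r: r["start"])


if __name__ == "__main__":
    for r in build_flows(PACKETS):
        print(r["key"], "start=%.1f end=%.1f pkts=%d bytes=%d"
              % (r["start"], r["end"], r["packets"], r["bytes"]))
```

On this input the single TCP connection yields two flow records (the active timeout expires between the handshake and the later data), and the DNS exchange yields one record with no connection behind it. The sorted-endpoint key is what makes a query and its reply one bidirectional flow; an exporter that emits unidirectional flows (classic NetFlow) would produce two records per conversation instead.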

Physical Link (Standards)

IEEE 802.3 (Ethernet), 802.5 (Token Ring), 802.11 (Wi-Fi)

Which of the following protocol is designed to handle addressing and routing on a network? Question 20 options: IP v TCP ICMP

IP 2.3.2 pg 37

TCP works with

IP (internet protocol) which defines how computers send packets of data to each other

What is the primary protocol used at the Network layer?

IP (Internet Protocol)

The combination of the IP header and encapsulated payload together are referred to as a/an ____________. Question 22 options: address range IP packet checksum IP segment

IP packet 2.3.2 pg 37

Which protocol's header would a Layer 4 device read and process?

TCP

Tcpdump captures traffic bit-by-bit as it traverses any physical media suitable for conducting link-layer traffic. Question 52 options: True False

True **pg**

The Berkeley Packet Filter language provides syntax to specify the byte offset relative to the beginning of common Layer 2, 3, and 4 protocols. Question 55 options: True False

True **pg**

WAP is a Layer 2 device that aggregates endpoint stations into a LAN.

True 6.2 pg 214

DNS is a higher-layer query-response protocol

True pg 128

How to minimize your footprint?

You will always have one. It must be weighed against the need for expediency in data collection: always be conscious of it, and tread lightly.

Which of the following SNMP operation command can be used to retrieve multiple pieces of information during network device inspection and management? Question 59 options: "SET" "TRAP" "GET" "GETBULK"

"GETBULK"

A list of strings, names, patterns, etc., that may be related to the suspicious activities within a network traffic under investigation is referred to as __________ Question 3 options: "packet protocol list" "flow record list" "string pattern list" "dirty word list"

"dirty word list" pg 100 4.2.2.1

Layer 3

Network Layer #

Which of the following CANNOT be identified in the process of analyzing encrypted wireless traffic Question 23 options: Payload Suspicious stations that may be attacking the wireless network MAC addresses of legitimate unauthenticated stations MAC addresses of legitimate authenticated stations

- Payload

Which of the following does NOT belong on the OSI model? (Choose all that apply) Question 19 options: Protocol Network Service Data link Transport

- Protocol - Service 2.2.2 pg 32

Which of the following is a means of identifying protocol? (Choose all that apply) Question 6 options: Leverage information in the encapsulating protocol Leverage the TCP/UDP port number, many of which are associated with standard default services Test for the presence of recognizable protocol structures Extract the contents of protocol fields. Search for common binary/hexadecimal/ASCII values that are typically associated with a specific protocol

- Search for common binary/hexadecimal/ASCII values that are typically associated with a specific protocol - Leverage the TCP/UDP port number, many of which are associated with standard default services - Test for the presence of recognizable protocol structures - Leverage information in the encapsulating protocol

Which of the following is a technique used in conducting packet analysis? (Choose all that apply) Question 13 options: Separate packets based on the values of fields in protocol metadata. Extract the contents of protocol fields. Test for the presence of recognizable protocol structures Leverage information in the encapsulating protocol Identify packets of interest by matching specific values within the packet capture.

- Separate packets based on the values of fields in protocol metadata. - Identify packets of interest by matching specific values within the packet capture. - Extract the contents of protocol fields. 4.2.2 pg 99

Which of the following is a common attack on a wireless network? Question 30 options: Physical attack Sniffing attack Targeted attack

- Sniffing attack

How many bits does an IPv6 address contain?

128

The TCP header includes _________ fields for "source port" and "destination port." Question 25 options: 64-byte 8-byte 32-byte 16-byte

16-bit (2-byte) fields **pg** (the quiz options say "16-byte", but each port field is 16 bits wide, which is what gives the 0-65535 port range)

What decimal number corresponds to the binary number 11111111?

255

How many bits of a Class A IP address are used for host information?

24 bits

Every network card on an Ethernet network has a ____________MAC address, assigned by the manufacturer. Question 12 options: 2-byte 64-byte 6-byte 32-byte

6-byte 4.4.1.2 pg 122

Which of these is an example of real evidence? Question 42 options: The serial number of the USB device An eye witness account of events A file recovered from the hard drive A shotgun recovered from the crime scene

A shotgun recovered from the crime scene

Cryptographic hash

A fixed-length digest that acts as a unique fingerprint of a piece of data, used to verify its integrity (sometimes loosely called a checksum, although a plain checksum such as a CRC is not collision-resistant). If two different inputs produce the same hash (a collision), the function is considered broken.

Network (Protocols and Standards)

ARP, IP

APT1

Advanced Persistent Threat 1: the label Mandiant used in its 2013 report for a long-running, Chinese state-sponsored intrusion group (attributed to PLA Unit 61398) that compromised US and other Western organisations; the report was the first public, detailed attribution of an APT campaign to a specific state unit.

Presentation Layer (Duties)

Allows hosts and applications to use a common language; performs data formatting, encryption, and compression.

Which of the following is the correct definition of Circumstantial Evidence? Question 45 options: The testimony or evidence offered by a direct witness of the act or acts in question. The testimony or evidence offered second-hand by someone who was not a direct witness of the act or acts in question. Evidence that does not directly support a specific conclusion, but may be linked together with other evidence and used to deduce a conclusion. Any documentation that satisfies the requirements of "evidence" in a court proceeding.

Evidence that does not directly support a specific conclusion, but may be linked together with other evidence and used to deduce a conclusion. **pg**

Layer 7

Application Layer #

A user complains that he cannot access a particular Web site, although he is able to access other Web sites. At which layer of the OSI model should you begin troubleshooting the problem?

Application layer (L7)

A bit-for-bit snapshot of a network transaction is an example of what type of evidence? Question 47 options: Circumstantial Best Direct Real

Best **pg**

Which of the following is NOT a category of meaningful and specific evidence? Question 40 options: Circumstantial Direct Business Rules Hearsay

Business Rules **pg**

What field in a TCP segment is used to determine if an arriving data unit exactly matches the data unit sent by the source?

Checksum (a 16-bit ones'-complement sum over a pseudo-header, the TCP header and the data; it detects accidental corruption in transit, not deliberate modification, since anyone altering the segment can simply recompute it)

Which of the following cables consists of a single copper wire core wrapped in insulation and covered with a copper shield and then sealed with an outer insulation? Question 60 options: Fiber optic cables Insulated copper cables Coaxial cables Twisted Pair cables

Coaxial cables

Which of the following is NOT a challenge posed by network-based evidence? Question 43 options: Admissibility Content Seizure Concept

Concept

Data Link Layer (Duties)

Frames data for the physical medium, addresses nodes on the local link by MAC address, and detects transmission errors (the Ethernet FCS); NICs, switches and bridges operate here.

Transport Layer (Duties)

Ensures accurate delivery of data through flow control, segmentation and reassembly, error correction, and acknowledgement.

Session Layer (Duties)

Establishes, maintains, and terminates user connections.

Which is an element to be considered essential in analyzing evidence? Question 46 options: Evidence correlation Evidence information Evidence importance Evidence collection

Evidence correlation

At the Network layer, what type of address is used to identify the receiving host?

IP address

A wireless access point (WAP) is a _____________ device that aggregates endpoint stations into a local area network. Question 31 options: Layer 2 Layer 1 Layer 3 Layer 4

Layer 2 6.2 pg 214

What is the lowest layer of the OSI model at which wired and wireless transmissions share the same protocols?

Layer 3 (network)

At the Link layer, which type of network address is used to identify the receiving node?

MAC address (media access control)

Physical Layer (Duties)

Manages signalling to and from physical network connections over the transmission medium (copper, fibre, radio): bit encoding, voltages, connectors and timing. Hubs and repeaters operate at this layer.

NTP

Network Time Protocol: synchronises a computer's clock with time servers (UDP port 123). Consistent time across hosts is what makes log and packet timestamps from different sources correlatable.

Which of the following is a dumb Layer 1 device that physically connects all stations on a local subnet to one circuit? Question 54 options: Network firewall Network hub Network router Network switch

Network hub **pg**

The first step in the methodological framework of recovering and analyzing digital evidence is ___________ Question 44 options: Collecting information Analyzing evidence Obtaining information Reporting evidence

Obtaining information

Which of the following is NOT an example of Packet Analysis Tools? Question 2 options: ngrep PSML Hex Editors Wireshark

PSML pg. 96 4.2.1

The art and science of examining the contents and/or metadata of one or more protocols within a set of packets is referred to as ______. Question 7 options: Packet matching Flow Analysis Packet Analysis Protocol Analysis

Packet Analysis pg 95 4.2

Which of the following is NOT a fundamental technique used to analyze a packet? Question 4 options: Parsing Protocol Fields Packet Filtering Pattern Matching Packet Detail Markup

Packet Detail Markup pg 99 4.2.2

Layer 1

Physical Layer #

A set of formal rules describing how to transmit data, especially across a network is referred to as ____________ Question 15 options: Firewalls Database Server Protocol Routers

Protocol 2.2.1 pg 30

The technique of interpreting the data in a frame according to a specific known structure, in order to correctly understand the meaning of each bit in the communication is known as ________. Question 8 options: Packet Analysis Protocol Analysis Protocol Decoding Packet Decoding

Protocol Decoding pg 90 4.1.3.2

Application Layer (Duties)

Provides the interface between software applications and the network; interprets application requests and requirements.

_________________ is a physical, tangible object that played a relevant role in an event that is being adjudicated. Question 41 options: Real Evidence Best Evidence Circumstantial Evidence Direct Evidence

Real Evidence

Which of the following is a technique in decoding network traffic according to a specific protocol specification? Question 9 options: Search for common binary/hexadecimal/ASCII values of the traffic protocol Refer to publicly available documentation and manually decode the traffic Leverage the TCP/UDP port number, Leverage information in the encapsulating protocol

Refer to publicly available documentation and manually decode the traffic pg 91 4.1

Which of the following is NOT a network forensic investigative methodology? Question 48 options: Release evidence Analyze evidence Collect evidence Strategize

Release evidence **pg**

Which of the following devices connects different subnets or networks together and facilitates transmission of packets between different network segments, even when they have different addressing schemes? Question 26 options: Switches Wireless network Router Hub

Router **pg**

Which of the following is an alternative protocol used in conjunction with SSH for secure file transfer and manipulation? Question 58 options: Telnet SFTP TFTP SNMP

SFTP

Examples of cryptographic hashes

SHA-1 (Secure Hash Algorithm 1) and MD5. Both have practical collision attacks, so neither should be relied on for integrity today (SHA-256 is the usual replacement); they remain in use for matching files against existing hash sets.

Using TCP, a client takes the active role to initiate and establish a connection by sending a TCP message known as a ____________ Question 27 options: ACK message SYN message URG message FIN message

SYN message **pg**

Which of the following is NOT a field on a TCP segment header? Question 18 options: Checksum Reserved Session Window size

Session 2.3.3 pg 41

Layer 5

Session Layer #

A user complains that Skype drops her videoconference calls and she must reconnect. At which layer of the OSI model should you begin troubleshooting? Which OSI layer is responsible for not dropping the Skype connection?

Session Layer (L5), Application Layer (L7)

What process is used to establish a TCP connection?

Three-way handshake
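The handshake the two cards above describe, run as an added example that is not part of the course material: no sockets are opened, the two endpoints are in-memory objects, and the initial sequence numbers 1000 and 5000 are constants chosen for readability (real stacks randomise them so an off-path attacker cannot guess them). The point is the sequence/acknowledgement arithmetic, which is what an analyst checks when deciding whether a capture shows a completed connection.

```python
"""Simulated TCP three-way handshake with sequence/acknowledgement arithmetic.

Added example, not from the course text: no sockets are opened. Two in-memory
endpoints exchange small dicts standing in for TCP headers, and the initial
sequence numbers (ISNs) are fixed constants chosen for readability; real stacks
randomise them (RFC 6528) so an off-path attacker cannot guess them.
"""
from dataclasses import dataclass

# Flag bits as they appear in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Endpoint:
    name: str
    isn: int                 # initial sequence number this side will use
    state: str = "CLOSED"
    snd_nxt: int = 0         # next sequence number this side will send
    rcv_nxt: int = 0         # next sequence number expected from the peer


def segment(flags: int, seq: int, ack: int = 0) -> dict:
    """A minimal TCP header carrying only what the handshake needs."""
    return {"flags": flags, "seq": seq, "ack": ack}


def flag_names(flags: int) -> str:
    names = [n for n, b in (("SYN", SYN), ("ACK", ACK), ("FIN", FIN),
                            ("RST", RST), ("PSH", PSH)) if flags & b]
    return "+".join(names) or "none"


def handshake(client: Endpoint, server: Endpoint) -> list:
    """Run the handshake; return [(direction, segment), ...] in wire order."""
    wire = []
    server.state = "LISTEN"

    # 1. Client -> server: SYN. A SYN occupies one sequence number.
    client.snd_nxt = client.isn
    syn = segment(SYN, seq=client.snd_nxt)
    client.snd_nxt += 1
    client.state = "SYN-SENT"
    wire.append(("client->server", syn))

    # 2. Server -> client: SYN+ACK. The ACK number is the client's ISN + 1,
    #    i.e. the next byte the server expects; the server's own SYN carries
    #    its ISN and also occupies one sequence number.
    if (syn["flags"] & (SYN | ACK)) != SYN:
        raise ValueError("listener expected a bare SYN")
    server.rcv_nxt = syn["seq"] + 1
    server.snd_nxt = server.isn
    synack = segment(SYN | ACK, seq=server.snd_nxt, ack=server.rcv_nxt)
    server.snd_nxt += 1
    server.state = "SYN-RECEIVED"
    wire.append(("server->client", synack))

    # 3. Client -> server: ACK. The client checks that the peer acknowledged
    #    exactly the sequence number it is about to use; a wrong ACK number
    #    (a spoofed or stale SYN+ACK) is rejected. This ACK carries no SYN,
    #    so it does not consume a sequence number.
    if synack["ack"] != client.snd_nxt:
        raise ValueError("SYN+ACK acknowledges the wrong sequence number")
    client.rcv_nxt = synack["seq"] + 1
    ack = segment(ACK, seq=client.snd_nxt, ack=client.rcv_nxt)
    client.state = "ESTABLISHED"
    wire.append(("client->server", ack))

    if ack["ack"] != server.snd_nxt:
        raise ValueError("final ACK acknowledges the wrong sequence number")
    server.state = "ESTABLISHED"
    return wire


def describe(wire: list) -> list:
    """Human-readable one-liners, e.g. 'client->server SYN seq=1000 ack=0'."""
    return [f"{d} {flag_names(s['flags'])} seq={s['seq']} ack={s['ack']}"
            for d, s in wire]


if __name__ == "__main__":
    c, s = Endpoint("client", isn=1000), Endpoint("server", isn=5000)
    for line in describe(handshake(c, s)):
        print(line)
```

In a capture, the same three segments appear with flags bytes 0x02, 0x12 and 0x10; a SYN with no matching SYN+ACK, or a SYN+ACK with no final ACK, is a half-open connection, which is what a port scan or SYN flood looks like on the wire.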

TCP

Transmission Control Protocol: the standard that defines how to establish and maintain a network conversation over which application programs exchange data

Layer 4

Transport Layer #

Which of the following is NOT a tool for intercepting traffic on a network cable? Question 50 options: Inline network taps Induction coils taps Fiber optic taps Twisted pair taps

Twisted pair taps **pg**

Which of the following is commonly used within enterprises to improve performance by locally caching web pages and to log, inspect, and filter web surfing traffic. Question 17 options: Router Firewall Hub Web Proxies

Web Proxies 2.1.10 pg 28

The process of capturing traffic from devices while the system is still running, perhaps even still on the network is referred to as ________________. Question 57 options: direct evidence acquisition passive evidence acquisition indirect evidence acquisition active evidence acquisition

active evidence acquisition **pg**

Special devices designed to perform deeper inspection of network traffic in order to make more intelligent decisions as to what traffic should be forwarded and what traffic should be logged or dropped are called ___________ Question 14 options: hubs switches name server firewalls

firewalls 2.1.9 pg 28

Which of the following statements best describes the BPF syntax shown below: ip[9] != 1 Question 53 options: matches frames whose single-byte field at the ninth byte offset of the IP header does not equal "1." matches all packets in which the single-byte field starting at the ninth byte offset of the IP header is equal to 1. introduces the notation for specifying a multibyte field (2 bytes) at the 9-byte offset of the TCP header isolates all ICMP traffic where the one-byte field at the 0-byte offset of the ICMP header is equal to 9

matches frames whose single-byte field at the ninth byte offset of the IP header does not equal "1." (Byte 9 of the IPv4 header is the Protocol field and 1 is ICMP, so this expression keeps everything except ICMP.)
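The byte-offset, bitmask and checksum cards on this page worked through on actual bytes, as an added example that is not part of the course material or any tool's source. The Ethernet/IPv4/TCP frame, its MAC and IP addresses and ports are all constructed here; the code verifies the IPv4 header checksum and the TCP checksum the way a decoder does, then evaluates BPF-style expressions such as ip[9] != 1 and tcp[13] & 2 != 0 by locating each protocol's header inside the encapsulating one.

```python
"""Byte-offset packet inspection over a constructed Ethernet/IPv4/TCP frame.

Added example, not from the course text or any tool's source: the frame,
addresses and ports are made up. It verifies the IPv4 header checksum and the
TCP checksum the way a decoder does, then evaluates BPF-style offset
expressions such as ip[9] != 1 and tcp[13] & 2 != 0 against the raw bytes.
"""
import struct

ETH_HDR = 14                     # dst MAC(6) + src MAC(6) + EtherType(2)
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum of data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # ver/IHL, TOS, total length, ID, flags+frag, TTL, protocol, checksum=0, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, _ip(src), _ip(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)


def build_tcp_header(src: str, dst: str, sport: int, dport: int, seq: int,
                     ack: int, flags: int, window: int = 65535) -> bytes:
    # data offset 5 words (20 bytes, no options); checksum field 0 while summing
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = ones_complement_sum(tcp_pseudo_header(_ip(src), _ip(dst), len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_frame() -> bytes:
    """Constructed sample: 10.0.0.5:40000 -> 10.0.0.9:443, SYN, no payload."""
    src, dst = "10.0.0.5", "10.0.0.9"
    tcp = build_tcp_header(src, dst, 40000, 443, seq=1000, ack=0, flags=0x02)
    ip = build_ipv4_header(src, dst, IPPROTO_TCP, len(tcp))
    eth = bytes.fromhex("00163e0a0b0c") + bytes.fromhex("00163e010203") + b"\x08\x00"
    return eth + ip + tcp


def ip_header(frame: bytes) -> bytes:
    ihl = (frame[ETH_HDR] & 0x0F) * 4        # header length from the IHL nibble
    return frame[ETH_HDR:ETH_HDR + ihl]


def tcp_segment(frame: bytes) -> bytes:
    ip = ip_header(frame)
    total_len = struct.unpack("!H", ip[2:4])[0]
    return frame[ETH_HDR + len(ip):ETH_HDR + total_len]


def ipv4_checksum_ok(frame: bytes) -> bool:
    # Summing a header that contains its own correct checksum yields 0.
    return ones_complement_sum(ip_header(frame)) == 0


def tcp_checksum_ok(frame: bytes) -> bool:
    ip, seg = ip_header(frame), tcp_segment(frame)
    return ones_complement_sum(tcp_pseudo_header(ip[12:16], ip[16:20], len(seg)) + seg) == 0


def bpf_byte(frame: bytes, proto: str, offset: int, size: int = 1) -> int:
    """proto[offset:size] in BPF notation: the offset is relative to the start
    of that protocol's header, found by walking the encapsulating headers."""
    base = {"ether": 0, "ip": ETH_HDR, "tcp": ETH_HDR + len(ip_header(frame))}[proto]
    return int.from_bytes(frame[base + offset:base + offset + size], "big")


def not_icmp(frame: bytes) -> bool:
    """BPF 'ip[9] != 1': byte 9 of the IP header is the Protocol field, 1 = ICMP."""
    return bpf_byte(frame, "ip", 9) != IPPROTO_ICMP


def syn_set(frame: bytes) -> bool:
    """BPF 'tcp[13] & 2 != 0': mask byte 13 (the flags) with SYN; a 1 bit in the
    mask is a bit of interest, a 0 bit is ignored."""
    return (bpf_byte(frame, "tcp", 13) & 0x02) != 0


def rewrite_dport(frame: bytes, dport: int) -> bytes:
    """Change the destination port and recompute the TCP checksum. The result
    verifies cleanly: a checksum catches accidental corruption, not deliberate
    modification, which is why integrity needs a cryptographic hash or MAC."""
    ip, seg = ip_header(frame), bytearray(tcp_segment(frame))
    seg[2:4] = struct.pack("!H", dport)
    seg[16:18] = b"\x00\x00"
    csum = ones_complement_sum(tcp_pseudo_header(ip[12:16], ip[16:20], len(seg)) + bytes(seg))
    seg[16:18] = struct.pack("!H", csum)
    return frame[:ETH_HDR + len(ip)] + bytes(seg)
```

The bpf_byte helper is the whole idea behind the "ip[9]" and "tcp[13]" notation: the filter does not know about fields by name, it knows where each header starts and reads N bytes at a fixed offset from there, so a TCP offset is only meaningful once the IPv4 header length has been read from the IHL nibble. Flipping one bit of the destination port makes tcp_checksum_ok fail while ipv4_checksum_ok still passes (the IP checksum covers only the IP header), and rewrite_dport shows the checksum passing again after a deliberate change.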

OSCAR

The network forensics investigative methodology: Obtain information, Strategize, Collect evidence, Analyze, Report.

At which OSI layer does IP operate?

network layer (3)

A computer is unable to access the network. When you check the LED lights near the computer's network port, you discover the lights are not lit. Which layer of the OSI model are you using to troubleshoot this problem? At which two layers does the network adapter work?

physical layer (L1), data link layer (L2)

What number does a host use to identify the application involved in a transmission?

port number

Which of the following BPF primitives qualifier restrict the match to a particular protocol? Question 61 options: type net proto dir

proto

