NETWORK FORENSICS 7-12
In nmap, what type of scan does the -sT command perform?
A connect scan
In nmap, what type of scan does the command -sS perform?
A half-scan
The term Diffie-Hellman is known to achieve?
A key exchange protocol
What is the Caeser cipher?
A letter substitution process
Which of the following is a type of symmetric encryption algorithm?
AES
Restoring encrypted information to the original message, commonly called plaintext, is?
Decryption
The tools Nessus, is used for?
Determine system vulnerabilities
What is the objective of using SSLScan?
Determines cipher suites supported in SLL or TLS
When conducting normal frequency distribution of letters, which letter is more often encountered?
E
All the sentences present correct information about SIEM, EXCEPT:
Each SIEM will generate rules in different ways, but always with same complexity level.
Syslog was configured with a level 1 trap. Which types of logs would be generated?
Emergencies
Syslog defines a priority as being the facility code multiplied by 8 then adding the severity code. In that case, which Severity would automatically give you a priority of 0?
Emergency
Why does the nmap -sS require sudo before the command?
So it can use raw sockets
Which technology allows syslog messages to be filtered to different devices based on event importance?
Syslog severity levels
Which of the options below are primary categories of Windows logs? (Select all the correct alternatives)
System / Application / Security
Which sentence is false about Windows Event Logs?
The Windows Event Log has been around since Windows NT was released in 1991
The Onion Router (TOR) provides access to what system?
The dark web
Which option represents a correct correlation between Severity, Keyword and Description
Warning - warning - May indicate that an error will occur if action is not taken
Which sentence is FALSE?
When it comes to monitoring IDS alerts, no additional infrastructure is necessary.
What information is obtained from using fping -g 192.168.86.0/24?
Which systems are alive
What does cloud computing means?
a computing service is being provided somewhere in a network
Snort rules
can be used across multiple packages, which makes learning how to read and create the rules useful, even if you aren't using Snort itself
There are other ways to look at the Event Logs on Windows. One method is to use
powershell
To perform banner grabbing, which tools would you use?
telnet
About time synchronization, select the correct affirmatives:
- Each system within a network would be configured to synchronize with a local time source. - Linux, systems would commonly use one of the pool servers maintained by ntp.org to synchronize. - Operating systems like Windows and Mac OS X are configured by default to synchronize with a time server maintained by Microsoft and Apple, respectively.
Nmap can determine the operating system of its target, what option would perform this action?
- O
Why does NTP transmits and receives over UDP? (Select all the correct options)
-Because speed is the most important factor. -Because in that case you want to receive the messages from the NTP server with the shortest delay absolutely possible. - Because in the case of a time synchronization message, it is less important that it get there guaranteed.
As Syslog defines a priority as being the facility code multiplied by 8 then adding the severity code, what is the priority of a local7 debug message?
191
Convert the hexadecimal number 2C to decimal:
44
What does the following command accomplish, nmap -sn 192.168.86.0/24?
A ping sweep
About firewall logs it is WRONG to say:
All firewalls will automatically log dropped messages, but they can often be directed to log drops.
Firewall logs are another important tool when it comes to looking into network incidents. What is possible to see in the log entries below?
All of the above
A Host-based IDS:
All the above
When synchronizing time across systems regardless the time zone they are located in, it is correct to say:
All the above
A type of Infrastructure as a Service is?
AmazonEc2
Certificates are normal used in which type of encryption?
Asymmetric
Which affirmative is wrong about OSSEC?
Besides the evidence that can be provided by the network traffic, OSSEC cannot provide any additional evidence of what is happening on the local system.
Which of the following is NOT a characteristic of an intrusion detection system?
Blocks attacks
About Bro is wrong to say:
Bro doesn't provide a lot of flexibility, as compared to an IDS like Snort, that provides a large number of actions that can be triggered.
Windows uses the ____________ to store log information.
Event Log
Where syslog runs on Unix-like systems as the de facto logging system, on Windows systems, you can count on the Event Logs and being able to view them using the:
Event Viewer
The term port knocking refers to?
Externally opening ports
When conducting ports scanning, what is the main objective?
Find open ports
Suricata
Had the advantage of being multithreaded where Snort was single-threaded, when it was developed.
The search engine Ahmia searches for?
Hidden services on the Tor Network
In the Syslog severity Levels, the _______ severities have ______ numbers. The most severe log entry will have a severity level of ___
Higher, higher, 10
Tripwire is a ____________ IDS and was long focused on identifying file changes.
Host-Based
Nxlog is a tool owned by:
IBM
About Logging, which sentences are true? I.From a networking perspective analyzing only the operating system and application logsismore than enough to investigate network incidents. II.While logging systems often store the log data on the device where it is generated, largerenterprises may be more likely to store their logs on centralized logging systems. III.Any device that interacts with users in some way or is exposed to a larger network has thepotential to be compromised IV.An attacker couldn't manipulate the log files even if he gains the necessary access, whichmay include administrative privileges
II and III
Which one is not a problem of the Heuristic detection system?
It requires multiple rules which may increase over time, increasing the processing needs.
Syslog defines a priority as being the facility code multiplied by 8 then adding the severity code. In that case, which Facility would automatically give you a priority of 0?
Kernel
In the Common Log format, all the options are present except:
MAC address
The scanner OpenVas is more closely related to which other scanner?
Nessus
_______________ is a protocol that was developed by_____________ as a way of providing data that could be used to troubleshoot a network.
NetFlow / Cisco Systems
A tool very similar to Nessus is?
Nexpose
Which of these tools are commonly used to perform Log Management? (Select all the correct options) (Select all)
Nxlog / Splunk / Windows Event Viewer / Syslog
About NetFlow, the false sentence is:
Once you have devices generating NetFlow data, you need a system in place to handle the collection. This system is called a NetFlow Compiler
How can keys are required for a symmetric encryption?
One
About packages timing and capture, all the options are correct, EXCEPT:
Packet captures always include their own per-frame times.
Which tool is capable of doing analysis on potential malware samples?
PacketTotal
When using Wireshark, which file format is used to store timestamps for all frames in Epoch time?
Pcap
Wireshark is a tool that can be used to the following purposes, EXCEPT:
Perform log aggregation and management
Select the correct sentences about the tool known as Plaso.
Plaso is a collection of software that provides the ability to ingest several data types. log2timeline is a Plaso's component, which does the work of taking the input, performing any parsing, and filtering then outputting a storage file useful to other tools.
What are hypervisors?
Power system that allow for system virtualization
By default, the Snort source doesn't come with rules. Because rules are regularly being contributed, these additional signatures need to be downloaded. This means that new rules need to be pulled, and Snort doesn't come with the ability to do that without help. Which program can you use to regularly download the new sets of rules that are available?
Pulledpork
What does this command accomplish, sudo nmap --script=ssh-hostkey.nse 192.168.86.111 ?
Runs scripts against target
The _________ will leave behind an audit event indicating that the log had been cleared. The same is true of the __________. In fact, the ________ will also generate an event saying that the _________ has been cleared, if the it was to be cleared.
Security / System / System / Application
What does SIEM stands for?
Security Information and Event Management
The term tunneling is open used to?
Send data encrypted over port 80
The logs from Antivirus programs
Should be able to indicate not only if and when a file has been isolated as potentially problematic
Using the approach of identifying bad events and determining what they look like is called
Signature-based detection
_______ intrusion detection systems rely on someone to identify a pattern in the malicious ________.
Signature-based, network traffic
A stateful firewall adds another layer of complexity. In addition to the simple port, protocol, and address rules, you can also determine whether to allow traffic based on its state.
Stateful firewall
Storage as a Service is typically available to?
Store data in the cloud
Which option presents the correct relationship in NTP's hierarchy to determine the reliability of time?
Stratum 0 - atomic clock or a global positioning system (GPS) - accurate to milliseconds
____________ is an old ____________ logging system. It was initially developed as part of the mail server Sendmail.
Syslog / Unix-based
Which program would know exactly what time the frame arrived while performing a packet capture?
Tcpdump
About NIDS is correct to say:
The NIDS would be limited to looking at the headers through the transport layer, which cannot be encrypted.
When you Clear Event Logs it is correct to say:
The Security log will leave behind an audit event indicating that the log had been cleared.
Which sentences are true about Router and Switch Logs?
The logs will indicate who has accessed the administrative interfaces for these devices
Which sentence is false about Syslog?
The original syslog is the only implementation existing and functions remains the same even after updates.
Select the correct sentence about proxy and its logs
The web proxy takes in requests from the user, then re-originates those requests as though it were doing the requesting for itself.
About Signature-based intrusion detection systems, which sentence is FALSE?
These systems enable identifying and preventing a crime before it happens for the first time.
In nmap, the -sU command consucts what type of scan?
UDP
About heuristic detection systems it is wrong to say:
Unlike signature-based systems, there is total control over what gets detected
About Windows logs, it is WRONG to say:
Windows doesn't enable other applications to generate log data even if that data doesn't have any impact on the operating system
Based on the Sample syslog configuration file below, which sentence is false?
You can't use one log setup for centralized logging
About Security Information and Event Management (SIEM):
all of the above
What is the HeartBleed bug?
the potential to take an encrypted communication stream and offer a way to decrypt it