| Term | Definition |
|---|---|
| Which three disciplines make up the "investigations triad"? | Vulnerability/Threat Assessment and Risk Management; Network Intrusion Detection and Incident Response; Digital Investigation |
| Which of the following is an example of hearsay evidence? | Hearsay: "The guy told me he did it"; "He said he knew who did it, and could testify"; "I saw a recording of the whole thing go down"; A text file containing a personal letter |
| In which phase of the attack methodology do we try to identify hosts that we can then look for vulnerabilities on? | |
| In which phase of the attack methodology do we use Google and social media to learn about our target? | |
| In which phase of the attack methodology do we correlate open ports and running services to a potential attack vector? | |
| In which phase of the attack methodology do we actually "break in" to a system? | Phase #4. Privilege Escalation/Exploitation |
| Which of the following is an example of Technical Reconnaissance? | 1. Social Engineering 2. Registration Info 3. Open Source Intel 4. OSINT via Social Media |
| Which of the following is an example of "Low-Tech" Reconnaissance? | 1. Visiting Target 2. Breaking into Target 3. Dumpster Diving 4. Social Engineering |
| Baiting is an example of Social Engineering using? | |
| Pretending to be a vendor or recruiter and calling a target is an example of? | |
| The Domain Name Registration records provide which of the following? | 1. Administrative info on the target 2. Points of contact 3. Domain expiration date |
| Open Source Intelligence requires us to access the target systems directly? | |
| | Open Source Intel (OSINT) |
| Which of the following is the best search engine to find all Linksys WRT54G routers attached to the internet? | |
| Bing can be BEST used to identify? | |
| In TCP/IP, what is the correct way to open a connection to a remote system using the 3-way handshake? | 1. Send SYN 2. Rec. SYN, send SYN-ACK 3. Rec SYN-ACK, Send ACK |
| In TCP/IP, what is the correct way to close a connection with a remote system using the 3-way handshake? | 1. 1st app sends FIN (active close) 2. 2nd app rec's SYN, sends ACK (passive close) 3. 1st app rec's ACK 4. Later, 2nd app sends FIN (active close) 5. 1st app rec's FIN, sends ACK 6. 2nd app rec's ACK |
| Which NMAP scan type attempts to complete the 3-way handshake with each scanned port? | |
| Which NMAP scan type only sends the initial SYN request and waits for an ACK to detect the open port? | |
| Which NMAP scan type allows an attacker to get past some packet filtering devices? | |
| Which of the following NMAP command line strings will scan a target for specific web ports, and perform version detection of those ports? | |
| A vulnerability is known as the intersection of which three elements? | 1. System susceptibility/flaw 2. Access to the flaw 3. Exploitation of the flaw |
| A vulnerability is known as the intersection of exploiting a flaw, access to a flaw, and what? | System susceptibility/flaw |
| Which of the following is a publicly available vulnerability list? | 1. US-CERT 2. SANS ISC 3. SANS Top 20 4. Vendor Advisories 5. NIST Vulnerability Database 6. Mitre CVE Database 7. Open Source Vulnerability Database |
| | A piece of software, chunk of data, or sequence of commands that takes advantage of a bug, glitch, or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software or hardware |
| Which of the following are types of exploits? | 1. Remote (runs over a network) 2. Local (runs directly on victim) 3. Client Side (runs on client, such as browser or other application) |
| Core Impact is an example of what? | an exploit framework/penetration testing suite |
| Exploit-DB is a resource to find? | fully functional exploits |
| Packet Storm is a resource to find? | fully functional exploits, proof-of-concept code |
| | started in 2003 by HD Moore |
| Metasploit was originally written in which programming language? | |
| Metasploit was ported to which programming language in 2006? | |
| Which company purchased Metasploit in 2009? | |
| What is the name of the Graphical Front End to Metasploit? | |
| Malware is code that has an adverse impact on which of the following? | Confidentiality, integrity, availability |
| Malicious code triggered by user action is an example of what? | |
| What phase of a virus is when it is replicating itself? | |
| What phase of a virus is when it performs its malicious action or payload? | |
| When a logical condition causes a virus to move from a dormant or propagation phase, which phase is this? | |
| A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself is a? | |
| Conficker is an example of which malware? | |
| Which malware is named after ancient Greek history? | |
| What malware modifies an operating system to hide the existence of itself or other malware? | |
| What ISO standard was ratified for digital forensics in October 2012? | ISO 27037 Information Technology - Security Techniques |
| The Federal Rules of Evidence (FRE) was created to ensure what? | consistency in federal proceedings (many states base laws on the FRE) |
| When did the FBI form the Computer Analysis and Response Team (CART)? | |
| Which US Constitutional Amendment protects everyone's right to be secure from search and seizure? | |
| Investigating digital devices includes? | Collecting data securely; examining suspect data to determine details such as origin and content; presenting digital information to courts; applying laws to digital device practices |
| Digital Evidence is the same as Data Recovery? | No, forensics includes retrieving information that was deleted by mistake or lost during a power surge or server crash |
| Which Digital Evidence role arrives on the incident scene, assesses the situation, and takes precautions to acquire and preserve evidence? | Digital Evidence First Responder (DEFR) |
| Which Digital Evidence role has the skill to analyze the data and determine when another specialist should be called in to assist? | Digital Evidence Specialist (DES) |
| What policy defines rules for using a company's computers and networks? | |
| How can a business avoid litigation and inform end users that the organization reserves the right to inspect computer systems and network traffic at will? | Business displays a warning banner that says the system owner reserves the right to inspect and monitor use and there should be no expectation of privacy |
| Which of the following situations are most common for private sector investigations? | Abuse or misuse of computing assets; Email abuse; Internet abuse |
| The route evidence takes from the time it is found until the case is closed or goes to court is called? | |
| What do you secure evidence in? | Antistatic evidence bags or pads |
| Which of the following would you use to secure your evidence? | Locker in digital lab facility/Forensic workstation |
| Which of the following is a basic requirement for setting up your forensics workstation? | Basic requirements: A workstation running necessary OS (usually Windows); A write-blocker device; Digital forensics acquisition tool; Digital forensics analysis tool; Target drive to receive the source or suspect disk data; Spare PATA or SATA ports; USB ports. Additional useful items: Network interface card (NIC); Extra USB ports; FireWire 400/800 ports; SCSI card; Disk editor tool; Text editor tool; Graphics viewer program; Other specialized viewing tools |
| How often should you plan to schedule equipment upgrades in your forensics lab? | Plan on every 18 months, preferably every 12 months |
| Which of the following is an example of best evidence? | Best Evidence: A photo of the crime scene; A copy of a signed contract; A file recovered from a hard drive; A bit-for-bit snapshot of a network transaction (pcap) |
| Which of the following is an example of business records? | Business Records: Contracts and other employment agreements; Invoices and records of payment received; Routinely kept access logs; /var/log/messages |
| Which of the following is an example of circumstantial evidence? | Circumstantial Evidence: An email signature; A file containing password hashes on the defendant's computer; The serial number of the USB device |
| Which of the following is an example of digital evidence? | Digital Evidence: Emails and IM sessions; Invoices and records of payment received; Browser activity, including web-based email; Routinely kept access logs; /var/log/messages |
| Which of the following is an example of real evidence? | Real Evidence: Murder weapon; Fingerprint/footprint; Signed paperwork or contract; Physical hard drive or USB device; Computer itself |
| A bit-by-bit copy of the original storage medium is known as? | |
| A bit-stream copy of all data on a disk or partition is known as? | "image" or "image file" or Bit-stream Image |
| What is the first rule of computer forensics? | Preserve the original evidence |
| Which of the following is not a storage format for digital evidence? | The following ARE: Raw format; Proprietary formats; Advanced Forensics Format (AFF) |
| Which of the following is an advantage of the RAW format? | Fast data transfers; Ignores minor data read errors on source drive; Most computer forensics tools can read raw format |
| Which of the following is a disadvantage of the RAW format? | Requires as much storage as original disk or data; Tools might not collect marginal (bad) sectors |
| Which of the following is a disadvantage of using a proprietary format? | Inability to share an image between different tools; File size limitation for each segmented volume |
| Who developed the Advanced Forensics Format? | Dr. Simson L. Garfinkel |
| Is the Advanced Forensics Format open source? | |
| Which acquisition method is the most common method and offers the most flexibility? | Creating a disk-to-image file |
| Sparse acquisition has which of the following characteristics? | Can take several hours; Logical acquisition captures only specific files of interest; Sparse acquisition collects fragments of unallocated (deleted) data; For large disks; PST or OST mail files, RAID servers |
| At least how many images of digital evidence should you make for contingency planning purposes? | |
| In order to validate data acquisitions, what utility is required? | Hashing algorithm utility |
| Windows does not have a built-in hashing algorithm tool for forensics? | |
| RAID 0's biggest disadvantage is? | |
| RAID 1 is less expensive than RAID 0? | |
| RAID 5 is similar to which of the following RAIDs? | |
| Which of the following are components of a disk drive? | Geometry; Head; Tracks; Cylinders; Sectors |
| Given 512 bytes per sector, and using a disk with 1024 cylinders, 64 read/write heads and 63 sectors, how large is the disk in GB? | 1024 x 64 x 63 = 4,128,768 sectors; 4,128,768 sectors x 512 bytes/sector = 2,113,929,216 bytes; 2.114 GB |
| It is crucial to make a full forensic copy of a solid-state drive as soon as possible due to what feature? | |
| A partition is known as a? | |
| The Windows OS assigns logical addresses to? | |
| Physical addresses refer to? | |
| The unused space between partitions is known as? | |
| The Master Boot Record (MBR) is located at sector? | |
| The File Allocation Table (FAT) database is typically written to a disk's innermost track? | |
| Which of the following is not contained in the File Allocation Table (FAT) database? | Filenames; Directory names; Date and time stamps; Starting cluster number; File attributes |
| Unused space in a cluster between the end of an active file and the end of the cluster is known as? | |
| In Microsoft Windows, when a file is deleted, which HEX character is used to replace the first letter of the filename? | |
| Which of the following is an improvement NTFS has over FAT file systems? | NTFS provides more information about a file; NTFS gives more control over files and folders |
| On an NTFS disk, the first data set is what? | |
| Records in the NTFS Master File Table are called? | |
| When reviewing the registry, which file contains the computer's security settings? | Windows\system32\config\Security.dat |
| When reviewing the registry, which file contains the user-specific configuration settings? | |
| Firefox stores its information in what? | |
| What table would you reference to uncover visited URLs from a Firefox browser? | |
| What table would you reference to uncover typed data from a user in a Firefox browser? | |
| EXIF data was originally developed for which image format? | |
| When using Volatility to perform memory forensics, which of the following modules provides a list of processes that were running on the computer when the image was taken? | |
| When using Volatility to perform memory forensics, what module can be used to reveal any keyboard information typed into the computer at bootup? | |
| On mobile devices, the Operating System is stored in? | |
| On mobile devices, the system data is stored in? | electronically erasable programmable read-only memory (EEPROM) |
| A SIM card serves which of the following purposes? | Identifies the subscriber to the network; Stores service-related information; Can be used to back up the device |
| Which of the following is NOT a concern with acquiring mobile devices? | The following ARE: loss of power; synchronization with cloud services; remote wiping |
| Which of the following is NOT a way to isolate a mobile device from incoming signals? | The following ARE: Place the device in airplane mode; Place the device in a paint can; Use the Paraben Wireless StrongHold Bag; Turn the device off |
| When isolating a mobile device from incoming signals, the battery drains slower? | False (it goes into roaming mode so drains fast) |
| The file system of a SIM card is in a hierarchical structure? | |
| There are many free mobile device forensics tools? | False (Many tools but most aren't free) |
| Does Apple implement Address Space Layout Randomization (ASLR) in iOS as part of its security model? | |
| When reviewing a forensic copy of an Android device, where would we find the contents of the SD card? | |
| When reviewing a forensic copy of an Android device, where would we find the contents of any encrypted SD card applications? | |
| When reviewing a forensic copy of an Android device, where would we find all wireless network configuration saved within the device? | /data/misc/wifi/wpa_supplicant.conf |
| When reviewing a forensic copy of an iOS device, which directory would we look in for access to the voicemail database? | /private/var/mobile/Library/Voicemail |
| When reviewing a forensic copy of an iOS device, which directory would we look in for information on all application screenshots for review? | /private/var/mobile/Library/Caches/Snapshots |
| When reviewing a forensic copy of an iOS device, which directory would we look in for information on Mobile Safari browsing history? | |
| Which of the following is a feature offered by using a proprietary format? | Option to compress or not compress image files; Can split an image into smaller segmented files; Can integrate metadata into the image file |