
Final Exam Review-2

Feb 19, 2016

Page 1: Final Exam Review-2

Student submitted questions: F9-Common Forensic Analysis Techniques

1. ____ is used to identify relevant files and fragments of relevant files.
A. string searching B. cryptographic files C. relevant data D. undeleted files

2. When trying to recover deleted files, make sure the forensic duplication is ____ so that it is not modified during our analysis.
A. On correct disk B. Read-only C. Write-only D. Locked

3. To reconstruct a file, you can use the ____ tool included with the Sleuth Kit.
A. Skype B. Netscan C. Icat D. Lscat

4. A better way to ignore known files is to compare the ____ of every file in a forensic duplication with a known set of hashes and ignore any matches.
A. MD5 hashes B. Active hashes C. Forensic hashes D. Cryptography

5. ____ gives us output we can parse into other programs such as a spreadsheet or database.
A. PDF B. SCSI C. Fls D. FAT-32

F8-Noncommercial-Based Forensic Duplications

1. Use ____ to create a partition for the destination drive.
A. Win_XP B. Fdisk C. Duplicate disk D. Forensic duplications

2. You can make an exact copy of the hard drive by first cleaning the destination drive by placing ____ in all the blocks:
A. Random bits B. Binary bits C. Zeros D. Reliable data

3. dd_rescue is a variation of the dd command. You can use this command to copy forward or backward, from the end to the beginning. This is useful if you encounter ____.
A. blank disk B. errors C. full disk D. negative integers

4. You can use ____ to duplicate hard drives over the network.
A. network evidence duplicator (NED) B. RAID 1 C. Remote connection D. VM-Ware

5. The reason to place zeros in all of the hard drive blocks is because ____.
A. Movies are left in there B. Data is corrupted C. Unwanted data might have been left there and this will damage forensic evidence. D. The ones in the blocks have to cancel with the zeros.

F6- F7-Commercial-based Forensic duplications

1. By default EnCase will duplicate the media and create a series of ____ MB files in a directory you specify.
A. 700 B. 640 C. 1500 D. 32

2. In forensics, each piece of hardware must be ____ with make, model, serial number, evidence tag number, etc.
A. Put in closet B. Documented C. Signed D. Shared

3. One very well known software used for forensic analysis is ____.
A. IBM B. Google C. Encase D. Forensic-ripper

4. This format is the most versatile as it can be imported to any forensic toolkit.
A. Raw disk image (dd) B. RAID 0 C. Encase D. NTFS

5. The evidence custodian should ____.
A. Give the evidence to the secretary B. Place evidence in the storage place C. Keep logs of who has the evidence, when it was checked out, etc. D. Use the evidence for personal use.

1. ____ is forensics applied to information stored or transported on computers.
A. Information forensics B. Data forensics C. Computer forensics D. Network forensics

2. ____ is some method of modifying data so that it is meaningless and unreadable in its current form.
A. data hiding B. encryption C. data mining D. address resolution protocol

3. When working on computer forensics, always work from ____ of the evidence and never from the original, to prevent damage to the evidence.
A. Original hard drive B. Live computer C. Remote desktop D. An image

4. ____ preserving evidence means that the information contained on the drive, down to the last bit, never changes during seizing, analysis and storage.
A. Mentally B. Logically C. Physically D. Carefully

5. ____ are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.
A. Data blockers B. Write blockers C. Read blockers D. Metadata blockers

Created by Humberto Banda 4/22/10

Chapter 10 Web browsing activity reconstruction

1. How many ways are there to keep track of browsing history?
A. 5 B. 7 C. 3 D. 6

2. The setting\<profilename>\cookies directory contains an ____ file that links each cookie to a domain on the internet where it was downloaded.
A. Homepage B. Index.dat C. Script D. Internet explorer

3. ____ is an open source tool used to examine index.dat files and how they were populated when a suspect browses the internet.
A. Firefox B. Pasco C. cookie finder D. Encase

4. A ____ activity record contains less information than the URL or LEAK records and is symbolic of a website that redirects you to another website.
A. phone B. Pasco C. suspect D. REDR

5. Keith J. Jones developed a tool named ____ to translate the information inside an IE cookie to something a human can understand.
A. Cookie B. Galleta C. Pasco D. Internet explorer

Chapter 11, Email activity reconstruction

1. One of the commercial tools used for reconstruction of email is ____.
A. Pasco B. Galleta C. FTK D. Outlook

2. Outlook and Outlook Express tend to be the two most utilized ____ clients.
A. Explorers B. Email C. AOL D. Chat

3. The first choice to read Outlook Express email repositories is to use a tool named ____.
A. Google it B. Eindeutig C. Hack it D. Snort

4. One of the differences between the email DBX file format and the Folders DBX file format is ____.
A. The file signature is slightly different B. Messages are similar C. Data entries are the same D. DBX is not good

5. Netscape and Mozilla store their mailboxes in plain ____ format.
A. Duplex B. Hex C. ASCII D. Unix

1. The ____ contains significant information that helps us determine the “who”, “how”, and possible “why” of the incident.
A. Encrypted data B. Volatile data C. Network data D. Linux data

2. Through examining the ____, we hope to discover any backdoors the attacker may have established.
A. Closed ports B. Wired ports C. Open ports D. Configured ports

3. ____ is the single most powerful tool in our live response toolkit for UNIX systems.
A. list open files (lsof) B. critical files (cf) C. intruder open files (iof) D. non-volatile files (nf)

4. When an attacker runs a file such as datapipe, it deletes the original file and we would not be able to have a copy of the file. This is when we would use the ____, which does not actually exist on the hard drive. It exists in memory and references running processes and other system information.
A. Execute file system B. /proc file system C. /32 bit file system D. /test corrupt file system

5. ____ collects all computer activities, intercepting and recording all packets; it takes a lot of disk space and a lot of time for analysis.
A. Alert data B. Session data C. Full content data D. Full time monitoring

Page 8: Final Exam Review-2

6. An intrusion detection system is a device or application used to inspect all network traffic and alert the user or administrator when there have been unauthorized attempts or access.
A. Alert Data B. Security check C. Network security D. Traffic control

7. ____ is similar to recording one conversation between suspects.
A. Suspicious conversations B. Session Data C. Private conversations D. Full content data

8. For ____, the source sends one packet, and the destination replies with one packet.
A. Open ports B. Security ports C. Closed ports D. Dedicated ports

9. ____ is the protocol Microsoft uses to share files, printers, serial ports, and also to communicate between computers using named pipes and mail slots.
A. Instant messenger B. Server Message Block C. encrypted message block D. data handshake block

10. ____ is used to resolve IP addresses to MAC addresses.
A. IP config B. Catscan C. Netcat D. Address resolution table

1. ____ are the simplest and cheapest way to gain control of network traffic.
A. NAS B. Hubs C. Repeaters D. Wireless router

2. Which is not a type of NBE?
A. Raw data B. Statistical data C. Metadata D. Registry keys

3. What is the command to list all the loaded kernel modules?
A. Load kernel B. MSCONFIG C. lsmod D. PING

4. ____ is designed to interpret traffic in batch mode.
A. Peer Network B. TcpTrace C. Bittorrent D. Red Hat

5. The measures used to prevent attacks are called ____.
A. Anti-attacks B. Proactive C. Reactive D. Revenge

1 – Windows Live Response

1. ____ analysis is when data from the suspect is copied without the assistance of the suspect’s operating system.
a. Live b. Dead c. Data d. Forensic

2. ____ analysis uses the operating system or resources of the system being investigated to find evidence.
a. Live b. Dead c. Data d. Forensic

3. ____ is information we would use if the machine is turned off.
a. Registry information b. Volatile information c. Non-volatile information d. Cached information

4. ____ involves capturing the memory space of the suspect processes.
a. Fport b. Undelete c. Defragmenting d. Memory dump

5. While analyzing registry data, RegDmp provides the following general information except ____.
a. user name b. date and time c. domain membership d. profile information

1 – Windows Live Response

Key

1. ____ analysis is when data from the suspect is copied without the assistance of the suspect’s operating system.
b. Dead

2. ____ analysis uses the operating system or resources of the system being investigated to find evidence.
a. Live

3. ____ is information we would use if the machine is turned off.
b. Volatile information

4. ____ involves capturing the memory space of the suspect processes.
d. Memory dump

5. While analyzing registry data, RegDmp provides the following general information except ____.
b. date and time

F1a – Computer Foundations

1. Computers know the layout of the data because of ____, which act like templates or maps.
a. data structures b. data tables c. registers d. arrays

2. In order to get to a particular sector, we need the following except ____.
a. head b. cylinder c. sector d. stack

3. A special area of the disk that can be used to save some system information added there by the manufacturer.
a. read protected area b. write protected area c. host protected area d. user protected area

4. The software must load data such as the sector address and sizes into the CPU registers and execute interrupt 13h in order to access ATA hard drives through ____.
a. direct access b. BIOS c. SCSI d. remote access

5. A data structure is composed of which two parts?
a. number and string b. flag and register c. byte and string d. flag and byte

F1a – Computer Foundations

Key

1. Computers know the layout of the data because of ____, which act like templates or maps.
a. data structures

2. In order to get to a particular sector, we need the following except ____.
d. stack

3. A special area of the disk that can be used to save some system information added there by the manufacturer.
c. host protected area

4. The software must load data such as the sector address and sizes into the CPU registers and execute interrupt 13h in order to access ATA hard drives through ____.
b. BIOS

5. A data structure is composed of which two parts?
a. number and string

2 UNIX Live Response

1. The single most powerful tool in the live response toolkit for UNIX systems.
a. Netstat b. Nc c. Lsof d. lsmod

2. Sorts all files by the time the inode was last changed.
a. ctime b. uname c. time d. netcat

3. A 128-bit mathematical fingerprint of the contents in a file, for every file on the filesystem.
a. lpd login b. zap2 c. MD5 Checksum d. LKM

4. Transfers relevant logs to a forensic workstation for further analysis.
a. mount b. netcat c. netbios d. netstat

5. Contain commands the user typed at the prompt, may contain commands that failed, and can be used to discover the hacker’s methodology.
a. History Files b. Command Logs c. Browser History d. Security Logs

2 UNIX Live Response

Key

1. The single most powerful tool in the live response toolkit for UNIX systems.
c. Lsof

2. Sorts all files by the time the inode was last changed.
a. ctime

3. A 128-bit mathematical fingerprint of the contents in a file, for every file on the filesystem.
c. MD5 Checksum

4. Transfers relevant logs to a forensic workstation for further analysis.
b. netcat

5. Files containing commands the user typed at the prompt, may contain commands that failed, and can be used to discover the hacker’s methodology.
a. History Files

F3 Collecting Network Based Evidence (NBE)

a. Full Content Data b. Session Data c. Alert Data d. Statistical Data

____ 1. Most active IP addresses, ports, data length.

____ 2. Summary of sessions with date and time, from source and destination addresses and how it was terminated.

____ 3. Collecting all computer activities, intercepting and recording all packets, requires a lot of disk space and time for analysis.

____ 4. Analyzing NBE for predetermined items of interest.

5. Forwards to all ports. A monitoring station can detect all packets.
a. Bridges b. Taps c. Switched Port Analyzer d. Hubs

F3 Collecting Network Based Evidence (NBE)

Key

1. Most active IP addresses, ports, data length.
d. Statistical Data

2. Summary of sessions with date and time, from source and destination addresses and how it was terminated.
b. Session Data

3. Collecting all computer activities, intercepting and recording all packets, requires a lot of disk space and time for analysis.
a. Full Content Data

4. Analyzing NBE for predetermined items of interest.
c. Alert Data

5. Forwards to all ports. A monitoring station can detect all packets.
d. Hubs

F4 Analyzing Network-based evidence for a windows intrusion

1. What tool was used by running it against the libpcap data to transform it into session data?
a. McAfee b. Argus c. Symantec d. WireShark

2. Multiple protocols with a low number of packets may indicate ____ activity?
a. Packet Sniffing b. Blue Snarfing c. War Driving d. Port Scanning

3. What tool was used in this chapter to find patterns of malicious activity?
a. Snort b. WireShark c. BackTrack4 d. McAfee

4. A single SYN packet is sent through a port and a RST ACK packet is received. What does this mean?
a. Port is busy b. Port is closed c. Port is open d. Port is available

5. As opposed to running Snort in “live mode” to inspect traffic actively passed on the wire, what mode can Snort be run under to inspect previously captured data?
a. dead mode b. capture mode c. batch mode d. response mode

F4 Analyzing Network-based evidence for a windows intrusion

Key

1. What tool was used by running it against the libpcap data to transform it into session data?
b. Argus

2. Multiple protocols with a low number of packets may indicate ____ activity?
d. Port Scanning

3. What tool was used in this chapter to find patterns of malicious activity?
a. Snort

4. A single SYN packet is sent through a port and a RST ACK packet is received. What does this mean?
b. Port is closed

5. As opposed to running Snort in “live mode” to inspect traffic actively passed on the wire, what mode can Snort be run under to inspect previously captured data?
c. batch mode

F6 - Preparing for Forensic Duplication

1. Items included in a forensic toolkit should include the following except…
a. Screwdrivers b. Power Cables c. Printer d. Permanent Markers

2. Each piece of hardware must be documented with the item’s information which includes…
a. Driver’s License b. Make/Model c. Date of Birth d. Maiden Name

3. The information written on each label should include the following except…
a. Number of Partitions b. Date c. Type of file system d. Price

4. Which item is used to document evidence?
a. Digital Camera b. Firewire c. Flash Drive d. Flashlight

5. The following should be recorded when evidence is checked out except…
a. Date of Birth b. Case Number c. Name d. Date

F6 - Preparing for Forensic Duplication

Key

1. Items included in a forensic toolkit should include the following except…
c. Printer

2. Each piece of hardware must be documented with the item’s information which includes…
b. Make/Model

3. The information written on each label should include the following except…
d. Price

4. Which item is used to document evidence?
a. Digital Camera

5. The following should be recorded when evidence is checked out except…
a. Date of Birth

F7- Commercial-based Forensic Duplication

1. EnCase is used to…
a. backup system information b. retrieve data from a storage device c. print labels d. surf the internet

2. When using EnCase or FTK, use which of the following to connect to the source hard drive (evidence)?
a. serial cable b. read-only Firewire-to-IDE module c. read-write Firewire-to-IDE module d. coaxial cable

3. When EnCase duplicates an evidence hard drive, it creates evidence files on a destination media. This usually means a…
a. DVD-R b. Floppy Disk c. Flash drive d. formatted storage hard drive

4. FTK can acquire the forensic duplication in the following three different formats except…
a. Portable Network Graphics b. SMART format c. Raw Disk Image (dd) d. EnCase Evidence Files (.E01)

5. When using a laptop with EnCase, two additional items are usually needed. This includes a 2.5” to 3.5” laptop hard drive converter and a…
a. Graphics card b. PCMCIA Firewire card c. Sound card d. Data Acquisition card

F7- Commercial-based Forensic Duplication

Key

1. EnCase is used to…
b. retrieve data from a storage device

2. When using EnCase or FTK, use which of the following to connect to the source hard drive (evidence)?
b. read-only Firewire-to-IDE module

3. When EnCase duplicates an evidence hard drive, it creates evidence files on a destination media. This usually means a…
d. formatted storage hard drive

4. FTK can acquire the forensic duplication in the following three different formats except…
a. Portable Network Graphics

5. When using a laptop with EnCase, two additional items are usually needed. This includes a 2.5” to 3.5” laptop hard drive converter and a…
b. PCMCIA Firewire card

F8 – Noncommercial-based Forensic Duplications

1. The most basic of all noncommercial forensic duplication tools is definitely dd, which stands for…
a. data dump b. drive dump c. data drive d. digital dump

2. You want to make sure the BIOS is configured so that the computer will…
a. boot from a DVD b. boot from your Linux operating system c. boot from the evidence hard drive d. boot from a flash drive

3. The dd argument ‘if’ designates the…
a. if statement b. independent file c. conditional statement d. input file

4. Which command is useful when encountering errors?
a. dd_recover b. dd_rescue c. dd_reverse d. dd_record

5. Typically, we would copy the NED client onto a bootable CD-ROM environment which would be loaded into _____ and booted.
a. a third computer on the same network b. the forensic workstation c. the suspect’s computer d. remote computer

F8 – Noncommercial-based Forensic Duplications

Key

1. The most basic of all noncommercial forensic duplication tools is definitely dd, which stands for…
a. data dump

2. You want to make sure the BIOS is configured so that the computer will…
b. boot from your Linux operating system

3. The dd argument ‘if’ designates the…
d. input file

4. Which command is useful when encountering errors?
b. dd_rescue

5. Typically, we would copy the NED client onto a bootable CD-ROM environment which would be loaded into _____ and booted.
c. the suspect’s computer

F9 – Common Forensic Analysis Techniques

1. In order to recover deleted files, the recommended tool is TASK, later renamed to…
a. Encase b. The Sleuth Kit c. Undelete d. Data Recovery

2. Both EnCase and FTK will recover deleted files…
a. automatically b. by selecting undelete on menu c. from the destination hard drive d. only

3. Metadata can include which of the following?
a. disk size b. registration keys c. MD5 hashes d. fat/ntfs

4. A better way to ignore known files is to compare the _____ of every file in a forensic duplication.
a. MAC times b. file sizes c. MD5 hashes d. full file names

5. We can download _____ and save ourselves a lot of time in ignoring known files.
a. EnCase b. Undelete c. FTK d. NIST’s NSRL distribution

F9 – Common Forensic Analysis Techniques

Key

1. In order to recover deleted files, the recommended tool is TASK, later renamed to…
b. The Sleuth Kit

2. Both EnCase and FTK will recover deleted files…
a. automatically

3. Metadata can include which of the following?
c. MD5 hashes

4. A better way to ignore known files is to compare the _____ of every file in a forensic duplication.
c. MD5 hashes

5. We can download _____ and save ourselves a lot of time in ignoring known files.
d. NIST’s NSRL distribution

F10 – Web Browsing Activity Reconstruction

1. Internet Explorer uses these three facilities where we can find evidence except ____.
a. system32 b. web browsing history c. cookies d. temp internet files

2. ____ was developed to examine the contents of Internet Explorer’s cache files.
a. Pasco b. Data Dump c. Galleta d. Fport

3. ____ examines cookies by parsing the information in Internet Explorer’s cookie files into a human readable format.
a. Pasco b. Data Dump c. Galleta d. Fport

4. EnCase utilizes a script referred to as a(n) ____ to parse the web browsing information found in the evidence and present it to the investigator.
a. E-Script b. Fport c. dd d. FTK

5. The Cookies, History.IE5, and Content.IE5 folders contain a ____ file with forensic evidence.
a. index.exe b. index.dat c. index.xls d. index.txt

F10 – Web Browsing Activity Reconstruction

Key

1. Internet Explorer uses these three facilities where we can find evidence except ____.
a. system32

2. ____ was developed to examine the contents of Internet Explorer’s cache files.
a. Pasco

3. ____ examines cookies by parsing the information in Internet Explorer’s cookie files into a human readable format.
c. Galleta

4. EnCase utilizes a script referred to as a(n) ____ to parse the web browsing information found in the evidence and present it to the investigator.
a. E-Script

5. The Cookies, History.IE5, and Content.IE5 folders contain a ____ file with forensic evidence.
b. index.dat

F11 – Email Activity Reconstruction

1. Which commercial tool can be used for e-mail reconstruction?
a. Galleta b. Undelete c. FTK d. Outlook

2. When creating a report with FTK during e-mail reconstruction, it will contain ____ versions of the e-mails.
a. HTML b. EnCase c. text d. excel

3. Which file contains actual e-mail messages for Outlook Express?
a. Sent E-Mails b. E-Mail DBX c. TypedURLs d. Folders DBX

4. ____ is a utility that decodes MIME file attachments in e-mails.
a. Regedit b. Munpack c. FTK d. Eindeutig

5. This tool can be used to read Outlook Express e-mail repositories.
a. eindeutig b. dd c. Pasco d. regedit

F11 – Email Activity Reconstruction

Key

1. Which commercial tool can be used for e-mail reconstruction?
c. FTK

2. When creating a report with FTK during e-mail reconstruction, it will contain ____ versions of the e-mails.
a. HTML

3. Which file contains actual e-mail messages for Outlook Express?
b. E-Mail DBX

4. ____ is a utility that decodes MIME file attachments in e-mails.
b. Munpack

5. This tool can be used to read Outlook Express e-mail repositories.
a. eindeutig

F12 – Windows Registry

1. The Registry contains information such as which of the following?
a. MAC address b. most visited websites c. ip address d. e-mails

2. The Registry is often overlooked because the files are in a proprietary format. In this case, which tool can be used?
a. undelete b. Back Track c. FTK d. dd

3. Which command can be used to locate the registry?
a. Fport b. startx c. cmd d. regedit

4. Which keyword denotes a registry entry for documents that were recently viewed?
a. IIS b. MRU c. REC d. EXE

5. Microsoft Windows records information on URLs typed into IE in a registry folder called ____.
a. Typed URLs b. Recent URLs c. History.IE5 d. Temporary Internet Files

F12 – Windows Registry

Key

1. The Registry contains information such as which of the following?
b. most visited websites

2. The Registry is often overlooked because the files are in a proprietary format. In this case, which tool can be used?
c. FTK

3. Which command can be used to locate the registry?
d. regedit

4. Which keyword denotes a registry entry for documents that were recently viewed?
b. MRU

5. Microsoft Windows records information on URLs typed into IE in a registry folder called ____.
a. Typed URLs

Computer Forensic Additional Notes

1. ____ is the method of modifying data so that it is meaningless and unreadable in its current form.
a. decryption b. obfuscation c. steganography d. encryption

2. ____ is the science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message.
a. decryption b. obfuscation c. steganography d. encryption

3. The following are used as forensic software except ____.
a. The Coroner’s Toolkit b. Outlook c. ILook d. Forensic Toolkit

4. ____ are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.
a. write blockers b. hubs c. IDE Converters d. Firewire Cards

5. A ____ function is any well defined procedure or mathematical function for turning some kind of data into a relatively small integer.
a. hash b. metadata c. encryption d. decryption

Computer Forensic Additional Notes

Key

1. ____ is the method of modifying data so that it is meaningless and unreadable in its current form.
d. encryption

2. ____ is the science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message.
c. steganography

3. The following are used as forensic software except ____.
b. Outlook

4. ____ are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.
a. write blockers

5. A ____ function is any well defined procedure or mathematical function for turning some kind of data into a relatively small integer.
a. hash

Chapter 1

1. When collecting data from a victim machine to determine the “who,” “how,” and possibly “why” of an incident, which is a viable source?
a. Open TCP or UDP Ports b. Users Currently Logged On c. Open Files d. All the above

2. An open rogue port usually denotes:
a. The system date and time b. A backdoor running on the victim machine c. Volatile data d. Users currently logged on

3. FPort does the following:
a. Opens a backdoor b. Closes all ports c. Links open ports to executables that opened them d. Launches live response

4. Group Policy information does not contain:
a. Redirected folders and their details b. The last time policy was applied for both user and computer c. IIS logs d. Registry settings that were applied and their details

5. Most attacks happen over port:
a. 10 b. 1 c. 50 d. 80

Chapter Computer Foundations

1. Which is not a type of data organization?
a. ASCII b. HDMI c. Unicode d. EBCDIC

2. Little endian is read which way?
a. Top to bottom b. Left to right c. Bottom to top d. Right to left

3. Drives can be configured as which of the following:
a. Servant b. Driver c. Master d. Dictator

4. LBA addressing stands for:
a. Logical block addressing b. Load balancing area c. Logic block authenticator d. Light battalion armor

5. Which SCSI cables can be interchanged with Ultra 320?
a. Ultra2 SCSI b. Fast SCSI c. Ultra 3 SCSI d. SCSI cables are not interchangeable

Chapter 2

1. The Live Response process for a Unix machine is ____ to a Windows machine.
A. Completely different B. Almost identical C. Exactly the same D. Unix has not released a version

2. Which of the following is a common password cracking program that attackers employ to learn users’ passwords, discussed in chapter 2?
A. Jack the Ripper B. The Headless Horseman C. The Minotaur D. John the Ripper

3. When issuing the command uname -a, you will receive what information?
A. All the available operating system version information B. A review of all the loaded kernel modules C. A display of the mounted file systems D. A list of all the running processes on the system

4. A quick way to eliminate redundant data in the file system is to ____:
A. Calculate and analyze the MD5 checksum B. Use a “Poor Man’s FTP” using netcat C. Go to www.Facebook.com D. Do a search for “.kde”

5. A hacker would search for a keyword such as datapipe with ____?
A. $ B. | C. \ D. ?

Chapter 3 & 4

1. The acronym NBE stands for which of the following?
A. Network-based exposure B. Network-based evidence C. Non-Biological Extraterrestrials D. None of the above

2. What type of data is the easiest form of data to understand and manipulate?
A. Full Content Data B. Statistical Data C. Session Data D. Alert Data

3. Taps (also known as Test Access Ports) are placed ____.
A. Between the firewall and router B. Between mirroring ports C. Between switches D. A and C

4. When looking at alert data, ____ is helpful when searching for something suspicious.
A. Wire Shark B. Snort C. Argus D. Netstat

5. ARP is used to _____.
A. Rebuild sessions of interest B. Resolve IP addresses to MAC addresses C. Get better retirement benefits D. Check for Common Vulnerabilities and Exposures (CVE)

Chapter 6

1. All but which of the following is something that you would want to record in an Evidence Worksheet:
A. Model B. Serial number C. Anti-static bags D. Jumper settings

2. What principle is paramount to any investigation and should not be overlooked?
A. Documentation B. Notation C. Evidence D. Smoking Gun

3. Any time evidence changes hands, which form should be filled out?
A. Agent Notes worksheet B. Evidence Worksheet C. Chain of Custody Form D. Evidence Access Log

4. Which of the following is recommended to have in a toolkit mentioned in the chapter?
A. Swiss Army Knife B. Gerber Knife C. Pens D. HDMI cable

5. The following is unique information found on a hard drive that is recorded in the Evidence Worksheet:
A. Calculus B. Trigonometry C. Algebra D. Geometry

Chapter 7

1. _____ is one of the most widely used forensic duplication and analysis software tools available today.
A. Snort B. TechNet C. TraceFirst D. EnCase

2. When you hot swap a drive, you ____ or _____ it from a running computer system without powering off the forensic workstation.A. Add ; deleteB. Swap ; takeC. Read; writeD. Add; remove

3. By default, EnCase will duplicate the media and create a series of _____ files in a directory you specify.A. 56kB. 640 MB C. 32 GBD. 100 Mbps

4. Laptop hard drive converters come in _____ to _____.A. 1.5” to 2.5”B. 5.5” to 7.5”C. 1.0” to 5.0”D. 2.5” to 3.5”


5. A benefit when acquiring evidence using EnCase is that it allows us to preview and ______ the drive in a forensically sound manner.
A. Analyze
B. Send
C. Corrupt
D. Destroy

Chapter 9

1. One limitation of The Coroner’s Toolkit that the authors pointed out involved an emphasis on recovering deleted files from a ___________ when in fact FAT32 and NTFS are the types of file systems we investigate the most.
A. Microsoft Windows file system
B. Linux file system
C. Unix file system
D. Both B and C

2. Downloading and installing The Sleuth Kit is a relatively ________ task.
A. Arduous
B. Trivial
C. Cumbersome
D. Difficult

3. Commercial methods to undelete files are more _________ and will show you the logical and deleted files in one view.
A. Time consuming
B. Enabling
C. Fee-based
D. User-friendly

4. A notable hash distribution is the National Software Reference Library provided by the National Institute of Standards and Technology. It can be obtained by _____ or ____?
A. Downloaded freely
B. Bought at the store
C. Purchased as a subscription
D. Both A and C

5. The process of looking for data when you know a portion of it is called?
A. String searching
B. Unicode searching
C. Microsoft office
D. File searching

Chapter 10

1. At the time the book was written, __________ was the most popular Web browser utilized by the general computing population.
A. Google Chrome
B. Mozilla Firefox
C. Opera
D. Microsoft Internet Explorer

2. Which of the following is not a facility where we can find evidence to view Web browsing history?
A. Temporary Internet Files
B. Web browsing history
C. Cookies
D. GNU directory

3. Why are cookies necessary for browsing the internet?
A. HTTP is a stateless protocol
B. URI is a stateless protocol
C. TCP/IP is a stateless protocol
D. RFC is a stateless protocol

4. A cookie contains _____?
A. Unallocated space
B. FTK display
C. Expiration time
D. Executables

5. A REDR activity record contains ____ information than the URL or LEAK records.
A. More
B. The same
C. Less
D. None of the

Page 41: Final Exam Review-2

Chapter 11

1. FTK will not recognize which of the following e-mail repository formats?
A. Yahoo
B. Earthlink
C. Lotus Notes
D. Outlook Express

2. How many types of DBX files are there?
A. 1
B. 2
C. 3
D. 4

3. The file _______ begins at the first byte of the Folders DBX file.
A. Header
B. Location
C. Folder
D. Signature

4. _______ and _______ tended to be the most utilized e-mail clients discovered during the author’s investigations.
A. Yahoo; Google
B. Outlook; Outlook Express
C. Google; Outlook
D. AOL; Google

5. The E-Mail DBX file format is very similar to the Folders DBX file format. Which of the following is not among the three main differences between the two?
A. The data entries contain different values.
B. The e-mail repository has a different file offset.
C. A new internal structure called an “email entry” is added to the file.
D. The file signature is slightly different.

Chapter 12

1. When investigating Microsoft Windows systems, there are basically three different types of log files you can examine. Which of the following is not one of them?
A. Windows Event Logging
B. Application Logs
C. The Microsoft Windows Registry
D. All are used

2. By examining a few ______, we can determine some of the currently installed programs and programs that may have been installed in the past but have since been uninstalled.
A. Applications
B. Registry keys
C. Registry viewer
D. Event logs

3. There are currently ______ open source tools that can examine registry files directly.
A. Plenty of
B. Really expensive
C. No available
D. Scarcely any

4. MRU stands for _______?
A. Most Redundantly Used
B. Maximum Receive Unit
C. Most Recently Used
D. Malware Removal Unit

5. Installed programs usually contain a mechanism that will enable them to be _________.
A. Run
B. Uninstalled
C. Copied
D. Exported


Ayme Pena
Chapters 2, 3 & 4

1. Lsof is the single most powerful tool in our live response toolkit for UNIX systems; what does it stand for?
a) list software operating files
b) list open filters
c) list open files
d) list several open files

2) In Windows, an executable cannot be deleted while it is running in memory. What locks the file so that it cannot be removed?
a) kernel
b) file system
c) operating system
d) none of the above

3) In Unix, an attacker can run a file, such as _________, and delete the original binary.
a) lsof
b) datapipe
c) mounted file
d) all of the above

c____4) Full Content Data    a) Similar to time of the day of the regular calls between subjects, duration, etc.

b____5) Session Data    b) Similar to recording one conversation between suspects

d____6) Alert Data    c) Similar to recording all conversations of suspects.

a____7) Statistical Data    d) Similar to a red light going off when a particular word is heard

8) What answers can session data provide?
a) Is the web server compromised?
b) Did the intruder visit other machines using the webserver?
c) Is the intruder present now?
d) How frequent are the visits?
e) all of the above

9) ____________ means running Snort against previously captured data.
a) batch mode
b) live mode
c) close mode
d) run mode

10) Snort’s signature-matching can find patterns of ___________________.
a) daily activities
b) malicious activities
c) time activities
d) a and c only

Chapter 5

1. The portscan.log is a simple?
a) open port
b) file
c) text file
d) none of the above

2. Tcptrace first provides __________ on the _______ it sees. Next, it lists a record number, followed by the source IP and port and destination IP and port.
a) data:information
b) statistics:data
c) connection:networks
d) service:device

3. What is the command to exit from the FTP server?
a) exit
b) logoff
c) end
d) bye

4. If the command used by the intruder is mget knark*, what is he going to retrieve?
a) passwords
b) create a file with the name “knark”
c) files beginning with the word “knark”
d) that command is not recognized

5. What command shows the directory listings?
a) lo
b) la
c) ls
d) al

Chapter 6

1. Each piece of hardware must be documented with all except?
a) Different color
b) Peripheral connections
c) Evidence tag number
d) Make and model


2. Your toolkit needs to have every type of computer hardware interface going back how many years?
a) 2 years
b) Many
c) 6 months
d) Not applicable

3. Agent notes, evidence labels, chain of custody forms, and evidence custodian logs are all part of which important part?
a) tags
b) labels
c) documents
d) printer

4. By whom is the evidence safe maintained?
a) evidence custodian
b) evidence register
c) evidence janitor
d) evidence computer

5. The evidence custodian keeps a log of:
a) Date, name, case number, time in, time out
b) Date, name, font
c) Date, case number, place
d) none of the above

Chapter 7

1. What is used by many law enforcement agencies and corporations around the world to support civil/criminal investigations, network investigations, data compliance and electronic discovery?
a) Northern
b) Windows Security
c) Encase
d) FBI Security

2. Encase enables you to acquire your evidence in a forensically sound manner, and will perform a ______ by default.
a) 64 Bites
b) MD5 hash
c) SCA-1 Hash
d) CS Hash


3. Two important devices that do not come with the FireWire duplication kit by default are?
a) FireWire card and software
b) FireWire disk and laptop
c) FireWire card and hard drive converter
d) laptop and a plug

4. What is FTK?
a) Files Tool Kit
b) FireWire Transport Kit
c) Forensic Tool Kit
d) None of the above

5. Why is it recommended not to put a password in your EnCase?
a) because you will secure your information
b) it’s too many steps
c) if you forget, you are out of luck
d) it cannot be encrypted

Chapter 8

1. Data dump is part of the most basic of all
a) commercial tools
b) noncommercial forensic duplication tools
c) commercial forensic duplication tools
d) all of the above

2. After Linux has finished booting, what do you want to see?
a) if the computer will restart
b) the color of the screen
c) which device represents your suspect’s hard drive
d) the device empty space

3. By running [root@localhost root]# md5sum -c md5sums.txt you are trying to?
a) validate the evidence file
b) separate the memory
c) hack the computer
d) delete

4. The ______ indicates the number of blocks that are skipped from the input before the copying begins.
a) time
b) date
c) refresh
d) skip

5. So that data left on the storage hard drive previously is not introduced into the evidence, the first order of business is to ______?
a) buy a new hard drive
b) wash the hard drive
c) cleanse the evidence
d) unplug the hard drive

Chapter 9

1. When conducting _________ analysis, the first step is to recover undeleted files.
a) research
b) forensic
c) process
d) security

2. So that you can associate a file with a local loopback device such as /dev/loop0, the _________ has to be altered?
a) memory
b) hard drive
c) device
d) kernel

3. Metadata includes ___________, file sizes, MAC times, MD5 hashes, and more.
a) full file names
b) brand
c) exact sizes
d) none of the above

4. What must you select from the menu bar to perform a keyword search with EnCase?
a) View->Words
b) View->Hidden words
c) View->Keywords
d) View->Menu bar

5. Keyword searching is a very important step for ________________________ and ___________________ throughout your evidence data set.
a) identifying relevant files : file fragments
b) finding time of data : file name
c) identifying images : relevant fragments
d) forensic analysis : security threats


Chapter 10

1. Who utilizes the E-Script to parse the Web browsing information found in the evidence and present it to the investigator?
a) FTK
b) IE History
c) E-Script
d) EnCase

2. C:\Documents and Settings\<<profilename>>\Cookies\ is an example of one of the ____________________________________?
a) profile names
b) main directory associated with web browsing history
c) web browsing history
d) documents and settings

3. Each cookie is saved as a small text file that contains?
a) variable names and values, time the cookie was downloaded
b) time the cookie expires, some information about its status
c) time the cookie was downloaded and time the cookie expires only
d) a and b

4. IE History can examine not only IE index.dat files but also __________________?
a) Microsoft Records
b) EnCase Solutions
c) Recycle Bin records
d) Main directory records

5. Pasco and Galleta are two main tools that were released within the past few years that enable us to reconstruct ______________ browsing activity?
a) Keith J. Jones
b) Lewis’s Web
c) Linux
d) Curtis W. Rose

F-12 Windows Registry

1. What is the command to open the Windows registry?
a. Registry
b. Edit
c. RegEdit
d. EditRegistry

2. What is the Microsoft program used to modify which processes are run at start-up?
a. MSConfig
b. Regedit
c. MMS
d. cmd

3. Which are the three basic event logs for Windows?
a. System, Application, Security
b. Audit, Application, Security
c. Application, Security, Domain
d. User events, System, Application

4. Where is the Windows registry file kept?
a. C:\windows\system32\config
b. C:\Programs\Windows\config
c. C:\Registry\logs\config
d. C:\system32\registry\config

5. What tools are normally available to examine Windows registry files?
a. Open source tools
b. Encase, FTK, Windows Regedit
c. Notepad
d. Winword


F-13

1. What command is used in Linux to compile a C source code program?
a. Gcc
b. Compile
c. Bcc
d. None of the above

2. What are self-contained programs that do not require any other file reference to run called?
a. Static Executables
b. Self Contained programs
c. Stand alone program
d. None of the above

3. What are executable programs that reference outside files or libraries of code called?
a. Dynamic Executables
b. Dependent programs
c. Referenced programs
d. Data executables

4. The approach used to examine a file by actually executing the code/file is called?
a. Static Analysis
b. Exec Analysis
c. Dynamic Analysis
d. Runtime analysis

5. Which program allows a user in Linux to peer inside an executable as it executes?
a. GNU Debugger
b. MMC
c. BB
d. GCC Debugger

Questions for Chapters F7, F8, F9

Chapter F7

1. What is the file system used by MS Windows Vista or 7?
a. FAT16
b. FAT32
c. NTFS
d. EXT3

2. What is the main advantage of NTFS over FAT?
a. Encryption
b. Access time
c. Drive speed

3. What file system is used by Linux?
a. EXT3
b. NTFS
c. FAT32
d. FAT16

4. What is a drawback of FAT16?
a. Restricted disk size.
b. Slow speed
c. Easily corruptible

5. What is the Linux command to make a new file system?
a) Mkfs
b) Fdisk
c) Mkdir
d) Format

Chapter F8

1. What is the fastest and most reliable drive type available?
a. IDE
b. SATA
c. SCSI
d. ATA

2. What is the term for a chronological documentation of evidence?
a. Chain of custody
b. Evidence
c. Evidence log
d. Custody log

3. What is the most modern form of boot device currently used in computers today?
a. 5 ¼ Floppy disk
b. 3 ½ Floppy disk
c. USB boot drives
d. CDROMS

4. Computer forensics deals with which of the following:
a. Virus software
b. Spyware
c. Legal evidence found in computer media
d. Intellectual property

5. What is the most important rule to remember in dealing with digital forensic evidence?
a. Do not disturb the original disk image evidence
b. Recover deleted files
c. Access the information as fast as possible
d. Discover digital evidence

Chapter F9

1. What is the best digital investigation tool currently available commercially?
a. Symantec
b. Encase
c. Dfrag
d. Undelete

2. Encase is published by which company:
a. Guidance Software
b. Encase Software
c. Microsoft
d. Oracle

3. What is the recommended way of obtaining a digital copy of an evidence disk?
a. Bit by bit disk copy
b. Copy Paste
c. Logging into the computer in question.

4. What is the extension for an EnCase media type?
a. .exe
b. .bat
c. .enc
d. .ewf

5. What type of software is FTK?
a. Virus program
b. Disk copy program
c. Scanning program
d. Computer forensic tool kit

Real Digital Forensics, chapters F2, F3, F4

1. What is the Linux or Unix system command to display a list of active internet connections:
a. Netstat -n
b. Fport
c. FTP
d. Ipconfig

2. Different drives in Linux or Unix often also have to be _____ to be accessed.
a) Referenced
b) Loaded
c) Mounted
d) Accessed

3. What is the best way to determine if a system file has been modified?
a) Do a virus scan
b) Do an LS command
c) Run a checksum
d) Try to run the file.

4. Where is the system log stored in Linux?
a) /etc/bin/syslog.conf
b) /etc/syslog.conf
c) /windown32/system.log
d) /bin/syslog.conf


5. Which system file in Linux/Unix contains a list of user accounts?
a) /etc/passwd
b) /etc/bin/passwd
c) /windows/passwd
d) It does not exist

6. Which type of equipment joins networks together?
a. Hub
b. Switch
c. Router
d. Access Point

7. What type of device is used to filter network traffic?
a. Firewall
b. A server
c. Hub
d. Switch

8. What is a standard packet capture program?
a. TCPdump
b. Fport
c. Telnet
d. Netstat

9. What is an appropriate alert data tool to collect network traffic?
a. Snort
b. SSH
c. Netstat
d. Telnet

10. In a standard intrusion scenario, when an intruder conducts probes against a target system it is called?
a. Consolidation
b. Exploitation
c. Reconnaissance
d. Pillage

11. What type of data gives you a general pattern of network traffic?
a. Alert data
b. Statistical data
c. Total capture data
d. Sample data


12. What type of sampling technique looks for particular patterns in the network traffic?
a. Signature based alert data
b. Statistical data
c. Sample data
d. Raw data

13. The intercepting of network data directly from the network via a hardware device is known as?
a. Exploit
b. Tap
c. Signature
d. Sample

14. The data that records all network activity that occurred during a specific period is known as?
a. Raw data
b. Full content data
c. Sample data
d. Alert data

15. Gaining “root” privileges in a Linux/Unix system usually refers to the following?
a. Gaining administrative level access
b. Gaining access to the c: drive.
c. Compromising a guest account
d. Mounting a drive

1. Which of these elements is classified as volatile data?
a. File timestamps
b. Location of registry file
c. Internal routing table
d. System version and patch level

2. Which of the following is not a system event log?
a. Security
b. System
c. Audit
d. Application

3. Which command can be used to see the routing table?
a. netstat
b. regedit
c. at
d. psexecsvc


4. Which command line tool can help test file integrity?
a. regedit
b. md5sum
c. netcat
d. inspect

5. Which set of tools provides enhanced functionality for viewing volatile data in Windows?
a. IIS
b. Policy Manager
c. pstools
d. Windows XP Service Pack 3


1. In Unix, which command is used to display a list of running processes?
a. proc
b. PS
c. lp
d. ps -aux

2. What is required before a disk drive can be viewed in Unix?
a. open file explorer
b. mount the drive
c. refresh the device manager
d. connect the computer and restart the machine

3. Regarding Unix, which one of these statements is not true?
a. the netstat command can be used just like in Windows
b. The process list includes the name of the user that launched the process
c. Standard TCP ports are different in the Unix environment
d. The volatile and non-volatile types of data are the same as Windows

4. What is the purpose of the netcat utility?
a. To acquire non-volatile data
b. To obtain output without disturbing the victim computer in a live response
c. To detect trojans currently on the victim computer
d. A utility used to perform a network route inventory

5. What utility provides a list of open files?
a. ps
b. flist
c. fopen
d. lsof


1. What is NBE?
a. NetBios Environment
b. Network-Based Evidence
c. Non-Breakable Execution
d. Network Bound E-mail

2. Which one of these is not a type of NBE?
a. Session Data
b. Alert Data
c. Application Data
d. Statistical Data

3. Which of these is not a method to intercept network traffic?
a. Multimeter
b. Taps
c. Hubs
d. Inline devices

4. What function does the snort program perform?
a. performs a core dump
b. eavesdrop through the telephone system
c. perform statistical analysis
d. captures interesting network packets

5. Which event is a likely precursor to an attack?
a. server begins to power off without warning
b. a disgruntled employee was fired
c. a threatening email
d. a port scan


1. Which of these is not a factor in a Chain of Custody?
a. source individual
b. location
c. ethernet port number
d. transfer Date

2. Which is the most widely used commercial forensic software?
a. data dump
b. abadox
c. forensic toolkit
d. encase

3. What function does the fdisk command perform?
a. create a partition
b. duplicate a disk
c. mount a disk
d. show an enumerated list of external disks

4. What must be done immediately after performing a duplication?
a. compress the files to save space
b. change file permissions on the victim drive to read-only
c. perform an md5 hash on the files
d. disconnect drive and give it to the evidence custodian

5. Why is it important to lock writes to the source drive?
a. a single access or write will contaminate the evidence
b. it is a faster data transfer
c. the firewire device converter is relatively inexpensive
d. the victim can sue for property damage


1. What command is used to make a hard drive accessible in Unix?
a. fdisk
b. mount
c. load
d. ls

2. Which of these is not a step in duplicating a hard drive?
a. generate md5 hashes
b. make hash file read-only
c. use the dd command
d. open file on the source hard drive to make sure you are duplicating the correct drive

3. What technique is key to reducing the file set?
a. delete all mp3 files if music files are not relevant to the case
b. delete c:\Windows folder since no user data is stored there
c. remove all files with irrelevant file extensions, such as DLL files
d. compare file hashes to remove known files, such as C:\Windows folder

4. Commercial forensic solutions recover deleted files automatically.
a. true
b. false

5. Which of these is not a non-commercial forensic software?
a. DCFLDD
b. dd
c. encase
d. NED


1. Which Windows program can be used to examine the registry?
a. regedit
b. openreg
c. registry express
d. windows explorer

2. What type of information is not kept in the registry?
a. Installed applications
b. MRU
c. Cookies
d. Windows configuration settings

3. Which technique is used to make data unreadable (gibberish) but is not considered a serious form of encryption?
a. masking
b. file defragmentation
c. hidden files
d. obfuscation

4. Which hardware device is sometimes required for software to function normally?
a. keyboard
b. printer
c. modem
d. dongle

5. A computer forensic investigator should assume that any unknown code is hostile.
a. true
b. false

6. Which one of these is not a method used to calculate a hash value?
a. RCA
b. SHA-256
c. MD5
d. SHA-512

7. Data cannot be recovered from a hard drive after the user has deleted all the files.
a. true
b. false

8. What device can be used to avoid disturbing the data on a suspect drive when accessing it?
a. Write blocker
b. dongle
c. MTU
d. Just set all the files to read-only.

9. Data can be hidden in the spaces between files.
a. true
b. false

10. What is the default file system used in Windows XP?
a. UFS
b. FAT32
c. FAT16
d. NTFS

1. Under which directory are Microsoft Windows Registry files found?
a. C:\Windows\system32\config
b. C:\Program Files\system32\config
c. C:\Windows\system42\bin
d. C:\Registry Files\system32\config

2. _________ forensics is forensics applied to information stored or transported on computers.
a. System
b. File
c. Computer
d. Hard Drive

3. What are the two ways encrypting data could guard the data?
a. Protect Data and Prove Integrity
b. Lock and Key
c. Data Integrity and Prove Data
d. Passwords and Authentication


4. _______ is some method of modifying data so that it is meaningless and unreadable in its encrypted form.
a. Encryption
b. Decryption
c. Bicryption
d. Monocryption

5. A _____ function is any well-defined procedure or mathematical function for turning some kind of data into a relatively small integer.
a. Mash
b. Hash
c. Linear
d. Quadratic

6. What does SHA stand for?
a. System Hit Algorithm
b. Secure Hash Algorithm
c. Science History Agency
d. Secure Hail Algorithm

7. Use a __________ device to prevent accidentally writing to the suspect media.
a. System
b. File
c. Read-Blocking
d. Write-blocking

8. The _____ algorithm takes as input a message of arbitrary length and produces as output a 128-bit fingerprint of the input.
a. MD8
b. MD5
c. MD6
d. MD7

9. It is important that an _____ is made of the hard drive and not a copy or a backup.
a. Icon
b. File
c. Picture
d. Image

10. Which is NOT a name for a returned value of a hash function?
a. Hash values
b. Hash codes
c. Hashish
d. Hashesh

Moises Flores Jr


CSCI 6318
Dr. John Abraham

Chapter 6 Questions

1. Which of the following tools is an essential tool when conducting forensic duplication?
a. Hammer
b. Digital Camera
c. Cell Phone
d. Pager

2. ______ is paramount when conducting a forensic investigation.
a. Storing hardware and software.
b. Ensuring data is backed up.
c. Documentation of evidence worksheets, system worksheets, agent notes, evidence labels, etc.
d. Keeping time of the work you put in to the investigation.

3. Which of the following IS NOT contained on the evidence labels?
a. Type of data retrieved.
b. Case Number.
c. Evidence Tag Number.
d. Contents.

4. On the Evidence Custodian Log, what information is contained?
a. Date, Name, Information, Time in, Time out.
b. Date, Name, Case Number, Time in, Time out.
c. Date, Name, Computer Number, Time in, Time out.
d. None of the above.

5. On the Chain of Custody Form, what information is contained?
a. Source individual, Source location, Destination individual, Destination location, Transfer date.
b. Source individual, Source description, Destination individual, Destination location, Transfer date.
c. Source information, Source address, Destination individual, Destination location, Transfer date.
d. None of the above.

Chapter 7 Questions


1. The duplication device contains a number of components that must be assembled correctly to successfully acquire your evidence. Which of the following IS NOT one of those components?
a. A read-only Firewire-to-IDE module.
b. A read-write Firewire-to-IDE module.
c. Firewire cables.
d. Duplication cables.

2. When acquiring a forensic duplication, which of the following programs can be used to assist you in this process?
a. EnChase.
b. Ncase
c. E-case
d. EnCase.

3. It is highly recommended to use ______ controls for evidence access rather than a software solution.
a. Active.
b. Hardware.
c. Physical.
d. Password.

4. FTK can acquire the forensic duplication in three different formats. What are they?
a. EnChase Information Files, Raw Disk Image, SMART Format.
b. EnCase Evidence Files, Row Disk Image, SMART Format.
c. EnCase Evidence Files, Raw Disk Image, SMART Format.
d. EnCase Evidence Files, Raw Disk Image, SNORT Format.

5. To acquire a forensic duplication with FTK, you must open the FTK ______.
a. Instant program.
b. Initiation program.
c. Imager program.
d. Imaging program.

Chapter 8 Questions


1. The most basic of all noncommercial forensic duplication tools is definitely ______.
a. Desk dump
b. Data dunk
c. Date dump
d. Data dump

2. What does "if" stand for in the dd command?
a. Inter file
b. Inner file
c. Input file
d. In file

3. The dmesg command displays four hard drives used to boot into Linux. What are they?
a. Suspect’s hard drive, OS drive, Speed drive, CD-ROM drive.
b. Suspect’s hard drive, OS drive, Separate drive, CD-ROM drive.
c. Suspect’s hard drive, OS drive, Storage drive, CD-ROM drive.
d. Suspect’s hard drive, OS drive, Storage drive, CD-RMO drive.

4. When creating an evidence hard drive, the first thing one should do is?
a. Delete the evidence hard drive so that data left on the storage hard drive previously is not introduced into the evidence.
b. Detect the evidence in the hard drive so that data left on the storage hard drive is introduced into the evidence.
c. Cleanse the evidence hard drive so that data left on the storage hard drive previously is not introduced into the evidence.
d. None of the above.

5. The ______ is a variation of the standard dd that provides functionality for greater authentication using a built-in MD5 hashing algorithm.
a. DCFLLD
b. DCFLDD
c. DDFLCD
d. DDFLDD

Chapter 9 Questions

1. When conducting forensic analysis, what is the first step you want to take?
a. Delete files.
b. Undelete files.
c. Recover files.
d. Take pictures.

2. The ______ is altered so that you can associate a file (the forensic duplication) with a local loopback device such as /dev/loop0.
a. Operating system.
b. Memory.
c. Kernel.
d. Shell.

3. The first step to recover deleted files is to load our evidence into ______.
a. Hard drive.
b. USB.
c. EnCase.
d. Forensic Work Station.

4. What is one of the advantages of using open source tools to undelete files?
a. It is easier to use than commercial alternatives.
b. No licensing fees associated.
c. It retrieves more undeleted files than commercial solutions.
d. None of the above.

5. What does Metadata include?
a. Full file names, file sizes, MAC times, MD5 hashes.
b. Full user names, file names, MAC dates, MD 5 hashes.
c. Full file names, file sizes, MAC size, MD 5 hashes.
d. None of the above.

Created By: Jerry Garza
Dr. Abraham
CSCI 6318

Chapter 2 - Questions - Key


1. What is the name of logs in Unix?
A. Events
B. System
C. SysLog
D. Event Viewer

2. What command will give you the version and patch level in Unix?
A. user
B. netcat -stat
C. uname -a
D. print -system

3. What is the unique mathematical fingerprint of a file called?
A. fingerprints
B. MD5 Checksum
C. encryption
D. file properties

4. What command will show the current network connections?
A. netcat -list
B. net show ports
C. net
D. netstat -an

5. In the address 102.60.21.3:1827, what is 1827?
A. The number of connections being made.
B. The user ID
C. The port number
D. IP address

Chapter 3 & 4 - Questions - KEY

1. Capturing data when a rule or signature is met is called
A. Session Data
B. Alert Data
C. Full Content Data
D. Statistical Data

2. Capturing all the data of a network connection is called
A. Session Data
B. Alert Data
C. Full Content Data
D. Statistical Data

3. This device will repeat all traffic from a port to all the other ports on the device
A. Switch
B. Tap
C. Hub
D. Inline Device

4. An application that can capture network data and run as an IDS is
A. argus
B. tcpdump
C. snort
D. fport

5. What command will capture data on Linux and dump it to a file?
A. fport
B. argus
C. tcpdump
D. netstat

Chapter - 10 Questions

1. An open source Cookie Investigation Tool
A. FTK
B. Galleta
C. Pasco
D. Encase

2. Internet Explorer utilizes all of the following, where digital forensics evidence can be found, EXCEPT:
A. Web browsing history
B. Temporary Internet Files
C. Cookies
D. Local User Settings

3. An open source tool to reconstruct web browsing
A. Pasco
B. FTK
C. Galleta
D. Encase

4. In order to rebuild web history, commercial and open source tools look at what Internet Explorer file?
A. index.html
B. history.dat
C. index.dat
D. ie.dat

5. The following are valid types for an activity record in Internet Explorer’s history EXCEPT:
A. LEAK
B. REDR
C. URL
D. COOKIE

1. The aim of an information management strategy is to:
A. gain value from information resources.
B. assign appropriate responsibilities for information resources.
C. protect information resources.
D. improve the quality of information resources.
E. none of the above.

2. An information policy is typically aimed at improving:
A. opportunities from better usage of information.
B. a culture of knowledge sharing.
C. openness of communications within an organization.
D. the utilization of data storage on servers.
E. errors from poor quality information.

3. The Information Technology School of information management of Marchand et al. (2002) focuses on:
A. managing the information lifecycle for different types of information.
B. improving people's information usage, behaviors and values.
C. none of the above.
D. selecting appropriate technology to support decision making.
E. using information to manage people and link their performance to business performance.

4. The Management Control School of information management of Marchand et al. (2002) focuses on:
A. selecting appropriate technology to support decision making.
B. improving people's information usage, behaviors and values.
C. managing the information lifecycle for different types of information.
D. none of the above.
E. using information to manage people and link their performance to business performance.

5. The Behaviour and Control School of information management of Marchand et al. (2002) focuses on:
A. none of the above.
B. selecting appropriate technology to support decision making.
C. using information to manage people and link their performance to business performance.
D. improving people's information usage, behaviors and values.
E. managing the information lifecycle for different types of information.

6. The Information Management School of information management of Marchand et al. (2002) focuses on:
A. none of the above.
B. improving people's information usage, behaviors and values.
C. using information to manage people and link their performance to business performance.
D. selecting appropriate technology to support decision making.
E. managing the information lifecycle for different types of information.

7. Information management strategy development starts with:
A. defining responsibilities.
B. reviewing current information resource characteristics and usage (an information audit).
C. putting in place security control.
D. setting objectives.
E. none of the above.

8. Responsibilities for information management need to be defined at this level:
A. Board level.
B. None of the above.
C. User level.
D. Middle manager level.
E. Partner level.

9. The Hawley Committee recommendation that dealt with information security was:
A. the identification of information assets...
B. none of the above.
C. the protection of information from theft, loss, unauthorized access and abuse...
D. the harnessing of information assets and their proper use for maximum benefit of the organization...
E. the proper use of information with applicable legal, regulatory, operational and ethical standards...

10. The Hawley Committee recommendation that dealt with information auditing was:
A. the harnessing of information assets and their proper use for maximum benefit of the organization...
B. the identification of information assets...
C. none of the above.
D. the protection of information from theft, loss, unauthorized access and abuse...
E. the proper use of information with applicable legal, regulatory, operational and ethical standards...

CSCI 6318, 03/28/2010, Liang Ding

Lecture 1: Live Incident Response

1. Which option is not included in Volatile Data?
A. The System Date and Time
B. Which Executables Are Opening TCP or UDP Ports
C. A History of Logins
D. Open Files

2. Which symbol can we use to write information printed on the screen into a file?
A. ^
B. <<
C. &
D. >

3. Which command do we use to get information about Scheduled Jobs?
A. at
B. Pslist
C. Fport
D. Date

4. Which option is not included in Nonvolatile Data?
A. File System Time and Date Stamps
B. Registry Data
C. IIS Logs
D. Cached NetBIOS Name Table

5. Which command in our book do we use to get File System Time and Date Stamps?
A. dir
B. find
C. psinfo
D. time

Lecture 2: Computer Foundations

1. Which of the following does not belong to data organization?
A. Hexadecimal
B. Decimal
C. Binary
D. byte

2. Numbers are stored and transmitted inside a computer in
A. binary form
B. ASCII code form
C. decimal form
D. alphanumeric form

3. A computer knows the layout of data through _____?
A. Data Organization
B. Data Recovery
C. Data Structure
D. Data Analysis

4. A byte corresponds to _____.
A. 4 bit
B. 8 bit
C. 16 bit
D. 32 bit

5. Which are two ways to access ATA hard drives?
A. Through BIOS
B. Indirect Access
C. Through Datalink
D. Direct Access

Lecture 1 Answers: 1. C, 2. D, 3. A, 4. D, 5. B

Lecture 2 Answers: 1. D, 2. A, 3. C, 4. B, 5. A, D


Lecture 3: Unix Live Incident Response

1. Which option is not included in Volatile Data for Unix?
A. The System Date and Time
B. Which Executables Are Opening TCP or UDP Ports
C. A History of Logins
D. Open Files

2. Which command in our book do we use to get current network connections for Unix?
A. netstat
B. date
C. ps
D. dir

3. Which command do we use to get information about a history of logins for Unix?
A. at
B. Pslist
C. last
D. Date

4. Which option is not included in Nonvolatile Data for Unix?
A. System version and patch level
B. File system time and date stamps
C. A history of logins
D. Mounted File systems

5. Which command in our book do we use to get information about mounted file systems for Unix?
A. df
B. find
C. psinfo
D. time

Lecture 4&5: Collecting Network-Based Evidence & Analyzing Network-Based Evidence for a Windows Intrusion

6. Which are included in Network-Based Evidence?
A. Full content data
B. Session data
C. Alert data
D. Statistical data
E. All of above

7. Which are included in a standard intrusion scenario?
A. Reconnaissance
B. Exploitation
C. Reinforcement
D. All of above

8. Network security specialists use four main ways to access network traffic. These methods include:
A. Hubs
B. Taps
C. Inline devices
D. Switch SPAN ports
E. All of above

9. Which description is for Full Content Data?
A. Consists of the actual packets, typically including headers and application information.
B. Shows aggregations of packets into "flows" or groups of associated packets.
C. Created by network IDSs; when the IDS sees traffic that matches its signature or rule base, it informs the administrator via an alert reported to a database, console, or e-mail.
D. For stepping back and looking at the big picture; provides perspective.

10. Which description is for Alert Data?
A. Consists of the actual packets, typically including headers and application information.
B. Shows aggregations of packets into "flows" or groups of associated packets.
C. Created by network IDSs; when the IDS sees traffic that matches its signature or rule base, it informs the administrator via an alert reported to a database, console, or e-mail.
D. For stepping back and looking at the big picture; provides perspective.

Answers: 1. C, 2. A, 3. C, 4. B, 5. A, 6. E, 7. D, 8. E, 9. A, 10. C


CSCI 6318, 04/15/2010, Liang Ding

Chapter 6 & 7:

1. Tools needed for Forensic Duplications?
A. Digital camera
B. Screwdriver with several sizes and types of bits
C. Flashlight
D. Dremel tool
E. All of above

2. Which documentation do we need for Forensic Duplications?
A. Evidence Worksheets
B. System Worksheets
C. Agent Notes
D. Evidence Labels
E. All of above

3. What is the purpose of Evidence tape for Forensic Duplications?
A. Cut a cable tie in the suspect's computer to acquire a duplication
B. Connect the suspect's media to your forensic workstation
C. Show tampering if you store your evidence in a standard business envelope
D. Modify a boot disk

4. What is the purpose of Blank floppies for Forensic Duplications?
A. Cut a cable tie in the suspect's computer to acquire a duplication
B. Connect the suspect's media to your forensic workstation
C. Show tampering if you store your evidence in a standard business envelope
D. Modify a boot disk

5. Which is the commercial software we use to accomplish a forensic duplication? It is one of the most widely used forensic duplication and analysis software tools available today.
A. FTK
B. EnCase
C. DD
D. DCFLDD


Chapter 8: Noncommercial-Based Forensic Duplications

6. Commercial software for forensic duplication includes ______
A. FTK
B. EnCase
C. DD
D. All of above
E. Both A and B

7. Which is the most basic of all noncommercial forensic duplication tools?
A. NED
B. FTK
C. EnCase
D. DD

8. The ______ is a variation of the standard dd that provides functionality for greater authentication using a built-in MD5 hashing algorithm.
A. NED
B. DCFLDD
C. FTK
D. EnCase

9. Which is the newest open source forensics tool that runs in a Linux environment?
A. NED
B. FTK
C. EnCase
D. DD

10. Noncommercial software for forensic duplication includes _________
A. DD
B. DCFLDD
C. NED
D. All of above

Answers: 1 E, 2 E, 3 C, 4 D, 5 B, 6 E, 7 D, 8 B, 9 A, 10 D


CSCI 6318, 04/22/2010, Liang Ding

Chapter 9: Common forensic analysis techniques

1. Before analysis, we should make sure that the forensic duplication is ________.
A. Read and write
B. Write only
C. Read only
D. Hidden

2. Which is the most notable forensic tool in the open source movement to recover deleted files?
A. The Coroner's Toolkit
B. EnCase
C. JBRWWW
D. FTK

3. After we finish forensic duplication and file recovery, we should do ______.
A. Load evidence
B. Acquire the metadata from all files that exist in the evidence
C. Create new image
D. Create MD5 hashes for the files

4. What is the better way to ignore known files?
A. Delete known files at first
B. Make marks for the known files
C. Copy the known files into another hard drive
D. Compare the MD5 hashes of every file in a forensic duplication with a known set of hashes and ignore any matches

5. If you do not know what you will find on the subject's hard drive, but you know specifics of a case, what should you do?
A. Perform a search across the whole hard drive and detect files or file fragments that contain the information you are looking for
B. Determine the file signatures
C. Remove known files
D. Forensic duplication

Chapter 10: Web Browsing Activity Reconstruction

6. IE utilizes ______ facilities where we can find evidence:
A. Web browsing history
B. Cookies
C. Temporary Internet Files
D. All of above

7. Which is the commercial tool used to parse the Web browsing information found in the evidence and present it to the investigator?
A. NED
B. FTK
C. EnCase
D. DD

8. Pasco examines ______ files and how they were populated when a suspect browses the internet.
A. index.html
B. index.sys
C. index.dat
D. index.zip

9. Which is the tool to translate the information inside an IE cookie file to something a human can understand?
A. Pasco
B. FTK
C. EnCase
D. Galleta

10. Cookie files are stored on _____.
A. Remote computer
B. Server
C. Native computer
D. Switch


Answers: 1. C, 2. A, 3. B, 4. D, 5. A, 6. D, 7. C, 8. C, 9. D, 10. C

1. When using the Nikto web server scanning tool, status code ______________ means that the access was successful.
A) 400
B) 300
D) 200
E) 800

2. Web server activity logs are automatically saved in ____________
A) Winnt\System32\Savedfiles
B) Winnt\System32\Logfiles
C) Winnt\Webservices\logfiles
D) Winnt\System32\Recentactivity

3. A utility named _________________ is used to transmit encrypted data to the forensic workstation.
A) Netcat
B) Cryptcat
C) MD5
D) FPort

4. _________ is a utility used to check open ports and associate them with the executables that opened them.
A) Netcat
B) Cryptcat
C) MD5
D) FPort

5. _________ is an application to list the process table in order to know what processes the attacker executed.
A) PsExec
B) PsTools
C) PsList
D) Netstat

1. ______________ refers to collecting every electronic element of a data connection.
A) Session data
B) Statistical data
D) Full content data
E) Alert data

2. ____________ is data that shows predefined items of interest (e.g. a red light flashes each time the word "shipment" is detected).
A) Alert data
B) Full content data
C) Session data
D) Statistical data

3. _________________ is the last step in a standard intrusion scenario. It could involve stealing information or damaging a computer.
A) Reconnaissance
B) Session end
C) Reinforcement
D) Pillage

4. _________ is a tool used to split a file into smaller files.
A) Netcat
B) Cryptcat
C) MD5
D) Tcpslice

5. In order to identify the most active hosts on a network, the analyst should use ____________.
A) Session data
B) Full content data
C) Statistical data
D) Local data

1. ______________ network security monitoring is used when the attack has already happened.
A) Threat response
B) Reactive NSM
D) Proactive NBE
E) Resulting NSM

2. ____________ is a Java program that reads information from a MySQL database and produces a 3-D map of network traffic.
A) scanmap3d
B) Tcpdump
C) 3-D visualizer
D) IDS

3. In a Linux environment, if an administrator wants to check whether a kernel module has been trojaned, he must use the ________ command to review all the loaded kernel modules.
A) lsmod
B) Cryptcat
C) MD5
D) FPort

4. _________ network security monitoring is used to prevent attacks.
A) Proactive NSM
B) Cryptcat
C) Reactive NBE
D) FPort

5. ___________ is the protocol Microsoft uses to share files, printers, serial ports, and also to communicate between computers.
A) Active Directory
B) Sharepoint Services
C) Server Message Block
D) System Services

Prepared by: Edgar Garcia


1. In a standard intrusion scenario, _________ refers to the preliminary examination before an attack happens, checking for vulnerable versions of software.
A) Pillage
B) Reconnaissance
D) Consolidation
E) Reinforcement

2. Full content data, _________, alert data, and statistical data are the four main types of data collected as network-based evidence.
A) Session data
B) Log data
C) System data
D) History data

3. _________ is the most useful tool to analyze full content data on a packet-level basis.
A) lsmod
B) Ethereal
C) MD5
D) FPort

4. _________ is the best open source tool for network intrusion detection.
A) Proactive NSM
B) Ethereal
C) Snort
D) Tcpview

5. In a standard intrusion scenario, _________ refers to downloading attack tools and attempting to elevate privileges at the target, perhaps using a backdoor.
A) Pillage
B) Privilege escalation
C) Consolidation
D) Reinforcement

Prepared by: Edgar Garcia

1. When handling evidence, the first task is to document ________.
A) Agent Notes
B) Chain of custody forms
D) Evidence Worksheets
E) Evidence Access Logs

2. ____________ is a form used to document any time the evidence changes hands.
A) Agent Notes
B) Evidence Worksheet
C) Chain of Custody Forms
D) System Worksheets

3. _________________: this log contains information about new evidence submission, old evidence disposition, and any evidence auditing.
A) Evidence Custodian Log
B) Evidence Access Log
C) System Logs
D) Chain of Custody Forms

4. _________ is a worksheet kept next to the evidence safe; it is used when an individual desires access to evidence in the safe.
A) Evidence Custodian Log
B) Cryptcat
C) Evidence Access Logs
D) Safe Access Logs

5. When documenting the specifics of a hard drive, one worksheet is used for each unique ______. They usually start at one and increase by one for each unique piece of evidence.
A) Geometry
B) Serial Number
C) Capacity
D) Evidence Tag

1. __________ is the most widely used commercial-based forensic duplication software tool.
A) Undelete
B) Partition Recover
D) Encase
E) System Restore

2. When acquiring a forensic duplication, the evidence hard drive should be connected using ______________.
A) Standard SATA Cable
B) Standard IDE Cable
C) read-only Firewire-to-IDE module
D) read-write Firewire-to-IDE module

3. Duplicating more than one drive at a time simply requires _________________.
A) Purchase additional read-only Firewire-to-IDE modules
B) Purchase an extra computer
C) It can't be done
D) Purchase a Server

4. Forensic Tool Kit (FTK) can acquire the forensic duplication in the following formats: _________.
A) EXE, COM and DOC files
B) PPT, XLS, TXT files
C) E01, dd, SMART format
D) IDS, IPS, PSD files

5. When acquiring a forensic duplication, the storage drive (the drive on which the duplication will be stored) should be connected using ______________.
A) Standard SATA Cable
B) Standard IDE Cable
C) read-only Firewire-to-IDE module
D) read-write Firewire-to-IDE module

1. ________ is a variation of dd and can traverse a hard drive forward or backward.
A) dd_forward
B) dd_backward
D) dd_rescue
E) Encase

2. When using dd, if= is used to ____________.
A) Specify the output file
B) Specify the network name
C) Specify the input file
D) Is not used in dd

3. _________________ is an evidence duplicator, originally named ODESSA. It operates using a client and server model.
A) NED
B) Cryptcat
C) dd
D) Netcat

4. _________ is a variation of dd. It provides functionality for greater authentication using a built-in MD5 hashing algorithm.
A) NED
B) Cryptcat
C) DCFLDD
D) Netcat

5. When using dd, of= is used to ____________.
A) Specify the output file
B) Specify the network name
C) Specify the input file
D) Is not used in dd

1. ________ is an open source tool used to examine the contents of Internet Explorer's cache files. It will parse the information in an index.dat file and output the results in a field-delimited manner.
A) FTK
B) EnCase
D) Pasco
E) NBE

2. ________ is an open source tool used to examine the contents of a cookie file. It will parse the information in a cookie file and output the results in a field-delimited manner.
A) FTK
B) NBE
D) Pasco
E) Galleta

3. _________________ is a file that can be used to reconstruct the Web browsing activity. It contains three activity records: LEAK, URL and REDR.
A) index.dat
B) iehistory.dat
C) browser.dat
D) ielogs.dat

4. _________: this record shows information about a browser's redirection to another site.
A) URL
B) LEAK
C) REDR
D) WebRecord

5. It does the same as URL; it contains information about websites visited: the ______ record.
A) REDR
B) Webrecord
C) FTK
D) LEAK

Page 87: Final Exam Review-2

1. __________ is an open source tool that can be used to reconstruct an E-Mail DBX file.
A) Encase
B) MailRecover
D) Eindeutig
E) MailRestore

2. An open source tool named __________ can be used to decode MIME file attachments in email.
A) EnCase
B) PASCO
C) Munpack
D) Undelete

3. Lotus Notes e-mail repositories can be directly analyzed. They do not need to be converted to another format before analysis.
A) True
B) False

4. AOL E-mail repositories can be directly analyzed without having to download the AOL client.
A) False
B) True

5. The file format used by Outlook Express that contains the actual e-mail messages' content and attachments is called ______________.
A) E-Mail DBX file
B) Standard IDE Cable
C) Folders DBX File
D) Express E-Mail File

1. Using the Sleuth Kit, the ______ tool provides a file listing.
A) fls
B) ls
D) dir list
E) File list

2. When using The Sleuth Kit, the fls tool together with the ________ shows a recursive directory listing of the whole hard drive.
A) -s switch
B) -x switch
C) -r switch
D) No switch can be used together with fls

3. _________________ is a program that recursively computes the MD5 hash for files.
A) NED
B) Cryptcat
C) md5deep
D) Netcat

4. _________ are a common tool attackers use to control your computer remotely.
A) IRC bots
B) Virus
C) DCFLDD
D) Netcat

5. The command "file /usr/include/stdio.h" is intended to ________.
A) Specify the output file
B) Specify the network name
C) Specify the input file
D) determine the file signature of a file

1. What does the flag "-n" under the command netstat display?
a. Displays addresses and port numbers in numerical form.
b. Displays the owning process ID associated with each connection.
c. Displays all connections and listening ports.
d. Displays the owning process ID associated with each connection.

2. Under the PsTools suite, which command allows you to execute processes remotely?
a. PsKill
b. PsExec
c. PsService
d. PsLogList

3. Under the PsTools suite, which command lists the files on the local system that are open by remote systems?
a. PsLogList
b. PsService
c. PsExec
d. PsFile

4. Which command displays protocol statistics and current TCP/IP connections using NetBIOS over TCP/IP?
a. nc
b. Ipconfig
c. Nbtstat
d. Fport

5. What tool lists open TCP/IP and UDP ports and maps them to the owning application?
a. Fport
b. ShoWin
c. NTLast
d. Fpipe


1. Which is NOT a tool needed when preparing for forensic duplication?
a. Evidence worksheets
b. System Worksheets
c. Agent Notes
d. Scan Disk

2. What is used as a safety measure to prevent static damage to brand new unused hard drives?
a. Anti-Static bags
b. Cable ties
c. Plastic bag
d. Endust

3. Which of the following is unique information that is found on a hard drive that should be collected on an evidence worksheet?
a. Serial Number
b. ID number
c. IP Address
d. Port Number

4. All evidence should be contained in a _________ envelope.
a. First class
b. UPS
c. Plastic
d. Tamper-proof

5. _________ is paramount to any investigation and should not be overlooked.
a. Documentation
b. Licensing
c. Cleanings
d. Listening

6. Which is the most powerful and most expensive forensic software on the market?
a. Norton Anti Virus
b. Encase
c. Ftk
d. AVG

7. _________ converts traditional 3.5" IDE connections to read-only FireWire connections.
a. Connections Converter
b. Read-only IDE-to-FireWire device
c. SCSI
d. SATA

8. What forensics tool-kit is used to obtain a forensic duplication in DD format?
a. FTK
b. VTK
c. AVG
d. Norton

9. When EnCase duplicates an evidence hard drive, it creates ________ files on a destination media.
a. System
b. Log
c. Evidence
d. Sound

10. Which is not a format supported by FTK?
a. .e01
b. dd
c. Smart Format
d. .doc

11. What does DD stand for?
a. Dynamic Drive
b. Data Dump
c. Disk Drive
d. Device Data

12. _________ is a variation of the standard dd that provides functionality for greater authentication using a built-in MD5 algorithm.
a. DCFLDD
b. DD v2
c. IpDD
d. DD Blaster

13. ____ operates using a client and server model so that the client component can be run directly from the suspect's computer.
a. Share ware
b. P2P
c. NED
d. FTP

14. Which file contains the completed actions inside NED in XML format?
a. Audit.xml
b. Check.xml
c. File.xml
d. Hash.xml

15. Which directory contains the compressed image of the forensic duplication?
a. Gif_compressed
b. Pic_compressed file
c. Image_compressed
d. File_compressed

16. __________ is a library and collection of command line tools that allow you to investigate volume and file system data.
a. The Sleuth Kit
b. Visualization Tool kit
c. Data Command Tool kit
d. System Analysis Tool kit

17. What is the most notable hash distribution provided by the National Institute of Standards and Technology (NIST)?
a. NSRL
b. HTTP
c. XHTML
d. MD5


18. With The Sleuth Kit, using the __ switch you see the full path of every file listed rather than the pseudo-graphical directory structure.
a. -r
b. -n
c. -c
d. -p

19. ________ is used to associate loop devices with regular files or block devices.
a. Losetup
b. Psexec
c. Logmgr
d. TSK

20. Which is one of the types of file systems that the Sleuth Kit supports?
a. File Server
b. FTP
c. FAT32
d. HTTP

Chapter 2

1. The ______ file system can be obtained by issuing either the mount command or the df command.
a. Mount
b. Internal
c. Windows
d. Linux

2. Which of the following is not a form of nonvolatile data?
a. User accounts
b. User history accounts
c. Syslog logs
d. Open files

3. What command must you use to review all loaded kernel modules?
a. Nbtstat
b. Netstat
c. Lsmod
d. Md5sum

4. You can view open processes and the users running them by issuing the _____ command.
a. ps -aux
b. ps -rn
c. pt -x
d. pq -rt

5. _______ are commands the user types at the prompt.
a. User log files
b. History files
c. Event log files
d. System log files

Chapter 3

1. Which of the following is a type of NBE?
a. Statistical data
b. Raw data
c. Registry Keys
d. Metadata

2. Which of the following is NOT a way to access network traffic?
a. Hubs
b. Taps
c. Switch SPAN ports
d. Radio waves

3. In which phase of a standard intrusion scenario does the intruder perform reconnaissance against the target to validate connectivity, enumerate services, and check for vulnerable versions?
a. Pillage
b. Consolidation
c. Reconnaissance
d. Exploitation

4. ________ data is created by analyzing NBE for predefined items of interest.
a. Alert
b. Session
c. Physical
d. New

5. _____ are the simplest and cheapest way to gain access to network traffic.
a. Hubs
b. Wireless routers
c. Repeaters
d. NAS


Chapter 4

1. _______ mode runs Snort against previously captured data.
a. Stealth
b. Live
c. Batch
d. Silent

2. _______ is the protocol Microsoft uses to share files, printers, serial ports, and also to communicate between computers using named pipes and mail slots.
a. Server Message Block (SMB)
b. MAC
c. FTP
d. HTTP

3. An identification request, commonly used with email and Internet Relay Chat (IRC), is known as _________.
a. ICMP
b. SNTP
c. IDENT
d. HTML

4. What does the "-n" do in the command tcpdump -n -i eth0 -s 1515 capture_file.lpc?
a. Disables translation of IP addresses to host names and port numbers to service names.
b. Enables translation of IP addresses to host names and port numbers to service names.
c. Changes the port numbers and IP addresses.
d. Disables all functions of TCP/IP.

5. Which Microsoft service contains a dedicated scripting engine for advanced file types such as ASP, ASA, and HTR files?
a. WebClient
b. IIS 5.0
c. W32Time
d. RapiMgr

Jennifer Garcia Avila, April 22, 2010, CSCI 6318

Answer Key

1. FTK can acquire forensic duplication in three different formats:
a. EnCase Evidence Files (.E01)
b. Microsoft Excel files (.xls)
c. Raw Disk Image (DD)
d. A. and C.
e. None of the above

2. When using DD, always make sure that the BIOS boots from:
a. Your LINUX operating system
b. The suspect's hard drive
c. None of the above

3. Sync tells DD to place:
a. Zeros in any blocks in the output when an error is encountered
b. Ones in any blocks in the output when an error is encountered
c. Twos in any blocks in the output when an error is encountered
d. None of the above

4. DD-rescue is different from DD in that:
a. It outputs a statistics screen so one can observe how much duplication has been completed.
b. It copies the hard drive a lot faster because it uses the optimal block sizes to transfer data.
c. Both A and B
d. None of the above

5. NED stands for:
a. Network Editing Diagram
b. Network Evidence Duplicator
c. All of the above
d. None of the above

6. NED is built around an architecture that accepts:
a. Plugins
b. Words
c. Scripts
d. All of the above
e. None of the above

7. NED also contains:
a. Pre-processing capabilities
b. Post-processing capabilities
c. All of the above
d. None of the above

8. Odessa is also known as:
a. ClosedDD
b. OpenDD
c. All of the above
d. None of the above

9. DCFLDD is a variation of:
a. OpenDD
b. EnCase
c. Standard dd
d. All of the above
e. None of the above

10. DCFLDD contains the following extra switch(es):
a. Hashwindow
b. Hashlog
c. A and B
d. None of the above


Jennifer Garcia Avila

Questions for Chapters 6,7,8,9 (due 4/15/10)

1. Your forensics toolkit should have items like:
a. Hard Drives
b. Cables
c. Flashlight
d. Power cords
e. All of the above

2. One should include the following in documentation:
a. Evidence worksheets
b. Chain of custody forms
c. A menu from Jason's Deli
d. A and B
e. None of the above

3. Encase is a:
a. Freeware application
b. Commercial application
c. None of the above
d. All of the above

4. FTK can acquire forensic duplication in the following formats:
a. Encase evidence files
b. Raw disk image
c. Smart format
d. All of the above
e. None of the above

5. DD does:
a. High level copying
b. Low level copying
c. All of the above
d. None of the above

6. DD is also used to:
a. Copy a specified number of bytes or blocks
b. On-the-fly byte order conversions
c. Copy regions of raw device files
d. All of the above
e. None of the above

7. NED's original name was:
a. Charlotte
b. Odessa
c. Maria
d. None of the above

8. In conducting forensic analysis, the investigator must execute a few steps, including:
a. Recovering any deleted files to add to the analysis
b. Reduce the data set to the smallest number
c. String searching
d. All of the above
e. None of the above

9. Fdisk shows what the _________ looks like.
a. BIOS
b. Partition table
c. Operating system
d. All of the above
e. None of the above

10. Metadata includes:
a. Full file names
b. File sizes
c. MD5 hashes
d. All of the above
e. None of the above
