WGU - C702 Forensics and Network Intrusion -Exam Questions and Answers

Aspects of Organizational Security - ANSWER-IT Security; Physical Security; Financial Security; Legal Security; IT Security - ANSWER-Consists of: Application security; Computing security: Data security: Information security; Network security; Application Security [IT Security] - ANSWER-Applications should be secured to overcome security weaknesses, vulnerabilities, and threats. Any loopholes in Web-based and other custom applications serve as opportunities for attackers. Computing Security [IT Security] - ANSWER-Computers should be secured from threats like viruses, Trojans, and intruders. organizations must have an effective security policy which involves security management, systems engineering, protection against insider threats, and general workplace policies, standards, guidelines, and procedures. Data Security [IT Security] - ANSWER-important information about the organization. It is important to secure data to avoid any manipulation of data, data loss, or threats to data secrecy. Any change in the identity of data or any loss of data causes a huge amount of damage, financial loss, and loss of goodwill for the organization. Information Security [IT Security] - ANSWER-Securing information protects information and information systems from illegal access, use, modification, or destruction. It ensures confidentiality, integrity, and availability of data. Network Security [IT Security] - ANSWER-Networks are used to send important and private data from one system to another. Networks should be secured for safe transfer of data. Damage to the network makes the data transfer vulnerable and may crash the system. Physical Security - ANSWER-Consists of: Facilities security: Human security: Border security; Biometric security; Facilities Security [Physical Security] - ANSWER-Facilities and an organization's equipment should be properly and highly secured. Damage to facilities can cause physical harm such as a system crash or power failure. Human Security [Physical Security] - ANSWER-The employees of an organization should be given security awareness training and be involved in the entire business security process in order to gain their trust and acceptance of the security policy. Ignoring human security concerns can cause employees to leave, leading to loss of business. Financial Security - ANSWER-Consists of: Security from frauds; Phishing attacks; Botnets; Threats from cyber criminals; Credit card fraud; Security from fraud [Financial Security] - ANSWER-To function properly and negate losses, an organization must be financially secure from both internal and external threats. Security breaches may be caused by data manipulations, system vulnerabilities and threats, or data theft. Legal Security - ANSWER-Consists of: National security; Public security; Defamation; Copyright information; Sexual harassment; National security [Legal Security] - ANSWER-National security is threatened if there are any governmental problems, improper management, economic slowdown, or other nationwide issues. Public Security [Legal Security] - ANSWER-Public security is threatened if there are any internal riots, strikes, or clashes among the people of the country. Forensic Readiness - ANSWER-involves an organization having specific incident response procedures in place, with designated trained personnel assigned to handle any investigation. It enables an organization to collect and preserve digital evidence in a quick and efficient manner with minimal investigation costs First Responder: - ANSWER-Is responsible for protecting, integrating, and preserving the evidence obtained from the crime scene. The first responder must investigate the crime scene in a lawful matter so that any obtained evidence will be acceptable in a court of law Computer Forensics or Forensic Computing: - ANSWER-Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. Computer Forensics [goals] - ANSWER-The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it Forensic Investigator: - ANSWER-an Investigator who helps organizations and law enforcement agencies in investigating and prosecuting cyber crimes. He is responsible for the acquisition, identification, preservation, documentation and the creation of an image back-up [bit by bit] of the evidence without affecting or changing same Forensic Science: - ANSWER-It's the application of physical sciences to law in search for truth in civil, criminal, and social behavioral matters for the purpose of ensuring injustice shall not be done to any member of society Network Forensics: - ANSWER-Network Forensics is the capturing, recording, and analysis of network events in order to discover the source, path and Intrusion techniques of security attacks Chain of Custody: - ANSWER-A method for documenting the history and possession of a sample from the time of collection, though analysis and data reporting, to its final disposition Bit Stream copy: - ANSWER-A bit by bit copy of the original storage medium and or evidence Ext3: - ANSWER-Ext3 or third extended file system, is a journaled file system that is commonly used by the Linux kernel. It is the default file system for many popular Linux distributions Logical block addressing [LBA]: - ANSWER-used for specifying the location of blocks of data stored on computer storage devices such as hard disks. LBA is a particularly simple linear addressing scheme, blocks are located by an integer index, with the first block being LBA 0, the second LBA 1, and so on in a sequential matter Cluster: - ANSWER-Is the smallest logical unit on a hard drive Lost Cluster: - ANSWER-The operating system assigns a unique number to each cluster and then keeps track of files according to which clusters they use. Occasionally, the operating system marks a cluster as being used even though it is not assigned to any file. This is called a lost cluster Bad Cluster: - ANSWER-Is a sector on a computer's disk drive or flash memory that is either inacessible or unwriteable due to permanent damage, such as physical damage to the disk surface or failed flash memory transistors Event Logs: - ANSWER-Windows event log is a record of a computer's alerts and notifications. Microsoft defines an event as "any significant occurrence in the OS or in a program that requires users to be notified or an entry added to a log." Tracking user logon activity via Audit Event ID's: - ANSWER-512 Start-up 513 Shutdown 528 Logon 531 Disabled Account 538 Logoff Audit Policy Event ID's: - ANSWER-Event ID 4904: An attempt was made to register a security event source. Event ID 4902: The Per-user audit policy table was created. E-mail Protocols - ANSWER-POP3: Port 110; SMTP: Port 25; IMAP: Port 143 POP3: - ANSWER-A protocol for receiving e-mail by downloading it to your computer from a mailbox on the server of an Internet service provider SMTP: - ANSWER-A protocol for sending e-mail messages between servers over the Internet use. The messages can then be retrieved with an e-mail client using either POP3 or IMAP. SMTP is also generally used to send messages from a mail client to a mail server. Net Commands - ANSWER-Net Config; Net file; Net Use; Net View; Net Name; Net start; Net sessions; Net Config: - ANSWER-Use the net config command to show information about the configuration of the Server or Workstation service Net File: - ANSWER-Displays the names of all open shared files on a server and the number of file locks, if any, on each file Net Use: - ANSWER-The net use command is used to display information about shared resources on the network that you're currently connected to, as well as open sessions on other systems Net View: - ANSWER-Net view is used to show a list of computers and network devices on the network Net Name: - ANSWER-Net name is used to add or delete a messaging alias at a computer Net Start: - ANSWER-The net start command is used to start a network service or list running network services Net Sessions: - ANSWER-The net session command is used to list or disconnect sessions between the computer and others on the network Slack Space: - ANSWER-The unused space in a disk cluster. The DOS and Windows file systems use fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file. The unused space is called the slack space Swap Space: - ANSWER-used when the amount of physical memory [RAM] is full. If the system needs more memory resources and the RAM is full, inactive pages in memory are moved to the swap space, called [Swap file where evidence from RAM can be located] and is located in the root of the C:. Buffer Overflow: - ANSWER-is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. IP Spoofing: - ANSWER-Is the creation of Internet Protocol packets with a spoofed source IP address, with the purpose of concealing the identity of the sender or impersonating another person or computer system Session Hijacking: - ANSWER-is the exploitation of a valid computer session, sometimes also called a session key, to gain unauthorized access to information or services in a computer system Cross-Site Request Forgery [CSRF] Attack: - ANSWER-an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. Through social engineering an attacker may trick the users of a web application into executing actions of the attacker's choosing. Cross-Site Scripting [XSS] Attack: - ANSWER-a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user Directory Traversal Attack: - ANSWER-Aims to access restricted files and directories that are stored outside the web root folder. By browsing the application, the attacker looks for absolute links to files stored on the web server. It can be identified by several forward slashes such as ////////////////// Hidden Field Manipulation Attack: - ANSWER-Hidden fields is a poor coding practice that has been known and publicized for some time, although it still continues. It's the practice of using hidden HTML fields as the sole mechanism for assigning price or obscuring a value. These fields can be manipulated by the attacker Denial of Service [DOS] Attack: - ANSWER-A denial of service [DoS] attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet Man in the middle Attack: - ANSWER-Is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other Dumpster Diving: - ANSWER-Is the practice of sifting through commercial or residential waste to find items that have been discarded by their owners, but that may prove useful to the garbage picker or hacker. This can include any sensitive information related to computer systems. Microsoft Outlook / Express: - ANSWER-Microsoft Outlook uses .pst and .ost data files. While Microsoft Outlook Express uses .idx and .dbx data files E-mail Spoofing: - ANSWER-the creation of email messages with a forged sender address. It is easy to do because the core protocols do not have any mechanism for authentication. It can be accomplished from within a LAN or from an external environment using Trojan horses. It can also be forged in the e-mail header Common E-mail Headers - ANSWER-Content-Transfer-Encoding; Errors-To; Content-Type; Content-Transfer-Encoding: - ANSWER-This header relates to MIME, a standard way of enclosing nontext content in e-mail. It has no direct relevance to the delivery of mail, but it affects how MIME-complainant mail programs intercept the content of the message Errors-To: - ANSWER-This header specifies an address for mailer-generated errors such as bounce messages, to go to [instead of the sender's address] Content-Type: - ANSWER-This is another MIME header, telling MIME-complainant mail programs what type of content to expect in the message Password cracking methods - ANSWER-Rainbow Table Attack; Rule-Based Attack; Brute-Force Attack; Syllable Attack; Hybrid Attack; Rainbow Table Attack: - ANSWER-A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters Rule-Based Attack: - ANSWER-attack where the attacker already has some information about the password. The attacker can then write a rule so that the password-cracking software will only generate passwords that meet that particular rule. Brute-Force Attack: - ANSWER-This attack, the attacker tries every possible combination of characters until the correct password is found. It's a very slow method and takes a large amount of time for longer passwords Syllable Attack: - ANSWER-A Syllable attack is the combination of both brute-force attack and a dictionary attack. This attack is often used when the password is a nonexistent word Hybrid Attack: - ANSWER-This attack is based on the dictionary attack. In this attack, the program adds numbers and symbols to the words from the dictionary Hashing Algorithm Lengths: - ANSWER-SHA-1: 160 Bits SHA-512: 512 Bits MD5: 128 Bits CRC-32: 32 Bits MD6: 512 Bits SQL Injection: - ANSWER-Is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution [Web Application]. SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database Netstat Commands - ANSWER- Netstat - ANSWER--a Displays all connections and listening ports; -e Displays Ethernet statistics; -n Displays addresses and port numbers in numerical form; -r Displays the routing table; -o Displays the owning process ID associated with each connection; INFO2 File: - ANSWER-When a user deletes a file, it's not actually permanently deleted. Instead, the file is copied into the recycle bin's systems folder for further instructions in how to deal with the file. In this case it's the INFO2 file SCSI [Small Computer System Interface]: - ANSWER-The Small Computer System Interface [SCSI] is a set of parallel interface standards developed by the American National Standards Institute [ANSI] for attaching printers, disk drives, scanners and other peripherals to computers Hard drive Tracks: - ANSWER-Hard drive tracks are logical rather than a physical structure, and are established when the disk is low-level formatted. Track numbers start at 0, and track 0 is the outermost track of the disk. If the disk geometry is being translated, the highest numbered track would typically be 1023 Lossless Compression: - ANSWER-Is a class of data compression algorithms that allows the original data to be perfectly reconstructed from the compressed data that maintains data integrity Lossy Compression: - ANSWER-Refers to data compression techniques in which some amount of data is lost. Lossy compression technologies attempt to eliminate redundant or unnecessary information. Some of the data is lost Steganography: - ANSWER-Steganography [from Greeksteganos, or "covered," and graphie, or "writing"] is the hiding of a secret message within an ordinary message and the extraction of it at its destination to maintain the confidentiality of data Technical Steganography: - ANSWER-In technical steganography, physical or chemical methods are used to hide the existence of a message. It can include two methods: Invisible ink and Microdots Open Codes Steganography: - ANSWER-Open codes make use of openly readable text. This text contains words or sentences that can be hidden in a reversed or vertical order. The letters should be in selected locations of the text in a specifically designed pattern. Open codes can be either jargon codes or covered ciphers DNS Poisoning: - ANSWER-DNS spoofing [or DNS cache poisoning] is a computer hacking attack, whereby data is introduced into a Domain Name System [DNS] resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer [or any other computer] Cookie Poisoning: - ANSWER-Is a process in which an unauthorized person changes the content within a user's cookie file in order to gain access to sensitive information that may be stored in the cookie or on the server for the website that the user is browsing DNS Redirection: - ANSWER-DNS redirection is the controversial practice of serving a Web page to a user that is different from either the one requested or one that might reasonably be expected, such as an error page Session Poisoning: - ANSWER-is a method to exploit insufficient input validation within a server application. Typically a server application that is vulnerable to this type of exploit will copy user input into session variables Hash Injection Attack: - ANSWER-It's when the attacker injects a compromised hash into a local session and use that same hash to validate the network resources of that particular network Wireless Attacks - ANSWER-Warchalking; Wardriving; Warflying; Warchalking: - ANSWER-A technique involving using a chalk to place a symbol on a sidewalk or another surface to indicate a nearby wireless network that offers Internet access Wardriving: - ANSWER-A technique hackers use to locate insecure wireless networks while driving around Warflying: - ANSWER-A technique hackers use to locate insecure wireless networks while flying around Wireless Standards: - ANSWER-802.11a: 5 GHz and up to 54 Mbits per second; 802.11g: 2.4 GHz and up to 54 Mbits per second; 802.11b: 2.4 GHz and up to 11 Mbits per second; 802.11n: 2.5 / 5 GHz and up to 54 / 600 Mbits per second; Wireless Active Scan: - ANSWER-The client radio transmits or broadcasts a probe request and listens for a probe response from an Access Point Wireless Passive Scan: - ANSWER-The client radio listens on each channel for beacons sent periodically by an Access Point. A passive scan generally takes more time, since the client must listen and wait for a beacon WPA2: - ANSWER-Is more secured then WPA and uses AES-CCMP encryption algorithm WPA: - ANSWER-Wi-Fi Protected Access [WPA] is a security standard for users of computers equipped with Wi-Fi wireless connection. It changes its TKIP [Temporal Key Integrity Protocol] keys every 10,000 packets MAC Filtering: - ANSWER-In computer networking, MAC Filtering [or GUI filtering, or layer 2 address filtering] refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network Client mis-association: - ANSWER-Client Mis-association can be accidental, deliberate [for example, done to bypass corporate firewall] or it can result from deliberate attempts on wireless clients to lure them into connecting to attacker's Access Point Steganography Techniques - ANSWER-Cover Generation Technique; Substitution Technique; Transform Domain Technique; Spread Spectrum Technique; Cover Generation Technique: - ANSWER-A cover generation method actually creates a cover for the sole purpose of hiding information Substitution Technique: - ANSWER-Replaces redundant or unneeded bits of a cover with the bits from the secret message Transform Domain Technique: - ANSWER-Hides the message data in the transform space of a signal. Can be commonly used in JPEG's photos Spread Spectrum Technique: - ANSWER-There are two types of spread spectrum techniques, direct sequence and frequency hopping. direct sequence [Spread Spectrum Technique] - ANSWER-the stream information to be transmitted is divided in small pieces, each of which is allocated to a frequency channel spread across the spectrum. Frequency hopping [Spread Spectrum Technique] - ANSWER-is when a broad slice of the bandwidth spectrum is divided into many possible broadcast frequencies ASCLD [American Society of Crime Laboratory Directors]: - ANSWER-To promote the effectiveness of crime laboratory leaders throughout the world by facilitating communication among members, sharing critical information, providing relevant training, promoting crime laboratory accreditation/certification, and encouraging scientific and managerial excellence in the global forensic community Chain of Custody: - ANSWER-Chain of custody [CoC], in legal contexts, refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer between sender and receiver, analysis, and disposition of physical or electronic evidence Daubert Standard: - ANSWER-The Daubert standard provides a rule of evidence regarding the admissibility of expert witnesses' testimony during United States federal legal proceedings Frye Standard: - ANSWER-Frye standard, Frye test, or general acceptance test is used to determine the admissibility of scientific evidence and examinations. It provides that expert opinion based on a scientific technique is admissible only where the technique is generally accepted as reliable in the relevant scientific community Task List Commands: - ANSWER-tasklist /u; tasklist /p; tasklist /s; tasklist /v; tasklist /u: - ANSWER-Runs the command with the account permissions of the user specified by User or DomainUser. The default is the permissions of the current logged on user on the computer issuing the command; tasklist /p: - ANSWER-Specifies the password of the user account that is specified in the /u parameter. tasklist /s: - ANSWER-Specifies the name or IP address of a remote computer. The default is the local computer. tasklist /v: - ANSWER-Specifies that verbose task information be displayed in the output. Also list all process id's for application and services Syslog: - ANSWER-A protocol for transmitting event messages and alerts across an IP network that uses TCP to communicate and log messages are sent in clear text Host-Based intrusion detection: - ANSWER-Host based intrusion detection [HIDS] refers to intrusion detection that takes place on a single host system Network-Based intrusion detection: - ANSWER-A network-based ID system monitors the traffic on its network segment as a data source Router Cache: - ANSWER-The database of addresses and forwarding information of network traffic stored in a router. It can also provide information about attacks Bit Depth: - ANSWER-Is either the number of bits used to indicate the color of a single pixel, in a bitmapped image or video frame buffer, or the number of bits used for each color component of a single pixel Raster Image: - ANSWER-Raster image dimensions are measured in pixels & cannot be enlarged without losing quality. different suppliers have specific size requirements for their processes. The amount of pixels within each inch in the image represents the image pixel resolution which also determines its quality SAM [Security Accounts Manager]: - ANSWER-The System Account Manager [SAM] database stores user's passwords in a hashed format. Since a hash function is one-way, this provides some measure of security for the storage of the passwords. This file is located at C:windowssystem32configSAM ARP Table Commands: - ANSWER-arp -d; arp -a; arp -s; arp -v; arp -d: - ANSWER-Delete the host specified by the IP Address; arp -a: - ANSWER-Display the current ARP entries. This includes the IP and MAC addresses. arp -s: - ANSWER-Add the host and associates the IP Address with the physical address. arp -v: - ANSWER-Display the information verbosely. HKEY_LOCAL_MACHINE: - ANSWER-Contains the majority of the configuration information for the software / hardware you have installed and for the OS itself. Cold Boot: - ANSWER-It's turning the computer on from an off state. Warm Boot: - ANSWER-Restarting the computer via the Operating System. Raid Levels: - ANSWER-Raid 0; Raid 1; Raid 3; Raid 5; RAID 0: - ANSWER-RAID 0 [aka a stripe set or striped volume] splits data evenly across two or more disks [striped], without parity information and with speed as the intended goal. RAID 0 was not one of the original RAID levels and provides no data redundancy. RAID 1: - ANSWER-Disk mirroring, also known as RAID 1, is the replication of data to two or more disks. Disk mirroring is a good choice for applications that require high performance and high availability such as transactional applications, email, and operating systems. RAID 3: - ANSWER-RAID 3 is a RAID configuration that uses a parity disk to store the information generated by a RAID controller instead of striping it with the data. RAID 5: - ANSWER-A popular disk subsystem that increases safety by computing parity data among all drives and increasing speed by interleaving data across three or more drives [striping]. 18 US Code 1029: - ANSWER-Fraud and related activity in connection with access devices. 18 US Code 1030: - ANSWER-Fraud and related activity in connection with computers. Configuration management - ANSWER-The process of keeping track of all changes made to hardware, software, and firmware throughout the life of a system; source code management and revision control are part of this Risk management - ANSWER-The decision-making process involving considerations of political, social, economic, and engineering factors with relevant risk assessments relating to a potential hazard so as to develop, analyze, and compare regulatory options and to select the optimal regulatory response for safety from that hazard Business case - ANSWER-The justification to upper management or a lender for purchasing new equipment, software, or other tools when upgrading your facility Investigators should consider the following issues when asking whether a government search of a computer requires a warrant: - ANSWER-Does the search violate a reasonable expectation of privacy? And if so, is the search nonetheless permissible because it falls within an exception to the warrant requirement? Katz Test [expectation of privacy] - ANSWER-1) Does the individual's conduct reflects an actual expectation of privacy. 2) Is the individual's actual expectation of privacy one that society is prepared to recognize as reasonable. Title 18 U.S.C. 2252A [pertains to child pornography] - ANSWER-The provisions of this law are as follows: A person cannot intentionally transport by any means, including but not limited to through the mail or through a computer, child pornography. A person cannot intentionally receive or distribute child pornography that has been transported by any means, including but not limited to through the mail or through a computer. A person cannot intentionally reproduce any child pornography for distribution by any means, including but not limited to through the mail or through a computer. A person cannot advertise, promote, present, distribute, or solicit child pornography. A person cannot intentionally possess or sell child pornography in any form, including books, magazines, films, and digital media Guidelines for Evidence Collection - ANSWER-[RFC 3227] provides a list of the volatile data that should be captured first: 1. System date and time, 2. Current network connections, 3. Current open ports and applications listening on those ports, 4. Applications that are currently running forensic investigations in a wireless environment: - ANSWER-1. Obtain a search warrant. 2. Identify wireless devices. 3. Document and maintain chain of custody. 4. Detect wireless connections. 5. Determine wireless field's strength. 6. Map wireless zones and hot spots. 7. Connect to the wireless network. 8. Acquire and analyze data. 9. Generate a report. A computer forensic expert makes sure that the following rules are upheld during an investigation process: - ANSWER-1. Preservation of evidence 2. Prevention of contamination of evidence 3. Extraction and preservation of evidence 4. Accountability of evidence 5. Limited interference of the crime scene on normal life 6. Ethics of investigation Steps to evaluate and secure a scene: - ANSWER-1. Follow the policies of the legal authority for securing the crime scene. 2. Verify the type of incident. 3. Ensure that the scene is safe for responders. 4. Isolate other persons who are present at the scene. 5. Locate and help the victim. 6. Verify any data that is related to the offense. Steps to evaluate and secure a scene: (continued) - ANSWER-7. Transmit flash messages to responding units. 8. Request help as needed 9. Establish a security perimeter. 10. Protect volatile evidence. 11. Document the devices that contain perishable data. 12. Observe the situation and record observations. 13. Protect physical evidence or hidden fingerprints. The generic processes of the First Responder Procedures are to: - ANSWER-1. Protect the system and resources. 2. Contain the intrusion. 3. Preserve the evidence [logs, files, etc.] in a legally acceptable way. 4. Notify Management, Incidence Response, etc. Federal Rules of Evidence [OPINIONS AND EXPERT TESTIMONY] - ANSWER-Rule 701 - Opinion Testimony by Lay Witnesses; Rule 702 - Testimony by Expert Witnesses; Rule 703 - Bases of an Expert's Opinion Testimony; Rule 704 - Opinion on an Ultimate Issue; Rule 705 - Disclosing the Facts or Data Underlying an Expert's Opinion; Rule 706 - Court-Appointed Expert Witnesses; Federal Rules of Evidence [Rule 702 - Testimony by Expert Witnesses] - ANSWER-an expert is a person with "scientific, technical, or other specialized knowledge" who can "assist the trier of fact".