Forensics and Network Intrusion exam questions and answers fully passed

Pages: 23
Grade: A+
Uploaded on: 18-06-2025
Written in: 2024/2025



First Responder - Answers: Is responsible for protecting, integrating, and preserving the evidence
obtained from the crime scene. The first responder must investigate the crime scene in a lawful
manner so that any obtained evidence will be acceptable in a court of law.

Computer Forensics or Forensic Computing - Answers: Computer forensics is the application of
investigation and analysis techniques to gather and preserve evidence from a particular
computing device in a way that is suitable for presentation in a court of law. The goal of
computer forensics is to perform a structured investigation while maintaining a documented
chain of evidence to find out exactly what happened on a computing device and who was
responsible for it.

Forensic Investigator - Answers: Is an investigator who helps organizations and law enforcement
agencies in investigating cybercrimes and prosecuting the perpetrators of those crimes. He is
responsible for the acquisition, identification, preservation, documentation and the creation of
an image back-up (bit by bit) of the evidence without affecting or changing same.

Forensic Science - Answers: It's the application of physical sciences to law in search for truth in
civil, criminal, and social behavioral matters for the purpose of ensuring injustice shall not be
done to any member of society.

Network Forensics - Answers: Network forensics is the capturing, recording, and analysis of
network events in order to discover the source, path and intrusion techniques of security
attacks.

Chain of Custody - Answers: A method for documenting the history and possession of a sample
from the time of collection, through analysis and data reporting, to its final disposition.

Bit Stream copy - Answers: A bit by bit copy of the original storage medium and/or evidence.

Ext3 - Answers: Ext3, or third extended file system, is a journaled file system that is commonly
used by the Linux kernel. It is the default file system for many popular Linux distributions.

Logical block addressing (LBA) - Answers: Is a common scheme used for specifying the location of
blocks of data stored on computer storage devices, generally secondary storage systems such as
hard disks. LBA is a particularly simple linear addressing scheme; blocks are located by an
integer index, with the first block being LBA 0, the second LBA 1, and so on in a sequential
manner.

Cluster - Answers: Is the smallest logical unit on a hard drive.

Lost Cluster - Answers: The operating system assigns a unique number to each cluster and then
keeps track of files according to which clusters they use. Occasionally, the operating system
marks a cluster as being used even though it is not assigned to any file. This is called a lost
cluster.

Bad Cluster - Answers: Is a sector on a computer's disk drive or flash memory that is either
inaccessible or unwriteable due to permanent damage, such as physical damage to the disk
surface or failed flash memory transistors.

Event Logs - Answers: Windows event log is a record of a computer's alerts and notifications.
Microsoft defines an event as "any significant occurrence in the OS or in a program that requires
users to be notified or an entry added to a log."

Tracking user logon activity via Audit Event ID's - Answers:
512 Start-up
513 Shutdown
528 Logon
531 Disabled Account
538 Logoff

Audit Policy Event ID's - Answers:
Event ID 4904: An attempt was made to register a security event source.
Event ID 4902: The Per-user audit policy table was created.

E-mail Protocols POP3, SMTP and IMAP port numbers - Answers:
POP3 - Port 110
SMTP - Port 25
IMAP - Port 143

POP3 - Answers: A protocol for receiving e-mail by downloading it to your computer from a
mailbox on the server of an Internet service provider.

SMTP - Answers: A protocol for sending e-mail messages between servers. Most e-mail systems
that send mail over the Internet use SMTP to send messages from one server to another. The
messages can then be retrieved with an e-mail client using either POP3 or IMAP. SMTP is also
generally used to send messages from a mail client to a mail server.

Net Config - Answers: Use the net config command to show information about the configuration
of the Server or Workstation service.

Net File - Answers: Displays the names of all open shared files on a server and the number of file
locks, if any, on each file.

Net Use - Answers: The net use command is used to display information about shared resources
on the network that you're currently connected to, as well as open sessions on other systems.

Net View - Answers: Net view is used to show a list of computers and network devices on the
network.

Net Name - Answers: Net name is used to add or delete a messaging alias at a computer.

Net Start - Answers: The net start command is used to start a network service or list running
network services.

Net Sessions - Answers: The net session command is used to list or disconnect sessions between
the computer and others on the network.

Slack Space - Answers: The unused space in a disk cluster. The DOS and Windows file systems use
fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size,
an entire cluster is reserved for the file. The unused space is called the slack space.

Swap Space - Answers: Swap space is used when the amount of physical memory (RAM) is full. If
the system needs more memory resources and the RAM is full, inactive pages in memory are
moved to the swap space. While swap space can help machines with a small amount of RAM, it
should not be considered a replacement for more RAM. The name of this file is pagefile.sys
(the swap file, where evidence from RAM can be located), and it is located in the root of C:\.

Buffer Overflow - Answers: Is an anomaly where a program, while writing data to a buffer,
overruns the buffer's boundary and overwrites adjacent memory. This is a special case of
violation of memory safety. Buffer overflows can be triggered by inputs that are designed to
execute code, or alter the way the program operates. This may result in erratic program
behavior, including memory access errors, incorrect results, a crash, or a breach of system
security. Thus, they are the basis of many software vulnerabilities and can be maliciously
exploited.

IP Spoofing - Answers: Is the creation of Internet Protocol packets with a spoofed source IP
address, with the purpose of concealing the identity of the sender or impersonating another
person or computer system.

Session Hijacking - Answers: Is the exploitation of a valid computer session, sometimes also called
a session key, to gain unauthorized access to information or services in a computer system.

Cross-Site Request Forgery (CSRF) Attack - Answers: Cross-Site Request Forgery (CSRF) is an attack
that forces an end user to execute unwanted actions on a web application in which they're
currently authenticated. With a little help of social engineering (such as sending a link via email
or chat), an attacker may trick the users of a web application into executing actions of the
Seller: kipkirui2744 (Chamberlain College Of Nursing)