Forensics and Network Intrusion Exam Study Guide With Verified Solutions

Forensics and Network Intrusion Exam Study Guide With Verified Solutions Stego-only - answerOnly the stego-object is available for analysis. Known cover attack: - answerThe stego-object as well as the original medium is available. The stego-object is compared with the original cover object to detect any hidden information. Known message attack - answerThe hidden message and the corresponding stego-image are known. The analysis of patterns that correspond to the hidden information could help decipher such messages in future Chosen stego attack - answerThe steganography algorithm and stego-object are known. Chosen message attack - answerThe steganalyst generates a stego-object from some steganography tool or algorithm of a chosen message. The goal in this attack is to determine patterns in the stego-object that may point to the use of specific steganography tools or algorithms hexadecimal value should an investigator search for to find JPEG - answer0xFFD8 - Joint Photographic Experts Group Which computer crime forensics step requires an investigator to duplicate and image the collected digital information? - answerAcquiring data A computer forensic investigator finds an unauthorized wireless access point connected to an organization's network switch. This access point's wireless network has a random name with a hidden service set identifier (SSID). - answerCreate a backdoor that a perpetrator can use by connecting wirelessly to the network Which web-based application attack corrupts the execution stack of a web application? - answerBuffer overflow Known-stego - answerThe hidden message and the corresponding stego-image are known During the communication process, active attackers can change cover Original and stego-object are available and the steganography algorithm is known Only the steganography medium is available for analysis Which path should a forensic investigator use to look for system logs in a Mac? - answer/var/log/ Which tool should a forensic investigator use on a Windows computer to locate all the data on a computer disk, protect evidence, and create evidentiary reports for use in legal proceedings? - answerProDiscover Which tool should a forensic team use to research unauthorized changes in a database? - answerApexSQL DBA Which graphical tool should investigators use to identify publicly available information about a public IP address? - answerSmartWhois A first responder arrives at an active crime scene that has several mobile devices. What should this first responder do while securing the crime scene? - answerLeave the devices as found and fill out chain of custody paperwork A network log from a remote system is entered into evidence, and the proper steps are taken to protect the integrity of the data. The log contains network intrusion data but does not contain any information about the log. - answerName of the server A Mac computer that does not have removeable batteries is powered on. Which action must a first responder take to preserve digital evidence from the computer once volatile information is collected? - answerPress the power switch for 30 seconds First responders arrive at a company and determine that a non-company Windows 7 computer was used to breach information systems. The computer is still powered on. What is the correct procedure for powering off this computer once the volatile information has been collected? - answerUnplug the electrical cord from the wall socket RAID 0 - answeralso known as a stripe set or striped volume) splits ("stripes") data evenly across two or more disks, without parity information, redundancy, or fault tolerance RAID 1 - answerconsists of an exact copy (or mirror) of a set of data on two or more disks; a classic RAID 1 mirrored pair contains two disks. This configuration offers no parity, striping, or spanning of disk space across multiple disks, RAID 2 - answerStripes data at the bit (rather than block) level, and uses a with dedicated Hamming-code parity. OBSOLETE. RAID 3 - answerInformation is written at byte level across multiple drives, but only one is dedicated for parity. Rarely used in practice, consists of byte-level striping with a dedicated parity disk. RAID 5 - answerconsists of block-level striping with distributed parity. Unlike in RAID 4, parity information is distributed among the drives