Final Exam Review

Please check this site frequently. I will be adding material as I get it.

BRING BLUEBOOKS FOR THE EXAM.
There will be 30 to 40 multiple choice questions from the Forensics lectures. These
questions will be picked from those submitted by students.

Write an essay on digital crime scene process. Include a paragraph on each of the
following:
       System preservation
       Evidence Searching
       Event Reconstruction

Differentiate between live and dead analysis.

What is involved in collecting network based evidence (NBE)?

Describe documentation required in Forensics workup.

Describe how to analyze web browsing and email activities.

How would you go about duplicating forensics evidence found on a hard drive?
How would you safeguard the integrity of the data? How would you eliminate
known files?

There will be questions on the practical part of the course. Here are some sample
questions:

1. When creating a live analysis CD, you used a program called Process Monitor to monitor
   what dependencies were used by the tools you chose to place on the CD. Explain the
   importance of this step.
2. Throughout the labs, you have been introduced to several open-source tools to do your
   analysis of system characteristics. List and describe three tools that you feel are
   significant in forensic analysis.
3. In one of the labs, you exploited a version of Windows 2003 Server using Back Track 4.
   Explain the process of the exploitation, i.e. how you were able to gain control of the
   compromised system. What steps would you take to prevent this from occurring?
4. Drive duplication can be done by physically connecting to a hard drive (such as with the
   adapters provided), or over the network. Other than the obvious reason of duplication,
   what significance does the dd command play in the cyber forensics field in each
   situation?
5. What information can you gain by capturing and analyzing cache files? How might this
   prove useful in the court of law?
6. In the “Hello World” lab, you are asked to observe the behavior of an executable on a
   compromised system. Describe a situation where this practice proves beneficial.




Student submitted questions:
F9-Common Forensic Analysis Techniques
1. ____ is used to identify relevant files and fragments of relevant files.
A. string searching
B. cryptographic files
C. relevant data
D. undeleted files

2. When trying to recover deleted files make sure the forensic duplication is ____
   so that it is not modified during our analysis.
A. On correct disk
B. Read-only
C. Write-only
D. Locked

3. To reconstruct a file, you can use the ____ tool included with the Sleuth Kit.
A. Skype
B. Netscan
C. Icat
D. Lscat

4. A better way to ignore known files is to compare the ____ of every file in a
   forensic duplication with a known set of hashes and ignore any matches.
A. MD5 hashes
B. Active hashes
C. Forensic hashes
D. Cryptography

5. ____ gives us output we can parse into other programs such as a spreadsheet or
   database.
A. PDF
B. SCSI
C. Fls
D. FAT-32




F8-Noncommercial-Based Forensic Duplications
1. Use ____ to create a partition for the destination drive.
A. Win_XP
B. Fdisk
C. Duplicate disk
D. Forensic duplications

2. You can make an exact copy of the hard drive by first cleaning the destination drive by placing
   ____ in all the blocks:
A. Random bits
B. Binary bits
C. Zeros
D. Reliable data

3. dd_rescue is a variation of the dd command. You can use this command to copy forward or
   backward from the end to the beginning. This is useful if you encounter ____.
A. blank disk
B. errors
C. full disk
D. negative integers

4. You can use ____ to duplicate hard drives over the network.
A. Network Evidence Duplicator (NED)
B. RAID 1
C. Remote connection
D. VM-Ware

5. The reason to place zeros in all of the hard drive blocks is because ____.
A. Movies are left in there
B. Data is corrupted
C. Unwanted data might have been left there and this will damage forensic evidence.
D. The ones in the blocks have to cancel with the zeros.


F6- F7-Commercial-based Forensic Duplications
1. By default EnCase will duplicate the media and create a series of ____ MB files in a
   directory you specify.
A. 700
B. 640
C. 1500
D. 32

2. In forensics, each piece of hardware must be ____ with make, model, serial number,
   evidence tag number, etc.
A. Put in closet
B. Documented
C. Signed
D. Shared

3. One very well-known software package used for forensic analysis is ____.
A. IBM
B. Google
C. EnCase
D. Forensic-ripper

4. This format is the most versatile as it can be imported into any forensic toolkit.
A. Raw disk image (dd)
B. RAID 0
C. EnCase
D. NTFS

5. The evidence custodian should
A. Give the evidence to the secretary
B. Place evidence in the storage place
C. Keep logs of who has the evidence, when it was checked out, etc.
D. Use the evidence for personal use.


1. ____ is forensics applied to information stored or transported on
   computers.
A. Information forensics
B. Data forensics
C. Computer forensics
D. Network forensics

2. ____ is some method of modifying data so that it is meaningless and
   unreadable in
A. data hiding
B. encryption
C. data mining
D. address resolution protocol

3. When working on computer forensics always work from ____ of the evidence and
   never from the original to prevent damage to the evidence.
A. Original hard drive
B. Live computer
C. Remote desktop
D. An image

4. ____ preserving evidence means that the information contained on the
   drive down to the last bit never changes during seizing, analysis and storage.
A. Mentally
B. Logically
C. Physically
D. Carefully

5. Write blockers are devices that allow acquisition of information on a drive without creating
   the possibility of accidentally damaging the drive contents.
A. Data blockers
B. Write blockers
C. Read blockers
D. Metadata blockers


Created by Humberto Banda
4/22/10




Chapter 10 Web browsing activity reconstruction
1. How many ways are there to keep track of browsing history?
A. 5
B. 7
C. 3
D. 6

2. The setting\<profilename>\cookies folder contains an ____ file that links each cookie to a
   domain on the internet where it was downloaded.
A. Homepage
B. Index.dat
C. Script
D. Internet explorer

3. ____ is an open-source tool used to examine index.dat files and how they
   were populated when a suspect browses the internet.
A. Firefox
B. Pasco
C. cookie finder
D. Encase

4. A ____ activity record contains less information than the URL or LEAK
   records and is symbolic of a website that redirects you to another website.
A. phone
B. Pasco
C. suspect
D. REDR

5. Keith J. Jones developed a tool named ____ to translate the information
   inside an IE cookie to something a human can understand.
A. Cookie
B. Galleta
C. Pasco
D. Internet explorer


Chapter 11, Email activity reconstruction
1. One of the commercial tools used for reconstruction of email is ____.
A. Pasco
B. Galleta
C. FTK
D. Outlook

2. Outlook and Outlook Express tend to be the two most utilized ____ clients.
A. Explorers
B. Email
C. AOL
D. Chat

3. The first choice to read Outlook Express email repositories is to use a tool named
   ____.
A. Google it
B. Eindeutig
C. Hack it
D. Snort

4. One of the differences between the E-mail DBX file format and the Folders DBX file
   format is ____.
A. The file signatures are slightly different
B. Messages are similar
C. Data entries are the same
D. DBX is not good

5. Netscape and Mozilla store their mailboxes in plain ____ format.
A. Duplex
B. Hex
C. ASCII
D. Unix


1. The ____ contains significant information that helps us determine the “who”,
   “how”, and possible “why” of the incident.
A. Encrypted data
B. Volatile data
C. Network data
D. Linux data

2. Through examining the ____, we hope to discover any backdoors the attacker may have
   established.
A. Closed ports
B. Wired ports
C. Open ports
D. Configured ports

3. ____ is the single most powerful tool in our live response toolkit for UNIX
   systems.
A. list open files (lsof)
B. critical files (cf)
C. intruder open files (iof)
D. non-volatile files (nf)

4. When an attacker runs a file such as datapipe, it deletes the original file and we would
   not be able to have a copy of the file. This is when we would use ____ that does
   not actually exist on the hard drive. It exists in memory and references running
   processes and other system information.
A. Execute file system
B. /proc file system
C. /32 bit file system
D. /test corrupt file system

5. In ____, collecting all computer activities and intercepting and recording all packets
   takes a lot of disk space and a lot of time for analysis.
A. Alert data
B. Session data
C. Full content data
D. Full time monitoring



6. In ____, an intrusion detection system is a device or application used to inspect
   all network traffic and alert the user or administrator when there have been
   unauthorized attempts or access.
A. Alert Data
B. Security check
C. Network security
D. Traffic control

7. ____ is similar to recording one conversation between suspects.
A. Suspicious conversations
B. Session Data
C. Private conversations
D. Full content data

8. For ____, the source sends one packet, and the destination replies with one
   packet.
A. Open ports
B. Security ports
C. Closed ports
D. Dedicated ports

9. ____ is the protocol Microsoft uses to share files, printers, serial ports, and
   also to communicate between computers using named pipes and mail slots.
A. Instant messenger
B. Server Message Block
C. encrypted message block
D. data handshake block

10. ____ is used to resolve IP addresses to MAC addresses.
A. IP config
B. Catscan
C. Netcat
D. Address resolution table


1. ____ are the simplest and cheapest way to gain control of network traffic.
A. NAS
B. Hubs
C. Repeaters
D. Wireless router

2. Which is not a type of NBE?
A. Raw data
B. Statistical data
C. Metadata
D. Registry keys

3. What is the command to list all the loaded kernel modules?
A. Load kernel
B. MSCONFIG
C. lsmod
D. PING

4. ____ is designed to interpret traffic in batch mode.
A. Peer Network
B. TcpTrace
C. Bittorrent
D. Red Hat

5. The measures used to prevent attacks are called ____.
A. Anti-attacks
B. Proactive
C. Reactive
D. Revenge
1 ____ analysis is when data from the suspect is copied without the assistance of the
suspect's operating system.
a. Live
b. Dead
c. Data
d. Forensic

2 ____ analysis uses the operating system or resources of the system being investigated to
find evidence.
a. Live
b. Dead
c. Data
d. Forensic

3 ____ is information we would use if the machine is turned off.
a. Registry information
b. Volatile information
c. Non-volatile information
d. Cached information

4 ____ involves capturing the memory space of the suspect processes.
a. Fport
b. Undelete
c. Defragmenting
d. Memory dump

5 While analyzing registry data, RegDmp provides the following general information
except ____.
a. user name
b. date and time
c. domain membership
d. profile information
1 – Windows Live Response
Key

1 ____ analysis is when data from the suspect is copied without the assistance of the
suspect's operating system.
b. Dead

2 ____ analysis uses the operating system or resources of the system being investigated to
find evidence.
a. Live

3 ____ is information we would use if the machine is turned off.
b. Volatile information

4 ____ involves capturing the memory space of the suspect processes.
d. Memory dump

5 While analyzing registry data, RegDmp provides the following general information
except ____.
b. date and time




                              F1a – Computer Foundations
1 Computers know the layout of the data because of ____, which act like templates or
maps.
a. data structures
b. data tables
c. registers
d. arrays

2 In order to get to a particular sector, we need the following except ____.
a. head
b. cylinder
c. sector
d. stack

3 A special area of the disk that can be used to save some system information added there
by the manufacturer.
a. read protected area
b. write protected area
c. host protected area
d. user protected area

4 The software must load data such as the sector address and sizes into the CPU registers
and execute interrupt 13h in order to access ATA hard drives through_____.
a. direct access
b. BIOS
c. SCSI
d. remote access

5. A data structure is composed of which two parts?
a. number and string
b. flag and register
c. byte and string
d. flag and byte




                              F1a – Computer Foundations
Key
1 Computers know the layout of the data because of ____, which act like templates or
maps.
a. data structures

2 In order to get to a particular sector, we need the following except ____.
d. stack

3 A special area of the disk that can be used to save some system information added there
by the manufacturer.
c. host protected area

4 The software must load data such as the sector address and sizes into the CPU registers
and execute interrupt 13h in order to access ATA hard drives through_____.
b. BIOS

5. A data structure is composed of which two parts?
a. number and string




                                 2 UNIX Live Response

1. The single most powerful tool in the live response toolkit for UNIX systems.
a. Netstat
b. Nc
c. Lsof
d. lsmod

2. Sorts all files by the time the inode was last changed.
a. ctime
b. uname
c. time
d. netcat

3. A 128-bit mathematical fingerprint of the contents in a file, for every file on the
filesystem.
a. lpd login
b. zap2
c. MD5 Checksum
d. LKM

4. Transfers relevant logs to a forensic workstation for further analysis.
a. mount
b. netcat
c. netbios
d. netstat

5. Contain commands the user typed at the prompt, may contain commands that failed,
and can be used to discover the hacker's methodology.
a. History Files
b. Command Logs
c. Browser History
d. Security Logs




                                  2 UNIX Live Response

Key

1. The single most powerful tool in the live response toolkit for UNIX systems.
c. Lsof

2. Sorts all files by the time the inode was last changed.
a. ctime
3. A 128-bit mathematical fingerprint of the contents in a file, for every file on the
filesystem.
c. MD5 Checksum

4. Transfers relevant logs to a forensic workstation for further analysis.
b. netcat

5. Files containing commands the user typed at the prompt, may contain commands that
failed, and can be used to discover the hacker's methodology.
a. History Files




                       F3 Collecting Network Based Evidence (NBE)

a. Full Content Data
b. Session Data
c. Alert Data
d. Statistical Data

____ 1. Most active IP addresses, ports, data length.

____ 2. Summary of sessions with date and time, from source and destination addresses
and how it was terminated.
____ 3. Collecting all computer activities, intercepting and recording all packets, requires
a lot of disk space and time for analysis.

____ 4. Analyzing NBE for predetermined items of interest




5. Forwards to all ports. A monitoring station can detect all packets.
a. Bridges
b. Taps
c. Switched Port Analyzer
d. Hubs




                      F3 Collecting Network Based Evidence (NBE)

Key

1. Most active IP addresses, ports, data length.
d. Statistical Data

2. Summary of sessions with date and time, from source and destination addresses and
how it was terminated.
b. Session Data


3. Collecting all computer activities, intercepting and recording all packets, requires a lot
of disk space and time for analysis.
a. Full Content Data
4. Analyzing NBE for predetermined items of interest
c. Alert Data



5. Forwards to all ports. A monitoring station can detect all packets.
d. Hubs




             F4 Analyzing Network-based evidence for a windows intrusion

1. What tool was used by running it against the libpcap data to transform it into session
data?
a. McAfee
b. Argus
c. Symantec
d. WireShark

2. Multiple protocols with a low number of packets may indicate what type of activity?
a. Packet Sniffing
b. Blue Snarfing
c. War Driving
d. Port Scanning

3. What tool was used in this chapter to find patterns of malicious activity?
a. Snort
b. WireShark
c. BackTrack4
d. McAfee
4. A single SYN packet is sent through a port and a RST ACK packet is received. What
does this mean?
a. Port is busy
b. Port is closed
c. Port is open
d. Port is available

5. As opposed to running Snort in “live mode” to inspect traffic actively passed on the wire,
what mode can Snort be running under to inspect previously captured data?
a. dead mode
b. capture mode
c. batch mode
d. response mode




             F4 Analyzing Network-based evidence for a windows intrusion
Key

1. What tool was used by running it against the libpcap data to transform it into session
data?
b. Argus

2. Multiple protocols with a low number of packets may indicate what type of activity?
d. Port Scanning

3. What tool was used in this chapter to find patterns of malicious activity?
a. Snort

4. A single SYN packet is sent through a port and a RST ACK packet is received. What
does this mean?
b. Port is closed

5. As opposed to running Snort in “live mode” to inspect traffic actively passed on the wire,
what mode can Snort be running under to inspect previously captured data?
c. batch mode
                         F6 - Preparing for Forensic Duplication

1. Items included in a forensic toolkit should include the following except…
a. Screwdrivers
b. Power Cables
c. Printer
d. Permanent Markers

2. Each piece of hardware must be documented with the item's information which
includes…
a. Driver's License
b. Make/Model
c. Date of Birth
d. Maiden Name

3. The information written on each label should include the following except…
a. Number of Partitions
b. Date
c. Type of file system
d. Price

4. Which item is used to document evidence.
a. Digital Camera
b. Firewire
c. Flash Drive
d. Flashlight

5. The following should be recorded when evidence is checked out except…
a. Date of Birth
b. Case Number
c. Name
d. Date




                         F6 - Preparing for Forensic Duplication
Key

1. Items included in a forensic toolkit should include the following except…
c. Printer

2. Each piece of hardware must be documented with the item's information which
includes…
b. Make/Model

3. The information written on each label should include the following except…
d. Price

4. Which item is used to document evidence.
a. Digital Camera

5. The following should be recorded when evidence is checked out except…
a. Date of Birth
                       F7- Commercial-based Forensic Duplication

1. EnCase is used to…
a. backup system information
b. retrieve data from a storage device
c. print labels
d. surf the internet

2. When using EnCase or FTK, use which of the following to connect to the source hard
drive (evidence)
a. serial cable
b. read-only Firewire-to-IDE module
c. read-write Firewire-to-IDE module
d. coaxial cable

3. When EnCase duplicates an evidence hard drive, it creates evidence files on a
destination media. This usually means a…
a. DVD-R
b. Floppy Disk
c. Flash drive
d. formatted storage hard drive

4. FTK can acquire the forensic duplication in the following three different formats
except…
a. Portable Network Graphics
b. SMART format
c. Raw Disk Image (dd)
d. EnCase Evidence Files (.E01)
5. When using a laptop with Encase, two additional items are usually needed. This
includes a 2.5” to 3.5” laptop hard drive converter and a…
a. Graphics card
b. PCMCIA Firewire card
c. Sound card
d. Data Acquisition card




                       F7- Commercial-based Forensic Duplication

Key
1. EnCase is used to…
b. retrieve data from a storage device

2. When using EnCase or FTK, use which of the following to connect to the source hard
drive (evidence)?
b. read-only Firewire-to-IDE module

3. When EnCase duplicates an evidence hard drive, it creates evidence files on a
destination media. This usually means a…
d. formatted storage hard drive

4. FTK can acquire the forensic duplication in the following three different formats
except…
a. Portable Network Graphics

5. When using a laptop with Encase, two additional items are usually needed. This
includes a 2.5” to 3.5” laptop hard drive converter and a…
b. PCMCIA Firewire card
                   F8 – Noncommercial-based Forensic Duplications

1. The most basic of all noncommercial forensic duplication tools is definitely dd which
stands for…
a. data dump
b. drive dump
c. data drive
d. digital dump

2. You want to make sure the BIOS is configured so that the computer will…
a. boot from a dvd
b. boot from your Linux operating system
c. boot from the evidence hard drive
d. boot from a flash drive

3. The command 'if' designates the…
a. if statement
b. independent file
c. conditional statement
d. input file

4. Which command is useful when encountering errors?
a. dd_recover
b. dd_rescue
c. dd_reverse
d. dd_record

5. Typically, we would copy the NED client onto a bootable CD-ROM environment which
would be loaded into _____ and booted.
a. a third computer on the same network
b. the forensic workstation
c. the suspect's computer
d. remote computer
                   F8 – Noncommercial-based Forensic Duplications

Key
1. The most basic of all noncommercial forensic duplication tools is definitely dd which
stands for…
a. data dump

2. You want to make sure the BIOS is configured so that the computer will…
b. boot from your Linux operating system

3. The command 'if' designates the…
d. input file

4. Which command is useful when encountering errors?
b. dd_rescue

5. Typically, we would copy the NED client onto a bootable CD-ROM environment which
would be loaded into _____ and booted.
c. the suspect's computer
                      F9 – Common Forensic Analysis Techniques

1. In order to recover deleted files, the recommended tool is TASK, later renamed to…
a. Encase
b. The Sleuth Kit
c. Undelete
d. Data Recovery

2. Both EnCase and FTK will recover deleted files…
a. automatically
b. by selecting undelete on menu
c. from the destination hard drive
d. only

3. Metadata can include which of the following?
a. disk size
b. registration keys
c. MD5 hashes
d. FAT/NTFS

4. A better way to ignore known files is to compare the _____ of every file in a forensic
duplication.
a. MAC times
b. file sizes
c. MD5 hashes
d. full file names

5. We can download _____ and save ourselves a lot of time in ignoring known files.
a. EnCase
b. Undelete
c. FTK
d. NIST's NSRL distribution
F9 – Common Forensic Analysis Techniques
Key

1. In order to recover deleted files, the recommended tool is TASK, later renamed to…
b. The Sleuth Kit

2. Both EnCase and FTK will recover deleted files…
a. automatically

3. Metadata can include which of the following?
c. MD5 hashes

4. A better way to ignore known files is to compare the _____ of every file in a forensic
duplication.
c. MD5 hashes

5. We can download _____ and save ourselves a lot of time in ignoring known files.
d. NIST's NSRL distribution
                      F10 – Web Browsing Activity Reconstruction

1 Internet explorer uses these three facilities where we can find evidence except ____.
a. system32
b. web browsing history
c. cookies
d. temp internet files

2 ____ was developed to examine the contents of Internet Explorer's cache files.
a. Pasco
b. Data Dump
c. Galleta
d. Fport

3 ____ examines cookies by parsing the information in Internet Explorer's cookie files
into a human readable format.
a. Pasco
b. Data Dump
c. Galleta
d. Fport

4 Encase utilizes a script referred to as a(n) ____ to parse the web browsing information
found in the evidence and present it to the investigator.
a. E-Script
b. Fport
c. dd
d. FTK

5 The cookies, History.IE5, and Content.IE5 folders contain a ____ file with forensic
evidence.
a. index.exe
b. index.dat
c. index.xls
d. index.txt




                      F10 – Web Browsing Activity Reconstruction
Key
1 Internet explorer uses these three facilities where we can find evidence except ____.
a. system32

2 ____ was developed to examine the contents of Internet Explorer's cache files.
a. Pasco

3 ____ examines cookies by parsing the information in Internet Explorer's cookie files
into a human readable format.
c. Galleta

4 Encase utilizes a script referred to as a(n) ____ to parse the web browsing information
found in the evidence and present it to the investigator.
a. E-Script

5 The cookies, History.IE5, and Content.IE5 folders contain a ____ file with forensic
evidence.
b. index.dat




                          F11 – Email Activity Reconstruction

1 Which commercial tool can be used for e-mail reconstruction?
a. Galleta
b. Undelete
c. FTK
d. Outlook

2 When creating a report with FTK during e-mail reconstruction, it will contain ____
versions of the e-mails.
a. HTML
b. EnCase
c. text
d. excel

3 Which file contains actual e-mail messages for Outlook Express?
a. Sent E-Mails
b. E-Mail DBX
c. TypedURLs
d. Folders DBX

4 ____ is a utility that decodes MIME file attachments in e-mails.
a. Regedit
b. Munpack
c. FTK
d. Eindeutig

5 This tool can be used to read Outlook Express e-mail repositories.
a. eindeutig
b. dd
c. Pasco
d. regedit




                          F11 – Email Activity Reconstruction

KEY
1 Which commercial tool can be used for e-mail reconstruction?
c. FTK

2 When creating a report with FTK during e-mail reconstruction, it will contain ____
versions of the e-mails.
a. HTML
3 Which file contains actual e-mail messages for Outlook Express?
b. E-Mail DBX

4 ____ is a utility that decodes MIME file attachments in e-mails.
b. Munpack

5 This tool can be used to read Outlook Express e-mail repositories.
a. eindeutig




                                 F12 – Windows Registry

1 Registry contains information such as which of the following?
a. MAC address
b. most visited websites
c. ip address
d. e-mails

2 Registry is often overlooked because the files are in proprietary format. In this case,
which tool can be used?
a. undelete
b. Back Track
c. FTK
d. dd

3 Which command can be used to locate the registry?
a. Fport
b. startx
c. cmd
d. regedit

4 Which keyword denotes a registry with documents that were recently viewed?
a. IIS
b. MRU
c. REC
d. EXE

5 Microsoft Windows records information of URLs typed into IE in a registry folder
called ____.
a. Typed URLs
b. Recent URLs
c. History.IE5
d. Temporary Internet Files




F12 – Windows Registry
Key

1 Registry contains information such as which of the following?
b. most visited websites

2 Registry is often overlooked because the files are in proprietary format. In this case,
which tool can be used?
c. FTK

3 Which command can be used to locate the registry?
d. regedit

4 Which keyword denotes a registry with documents that were recently viewed?
b. MRU
5 Microsoft Windows records information of URLs typed into IE in a registry folder
called ____.
a. Typed URLs




                         Computer Forensic Additional Notes
1 ____ is the method of modifying data so that it is meaningless and unreadable in its
current form.
a. decryption
b. obfuscation
c. steganography
d. encryption

2 ____ is the science of writing hidden messages in such a way that no one apart from the
sender and intended recipient even realizes there is a hidden message.
a. decryption
b. obfuscation
c. steganography
d. encryption

3 The following is used as forensic software except ____.
a. The Coroner's Toolkit
b. Outlook
c. ILook
d. Forensic Toolkit

4 ____ are devices that allow acquisition of information on a drive without creating the
possibility of accidentally damaging the drive contents
a. write blockers
b. hubs
c. IDE Converters
d. Firewire Cards

5 A ____ function is any well defined procedure or mathematical function for turning
some kind of data into a relatively small integer.
a. hash
b. metadata
c. encryption
d. decryption




                          Computer Forensic Additional Notes
Key
1 ____ is the method of modifying data so that it is meaningless and unreadable in its
current form.
d. encryption

2 ____ is the science of writing hidden messages in such a way that no one apart from the
sender and intended recipient even realizes there is a hidden message.
c. steganography

3 The following is used as forensic software except ____.
b. Outlook

4 ____ are devices that allow acquisition of information on a drive without creating the
possibility of accidentally damaging the drive contents
a. write blockers

5 A ____ function is any well defined procedure or mathematical function for turning
some kind of data into a relatively small integer.
a. hash
                                     Chapter 1
1.   When collecting data from a victim machine to determine the “who,” “how,” and
     possibly “why” of an incident, which is a viable source:
     a. Open TCP or UDP Ports
     b. Users Currently Logged On
     c. Open Files
     d. All the above
2.   An open rogue port usually denotes:
     a. The system date and time
     b. A backdoor running on the victim machine
     c. Volatile data
     d. Users currently logged on
3.   FPort does the following:
     a. Opens a backdoor
     b. Closes all ports
     c. Links open ports to executables that opened them
     d. Launches live response
4.   Group Policy information does not contain:
     a. Redirected folders and their details
     b. The last time policy was applied for both user and computer
     c. IIS logs
     d. Registry settings that were applied and their details
5.   Most attacks happen over port:
     a. 10
     b. 1
     c. 50
     d. 80
                             Chapter Computer Foundations
   1. Which is not a type of data organization?
      a. ASCII
      b. HDMI
      c. Unicode
      d. EBCDIC
   2. Little endian is read which way?
      a. Top to bottom
      b. Left to right
      c. Bottom to top
      d. Right to left
   3. Drives can be configured as which of the following:
      a. Servant
      b. Driver
      c. Master
      d. Dictator
   4. LBA addressing stands for:
      a. Logical block addressing
      b. Load balancing area
      c. Logic block authenticator
      d. Light battalion armor
   5. Which SCSI cables can be interchanged with Ultra 320?
      a. Ultra2 SCSI
      b. Fast SCSI
      c. Ultra 3 SCSI
      d. SCSI cables are not interchangeable



                                Chapter 2

1. The Live Response process for a Unix machine is____ to a Windows machine.
   A. Completely different
   B. Almost identical
   C. Exactly the same
   D. Unix has not released a version
2. Which of the following is a common password cracking program that attackers
   employ to learn users' passwords discussed in chapter 2?
   A. Jack the Ripper
   B. The Headless Horseman
   C. The Minotaur
   D. John the Ripper

3. When issuing the command uname -a you will receive what information?
   A. All the available operating system version information
   B. A review of all the loaded kernel modules
   C. A display of the mounted file systems
   D. A list of all the running processes on the system

4. A quick way to eliminate redundant data in the file system is to ____:
   A. Calculate and analyze the MD5 checksum
   B. Use a "Poor Man's FTP" using netcat
   C. Go to www.Facebook.com
   D. Do a search for “.kde”

5.   A hacker would search for a keyword such as datapipe with ____?
     A. $
     B. |
     C. \
     D. ?




                                     Chapter 3 & 4


     1. The acronym NBE stands for which of the following?
        A. Network-based exposure
        B. Network-based evidence
        C. Non-Biological Extraterrestrials
        D. None of the above
   2. What type of data is the easiest form of data to understand and manipulate?
      A. Full Content Data
      B. Statistical Data
      C. Session Data
      D. Alert Data

   3. Taps (also known as Test Access Ports) are placed ____.
      A. Between the firewall and router
      B. Between mirroring ports
      C. Between switches
      D. A and C

   4. When looking at alert data ____ is helpful when searching for something
      suspicious.
      A. Wireshark
      B. Snort
      C. Argus
      D. Netstat

   5. ARP is used to _____.
      A. Rebuild sessions of interest
      B. Resolve IP addresses to MAC addresses
      C. Get better retirement benefits
      D. Check for Common Vulnerabilities and Exposures (CVE)


                                   Chapter 6

1. All but which of the following is something that you would want to record in an
   Evidence Worksheet:
   A. Model
   B. Serial number
   C. Anti-static bags
   D. Jumper settings

2. What principle is paramount to any investigation and should not be overlooked?
   A. Documentation
   B. Notation
   C. Evidence
   D. Smoking Gun
3. Any time evidence changes hands, which form should be filled out?
   A. Agent Notes worksheet
   B. Evidence Worksheet
   C. Chain of Custody Form
   D. Evidence Access Log

4. Which of the following is recommended to have in a toolkit mentioned in the
   chapter?
   A. Swiss Army Knife
   B. Gerber Knife
   C. Pens
   D. HDMI cable

5. The following is unique information found on a hard drive that is recorded in the
   Evidence Worksheet:
   A. Calculus
   B. Trigonometry
   C. Algebra
   D. Geometry




                                         Chapter 7

       1. _____ is one of the most widely used forensic duplication and analysis
          software tools available today.
          A. Snort
          B. TechNet
          C. TraceFirst
          D. EnCase

       2. When you hot swap a drive, you ____ or _____ it from a running
          computer system without powering off the forensic workstation.
          A. Add ; delete
          B. Swap ; take
          C. Read; write
          D. Add; remove
       3. By default, EnCase will duplicate the media and create a series of _____
          files in a directory you specify.
          A. 56k
          B. 640 MB
          C. 32 GB
          D. 100 Mbps

       4. Laptop hard drive converters come in _____ to _____.
          A. 1.5” to 2.5”
          B. 5.5” to 7.5”
          C. 1.0” to 5.0”
          D. 2.5” to 3.5”

       5. A benefit when acquiring evidence using EnCase is that it allows us to
          preview and ______ the drive in a forensically sound manner.
          A. Analyze
          B. Send
          C. Corrupt
          D. Destroy


                                   Chapter 9

1. One limitation of The Coroner's Toolkit that the authors pointed out was its
   emphasis on recovering deleted files from a ___________, when in fact FAT32
   and NTFS are the file systems we investigate the most.

   A. Microsoft Windows file system
   B. Linux file system
   C. Unix file system
   D. Both B and C
2. Downloading and installing The Sleuth Kit is a relatively ________ task.

   A. Arduous
   B. Trivial
   C. Cumbersome
   D. Difficult
3. Commercial methods to undelete files are more _________ and will show you the
   logical and deleted files in one view.
   A. Time consuming
   B. Enabling
     C. Fee-based
     D. User-friendly

4.    A notable hash distribution is the National Software Reference Library provided
     by the National Institute of Standards and Technology. It can be obtained by
     _____ or ____?
     A. Downloaded freely
     B. Bought at the store
     C. Purchased as a subscription
     D. Both A and C

5. The process of looking for data when you know a portion of it is called?

     A.   String searching
     B.   Unicode searching
     C.   Microsoft office
     D.   File searching


                                  Chapter 10
1. At the time the book was written, __________ was the most popular Web browser
   utilized by the general computing population.
   A. Google Chrome
   B. Mozilla Firefox
   C. Opera
   D. Microsoft Internet Explorer

2. Which of the following is not a facility where we can find evidence to view Web
   browsing history?
   A. Temporary Internet Files
   B. Web browsing history
   C. Cookies
   D. GNU directory

3. Why are cookies necessary for browsing the internet?
   A. HTTP is a stateless protocol
   B. URI is a stateless protocol
   C. TCP/IP is a stateless protocol
   D. RFC is a stateless protocol

4. A cookie contains _____?
   A.   Unallocated space
   B.   FTK display
   C.   Expiration time
   D.   Executables

5. A REDR activity record contains ____ information than the URL or LEAK
   records.
   A. More
   B. The same
   C. Less
   D. None of the above

                                   Chapter 11

1. FTK will not recognize which of the following e-mail repository formats?
   A. Yahoo
   B. Earthlink
   C. Lotus Notes
   D. Outlook Express

2. How many types of DBX files are there?
   A. 1
   B. 2
   C. 3
   D. 4

3. The file _______ begins at the first byte of the Folders DBX file.
   A. Header
   B. Location
   C. Folder
   D. Signature

4. _______ and _______ tended to be the most utilized e-mail clients discovered
   during the author's investigations.
   A. Yahoo; Google
   B. Outlook ; Outlook Express
   C. Google; Outlook
   D. AOL; Google

5. The E-Mail DBX file format is very similar to the Folders DBX file format.
   Which of the following is not among the three main differences between the two?
   A.   The data entries contain different values.
   B.   The e-mail repository has a different file offset.
   C.   A new internal structure called an “email entry” is added to the file.
   D.   The file signature is slightly different.


                                     Chapter 12

1. When investigating Microsoft Windows systems, there are basically three
   different types of log files you can examine. Which of the following is not one of
   them?
   A. Windows Event Logging
   B. Application Logs
   C. The Microsoft Windows Registry
   D. All are used

2. By examining a few ______, we can determine some of the currently installed
   programs and programs that may have been installed in the past but have since
   been uninstalled.
   A. Applications
   B. Registry keys
   C. Registry viewer
   D. Event logs

3. There are currently ______ open source tools that can examine registry files
   directly.
   A. Plenty of
   B. Really expensive
   C. No available
   D. Scarcely any

4. MRU stands for _______?
   A. Most Redundantly Used
   B. Maximum Receive Unit
   C. Most Recently Used
   D. Malware Removal Unit

5. Installed programs usually contain a mechanism that will enable them to be
   _________.
   A. Run
   B. Uninstalled
       C. Copied
       D. Exported




Ayme Pena
                                     Chapters 2, 3 & 4
1. Lsof is the single most powerful tool in our live response toolkit for UNIX systems;
what does it stand for?
a) list software operating files
b) list open filters
c) list open files
d) list several open files

2) In Windows, an executable cannot be deleted while it is running in memory. What
locks the file so that it cannot be removed?
a) kernel
b) file system
c) operating system
d) none of the above

3) In Unix, an attacker can run a file, such as _________, and delete the original binary.
a) lsof
b) datapipe
c) mounted file
d) all of the above

Match each type of network-based evidence (4-7) with its analogy (a-d):
c____4) Full Content Data
b____5) Session Data
d____6) Alert Data
a____7) Statistical Data

a) Similar to the time of day of regular calls between subjects, their duration, etc.
b) Similar to recording one conversation between suspects
c) Similar to recording all conversations of suspects
d) Similar to a red light going off when a particular word is heard
8) What answers can session data provide?
a) Is the web server compromised?
b) Did the intruder visit other machines using the webserver?
c) Is the intruder present now?
d) How frequent are the visits?
e) all of the above
9) ____________ means running Snort against previously captured data.

a) batch mode
b) live mode
c) close mode
d) run mode

10) Snort's signature-matching can find patterns of ___________________.

a) daily activities
b) malicious activities
c) time activities
d) a and c only


Chapter 5

1. The portscan.log is a simple ____?
a) open port
b) file
c) text file
d) none of the above

2. Tcptrace first provides __________ on the _______ it sees. Next, it lists a record
number, followed by the source IP and port and the destination IP and port.
a) data:information
b) statistics:data
c) connection:networks
d) service:device

3. What is the command to exit from the FTP server?
a) exit
b) logoff
c) end
d) bye

4. If the command used by the intruder is mget knark*, what is he going to retrieve?
a) passwords
b) create a file with the name “knark”
c) files beginning with the word “knark”
d) that command is not recognized
5. What command shows the directory listings?
a) lo
b) la
c) ls
d) al


Chapter 6

1. Each piece of hardware must be documented with all of the following except?
a) Different color
b) Peripheral connections
c) Evidence tag number
d) Make/model

2. Your toolkit needs to have every type of computer hardware interface going back how
many years?
a) 2 years
b) Many
c) 6 months
d) Not applicable

3. Agent notes, evidence labels, chain of custody forms, and evidence custodian logs are all
part of which important category?
a) tags
b) labels
c) documents
d) printer

4. By whom is the evidence safe maintained?
a) evidence custodian
b) evidence register
c) evidence janitor
d) evidence computer



5. The evidence custodian keeps a log of:
a) Date, name, case number, time in, time out
b) Date, name, font
c) Date, case number, place
d) none of the above


Chapter 7
1. What is used by many law enforcement agencies and corporations around the world to
support civil/criminal investigations, network investigations, data compliance and
electronic discovery?
a) Northern
b) Windows Security
c) EnCase
d) FBI Security

2. EnCase enables you to acquire your evidence in a forensically sound manner, and
will compute a(n) ______ of it by default.
a) 64 bits
b) MD5 hash
c) SHA-1 hash
d) CS hash

3. Two important devices that do not come with the FireWire duplication kit by default are?
a) FireWire card and software
b) FireWire disk and laptop
c) FireWire card and hard drive converter
d) laptop and a plug

4. What is FTK?
a) Files Tool Kit
b) Fire wire Transport Kit
c) Forensic Tool Kit
d) None of the above

5. Why is it recommended not to put a password on your EnCase evidence file?
a) because you will secure your information
b) it's too many steps
c) if you forget it you are out of luck
d) it cannot be encrypted
Chapter 8

1. Data dump (dd) is the most basic of all ______.
a) commercial tools
b) noncommercial forensic duplication tools
c) commercial forensic duplication tools
d) all of the above

2. After Linux has finished booting, what do you want to see?
a) if the computer will restart
b) the color of the screen
c) Which device represents your suspect's hard drive
d) the device empty space
3. By running [root@localhost root]# md5sum -c md5sums.txt, you are trying to ____?
a) validate the evidence file
b) separate the memory
c) hack the computer
d) delete

4. The ______ indicates the number of blocks that are skipped from the input before the
copying begins.
a) time
b) date
c) refresh
d) skip

5. So that data left on the storage hard drive previously is not introduced into the
evidence, the first order of business is to ______?
a) buy a new hard drive
b) wash the hard drive
c) cleanse the evidence
d) unplug the hard drive




Chapter 9

1. When conducting _________ analysis, the first step is to recover deleted files.
a) research
b) forensic
c) process
d) security

2. In order to associate a file with a local loopback device such as /dev/loop0,
the _________ has to be altered?
a) memory
b) hard drive
c) device
d) kernel

3. Metadata includes ___________, file sizes, MAC times, MD5 hashes, and more.
a) full file names
b) brand
c) exact sizes
d) none of the above
4. What must you select from the menu bar to perform a keyword search with EnCase?
a) View->Words
b) View->Hidden words
c) View->Keywords
d) View->Menu bar

5. Keyword searching is a very important step for ________________________ and
___________________ throughout your evidence data set.
a) identifying relevant files : file fragments
b) finding time of data : file name
c) identifying images : relevant fragments
d) forensic analysis : security threats




Chapter 10

1. Which tool uses EnScript to parse the Web browsing information found in the
evidence and present it to the investigator?
a) FTK
b) IE History
c) EnScript
d) EnCase

2.C:\Documents and Settings\<<profilename>>\Cookies\ is an example of one of the
____________________________________?
a) profile names
b) main directory associated with web browsing history
c) web browsing history
d) documents and settings

3. Each cookie is saved as a small text file that contains?
a) variable names and values, time the cookie was downloaded
b) time the cookie expires, some information about its status
c) time the cookie was downloaded and time the cookie expires only
d) a and b

4. IE History can examine not only IE index.dat files but also __________________?
a) Microsoft Records
b) EnCase Solutions
c) Recycle Bin records
d) Main directory records

5. Pasco and Galleta are two tools, released within the past few years by
______________, that enable us to reconstruct Web browsing activity?
a) Keith J. Jones
b) Lewis's Web
c) Linux
d) Curtis W. Rose



F-12 Windows Registry
   1. What is the command to open the Windows Registry?
         a. Registry
         b. Edit
         c. RegEdit
         d. EditRegistry
   2. What is the Microsoft program used to modify which process is run at start-up?
         a. MSConfig
         b. Regedit
         c. MMS
         d. cmd
   3. Which are the three basic Windows event logs?
         a. System, Application, Security
         b. Audit, Application, Security
         c. Application, Security, Domain
         d. User events, System, Application
   4. Where are the Windows registry files kept?
         a. C:\windows\system32\config
         b. C:\Programs\Windows\config
         c. C:\Registry\logs\config
         d. C:\system32\registry\config
   5. What tools are normally available to examine windows registry files?
         a. Open source tools
         b. Encase, FTK, Windows Regedit
         c. Notepad
         d. Winword
F-13
   1.    What command is used in Linux to compile a C source program?
             a. Gcc
             b. Compile
             c. Bcc
             d. None of the above
   2.   What are self-contained programs that do not require any other file reference to run
        called?
             a. Static Executables
             b. Self Contained programs
             c. Stand alone program
             d. None of the above
   3.   What are executable programs that reference outside library files or code called?
             a. Dynamic Executables
             b. Dependent programs
             c. Referenced programs
             d. Data executables
   4.   The approach used to examine a file by actually executing the code/file is called?
             a. Static Analysis
             b. Exec Analysis
             c. Dynamic Analysis
             d. Runtime analysis
   5.   Which program allows a user in Linux to peer inside an executable as it executes?
             a. GNU Debugger
             b. MMC
             c. BB
              d. GCC Debugger

                             Question for Chapters F7, F8, F9
Chapter F7
        1. What is the file system used by MS Windows Vista or 7?
             a. FAT16
             b. FAT32
             c. NTFS
             d. EXT3
         2. What is the main advantage of NTFS over FAT?
             a. Encryption
             b. Access time
             c. Drive speed
        3. What file system is used by Linux?
             a. EXT3
             b. NTFS
             c. FAT32
            d. FAT16
       4. What is a drawback of FAT16?
            a. Restricted disk size.
            b. Slow speed
            c. Easily corruptible
      5. What is the Linux command to make a new file system?
            a) Mkfs
            b) Fdisk
            c) Mkdir
            d) Format

Chapter F8
   1. What is the fastest and most reliable drive type available?
         a. IDE
         b. SATA
          c. SCSI
         d. ATA
   2. What is the term for a chronological documentation of evidence?
         a. Chain of custody
         b. Evidence
         c. Evidence log
         d. Custody log
   3. What is the most modern form of boot device currently used in computers
      today?
         a. 5 ¼ Floppy disk
         b. 3 ½ Floppy disk
         c. USB boot drives
         d. CDROMS
   4. Computer forensics deals with which of the following:
         a. Virus software
         b. Spyware
         c. Legal evidence found in computer media
         d. Intellectual property
   5. What is the most important rule to remember in dealing with digital forensic evidence?
         a. Do not disturb the original disk image evidence
         b. Recover deleted files
         c. Access the information as fast as possible
         d. Discover digital evidence


Chapter F9
      1. What is the best digital investigation tool currently available commercially?
            a. Symantec
            b. EnCase
            c. Defrag
            d. Undelete
     2. EnCase is published by which company:
            a. Guidance Software
         b. Encase Software
         c. Microsoft
         d. Oracle
    3. What is the recommended way of obtaining a digital copy of an evidence disk?
         a. Bit by bit disk copy
         b. Copy Paste
         c. Logging into the computer in question.
    4. What is the extension for an EnCase media type?
         a. .exe
         b. .bat
         c. .enc
         d. .ewf
    5. What type of software is FTK?
         a. Virus program
         b. Disk copy program
         c. Scanning program
         d. Computer forensic tool kit




                      Real Digital Forensics chapter F2,F3,F4

1. What is the Linux or Unix system command to display a list of active internet
   connections:
    a. netstat -n
    b. Fport
    c. FTP
    d. ipconfig

2. Different drives in Linux or Unix often also have to be_____ to be accessed.
   a) Referenced
   b) Loaded
    c) Mounted
    d) Accessed

3. What is the best way to determine if a system file has been modified?
   a) Do a virus scan
   b) Run the ls command
    c) Run a checksum
    d) Try to run the file.

4. Where is the system log stored in Linux?
   a) /etc/bin/syslog.conf
    b) /etc/syslog.conf
    c) /windown32/system.log
    d) /bin/syslog.conf
5. Which system file in Linux/Unix contains a list of user accounts?
    a) /etc/passwd
    b) /etc/bin/passwd
    c) /windows/passwd
    d) It does not exist

6. Which type of equipment joins networks together?
      a. Hub
      b. Switch
        c. Router
        d. Access Point

7. What type of device is used to filter network traffic?
        a. Firewall
        b. A server
        c. Hub
        d. Switch

8. What is a standard packet capture program?
        a. TCPdump
        b. Fport
        c. Telnet
        d. Netstat



9. What is an appropriate alert data tool to collect network traffic?
        a. Snort
        b. SSH
        c. Netstat
        d. Telnet

10. In a standard intrusion scenario, when an intruder conducts probes against a target
    system it is called?
         a. Consolidation
         b. Exploitation
        c. Reconnaissance
        d. Pillage

11. What type of data gives you a general pattern of network traffic?
      a. Alert data
        b. Statistical data
        c. Total capture data
        d. Sample data
   12. What type of sample technique looks for particular patterns in the network traffic?
           a. Signature based alert data
          b. Statistical data
          c. Sample data
          d. Raw data
   13. The intercepting of network data directly from the network via a hardware device is
       known as?
          a. Exploit
           b. Tap
           c. Signature
           d. Sample
   14. The data that records all network activity that occurred during a specific period is known
       as?
           a. Raw data
           b. Full content data
           c. Sample data
           d. Alert data
   15. Gaining “root” privileges in a Linux/Unix system usually refers to the following?
           a. Gaining administrative level access
           b. Gaining access to the c: drive.
           c. Compromising a guest account
           d. Mounting a drive




1. Which of these elements is classified as volatile data?
       a. File timestamps
       b. Location of registry file
       c. Internal routing table
       d. System version and patch level

2. Which of the following is not a system event log?
       a. Security
       b. System
       c. Audit
       d. Application

3. Which command can be used to see the routing table?
       a. netstat
       b. regedit
       c. at
       d. psexecsvc
4. Which command line tool can help test file integrity?
       a. regedit
       b. md5sum
       c. netcat
       d. inspect

5. Which set of tools provides enhanced functionality for viewing volatile data in
Windows?
       a. IIS
       b. Policy Manager
       c. pstools
       d. Windows XP Service Pack 3
1. In Unix, which command is used to display a list of running processes

a. proc
b. PS
c. lp
d. ps -aux

2. What is required before a disk drive can be viewed in Unix?

a. open file explorer
b. mount the drive
c. refresh the device manager
d. connect the computer and restart the machine

3. Regarding Unix, which one of these statements is not true?

a. the netstat command can be used just like in Windows
b. The process list includes the name of the user that launched the process
c. Standard TCP ports are different in the Unix environment
d. The volatile and non-volatile types of data are the same as Windows


4. What is the purpose of the netcat utility?

a. To acquire non-volatile data
b. To obtain output without disturbing the victim computer in a live response
c. To detect trojans currently on the victim computer
d. A utility used to perform a network route inventory


5. What utility provides a list of open files?

a. ps
b. flist
c. fopen
d. lsof
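
The live-response questions above (volatile data, netstat and the routing table, ps, uname -a, lsof, the netcat "poor man's FTP", and the attacker who runs datapipe and then deletes the binary) outline the Unix collection procedure. The script below is an added worked example of that procedure; it is not code from the course text, from Real Digital Forensics, or from any tool named on this page. It assumes a trusted toolset mounted at /mnt/cdrom/bin (an assumed path), an output directory that stands in for the forensic workstation, and a constructed lsof sample line for the "(deleted)" check; every tool call is guarded so the script records a missing tool instead of failing on it.

```shell
#!/bin/sh
# Live-response collection of volatile data from a Unix host (added example).
# Assumptions: POSIX shell with md5sum and mktemp; TOOLS is the assumed mount
# point of the response CD whose binaries you vetted when you built it (the
# dependency check the labs did with Process Monitor); OUTDIR stands in for the
# forensic workstation. Nothing here is written to the suspect's own disk on a
# real case: OUTDIR is a share or a netcat pipe (see the last comment).
set -u

TOOLS="${TOOLS:-/mnt/cdrom/bin}"      # assumed path to the trusted toolset
OUTDIR="${OUTDIR:-$(mktemp -d)}"      # stand-in for the workstation
PATH="$TOOLS:$PATH"                   # trusted copies win every lookup; on a real
export PATH                           # case list only the CD's directories here

# Run one command and capture stdout+stderr to its own file. A host that lacks
# the tool gets a note in the file instead of a script failure.
collect() {   # $1 = output name, $2... = command and its arguments
    name=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUTDIR/$name.txt" 2>&1 || true
    else
        printf '%s: not available on this host\n' "$1" > "$OUTDIR/$name.txt"
    fi
}

# Order of volatility: what changes fastest is captured first. The chapter 1
# Windows list (date/time, logged-on users, open ports, open files) is the
# same list with different tool names.
collect_volatile() {
    collect date    date             # system clock, to reconcile later timestamps
    collect uname   uname -a         # OS, kernel release, architecture
    collect who     who              # users currently logged on
    collect sockets netstat -an      # open TCP/UDP ports and connections
    collect ss      ss -anp          # same data on hosts that dropped netstat
    collect route   netstat -rn      # routing table
    collect ps      ps -ef           # processes with the user that launched each
    collect lsof    lsof -n          # open files; unlinked running binaries appear here
    collect mounts  mount            # mounted file systems
}

# Seal the collection: hash every output file and lock the manifest, so a later
# edit to any of them (or to the manifest) is detectable with md5sum -c.
seal() {
    ( cd "$OUTDIR" && rm -f manifest.md5 && md5sum *.txt > manifest.md5 && chmod 444 manifest.md5 )
}
verify_seal() {
    ( cd "$OUTDIR" && md5sum -c manifest.md5 >/dev/null )
}

# The chapter 2/3 trick: the attacker runs a tool such as datapipe and deletes
# the binary. lsof still lists the mapping, tagged "(deleted)". Reads lsof
# output from stdin and prints "command pid path" for each such entry.
deleted_binaries() {
    awk '/\(deleted\)$/ { print $1, $2, $(NF-1) }'
}

collect_volatile
seal
verify_seal && echo "collected and sealed under $OUTDIR"
deleted_binaries < "$OUTDIR/lsof.txt"
# Off-box variant ("poor man's FTP"), with an assumed workstation address:
#   cat "$OUTDIR"/*.txt | nc 192.0.2.10 9999      (workstation: nc -l -p 9999 > case.txt)
```

Run it as root from the response media. Hash the manifest again on the workstation and record the value in the agent notes; that second hash is what later proves the collected output was not altered in transit.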
1. What is NBE?

a. NetBios Environment
b. Network-Based Evidence
c. Non-Breakable Execution
d. Network Bound E-mail

2. Which one of these is not a type of NBE?

a. Session Data
b. Alert Data
c. Application Data
d. Statistical Data

3. Which of these is not a method to intercept network traffic?

a. Multimeter
b. Taps
c. Hubs
d. Inline devices


4. What function does the Snort program perform?

a. performs a core dump
b. eavesdrop through the telephone system
c. perform statistical analysis
d. captures interesting network packets


5. Which event is a likely precursor to an attack?

a. server begins to power off without warning
b. a disgruntled employee was fired
c. a threatening email
d. a port scan
1. Which of these is not a factor in a Chain of Custody?

a. source individual
b. location
c. ethernet port number
d. transfer Date

2. Which is the most widely used commercial forensic software?

a. data dump
b. abadox
c. forensic toolkit
d. encase

3. What function does the fdisk command perform?

a. create a partition
b. duplicate a disk
c. mount a disk
d. show an enumerated list of external disks

4. What must be done immediately after performing a duplication?

a. compress the files to save space
b. change file permissions on the victim drive to read-only
c. perform an md5 hash on the files
d. disconnect drive and give it to the evidence custodian

5. Why is it important to lock writes to the source drive?

a. a single access or write will contaminate the evidence
b. it is a faster data transfer
c. the firewire device converter is relatively inexpensive
d. the victim can sue for property damage
1. What command is used to make a hard drive accessible in Unix?

a. fdisk
b. mount
c. load
d. ls

2. Which of these is not a step in duplicating a hard drive?

a. generate md5 hashes
b. make hash file read-only
c. use the dd command
d. open file on the source hard drive to make sure you are duplicating the correct
drive

3. What technique is key to reducing the file set?

a. delete all mp3 files if music files are not relevant to the case
b. delete c:\Windows folder since no user data is stored there
c. remove all files with irrelevant file extensions, such as DLL files
d. compare file hashes to remove known files, such as C:\Windows folder
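
The Chapter 8 questions above (dd, md5sum -c, the skip= operand), the Chapter 9 question on the NSRL hash set, the Chapter 2 question on eliminating redundant data by MD5, and questions 2 and 3 directly above (the steps of duplicating a drive and reducing the file set) describe one procedure: image, hash, verify, then discard known files. The script below is an added worked example of that procedure; it is not code from the course text, from Real Digital Forensics, or from any tool named on this page. The suspect drive, the "mounted" file tree and the known-hash list are constructed inside the script so it runs offline; on a real case SRC is a block device behind a write blocker and the known set comes from the NIST NSRL RDS. The paths, file names and the 512-byte block size are assumptions.

```shell
#!/bin/sh
# Forensic duplication and known-file elimination drill (added example).
# Assumes a POSIX shell with dd, md5sum, find, awk and mktemp. The "suspect
# drive", the file tree and the known-hash set are constructed below; on a real
# case SRC is e.g. /dev/sdb behind a write blocker and the set is the NSRL RDS.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/suspect.raw"      # stand-in for the evidence device
IMG="$WORK/suspect.dd"       # the bit-for-bit image
HASHES="$WORK/md5sums.txt"   # hash manifest, locked read-only once written

# Constructed 16-block "drive": a label in block 0, a tool name hidden in block 5.
make_suspect_drive() {
    dd if=/dev/zero of="$SRC" bs=512 count=16 2>/dev/null
    printf 'EVIDENCE-DRIVE-LABEL' | dd of="$SRC" bs=512 seek=0 conv=notrunc 2>/dev/null
    printf 'datapipe' | dd of="$SRC" bs=512 seek=5 conv=notrunc 2>/dev/null
}

# Step 1, acquire: copy every block, hash source and image together, then make
# the manifest read-only so that a later edit to it is itself a detectable change.
acquire() {
    dd if="$SRC" of="$IMG" bs=512 2>/dev/null
    md5sum "$SRC" "$IMG" > "$HASHES"
    chmod 444 "$HASHES"
}

# Step 2, verify: md5sum -c re-hashes each listed file; exit status 0 means all OK.
verify() {
    md5sum -c "$HASHES" >/dev/null
}

# One changed byte in a copy of the image must change its MD5 (the "single
# access or write contaminates the evidence" point behind write blocking).
tamper_detected() {
    cp "$IMG" "$WORK/altered.dd"
    printf 'X' | dd of="$WORK/altered.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    [ "$(md5sum "$IMG" | awk '{print $1}')" != "$(md5sum "$WORK/altered.dd" | awk '{print $1}')" ]
}

# Step 3, work from the image, never the original. skip=N passes over N input
# blocks before copying starts; count=1 then copies exactly one 512-byte block.
carve_block() {   # $1 = block number; prints the block's printable bytes
    dd if="$IMG" bs=512 skip="$1" count=1 2>/dev/null | tr -d '\000'
}

# Step 4, reduce the file set: hash every file under the mounted image and drop
# those whose MD5 is in the known-file set (one lowercase MD5 per line).
# Paths containing spaces would need a NUL-separated listing; kept simple here.
reduce_fileset() {   # $1 = directory tree, $2 = known-hash file; prints unknown files
    find "$1" -type f -exec md5sum {} + | awk -v known="$2" '
        BEGIN { while ((getline h < known) > 0) seen[tolower(h)] = 1 }
        !(tolower($1) in seen) { print $2 }' | sort
}

# Constructed "mounted image" tree and a two-entry known set. The two hashes are
# MD5("hello\n") and MD5 of the empty file; a real set is the NSRL RDS download.
make_fileset() {
    mkdir -p "$WORK/mnt/Windows" "$WORK/mnt/Users/suspect"
    printf 'hello\n'    > "$WORK/mnt/Windows/notepad.exe"    # known (b1946ac9...)
    : > "$WORK/mnt/Windows/empty.dll"                        # known (d41d8cd9...)
    printf 'datapipe'   > "$WORK/mnt/Users/suspect/dp.exe"   # not in the set
    printf 'my notes\n' > "$WORK/mnt/Users/suspect/notes.txt" # not in the set
    printf '%s\n' b1946ac92492d2347c6235b4d2611184 \
                  d41d8cd98f00b204e9800998ecf8427e > "$WORK/known.md5"
}

make_suspect_drive
acquire
verify && echo "image verified against $HASHES"
tamper_detected && echo "tampered copy detected"
echo "block 5 holds: $(carve_block 5)"
make_fileset
echo "files left to examine after known-file elimination:"
reduce_fileset "$WORK/mnt" "$WORK/known.md5"
```

The manifest records MD5 because that is what the course tools use; a current workup records SHA-256 alongside it, since MD5 collisions are practical and a hash you cannot defend in court is not much of an integrity control. Rerun verify against the manifest every time the image changes hands, and note the result on the chain of custody form.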

4. Commercial forensic solutions recover deleted files automatically

a. true
b. false

5. Which of these is not non-commercial forensic software?

a. DCFLDD
b. dd
c. encase
d. NED
1. Which Windows program can be used to examine the registry?

a. regedit
b. openreg
c. registry express
d. windows explorer


2. What type of information is not kept in the registry?

a. Installed applications
b. MRU
c. Cookies
d. Windows configuration settings

3. Which technique is used to make data unreadable (gibberish) but is not considered a
serious form of encryption?

a. masking
b. file defragmentation
c. hidden files
d. obfuscation

4. Which hardware device is sometimes required for software to function normally?

a. keyboard
b. printer
c. modem
d. dongle

5. A computer forensic investigator should assume that any unknown code is hostile.

a. true
b. false


6. Which one of these is not a method used to calculate a hash value?

a. RCA
b. SHA-256
c. MD5
d. SHA-512

7. Data cannot be recovered from a hard drive after the user has deleted all the files
a. true
b. false

8. What device can be used to avoid disturbing the data on a suspect drive when
accessing it?

a. Write blocker
b. dongle
c. MTU
d. Just set all the file to read-only.



9. Data can be hidden in the spaces between files

a. true
b. false


10. What is the default file system used in Windows XP?

a. UFS
b. FAT32
c. FAT16
d. NTFS




    1. Under which directory are Microsoft Windows Registry files found?
          a. C:\Windows\system32\config
          b. C:\Program Files\system32\config
          c. C:\Windows\system42\bin
          d. C:\Registry Files\system32\config
    2. _________ forensics is forensics applied to information stored or transported on
       computers
          a. System
          b. File
          c. Computer
          d. Hard Drive
    3. What are the two ways encrypting data could guard the data?
          a. Protect Data and Prove Integrity
          b. Lock and Key
          c. Data Integrity and Prove Data
          d. Passwords and Authentication
   4. _______ is some method of modifying data so that it is meaningless and unreadable in
        its encrypted form.
            a. Encryption
            b. Decryption
            c. Bicryption
            d. Monocryption
   5. A _____ function is any well-defined procedure or mathematical function for turning
       some kind of data into a relatively small integer.
            a. Mash
            b. Hash
            c. Linear
            d. Quadratic
   6. What does SHA stand for?
            a. System Hit Algorithm
            b. Secure Hash Algorithm
            c. Science History Agency
            d. Secure Hail Algorithm
   7. Use a __________device to prevent accidentally writing to the suspect media.
            a. System
            b. File
            c. Read-Blocking
            d. Write-blocking
   8. The _____ algorithm takes as input a message of arbitrary length and produces as
       output a 128-bit fingerprint of the input.
            a. MD8
            b. MD5
            c. MD6
            d. MD7
   9. It is important that an _____ is made of the hard drive and not a copy or a backup.
            a. Icon
            b. File
            c. Picture
            d. Image
    10. Which is NOT a name for the returned value of a hash function?
            a. Hash values
            b. Hash codes
            c. Hashish
            d. Hashesh




Moises Flores Jr
CSCI 6318
Dr. John Abraham
                               Chapter 6 Questions
     1. Which of the following is an essential tool when conducting forensic
        duplication?
           a. Hammer
           b. Digital Camera
           c. Cell Phone
           d. Pager

     2. __________ is paramount when conducting a forensic investigation.
            a.   Storing hardware and software.
            b.   Ensuring data is backed up.
            c.   Documentation of evidence worksheets, system worksheets, agent
                 notes, evidence labels, etc.
            d.   Keeping time of the work you put in to the investigation.

     3. Which of the following IS NOT contained on the evidence labels?
          a. Type of data retrieved.
          b. Case Number.
          c. Evidence Tag Number.
          d. Contents.

     4. On the Evidence Custodian Log, what information is contained?
           a. Date, Name, Information, Time in, Time out.
           b. Date, Name, Case Number, Time in, Time out.
           c. Date, Name, Computer Number, Time in, Time out.
           d. None of the above.

     5. On the Chain of Custody Form, what information is contained?
           a. Source individual, Source location, Destination individual, Destination
               location, Transfer date.
           b. Source individual, Source description, Destination individual,
               Destination location, Transfer date.
           c. Source information, Source address, Destination individual, Destination
               location, Transfer date.
           d. None of the above.


                                Chapter 7 Questions
1. The duplication device contains a number of components that must be assembled
   correctly to successfully acquire your evidence. Which of the following IS NOT
   one of those components?
       a. A read-only Firewire-to-IDE module.
       b. A read-write Firewire-to-IDE module.
       c. Firewire cables.
       d. Duplication cables.

2. When acquiring a forensic duplication, which of the following programs can be
   used to assist you in this process?
      a. EnChase.
      b. Ncase
      c. E-case
      d. EnCase.

     3. It is highly recommended to use __________ controls for evidence access rather
        than a software solution.
        a. Active.
        b. Hardware.
        c. Physical.
        d. Password.

 4. FTK can acquire the forensic duplication in three different formats. What are
    they?
       a. EnChase Information Files, Raw Disk Image, SMART Format.
       b. EnCase Evidence Files, Row Disk Image, SMART Format.
       c. EnCase Evidence Files, Raw Disk Image, SMART Format.
       d. EnCase Evidence Files, Raw Disk Image, SNORT Format.

 5. To acquire a forensic duplication with FTK, you must open the FTK __________.
      a. Instant program.
      b. Initiation program.
      c. Imager program.
      d. Imaging program.




                                     Chapter 8 Questions
 1. The most basic of all noncommercial forensic duplication tools is definitely
    __________.
       a.   Desk dump
       b.   Data dunk
       c.   Date dump
       d.   Data dump

 2. What does if= stand for in the dd command?
     a. Inter file
     b. Inner file
     c. Input file
     d. In file

 3. After booting into Linux, the dmesg command displays four drives. What are
    they?
        a. Suspect's hard drive, OS drive, Speed drive, CD-ROM drive.
        b. Suspect's hard drive, OS drive, Separate drive, CD-ROM drive.
        c. Suspect's hard drive, OS drive, Storage drive, CD-ROM drive.
        d. Suspect's hard drive, OS drive, Storage drive, CD-RMO drive.

 4. When creating an evidence hard drive, what is the first thing one should do?
      a. Delete the evidence hard drive so that data left on the storage hard drive
          previously is not introduced into the evidence.
      b. Detect the evidence in the hard drive so that data left on the storage hard
          drive is introduced into the evidence.
      c. Cleanse the evidence hard drive so that data left on the storage hard drive
          previously is not introduced into the evidence.
      d. None of the above.

 5. The __________ is a variation of the standard dd that provides functionality for
    greater authentication using a built-in MD5 hashing algorithm.
       a. DCFLLD
       b. DCFLDD
       c. DDFLCD
       d. DDFLDD




                            Chapter 9 Questions
1. When conducting forensic analysis, what is the first step you want to take?
          a.   Delete files.
          b.   Undelete files.
          c.   Recover files.
          d.   Take pictures.

   2. The             is altered so that you can associate a file (the forensic duplication)
      with a local loopback device such as /dev/loop0.
         a. Operating system.
         b. Memory.
         c. Kernel.
         d. Shell.

   3. The first step to recover deleted files is to load our evidence into __________.
         a. Hard drive.
         b. USB.
         c. EnCase.
         d. Forensic Work Station.

   4. What is one of the advantages of using open source tools to undelete files?
        a. It is easier to use than commercial alternatives.
        b. No licensing fees associated.
        c. It retrieves more undeleted files than commercial solutions.
        d. None of the above.

   5. What does Metadata include?
        a. Full file names, file sizes, MAC times, MD5 hashes.
        b. Full user names, file names, MAC dates, MD 5 hashes.
        c. Full file names, file sizes, MAC size, MD 5 hashes.
        d. None of the above.




                                                                   Created By: Jerry Garza
                                                                             Dr. Abraham
                                                                               CSCI 6318

Chapter 2 - Questions - Key
1. What are the system logs in Unix called?
        A. Events
        B. System
        C. SysLog
        D. Event Viewer
2. What command will give you the version and patch level in Unix?
        A. user
        B. netcat -stat
        C. uname -a
        D. print -system
3. What is the unique mathematical fingerprint of a file called?
        A. fingerprints
        B. MD5 Checksum
        C. encryption
        D. file properties
4. What command will show the current network connections?
        A. netcat -list
        B. net show ports
        C. net
        D. netstat -an
5. In the address 102.60.21.3:1827, what is 1827?
        A. The Number of connections being made.
        B. The user ID
        C. The port number
        D. IP address



Chapter 3 & 4 - Questions - KEY

1. Capturing data when a rule or signature is met is called
        A. Session Data
        B. Alert Data
        C. Full Content Data
        D. Statistical Data
2. Capturing all the data of a network connection is called
        A. Session Data
        B. Alert Data
        C. Full Content Data
        D. Statistical Data
3. This device will repeat all traffic from a port to all the other ports on the device
        A. Switch
        B. Tap
        C. Hub
        D. Inline Device
4. An application that can capture network data and run as an IDS is
      A. argus
      B. tcpdump
      C. snort
      D. fport
5. What command will capture data on Linux and dump it to a file?
      A. fport
      B. argus
      C. tcpdump
      D. netstat

Chapter 10 - Questions

1. An open source Cookie Investigation Tool
        A. FTK
        B. Galleta
        C. Pasco
        D. Encase
2. Digital forensic evidence from Internet Explorer can be found in all of the following
EXCEPT
        A. Web browsing history
        B. Temporary Internet Files
        C. Cookies
        D. Local User Settings
3. An open source tool to reconstruct web browsing
        A. Pasco
        B. FTK
        C. Galleta
        D. Encase
4. In order to rebuild web history, commercial and open source tools look at what
Internet Explorer File
        A. index.html
        B. history.dat
        C. index.dat
        D. ie.dat
5. The following are valid types for an activity record in Internet Explorer's history
EXCEPT:
        A. LEAK
        B. REDR
        C. URL
        D. COOKIE

1. The aim of an information management strategy is to:

A. gain value from information resources.
B. assign appropriate responsibilities for information resources.
C. protect information resources.
D. improve the quality of information resources.
E. none of the above.

2.   An information policy is typically aimed at improving:
A.   opportunities from better usage of information.
B.   a culture of knowledge sharing.
C.   openness of communications within an organization.
D.   the utilization of data storage on servers.
E.   errors from poor quality information.

3. The Information Technology School of information management of Marchand et al.
   (2002) has focus on:
A. managing the information lifecycle for different types of information.
B. improving people's information usage, behaviors and values.
C. none of the above.
D. selecting appropriate technology to support decision making.
E. using information to manage people and link their performance to business
   performance.

4. The Management Control School of information management of Marchand et al.
   (2002) has focus on:
A. selecting appropriate technology to support decision making.
B. improving people's information usage, behaviors and values.
C. managing the information lifecycle for different types of information.
D. none of the above.
E. using information to manage people and link their performance to business
   performance.

5. The Behaviour and Control School of information management of Marchand et al.
   (2002) has focus on:
A. none of the above.
B. selecting appropriate technology to support decision making.
C. using information to manage people and link their performance to business
   performance.
D. improving people's information usage, behaviors and values.
E. managing the information lifecycle for different types of information.

6. The Information Management School of information management of Marchand et
   al. (2002) has focus on:
A. none of the above.
B. improving people's information usage, behaviors and values.
C. using information to manage people and link their performance to business
   performance.
D. selecting appropriate technology to support decision making.
E. managing the information lifecycle for different types of information.

7. Information management strategy development starts with:
A. defining responsibilities.
B. reviewing current information resource characteristics and usage (an information
   audit).
C. putting in place security control.
D. setting objectives.
E. none of the above.

8.   Responsibilities for information management need to be defined at this level.
A.   Board level.
B.   None of the above.
C.   User-level.
D.   Middle manager level.
E.   Partner-level.

9. The Hawley Committee recommendation that dealt with information security was:
A. the identification of information assets...
B. none of the above.
C. the protection of information from theft, loss, unauthorized access and abuse...
D. the harnessing of information assets and their proper use for maximum benefit of
   the organization...
E. the proper use of information with applicable legal, regulatory, operational and
   ethical standards...

10. The Hawley Committee recommendation that dealt with information auditing was:
A. the harnessing of information assets and their proper use for maximum benefit of
    the organization...
B. the identification of information assets...
C. none of the above.
D. the protection of information from theft, loss, unauthorized access and abuse...
E. the proper use of information with applicable legal, regulatory, operational and
    ethical standards...



CSCI6318
03/28/2010
Liang Ding

Lecture 1: Live Incident Response
1. Which option is not included in Volatile Data?
A.   The System Date and Time
B.   Which Executables Are Opening TCP or UDP Ports
C.   A History of Logins
D.   Open Files

2.   Which symbol can we use to write information printed on screen to a file?
A.   ^
B.   <<
C.   &
D.   >

3.   Which command do we use to get information about Scheduled Jobs?
A.   at
B.   Pslist
C.   Fport
D.   Date

4.   Which option is not included in Nonvolatile Data?
A.   File System Time and Data Stamps
B.   Registry Data
C.   IIS Logs
D.   Cached NetBIOS Name Table

5.   Which command in our book do we use to get File System Time and Date Stamps?
A.   dir
B.   find
C.   psinfo
D.   time




Lecture 2: Computer Foundations
1. Which of the following does not belong to data organization?
A. Hexadecimal
B. Decimal
C. Binary
D. byte

2. Numbers are stored and transmitted inside a computer in
A.   binary form
B.   ASCII code form
C.   decimal form
D.   alphanumeric form

3.   A computer knows the layout of data through _____?
A.   Data Organization
B.   Data Recovery
C.   Data Structure
D.   Data Analysis

4.   A byte corresponds to _____.
A.   4 bit
B.   8 bit
C.   16 bit
D.   32 bit

5. Which are two ways to access ATA hard drives?
A. Through BIOS
B. Indirect Access
C. Through Datalink
D. Direct Access
Lecture1 Answers:
1. C
2. D
3. A
4. D
5. B


Lecture2 Answers:
1. D
2. A
3. C
4. B
5. AD

Lecture 3: Unix Live Incident Response

1. Which option is not included in Volatile Data for Unix?
A. The System Date and Time
B. Which Executables Are Opening TCP or UDP Ports
C. A History of Logins
D. Open Files

2. Which command in our book do we use to get current network connections for
   Unix?
A. netstat
B. date
C. ps
D. dir

3.   Which command do we use to get information about a history of logins for Unix?
A.   at
B.   Pslist
C.   last
D.   Date

4.   Which option is not included in Nonvolatile Data for Unix?
A.   System version and patch level
B.   File system time and date stamps
C.   A history of logins
D.   Mounted File systems

5. Which command in our book do we use to get information of mounted file systems
   for Unix?
A. df
B. find
C. psinfo
D. time




Lecture 4&5: Collecting Network-Based Evidence & Analyzing Network-Based
Evidence for a Windows Intrusion

6.      Which are included in Network-Based Evidence?
A.      Full content data
B.      Session data
C.      Alert data
D.      Statistical data
E.      All of above
7.     Which are included in a standard intrusion scenario?
A.     Reconnaissance
B.     Exploitation
C.     Reinforcement
D.     All of above

8.    Network security specialists use four main ways to access network traffic. These
methods include:
A.    Hubs
B.    Taps
C.    Inline devices
D.    Switch SPAN ports
E.    All of above

9.     Which description is for Full Content Data?
A.     Consists of the actual packets, typically including headers and application
information.
B.     Shows aggregations of packets into “flows” or groups of associated packets.
C. Created by network IDSs, when the IDSs see traffic that matches its signature or rule
    base, it informs the administrator via an alert reported to a database, console, or e-
    mail.
D. For stepping back and looking at the big picture, provides perspective.

10.    Which description is for Alert Data?
A.     Consists of the actual packets, typically including headers and application
information.
B.     Shows aggregations of packets into “flows” or groups of associated packets.
C. Created by network IDSs, when the IDSs see traffic that matches its signature or rule
    base, it informs the administrator via an alert reported to a database, console, or e-
    mail.
D. For stepping back and looking at the big picture, provides perspective.



Answer:
   1. C
   2. A
   3. C
   4. B
   5. A
   6. E
   7. D
   8. E
   9. A
   10. C
CSCI6318
04/15/2010
Liang Ding

Chapter 6 & 7:

1.   Which tools are needed for forensic duplications?
A.   Digital camera
B.   Screwdriver with several sizes and types of bits
C.   Flashlight
D.   Dremel tool
E.   All of above

2.   Which documentation do we need for forensic duplications?
A.   Evidence Worksheets
B.   System Worksheets
C.   Agent Notes
D.   Evidence Labels
E.   All of above

3.   What is the purpose of evidence tape in forensic duplications?
A.   Cut a cable tie in the suspect's computer to acquire a duplication
B.   Connect the suspect's media to your forensic
C.   Show tampering if you store your evidence in a standard business envelope
D.   Modify a boot disk

4.   What is the purpose of blank floppies in forensic duplications?
A.   Cut a cable tie in the suspect's computer to acquire a duplication
B.   Connect the suspect's media to your forensic
C.   Show tampering if you store your evidence in a standard business envelope
D.   Modify a boot disk

5.   Which is the commercial software we use to accomplish a forensic duplication? It is
     one of the most widely used forensic duplication and analysis software tools
     available today.
A.   FTK
B.   EnCase
C.   DD
D.   DCFLDD

Chapter 8: Noncommercial-Based Forensic Duplications

6.   Commercial software for forensic duplication includes ______
A.   FTK
B.   EnCase
C.   DD
D.   All of above
E.   Both A and B

7.   Which is the most basic of all noncommercial forensic duplication tools?
A.   NED
B.   FTK
C.   EnCase
D.   DD

8.   The ______ is a variation of the standard dd that provides functionality for greater
     authentication using a built-in MD5 hashing algorithm.
A.   NED
B.   DCFLDD
C.   FTK
D.   EnCase

9.   Which is the newest open source forensics tool that runs in a Linux environment?
A.   NED
B.   FTK
C.   EnCase
D.   DD

10.  Noncommercial software for forensic duplication includes _________
A.   DD
B.   DCFLDD
C.   NED
D.   All of above

Answer:
   1 E
   2 E
   3 C
   4 D
   5 B
   6 E
   7 D
   8 B
   9 A
   10 D

CSCI6318
04/22/2010
Liang Ding

Chapter 9: Common forensic analysis techniques

1.   Before analysis, we should make sure that the forensic duplication is ________.
A.   Read and write
B.   Write only
C.   Read only
D.   Hidden

2.   Which is the most notable forensic tool in the open source movement for recovering
     deleted files?
A.   The Coroner's Toolkit
B.   EnCase
C.   JBRWWW
D.   FTK

3.   After we finish the forensic duplication and recover files, we should ______.
A.   Load evidence
B.   Acquire the metadata from all files that exist in the evidence
C.   Create new image
D.   Create MD5 hashes for the files

4.   What is the best way to ignore known files?
A.   Delete known files first
B.   Mark the known files
C.   Copy the known files onto another hard drive
D.   Compare the MD5 hashes of every file in a forensic duplication with a known set of
     hashes and ignore any matches

5.   If you do not know what you will find on the subject's hard drive, but you know the
     specifics of a case, what should you do?
A.   Perform a search across the whole hard drive and detect files or file fragments that
     contain the information you are looking for
B.   Determine the file signatures
C.   Remove known files
D.   Forensic duplication




Chapter 10: Web Browsing Activity Reconstruction

6.   IE utilizes ______ facilities where we can find evidence:
A.   Web browsing history
B.   Cookies
C.   Temporary Internet Files
D.   All of above

7.   Which is a commercial tool to parse the Web browsing information found in the
     evidence and present it to the investigator?
A.   NED
B.   FTK
C.   EnCase
D.   DD

8.   Pasco examines ______ files and how they were populated when a suspect
     browses the internet.
A.   index.html
B.   index.sys
C.   index.dat
D.   index.zip

9.   Which tool translates the information inside an IE cookie file into something
     a human can understand?
A.   Pasco
B.   FTK
C.   EnCase
D.   Galleta

10.  Cookie files are stored on the _____.
A.   Remote computer
B.   Server
C.   Native computer
D.   Switch

Answer: 1. C  2. A  3. B  4. D  5. A  6. D  7. C  8. C  9. D  10. C

1.-When using the Nikto web server scanning tool, status code ______________ means that
the access was successful.
A) 400
B) 300
D) 200
E) 800
2.-Web server activity logs are automatically saved in ____________.
A) Winnt\System32\Savedfiles
B) Winnt\System32\Logfiles
C) Winnt\Webservices\logfiles
D) Winnt\System32\Recentactivity
3.-A utility named _________________ is used to transmit encrypted data to the forensic
workstation.
A) Netcat
B) Cryptcat
C) MD5
D) FPort
4.-_________ is a utility that lists open ports and the executables that opened them.
A) Netcat
B) Cryptcat
C) MD5
D) FPort
5.-_________ is an application that lists the process table, in order to know what processes
the attacker executed.
A) PsExec
B) PsTools
C) PsList
D) Netstat




1.-______________ refers to collecting every electronic element of a data connection.
A) Session data
B) Statistical data
D) Full content data
E) Alert data
2.-____________ is data that shows predefined items of interest (e.g. a red light flashes
each time the word "shipment" is detected).
A) Alert data
B) Full content data
C) Session data
D) Statistical data
3.-_________________ is the last step in a standard intrusion scenario. It could involve
stealing information or damaging a computer.
A) Reconnaissance
B) Session end
C) Reinforcement
D) Pillage
4.-_________ is a tool used to split a file into smaller files.
A) Netcat
B) Cryptcat
C) MD5
D) Tcpslice
5.-In order to identify the most active hosts on a network, the analyst should use
____________.
A) Session data
B) Full content data
C) Statistical data
D) Local data




1.-______________ network security monitoring is used when the attack has already
happened.
A) Threat response
B) Reactive NSM
D) Proactive NBE
E) Resulting NSM
2.-____________ is a Java program that reads information from a MySQL database and
produces a 3-D map of network traffic.
A) scanmap3d
B) Tcpdump
C) 3-D visualizer
D) IDS
3.-In a Linux environment, if an administrator wants to check whether a kernel module has
been trojaned, he must use the ________ command to review all the loaded kernel
modules.
A) lsmod
B) Cryptcat
C) MD5
D) FPort
4.-_________ network security monitoring is used to prevent attacks.
A) Proactive NSM
B) Cryptcat
C) Reactive NBE
D) FPort
5.-___________ is the protocol Microsoft uses to share files, printers and serial ports, and
also to communicate between computers.
A) Active Directory
B) Sharepoint Services
C) Server Message Block
D) System Services


Prepared by: Edgar Garcia
1.-In a standard intrusion scenario, _________ refers to the preliminary examination before
an attack happens, checking for vulnerable versions of software.
A) Pillage
B) Reconnaissance
D) Consolidation
E) Reinforcement
2.-Full content data, _________, alert data and statistical data are the four main types of data
collected as network-based evidence.
A) Session data
B) Log data
C) System data
D) History data
3.-_________ is the most useful tool to analyze full content data on a packet-level basis.
A) lsmod
B) Ethereal
C) MD5
D) FPort
4.-_________ is the best open source tool for network intrusion detection.
A) Proactive NSM
B) Ethereal
C) Snort
D) Tcpview
5.-In a standard intrusion scenario, _________ refers to downloading attack tools and
attempting to elevate privileges at the target, perhaps using a backdoor.
A) Pillage
B) Privilege escalation
C) Consolidation
D) Reinforcement


Prepared by: Edgar Garcia




1.-When handling evidence, the first task is to document ________.
A) Agent Notes
B) Chain of custody forms
D) Evidence Worksheets
E) Evidence Access Logs
2.-____________ is a form used to document any time the evidence changes hands.
A) Agent Notes
B) Evidence Worksheet
C) Chain of Custody Forms
D) System Worksheets
3.-_________________ is the log that contains information about new evidence submission,
old evidence disposition, and any evidence auditing.
A) Evidence Custodian Log
B) Evidence Access Log
C) System Logs
D) Chain of Custody Forms
4.-_________ is a worksheet kept next to the evidence safe; it is used when an individual
desires access to evidence in the safe.
A) Evidence Custodian Log
B) Cryptcat
C) Evidence Access Logs
D) Safe Access Logs
5.-When documenting the specifics of a hard drive, one worksheet is used for each
unique ______. They usually start at one and increase by one for each unique piece of
evidence.
A) Geometry
B) Serial Number
C) Capacity
D) Evidence Tag




1.-__________ is the most widely used commercial-based forensic duplication software
tool.
A) Undelete
B) Partition Recover
D) Encase
E) System Restore
2.-When acquiring a forensic duplication, the evidence hard drive should be connected
using ______________.
A) Standard SATA Cable
B) Standard IDE Cable
C) read-only Firewire-to-IDE module
D) read-write Firewire-to-IDE module
3.-Duplicating more than one drive at a time simply requires _________________.
A) Purchasing an additional read-only Firewire-to-IDE module
B) Purchasing an extra computer
C) It can't be done
D) Purchasing a server
4.-Forensic Tool Kit (FTK) can acquire the forensic duplication in the following
formats: _________.
A) EXE, COM and DOC files
B) PPT, XLS, TXT files
C) E01, dd, SMART format
D) IDS, IPS, PSD files
5.-When acquiring a forensic duplication, the storage drive (the drive on which the
duplication will be stored) should be connected using ______________.
A) Standard SATA Cable
B) Standard IDE Cable
C) read-only Firewire-to-IDE module
D) read-write Firewire-to-IDE module




1.-________ is a variation of dd and can traverse a hard drive forward or backward.
A) dd_forward
B) dd_backward
D) dd_rescue
E) Encase
2.-When using dd, if= is used to ____________.
A) Specify the output file
B) Specify the network name
C) Specify the input file
D) Is not used in dd
3.-_________________ is an evidence duplicator, originally named ODESSA. It operates
using a client and server model.
A) NED
B) Cryptcat
C) dd
D) Netcat
4.-_________ is a variation of dd. It provides functionality for greater authentication
using a built-in MD5 hashing algorithm.
A) NED
B) Cryptcat
C) DCFLDD
D) Netcat
5.-When using dd, of= is used to ____________.
A) Specify the output file
B) Specify the network name
C) Specify the input file
D) Is not used in dd
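The dd procedure these questions cover (cleanse the storage drive first, image with if=/of=, then verify with an MD5 hash the way dcfldd builds it in), carried through end to end as an added example; it is not from the course notes or from any of the books the questions draw on. The suspect drive and the storage drive are constructed temp files, so it runs as an unprivileged user without a write-blocker; the paths, sizes and block counts are assumptions.

```shell
#!/bin/sh
# Added example, not from the course notes: forensic duplication with dd
# followed by hash verification. Both "drives" are constructed files under a
# temp dir so this runs offline without root; in the field if= would be a
# block device (e.g. /dev/sdb) sitting behind a hardware write-blocker.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUSPECT="$WORK/suspect.raw"     # stands in for the suspect's drive
STORAGE="$WORK/storage.raw"     # stands in for the evidence/storage drive

# Constructed sample: 1 MiB of random bytes as the suspect's drive.
make_suspect_drive() {
    dd if=/dev/urandom of="$SUSPECT" bs=4096 count=256 2>/dev/null
}

# Cleanse the storage drive first (Chapter 8, Q4) so data left over from a
# previous case cannot be mistaken for evidence, then prove it is all zeros.
cleanse_storage() {
    dd if=/dev/zero of="$STORAGE" bs=4096 count=256 2>/dev/null
    nonzero=$(tr -d '\000' < "$STORAGE" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Hash a file and print only the digest. MD5 is what the course tools use;
# pairing it with sha256sum is the current practice, since MD5 collisions exist.
hash_file() {
    md5sum "$1" | cut -d' ' -f1
}

# Image the source with dd. conv=noerror,sync keeps reading past bad sectors
# and zero-pads them, so offsets in the image still line up with the source.
image_drive() {
    dd if="$SUSPECT" of="$STORAGE" bs=4096 conv=noerror,sync 2>/dev/null
    # dcfldd (Chapter 8, Q5) does the same copy and hashes while it reads:
    #   dcfldd if="$SUSPECT" of="$STORAGE" bs=4096 hash=md5 hashlog="$WORK/hash.log"
}

# Whole procedure: hash the source, image it, hash the image, compare.
# Prints MATCH (exit 0) or MISMATCH (exit 1); both digests belong on the
# evidence worksheet next to the drive's evidence tag number.
duplicate_and_verify() {
    make_suspect_drive
    cleanse_storage
    src=$(hash_file "$SUSPECT")
    image_drive
    img=$(hash_file "$STORAGE")
    echo "source md5: $src" >&2
    echo "image  md5: $img" >&2
    if [ "$src" = "$img" ]; then
        echo MATCH
    else
        echo MISMATCH
        return 1
    fi
}

duplicate_and_verify
```

Two caveats before relying on the hash: conv=sync zero-pads the last partial block, so a source whose size is not a multiple of bs hashes differently from its image (compare against a hash of the source read with the same bs, or use the digest dcfldd computes over what it actually read); and the reference hash is only meaningful if the source cannot have changed between the two reads, which is what the write-blocker guarantees. Once verified, the image is associated with a loopback device and mounted read-only (mount -o ro,loop on Linux), as the Chapter 9 questions describe, and is never written to.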




1.-________ is an open source tool used to examine the contents of Internet Explorer's
cache files. It will parse the information in an index.dat file and output the results in a
field-delimited manner.
A) FTK
B) EnCase
D) Pasco
E) NBE
2.-________ is an open source tool used to examine the contents of a cookie file. It will
parse the information in a cookie file and output the results in a field-delimited manner.
A) FTK
B) NBE
D) Pasco
E) Galleta

3.-_________________ is a file that can be used to reconstruct Web browsing activity.
It contains three activity records: LEAK, URL and REDR.
A) index.dat
B) iehistory.dat
C) browser.dat
D) ielogs.dat
4.-The _________ record shows information about a browser's redirection to another site.
A) URL
B) LEAK
C) REDR
D) WebRecord
5.-The ______ record does the same as URL: it contains information about websites visited.
A) REDR
B) Webrecord
C) FTK
D) LEAK
1.-__________ is an open source tool that can be used to reconstruct an E-Mail DBX
file.
A) Encase
B) MailRecover
D) Eindeutig
E) MailRestore
2.-An open source tool named __________ can be used to decode MIME file
attachments in email.
A) EnCase
B) PASCO
C) Munpack
D) Undelete
3.-Lotus Notes e-mail repositories can be directly analyzed. They do not need to be
converted to another format before analysis.
A) True
B) False
4.-AOL E-mail repositories can be directly analyzed without having to download the
AOL client.
A) False
B) True
5.-The file format used by Outlook Express that contains the actual e-mail messages'
content and attachments is called ______________.
A) E-Mail DBX file
B) Standard IDE Cable
C) Folders DBX File
D) Express E-Mail File




1.-Using the Sleuth Kit, the ______ tool provides a file listing.
A) fls
B) ls
D) dir list
E) File list
2.-When using The Sleuth Kit, the fls tool together with the ________ shows a
recursive directory listing of the whole hard drive.
A) -s switch
B) -x switch
C) -r switch
D) No switch can be used together with fls
3.-_________________ is a program that recursively computes the MD5 hash for files.
A) NED
B) Cryptcat
C) md5deep
D) Netcat
4.-_________ are a common tool attackers use to control your computer remotely.
A) IRC bots
B) Virus
C) DCFLDD
D) Netcat
5.-The command: file /usr/include/stdio.h is intended to ________.
A) Specify the output file
B) Specify the network name
C) Specify the input file
D) determine the file signature of a file



  1. What does the flag “-n” under the command netstat display?
     a. Displays addresses and port numbers in numerical form.
     b. Displays the owning process ID associated with each connection.
     c. Displays all connections and listening ports.
     d. Displays the owning process ID associated with each connection.

  2. Under the PsTools suite, which command allows you to execute processes remotely?
     a. PsKill
     b. PsExec
     c. PsService
     d. PsLogList

  3. Under the PsTools suite, which command lists the files on the local system that are
     open by remote systems?
     a. PsLogList
     b. PsService
     c. PsExec
     d. PsFile

  4. Which command displays protocol statistics and current TCP/IP connections using
     NetBIOS over TCP/IP?
     a. nc
     b. Ipconfig
     c. Nbtstat
     d. Fport

  5. What tool opens TCP/IP and UDP ports and maps them to the owning application?
     a. Fport
     b. ShoWin
     c. NTLast
     d. Fpipe
1.   Which is NOT a tool needed when preparing for forensic duplication?
          a. Evidence worksheets
          b. System Worksheets
          c. Agent Notes
          d. Scan Disk
2.   What is used as a safety measure to prevent static damage to brand new unused hard drives?
          a. Anti-Static bags
          b. Cable ties
          c. Plastic bag
          d. Endust
3.   Which of the following is unique information that is found on a hard drive that should be
     collected on an evidence worksheet?
          a. Serial Number
          b. ID number
          c. IP Address
          d. Port Number
4.   All evidence should be contained in a _________ envelope.
          a. First class
          b. UPS
          c. Plastic
          d. Tamper-proof
5.   _________ is paramount to any investigation and should not be overlooked.
          a. Documentation
          b. Licensing
          c. Cleanings
          d. Listening
6.   Which is the most powerful and most expensive forensic software on the market?
          a. Norton Anti Virus
          b. Encase
          c. Ftk
          d. AVG
7.   _________ converts traditional 3.5 IDE connections to read-only firewall connections.
          a. Connections Converter
          b. Read-only IDE-to-Firewall device
          c. SCSI
          d. SATA
8.   What forensics tool-kit is used to obtain a forensic duplication in DD format?
          a. FTK
          b. VTK
          c. AVG
          d. Norton
9.   When EnCase duplicates an evidence hard drive, it creates ________ files on a destination
     media.
          a. System
          b. Log
          c. Evidence
          d. Sound
10.  Which is not a format supported by FTK?
          a. .e01
          b. dd
          c. Smart Format
          d. .doc
11.  What does DD stand for?
          a. Dynamic Drive
          b. Data Dump
          c. Disk Drive
          d. Device Data
12.  _________ is a variation of the standard dd that provides functionality for greater authentication
     using a built-in MD5 algorithm.
          a. DCFLDD
          b. DD v2
          c. IpDD
          d. DD Blaster
13.  ____ operates using a client and server model so that the client component can be run directly
     from the suspect's computer.
          a. Share ware
          b. P2P
          c. NED
          d. FTP
14.  Which file contains the completed actions inside NED in XML format?
          a. Audit.xml
          b. Check.xml
          c. File.xml
          d. Hash.xml
15.  Which directory contains the compressed image of the forensic duplication?
          a. Gif_compressed
          b. Pic_compressed file
          c. Image_compressed
          d. File_compressed
16.  __________ is a library and collection of command line tools that allow you to investigate volume
     and file system data.
          a. The Sleuth Kit
          b. Visualization Tool kit
          c. Data Command Tool kit
          d. System Analysis Tool kit
17.  What is the most notable hash distribution provided by the National Institute of Standards and
     Technology (NIST)?
          a. NSRL
          b. HTTP
          c. XHTML
          d. MD5
18.  With The Sleuth Kit, using the __ switch you see the full path of every file listed rather than the
     pseudo-graphical directory structure.
          a. -r
          b. -n
          c. -c
          d. -p
19.  ________ is used to associate loop devices with regular files or block devices.
          a. Losetup
          b. Psexec
          c. Logmgr
          d. TSK
20.  Which is one of the types of file systems that the Sleuth Kit supports?
          a. File Server
          b. FTP
          c. FAT32
          d. HTTP




Chapter 2
   1. The ______ file system can be obtained from issuing either the mount command or the
      df command.
          a. Mount
          b. Internal
          c. Windows
          d. Linux
   2. Which of the following is not a form of nonvolatile data?
          a. User accounts
          b. User history accounts
          c. Syslog logs
          d. Open files
   3. What command must you use to review all loaded kernel modules?
          a. Nbtstat
          b. Netstat
          c. Lsmod
          d. Md5sum
   4. You can view open processes and the users running them by issuing the _____
      command.
          a. Ps -aux
          b. Ps -rn
          c. Pt -x
          d. Pq -rt
   5. _______ are commands the user types at the prompt.
          a. User log files
          b. History files
          c. Event log files
          d. System log files




Chapter 3
   1. Which of the following is a type of NBE?
          a. Statistical data
          b. Raw data
          c. Registry Keys
          d. Metadata
   2. Which of the following is NOT a way to access network traffic?
          a. Hubs
          b. Taps
          c. Switch SPAN ports
          d. Radio waves
   3. Under which standard intrusion scenario does the intruder perform reconnaissance
      against the target to validate connectivity, enumerate services, and check for vulnerable
      versions?
          a. Pillage
          b. Consolidation
          c. Reconnaissance
          d. Exploitation
   4. ________data is created by analyzing NBE for predefined items of interest.
          a. Alert
          b. Session
          c. Physical
          d. New
   5. _____are the simplest and cheapest way to gain access to network traffic.
          a. Hubs
          b. Wireless routers
          c. Repeaters
          d. NAS
     Chapter 4
1.   _______ mode runs Snort against previously captured data.
         a. Stealth
         b. Live
         c. Batch
         d. Silent
2.   _______ is the protocol Microsoft uses to share files, printers, serial ports, and also to
     communicate between computers using named pipes and mail slots.
         a. Server Message Block (SMB)
         b. MAC
         c. FTP
         d. HTTP
3.   An identification request, commonly used with email and Internet Relay Chat (IRC), is
     known as _________.
         a. ICMP
         b. SNTP
         c. IDENT
         d. HTML
4.   What does the “-n” do in the command tcpdump -n -i eth0 -s 1515 capture_file.lpc?
         a. Disables translation of IP addresses to host names and port number services to
             names.
         b. Enables translation of IP addresses to host names and port number services to
             names.
         c. Changes the port numbers and IP addresses.
         d. Disables all functions of TCP/IP.
5.   Which Microsoft service contains a dedicated scripting engine for advanced file types
     such as ASP, ASA, and HTR files?
         a. WebClient
         b. IIS 5.0
         c. W32Time
         d. RapiMgr

Jennifer Garcia Avila
April 22, 2010
CSCI 6318

                                        Answer Key

   1. FTK can acquire forensic duplication in three different formats:
          a. EnCase Evidence Files (.E01)
          b. Microsoft Excel files (.xls)
          c. Raw Disk Image (DD)
          d. A. and C.
          e. None of the above

   2. When using DD, always make sure that the BIOS boots from:
        a. Your LINUX operating system
        b. The suspect’s hard drive
        c. None of the above

   3. Sync tells DD to place:
         a. Zeros in any blocks in the output when an error is encountered
         b. Ones in any blocks in the output when an error is encountered
         c. Twos in any blocks in the output when an error is encountered
         d. None of the above

   4. DD-rescue is different from DD in that:
         a. It outputs a statistics screen so one can observe how much duplication has been
             completed.
         b. Copies the hard drive a lot faster because it uses the optimal block sizes to
             transfer data.
         c. Both A and B
         d. None of the above

   5. NED stands for
         a. Network Editing Diagram
         b. Network Evidence Duplicator
         c. All of the above
         d. None of the above

   6. NED is built around an architecture that accepts
         a. Plugins
         b. Words
           c. Scripts
           d. All of the above
           e. None of the above

   7. NED also contains
         a. Pre-processing capabilities
         b. Post-processing capabilities
         c. All of the above
         d. None of the above

   8. Odessa is also known as:
         a. ClosedDD
         b. OpenDD
         c. All of the above
         d. None of the above

   9. DCFLDD is a variation of:
         a. OpenDD
         b. EnCase
         c. Standard dd
         d. All of the above
         e. None of the above

   10. DCFLDD contains the following extra switch(es):
          a. Hashwindow
          b. Hashlog
          c. A and B
          d. None of the above


Jennifer Garcia Avila

                        Questions for Chapters 6,7,8,9 (due 4/15/10)

   1. Your forensics toolkit should have items like:
         a. Hard Drives
         b. Cables
         c. Flashlight
         d. Power cords
         e. All of the above

   2. One should include the following in documentation:
         a. Evidence worksheets
         b. Chain of custody forms
         c. A menu from Jason’s Deli
         d. A and B
         e. None of the above

   3. Encase is a:
         a. Freeware application
         b. Commercial application
         c. None of the above
         d. All of the above

   4. FTK can acquire forensic duplication in the following formats:
          a. Encase evidence files
          b. Raw disk image
          c. Smart format
        d. All of the above
        e. None of the above

5. DD does:
      a. High level copying
      b. Low level copying
      c. All of the above
      d. None of the above

6. DD is also used to:
       a. Copy a specified number of bytes or blocks
       b. On-the-fly byte order conversions
       c. Copy regions of raw device files
       d. All of the above
       e. None of the above

7. NED’s original name was
      a. Charlotte
      b. Odessa
      c. Maria
      d. None of the above

8. In conducting forensic analysis, the investigator must execute a few steps, including:
       a. Recovering any deleted files to add to the analysis
       b. Reduce the data set to the smallest number
       c. String searching
       d. All of the above
       e. None of the above

9. Fdisk shows what the _________ looks like.
       a. BIOS
       b. Partition table
       c. Operating system
       d. All of the above
       e. None of the above

10. Metadata includes:
       a. Full file names
       b. File sizes
       c. MD5 hashes
       d. All of the above
       e. None of the above

				