D431-Digital Forensics in Cybersecurity

Question 1

Which law requires both parties to consent to the recording of a conversation?

Answer 1

Electronic Communications Privacy Act (ECPA)

Question 2

Which law is related to the disclosure of personally identifiable protected health information (PHI)?

Answer 2

Health Insurance Portability and Accountability Act (HIPAA)

Question 3

Which U.S. law criminalizes the act of knowingly using a misleading domain name with the intent to deceive a minor into viewing harmful material?

Answer 3

18 U.S.C. 2252B

Question 4

Which U.S. law protects journalists from turning over their work or sources to law enforcement before the information is shared with the public?

Answer 4

The Privacy Protection Act (PPA)

Question 5

Which law or guideline lists the four states a mobile device can be in when data is extracted from it?

Answer 5

NIST SP 800-72 Guidelines

Question 6

Which law includes a provision permitting the wiretapping of VoIP calls?

Answer 6

Communications Assistance to Law Enforcement Act (CALEA)

Question 7

Which policy is included in the CAN-SPAM Act?

Answer 7

The email sender must provide some mechanism whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out.

Question 8

Which United States law requires telecommunications equipment manufacturers to provide built-in surveillance capabilities for federal agencies?

Answer 8

Communication Assistance to Law Enforcement Act (CALEA)

Question 9

Which law requires a search warrant or one of the recognized exceptions to the search warrant requirements for searching email messages on a computer?

Answer 9

The Fourth Amendment to the U.S. Constitution.

Question 10

The chief information officer of an accounting firm believes sensitive data is being exposed on the local network.

Which tool should the IT staff use to gather digital evidence about this security vulnerability?

Answer 10

Sniffer

Question 11

A police detective investigating a threat traces the source to a house. The couple at the house shows the detective the only computer the family owns, which is in their son’s bedroom. The couple states that their son is presently in class at a local middle school. How should the detective legally gain access to the computer?

Answer 11

Obtain consent to search from the parents.

Question 12

How should a forensic scientist obtain the network configuration from a Windows PC before seizing it from a crime scene?

Answer 12

By using the ipconfig command from a command prompt on the computer.

Question 13

The human resources manager of a small accounting firm believes he may have been a victim of a phishing scam. The manager clicked on a link in an email message that asked him to verify the logon credentials for the firm’s online bank account.

Which digital evidence should a forensic investigator collect to investigate this incident?

Answer 13

Browser cache

Collecting the browser cache is indeed crucial in investigating a potential phishing scam. The browser cache contains temporary files, including web pages, images, and other media, that are stored locally on the manager’s computer. By examining the browser cache, the forensic investigator can potentially find evidence of the phishing attempt, such as copies of the fake login page or any scripts used to capture login credentials. This evidence can help confirm the manager’s actions and shed light on the nature of the phishing scam.

Question 14

After a company’s single-purpose, dedicated messaging server is hacked by a cybercriminal, a forensics expert is hired to investigate the crime and collect evidence.

Which digital evidence should be collected?

Answer 14

Firewall logs

Question 15

Thomas received an email stating that he needed to follow a link and verify his bank account information to ensure it was secure. Shortly after following the instructions, Thomas noticed money was missing from his account.

Which digital evidence should be considered to determine how Thomas’ account information was compromised?

Answer 15

Email messages

Question 16

The chief executive officer (CEO) of a small computer company has identified a potential hacking attack from an outside competitor. Which type of evidence should a forensics investigator use to identify the source of the hack?

Answer 16

Network transaction logs

Question 17

A forensic scientist arrives at a crime scene to begin collecting evidence. What is the first thing the forensic scientist should do?

Answer 17

Photograph all evidence in its original place

Question 18

Which method of copying digital evidence ensures proper evidence collection?

Answer 18

Make the copy at the bit-level

Question 19

A computer involved in a crime is infected with malware. The computer is on and connected to the company’s network. The forensic investigator arrives at the scene.

Which action should be the investigator’s first step?

Answer 19

Unplug the computer’s Ethernet cable

The investigator’s first step should be to disconnect the infected computer from the company’s network to prevent further spread of the malware and to preserve evidence for analysis. This helps contain the situation and allows for a thorough examination of the compromised system without risking the integrity of other networked devices.

Question 20

What are the three basic tasks that a systems forensic specialist must keep in mind when handling evidence during a cybercrime investigation?

Answer 20

Find evidence, preserve evidence and prepare evidence.

Question 21

How do forensic specialists show that digital evidence was handled in a protected, secure manner during the process of collecting and analyzing the evidence?

Answer 21

Chain of custody

Question 22

Which characteristic applies to magnetic drives compared to solid-state drives (SSDs)?

Answer 22

Lower cost

Question 23

Which characteristic applies to solid-state drives (SSDs) compared to magnetic drives?

Answer 23

They are less susceptible to damage

Question 24

Which type of storage format should be transported in a special bag to reduce electrostatic interference?

Answer 24

Magnetic media

Question 25

Which Windows component is responsible for reading the boot.ini file and displaying the boot loader menu on Windows XP during the boot process?

Answer 25

NTLDR

Question 26

The following line of code is an example of how to make a forensic copy of a suspect drive:

dd if=/dev/mem of=/evidence/image.memory1

Which operating system should be used to run this command?

Answer 26

Linux

Question 27

Which file system is supported by Mac?

Answer 27

Hierarchical File System Plus (HFS+)

Question 28

Where are local passwords stored for the Windows operating system?

Answer 28

SAM file in \Windows\System32\

Question 29

Where on a Windows system is the config folder located that contains the SAM file?

Answer 29

C:\Windows\System32

Question 30

A forensic examiner wants to try to extract passwords for wireless networks to which a system was connected.

Where should passwords for wireless networks be stored on a Windows XP system?

Answer 30

Registry

Question 31

Which Windows password cracking tool uses rainbow tables?

Answer 31

Ophcrack

Question 32

How does a rainbow table work to crack a password?

Answer 32

It uses a table of all possible keyboard combinations and their hash values, then searches for a match.

Question 33

What should a forensic investigator use to gather the most reliable routing information for tracking an email message?

Answer 33

Email header

Question 34

Which activity involves email tracing?

Answer 34

Determining the ownership of the source email server

Question 35

A forensic examiner reviews a laptop running OS X which has been compromised. The examiner wants to know if there were any mounted volumes created from USB drives.

Which digital evidence should be reviewed?

Answer 35

/var/log

/var/log is indeed a crucial location for forensic examination in Unix-based operating systems like macOS. It contains a variety of log files that record system events, including USB device connections and other relevant activities. Checking log files within /var/log can provide valuable evidence regarding mounted volumes created from USB drives on the compromised laptop.

Question 36

Which log or folder contains information about printed documents on a computer running Mac OS X?

Answer 36

/var/spool/cups

Question 37

Which Windows event log should be checked for evidence of invalid logon attempts?

Answer 37

Security

Question 38

A cyber security organization has issued a warning about a cybercriminal who is using a known vulnerability to attack unpatched corporate Macintosh systems. A network administrator decides to examine the software updates logs on a Macintosh system to ensure the system has been patched.

Which folder contains the software updates logs?

Answer 38

/Library/Receipts

The /Library/Receipts directory used to contain installation receipts for software installed via Apple’s Installer application. These receipts provided information about installed software, including version numbers and installation dates.

However, starting with macOS 10.8 (Mountain Lion), Apple deprecated the use of installation receipts for tracking software installations. Instead, software installations are now managed by the package database maintained by the Installer application. Therefore, while /Library/Receipts used to be a relevant directory for tracking software installations, it may not contain up-to-date information on software updates, including security patches.

For checking software updates logs on a Macintosh system, it’s more reliable to refer to the /Library/Logs/SoftwareUpdate.log file, as mentioned earlier. This log file provides detailed information about software update activities, including the installation of security patches.

Question 39

A forensic investigator wants to image an older BlackBerry smartphone running OS 7.0.

Which tool should the investigator use?

Answer 39

BlackBerry Desktop Manager

Question 40

An investigator wants to extract information from a mobile device by connecting it to a computer.

What should the investigator take great care to ensure?

Answer 40

That the mobile device does not synchronize with the computer

Question 41

Which state is a device in if it is powered on, performing tasks, and able to be manipulated by the user?

Answer 41

Active

Question 42

What is one purpose of steganography?

Answer 42

To deliver information secretly

Question 43

Which method is used to implement steganography through pictures?

Answer 43

3DES

Question 44

The chief information security officer of a company believes that an attacker has infiltrated the company’s network and is using steganography to communicate with external sources. A security team is investigating the incident. They are told to start by focusing on the core elements of steganography.

What are the core elements of steganography?

Answer 44

Payload, carrier, channel

Question 45

A system administrator believes data are being leaked from the organization. The administrator decides to use steganography to hide tracking information in the types of files he thinks are being leaked.

Which steganographic term describes this tracking information?

Answer 45

Payload

The steganographic term that describes tracking information hidden within files is “payload.” In steganography, the payload refers to the secret message or data that is concealed within the carrier file, such as an image, audio, video, or document file. By embedding tracking information as the payload in these files, the system administrator aims to covertly monitor and trace the leaked data within the organization.

Question 46

A criminal organization has compromised a third-party web server and is using it to control a botnet. The botnet server hides command and control messages through the DNS protocol.

Which steganographic component are the command and control messages?

Answer 46

Payload

Question 47

Which method is commonly used to hide data via steganography?

Answer 47

LSB

Question 48

A system administrator believes an employee is leaking information to a competitor by hiding confidential data in images being attached to outgoing emails. The administrator has captured the outgoing emails.

Which tool should the forensic investigator use to search for the hidden data in the images?

Answer 48

Forensic Toolkit (FTK)

Question 49

A foreign government is communicating with its agents in the U.S. by hiding text messages in popular American songs, which are uploaded to the web.

Which steganographic tool can be used to do this?

Answer 49

MP3Stego

Question 50

During a cyber-forensics investigation, a USB drive was found that contained multiple pictures of the same flower.

How should an investigator use properties of a file to detect steganography?

Answer 50

Review the hexadecimal code looking for anomalies in the file headers and endings using a tool such as EnCase