IS3440 CHAP 14 DETECTING AND RESPONDING TO SECURITY BREACHES

Question 1

COMMAND ___ is known as the disk dump command, it supports a full copy of all data on a partition, volume, or drive.

Answer 1

dd

Question 2

COMMAND ___ is a variation on the dd command that reads data from back to front on a specified partition, volume, or drive. It is more error tolerant than dd.

Answer 2

dd_rescue

Question 3

COMMAND ___ is a command that lists libraries used by a specified command; its use requires the full path to the target command.

Answer 3

ldd

Question 4

COMMAND ___ is a file that dynamically represents the contents of RAM on the local system.

Answer 4

/proc/kcore

Question 5

COMMAND ___ is a command that synchronizes files from one location to another; may be used in conjunction with SSH.

Answer 5

rsync

Question 6

COMMAND ___ is a command that traces the system calls used by another command; primarily used for troubleshooting.

Answer 6

strace

Question 7

COMMAND ___ is a package that tracks the RAM and CPU usage on a system, with the help of the ‘cron’ service.

Answer 7

sysstat

Question 8

COMMAND ___ is a command that lists currently logged in users and the process currently being run by that user.

Answer 8

w

Question 9

COMMAND ___ is a command that lists currently logged in users.

Answer 9

who

Question 10

___ is an abbreviation for Computer Aided Investigative Environment, a bootable live CD distribution available from http://caine-live.net/.

Answer 10

CAINE

Question 11

___ is built on Ubuntu Linux. It includes a number of live tools for recovering data from live Microsoft operating systems available.

Answer 11

DEFT

Question 12

___ is a live CD distribution that incorporates the tools associated with the Sleuth Kit.

Answer 12

Master Key Linux

Question 13

___ is a system for bug reports on Red Hat distributions.

Answer 13

Red Hat Bugzilla

Question 14

___ is a package of tools that can be used to save volatile data; intended for use on read-only media as commands on compromised systems.

Answer 14

Sleuth Ket

Question 15

1. Which of the following COMMANDS can display the free memory in RAM and in a swap partition? (Select two)
2. free
3. mem
4. top
5. swapon

Answer 15

free

top

Question 16

2. It is important to have a security policy that applies to users for how they do their backups.
   TRUE OR FALSE

Answer 16

FALSE

Question 17

3. What command reads log files created through the system status tool?

Answer 17

sar

Question 18

4. Which of the following COMMANDS is used to identify users who have since logged out?
5. who
6. w
7. last
8. sar

Answer 18

last

Question 19

5. Which of the following file extensions is NOT associated with software packages?
6. .odt
7. .tar.gz
8. .rpm
9. .deb

Answer 19

.odt

Question 20

6. Which of the following is most important to recover from a compromised system before powering it down?
7. /home/
8. /etc/fstab
9. /proc/kcore
10. None of the above

Answer 20

/proc/kcore

Question 21

7. Which of the following FILES is most likely to change when a system is powered down?
8. /etc/mtab
9. /etc/fstab
10. /etc/boot/grub/menu.1st
11. /etc/crontab

Answer 21

/etc/mtab

Question 22

8. which of the following COMMANDS is least useful for recovering data from a live system?
9. nc
10. vi
11. dmesg
12. cat

Answer 22

vi

Question 23

9. What command can be used to duplicate the contents of a partition by its device file?

Answer 23

dd

Question 24

10. Which of the following COMMANDS is NOT associated with compiling the source code associated with other commands?
11. config
12. configure
13. make install
14. make

Answer 24

config

Question 25

11, Which of the following actions is normally done from a forensic operating system booted from live media, when connected to a compromised hard drive?

1. Recovering information from RAM
2. Making a copy of the /proc/kcore file
3. Recovering information from a swap partition
4. Copying the contents of /etc/mtab

Answer 25

Recovering information from a swap partition

Question 26

12. Which of the following commands does NOT include free space in the duplication process?
13. rsync
14. dd
15. dd_rescue
16. icat

Answer 26

rsync

Question 27

13. Which of the following steps is NOT appropriate when saving compromised data from a hard drive?
14. Keeping a compromised system connected to a network during an investigation
15. Taking special care to avoid overwriting data in a swap partition
16. Booting a live Knoppix CD distribution
17. Powering down a compromised system after saving dynamic data

Answer 27

Booting a live Knoppix CD distribution

Question 28

14. Which of the following steps should you take if you’ve identified a new security problem with open source software?
15. Share the concern on a standard mailing list for the distribution
16. Share the concern on a standard mailing list for the compromised software
17. Communicate privately with the developers of the compromised software
18. Nothing, as it is important to protect proprietary information in the open source community

Answer 28

Communicate privately with the developers of the compromised software