Module 1 - Insider Threats

Question 1

Intrusion Definition

Answer 1

unauthorized access to a computer system

Question 2

Protections - Gov (1) vs non (3)

Answer 2

Computer Fraud and Abuse Act

Private:
employment agreements
computer/end-user agreements
corporate policies

Question 3

Unintentional Intrusion (causes)

Answer 3

• snooping through an organization

- not adhering to IT policies

Question 4

Unintentional Intrusion (results)

Answer 4

data and systems inadvertently altered (deleted or modified)

Question 5

Intentional Intrusion (results)

Answer 5

• accessing info without authorization
• theft of data
• damage to computer system
• removing security safeguards

Question 6

Candidates for intentional

Answer 6

• disgruntled employees
• employees giving into temptation
• employees who may have substantial financial gain

Question 7

Insider Threat Means (5)

Answer 7

• physical access
• within perimeter defenses
• already have access to sensitive info
• system admins with universal access
• difficult to detect and defend

Question 8

Methods of Exfil (6)

Answer 8

• corporate e-mail
• personal e-mail
• printing
• web site
• drop sites (dropbox, iCloud, Google docs)
• external media

Question 9

Artifacts (5)

Answer 9

• auditing of sensitive data
• windows registry
• corporate e-mail
• Internet history
• Windows event logs

Question 10

Autopsy - history

Answer 10

Graphical interface for Sleuth Kit
Brian Carrier and Basis Technology
free
- Ver 2 - (Linux and OS X)
- Ver 3 (Windows 32 & 64)
- Add-on Modules/Plugins (Videos/Registry)

Question 11

Autopsy Start up Procedures

Answer 11

Create case
add evidence file
preprocessing/ run ingest modules
building database

Question 12

Autopsy case file extension

Answer 12

aut

Question 13

Autopsy Data Source Options

Answer 13

Image Files
Local Disk
Logical Files

Question 14

Autopsy Modules with Additional Options (2)

Answer 14

Hash Lookup

Keyword Search

Question 15

Autopsy Keyword Search Options (4)

Answer 15

Phone Numbers
IP Addresses
Email Addresses
URLs

Question 16

Autopsy - Views - File Types

Answer 16

Images
Documents
Executables (.dll, .bat .cmd, .exe, .com)

Question 17

Autopsy Results - Extracted Content

Answer 17

Recent Documents
Installed Programs
Web History
Web Search

Question 18

Autopsy - To Extract

Answer 18

Right click file - Extract file(s)

Question 19

Autopsy Plugins

Answer 19

Tools - Plug-ins

Question 20

Autopsy Options menu

Answer 20

Tools - Options:
display settings
time zone setting
keyword searches
hashes
general settings

Question 21

Windows XP/7 Event Logs

Answer 21

Application.evt / Application.evtx
System.evt / System.evtx
Security.evt / Security.evtx

/Windows/System32/winevt/Logs

Question 22

Event Code for USB device driver install

Answer 22

10000

Question 23

Output for Windows Registry extractor Module

Answer 23

\ModuleOutput\Windows Registry Extractor

Question 24

Registry for USB Storage

Answer 24

\SYSTEM\ControlSet001\Enum\USBSTOR\