Network Forensics Flashcards
In network forensics, data collection can be performed using a “Stop, look, and listen” or a “Catch-it-as-you-can” strategy. Concerning the former, select which of the following statements are appropriate.
a. It performs real-time processing
b. It requires fast processing
c. It requires much larger memory storage than a “Catch-it-as-you-can” strategy
d. Only certain packets are stored
e. All the listened packets are stored
a. It performs real-time processing
b. It requires fast processing
d. Only certain packets are stored
Which of the following methods can be used to detect whether on a machine there is a sniffer running?
Select one or more:
a. Check for duplicates in the ARP table of a machine.
b. Sending a ping to the suspected machine with a wrong MAC address
c. Check the ping latency
d. Sending a broadcast ARP with a wrong MAC/IP pairing
a. Check for duplicates in the ARP table of a machine.
b. Sending a ping to the suspected machine with a wrong MAC address
c. Check the ping latency
Select among the following some sniffing tools or software.
Select one or more:
a. Neped
b. Wireshark
c. Ethereal
d. Snort
e. Ettercap
f. ARP watch
b. Wireshark
d. Snort
c. Ethereal
e. Ettercap
Among the following, select the anti-sniffing software or strategies.
Select one or more:
a. Wireshark
b. Flooding the network
c. Cyphering the data (PGP, SSH)
d. Snort
e. Add some MAC addresses permanently to tables
c. Cyphering the data (PGP, SSH)
d. Snort
e. Add some MAC addresses permanently to tables
Select which of the following software and tools can be used to carry out a Man-in-the-Middle attack on a router.
Select one or more:
a. Encryption
b. Router Audit Tool (RAT)
c. Ultima Ratio
d. VIPPR
c. Ultima Ratio
d. VIPPR
Which of the following incidents could a DEFR (Digital Evidence First Responder) analyze on a router?
Select one or more:
a. The router is infected by a malware performing SYN flood attacks
b. The working state of the router is compromised (DoS)
c. Theft of Information
d. The router is working in promiscuous mode
e. The routing table has been manipulated
b. The working state of the router is compromised (DoS)
c. Theft of Information
e. The routing table has been manipulated
Network-based Intrusion Detection Systems (NIDS) … (select the most appropriate sentences)
Select one or more:
a. … tell if the attack is successful.
b. … raise an alarm during suspicious network activity.
c. … evaluate network traffic.
d. … monitor a specific protocol.
c. … evaluate network traffic.
b. … raise an alarm during suspicious network activity.
Among the following, select the most correct statements concerning Host-based IDS.
Select one or more:
a. HIDS are robust to fragmentation and TTL attacks.
b. HIDS can monitor log files, system activities, errors
c. HIDS can detect out-of-band attacks (e.g., juice jacking)
d. HIDS provide a network-wide overview of the attack
e. Maintenance for different HIDS is extremely easy.
a. HIDS are robust to fragmentation and TTL attacks.
b. HIDS can monitor log files, system activities, errors
c. HIDS can detect out-of-band attacks (e.g., juice jacking)
Concerning Network-based Intrusion Detection Systems (NIDS), we can state that …
Select one or more:
a. … they work in promiscuous mode.
b. … they do not waste network or CPU resources
c. … they are robust to packet fragmentation and re-assembly
d. … they can experience some problems if the network usage increases.
e. … they are not affected by TTL attacks
a. … they work in promiscuous mode.
b. … they do not waste network or CPU resources
d. … they can experience some problems if the network usage increases.
In signature-based IDS trigger, …
Select one or more:
a. … profiles are dynamic.
b. … it is possible to detect a previously-known attack only.
c. … protection is instantaneous after signature update.
d. … attackers cannot pre-configure an IDS-transparent attack.
b. … it is possible to detect a previously-known attack only.
c. … protection is instantaneous after signature update.
In wireless forensics operations, …
Select one or more:
a. … it is necessary to sense multiple frequencies since devices can connect to multiple APs.
b. … storage and processing requirements can be very low for passive devices.
c. … capture time depends on the motion states of the monitored devices
a. … it is necessary to sense multiple frequencies since devices can connect to multiple APs.
c. … capture time depends on the motion states of the monitored devices
The use of honeypot terminals in a network presents some issues. Select the correct ones.
Select one or more:
a. Honeypots compromise the safety of the network.
b. If no damage is done by the attack, no legal claim is possible.
c. Since they are designed to be compromised, we can weaken the monitoring on them.
d. Honeypots are illegal in many countries.
b. If no damage is done by the attack, no legal claim is possible.
Traceback software and strategies can resort to different analysis methods. Select the correct ones.
Select one or more:
a. probabilistic packet marking
b. keeping distributed marking tables for packets
c. monitoring IP and ports of attacking terminals.
d. packet logging
a. probabilistic packet marking
b. keeping distributed marking tables for packets
d. packet logging
Among the following, select the wrong statement concerning Network-based IDS.
Select one:
a. They require storage and fast processing capabilities
b. They can detect out-of-band attacks
c. They provide a network-wide overview of the attack
d. They are not robust to fragmentation and TTL attack
b. They can detect out-of-band attacks
In signature-based IDS trigger, ___ (select the correct completion)
Select one:
a. ___ initially, false-positive and negative percentages are very high
b. ___ it is possible to detect a new anomaly
c. ___ protection is instantaneous after database update
d. ___ profiles are dynamically updating
c. ___ protection is instantaneous after database update
Put the steps of network forensics in the correct order: Analysis, Collection, Examination, Incident response, Identification, Preservation, Presentation.
- Identification - recognizing and determining an incident based on network indicators.
- Preservation - securing and isolating the state of physical and logical evidence so that it cannot be altered, for example by protecting it from electromagnetic damage or interference.
- Collection - recording the physical scene and duplicating digital evidence using standardized methods and procedures.
- Examination - in-depth, systematic search for evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for analysis.
- Analysis - determining significance, reconstructing packets of network traffic data and drawing conclusions based on the evidence found.
- Presentation - summarizing and explaining the conclusions drawn.
- Incident response - the response to a detected attack or intrusion is initiated based on the information gathered to validate and assess the incident.
What are the operating layers in network forensics?
Ethernet analysis
TCP/IP - Router analysis
Internet/Server based analysis
Wireless analysis
Describe the “catch-it-as-you-can” data collection method and how it differs from the “Stop, look and listen” method.
1) Catch-it-as-you-can
- all packets/data are captured
- Large storage needed
- Analysis in batch mode
- Usually at the packet level
- For later analysis
2) Stop, look and listen
- requires a faster processor for incoming traffic
- Each packet is analyzed in memory
- Certain ones are stored
- Usually at the packet level
- Real-time filtering
What is the difference between a sniffer on shared Ethernet and a sniffer on switched Ethernet?
Sniffer on shared Ethernet - a machine running a sniffer accepts all the frames regardless of the MAC address (promiscuous mode)
How to detect a sniffer?
- Ping method - send a packet to the IP address of the suspect machine with a missing or wrong MAC address. All machines should reject it since the MAC does not match. Only the sniffer answers.
- ARP method - exploits the ARP cache. Send a non-broadcast ARP, which is cached by a machine in promiscuous mode. Then send broadcast IP packets with the correct IP but different MAC addresses. Only a machine that cached the MAC address from the sniffed ARP frame will respond.
- Localhost analysis - attackers may have compromised your terminal and left sniffers behind. Run ifconfig and analyze its output.
- Latency method - most sniffers do some parsing. A huge amount of data is sent through the network, and during the transmission the suspect machine is pinged. In promiscuous mode it parses all packets, and therefore the ping response is delayed. False positives are possible.
- ARP watch - the gateway can be spoofed. arpwatch can be used to check the ARP cache of a terminal: look for duplicates. With DHCP there can be many false alarms: increase the DHCP lease time.
- IDS - Snort records the IP/MAC pairing of packets. Whenever a mismatch is found, it generates an alert.
Define router forensics.
- Operational troubleshooting
- Log monitoring
- Data recovery
- Data acquisition
List possible attacks on routers.
- Reconnaissance
- Scanning and enumeration
- Gaining access
- Escalation of privilege
- Maintaining access
- Covering tracks and placing backdoors
- DoS attack
- Packet mistreating attacks
- Routing table poisoning
- Persistent attacks
How to gather volatile router data?
- Connect to the console port using a cable and a laptop with terminal emulation software
- Record System Time and determine who is logged on
- Save router configuration
- Review routing tables and detect malicious static routes modified by an attacker
- View ARP cache looking for evidence of IP and MAC spoofing
How should router forensics be carried out? Choose the correct ones:
a. Reboot the router
b. Access router through the console
c. Run configuration commands
d. Record your whole console session, including the actual time and the router time
e. Run show commands
g. Access the router through the network
h. Record volatile information
i. Rely only on persistent information
DOs
b. Access router through the console
d. Record your whole console session, recording the actual time and the router time
e. Run show commands.
h. Record volatile information