Network Forensics Flashcards
SPAN (Switched Port Analyzer, port mirroring)
Allows for the copying of ingress and/or egress communications from one or more switch ports to another port where a sniffer or sensor listens. Mirrored frames can be silently dropped when the destination port is oversubscribed (traffic from several mirrored ports exceeds its line rate), which a dedicated TAP avoids.
Packet Sniffer
A piece of hardware or software that records data from frames as they pass over network media using methods such as a mirrored port or tap device
tcpdump
A data-network packet analyzer program that runs under a command-line interface. It allows the user to display (or write to a capture file) TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
Flow Collector
A means of recording metadata and statistics about network traffic (per-flow records such as source/destination addresses, ports, protocol, packet and byte counts, as exported by NetFlow or IPFIX) rather than recording each frame.
Zeek (Bro)
A hybrid tool that passively monitors a network like a sniffer but, rather than storing every packet, only logs data of potential interest (connection, DNS, HTTP and file logs, plus alerts raised by its scripts).
MRTG (Multi Router Traffic Grapher)
A tool used to create graphs showing traffic flows through the network interfaces of routers and switches by polling the appliances over SNMP.
DGA (Domain Generation Algorithm)
A method used by malware to evade block lists by dynamically generating candidate domain names for its C2 network (typically derived from a seed and the current date). The operator registers only a few of the candidates, so defenders cannot block the list in advance and instead look for clients resolving many random-looking names.
Fast Flux Network
A technique used by malware to hide the location of C&C infrastructure by continually changing the host IP addresses in a domain's DNS records (very short TTLs, a large rotating pool of often-compromised hosts acting as proxies). Distinct from a DGA, which varies the domain names rather than the addresses; the two are often combined.
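Added example (not from the original flashcards): a toy, hypothetical DGA to show why a seed plus the date is enough for malware and operator to agree on names without a fixed list, a heuristic flag for generated-looking names, and a fast-flux check that runs over a constructed resolver log of A-record answers. The thresholds, the DNS_LOG records and the variable names are assumptions made for the example.

```python
import hashlib
import math
from collections import defaultdict

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the characters of text."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain: str) -> str:
    """Label left of the suffix, e.g. 'example' for www.example.com.
    Simplification: treats the last label as the whole public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(domain: str) -> bool:
    """Heuristic DGA check: long label with high character entropy plus
    few vowels or many digits. Thresholds are illustrative, not tuned."""
    label = second_level_label(domain)
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and (vowel_ratio < 0.2 or digit_ratio >= 0.2)


def toy_dga(seed: str, day: str, count: int, tld: str = "net") -> list[str]:
    """Toy DGA (hypothetical, not any real malware family): derive count
    domains from a shared secret and the date, so both sides compute the
    same list each day and no domain has to be hard-coded."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day}:{i}".encode()).digest()
        label = "".join(alphabet[b % len(alphabet)] for b in digest[:12])
        domains.append(f"{label}.{tld}")
    return domains


# Constructed resolver log of A-record answers: (name, ttl_seconds, ip).
# Not real data; addresses are from documentation ranges.
DNS_LOG = [
    ("www.example.com", 3600, "93.184.216.34"),
    ("www.example.com", 3600, "93.184.216.34"),
    ("xk3q9vz1lm7r.net", 120, "203.0.113.7"),
    ("xk3q9vz1lm7r.net", 120, "198.51.100.21"),
    ("xk3q9vz1lm7r.net", 120, "203.0.113.90"),
    ("xk3q9vz1lm7r.net", 120, "198.51.100.5"),
    ("cdn.example.org", 60, "198.51.100.10"),
    ("cdn.example.org", 60, "198.51.100.11"),
]


def fast_flux_candidates(records, min_ips: int = 4, max_ttl: int = 300) -> list[str]:
    """Names whose A records rotate across many IPs with short TTLs.
    Caveat: CDNs and round-robin load balancers show the same pattern;
    confirm with ASN/hosting diversity before calling it fast flux."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for name, ttl, ip in records:
        ips[name].add(ip)
        ttls[name].append(ttl)
    return sorted(n for n in ips if len(ips[n]) >= min_ips and max(ttls[n]) <= max_ttl)


if __name__ == "__main__":
    print("today's toy DGA names:", toy_dga("s3cret", "2024-01-01", 3))
    print("generated-looking:", [n for n, _, _ in set(DNS_LOG) if looks_generated(n)])
    print("fast-flux candidates:", fast_flux_candidates(DNS_LOG))
```

In practice the entropy heuristic is a triage filter: a client that resolves dozens of flagged names with NXDOMAIN answers in a short window is a stronger signal than any single name.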
Secure Recursive DNS Resolver
A recursive resolver answers a client's query by querying other DNS servers on the client's behalf (root, then TLD, then the authoritative server) to hunt down the IP address, caches it, and returns it to the client. It is "secure" when it only accepts queries from authorized clients (an open resolver can be abused for DNS amplification attacks) and validates DNSSEC signatures on the answers it returns.
Unsafe Characters in URL
Null (string termination), carriage return, line feed, end of file, tab, space, and \ < > { } must not appear literally in a URL. Percent encoding: each such byte is written as % followed by its two-digit hexadecimal value (space = %20, < = %3C, null = %00). Attackers encode, or double-encode (%25xx), these characters to slip traversal or injection payloads past filters that inspect the raw URL rather than the decoded one.
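Added example (not from the original flashcards): percent-encoding the unsafe characters with the standard library, then a triage routine that decodes request paths the way a lenient server might (repeatedly, until stable) and flags what the decoding reveals: double encoding, null bytes, CRLF and traversal. The REQUESTS list is constructed for the example.

```python
from urllib.parse import quote, unquote

# Unsafe characters from the card; quote() encodes each as %XX (uppercase hex).
UNSAFE = "\x00\r\n\t \\<>{}"


def encode_unsafe(text: str) -> str:
    """Percent-encode everything except RFC 3986 unreserved characters."""
    return quote(text, safe="")


def encoding_table() -> dict[str, str]:
    """Map each unsafe character to its percent-encoded form."""
    return {ch: encode_unsafe(ch) for ch in UNSAFE}


def decode_and_flag(url: str, max_rounds: int = 3) -> dict:
    """Decode until the string stops changing and report what appeared.
    rounds > 1 means the payload was double-encoded (%25xx -> %xx -> char),
    a classic evasion against filters that decode only once."""
    current, rounds = url, 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    findings = []
    if rounds > 1:
        findings.append("double-encoding")
    if "\x00" in current:
        findings.append("null-byte")          # truncation attacks on file names
    if "\r" in current or "\n" in current:
        findings.append("crlf")               # header / log injection
    if "../" in current or "..\\" in current:
        findings.append("traversal")
    return {"decoded": current, "rounds": rounds, "findings": findings}


def triage(requests: list[str]) -> list[tuple[str, list[str]]]:
    """Return only the requests that produced findings, with their flags."""
    out = []
    for req in requests:
        result = decode_and_flag(req)
        if result["findings"]:
            out.append((req, result["findings"]))
    return out


# Constructed request paths as they might appear in an access log (not real traffic).
REQUESTS = [
    "/images/logo.png",
    "/cgi-bin/..%2f..%2fetc/passwd",
    "/api/%252e%252e%252fadmin",
    "/download?f=report.pdf%00.txt",
    "/redirect?to=x%0d%0aSet-Cookie:%20evil=1",
]

if __name__ == "__main__":
    for ch, enc in encoding_table().items():
        print(repr(ch), "->", enc)
    for req, flags in triage(REQUESTS):
        print(req, flags)
```

The forensic point is to normalise logged URLs the same way the target server would have; the evasion works precisely because the filter and the server decode differently.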
Drop Versus Reject
A deny rule can either silently drop a packet or explicitly reject it by sending a TCP RST or an ICMP port/protocol unreachable back to the requester. Dropping makes it harder for a scanner to identify port states (a filtered port and an absent host look the same, and the scanner must wait for timeouts); rejecting lets legitimate clients fail fast but confirms that a host and filter are present.
Black hole vs Dark Net vs Sinkhole
Black hole: traffic is routed to a null interface and dropped into the void with no response. Darknet: an unused, routable address range that is monitored; since nothing legitimate lives there, any traffic arriving is unsolicited (scans, backscatter, misconfigured malware). Sinkhole: traffic destined for a malicious domain or address is redirected to a controlled server or network for analysis and to identify infected clients.
Transparent vs non-transparent proxy
A transparent proxy intercepts and forwards requests and responses without any client configuration (traffic is redirected to it at the gateway). A non-transparent proxy has to be configured on the client with the proxy's address and port.
Common IDS/IPS tools
Snort, Zeek, Security Onion: all open-source IDS/IPS tooling. Snort is a signature-based IDS/IPS, Zeek a network security monitor that logs protocol activity, and Security Onion a distribution that bundles both with log search and analysis tooling.
Snort Rule Format
Header: Action Protocol SourceIP SourcePort Direction DestIP DestPort, followed by rule options in parentheses (msg, content, sid, rev, ...). Example header: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (any outside host to an internal IMAP port). The same format becomes an IPS rule when Snort runs inline and the action is drop or reject instead of alert.
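Added example (not from the original flashcards and not Snort's own code): a small parser for the rule format described on the card, plus a matcher that evaluates one parsed rule against constructed packet descriptions. The $HOME_NET / $EXTERNAL_NET values, the rule options and the PACKETS list are assumptions made for the example; only a subset of Snort's address, port and content syntax is handled.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Header: action protocol src_ip src_port direction dst_ip dst_port, then (options).
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)
# Options are "name:value;" or bare "name;"; values may be quoted strings containing ';'.
OPT_RE = re.compile(r'\s*(\w+)(?::((?:"[^"]*"|[^;])*))?;')

# Constructed snort.conf-style variables (assumption for this example).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)  # last value wins for repeated keys


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid rule header: {text!r}")
    opts = {}
    for name, value in OPT_RE.findall(m["opts"]):
        opts[name] = value.strip().strip('"') if value else True
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"], m["dst"], m["dport"], opts)


def addr_matches(spec: str, ip: str) -> bool:
    """any, !negation, $VARIABLE, or a CIDR/host address."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):
        return addr_matches(VARS[spec[1:]], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """any, !negation, lo:hi range (either end optional), or a single port."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """pkt keys: proto, src, sport, dst, dport, payload (bytes).
    Supports the header, '<>' bidirectional rules, and content/nocase."""
    if rule.proto not in (pkt["proto"], "ip"):
        return False
    hit = (addr_matches(rule.src, pkt["src"]) and port_matches(rule.sport, pkt["sport"])
           and addr_matches(rule.dst, pkt["dst"]) and port_matches(rule.dport, pkt["dport"]))
    if rule.direction == "<>" and not hit:
        hit = (addr_matches(rule.src, pkt["dst"]) and port_matches(rule.sport, pkt["dport"])
               and addr_matches(rule.dst, pkt["src"]) and port_matches(rule.dport, pkt["sport"]))
    if not hit:
        return False
    content = rule.options.get("content")
    if not content:
        return True
    payload, needle = pkt.get("payload", b""), content.encode()
    if rule.options.get("nocase"):
        return needle.lower() in payload.lower()
    return needle in payload


# The card's header, extended with constructed options for the example.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP LOGIN from outside"; '
        'flow:to_server,established; content:"LOGIN"; nocase; sid:1000001; rev:1;)')

# Constructed packets (documentation addresses, not real traffic).
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 51234, "dst": "192.168.1.20",
     "dport": 143, "payload": b"a1 login alice secret\r\n"},   # outside -> IMAP: match
    {"proto": "tcp", "src": "192.168.1.9", "sport": 40000, "dst": "192.168.1.20",
     "dport": 143, "payload": b"a1 LOGIN bob pw\r\n"},         # internal source: no match
    {"proto": "tcp", "src": "203.0.113.5", "sport": 51235, "dst": "192.168.1.20",
     "dport": 993, "payload": b"\x16\x03\x01"},                 # wrong port: no match
]

if __name__ == "__main__":
    rule = parse_rule(RULE)
    for pkt in PACKETS:
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], rule_matches(rule, pkt))
```

Note that a content match on port 993 would never fire here because that traffic is TLS-encrypted; signature rules only see cleartext, which is why the card pairs IMAP on 143 with a content check.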
NAC w/ 802.1X
Provides the means to authenticate users and evaluate device integrity before a network connection is permitted. 802.1X is the IEEE standard for port-based network access control and for carrying EAP over a LAN (EAPOL): the supplicant (client) authenticates through the authenticator (the switch port or wireless AP), which relays the EAP exchange to an authentication server (typically RADIUS) and only forwards normal traffic on that port once authentication succeeds.