Operations and Incident Response

Question 1

Exact Data Match (EDM)

Answer 1

a pattern matching technique that uses a structured database of string values to detect matches

Question 2

Cain and Abel

Answer 2

a popular password cracking tool

it can recover many password types using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute-force and cyrptanalysis attacks

Question 3

Diamond Model of Intrusion Analysis

Answer 3

is constructed around a graphical representation of an attacker’s behavior

an excellent methodology for communicating cyber events and allowing analysts to derive mitigation strategies implicitly

Question 4

SHA-256

Answer 4

one of the most common hash algorithms in use and is employed in many applications and protocols

has a 256-bit length output

Question 5

Port Scanning

Answer 5

technique used to identify open porrts and services available on a network host

Question 6

Order of Volatility

digital evidence

Answer 6

Processor Cache
Random Access Memory
Swap File
Hard Drive or USB Drive

Question 7

FTK Imager

Answer 7

can create perfect copies or forensic images of computer data without making changes to the original evidence

Question 8

Chain of Custody

Answer 8

list of every person who has worked with or who has touched the evidence that is a part of an investigation

Question 9

tracert

trace route

Answer 9

disgnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination

Question 10

netstat

Answer 10

used to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols) on a Windows machine

Question 11

Netflow

Answer 11

flow analysis tool

does NOT capture the full packet capture of data as it crosses the network sensor but instead captures metadata and statsitics about the network traffic

Question 12

Hping

Answer 12

a TCP/IP packet assembler and analyzer

handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies

particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities

Question 13

What tool can be used as an exploitation framework during your penetration tests?

Answer 13

Metasploit

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development

Question 14

Protocol Analyzers

Sniffers

Answer 14

used for packet capture

Question 15

What is MD-5 most susceptible to?

Message Digest 5

Answer 15

Collisions

MD-5 is also vulnerable to rainbow table attacks and pre-image attacks

Question 16

NXLog

Answer 16

A log collection and centralization tool

Question 17

IPFIX, NetFlow, and sFlow

Answer 17

all gather data about network traffic, including source, destination, port, protocol, and amount of data sent to be collected

Question 18

John the Ripper

Answer 18

used to crack passwords

can provide a better view of how hard the password was to crack

Question 19

What can you use to capture traffic from VoIP?

Answer 19

Wireshark

Question 20

What U.S. federal agency is in charge of COOP?

Answer 20

FEMA (The Federal Emergency Management Agency) is in charge of COOP (Continuity of Operations Planning)

Question 21

Key elements to consider when planning on-site vs. cloud forensic investigations

Answer 21

right to audit classes
regulatory and jurisdictional issues
data breach notification laws