Set 3

Question 1

Which areas of a windows host should you focus on investigating for windows information?

Answer 1

Registry, event logs, memory

Question 2

Running commands on a suspects windows system, what is the best practice?

Answer 2

Run windows commands from a USB drive.

Question 3

Out of these what would not be considered volatile evidence?
Open shares and files
Running processes
Network connections
Shadow volume copies

Answer 3

Shadow volume copies

Question 4

Where to collect windows based tool?

Answer 4

Windows system control center

Question 5

Which command would a forensics analyst use to determine what processes are running on windows based system?

Answer 5

Tasklist

Question 6

Which command would be used to list active network connections?

Answer 6

Netstat

Question 7

What does this command do?
Net users&raquo_space; output.txt

Answer 7

Appends the information to a txt file.
» always has something to do with append

Question 8

Juanita is performing windows laptop search, consent and search and seizure form, wants to make a copy of the contents of physical memory of the host, what does she use?

Answer 8

Dumpit

Question 9

Forensic analyst on windows host, a registry key shows ClearpagefileatShutdown, what does this mean?

Answer 9

No virtual memory

Question 10

Which registry hive is populated once the user logs in?

Answer 10

current user

Question 11

Which is not considered a main give of registry?

Answer 11

Config update

Question 12

Metadata is encrypted and hidden in a different file, True or false

Answer 12

false

Question 13

Windows based laptop investigation, suspect may have installed malware on purpose, to confirm John runs in vm, what analysis is this?

Answer 13

Dynamic

Question 14

Which area is best for investigation for users suspicious internet related activities?

Answer 14

Browser cache

Question 15

In an investigation Liv uses volatility, employee wont give password, she tries every possible password to enter computer, what method is this called?

Answer 15

Brute force attack

Question 16

During data investigation, aleta uses volatility, employee wont give password, what is a hydra tool used to get passwords?

Answer 16

Word list

Question 17

What are volatility modules?

Answer 17

Hive list, image info, system info, hash dump

Question 18

Which tool can be used to analyze hard drive images on linux, windows, mac?

Answer 18

Autopsy

Question 19

One TB in size analysis, how much space should she have?

Answer 19

Three terabytes

Question 20

Which soft skill is important to being important to being a data forensic analyst?

Answer 20

attention to detail

Question 21

What password hash is considered the strongest?

Answer 21

SHA256

Question 22

What nist program must verify tools?

Answer 22

CFTT computer forensics tools testing

Question 23

Know what classifies as hardware

Answer 23

You should know this

Question 24

Osi layer that routes traffic between ip hosts?

Answer 24

Layer 3 network layer

Question 25

Tcp and udp operate at which level of the OSI?

Answer 25

Transport layer

Question 26

Trivial FTP is _____

Answer 26

UDP

Question 27

What port is associated with websites HTTPS?

Answer 27

443 tcp

Question 28

85% of internet traffic is encrypted, why is this?

Answer 28

Due to intrusion detection

Question 29

Which can be reviewed on a host to determine what other hosts have communicated with it?

Answer 29

ARP address resolution protocol

Question 30

Wireshark three way handshake?

Answer 30

SYN > SYN, ACK > ACK

Question 31

Which tool is used to view an output of active connections?

Answer 31

netstat

Question 32

Which exe is associated with a specific process number?

Answer 32

PID

Question 33

Greg is apart of information security team, server problem, greg does network tap, he enables what mode to see traffic?

Answer 33

Promiscuous

Question 34

Attacker deletes an event log how do you know?

Answer 34

Centralized logs

Question 35

Sending an event log to another host?

Answer 35

Udp 514, windows event forwarding

Question 36

Blank protocol is used to synchronize?

Answer 36

Network time protocol NTP

Question 37

Qraar or Splunk is only able to collect event logs form firewalls, as many firewalls as its licensed for? True or false

Answer 37

false

Question 38

5 different parts of the network tuple?

Answer 38

source IP, source port, destination IP, destination port, and the protocol.