Guide to Computer Forensics and Investigations, 3rd ed., 1418063312

Ch. 11 Solutions-2

Chapter 11 Solutions

Review Questions

1.  What are the potential problems when you discover that another company’s machines are being used as part of the same attack your company is dealing with?

2.  Why are live acquisitions becoming more common?

3.  A layered network defense puts the most valuable data where?

a. in the DMZ

b. in the outermost layer

c. in the innermost layer

d. none of the above

4.  Tcpslice can be used to retrieve specific timeframes of packet captures. True or False?

5.  Which of the following tools from Sysinternals monitors Registry data in real time?

a. PsList

b. Handle

c. RegMon

d. PsUpTime

6.  Data gathered from a honeypot is considered evidence that can be used in court. True or False?

7.  Name three types of log files you should examine after a network intrusion.

8.  Describe what needs to be done during a live acquisition.

9.  Packet sniffers examine what layers of the OSI model?

a. layers 2 and 4

b. layers 4 through 7

c. layers 2 and 3

d. all layers

10.  When do zero-day attacks occur? (Choose all that apply.)

a. on the day the application or OS is released

b. before a patch is available

c. before the vendor is aware of the vulnerability

d. on the day a patch is created

11.  What are the three modes of protection in the DiDS strategy?

12.  In what way do live acquisitions violate standard forensics procedures?

13.  Having the hash value of standard installation files on a system can help you determine whether an attacker altered the OS. True or False?

14.  What are the Pcap versions for UNIX/Linux and Windows?

Libpcap and Winpcap

15.  Ethereal can send automated alerts when it encounters anomalies in captured packets. True or False?

16.  A honeypot should contain some valuable network data to ensure that it lures attackers successfully. True or False?