Chapter 13
Computer Intrusions
On completion of this chapter the student will:
Recognize that the value of digital data has made it the target.
Be aware of the reasons that criminals break into computers.
Be aware of how computer intruders operate.
Be aware of the tactics used in computer intrusions:
Recognize that the first step in an intrusion investigation is to confirm that there actually was one.
Be aware of the need to de
Recognize that an intrusion investigation requires a wide range of forensic skills.
Recognize that the scientific method can be applied to intrusion investigations.
Be aware of the conflicting goals of investigators and network administrators.
Recognize that the majority of compromised systems in an intrusion will contain malicious programs.
Be aware that malware must be analyzed as part of the intrusion investigation.
Recognize that intrusion investigations frequently cross jurisdictional lines.
Recognize that the intrusion must ultimately be linked to a person.
Multiple Choice Questions
1. During the commission of a crime, eviden computer and the target. This is an example of:
2. Intruders who have a preferred toolkit that they have pieced together over time, with distinctive features:
3. In the case of a computer intrusion, the target computer is:
4. and attack can reveal a significant amount about their:
5. Determining skill level can lead to:
6. If digital investigators find an unauthorized file, they should:
7. Remote forensic solutions can be used to access live systems, and include the ability to:
8. A forensic analysis conducted on a forensic duplicate of the system in question is referred to as:
9. Capturing all of the network traffic to and from the compromised system can:
10. A common technique that is highly useful and can be applied in a computer intrusion investigation is to simply focus on file system activities around the time of known events. This embodies a principle known as:
11. The registry key HKLM\Software\Microsoft\Windows\CurrentVersion is one of the most common locations for:
12. When collecting data from a compromised computer, consideration should be given to collecting the ______ data first.
13. The forensic examiner needs to be aware that the process of collecting memory:
14. A more thorough method of collecting specific volatile data from a computer is to:
15.
True or False Questions
1. Social engineering refers to any attempt to contact legitimate users of the target system and trick them into giving out information that can be used by the intruder to break into the system.
2. A valid profile of a computer intruder is an antisocial adolescent.
3. A growing number of intrusions are committed by organized criminal organizations and state-sponsored groups.
4. Although new exploits are published daily, it takes skill and experience to break into a
5. A thorough understanding of the tactics and t the successful investigation of criminal behavior.
6. Reverse social engineering is any attempt by intruders to have someone in the target organization contact them for assistance.
7. The first stage of a computer intrusion is Abuse.
8. In a computer intrusion, the stage after Attack is Abuse.
9. An example of the Entrenchment phase of an intrusion would be uploading a backdoor through the remote shell.
10. Gathering information about a system through the use of a port scanner is considered a direct attack method.
11. ion technique wherein mass e-mails that appear or claim to be from a legitimate source request that the recipient follow instructions contained in the e-mail.
12. The first step when investigating a computer intrusion incident is to determine if there is a corpus delicti.
13. Investigating computer intrusions usually involves a small amount of digital evidence from only a few sources.
14. Incident Response can be viewed as a subset or part of an intrusion investigation.
15. Examining a live system is prone to error, may change data on the system, and may even cause the system to stop functioning.
Essay Questions
1. Discuss why computer intrusions are among the most challenging types of cybercrimes from a digital evidence perspective.
2. Discuss the difference between automated and dynamic modus operandi, including the kinds of information to look for, and the value of conducting this kind of analysis.
Scenario
You are participating in an intrusion investigation. The investigation has progressed to the point attendance to collect, preserve, and