Chapter 24
Digital Evidence at the Physical and Data-Link Layers
On completion of this chapter, the student will:
Be aware of some of the tools available to exploit the physical and data-link layers of a
network.
Recognize and be able to articulate the differences in various implementations of Ethernet.
Be aware of the value of collecting MAC addresses in addition to IP addresses.
Recognize the role of Address Resolution Protocol (ARP) in an Ethernet network in the
Chapter Guide
This chapter expands on the overview provided in Chapter 21, describing network technologies
in more detail, focusing on Ethernet. Tools and techniques for preserving, examining, and
analyzing network traffic are presented.
C:\>ping 192.168.0.2
C:\>ping 192.168.0.3
C:\>arp -a
The following ARP table is from a Mac OS X system with IP address 192.168.0.3 that was used
to connect to two Windows machines, including the one in the previous example:
Having students play around with ARP tables on a networked computer provides an opportunity to
discuss how ARP functions, demonstrates IP-to-MAC address mapping, and shows that both
00-30-ab-1d-cd-ef and 0:30:ab:1d:cd:ef are valid representations of the same Ethernet address.
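As an added example (not from the book or its instructor materials), the following Python normalizes ARP tables collected with arp -a on Windows and Mac OS X into a single IP-to-MAC mapping, treating the dash-separated and colon-separated notations as the same address; the sample tables and their MAC values are constructed for illustration.

```python
"""Normalize ARP tables captured with `arp -a` on Windows and Mac OS X into
one IP-to-MAC mapping, so that 00-30-ab-1d-cd-ef and 0:30:ab:1d:cd:ef are
recognized as the same Ethernet address. Added example with constructed
sample data; the MAC values below are illustrative only."""
import re

# Constructed sample output in the Windows `arp -a` layout.
WINDOWS_ARP = """\
Interface: 192.168.0.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-30-ab-1d-cd-ef     dynamic
  192.168.0.3           00-03-93-4b-2a-11     dynamic
"""

# Constructed sample output in the Mac OS X `arp -a` layout.
MACOS_ARP = """\
? (192.168.0.1) at 0:30:ab:1d:cd:ef on en0 [ethernet]
? (192.168.0.2) at 0:a:95:7c:3d:e1 on en0 [ethernet]
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Six hex groups of 1-2 digits separated by '-' (Windows) or ':' (Unix).
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[-:][0-9A-Fa-f]{1,2}){5})\b")


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, zero-padded, colon-separated."""
    parts = re.split(r"[-:]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(p.lower().zfill(2) for p in parts)


def parse_arp_table(text: str) -> dict:
    """Map IP -> canonical MAC for every line holding both an IP and a MAC."""
    mapping = {}
    for line in text.splitlines():
        ip, mac = IPV4_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            mapping[ip.group(1)] = normalize_mac(mac.group(1))
    return mapping


def merge_arp_tables(*tables: str) -> dict:
    """Combine tables from several hosts; an IP seen with more than one
    MAC is reported with all of them and deserves a closer look."""
    merged = {}
    for table in tables:
        for ip, mac in parse_arp_table(table).items():
            merged.setdefault(ip, set()).add(mac)
    return {ip: sorted(macs) for ip, macs in merged.items()}
```

Merging the tables from several machines lets an examiner spot an IP address that two hosts recorded with different MAC addresses, which is the kind of inconsistency worth documenting.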
Because of the significant amount of private information that exists at this layer, it can be
difficult to gain authorization to eavesdrop on networks. Also, because of the distributed nature
of the Internet, it can be difficult to gain access to the network that carries the relevant traffic.
Extracting the few streams of useful traffic from the raging river of high-speed networks is
another challenge. Provided these hurdles can be overcome, the resulting digital evidence can be
the equivalent of a video recording of the crime, giving a detailed view of what occurred.
If you would like to share additional traffic data or other examples relevant to this network layer
with other teachers, please submit them to decourses@digital-evidence.net and they will be
posted on the book website at http://www.disclosedigital.com/downloads.html.
Multiple Choice Questions
1. What is the maximum cable length for a 10BaseT network?
2. What is the approximate theoretical maximum number of bytes that can be downloaded
in one minute on a 10BaseT network?
3. Which of the following is a valid MAC address?
4. Which of the following commands can be used to obtain the MAC address of a remote
Windows computer?
5. What is the maximum cable length for a 10Base5 segment?
6. ARP stands for:
7. The best operating system for capturing network traffic on high-speed networks is:
8. Which of the following applications is used to capture network traffic?
9. How many bytes per packet does tcpdump capture by default?
10. Which of the following tools can reconstruct TCP streams?
11. The transmission method in which only one computer can transmit while all the others listen
is known as:
12. Although ARP is part of TCP/IP, it is generally considered a part of the ______ layer.
13. If a criminal reconfigures his computer with
identity, the local router woul
Mac address associated with
14. The form of ARP that ATM uses to discover MAC addresses is known as:
15. Sniffers put NICs into ____________, forcing them to listen in on all of the
communications that are occurring on the network.
True or False Questions
1. Routers use Ethernet addresses to direct data between networks.
2. MAC addresses can be associated with a particular computer.
3. The netstat command can be used to obtain the MAC address of a remote computer.
4. Each network packet stored in the tcpdump file is date-time stamped.
5. It is necessary to physically tap a network cable to capture the traffic it carries.
6. A computer connected to the Internet via a dial-up modem can eavesdrop on network
traffic from other computers that are dialed into the same Internet service provider.
7. DHCP can be configured to assign a static IP address to a particular computer every time
it is connected to the network.
8. By default, tcpdump captures the entire contents of a packet.
9. It is possible to obtain file names from network traffic as well as the file contents.
10. The tcpdump application can be used to reconstruct TCP streams.
11. One of the drawbacks of copying network traffic using a SPANned port is that a
SPANned port copies only valid Ethernet packets.
12. A common approach to collecting digital evidence from the physical layer is using a
sniffer.
13. Unlike ARP cache, ATMARP is stored on the individual computers.
14. It is not possible to use a sniffer when connected to a network via a modem.
15. One key point about MAC addresses is that they do not go beyond the router.
Discussion Questions
1. Should law enforcement be given backdoors that enable them to monitor all encrypted
2. Describe how a computer obtains the Ethernet address of another computer that it wants
to communicate with.
3. Obtain the MAC address of a computer and describe how you did it.
Answer guidance: This can be performed on a local computer by various means or remotely
4. What data is contained in an Ethernet header?
5. What information is contained in the padding of an Ethernet frame?
6.