Networking Chapter 10 What Snapshot And Why Live Acquisition Typically

Name:

Class:

Date:

chapter 10

Indicate whether the statement is true or false.

1. The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput.

a.

True

b.

False

2. Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage.

a.

True

b.

False

3. The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network

attackers.

a.

True

b.

False

4. The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files on the

file system.

a.

True

b.

False

5. Forensics tools can’t directly mount VMs as external drives.

a.

True

b.

False

Indicate the answer choice that best completes the statement or answers the question.

6. The NSA’s defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the

three modes?

a.

People

b.

Technology

c.

Operations

d.

Management

7. The __________________ is the version of Pcap available for Linux based operating systems.

a.

Winpcap

b.

Libpcap

c.

Tcpcap

d.

Netcap

8. The ___________________ is a good tool for extracting information from large Libpcap files; you simply specify the

time frame you want to examine.

a.

Tcpdstat

b.

Tcpslice

c.

Ngrep

d.

tcpdump

Name:

Class:

Date:

chapter 10

9. In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine’s network

adapters?

a.

Show-NetworkAdapters

b.

Query-ipconfig

c.

Get-VMNetworkAdapter

d.

Dump-Netconfig

10. Select below the program within the PsTools suite that allows you to run processes remotely:

a.

PsService

b.

PsPasswd

c.

PsRemote

d.

PsExec

11. What processor instruction set is required in order to utilize virtualization software?

a.

AMD-VT

b.

Intel VirtualBit

c.

Virtual Machine Extensions (VMX)

d.

Virtual Hardware Extensions (VHX)

12. What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and

viruses?

a.

tcpdump

b.

Argus

c.

Ngrep

d.

Tcpslice

13. The __________ disk image file format is associated with the VirtualBox hypervisor.

a.

.vmdk

b.

.hda

c.

.vhd

d.

.vdi

14. Select below the option that is not a common type 1 hypervisor:

a.

VMware vSphere

b.

Microsoft Hyper-V

c.

Citirix XenServer

d.

Oracle VirtualBox

15. Select the file below that is used in VirtualBox to create a virtual machine:

a.

.vdi

b.

.vbox

c.

.r0

d.

.ova

16. What virtual machine software supports all Windows and Linux OSs as well as Macintosh and Solaris, and is provided

Name:

Class:

Date:

chapter 10

as shareware?

a.

KVM

b.

Parallels

c.

Microsoft Virtual PC

d.

VirtualBox

17. What Windows Registry key contains associations for file extensions?

a.

HKEY_CLASSES_ROOT

b.

HKEY_USERS

c.

HKEY_LOCAL_MACHINE

d.

HKEY_CURRENT_CONFIG

18. In VirtualBox, ____________ different types of virtual network adapters are possible, such as AMD and Intel Pro

adapters.

a.

2

b.

4

c.

6

d.

8

19. The _____________________ tool is an updated version of BackTrack, and contains more than 300 tools, such as

password crackers, network sniffers, and freeware forensics tools.

a.

Kali Linux

b.

Ubuntu

c.

OSForensics

d.

Sleuth Kit

20. What file type below, associated with VMWare, stores VM paging files that are used as RAM for a virtual machine?

a.

.nvram

b.

.vmem

c.

.vmpage

d.

.vmx

21. The tcpdump and Wireshark utilities both use what well known packet capture format?

a.

Netcap

b.

Pcap

c.

Packetd

d.

RAW

22. At what layers of the OSI model do most packet analyzers function?

a.

Layer 1 or 2

b.

Layer 2 or 3

c.

Layer 3 or 4

d.

Layer 4 or 5

23. In a __________ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading

Name:

Class:

Date:

chapter 10

a server with established connections.

a.

smurf

b.

SYN flood

c.

spoof

d.

ghost

24. The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version of

Ubuntu?

a.

12.04

b.

13.11

c.

14.04

d.

14.11

25. The _______________ command line program is a common way of examining network traffic, which provides

records of network activity while it is running, and produce hundreds or thousands of records.

a.

netstat

b.

ls

c.

ifconfig

d.

tcpdump

Enter the appropriate word(s) to complete the statement.

26. The ___________________ utility can be used to view network traffic graphically.

27. Updating security patches, antivirus software, and OSs fall into the ________________ category of the defense in

depth strategy.

28. The ________________ software lists all open network sockets, including those hidden by rootkits, and also works on

both 32-bit and 64-bit systems.

29. __________________ help offset hardware costs for companies and are handy when you want to run legacy or

uncommon OSs and software along with the other software on your computer.

30. The ___________________ utility from Sysinternals shows what files, Registry keys, and DLLs are loaded at a

specific time.

Match the following terms with the correct definitions below:

a.

defense in depth (DiD)

b.

distributed denial-of-service (DDoS) attacks

c.

honeypot

d.

honeywalls

e.

layered network defense strategy

f.

network forensics

g.

type 1 hypervisor

h.

type 2 hypervisor

i.

zero day attacks

j.

zombies

31. A type of DoS attack in which other online machines are used, without the owner’s knowledge, to launch an attack.

32. An approach to network hardening that sets up several network layers to place the most valuable data at the innermost

Name:

Class:

Date:

chapter 10

part of the network

33. A virtual machine interface that’s loaded on top of an existing OS.

34. The NSA’s approach to implementing a layered network defense strategy. It focuses on three modes of protection:

people, technology, and operations.

35. The process of collecting and analyzing raw network data and systematically tracking network traffic to determine

how security incidents occur.

36. Computers used without the owners’ knowledge in a DDoS attack.

37. Intrusion prevention and monitoring systems that track what attackers do on honeypots.

38. Attacks launched before vendors or network administrators have discovered vulnerabilities and patches for them have

been released.

39. A virtual machine interface that loads on physical hardware and contains its own OS.

40. A computer or network set up to lure an attacker.

41. Why are live acquisitions becoming a necessity, and why don’t live acquisitions follow typical forensics procedures?

42. Define network forensics, and explain how network forensics can be used.

43. Describe the defense in depth (DiD) strategy, and outline each of the three modes of protection.

44. What is a VM snapshot, and why is a live acquisition typically required for VMs?

45. What is the biggest problem with live acquisitions?

46. Describe the standard procedure for performing network forensics.

47. Explain the need for using established procedures for acquiring data after an attack or intrusion incident, and list some

resources that address these needs.

48. What is a packet analyzer, and how is it used?

49. What is the difference between a type 1 and a type 2 hypervisor?

50. Describe a zero day attack.

Name:

Class:

Date:

chapter 10

Answer Key

Name:

Class:

Date:

chapter 10

Name:

Class:

Date:

chapter 10