1. Which directory in the Linux file system is a virtual file system containing volatile information about running processes and system resources?
A. /etc
B. /home
C. /proc
D. /var
Correct Answer: /proc
Explanation: The /proc directory is a pseudo-file system that provides an interface to kernel data structures, containing volatile runtime system information.
2. Which Linux command is primarily used to list open files and the processes that opened them, crucial for analyzing volatile data?
A. ls
B. lsof
C. grep
D. chmod
Correct Answer: lsof
Explanation: lsof stands for 'list open files' and is used to identify which files are open by which process, a key step in live forensics.
3. In Linux forensics, what does the 'w' command display?
A. Network interface configuration
B. A list of logged-in users and what they are doing
C. The wireless network strength
D. Write permissions of the current directory
Correct Answer: A list of logged-in users and what they are doing
Explanation: The 'w' command shows who is logged on and what they are doing, which is vital for identifying suspicious active user sessions.
4. Which of the following data is considered non-volatile in a Linux system?
A. ARP cache
B. Running process list
C. System logs stored in /var/log
D. RAM contents
Correct Answer: System logs stored in /var/log
Explanation: Data stored on the hard drive, such as log files in /var/log, remains after power is cut, making it non-volatile.
5. What is the primary purpose of the Linux swap space in the context of forensics?
A. To store user passwords permanently
B. To act as an extension of RAM, potentially containing volatile memory artifacts
C. To keep network logs
D. To store the master boot record
Correct Answer: To act as an extension of RAM, potentially containing volatile memory artifacts
Explanation: Swap space is used when physical RAM is full. Forensically, it is valuable because it preserves pages of memory that were paged out to disk.
6. Which command-line utility is commonly used to create a bit-stream image of a Linux partition?
A. cp
B. dd
C. mv
D. tar
Correct Answer: dd
Explanation: The 'dd' (data duplicator) command is a low-level utility used to copy and convert data, widely used for creating forensic disk images.
7. What is an inode in the context of Linux file systems?
A. A networking protocol
B. A data structure storing metadata about a file (size, owner, permissions)
C. The name of the root user
D. An input node for peripherals
Correct Answer: A data structure storing metadata about a file (size, owner, permissions)
Explanation: An inode (index node) stores all attributes of a file or directory except its name and actual data.
8. When analyzing a Linux file system image, what does a dot (.) at the beginning of a filename indicate?
A. The file is an executable
B. The file is hidden
C. The file is corrupted
D. The file is a directory
Correct Answer: The file is hidden
Explanation: In Linux, filenames starting with a dot are hidden from standard directory listings (like 'ls' without the '-a' flag).
9. Which file system is the default journaling file system for many modern Linux distributions?
A. NTFS
B. FAT32
C. ext4
D. HFS+
Correct Answer: ext4
Explanation: ext4 (Fourth Extended Filesystem) is the standard journaling file system used by most modern Linux distributions.
10. Which file in Linux contains encrypted user passwords?
A. /etc/passwd
B. /etc/shadow
C. /etc/group
D. /var/www
Correct Answer: /etc/shadow
Explanation: While /etc/passwd contains user account details, the actual password hashes are stored in /etc/shadow, which is readable only by root.
11. Which tool is a Loadable Kernel Module (LKM) often used to acquire volatile memory from Linux systems?
A. LiME
B. Wireshark
C. Autopsy
D. Nmap
Correct Answer: LiME
Explanation: LiME (Linux Memory Extractor) is a Loadable Kernel Module that allows for the acquisition of volatile memory from Linux devices.
12. Why is memory forensics critical in investigating advanced malware?
A. Malware always deletes itself from the disk immediately
B. Malware may reside only in RAM (fileless) or encrypt its disk components
C. RAM is easier to copy than a hard drive
D. Memory forensics is faster than disk forensics
Correct Answer: Malware may reside only in RAM (fileless) or encrypt its disk components
Explanation: Memory forensics helps detect fileless malware, unpacked code, and rootkits that hide processes, which might not be visible during static disk analysis.
13. Which framework is the industry standard for analyzing volatile memory dumps?
A. Metasploit
B. Volatility
C. John the Ripper
D. Snort
Correct Answer: Volatility
Explanation: The Volatility Framework is a widely used open-source collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples.
14. In the context of Volatility, what is a 'profile'?
A. The user account of the investigator
B. A specification of the operating system version and kernel data structures
C. The hardware configuration of the suspect machine
D. A list of suspect IP addresses
Correct Answer: A specification of the operating system version and kernel data structures
Explanation: To correctly parse a memory dump, Volatility needs a profile that matches the specific OS version and kernel build of the target system.
15. Which command in the Volatility framework is used to list running processes from a memory dump?
A. linux_pslist
B. linux_ls
C. linux_netstat
D. linux_mount
Correct Answer: linux_pslist
Explanation: The 'linux_pslist' plugin walks the process list in memory to display running processes.
16. What artifact can often be recovered from memory that allows an investigator to decrypt encrypted volumes?
A. The Master Boot Record
B. Encryption keys
C. The BIOS password
D. The MAC address
Correct Answer: Encryption keys
Explanation: Encryption keys often reside in RAM while the system is running and the volume is mounted, allowing investigators to recover them via memory forensics.
17. What is network forensics?
A. Restoring deleted emails
B. Monitoring and analyzing computer network traffic for information gathering, legal evidence, or intrusion detection
C. Cracking Wi-Fi passwords
D. Repairing broken routers
Correct Answer: Monitoring and analyzing computer network traffic for information gathering, legal evidence, or intrusion detection
Explanation: Network forensics deals with the capture, recording, and analysis of network events to discover the source of security attacks or other problem incidents.
18. Which mode must a network interface card (NIC) be in to capture all traffic on a network segment, not just traffic addressed to it?
A. Protected mode
B. Promiscuous mode
C. Safe mode
D. Private mode
Correct Answer: Promiscuous mode
Explanation: Promiscuous mode allows a NIC to pass all traffic it receives to the CPU, regardless of the destination MAC address, enabling full packet capture.
19. In the 'catch-it-as-you-can' network forensics strategy, what is the main challenge?
A. It misses data frequently
B. It requires large amounts of storage to keep all captured data
C. It is illegal in most countries
D. It cannot capture encrypted traffic
Correct Answer: It requires large amounts of storage to keep all captured data
Explanation: This strategy involves capturing all traffic passing through a specific point, which generates massive amounts of data requiring significant storage capacity.
20. Which of the following is a standard format for saving captured network packets?
A. DOCX
B. PCAP
C. JPEG
D. PDF
Correct Answer: PCAP
Explanation: PCAP (Packet Capture) is the standard file format used by tools like Wireshark and Tcpdump to store captured network traffic.
21. What is 'forensic readiness' regarding network logging?
A. The ability to maximize an organization's potential to use digital evidence while minimizing the cost of an investigation
B. Buying the most expensive forensic software
C. Having a lawyer on speed dial
D. Deleting logs every 24 hours to save space
Correct Answer: The ability to maximize an organization's potential to use digital evidence while minimizing the cost of an investigation
Explanation: Forensic readiness ensures that an organization has the appropriate logging, procedures, and tools in place before an incident occurs.
22. Which Linux log file typically records authentication information, such as failed login attempts?
A. /var/log/dmesg
B. /var/log/auth.log
C. /var/log/kern.log
D. /var/log/boot.log
Correct Answer: /var/log/auth.log
Explanation: On Debian/Ubuntu systems (or /var/log/secure on RedHat/CentOS), this file logs authentication mechanisms, including sudo usage and SSH logins.
23. What is the standard port for the Syslog protocol?
A. 80
B. 22
C. 514
D. 443
Correct Answer: 514
Explanation: Syslog typically uses UDP port 514 for sending log messages across an IP network.
24. Which protocol is crucial for ensuring that timestamps across different network devices are consistent for correlation?
A. HTTP
B. FTP
C. NTP
D. SMTP
Correct Answer: NTP
Explanation: NTP (Network Time Protocol) synchronizes the clocks of computers over a network, which is essential for accurate event correlation in forensics.
25. What does the term 'log rotation' refer to?
A. Spinning the hard drive physically
B. Sending logs to different servers in a round-robin fashion
C. The process of archiving old log files and creating new ones to prevent file systems from filling up
D. Encrypting logs using a rotating cipher
Correct Answer: The process of archiving old log files and creating new ones to prevent file systems from filling up
Explanation: Log rotation manages file size constraints by compressing, renaming, or deleting old logs periodically.
26. Which syslog severity level indicates the system is unusable?
A. Info (6)
B. Warning (4)
C. Emergency (0)
D. Debug (7)
Correct Answer: Emergency (0)
Explanation: In the syslog standard, level 0 is 'Emergency' (emerg), indicating the system is unusable.
27. What is 'event correlation' in the context of network forensics?
A. Copying events from one log to another
B. Relating distinct events from multiple sources to identify a pattern or security incident
C. Deleting duplicate events
D. Backing up events to the cloud
Correct Answer: Relating distinct events from multiple sources to identify a pattern or security incident
Explanation: Correlation involves analyzing relationships between various log entries (e.g., firewall, server, router) to reconstruct a sequence of events.
28. In event correlation, what is 'normalization'?
A. Making all users use the same password
B. Converting data from different formats into a common format for analysis
C. Reducing the severity of all alerts
D. Ignoring outliers in data
Correct Answer: Converting data from different formats into a common format for analysis
Explanation: Normalization standardizes diverse log formats (from different vendors) into a uniform schema to enable effective comparison and analysis.
29. What is a SIEM system used for?
A. System Information and Email Management
B. Security Information and Event Management
C. Simple Internet Evidence Monitor
D. Secure Internal External Messaging
Correct Answer: Security Information and Event Management
Explanation: SIEM technology aggregates and analyzes activity from many different resources across the entire IT infrastructure.
30. What is an Indicator of Compromise (IoC)?
A. A software license key
B. A piece of forensic data that identifies potentially malicious activity on a system or network
C. A type of network cable
D. A password policy
Correct Answer: A piece of forensic data that identifies potentially malicious activity on a system or network
Explanation: IoCs are artifacts (like IP addresses, file hashes, or domain names) observed in a network or host that indicate an intrusion.
31. Which of the following is a common network IoC?
A. A fragmented hard drive
B. High CPU usage on a local machine
C. Beaconing traffic to a known malicious IP address
D. A blue screen of death
Correct Answer: Beaconing traffic to a known malicious IP address
Explanation: Beaconing (regular heartbeat signals) to an external C&C server is a classic network-based Indicator of Compromise.
32. What is 'beaconing' in network traffic analysis?
A. Sending a distress signal to the administrator
B. Malware sending regular communications to a Command and Control (C2) server
C. A router broadcasting its SSID
D. The blinking light on a network card
Correct Answer: Malware sending regular communications to a Command and Control (C2) server
Explanation: Beaconing refers to the practice of malware checking in with its controller at regular intervals to receive commands or exfiltrate data.
33. What does a sudden spike in outbound traffic likely indicate?
A. A system update
B. Data exfiltration
C. A failed login attempt
D. Incoming email
Correct Answer: Data exfiltration
Explanation: Unexpected large amounts of data leaving the network often suggest that an attacker is stealing (exfiltrating) data.
34. Which User-Agent string anomaly might indicate a non-browser tool or malware?
A. Mozilla/5.0 (Windows NT 10.0; Win64; x64)
B. Chrome/91.0.4472.124
C. Python-urllib/3.8
D. Safari/537.36
Correct Answer: Python-urllib/3.8
Explanation: Standard users browse with Chrome, Firefox, etc. 'Python-urllib' indicates a script is making the request, which is common in automated attacks or malware.
35. What is a Domain Generation Algorithm (DGA) used for by malware?
A. To encrypt the hard drive
B. To periodically generate a large number of domain names for C2 communication to evade blacklisting
C. To generate secure passwords
D. To speed up DNS resolution
Correct Answer: To periodically generate a large number of domain names for C2 communication to evade blacklisting
Explanation: DGAs allow malware to switch rendezvous points rapidly, making it difficult for defenders to block the Command and Control infrastructure.
36. Which tool is primarily used for deep packet analysis and visual inspection of traffic?
A. Wireshark
B. Netcat
C. Ping
D. Traceroute
Correct Answer: Wireshark
Explanation: Wireshark is the premier graphical network protocol analyzer used for troubleshooting and analyzing packet details.
37. Which command-line packet analyzer is standard on most Unix-like systems?
A. Photoshop
B. Tcpdump
C. Excel
D. Outlook
Correct Answer: Tcpdump
Explanation: Tcpdump is a powerful command-line packet analyzer tool used to capture and display TCP/IP and other packets being transmitted or received.
38. What Wireshark display filter would show only traffic associated with IP address 192.168.1.5?
A. ip.addr == 192.168.1.5
B. show 192.168.1.5
C. ip = 192.168.1.5
D. filter.ip(192.168.1.5)
Correct Answer: ip.addr == 192.168.1.5
Explanation: The correct syntax for filtering by IP address in Wireshark is ip.addr == [IP].
39. In a TCP packet, which flag initiates a connection?
A. RST
B. FIN
C. SYN
D. ACK
Correct Answer: SYN
Explanation: The SYN (Synchronize) flag is used to initiate the three-way handshake in a TCP connection.
40. What traffic pattern is characteristic of a SYN flood DoS attack?
A. Many connection requests (SYN) without completing the handshake (ACK)
B. Many FIN packets sent at once
C. Large UDP packets
D. Slow HTTP requests
Correct Answer: Many connection requests (SYN) without completing the handshake (ACK)
Explanation: A SYN flood involves sending many SYN requests to a target, exhausting its resources as it waits for the final ACK that never comes.
41. How does Deep Packet Inspection (DPI) differ from stateful inspection?
A. It only looks at the header
B. It examines the data part (payload) of the packet as well as the header
C. It is faster but less secure
D. It only works on wireless networks
Correct Answer: It examines the data part (payload) of the packet as well as the header
Explanation: DPI inspects the actual content/payload of the packet, allowing for the detection of malware signatures or specific application data.
42. Which of the following creates a significant challenge for network traffic investigation?
A. IPv4 addressing
B. End-to-end encryption (TLS/SSL)
C. Ethernet cables
D. DHCP
Correct Answer: End-to-end encryption (TLS/SSL)
Explanation: Encryption hides the payload of the network traffic, making it impossible to read the contents (like passwords or transferred files) without the key.
43. What is the function of the command grep in Linux forensics?
A. To restart the system
B. To search text or logs for specific patterns or strings
C. To capture packets
D. To format a disk
Correct Answer: To search text or logs for specific patterns or strings
Explanation: grep (Global Regular Expression Print) is essential for filtering through massive log files to find specific IoCs or keywords.
44. Which directory contains configuration files in Linux, useful for establishing the baseline state of a system?
A. /bin
B. /dev
C. /etc
D. /tmp
Correct Answer: /etc
Explanation: /etc contains system-wide configuration files and shell scripts used to initialize system settings.
45. In network forensics, what is the 'fast-flux' technique?
A. A way to speed up internet download speeds
B. A DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts
C. Rapidly plugging and unplugging network cables
D. Using fiber optics instead of copper
Correct Answer: A DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts
Explanation: Fast-flux involves rapidly changing the IP addresses associated with a domain name to evade detection and takedown.
46. Which log file would you check to investigate potential USB device insertions on a Linux system?
A. /var/log/apache2/access.log
B. /var/log/kern.log
C. /var/log/mail.log
D. /var/log/dpkg.log
Correct Answer: /var/log/kern.log
Explanation: The kernel logs (/var/log/kern.log or dmesg) record hardware events, including the attachment and detachment of USB devices.
47. What is the primary benefit of 'centralized logging'?
A. It is cheaper than local logging
B. It prevents an attacker from deleting logs locally to cover their tracks
C. It uses less bandwidth
D. It requires no configuration
Correct Answer: It prevents an attacker from deleting logs locally to cover their tracks
Explanation: If an attacker compromises a machine, they can delete local logs. Sending logs to a separate, secured server in real time preserves the evidence.
48. Which command displays the history of commands executed by the current user?
A. past
B. history
C. mem
D. trace
Correct Answer: history
Explanation: The 'history' command outputs the list of previously executed commands, usually stored in .bash_history, which is valuable for reconstructing user actions.
49. What does a 'keep-alive' signal usually suggest in a forensic analysis of malware?
A. The computer battery is low
B. The malware is maintaining an active connection to the C2 server to receive commands
C. The network cable is unplugged
D. The firewall is blocking traffic
Correct Answer: The malware is maintaining an active connection to the C2 server to receive commands
Explanation: Keep-alive packets are used to prevent a connection from timing out, ensuring the attacker retains control over the infected host.
50. When analyzing a disk image, which hashing algorithm is commonly used to verify the integrity of the image?
A. AES
B. RSA
C. SHA-256
D. DES
Correct Answer: SHA-256
Explanation: SHA-256 (Secure Hash Algorithm) is a cryptographic hash function used to verify that the forensic image has not been altered from the original source.