Unit 4 - Practice Quiz

INT250 50 Questions
0 Correct 0 Wrong 50 Left
0/50

1 Which directory in the Linux file system is a virtual file system containing volatile information about running processes and system resources?

A. /proc
B. /home
C. /etc
D. /var

2 Which Linux command is primarily used to list open files and the processes that opened them, crucial for analyzing volatile data?

A. ls
B. grep
C. chmod
D. lsof

3 In Linux forensics, what does the 'w' command display?

A. A list of logged-in users and what they are doing
B. The wireless network strength
C. Network interface configuration
D. Write permissions of the current directory

4 Which of the following data is considered Non-volatile in a Linux system?

A. ARP cache
B. System logs stored in /var/log
C. Running process list
D. RAM contents

5 What is the primary purpose of the Linux Swap space in the context of forensics?

A. To store the master boot record
B. To act as an extension of RAM, potentially containing volatile memory artifacts
C. To store user passwords permanently
D. To keep network logs

6 Which command-line utility is commonly used to create a bit-stream image of a Linux partition?

A. dd
B. tar
C. cp
D. mv

7 What is an Inode in the context of Linux file systems?

A. An input node for peripherals
B. A data structure storing metadata about a file (size, owner, permissions)
C. The name of the root user
D. A networking protocol

8 When analyzing a Linux file system image, what does a dot (.) at the beginning of a filename indicate?

A. The file is a directory
B. The file is corrupted
C. The file is hidden
D. The file is an executable

9 Which file system is the default journaling file system for many modern Linux distributions?

A. HFS+
B. NTFS
C. ext4
D. FAT32

10 Which file in Linux contains encrypted user passwords?

A. /var/www
B. /etc/group
C. /etc/passwd
D. /etc/shadow

11 Which tool is a Loadable Kernel Module (LKM) often used to acquire volatile memory from Linux systems?

A. LiME
B. Wireshark
C. Nmap
D. Autopsy

12 Why is Memory Forensics critical in investigating advanced malware?

A. RAM is easier to copy than a hard drive
B. Malware may reside only in RAM (fileless) or encrypt its disk components
C. Malware always deletes itself from the disk immediately
D. Memory forensics is faster than disk forensics

13 Which framework is the industry standard for analyzing volatile memory dumps?

A. Metasploit
B. Volatility
C. John the Ripper
D. Snort

14 In the context of Volatility, what is a 'profile'?

A. A list of suspect IP addresses
B. The hardware configuration of the suspect machine
C. A specification of the operating system version and kernel data structures
D. The user account of the investigator

15 Which command in the Volatility framework is used to list running processes from a memory dump?

A. linux_netstat
B. linux_ls
C. linux_mount
D. linux_pslist

16 What artifact can often be recovered from memory that allows an investigator to decrypt encrypted volumes?

A. The Master Boot Record
B. The MAC address
C. Encryption Keys
D. The BIOS password

17 What is Network Forensics?

A. Restoring deleted emails
B. Monitoring and analyzing computer network traffic for information gathering, legal evidence, or intrusion detection
C. Cracking Wi-Fi passwords
D. Repairing broken routers

18 Which mode must a network interface card (NIC) be in to capture all traffic on a network segment, not just traffic addressed to it?

A. Promiscuous mode
B. Safe mode
C. Protected mode
D. Private mode

19 In the 'Catch-it-as-you-can' network forensics strategy, what is the main challenge?

A. It requires large amounts of storage to keep all captured data
B. It misses data frequently
C. It is illegal in most countries
D. It cannot capture encrypted traffic

20 Which of the following is a standard format for saving captured network packets?

A. PCAP
B. PDF
C. DOCX
D. JPEG

21 What is 'Forensic Readiness' regarding network logging?

A. Deleting logs every 24 hours to save space
B. Having a lawyer on speed dial
C. The ability to maximize an organization's potential to use digital evidence while minimizing the cost of an investigation
D. Buying the most expensive forensic software

22 Which Linux log file typically records authentication information, such as failed login attempts?

A. /var/log/dmesg
B. /var/log/boot.log
C. /var/log/kern.log
D. /var/log/auth.log

23 What is the standard port for the Syslog protocol?

A. 22
B. 443
C. 514
D. 80

24 Which protocol is crucial for ensuring that timestamps across different network devices are consistent for correlation?

A. FTP
B. HTTP
C. NTP
D. SMTP

25 What does the term 'Log Rotation' refer to?

A. The process of archiving old log files and creating new ones to prevent file systems from filling up
B. Sending logs to different servers in a round-robin fashion
C. Encrypting logs using a rotating cipher
D. Spinning the hard drive physically

26 Which syslog severity level indicates the system is unusable?

A. Info (6)
B. Emergency (0)
C. Debug (7)
D. Warning (4)

27 What is 'Event Correlation' in the context of network forensics?

A. Backing up events to the cloud
B. Copying events from one log to another
C. Relating distinct events from multiple sources to identify a pattern or security incident
D. Deleting duplicate events

28 In event correlation, what is 'Normalization'?

A. Converting data from different formats into a common format for analysis
B. Reducing the severity of all alerts
C. Ignoring outliers in data
D. Making all users use the same password

29 What is a SIEM system used for?

A. Simple Internet Evidence Monitor
B. Security Information and Event Management
C. System Information and Email Management
D. Secure Internal External Messaging

30 What is an Indicator of Compromise (IoC)?

A. A piece of forensic data that identifies potentially malicious activity on a system or network
B. A type of network cable
C. A software license key
D. A password policy

31 Which of the following is a common Network IoC?

A. A fragmented hard drive
B. High CPU usage on a local machine
C. Beaconing traffic to a known malicious IP address
D. A blue screen of death

32 What is 'Beaconing' in network traffic analysis?

A. A router broadcasting its SSID
B. Sending a distress signal to the administrator
C. Malware sending regular communications to a Command and Control (C2) server
D. The blinking light on a network card

33 What does a sudden spike in outbound traffic likely indicate?

A. A failed login attempt
B. A system update
C. Incoming email
D. Data Exfiltration

34 Which User-Agent string anomaly might indicate a non-browser tool or malware?

A. Chrome/91.0.4472.124
B. Python-urllib/3.8
C. Safari/537.36
D. Mozilla/5.0 (Windows NT 10.0; Win64; x64)

35 What is a Domain Generation Algorithm (DGA) used for by malware?

A. To encrypt the hard drive
B. To periodically generate a large number of domain names for C2 communication to evade blacklisting
C. To generate secure passwords
D. To speed up DNS resolution

36 Which tool is primarily used for deep packet analysis and visual inspection of traffic?

A. Traceroute
B. Ping
C. Wireshark
D. Netcat

37 Which command-line packet analyzer is standard on most Unix-like systems?

A. Outlook
B. Tcpdump
C. Excel
D. Photoshop

38 What Wireshark display filter would show only traffic associated with IP address 192.168.1.5?

A. show 192.168.1.5
B. ip.addr == 192.168.1.5
C. ip = 192.168.1.5
D. filter.ip(192.168.1.5)

39 In a TCP packet, which flag initiates a connection?

A. RST
B. FIN
C. SYN
D. ACK

40 What traffic pattern is characteristic of a SYN Flood DoS attack?

A. Large UDP packets
B. Many FIN packets sent at once
C. Slow HTTP requests
D. Many connection requests (SYN) without completing the handshake (ACK)

41 How does Deep Packet Inspection (DPI) differ from stateful inspection?

A. It only works on wireless networks
B. It examines the data part (payload) of the packet as well as the header
C. It is faster but less secure
D. It only looks at the header

42 Which of the following creates a significant challenge for network traffic investigation?

A. End-to-End Encryption (TLS/SSL)
B. IPv4 addressing
C. DHCP
D. Ethernet cables

43 What is the function of the command grep in Linux forensics?

A. To capture packets
B. To format a disk
C. To search text or logs for specific patterns or strings
D. To restart the system

44 Which directory contains configuration files in Linux, useful for establishing the baseline state of a system?

A. /etc
B. /dev
C. /bin
D. /tmp

45 In network forensics, what is the 'fast-flux' technique?

A. A DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts
B. Using fiber optics instead of copper
C. Rapidly plugging and unplugging network cables
D. A way to speed up internet download speeds

46 Which log file would you check to investigate potential USB device insertions on a Linux system?

A. /var/log/kern.log
B. /var/log/dpkg.log
C. /var/log/apache2/access.log
D. /var/log/mail.log

47 What is the primary benefit of 'Centralized Logging'?

A. It requires no configuration
B. It is cheaper than local logging
C. It uses less bandwidth
D. It prevents an attacker from deleting logs locally to cover their tracks

48 Which command displays the history of commands executed by the current user?

A. trace
B. history
C. mem
D. past

49 What does a 'Keep-Alive' signal usually suggest in a forensic analysis of malware?

A. The firewall is blocking traffic
B. The malware is maintaining an active connection to the C2 server to receive commands
C. The network cable is unplugged
D. The computer battery is low

50 When analyzing a disk image, which hashing algorithm is commonly used to verify the integrity of the image?

A. RSA
B. SHA-256
C. DES
D. AES