Unit 4 - Practice Quiz

INT250 50 Questions

1 Which directory in the Linux file system is a virtual file system containing volatile information about running processes and system resources?

A. /proc
B. /var
C. /etc
D. /home

2 Which Linux command is primarily used to list open files and the processes that opened them, crucial for analyzing volatile data?

A. ls
B. grep
C. lsof
D. chmod

3 In Linux forensics, what does the 'w' command display?

A. The wireless network strength
B. Write permissions of the current directory
C. Network interface configuration
D. A list of logged-in users and what they are doing

4 Which of the following data is considered Non-volatile in a Linux system?

A. Running process list
B. System logs stored in /var/log
C. RAM contents
D. ARP cache

5 What is the primary purpose of the Linux Swap space in the context of forensics?

A. To store the master boot record
B. To act as an extension of RAM, potentially containing volatile memory artifacts
C. To store user passwords permanently
D. To keep network logs

6 Which command-line utility is commonly used to create a bit-stream image of a Linux partition?

A. cp
B. mv
C. tar
D. dd

7 What is an Inode in the context of Linux file systems?

A. A data structure storing metadata about a file (size, owner, permissions)
B. A networking protocol
C. The name of the root user
D. An input node for peripherals

8 When analyzing a Linux file system image, what does a dot (.) at the beginning of a filename indicate?

A. The file is an executable
B. The file is corrupted
C. The file is hidden
D. The file is a directory

9 Which file system is the default journaling file system for many modern Linux distributions?

A. NTFS
B. HFS+
C. FAT32
D. ext4

10 Which file in Linux contains encrypted user passwords?

A. /etc/passwd
B. /etc/shadow
C. /etc/group
D. /var/www

11 Which tool is a Loadable Kernel Module (LKM) often used to acquire volatile memory from Linux systems?

A. LiME
B. Wireshark
C. Autopsy
D. Nmap

12 Why is Memory Forensics critical in investigating advanced malware?

A. Memory forensics is faster than disk forensics
B. Malware always deletes itself from the disk immediately
C. Malware may reside only in RAM (fileless) or encrypt its disk components
D. RAM is easier to copy than a hard drive

13 Which framework is the industry standard for analyzing volatile memory dumps?

A. Volatility
B. John the Ripper
C. Snort
D. Metasploit

14 In the context of Volatility, what is a 'profile'?

A. A specification of the operating system version and kernel data structures
B. A list of suspect IP addresses
C. The user account of the investigator
D. The hardware configuration of the suspect machine

15 Which command in the Volatility framework is used to list running processes from a memory dump?

A. linux_pslist
B. linux_netstat
C. linux_mount
D. linux_ls

16 What artifact can often be recovered from memory that allows an investigator to decrypt encrypted volumes?

A. Encryption Keys
B. The Master Boot Record
C. The BIOS password
D. The MAC address

17 What is Network Forensics?

A. Repairing broken routers
B. Monitoring and analyzing computer network traffic for information gathering, legal evidence, or intrusion detection
C. Restoring deleted emails
D. Cracking Wi-Fi passwords

18 Which mode must a network interface card (NIC) be in to capture all traffic on a network segment, not just traffic addressed to it?

A. Protected mode
B. Promiscuous mode
C. Safe mode
D. Private mode

19 In the 'Catch-it-as-you-can' network forensics strategy, what is the main challenge?

A. It requires large amounts of storage to keep all captured data
B. It is illegal in most countries
C. It cannot capture encrypted traffic
D. It misses data frequently

20 Which of the following is a standard format for saving captured network packets?

A. DOCX
B. JPEG
C. PDF
D. PCAP

21 What is 'Forensic Readiness' regarding network logging?

A. The ability to maximize an organization's potential to use digital evidence while minimizing the cost of an investigation
B. Deleting logs every 24 hours to save space
C. Buying the most expensive forensic software
D. Having a lawyer on speed dial

22 Which Linux log file typically records authentication information, such as failed login attempts?

A. /var/log/dmesg
B. /var/log/kern.log
C. /var/log/boot.log
D. /var/log/auth.log

23 What is the standard port for the Syslog protocol?

A. 22
B. 514
C. 443
D. 80

24 Which protocol is crucial for ensuring that timestamps across different network devices are consistent for correlation?

A. NTP
B. HTTP
C. FTP
D. SMTP

25 What does the term 'Log Rotation' refer to?

A. Spinning the hard drive physically
B. Encrypting logs using a rotating cipher
C. The process of archiving old log files and creating new ones to prevent file systems from filling up
D. Sending logs to different servers in a round-robin fashion

26 Which syslog severity level indicates the system is unusable?

A. Warning (4)
B. Debug (7)
C. Emergency (0)
D. Info (6)

27 What is 'Event Correlation' in the context of network forensics?

A. Backing up events to the cloud
B. Copying events from one log to another
C. Relating distinct events from multiple sources to identify a pattern or security incident
D. Deleting duplicate events

28 In event correlation, what is 'Normalization'?

A. Ignoring outliers in data
B. Reducing the severity of all alerts
C. Making all users use the same password
D. Converting data from different formats into a common format for analysis

29 What is a SIEM system used for?

A. Secure Internal External Messaging
B. Simple Internet Evidence Monitor
C. Security Information and Event Management
D. System Information and Email Management

30 What is an Indicator of Compromise (IoC)?

A. A software license key
B. A password policy
C. A piece of forensic data that identifies potentially malicious activity on a system or network
D. A type of network cable

31 Which of the following is a common Network IoC?

A. A blue screen of death
B. A fragmented hard drive
C. High CPU usage on a local machine
D. Beaconing traffic to a known malicious IP address

32 What is 'Beaconing' in network traffic analysis?

A. Sending a distress signal to the administrator
B. A router broadcasting its SSID
C. The blinking light on a network card
D. Malware sending regular communications to a Command and Control (C2) server

33 What does a sudden spike in outbound traffic likely indicate?

A. A system update
B. Data Exfiltration
C. A failed login attempt
D. Incoming email

34 Which User-Agent string anomaly might indicate a non-browser tool or malware?

A. Python-urllib/3.8
B. Safari/537.36
C. Chrome/91.0.4472.124
D. Mozilla/5.0 (Windows NT 10.0; Win64; x64)

35 What is a Domain Generation Algorithm (DGA) used for by malware?

A. To speed up DNS resolution
B. To generate secure passwords
C. To periodically generate a large number of domain names for C2 communication to evade blacklisting
D. To encrypt the hard drive

36 Which tool is primarily used for deep packet analysis and visual inspection of traffic?

A. Wireshark
B. Netcat
C. Ping
D. Traceroute

37 Which command-line packet analyzer is standard on most Unix-like systems?

A. Tcpdump
B. Excel
C. Photoshop
D. Outlook

38 What Wireshark display filter would show only traffic associated with IP address 192.168.1.5?

A. show 192.168.1.5
B. filter.ip(192.168.1.5)
C. ip.addr == 192.168.1.5
D. ip = 192.168.1.5

39 In a TCP packet, which flag initiates a connection?

A. SYN
B. ACK
C. RST
D. FIN

40 What traffic pattern is characteristic of a SYN Flood DoS attack?

A. Slow HTTP requests
B. Many connection requests (SYN) without completing the handshake (ACK)
C. Large UDP packets
D. Many FIN packets sent at once

41 How does Deep Packet Inspection (DPI) differ from stateful inspection?

A. It only works on wireless networks
B. It is faster but less secure
C. It examines the data part (payload) of the packet as well as the header
D. It only looks at the header

42 Which of the following creates a significant challenge for network traffic investigation?

A. IPv4 addressing
B. End-to-End Encryption (TLS/SSL)
C. Ethernet cables
D. DHCP

43 What is the function of the command grep in Linux forensics?

A. To search text or logs for specific patterns or strings
B. To format a disk
C. To restart the system
D. To capture packets

44 Which directory contains configuration files in Linux, useful for establishing the baseline state of a system?

A. /etc
B. /bin
C. /tmp
D. /dev

45 In network forensics, what is the 'fast-flux' technique?

A. A way to speed up internet download speeds
B. A DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts
C. Rapidly plugging and unplugging network cables
D. Using fiber optics instead of copper

46 Which log file would you check to investigate potential USB device insertions on a Linux system?

A. /var/log/dpkg.log
B. /var/log/mail.log
C. /var/log/apache2/access.log
D. /var/log/kern.log

47 What is the primary benefit of 'Centralized Logging'?

A. It is cheaper than local logging
B. It requires no configuration
C. It uses less bandwidth
D. It prevents an attacker from deleting logs locally to cover their tracks

48 Which command displays the history of commands executed by the current user?

A. past
B. trace
C. mem
D. history

49 What does a 'Keep-Alive' signal usually suggest in a forensic analysis of malware?

A. The computer battery is low
B. The firewall is blocking traffic
C. The network cable is unplugged
D. The malware is maintaining an active connection to the C2 server to receive commands

50 When analyzing a disk image, which hashing algorithm is commonly used to verify the integrity of the image?

A. SHA-256
B. AES
C. DES
D. RSA