Exam 24: Digital Evidence at the Physical and Data-Link Layers

Which of the following tools can reconstruct TCP streams?

What is the maximum cable length for a 10BaseT network?

It is necessary to physically tap a network cable to capture the traffic it carries.

Although ARP is part of TCP/IP, it is generally considered a part of the _________layer.

What information is contained in the padding of an Ethernet frame?

If a criminal reconfigures his computer with someone else's IP address to conceal his identity, the local router would have an entry in its _________showing that criminal's actual Mac address associated with somebody else's IP address.

MAC addresses can be associated with a particular computer.

A common approach to collecting digital evidence from the physical layer is using a sniffer.

The netstat command can be used to obtain the MAC address of a remote computer.

The form of ARP that ATM uses to discover MAC addresses is known as:

What is the maximum cable length for a 10 base five segment?

ARP stands for:

The best operating system for capturing network traffic on high-speed networks is:

Which of the following applications is used to capture network traffic?

Unlike ARP cache, ATMARP is stored on the individual computers.

A computer connected to the Internet via a dial-up modem can eavesdrop on network traffic from other computers that are dialed into the same Internet service provider.

The transition method in which only one computer can transmit while all the others listen is known as:

The tcpdump application can be used to reconstruct TCP streams.

Each network packet stored in the tcpdump file is date-time stamped.

Which of the following commands can be used to obtain the MAC address of a remote Windows computer?