Deck 13: Computer Intrusions
1
A more thorough method of collecting specific volatile data from a computer is to:
A) Examine the specific memory addresses live
B) Collect the full contents of physical memory
C) Selectively collect contents of physical memory
D) Take screenshots.
Answer: B
2
The registry key HKLM\Software\Microsoft\Windows\CurrentVersion is one of the most common locations for:
A) New software entries
B) Time and date information
C) Trojans
D) A list of recently run programs
Answer: C) Trojans (the Run and RunOnce subkeys under CurrentVersion, in both HKLM and HKCU, are the classic autostart persistence points; check them on every compromised host)
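A triage pass over those autostart entries, as an added example that is not part of the original deck: the entries are constructed sample data shaped like the value-name / command pairs that `reg query` returns for the CurrentVersion\Run keys, and the heuristics (user-writable paths, living-off-the-land launchers, system-binary names outside System32, hidden or encoded PowerShell) are a starting checklist of the author's own, not a complete detection rule set.

```python
"""Triage Windows Run/RunOnce autostart entries for likely Trojan persistence.

Added example, not code from the original deck. The entries below are
constructed sample data shaped like the value name / command pairs returned
by `reg query` for the CurrentVersion\\Run keys; the heuristics are a
starting checklist, not a complete detection rule set.
"""
import re
from typing import NamedTuple, Optional

RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Directories any local user can write to; legitimate installers rarely
# register an autostart that lives in, or loads code from, one of these.
USER_WRITABLE = (r"\appdata\local\temp", r"\windows\temp", r"\users\public", r"\programdata")

# Signed Microsoft binaries commonly abused as launchers (living off the land).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}

# Core OS binaries that live in System32; one starting elsewhere is masquerading.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "smss.exe", "services.exe"}

_ENCODED = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)")
_HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden")


class Finding(NamedTuple):
    key: str
    name: str
    reasons: tuple


def executable_of(command: str) -> str:
    """Return the program path from a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_entry(key: str, name: str, command: str) -> Optional[Finding]:
    """Apply the checklist to one entry; None means nothing stood out."""
    low_cmd = command.lower()
    exe = executable_of(low_cmd)
    base = exe.rsplit("\\", 1)[-1]
    reasons = []
    if any(d in low_cmd for d in USER_WRITABLE):
        reasons.append("runs or loads code from a user-writable directory")
    if base in LOLBINS:
        reasons.append(f"launched through {base}")
    if base in SYSTEM_NAMES and "\\windows\\system32\\" not in exe:
        reasons.append(f"{base} outside System32 (masquerading)")
    if "powershell" in low_cmd and (_ENCODED.search(low_cmd) or _HIDDEN.search(low_cmd)):
        reasons.append("hidden or encoded PowerShell invocation")
    return Finding(key, name, tuple(reasons)) if reasons else None


def triage_run_entries(entries):
    """entries: iterable of (key, value_name, command); returns the suspicious ones."""
    return [f for f in (triage_entry(*e) for e in entries) if f]


# Constructed sample entries (not taken from a real host).
SAMPLE_ENTRIES = [
    (RUN_KEYS[0], "SecurityHealth", r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    (RUN_KEYS[0], "Updater", r"C:\Users\Public\svchost.exe -k netsvcs"),
    (RUN_KEYS[2], "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[2], "WinUpd", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -enc SQBFAFgA"),
    (RUN_KEYS[3], "Setup", r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\dr.dll",Start'),
]

if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_ENTRIES):
        print(f"{f.key}\\{f.name}: " + "; ".join(f.reasons))
```

On a live host the same checks apply to the Run keys in every loaded user hive (HKU\<SID>), to the Winlogon Shell and Userinit values and to services, since a Trojan that has been caught once usually moves to a less obvious autostart.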
3
If digital investigators find an unauthorized file, they should:
A) Immediately move the file to removable media
B) Check for other suspicious files in the same directory
C) Execute the file to determine its purpose
D) Permanently delete the file
Answer: B
4
A thorough understanding of the tactics and techniques used by criminals is "nice to know" but is not essential to the successful investigation of criminal behavior.
5
The forensic examiner needs to be aware that the process of collecting memory:
A) Is seldom useful and not often called for
B) Can take an extremely long period of time
C) Is only needed for standalone systems
D) Changes the contents of memory
6
Determining skill level can lead to:
A) Determining the extent of the intrusion
B) Likely hiding places for rootkits and malware
C) Suspects
D) Offense behaviors
7
A computer intruder's method of approach and attack can reveal a significant amount about their:
A) Skill level
B) Knowledge of the target
C) Intent
D) All of the above
8
In the case of a computer intrusion, the target computer is:
A) The remote crime scene
B) The auxiliary crime scene
C) The virtual crime scene
D) The primary crime scene
9
A growing number of intrusions are committed by organized criminal organizations and state-sponsored groups.
10
Why are "non-volatile" storage locations contained in the RFC 3227 "Order of Volatility"?
A) This is an old RFC and has not been updated.
B) No form of data storage is permanent.
C) An RFC is a Request for Comments - and corrections are expected.
D) None of the above.
11
Remote forensic solutions can be used to access live systems, and include the ability to:
A) Acquire and, sometimes, analyze memory
B) Image systems without ever having to leave the lab
C) Conduct examination and analysis without the need to image
D) Image large systems across the Internet
12
When collecting data from a compromised computer, consideration should be given to collecting the _________ data first.
A) CMOS
B) Most volatile
C) Magnetic
D) Optical
13
Although new exploits are published daily, it takes skill and experience to break into a computer system, commit a crime, and cover one's tracks.
14
Capturing all of the network traffic to and from the compromised system can:
A) Allow the network administrators to participate in the investigation, establishing rapport for later interviews
B) Reveal the source of the attack
C) Seriously slow down the network, affecting normal work
D) None of the above
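What a full capture of traffic to and from the compromised host gives the investigator, as an added example that is not part of the original deck: the capture below is constructed in memory (seven Ethernet/IPv4/TCP frames, one external host probing four ports and an internal host opening SMB), so the script runs offline; on a real case you would pass the bytes of a file written by tcpdump or taken from a SPAN port. Only the public pcap, Ethernet, IPv4 and TCP header layouts are assumed; pcapng is not handled.

```python
"""Parse a packet capture and summarise which hosts initiated connections to
the compromised system.

Added example, not code from the original deck. The capture is constructed in
memory (seven Ethernet/IPv4/TCP frames) so the script runs offline; on a real
case you would pass the bytes of a file captured with tcpdump or from a SPAN
port. Only the public pcap, Ethernet, IPv4 and TCP header layouts are assumed.
"""
import socket
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def tcp_frame(src, dst, sport, dport, flags):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Serialise (timestamp, frame) pairs into a pcap file image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def _parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP; returns None for anything that is not IPv4."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"src": socket.inet_ntoa(frame[26:30]),
           "dst": socket.inet_ntoa(frame[30:34]),
           "proto": frame[23]}
    tcp_off = 14 + ihl
    if pkt["proto"] == 6 and len(frame) >= tcp_off + 20:
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        pkt.update(sport=sport, dport=dport, flags=frame[tcp_off + 13])
    return pkt


def parse_pcap(data):
    """Return one dict per IPv4 packet in a classic pcap image (either byte order)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = _parse_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            packets.append(pkt)
    return packets


def inbound_summary(packets, victim):
    """Per remote address: connection attempts (SYN without ACK) to the victim and
    the distinct destination ports tried. Many ports from one source is the
    signature of a scan; one port hit repeatedly points at brute force or C2."""
    syns, ports = Counter(), defaultdict(set)
    for p in packets:
        if p["dst"] != victim or p["proto"] != 6 or "flags" not in p:
            continue
        if p["flags"] & TCP_SYN and not p["flags"] & TCP_ACK:
            syns[p["src"]] += 1
            ports[p["src"]].add(p["dport"])
    return {src: {"syns": n, "ports": sorted(ports[src])} for src, n in syns.items()}


# Constructed traffic: an external host probes four ports on the victim
# (10.0.0.5) and gets an answer on 3389, then an internal host opens SMB.
VICTIM = "10.0.0.5"
SAMPLE_FRAMES = [
    (1700000000, tcp_frame("203.0.113.7", VICTIM, 40001, 22, TCP_SYN)),
    (1700000001, tcp_frame("203.0.113.7", VICTIM, 40002, 80, TCP_SYN)),
    (1700000001, tcp_frame("203.0.113.7", VICTIM, 40003, 443, TCP_SYN)),
    (1700000002, tcp_frame("203.0.113.7", VICTIM, 40004, 3389, TCP_SYN)),
    (1700000002, tcp_frame(VICTIM, "203.0.113.7", 3389, 40004, TCP_SYN | TCP_ACK)),
    (1700000030, tcp_frame("10.0.0.20", VICTIM, 50000, 445, TCP_SYN)),
    (1700000030, tcp_frame(VICTIM, "10.0.0.20", 445, 50000, TCP_SYN | TCP_ACK)),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for src, info in inbound_summary(parse_pcap(SAMPLE_PCAP), VICTIM).items():
        print(f"{src:>15}  syns={info['syns']}  ports={info['ports']}")
```

The summary shows 203.0.113.7 sweeping four ports and being answered on 3389, which is the "source of the attack" as far as the packets can say; that address is still only the last hop, so treat it as a lead (a relay, VPN exit or another victim is common) rather than a suspect. Full capture on a busy segment also fills disk quickly, so in practice it is paired with a capture filter for the victim's address and a rotation scheme.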
15
Intruders who have a preferred toolkit that they have pieced together over time, with distinctive features:
A) Usually have little experience and are relying on the kit
B) Show little initiative - letting the tool do the work
C) Are generally more experienced
D) Pose less of a threat
16
During the commission of a crime, evidence is transferred between the offender's computer and the target. This is an example of:
A) Locard's Exchange Principle
B) Sutherland's General Theory of Criminology
C) Martin's Rule
D) Parkinson's Rule of Available Space
17
Social engineering refers to any attempt to contact legitimate users of the target system and trick them into giving out information that can be used by the intruder to break into the system.
18
A forensic analysis conducted on a forensic duplicate of the system in question is referred to as:
A) Virtual analysis
B) Clone analysis
C) Post-mortem analysis
D) Ex post facto analysis
19
A common technique that is highly useful and can be applied in a computer intrusion investigation is to simply focus on file system activities around the time of known events. This embodies a principle known as:
A) Temporal proximity
B) Timeline analysis
C) File system analysis
D) Temporal aggregation
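Temporal proximity applied to a file-system timeline, as an added example that is not part of the original deck: the bodyfile rows are constructed sample data in the public mactime 3.x layout that The Sleuth Kit's `fls -m` produces, and the known-event time (an IDS alert) and the +/- 60 s window are assumptions chosen for the illustration.

```python
"""Build a file-system timeline from a Sleuth Kit bodyfile and pull the
entries that cluster around a known event (temporal proximity).

Added example, not code from the original deck. The bodyfile rows are
constructed sample data in the public mactime 3.x layout
(MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds);
the known-event time and the +/- 60 s window are assumptions chosen for the
illustration.
"""
from datetime import datetime, timezone
from typing import NamedTuple


class Event(NamedTuple):
    ts: int
    macb: str    # which timestamps fired: M=modified, A=accessed, C=changed, B=born
    name: str
    size: int


_FIELDS = ("atime", "mtime", "ctime", "crtime")
_LETTER = {"mtime": "M", "atime": "A", "ctime": "C", "crtime": "B"}


def parse_bodyfile(text):
    """One Event per distinct timestamp of each row; timestamps that coincide
    collapse into a single entry, the way mactime prints them."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 11:
            raise ValueError(f"malformed bodyfile row: {line!r}")
        name, size = parts[1], int(parts[6])
        by_time = {}
        for field, raw in zip(_FIELDS, parts[7:11]):
            ts = int(raw)
            if ts > 0:                      # bodyfile uses 0 for "not available"
                by_time.setdefault(ts, set()).add(_LETTER[field])
        for ts, letters in by_time.items():
            macb = "".join(c if c in letters else "." for c in "MACB")
            events.append(Event(ts, macb, name, size))
    return sorted(events)


def near(events, known_ts, window):
    """Events within +/- window seconds of known_ts, in time order."""
    return [e for e in events if known_ts - window <= e.ts <= known_ts + window]


def fmt(e):
    when = datetime.fromtimestamp(e.ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when} {e.macb} {e.size:>9} {e.name}"


# Constructed rows: an OS file, a dropped DLL, PowerShell being read (A only),
# a user document, a masquerading svchost.exe, and the prefetch file written
# when rundll32 first ran.
BODYFILE = """\
0|/Windows/System32/ntoskrnl.exe|1001|r/rrwxrwxrwx|0|0|10000000|1699000000|1699000000|1699000000|1699000000
0|/Users/alice/AppData/Local/Temp/dr.dll|2201|r/rrwxrwxrwx|0|0|48128|1700000405|1700000405|1700000405|1700000405
0|/Windows/System32/WindowsPowerShell/v1.0/powershell.exe|3001|r/rrwxrwxrwx|0|0|450000|1700000410|1690000000|1690000000|1690000000
0|/Users/alice/Documents/report.docx|2202|r/rrwxrwxrwx|0|0|20480|1700000000|1698000000|1698000000|1698000000
0|/Users/Public/svchost.exe|2203|r/rrwxrwxrwx|0|0|48128|1700000450|1700000440|1700000440|1700000440
0|/Windows/Prefetch/RUNDLL32.EXE-ABCD1234.pf|3101|r/rrwxrwxrwx|0|0|16384|1700000412|1700000412|1700000412|1700000412
"""

KNOWN_EVENT = 1700000400   # assumed: time of the IDS alert for the outbound beacon
WINDOW = 60

if __name__ == "__main__":
    for e in near(parse_bodyfile(BODYFILE), KNOWN_EVENT, WINDOW):
        print(fmt(e))
```

Within a minute of the alert the window isolates a DLL dropped in Temp, PowerShell being executed, the prefetch record of rundll32 and a svchost.exe created outside System32, while the thousands of unrelated entries fall away. File timestamps are attacker-controlled (timestomping resets $STANDARD_INFORMATION, and NTFS may not update access times at all), so a cluster found this way is corroborated against $MFT $FILE_NAME times, prefetch, event logs and the network capture before it is relied on.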
20
A valid profile of a computer intruder is an antisocial adolescent.
21
Discuss why computer intrusions are among the most challenging types of cybercrimes from a digital evidence perspective.
22
Investigating computer intrusions usually involves a small amount of digital evidence from only a few sources.
23
Gathering information about a system through the use of a port scanner is considered a direct attack method.
24
The first stage of a computer intrusion is Abuse.
25
Discuss the difference between automated and dynamic modus operandi, including the kinds of information to look for, and the value of conducting this kind of analysis.
26
Incident Response can be viewed as a subset or part of an intrusion investigation.
27
In a computer intrusion, the stage after Attack is Abuse.
28
An example of the Entrenchment phase of an intrusion would be uploading a backdoor through the remote shell.
29
The first step when investigating a computer intrusion incident is to determine if there actually was one - there must be a corpus delicti.
30
Examining a live system is prone to error, may change data on the system, and may even cause the system to stop functioning.
31
Reverse social engineering is any attempt by intruders to have someone in the target organization contact them for assistance.
32
"Spear phishing" is an intrusion technique wherein mass e-mails that appear or claim to be from a legitimate source request that the recipient follow instructions contained in the e-mail.