Deck 24: Digital Evidence at the Physical and Data-Link Layers
1
Sniffers put NICs into _________, forcing them to listen in on all of the communications that are occurring on the network.
A) Covert mode
B) Wiretap mode
C) Promiscuous mode
D) None of the above
Promiscuous mode
2
How many bytes per packet does tcpdump capture by default?
A) 10 bytes
B) 68 bytes
C) 128 bytes
D) 1024 bytes
B
3
What is the maximum cable length for a 10BaseT network?
A) 10 feet
B) 100 feet
C) 10 meters
D) 100 meters
D
4
What is the approximate theoretical maximum number of bytes that can be downloaded in one minute on a 10BaseT network?
A) 10 Mb
B) 75 Mb
C) 100 Mb
D) 175 Mb
5
The netstat command can be used to obtain the MAC address of a remote computer.
6
Which of the following applications is used to capture network traffic?
A) Snort
B) Wireshark
C) Tcpdump
D) All of the above
7
The transmission method in which only one computer can transmit while all the others listen is known as:
A) Baseband
B) Narrowband
C) Broadband
D) Sideband
8
It is necessary to physically tap a network cable to capture the traffic it carries.
9
If a criminal reconfigures his computer with someone else's IP address to conceal his identity, the local router would have an entry in its _________ showing that criminal's actual MAC address associated with somebody else's IP address.
A) Host table
B) BOOTP
C) CMOS
D) ARP table
10
ARP stands for:
A) Address Resource Protection
B) Advanced Retrieval Protocol
C) Address Resolution Protocol
D) Added Resource Processing
11
Each network packet stored in the tcpdump file is date-time stamped.
12
The best operating system for capturing network traffic on high-speed networks is:
A) Microsoft DOS/Windows
B) OpenBSD/FreeBSD
C) Linux
D) Solaris
13
Although ARP is part of TCP/IP, it is generally considered a part of the _________ layer.
A) Physical
B) Data-link
C) Network
D) Transport
14
Which of the following commands can be used to obtain the MAC address of a remote Windows computer?
A) Netstat
B) Ping
C) Nbtstat
D) Traceroute
15
Which of the following tools can reconstruct TCP streams?
A) Tcpdump
B) Wireshark
C) Snoop
D) EnCase
16
Which of the following is a valid MAC address?
A) 192.168.0.5
B) 00:10:4b:de:fc:e9
C) 0-0-e2-7a-c3-5b-6f
D) 08-00-56-s7-fd-d4
17
MAC addresses can be associated with a particular computer.
18
The form of ARP that ATM uses to discover MAC addresses is known as:
A) ARPATM
B) ATMARP
C) MACATM
D) ATMMAC
19
What is the maximum cable length for a 10Base5 segment?
A) 100 feet
B) 500 feet
C) 100 m
D) 500 m
20
Routers use Ethernet addresses to direct data between networks.
21
It is not possible to use a sniffer when connected to a network via a modem.
22
A common approach to collecting digital evidence from the physical layer is using a sniffer.
23
Obtain the MAC address of a computer and describe how you did it.
24
One of the drawbacks of copying network traffic using a SPANned port is that a SPANned port copies only valid Ethernet packets.
25
The tcpdump application can be used to reconstruct TCP streams.
26
A computer connected to the Internet via a dial-up modem can eavesdrop on network traffic from other computers that are dialed into the same Internet service provider.
27
Describe how a computer obtains the Ethernet address of another computer that it wants to communicate with.
28
Unlike ARP cache, ATMARP is stored on the individual computers.
29
DHCP can be configured to assign a static IP address to a particular computer every time it is connected to the network.
30
By default, tcpdump captures the entire contents of a packet.
31
What is a "gratuitous ARP request" and why is it dangerous?
32
One key point about MAC addresses is that they do not go beyond the router.
33
What information is contained in the padding of an Ethernet frame?
34
It is possible to obtain file names from network traffic as well as the file contents.