Wednesday, 5 May 2021

Network Security Quiz

Question 1: The security protocol used in HTTPS is _____________.
A. IPSec
B. DNSSEC
C. TLS
D. SSH

Solution:
TLS


Question 2: The SSH protocol was initially developed for the purpose of:
Select one:
A. Remote login
B. File transfer
C. Remote program execution
D. Sending email

Solution:
Remote login

Question 3: The following are security services offered by the Authentication Header (AH) protocol in IPSec EXCEPT:
Select one:
A. Integrity
B. Authentication
C. Confidentiality
D. Access control

Solution:
Confidentiality

Question 4: Which of the following email security threats can be prevented using DNSSEC?
A. Email sent is sniffed during transmission
B. Email sent is transmitted to the attacker’s server
C. Email sending address is spoofed
D. Email cannot be sent due to DoS attack

Solution:
Email sent is transmitted to the attacker’s server

Question 5: Which of the following is NOT one of the reasons why TLS has become the most popular network security protocol?
A. TLS is independent of operating system platform
B. TLS is used to secure the Web application, which is the most used network application
C. TLS only needs to be configured once, and all network applications running on the host would then be protected
D. From a user point of view, using TLS is as easy as downloading and using a client application that implements TLS

Solution:
TLS only needs to be configured once, and all network applications running on the host would then be protected


Question 6: The following are among the security concerns of an Internet user EXCEPT:
A. You may not be communicating with the person that you think you are communicating with
B. An attacker may sniff your packets
C. Your Internet connection may not be fast enough, so an attacker may capture your slow-moving packets
D. Malware may be secretly installed on your computer

Solution:
Your Internet connection may not be fast enough, so an attacker may capture your slow-moving packets

Question 7: Which of the following email security mechanisms can be configured by an email user?
A. DKIM
B. SPF
C. DANE
D. PGP

Solution:
PGP

Question 8: Which of the following is an advantage of using IPsec (which is a network-layer security protocol) as compared to using TLS (which is a transport-layer security protocol)?
A. Configuration of IPsec is easier compared to TLS
B. IPsec uses more secure cryptographic protocols compared to TLS
C. Once IPsec is configured, communication with all Internet hosts will be protected
D. Once IPsec is configured, data transfer of all network applications with the specified receiving host will be protected

Solution:
Once IPsec is configured, data transfer of all network applications with the specified receiving host will be protected

Question 9: DNSSEC ensures the following security objective(s):
A. Confidentiality, integrity and authenticity
B. Integrity and authenticity
C. Confidentiality and integrity
D. Authenticity and confidentiality

Solution:
Integrity and authenticity

Question 10: Which of the following is NOT true about the use of explicit TLS in email applications?
A. Before a secure connection is achieved, port 25 is used by the SMTP client to connect to the SMTP server
B. When explicit TLS is used, email messages sent between an email client and an email server are encrypted
C. It requires an insecure SMTP connection to be upgraded to a secure connection using the STARTTLS command
D. Explicit TLS can be used not only by SMTP, but also by IMAP and POP3

Solution:
Before a secure connection is achieved, port 25 is used by the SMTP client to connect to the SMTP server

Question 11: The use of https prevents the following attacks from being conducted EXCEPT:
A. Attacker replacing the Web server with a malicious server
B. Attacker sniffing the username and password transmitted by Web browser
C. Attacker stealing the HTTP cookie transmitted in an HTTP request message
D. Attacker spoofing the IP address of the host on which the Web browser is running

Solution:
Attacker spoofing the IP address of the host on which the Web browser is running

Question 12: What is contained in an HTTP cookie?
A. A string that specifies the type of Web browser used by the user
B. The username and password of the Web user in cleartext
C. A string that identifies the Web user
D. The username and password of the Web user in encrypted form

Solution:
A string that identifies the Web user


Question 13: Which of the following is NOT a TLS record protocol payload?
A. Hello protocol
B. Change cipher spec protocol
C. Alert protocol
D. Application data

Solution:
Hello protocol


Question 14: Which of the following is one of the differences between S/MIME and OpenPGP?
A. S/MIME uses certificates issued by a Certificate Authority while OpenPGP users generate their own public and private keys
B. S/MIME provides authenticity and confidentiality, while OpenPGP only provides confidentiality
C. S/MIME does not include the sender’s public key with the message, while OpenPGP includes the sender’s public key with the message
D. OpenPGP provides authenticity and confidentiality, while S/MIME only provides authenticity

Solution:
S/MIME uses certificates issued by a Certificate Authority while OpenPGP users generate their own public and private keys

Question 15: The feature of SSH that enables any insecure TCP connection to be converted to a secure SSH connection is called ____________.
A. Remote login
B. Channel conversion
C. Securing channel
D. Port forwarding

Solution:
Port forwarding

Question 16: Which of the following fields is not encrypted in Encapsulating Security Payload (ESP) transport mode?
A. ESP trailer
B. IP header
C. TCP header
D. TCP data

Solution:
IP header

Question 17: The following are true about private IP addresses EXCEPT:
A. A private IP address used in an organization may also be used in another organization
B. Accessing the Internet requires the use of Network Address Translation (NAT)
C. The address block 172.16.0.0/12 belongs to one of the private IP address blocks
D. They can be directly accessed from the Internet

Solution:
They can be directly accessed from the Internet

Question 18: Which of the following is NOT true about DNS-based Authentication of Named Entities (DANE)?
A. It solves security issues related to the use of STARTTLS
B. It encrypts the email data regardless of whether the email server supports TLS or not
C. It ensures the authenticity of an email server without verifying the server's digital certificate with a Certificate Authority (CA)
D. It makes use of a DNS record called TLSA

Solution:
It encrypts the email data regardless of whether the email server supports TLS or not

Question 19: In S/MIME, what is the use of the receiver's private key?
A. To encrypt the message digest
B. To decrypt the message content
C. To decrypt the message digest
D. To decrypt the secret key
E. To encrypt the message content
F. To encrypt the secret key

Solution:
To decrypt the secret key

Question 20: In S/MIME, what is the use of the receiver's public key?
A. To decrypt the secret key
B. To decrypt the message content
C. To encrypt the message digest
D. To encrypt the message content
E. To decrypt the message digest
F. To encrypt the secret key

Solution:
To encrypt the secret key

Question 21: Differentiate between active and passive security attacks.

Solution:
Passive security attack: In this attack the intruder or attacker just sniffs the information; he does not modify or change it. He only listens to the traffic and compromises the confidentiality of the data.

Active security attack: In this attack the attacker first listens to the information, then changes it and forwards it to the receiving party, which means both confidentiality and integrity are compromised.


Question 22: Both Sender Policy Framework (SPF) and DomainKeys Identified Email (DKIM) are used to prevent the email sending address from being spoofed. However, the techniques used are different. Differentiate between the techniques used by these two mechanisms.

Solution:
SPF makes use of a TXT DNS resource record in which the sending domain identifies all of the domain's senders. To authenticate the sender, the receiver will query the TXT DNS resource record for the sender's address domain and check the sender's IP address against it. DKIM, on the other hand, uses a digital signature. The sender's private key is used to sign the message. The receiver then looks up the sender's public key to verify that the message is from the legitimate sender.


Question 23: For each of the following situations, identify the most suitable IPSec protocol (AH or ESP) and mode (transport or tunneling) to be used.
(a) A staff member working from home during the COVID-19 pandemic who would like to establish a Virtual Private Network (VPN) to his corporate network.
(b) A system administrator configuring two servers that always send data to each other. The system administrator needs to ensure that the data transmitted between the two servers cannot be read by an attacker.
(c) A network administrator configuring a firewall between two office branches. The data transmitted are all TLS data. The main aim of using IPSec would be to ensure the authenticity of the two firewalls.

Solution:
(a) IPsec ESP protocol, tunneling mode
(b) IPsec ESP protocol, transport mode
(c) IPsec AH protocol, tunnel mode

Network Security Quiz

Question 1: Which of the following statements about EAP authenticator is CORRECT?
Select one or more:
EAP authenticator may also play the role of an authentication server
EAP authenticator can communicate with supplicants using IEEE 802.1X
EAP authenticator is the device that grants access to the network
A WiFi access point is an example of an EAP authenticator

Solution:
EAP authenticator may also play the role of an authentication server
EAP authenticator can communicate with supplicants using IEEE 802.1X
EAP authenticator is the device that grants access to the network
A WiFi access point is an example of an EAP authenticator


Question 2: Identify the methods that are commonly used to control network access in a corporate network.
Select one or more:
Assign users to specific VLAN based on their access level
Allow access to devices based on their MAC address
Control access between network segments using firewall
Use 802.1X authentication

Solution:
Assign users to specific VLAN based on their access level
Control access between network segments using firewall
Use 802.1X authentication


Question 3: Which of the following statements about EAP over LAN (EAPOL) is CORRECT?
Select one or more:
EAPOL supports the transmission of EAP authentication packets over IEEE 802 LAN standards such as Ethernet or WiFi
EAPOL is a protocol defined as part of IEEE 802.1X
EAPOL defines an authentication method to be used with IEEE 802.1X authentication
EAPOL is used to carry data packets sent after authentication has been approved

Solution:
EAPOL supports the transmission of EAP authentication packets over IEEE 802 LAN standards such as Ethernet or WiFi
EAPOL is a protocol defined as part of IEEE 802.1X


Question 4: When a mobile phone is made into a WiFi hotspot, it would play the role of:
Select one or more:
Authenticator
Authentication server
Supplicant
Wireless medium

Solution:
Authenticator
Authentication server


Question 5: Choose the essential features of cloud computing from the list below.
Select one or more:
Computing resources can be increased or decreased based on the specified service requirement
Cloud users are charged based on the amount of computing resources used
Computing resources are shared among the cloud users.
Cloud users can provision for computing resources themselves without the need to interact with any employee from the cloud service provider

Solution:
Computing resources can be increased or decreased based on the specified service requirement
Cloud users are charged based on the amount of computing resources used
Cloud users can provision for computing resources themselves without the need to interact with any employee from the cloud service provider


Question 6: What are the security risks related to the use of cloud computing?
Select one or more:
Cloud computing account may be compromised by attackers
Cloud computing resources may be used for malicious purposes
Data may be leaked to other cloud computing users
Data may be read by the employees of the cloud service provider

Solution:
Cloud computing account may be compromised by attackers
Cloud computing resources may be used for malicious purposes
Data may be leaked to other cloud computing users
Data may be read by the employees of the cloud service provider

Question 7: The IEEE 802.11i standard provides confidentiality through which of the following protocols?
Select one or more:
EAP
CCMP
TKIP
IEEE 802.1X

Solution:
CCMP
TKIP

Question 8: The IEEE 802.11i standard provides access control through which of the following mechanisms?
Select one or more:
PSK
TKIP
CCMP
IEEE 802.1X

Solution:
PSK
IEEE 802.1X

Question 9: Among the reasons why mobile devices are more prone to security risks are:
Select one or more:
Mobile devices are equipped with Global Positioning System (GPS) receiver
Mobile devices run mobile operating systems where security features are not implemented
Mobile devices are easily lost or stolen
Mobile devices connect to various different networks

Solution:
Mobile devices are equipped with Global Positioning System (GPS) receiver
Mobile devices are easily lost or stolen
Mobile devices connect to various different networks

Question 10: Which of the following should be done to secure a newly bought WiFi access point to be installed in your house?
Select one or more:
Change the default administration password
Change the default SSID name
Choose WPA3 for authentication even though it is not supported by the wireless devices that will use the access point
Use IEEE 802.1X instead of PSK as the authentication method

Solution:
Change the default administration password
Change the default SSID name


Question 11: Choose the factors that contribute to the higher security risk of wireless networks as compared to wired networks.
Select one or more:
The fact that wireless devices are mobile and often connect to various different networks
Wireless network protocols have no security mechanisms implemented
Some mobile devices have limited capability to deal with security threats
The broadcast nature of wireless medium

Solution:
The fact that wireless devices are mobile and often connect to various different networks
Some mobile devices have limited capability to deal with security threats
The broadcast nature of wireless medium

Question 12: Among the common threat(s) faced by devices when communicating over a wireless network are:
Select one or more:
An attacker can break into any TCP or UDP port even though it is not open
Its MAC address could be sniffed by an attacker
The access point that it connects to could be a rogue access point
Its HTTP cookies can be easily sniffed even if HTTPS is used

Solution:
Its MAC address could be sniffed by an attacker
The access point that it connects to could be a rogue access point

Question 13: Choose the CORRECT statement(s) about WiFi association.
Select one or more:
It is not possible for association to be done without having to enter a password
It is possible to permit association based on device MAC address
Association refers to the process of transferring data from a wireless device to a WiFi access point
WPA3 is an authentication protocol used during WiFi association

Solution:
It is possible to permit association based on device MAC address
WPA3 is an authentication protocol used during WiFi association


Question 14: Which of the following statements are TRUE about open WiFi networks?
Select one or more:
When WPA3 is used, data transmitted in open WiFi network is encrypted
When open WiFi network is used, data is transmitted in clear text
Open WiFi network is only available in access points that support WEP
In open WiFi network, association can be done without requiring a password

Solution:
When WPA3 is used, data transmitted in open WiFi network is encrypted
When open WiFi network is used, data is transmitted in clear text
In open WiFi network, association can be done without requiring a password

Question 15: Which of the following statements are TRUE about WPA2-Personal and WPA2-Enterprise?
Select one or more:
In WPA2-Personal, a single password is shared between multiple users
In WPA2-Personal, a RADIUS server is used for authentication
In WPA2-Enterprise, each user has his own password
In WPA2-Enterprise, the access point can verify user credentials

Solution:
In WPA2-Personal, a single password is shared between multiple users
In WPA2-Enterprise, each user has his own password

Network Security Quiz

Question 1: Which of the following is the latest VPN protocol?
WireGuard
OpenVPN
IPSec
SSTP

Solution:
WireGuard


Question 2: A firewall can be implemented in the following ways EXCEPT:
As a module in a router or a switch
As a specialized firewall hardware
As a software running on a PC operating system
As a module in a network interface card

Solution:
As a module in a network interface card


Question 3: In what way is an IPS (intrusion prevention system) different from an IDS (intrusion detection system)?
An IPS can prevent an attack while an IDS can detect an attack
IDS is installed on a host while IPS is installed on a network
IPS is more intelligent than an IDS because it uses machine learning
Upon detecting a malicious activity, an IDS will only generate an alert while an IPS will attempt to take an appropriate action to mitigate the attack

Solution:
Upon detecting a malicious activity, an IDS will only generate an alert while an IPS will attempt to take an appropriate action to mitigate the attack


Question 4: Why is stateful inspection firewall more secure than the packet filtering firewall?
Stateful inspection firewall will automatically block high-numbered ports without having to specify them in the rules
Stateful inspection firewall will only allow incoming packets to high-numbered ports if they are part of an active TCP connection
Stateful inspection firewall can filter packets based on the network application
Stateful inspection firewall can allow for more specific rules

Solution:
Stateful inspection firewall will only allow incoming packets to high-numbered ports if they are part of an active TCP connection

Question 5: Which of the following security objectives are important when VPN is used for organizations?
Confidentiality and authenticity
Privacy and authenticity
Confidentiality and anonymity
Privacy and anonymity

Solution:
Confidentiality and authenticity

Question 6: An online NIDS (Network-based intrusion detection system) is characterized by:
Its ability to perform traffic evaluation in real time
Its ability to utilize online resources in detecting malicious activities
Its ability to be online 24/7 and monitor traffic all the time
Its ability to search for vulnerability signature online

Solution:
Its ability to perform traffic evaluation in real time

Question 7: Which of the following specifies the main difference between a stateful inspection firewall and a packet filtering firewall?
Stateful inspection firewall is faster
Stateful inspection firewall maintains the list of active TCP connections
Stateful inspection firewall can identify which network application the packet belongs to
Stateful inspection firewall can detect a network attack

Solution:
Stateful inspection firewall maintains the list of active TCP connections


Question 8: Which of the following security threats cannot be prevented by a firewall?
A DDoS attack coming from a specific IP address range
A staff member who attempts to use a BitTorrent application for downloading pirated software and movies
An external attacker who attempts to exploit an unused port on a server in the DMZ
A malware downloaded through Web browsing activity of staff within the organization

Solution:
A malware downloaded through Web browsing activity of staff within the organization


Question 9: Choose the correct statement regarding signature-based and anomaly-based IDS detection methods
Anomaly-based detection can detect both active and passive attacks while signature-based detection only detects passive attacks
Signature-based detection makes use of machine learning algorithms and therefore is more accurate than anomaly-based detection
Signature-based detection may suffer from false positives while anomaly-based detection is more accurate
Signature-based detection can only detect known attacks while anomaly-based detection can detect new attacks

Solution:
Signature-based detection can only detect known attacks while anomaly-based detection can detect new attacks


Question 10: Which of the following statements are TRUE about the TCP SYN flood attack?
Select one or more:
It is a type of reflector DDoS attack
It works by having the attacker pretend to establish a TCP connection to the victim but never actually complete the connection
It causes the victim to use up its system resources
It attempts to saturate the bandwidth of the victim

Solution:
It works by having the attacker pretend to establish a TCP connection to the victim but never actually complete the connection
It causes the victim to use up its system resources


Question 11: Which of the following statements are TRUE about the HTTP flood attack?
Select one or more:
It can be configured to cause the victim to use up its system resources
It can saturate the bandwidth of the victim
It works by having attackers send a large number of HTTP GET or POST messages to the victim
It is a type of reflector DDoS attack

Solution:
It can be configured to cause the victim to use up its system resources
It can saturate the bandwidth of the victim
It works by having attackers send a large number of HTTP GET or POST messages to the victim


Question 12: An SQL injection attack may allow an attacker to:
Select one or more:
Insert new data in database
Cause the web browser to execute a script belonging to the attacker
Hijack session belonging to another user
Modify existing data in database
Execute administrative operations on the database
Read data from database

Solution:
Insert new data in database
Modify existing data in database
Execute administrative operations on the database
Read data from database


Question 13: Which of the following statements are TRUE about the MAC flooding attack?
Select one or more:
It forces the switch to behave like a hub
It aims to congest the network
It causes the switch to become slow and not responsive
It causes the switch to forward packets to all outgoing ports

Solution:
It forces the switch to behave like a hub
It causes the switch to forward packets to all outgoing ports


Question 14: The man-in-the-middle (MITM) attacks compromise which of the following security objectives?
Select one or more:
Confidentiality
Availability
Integrity
Authenticity

Solution:
Confidentiality
Integrity
Authenticity

Question 15: Say that PC_A is communicating with PC_B in a LAN. An attacker (PC_X) wants to read all the messages sent from PC_B to PC_A. This can be achieved by doing ARP cache poisoning on PC_B. The IP address and MAC address of the three PCs are as follows:
PC_A: IP address = 172.18.20.15, MAC address = 28:2A:3C:D4:56:98
PC_B: IP address = 172.18.20.20, MAC address = 97:12:AC:AB:8E:9C
PC_X: IP address = 172.18.20.101, MAC address = CA:98:65:7A:D1:12
What is the ARP entry that you need to insert into PC_B's ARP table?
IP address: 172.18.20.101, MAC address: 28:2A:3C:D4:56:98
IP address: 172.18.20.15, MAC address: 28:2A:3C:D4:56:98
IP address: 172.18.20.15, MAC address: CA:98:65:7A:D1:12
IP address: 172.18.20.20, MAC address: CA:98:65:7A:D1:12

Solution:
IP address: 172.18.20.15, MAC address: CA:98:65:7A:D1:12

Computer Forensics Quiz

Question 1: ________ is a unique identifier assigned to network interfaces for communications on the physical network segment.
A. Domain Name System
B. Traceroute
C. MAC Address
D. Internet Protocol (IP) Addresses

Solution:
MAC Address

Question 2: ________ is a unique address assigned to every computer connected to the network.
A. MAC Address
B. Domain Name System
C. Internet Protocol (IP) Addresses
D. Traceroute

Solution:
Internet Protocol (IP) Addresses

Question 3: Which of the following are the possible locations to look for evidence in a network?
(I) From the victim computer
(II) From the attacked computer and intermediate computers
(III) From firewalls
(IV) From internetworking devices
A. (I), (II), (III) and (IV)
B. (II), (III) and (IV)
C. (I) and (II)
D. (I), (II) and (III)

Solution:
(I), (II), (III) and (IV)

Question 4: A(n) ________ detection system is hardware or software used to monitor network traffic for malicious activity. It can provide alerts when suspicious activity occurs and provide detailed logging information with professional reporting capabilities.
A. firewall
B. intrusion
C. application
D. prevention

Solution:
intrusion

Question 5: Which of the following is used by a network administrator to inspect data packets on a network and determine, based on its set of rules, whether each packet should be allowed through?
A. Content filter
B. Sandbox
C. Packet capturing
D. Firewall

Solution:
Firewall

Question 6: Which of the following security tools would BEST be used for identifying and reacting to an attack by shutting down a port or dropping certain types of packets?
A. Intrusion Prevention System
B. Intrusion Detection System
C. Security Information and Event Manager (SIEM)
D. Sandbox

Solution:
Intrusion Prevention System

Question 7: Which of the following information cannot be revealed by network forensics?
A. Intrusion techniques used by attackers
B. Hardware configuration of the attacker’s system
C. Path of intrusion
D. Source of security incidents and network attacks

Solution:
Hardware configuration of the attacker’s system

Question 8: _______ can be used to determine the path a transmitted e-mail has taken.
A. Router logs
B. Application programs
C. Text editors
D. Internal memory

Solution:
Router logs

Question 9: Tracking internet e-mail users is more difficult because these accounts don’t always use standard naming schemes.
True
False
Solution:
True


Question 10: If we have obtained a warrant to conduct a social media forensics investigation for a specific social media account, but the suspect refuses to cooperate, we can use any workstation to search Google for information about the suspect on social media.
True
False

Solution:
False


Question 11: E-mail is a major communication medium and some people may use e-mail when committing crimes such as narcotics trafficking, extortion, sexual harassment, stalking, fraud, child abductions, terrorism, child pornography, and so on. After you have determined that a crime has been committed involving e-mail, what’s the main piece of information you look for in an e-mail message you’re investigating?
A. Sender or receiver’s e-mail address.
B. Subject line content.
C. Message number.
D. Originating e-mail domain or IP address.

Solution:
Originating e-mail domain or IP address.


Question 12: Which of the following is NOT a possible location where mobile device information might be stored?
A. SIM card
B. Power cable
C. Internal memory
D. Removable or external memory card

Solution:
Power cable

Question 13: Malware analysis is the process of determining the _______ and ______ of a given malware sample such as a virus, worm, or backdoor.
A. purpose; functions
B. platform; operations
C. problem; functions
D. technology; operations

Solution:
purpose; functions


Question 14: If investigators find a piece of evidence in the cloud that proves a particular IoT device at the crime scene is the cause of the crime, it will be easier to identify the criminal based on the registered account for the cloud service.
True
False

Solution:
False


Question 15: ________ analysis is the process of studying a program without actually executing it.
A. Hybrid
B. Static
C. Dynamic
D. Statistic

Solution:
Static


Question 16:

Computer Forensics Quiz

Question 1: ________ can point to items on other drives or other parts of the network.
A. Full links
B. Half links
C. Soft links
D. Hard links

Solution:
Soft links


Question 2: To acquire RAID disks, you need to determine the _____ of RAID and which acquisition _____ to use.
A. location; size
B. location; type
C. type; tool
D. size; tool

Solution:
type; tool


Question 3: In Windows 8 and later versions, a USB’s last insertion and removal timestamps are stored in the registry hive:
A. SYSTEM
B. SOFTWARE
C. SAM
D. SECURITY

Solution:
SYSTEM


Question 4: A deleted file is any file that has been ________ erased from the file system but may still remain ________ on storage media.
A. logically; physically
B. logically; forensically
C. physically; logically
D. physically; forensically

Solution:
logically; physically

Question 5: A _______ is a data acquisition method that is similar to logical acquisition but also collects fragments of unallocated (deleted) data.
A. sparse acquisition
B. disk-to-disk copy
C. disk-to-image file
D. logical acquisition

Solution:
sparse acquisition

Question 6: Which of the following is NOT an expected technology used in a data centre?
A. Server uses Linux or Unix operating system.
B. Database may be on a separate server.
C. May use virtualization technology.
D. May use Windows 98 as email server.

Solution:
May use Windows 98 as email server.

Question 7: Forensics acquisition can be done in static and live modes.
a) Describe the concept of live acquisition in digital forensics.
b) Discuss TWO (2) cases in which live acquisition should be considered in finding potential crime evidence.

Solution:
a) The acquisition of a live device is mainly of concern to digital investigators and incident responders, who must normally follow protocols and policies that produce forensically sound duplicates.
When gathering data from a live device for analysis, we are most concerned with volatile data, which is irretrievable once the system is turned off.
In an ideal process each stage of the acquired by previous stage.
It is difficult to find optimal procedures; however, we should try.
Computer data is classified into two types: volatile data and permanent data.
When the computer is turned off, all volatile data is lost, changed or made unavailable.
Anything else is permanent data, which can be accessed even after the power is turned off.
The passing of time or the acquisition process itself can further alter volatile data.
RAM is the best example of volatile data because it loses its contents very easily after the machine is turned off.

b) One of the cases in which live acquisition is good is when the user who committed the crime has a device running and the crime was committed fairly recently, so that evidence can be found in the RAM.
Another case could be when the device is password protected and the criminal is not cooperative; then the RAM can give hints about the password, and sometimes password information for TrueCrypt and other encryption programs can be found in RAM.

Question 8: In the event of a forensics investigation, Windows Event Logs serve as a primary source of evidence, as the operating system logs all of the system's activities. Explain how Windows Event Logs can help in a forensics investigation and list TWO (2) types of events that are recorded in Windows event logs.

Solution:
Based on the logging details and the discovered objects, a Windows event log review will assist an investigator in creating a timeline.
The Windows event logs assist in reconstructing the sequence of events to aid in an investigation.
Any incident that has an impact on the system may be registered as an event:
<Incorrect login attempt> <Hack breach>
<System settings change> <Application failure>
<System failure> and so on.

Consider the following scenario:
A hacker attempts to remotely break into the device. First, the hacker can brute force the system, and those logs would be found in Security; when the user is successful in breaking into the device,
another log is created in protection excepts IP address, which may aid in the investigation.

  Question 9:

Computer Forensics Quiz 3

 Question 1: In digital forensic analysis, we use MAC times to create a timeline of activities. Timeline analysis is considered an important element in most digital forensics investigations because:
(I) It gives a holistic view of the succession of events that have happened to the system.
(II) It allows investigators to save their investigation time by reducing the volume of data that needs to be investigated to a specific timeframe.
(III) It helps investigators reconstruct data to identify when activities occurred on a computer and in what sequence.
(IV) It helps the investigators to re-create the events of the crime and trace back the steps of the suspect/victim.
A. (I), (II), (III) and (IV)
B. (I), (II) and (III) only
C. (I), (III) and (IV) only
D. (I), (II) and (IV) only

Solution:
(I), (II), (III) and (IV)

 Question 2: In Windows 8 and later versions, user account information for users and groups on the system are stored in the registry hive:
A. SECURITY
B. SAM
C. SOFTWARE
D. SYSTEM

Solution:
SAM

Question 3: In Windows 8 and later versions, a USB’s last insertion and removal timestamps are stored in the registry hive:
A. SYSTEM
B. SAM
C. SECURITY
D. SOFTWARE

Solution:
SYSTEM

Question 4:  It refers to a cluster (or a portion of a cluster) that is not being used by the current data. It may contain no data at all or data from a previously deleted file. The above statements refer to:
A. slack space
B. portion space
C. allocated space
D. deleted space

Solution:
slack space

Question 5: When a document is printed, which of these files are created during the spooling process?
(I) A shadow file (.SHD) that contains information about the print job.
(II) A spool file (.SPL) that contains the document’s contents.
(III) A temp file (.TMP) for temporarily storing the information about the print job.
A. (I) and (III) only
B. (I) and (II) only
C. (II) and (III) only
D. (I), (II) and (III)

Solution: 
(I) and (II) only

 Question 6: In Windows Vista or a later OS, when a file is sent to the $Recycle.Bin, metadata information such as the file’s original filename/path information, size, and date/time moved to the $Recycle.Bin, is created and stored in:
A. An INFO2 file
B. A $R file
C. A $I file
D. An INFO file

Solution:
A $I file

Question 7: A ________ is a pointer that allows accessing the same file by different filenames.
A. half link
B. hard link
C. soft link
D. full link

Solution:
hard link


 Question 8: ________ can point to items on other drives or other parts of the network.
A. Half links
B. Full links
C. Hard links
D. Soft links

Solution:
Soft links


 Question 9:____________ are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.
A. Vector images
B. Metafile images
C. Forensic images
D. Raster images

Solution:
Vector images

 Question 10: ____________ are collections of dots, or pixels, in a grid format that form a graphic.
Select one:
A. Raster images
B. Forensic images
C. Metafile images
D. Vector images

Solution:
Raster images

 Question 11: You use ______________ to create, modify, and save raster, vector, and metafile graphics.
A. clone editors
B. image viewers
C. graphics editors
D. write blockers

Solution:
graphics editors

Computer Forensics Quiz 2

 Question 1: Which of the following is NOT the expected technology used in Data Centre?
A. Server uses Linux or Unix operating system.
B. May use Windows 98 as email server.
C. May use virtualization technology.
D. Database may be on a separate server.

Solution:
May use Windows 98 as email server.


Question 2: A disk-to-disk copy acquisition method is required due to the following reasons:
(i) Hardware or software errors
(ii) Hardware or software incompatibilities
(iii) To acquire older drives
(iv) To capture only specific files of interest to the case
A. (ii), (iii) and (iv)
B. (i), (ii) and (iii)
C. (i), (ii) and (iv)
D. (i), (iii) and (iv)

Solution:
(i), (ii) and (iii)

Question 3: Static acquisition is the process of acquiring data from a hard drive that remains unaltered when the system is powered off or shutdown. This acquisition type is performed due to the following reasons, EXCEPT:
A. Non-critical systems that can be shut down
B. Volatile data is more important than deleted files
C. Deleted files are more important than volatile data
D. The memory does not contain important data

Solution:
Volatile data is more important than deleted files

Question 4:  A deleted file is any file that has been ________ erased from the file system but may still remain ________ on storage media.
A. physically; logically
B. physically; forensically
C. logically; physically
D. logically; forensically

Solution:
logically; physically

Question 5: To acquire RAID disks, you need to determine the _____ of RAID and which acquisition _____ to use.
A. type; tool
B. location; type
C. location; size
D. size; tool

Solution:
type; tool


Question 6: Which of the following is NOT the expected exhibit that can be found at home?
A. Laptop
B. Wireless router
C. Desktop computer
D. RAID server

Solution:
RAID server

Question 7: What is the biggest concern when acquiring data from a RAID server?
A. Size
B. Firewall program
C. Access permissions
D. Data transfer speeds

Solution:
Size

Question 8: Live acquisition is the process of acquiring data from a running computer (already powered on when encountered at a crime scene) that would be lost when it powered off. This acquisition type is performed due to the following reasons, EXCEPT:
A. Deleted files are more important than volatile data.
B. Volatile data is more important than deleted files.
C. The memory contains important data.
D. Business-critical systems that cannot be shut down.

Solution:
Deleted files are more important than volatile data.

Computer Forensics Quiz 1

Question 1: __________ evidence is the evidence of those who relate, not what they know themselves, but what they have heard from others.
A. Exculpatory
B. Inculpatory
C. Tainted
D. Hearsay

Solution:
Hearsay


Question 2: Kingston is the security administrator of XYZ Corporation. One day he finds the company's database server has been compromised, and the customer information has been stolen along with financial data. The financial loss will be in millions of dollars if the competitors take the database into their hands. Kingston wants to report directly to law enforcement authorities. Which act caters offenses relating to the misuse of computers in Malaysia?
Select one:
A. Cyber Crime Act 2010
B. Digital Evidence Act 1997
C. Copyright Act 1987
D. Computer Crimes Act 1997

Solution:
Computer Crimes Act 1997


Question 3: You are assigned to work in a state police agency's Computer Forensics laboratory. While working on a high-profile criminal case, you have followed every applicable procedure, but your superior is still worried that the defense attorney might question whether evidence has been modified while at the laboratory. What would you do to ensure the proof is the same as when it first went into the laboratory?
A. Sign a letter confirming that the evidence is the same as it was when it entered the laboratory.
B. Generate the hash value of the evidence and compare it to the standard database developed by the police agency.
C. Create a new image of the evidence, encrypt the evidence to avoid any changes and send the encrypted evidence to the defense attorney.
D. Generate the hash value of the evidence and compare it with the original hash value that was taken when the evidence first entered the laboratory.

Solution:
Generate the hash value of the evidence and compare it with the original hash value that was taken when the evidence first entered the laboratory.

Question 4: Evidence that indicates the suspect is innocent of the crime.
The above statement refers to __________ evidence.
A. tainted
B. hearsay
C. inculpatory
D. exculpatory

Solution:
exculpatory

Question 5:  When capturing a system image from a computer system, what type of device should you use when connecting to the evidence drive?
A. Extract blocker
B. Write blocker
C. Read blocker
D. Chain blocker

Solution:
Write blocker

Question 6: Chain of custody in digital forensics investigation is referred to as a _____________________________.
A. Document to track the movement of evidence.
B. Suspects and witnesses involved in the crime investigation.
C. Formal letter to attend court trial.
D. Payment slip for forensic investigator.

Solution:
Document to track the movement of evidence.

Question 7: You suspect that the workstation of a user is infected with malware and are about to begin an investigation. If you want to minimize the risk of infecting other devices on your network with this workstation, but you also want to retain as much evidence as possible, which of the following should you do?
A. Remove all USB drives and peripherals from the workstation.
B. Isolate from network.
C. Shut down the workstation.
D. Pull the power cord from the workstation.

Solution:
Isolate from network.

Question 8: When preserving digital evidence, the evidence must be___________.
A. located close to electric source
B. uniquely labelled
C. transported immediately
D. powered ON all the time

Solution:
uniquely labelled

Question 9:  _________ is an exact bit-for-bit copy in a form same as the original exhibit (identical)
A. Chain
B. Extract
C. Clone
D. Image

Solution:
Clone

Question 10: Evidence that indicates a suspect is guilty of the crime he or she is charged with.
The above statement refers to __________ evidence.
A. tainted
B. exculpatory
C. hearsay
D. inculpatory

Solution:
inculpatory


Question 11: When dealing with the powered-off computers at the crime scene, if the computer is switched off, turn it on.
True
False

Solution:
False


Question 12: Under what circumstances can an investigator conduct a search without a search warrant?
A. When the premise owner instructed the investigator.
B. When the case involves other parties such as Internet Service Provider (ISP) companies.
C. When the investigator believes that if the search is not done at the current time, the evidence will be lost or destroyed.
D. When the investigator needs to record dates for items related to the investigation.

Solution:
When the investigator believes that if the search is not done at the current time, the evidence will be lost or destroyed.

Question 13: Computers can be evidence in crimes involving fraud and human trafficking.
True
False

Solution:
True

Question 14: Which of the following is NOT an example of a cyber crime?
A. Firing an employee for misconduct.
B. Fraud achieved by the manipulation of the computer records.
C. Intellectual property theft, including software piracy.
D. Deliberate circumvention of the computer security systems.

Solution:
Firing an employee for misconduct.

Question 15: A 2017 story from Digital Forensics Magazine describes a hit-and-run car crash caused by the driver of a dark SUV without lights on. The SUV hit a car, ran into a clump of trees and then drove off. Police were able to locate an SUV that fit the description. After downloading data from its on-board diagnostics, infotainment and telematics systems, police were able to determine that the vehicle had passed the scene at the approximate time the crash had occurred, that the lights had not been on and that the SUV had been placed in reverse and forward several times immediately after the time of the crash in the proximity of the damaged trees. Police also found other implicating details of the SUV’s trip that night from routes and destinations in the navigation system. From the case study, explain what kind of information that can be found from the vehicle that helps police to determine the conclusion of the case.

Solution: The SUV's navigation system can be forensically investigated. Its data shows that the SUV passed the scene exactly at the time the accident happened, records the movement of the SUV (reversing and moving forward many times after the crash), and contains the route of the car, which is similar to the one described in the accident.

Question 16:  Which of the following are the main activities during the Identification phase?
(i) Gather information about types of crime.
(ii) Identify the resources you may need at the crime scene.
(iii) Gather information about the location related to the crime.
(iv) Analyze the image copy.
A. (i), (ii) and (iii)
B. (i), (iii) and (iv)
C. (ii) and (iv)
D. (ii), (iii) and (iv)

Solution:
(i), (ii) and (iii)


Question 17: It is important to sketch the crime scene for the purpose of _____________ details of the scene.
A. refurbishing
B. reenergizing
C. recreating
D. renovating

Solution:
recreating