IS3440 CHAP 14 DETECTING AND RESPONDING TO SECURITY BREACHES Flashcards

1
Q

COMMAND ___ is known as the disk dump command, it supports a full copy of all data on a partition, volume, or drive.

A

dd

2
Q

COMMAND ___ is a variation on the dd command that reads data from back to front on a specified partition, volume, or drive. It is more error tolerant than dd.

A

dd_rescue

3
Q

COMMAND ___ is a command that lists libraries used by a specified command; its use requires the full path to the target command.

A

ldd

4
Q

COMMAND ___ is a file that dynamically represents the contents of RAM on the local system.

A

/proc/kcore

5
Q

COMMAND ___ is a command that synchronizes files from one location to another; it may be used in conjunction with SSH.

A

rsync

6
Q

COMMAND ___ is a command that traces the system calls used by another command; primarily used for troubleshooting.

A

strace

7
Q

COMMAND ___ is a package that tracks the RAM and CPU usage on a system, with the help of the ‘cron’ service.

A

sysstat

8
Q

COMMAND ___ is a command that lists currently logged-in users and the process each of them is currently running.

A

w

9
Q

COMMAND ___ is a command that lists currently logged-in users.

A

who

10
Q

___ is an abbreviation for Computer Aided Investigative Environment, a bootable live CD distribution available from http://caine-live.net/.

A

CAINE

11
Q

___ is built on Ubuntu Linux. It includes a number of live tools for recovering data from live Microsoft operating systems.

A

DEFT

12
Q

___ is a live CD distribution that incorporates the tools associated with the Sleuth Kit.

A

Master Key Linux

13
Q

___ is a system for bug reports on Red Hat distributions.

A

Red Hat Bugzilla

14
Q

___ is a package of tools that can be used to save volatile data; intended for use on read-only media as commands on compromised systems.

A

Sleuth Kit

15
Q
Which of the following COMMANDS can display the free memory in RAM and in a swap partition? (Select two)

  1. free
  2. mem
  3. top
  4. swapon
A

free

top

16
Q
It is important to have a security policy that applies to users for how they do their backups.
TRUE OR FALSE
A

FALSE

17
Q
What command reads log files created through the system status tool?
A

sar

18
Q
Which of the following COMMANDS is used to identify users who have since logged out?

  1. who
  2. w
  3. last
  4. sar
A

last

19
Q
Which of the following file extensions is NOT associated with software packages?

  1. .odt
  2. .tar.gz
  3. .rpm
  4. .deb
A

.odt

20
Q
Which of the following is most important to recover from a compromised system before powering it down?

  1. /home/
  2. /etc/fstab
  3. /proc/kcore
  4. None of the above
A

/proc/kcore

21
Q
Which of the following FILES is most likely to change when a system is powered down?

  1. /etc/mtab
  2. /etc/fstab
  3. /etc/boot/grub/menu.1st
  4. /etc/crontab
A

/etc/mtab

22
Q
Which of the following COMMANDS is least useful for recovering data from a live system?

  1. nc
  2. vi
  3. dmesg
  4. cat
A

vi

23
Q
What command can be used to duplicate the contents of a partition by its device file?
A

dd

24
Q
Which of the following COMMANDS is NOT associated with compiling the source code associated with other commands?

  1. config
  2. configure
  3. make install
  4. make
A

config

25
Q

Which of the following actions is normally done from a forensic operating system booted from live media, when connected to a compromised hard drive?

  1. Recovering information from RAM
  2. Making a copy of the /proc/kcore file
  3. Recovering information from a swap partition
  4. Copying the contents of /etc/mtab
A

Recovering information from a swap partition

26
Q
Which of the following commands does NOT include free space in the duplication process?

  1. rsync
  2. dd
  3. dd_rescue
  4. icat
A

rsync

27
Q
Which of the following steps is NOT appropriate when saving compromised data from a hard drive?

  1. Keeping a compromised system connected to a network during an investigation
  2. Taking special care to avoid overwriting data in a swap partition
  3. Booting a live Knoppix CD distribution
  4. Powering down a compromised system after saving dynamic data
A

Booting a live Knoppix CD distribution

28
Q
Which of the following steps should you take if you’ve identified a new security problem with open source software?

  1. Share the concern on a standard mailing list for the distribution
  2. Share the concern on a standard mailing list for the compromised software
  3. Communicate privately with the developers of the compromised software
  4. Nothing, as it is important to protect proprietary information in the open source community
A

Communicate privately with the developers of the compromised software