Flashcards in IS3440 CHAP 14 DETECTING AND RESPONDING TO SECURITY BREACHES Deck (28):
COMMAND ___ is known as the disk dump command; it supports a full copy of all data on a partition, volume, or drive.
COMMAND ___ is a variation on the dd command that reads data from back to front on a specified partition, volume, or drive. It is more error tolerant than dd.
COMMAND ___ is a command that lists libraries used by a specified command; its use requires the full path to the target command.
COMMAND ___ is a file that dynamically represents the contents of RAM on the local system.
COMMAND ___ is a command that synchronizes files from one location to another; may be used in conjunction with SSH.
COMMAND ___ is a command that traces the system calls used by another command; primarily used for troubleshooting.
COMMAND ___ is a package that tracks the RAM and CPU usage on a system, with the help of the 'cron' service.
COMMAND ___ is a command that lists currently logged-in users and the process currently being run by each user.
COMMAND ___ is a command that lists currently logged-in users.
___ is an abbreviation for Computer Aided Investigative Environment, a bootable live CD distribution available from http://caine-live.net/.
___ is built on Ubuntu Linux. It includes a number of live tools for recovering data from live Microsoft operating systems.
___ is a live CD distribution that incorporates the tools associated with the Sleuth Kit.
Master Key Linux
___ is a system for bug reports on Red Hat distributions.
Red Hat Bugzilla
___ is a package of tools that can be used to save volatile data; intended for use on read-only media as commands on compromised systems.
1. Which of the following COMMANDS can display the free memory in RAM and in a swap partition? (Select two)
2. It is important to have a security policy that applies to users for how they do their backups.
TRUE OR FALSE
3. What command reads log files created through the system status tool?
4. Which of the following COMMANDS is used to identify users who have since logged out?
5. Which of the following file extensions is NOT associated with software packages?
6. Which of the following is most important to recover from a compromised system before powering it down?
4. None of the above
7. Which of the following FILES is most likely to change when a system is powered down?
8. Which of the following COMMANDS is least useful for recovering data from a live system?
9. What command can be used to duplicate the contents of a partition by its device file?
10. Which of the following COMMANDS is NOT associated with compiling the source code associated with other commands?
3. make install
11. Which of the following actions is normally done from a forensic operating system booted from live media, when connected to a compromised hard drive?
1. Recovering information from RAM
2. Making a copy of the /proc/kcore file
3. Recovering information from a swap partition
4. Copying the contents of /etc/mtab
Recovering information from a swap partition
12. Which of the following commands does NOT include free space in the duplication process?
13. Which of the following steps is NOT appropriate when saving compromised data from a hard drive?
1. Keeping a compromised system connected to a network during an investigation
2. Taking special care to avoid overwriting data in a swap partition
3. Booting a live Knoppix CD distribution
4. Powering down a compromised system after saving dynamic data
Booting a live Knoppix CD distribution