Exam (elaborations)

Wgu C702 - Forensics and Network Intrusion Exam (Questions & Answers) Passed!!

Pages
11
Grade
A+
Uploaded on
25-03-2024
Written in
2023/2024

Civil Case - Answer-A case involving a noncriminal matter such as a contract dispute or a claim of patent infringement between two parties.

Criminal Case - Answer-A type of case that involves actions that go against the interests of society; the burden of proving that the accused is guilty lies entirely with the prosecution.

Administrative Investigation - Answer-An internal investigation by an organization to discover if its employees, clients, and partners are complying with the rules or policies.

Linux Boot Process - Answer-
1. BIOS Stage: First stage. It initializes the system hardware during the booting process. The BIOS retrieves the information stored in the complementary metal-oxide semiconductor (CMOS) chip, which is a battery-operated memory chip on the motherboard that contains information about the system's hardware configuration. During the boot process, the BIOS performs a POST to ensure that all the hardware components of the system are operational.
2. Bootloader Stage: Second stage. The bootloader stage includes the task of loading the Linux kernel and optional initial RAM disk. The kernel enables the CPU to access RAM and the disk.
3. Kernel Stage: Third stage. Once the control shifts from the bootloader stage to the kernel stage, the virtual root file system created by the initrd image executes the Linuxrc program. This program generates the real file system for the kernel and later removes the initrd image.

42 4D - Answer-BMP

FF D8 FF - Answer-JPEG (Joint Photographic Experts Group)

47 49 46 - Answer-GIF

49 49 4D4D - Answer-TIF/TIFF

Virtual File System (VFS) - Answer-A common software interface that sits between the kernel and real file systems. We can mount multiple different types of file systems on the same Linux installation, and they will appear uniform to the user and to all other applications; examples include /proc/, /sys/, /boot/initramfs, devtmpfs, and debugfs.

Superblock - Magic number - Answer-Allows the mounting software to verify the Superblock for the ext2 file system. For the present ext2 version, it is 0xEF53.

Superblock - Revision Level - Answer-The major and minor revision levels allow the mounting code to determine whether a file system supports features that are only available in particular revisions of the file system.

Superblock - Mount count - Answer-These allow the system to determine if it needs to fully check the file system. The mount count is incremented each time the system mounts the file system.

Sector - Answer-Section of the platter holding data. Shaped like a slice of pizza.

Tracks - Answer-The tracks are the thin concentric circular strips of sectors. At least one head is required to read a single track.

Cylinders - Answer-A cylinder is a division of data in a disk drive, as used in the CHS addressing mode of a Fixed Block Architecture disk or the cylinder-head-record (CCHHR) addressing mode of a CKD disk.

Head - Answer-Reads and writes data in a hard drive by manipulating the magnetic medium that composes the surface of an associated disk platter.

Clusters - Answer-These are the smallest accessible storage units on a hard disk. File systems divide the volume of data stored on the disk into discrete chunks of data for optimal performance and efficient disk usage. Clusters are formed by combining sectors to ease the process of handling files. Also called allocation units, clusters are sets of tracks and sectors ranging from cluster number 2 to 32 or higher, depending on the formatting scheme. File allocation systems must be flexible to allocate the required sectors to files. The allocation can be of the size of one sector per cluster. Any read or write process consumes a minimum space of one cluster.

Program Packers - Answer-Used by attackers to hide their data. In this regard, the technique is similar to cryptography. The packers compress the files using various algorithms. Hence, unless the investigators know the tool that has been used to pack the file and have a tool to unpack it, they will not be able to access it.

Windows Logged-On Commands - Answer-Net Sessions, PSLoggedOn, LogonSessions

Net file - Answer-A Windows command used to determine open files.

Nbtstat -c - Answer-A command used to display the NetBIOS name table cache in Windows and active TCP (or UDP) connections, as well as a host of other statistics.

Microsoft Security ID - Answer-Refers to a unique identification number that Microsoft assigns to a Windows user account for granting the user access to a particular resource.

Wevtutil - Answer-This tool enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests; to run queries; and to export, archive, and clear logs.

Commands for showing Windows Processes - Answer-Pslist, Tasklist, Listdlls, Handle

Institution
Wgu C702 - Forensics And Network Intrusion
Course
Wgu C702 - Forensics and Network Intrusion









Seller: Brainarium Delaware State University