# CHFI2 Midterm

1. Which of the following techniques involves the analysis of logs to detect and study an incident that may have already occurred in a network or device?
   - [X] Postmortem
   - [ ] Steganalysis
   - [ ] Social engineering
   - [ ] Cryptanalysis

2. Which of the following is a program that bundles all files together into a single executable file via compression to bypass security software detection?
   - [ ] Obfuscator
   - [ ] Dropper
   - [ ] Payload
   - [X] Packer

3. Identify the malware distribution technique in which attackers use tactics such as keyword stuffing, doorway pages, page swapping, and the addition of unrelated keywords to get a higher web ranking for their malware pages.
   - [X] Blackhat search engine optimization
   - [ ] Drive-by downloads
   - [ ] Spear phishing sites
   - [ ] Social engineered clickjacking

4. In which of the following methods do attackers often use packers to compress, encrypt, or modify a malware executable file to avoid detection?
   - [ ] Malware disassembly
   - [X] Obfuscation
   - [ ] File fingerprinting
   - [ ] Performing string search

5. Which of the following is a dedicated high-speed network that provides access to consolidated block-level storage, is a network by itself, and is not affected by network traffic such as bottlenecks in the LAN?
   - [X] SAN
   - [ ] SSD
   - [ ] HDD
   - [ ] NAS

6. Which of the following fields of an IIS log entry can be reviewed to determine whether a request made by a client was fulfilled without an error?
   - [X] sc-status
   - [ ] cs-method
   - [ ] cs-username
   - [ ] cs(User-Agent)

7. Identify the element of the Apache core that is responsible for managing routines, interacting with the client, and handling all the data exchange and socket connections between the client and the server.
   - [ ] http_main
   - [ ] http_request
   - [ ] http_core
   - [X] http_protocol

8. Which of the following tools allows a forensic investigator to extract web activity information, such as the event timestamp, port, server status code, etc., during an investigation?
   - [ ] CRITIFENCE
   - [ ] Suphacap
   - [X] HttpLogBrowser
   - [ ] Postman

9. In which of the following attacks does an attacker exploit "http" to gain access to unauthorized directories and execute commands outside the web server's root directory?
   - [X] Path traversal
   - [ ] Buffer overflow
   - [ ] Unvalidated input
   - [ ] Denial of service (DoS)

10. Which of the following tools can be used by a forensic investigator to perform Apache log analysis during an investigation?
    - [ ] FaceNiff
    - [X] GoAccess
    - [ ] iStumbler
    - [ ] Halberd

11. Which of the following parameters in the Apache common log format represents the client's IP address?
    - [X] `%h`
    - [ ] `%l`
    - [ ] `%u`
    - [ ] `%t`

12. Given below are the various steps investigators follow while performing the forensic acquisition of an Amazon EC2 instance that is suspected to be compromised.

    > 1. Provision and launch a forensic workstation
    > 2. Mount the evidence volume onto the forensic workstation
    > 3. Take a snapshot of the EC2 instance
    > 4. Attach the evidence volume to the forensic workstation
    > 5. Isolate the compromised EC2 instance from the production environment
    > 6. Create an evidence volume from the snapshot

    Identify the correct sequence of steps involved in the forensic acquisition of an Amazon EC2 instance.
    - [ ] 1 → 4 → 5 → 6 → 3 → 2
    - [ ] 6 → 1 → 5 → 2 → 3 → 4
    - [ ] 2 → 1 → 4 → 3 → 6 → 5
    - [X] 5 → 3 → 1 → 6 → 4 → 2

13. Which of the following tools will help Andrews in the above scenario?
    - [ ] Banner grabbing
    - [ ] Honeypot
    - [X] Sniffer
    - [ ] Scanning

14. Identify the obfuscation method employed by the attacker in the above scenario.
    - [ ] In-line comment
    - [ ] Double encoding
    - [X] White space manipulation
    - [ ] Replaced keywords

15. The following regular expression can be used for detecting a typical SQL injection attack:

    > ```
    > /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
    > ```

    Identify the signature in the above expression that searches for the word "or" with various combinations of its hex values (both uppercase and lowercase combinations).
    - [ ] `((\%27)|(\'))`
    - [X] `((\%6F)|o|(\%4F))((\%72)|r|(\%52))`
    - [ ] Union
    - [ ] `\w*`

16. Carlos, a forensic analyst, was investigating a system that had been compromised earlier. He started the investigation process by extracting the Apache access log entries and searching for malicious HTML tags or their hex equivalents in HTTP requests. Carlos identified some encoded values, such as `%3Cscript%3Ealert%28XSS%29%3C%2Fscript%3E`, in the query string. He assumed it was an XSS attack and decoded them. Which of the following characters is the hex value `%29` equivalent to in the above scenario?
    - [ ] `(`
    - [ ] `>`
    - [ ] `<`
    - [X] `)`

17. Identify the artifact that helps an investigator explore the Tor browser when it has been uninstalled from a machine or installed in a location other than the Windows desktop.
    - [ ] Rp.log files
    - [X] Prefetch files
    - [ ] Image files
    - [ ] PDF files

18. Peter, a forensic investigator, was investigating an incident that occurred on a Windows server. As part of the investigation, he examined the DNS entries in the cache to understand whether any malware was attempting to contact a specific domain name. Identify the type of analysis performed by Peter in the above scenario.
    - [ ] System behavior analysis
    - [ ] Cryptanalysis
    - [X] Network behavior analysis
    - [ ] Power analysis

19. Williams, a forensics specialist, collected a malware sample from a suspect machine. He analyzed the malware sample on his workstation in binary format to study its functionalities and features. He employed an automated tool called OllyDbg to identify the language used to program the malware and searched for APIs that reveal its function. Identify the malware analysis technique performed by Williams in the above scenario.
    - [ ] Performing string searches
    - [X] Malware disassembly
    - [ ] Identifying packing or obfuscation methods
    - [ ] File fingerprinting

20. Given below is the syntax of the netstat command.

    > `netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]`

    Identify the netstat parameter that is used to display active TCP connections and includes the process ID (PID) for each connection.
    - [ ] -n
    - [X] -o
    - [ ] -r
    - [ ] -p

21. Given below are the various steps involved in creating and analyzing snapshots of a persistent disk on the Google Cloud Platform.

    > 1. Delete the instant snapshot after creating a long-term snapshot
    > 2. View the instant snapshots for a disk
    > 3. Create an instant snapshot of a persistent disk volume
    > 4. Copy an instant snapshot to a different location

    Identify the correct sequence of steps involved in the forensic acquisition of persistent disk volumes.
    - [ ] 1 → 2 → 3 → 4
    - [ ] 2 → 3 → 1 → 4
    - [ ] 4 → 3 → 2 → 1
    - [X] 3 → 2 → 4 → 1

22. Which of the following tools is used by a forensic investigator to search, analyze, and visualize VPN logs in multiple formats?
    - [X] Elastic Stack
    - [ ] JumpListsView
    - [ ] DevCon
    - [ ] ShellBagsView

23. Which of the following is an 802.11 network discovery tool that gathers information about nearby wireless APs in real time and displays it in different diagnostic views and charts?
    - [X] NetSurveyor
    - [ ] Free Hex Editor Neo
    - [ ] ESEDatabaseView
    - [ ] Hex Workshop

24. Which of the following tools allows forensic investigators to perform Apache log analysis during an investigation?
    - [ ] FaceNiff
    - [ ] iStumbler
    - [X] GoAccess
    - [ ] Halberd

25. Which of the following AWS services helps forensic investigators monitor and analyze various log sources, such as Amazon S3 logs, CloudTrail management event logs, DNS logs, etc., to identify security threats?
    - [ ] ModSecurity
    - [X] GuardDuty
    - [ ] XRY LOGICAL
    - [ ] Autopsy
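Questions 11, 15 and 16 together describe one workflow: read the Apache common log format (`%h` is the client IP), run a SQL-injection signature over the request, and URL-decode hex escapes such as `%29` to expose an encoded XSS payload. The script below is an added example written for this page, not code from the quiz or from EC-Council; the log lines are constructed (RFC 5737 test addresses), the `SQLI_OR_SPACED_RE` pattern and the function names are this example's own assumptions, and the first SQLi pattern is the quiz's regex copied as written. It also shows the caveat a practitioner should know: the quiz regex requires "or" immediately after the quote, so `%27%20OR` (quote, space, OR) slips past it.

```python
"""Apache access-log triage (added example, not from the quiz source).

Parses Common Log Format lines, applies the quiz's SQL-injection 'or'
signature, and URL-decodes request data to expose encoded XSS payloads.
"""
import re
from urllib.parse import unquote

# Apache CLF (LogFormat "%h %l %u %t \"%r\" %>s %b common"):
#   %h client IP, %l identd name, %u authenticated user, %t timestamp,
#   %r request line, %>s final status code, %b response bytes ("-" if none)
CLF_RE = re.compile(
    r'^(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] '
    r'"(?P<r>[^"]*)" (?P<s>\d{3}) (?P<b>\S+)$'
)

# Signature from the quiz: a quote (' or %27) immediately followed by "or",
# where each letter may appear literally or as its hex escape in either case.
# The /i flag becomes re.I; /x is irrelevant because the pattern has no spaces.
SQLI_OR_RE = re.compile(r"\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))", re.I)

# Caveat: the signature above needs "or" right after the quote, so
# `%27%20OR` (quote, space, OR) is missed. This relaxed variant is an
# assumption of this example, not part of the quiz: it tolerates literal,
# %20 or + encoded whitespace between the quote and the keyword.
SQLI_OR_SPACED_RE = re.compile(
    r"((\%27)|(\'))(\s|\%20|\+)*((\%6F)|o|(\%4F))((\%72)|r|(\%52))", re.I)

# Matched after decoding, so %3Cscript%3E and <script> are handled alike.
XSS_RE = re.compile(r"<\s*/?\s*script\b|\bon[a-z]+\s*=|javascript:", re.I)


def parse_clf(line):
    """Return the seven CLF fields as a dict (plus method/path/status), or None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["r"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["s"])
    return rec


def decode_request(raw):
    """Decode URL percent-escapes; a second pass undoes double encoding."""
    once = unquote(raw)
    return unquote(once) if "%" in once else once


def classify(rec):
    """Tag a parsed record with the attack signatures it trips."""
    tags = []
    raw = rec["path"]
    decoded = decode_request(raw)
    if SQLI_OR_RE.search(raw):
        tags.append("sqli-or")
    elif SQLI_OR_SPACED_RE.search(raw):
        tags.append("sqli-or-spaced")  # caught only by the relaxed pattern
    if XSS_RE.search(decoded):
        tags.append("xss")
    return tags, decoded


def triage(lines):
    """Parse each line and return findings for lines that trip a signature."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        tags, decoded = classify(rec)
        if tags:
            findings.append({"ip": rec["h"], "status": rec["status"],
                             "decoded": decoded, "tags": tags})
    return findings


# Constructed sample entries (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
    '"GET /login.php?user=admin%27%4Fr%201%3D1-- HTTP/1.1" 200 2326',
    '198.51.100.22 - - [10/Oct/2023:13:56:01 +0000] '
    '"GET /search?q=%3Cscript%3Ealert%28XSS%29%3C%2Fscript%3E HTTP/1.1" 200 512',
    '192.0.2.9 - frank [10/Oct/2023:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [10/Oct/2023:13:58:40 +0000] '
    '"GET /login.php?user=x%27%20or%201=1 HTTP/1.1" 500 -',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ip']:>15} {f['status']} {','.join(f['tags']):<14} {f['decoded']}")
```

Running it flags the first line as `sqli-or` (the mixed-case `%27%4Fr` encoding of `'Or`), the second as `xss` once `%3Cscript%3E...%29` decodes to `<script>alert(XSS)</script>`, and the fourth only as `sqli-or-spaced`; the clean `/index.html` request from user `frank` produces nothing. Tools such as GoAccess give the same field view of `%h`/`%>s` at scale, but the decoding step is what turns the hex strings Carlos saw into something a reviewer can read.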
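Questions 6 and 9 concern the IIS side of the same job: the `sc-status` field tells you whether a request was fulfilled, and a path-traversal attempt shows up in `cs-uri-stem`/`cs-uri-query` as `../` or its hex-encoded forms. The parser below is an added example for this page, not quiz or vendor code; it reads the `#Fields:` directive that IIS W3C logs carry so columns are addressed by name rather than position, and the log text, host addresses and function names are this example's own constructed assumptions.

```python
"""IIS W3C log triage (added example, not from the quiz source).

Uses the #Fields: directive to map columns by name, then reports requests
the server did not fulfil (sc-status >= 400) and requests whose URI shows
directory traversal, including single- and double-hex-encoded forms.
"""
import re
from urllib.parse import unquote

# Traversal marker matched after decoding: ../ or ..\ (IIS accepts both).
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the current #Fields line.

    IIS re-emits #Fields when the logging configuration changes, so the
    mapping is refreshed whenever a new directive appears.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date are directives, not entries
        if fields is None:
            raise ValueError("log entry before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry: skip rather than misalign
        yield dict(zip(fields, values))


def full_decode(s, max_rounds=3):
    """Percent-decode repeatedly so %252e (double-encoded '.') is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_failures(entries, min_status=400):
    """Entries whose sc-status says the request was not fulfilled."""
    return [e for e in entries if int(e["sc-status"]) >= min_status]


def find_traversal(entries):
    """Entries whose decoded stem or query contains a parent-directory hop."""
    hits = []
    for e in entries:
        target = e.get("cs-uri-stem", "") + "?" + e.get("cs-uri-query", "-")
        if TRAVERSAL_RE.search(full_decode(target)):
            hits.append(e)
    return hits


def triage(text):
    """Summarise failures and traversal attempts from W3C log text."""
    entries = list(parse_w3c(text))
    return {
        "entries": len(entries),
        "failed": [(e["c-ip"], e["cs-uri-stem"], e["sc-status"])
                   for e in find_failures(entries)],
        "traversal": [(e["c-ip"], full_decode(e["cs-uri-stem"]))
                      for e in find_traversal(entries)],
    }


# Constructed sample log (not real traffic); RFC 5737 client addresses.
# Entry 2 uses a double-encoded backslash (%255c -> %5c -> \) in the stem,
# entry 3 hides the traversal in the query string.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-10-10 13:55:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2023-10-10 13:55:36 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 15
2023-10-10 13:56:01 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 80 - 198.51.100.22 curl/8.0 404 0 2 3
2023-10-10 13:57:12 10.0.0.5 GET /download.aspx file=../../web.config 80 - 192.0.2.9 Mozilla/5.0 200 0 0 40
2023-10-10 13:58:40 10.0.0.5 POST /api/login - 443 alice 192.0.2.9 Mozilla/5.0 401 2 5 12
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_IIS_LOG)
    print("failed requests:", summary["failed"])
    print("traversal attempts:", summary["traversal"])
```

Note that the third entry returned `sc-status` 200: the traversal in the query string succeeded as far as the server was concerned, which is exactly why filtering on status alone is not enough and the URI fields have to be decoded and inspected as well.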