Network Forensics

Question 1

What is a Switched Port Analyzer (SPAN) ?

Answer 1

Allows for the copying of ingress and/or egress communications from one or more switch ports to another

Question 2

What is Packet Sniffer ?

Answer 2

A piece of hardware or software that records data from frames as they pass over network media using methods such as a mirrored port or tap device

Question 3

Complete the sentence:

A network sniffer should be placed inside / outside a firewall or close to an important server

Answer 3

inside

Question 4

What is tcpdump ?

Answer 4

A data-network packet analyzer computer program that runs under a command line interface.
It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached

Question 5

What is Wireshark?

Answer 5

A free and open-source GUI-based packet analyzer that is used for network troubleshooting, analysis, software and communications protocol development, and education

Question 6

What is Full Packet Capture (FPC) ?

Answer 6

Captures the entire packet including the header and the payload for all traffic entering and leaving a network- entering and leaving - a lot of data!

Flow analysis tools provides network traffic statistics sampled by a collector

Question 7

What is Flow Collector ?

Answer 7

A means of recording metadata and statistics about network traffic rather than recording each frame

Flow analysis tools provides network traffic statistics sampled by a collector

Question 8

What is NetFlow ?

Answer 8

A Cisco-developed means of reporting network flow information to structured database
Gathers:
● Network protocol interface
● Version and type of IP
● Source and destination IP
● Source and destination port
● IPs type of service
● NetFlow provides metadata while packet captures provide a complete record of what occurred

Question 9

What is Zeek (Bro) ?

Answer 9

a hybrid tool that passively monitors a network like a sniffer and only logs data of potential interest.
Zeek performs normalization on the data.
stores data as tab-delimited or Java Script Object. Notation (JSON) formatted text files.

Question 10

What is Multi Router Traffic Grapher (MRTG) ?

Answer 10

Is a tool used to create graphs showing traffic flows through the network interfaces of routers and
switches by polling the appliances using the Simple Network Management Protocol (SNMP)

Question 11

What are Known-bad IP Addresses ?

Answer 11

An IP address or range of addresses that appears on one or more blacklists.
Reputation-based risk intelligence is used to create IP/URL block lists
Attackers now use domain generation algorithms to overcome block lists

Question 12

What is Domain Generation Algorithm (DGA) ?

Answer 12

A method used by malware to evade block lists by dynamically generating domain names for C2 networks

Question 13

Domain Generation Algorithm (DGA) - 5 steps:

Answer 13

1. Attacker sets up one or more dynamic DNS (DDNS) services
2. Malware code implements a DGA to create a list of new domain
   names
3. A parallel DGA is used to create name records on the DDNS
   service
4. The malware tries a selection of the domains it has created to
   connect to C2
5. C&C server communicates with a new seed for the DGA to prevent
   being blocked

Question 14

What is a Fast Flux Network?

Answer 14

A method used by malware to hide the presence of C&C networks by continually changing the host IP addresses in domain records using domain generation algorithms

Question 15

If you get a high rate of NXDOMAIN errors when resolving the DNS, it
could be an indicator of a

Answer 15

DGA

Question 16

Secure Recursive DNS Resolver
occurs when one trusted DNS server communicates with

Answer 16

several other trusted DNS servers to hunt down an IP address and returns it to the client

Question 17

What is a URL Analysis?

Answer 17

an activity that is performed to identify whether a link is already flagged on an existing reputation list, and if not, to identify what malicious script or activity might be coded within it

Usetoolsfor
● Resolving percent encoding
● Assessing redirection of the URL
● Showing source code for scripts in URL

Question 18

What does a HTTP request contains?

Answer 18

a method, a resource, a version number, the header
and the body of the request

Question 19

A HTTP method of GET is:

Answer 19

The principal method used with HTTP and is used to retrieve a resource

Question 20

A HTTP method of POST is:

Answer 20

Used to send data to the server for processing by the requested resource

Question 21

A HTTP method of PUT is:

Answer 21

Creates or replaces the requested resource

Question 22

A HTTP method of DELETE is:

Answer 22

Used to remove the requested resource

Question 23

A HTTP method of HEAD is:

Answer 23

Retrieves the headers for a resource only and ignores the body

Question 24

Datasubmitted via a URL is delimited by the___character

Answer 24

‘?’

Question 25

Query parameters are usually formatted as one or more name=value pairs with ampersands ___ delimiting each pair

Answer 25

(&)

Question 26

A ___ is used to indicate a fragment or anchor ID and it not processed by the webserver

Answer 26

‘#’

Question 27

HTTP Response Codes shows on the

Answer 27

The header value returned by a server when a client requests a URL

Question 28

HTTP Response Code - 200 says what?

Answer 28

Indicates a successful GET or POST request (OK)

Question 29

HTTP Response Code - 201 says what?

Answer 29

Indicates where a PUT request has succeeded in creating a resource

Question 30

HTTP Response Code - 3XX says what?

Answer 30

Any code in this range indicates that a redirect has occurred by the server

Question 31

HTTP Response Code - 4XX says what?

Answer 31

Any code in this range indicates an error in the client request

Question 32

HTTP Response Code - 400 says what?

Answer 32

Indicates that a request could not be parsed by the server

Question 33

HTTP Response Code - 401 says what?

Answer 33

Indicates that a request did not supply authentication credentials

Question 34

HTTP Response Code - 403 says what?

Answer 34

Indicates that a request did not have sufficient permissions

Question 35

HTTP Response Code - 404 says what?

Answer 35

Indicates that a client is requested a non-existent resource

Question 36

HTTP Response Code - 5XX says what?

Answer 36

Any code in this range indicates a server-side issue

Question 37

HTTP Response Code - 500 says what?

Answer 37

Indicates a general error on the server-side of the application

Question 38

HTTP Response Code - 502 says what?

Answer 38

Indicates a bad gateway has occurred when the server is acting as a proxy

Question 39

HTTP Response Code - 503 says what?

Answer 39

Indicates an overloading of the server is causing service unavailability

Question 40

HTTP Response Code - 504 says what?

Answer 40

Indicates a gateway timeout means an issue with the upstream server

Question 41

What is a Percent Encoding?

Answer 41

A mechanism to encode 8-bit characters that have specific meaning in the context of URLs, also known as URL encoding

Question 42

A URL can contain only ______ and _________ characters from the ASCII set

Answer 42

unreserved and reserved

Question 43

What is a Unreserved Characters?

Answer 43

letters, numbers and - . _ ~

Question 44

What is a reserved Characters?

Answer 44

:/?#[]@!$&'()*+,;=

Question 45

A URL can not contain unsafe characters like:

Answer 45

Null string termination, carriage return, line feed, end of file, tab, space, and \ < > { }

Question 46

can u represent reserved Characters inside the URL? if yes then how?

Answer 46

yes using binary, for example: null is translated to %00

Question 47

Which tool allows for the creation of graphs to visualize network traffic flows through router and switch interfaces by utilizing SNMP?

Answer 47

MRTG

Question 48

You are a cybersecurity analyst investigating a potential network issue at your company. You suspect there is unusual traffic on your company's network. Which of the following would be most effective command-line for capturing and analyzing network packets in real-time to investigate this issue?

Answer 48

TCPDUMP

Question 49

You are a cybersecurity analyst at Dion Training Solutions and have been observing an unusual pattern in the company’s DNS logs. Over the past week, there has been a significant increase in NXDOMAIN responses, which indicates that numerous domain lookups are failing because the domains do not exist. Upon closer inspection, you notice repeated attempts to resolve domain names that follow no logical naming pattern and appear to be randomly generated. There are no signs of unusually high network traffic, and the domains being queried are not matching any known malware signatures in your database. Based on this scenario, which of the following is the MOST likely cause of the increase in NXDOMAIN responses in the organization's DNS logs?

Answer 49

The network is likely infected with malware using a Domain Generation Algorithm (DGA).