
IAM 302 Final Exam | Q & A (Complete Solutions)


1. __________ virus uses an executable file as a host.
   a. File
   b. Prefix
   c. Suffix
   d. None of the other

2. What is a Trojan Horse?
   A. A program designed to ... take down the computer system while performing an inoffensive task.
   B. A hollow wooden statue of a horse in which the Greeks concealed themselves in order to enter Troy.
   C. A different type of horse.
   D. A chess piece.

3. Rootkits are a set of software tools that enable an unauthorized user to gain control of a computer.

4. Covert channels work over _______
   a. unknown channels
   b. old channels
   c. new channels
   d. known channels

5. Which of the following is most likely to make your computer stop working?
   a. Virus
   b. Adware
   c. Keylogger
   d. Botnet

6. REMnux is _______
   All of the other choices

7. _______________ generally does not limit the impact of worms.
   a. Install OS updates and software patches.
   b. Use firewall
   c. Use antivirus software
   d. Rebooting your system

8. _________ is an antivirus that has predefined rulesets used to detect malicious software or malware.
   a. ClamAV
   b. IDA Pro
   c. ProDiscover
   d. INetSim

9. _____________________________ is a characteristic of adware.
   a. Redirecting the website
   b. Displaying popup
   c. Block user's files
   d. None of the other

10. ____ is a self-contained program that does not integrate itself with other programs to spread.
   A. Trojan horse
   B. None of the other choices
   C. Logic bomb
   D. Worm
   E. Virus

11. Trojans can be used to open backdoors on a system.
   a. True
   b. False

12. Wireshark is ___________
   a. a network packet analyzer
   b. an antivirus
   c. an analyzer
   d. a recovery tool

13. Which of the following refers to software designed to harm your computer or computer security, engage in criminal activity, or compromise resources in some way?
   a. ransomware
   b. adware
   c. malware
   d. spyware

14. We can customize ClamAV signatures by using ________
   a. Hash based Signatures
   b. All of the mentioned
   c. ASCII Signatures
   d. Binary Signatures

15. __________ is an operating system preconfigured with various open source malware analysis tools.
   a. Ubuntu
   b. CentOS
   c. Windows
   d. REMnux

16. What form of analysis involves running the possibly infected file?
   a. Static Analysis
   b. Dynamic Analysis
   c. Virtual Analysis
   d. Malware Analysis

17. Name a type of malware.
   a. Ransomware
   b. Horse
   c. Trojan War
   d. Tiger

18. There is only one type of Keylogger: Software Keylogger.
   a. True
   b. False

19. What is the purpose of sandbox analysis?
   a. To determine the nature and purpose of the malware
   b. To determine the interaction with the network
   c. To determine the interaction with the file system
   d. All of the mentioned

20. Which tool allows you to analyze botnet malware without contacting a real C&C server?
   a. Wireshark
   b. INetSim
   c. Regshot
   d. Task Manager

21. Which of the following best describes botnets?
   a. None of the other choices
   b. A botnet is a group of honeypots made to simulate a real live network, but isolated from it.
   c. A botnet consists of a network of compromised computers that attackers use to launch attacks and spread malware.
   d. A botnet is a type of malware that primarily infects executable programs.
   e. A botnet is a type of malware that includes a separate encryption engine that stores the virus body in encrypted format while duplicating the main body of the virus.

22. VirusTotal is _______
   a. Dynamic analysis
   b. Periodic analysis
   c. Static analysis
   d. None of the other

23. Which of the following types of malware secretly gathers and transmits system information, often for advertising purposes?
   a. Adware
   b. Spyware
   c. Keylogger
   d. Ransomware

24. On Ubuntu, which of the following commands can be used to install Wireshark?
   a. # apt-get install wireshark
   b. # sudo apt-get install wireshark
   c. # sudo apt-get setup wireshark
   d. # apt-get uninstall wireshark

25. __________ and ___________ are two command line packet sniffer tools.
   a. netstat / tshark
   b. inetstat / wireshark
   c. tcpdump / tshark
   d. wireshark / netflix

26. _____________ is a 32-bit assembler-level analyzing debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
   a. Snort
   b. Eclipse
   c. ClamAV
   d. OllyDbg

27. What is used to define a block of code in Python?
   a. Parenthesis
   b. Curly braces
   c. Quotation
   d. Indentation

28. Which of the following commands can be used to get extended information about a file?
   a. blk
   b. rm
   c. ifind
   d. istat

29. It's not a good idea to indiscriminately forward all traffic that reaches your controller to the intended servers on the Internet.
   a. True
   b. False

30. Wireshark is an open source antivirus engine owned by Sourcefire, the makers of the Snort intrusion-detection engine.
   a. True
   b. False

31. In Python, a statement using the and operator results in True if _________
   a. first operand is True
   b. either of the operands is True
   c. both operands are False
   d. both operands are True

32. Crossview-based rootkit detection tools generate information about a system in two or more ways and then look for discrepancies in the results.
   a. True
   b. False

33. It is inevitable that you will need to perform behavioral analysis on service DLLs.
   a. True
   b. False

34. __________ is used to intercept user information.
   a. Adware
   b. Spyware
   c. Malware
   d. Trojan

35. Backdoors are an example of covert channels.
   a. True
   b. False

36. What is an antivirus?
   a. Computer software used to prevent, detect and remove malicious software
   b. Small programs or scripts that damage a computer system
   c. Program used to exploit security holes found in software applications
   d. None of the other

37. The registry composed of binary data files is also called _______
   a. record
   b. hive
   c. metadata
   d. Binary data

38. Why do alternate data streams (ADS) pose a risk to our computer?
   a. None of the other choices
   b. It can remove data arbitrarily
   c. It allows malware to hide files from anyone who doesn't have special tools to view them
   d. It can edit data arbitrarily

39. Assembly language programs are written using
   a. None of the other choices
   b. ASCII code
   c. Hex code
   d. Mnemonics

40. __________ can extract a DLL from a process memory space and dump it to disk for analysis.
   a. memdump
   b. hibr2bin
   c. dlldump
   d. pstree

41. Which of the following tools are developed for memory forensics?
   a. Memoryze
   b. All of the other choices
   c. Windows Memory Toolkit
   d. MoonSols

42. _________ is a GUI tool for Windows that you can use to detect packers.
   A. Runtime packer
   B. a data file
   C. No-runtime packer
   D. None of the other choices

43. Software in the main registry stores:
   a. None of the other choices
   b. the window and program configuration
   c. the system security settings
   d. user's and system security settings

44. How many types of SRE are there?
   a. Data Reverse Engineering only
   b. Code, Data and Information Reverse Engineering
   c. Code and Data Reverse Engineering
   d. Code Reverse Engineering only

45. rip.pl -r /mnt/forensics/Documents\ and\ Settings/Mr.\Evi/NTUSER.DAT -p typedurls
   a. In order to determine suspect's web-browsing history
   b. In order to determine the information of user
   c. In order to determine the information of running program
   d. In order to determine the information of all files on Documents

46. win64dd -d /f c:\memory.dmp
   a. Create a memory dump file in C
   b. Erase the information of main memory
   c. None of the other choices
   d. Obtain the information of disk

47. perl rip.pl -r /mnt/forensics/WINDOWS/system32/config/software -p userinit
   a. To determine the information of all applications
   b. To determine the version of operating system
   c. To determine the value of the "userinit" registry key
   d. To determine the information of administrator

48. rip.pl -r /mnt/forensics/WINDOWS/system32/config/software -p winver
   a. In order to determine the operating system installed on this computer
   b. In order to determine the version of Windows installed on this computer
   c. None of the other choices
   d. In order to determine all programs installed on this computer

49. In order to view a "hidden" ADS file on Windows OS, we type the command
   a. dir /R
   b. dir
   c. rm /R
   d. ls /R

50. _____________ can print the list of loaded DLLs for each process.
   A. pstree
   B. win64dd
   C. dlllist
   D. pslist

51. Which of the following answers are true about the use of Reverse Engineering?
   a. All of the other choices.
   b. To check the limitations of the existing program
   c. To increase security of the existing program
   d. To create documentation of the product

52. _________________ is forensic analysis of a computer's memory dump.
   a. Malware forensics
   b. Computer forensics
   c. Malware analysis
   d. Memory forensics

53. Can extract all memory resident pages in a process into an individual file
   a. dlldump
   b. memdump
   c. procdump
   d. tcpdump

54. regripper/rip -r G:\Windows\System32\config\SYSTEM -f info
   a. we are preparing to edit data from the SYSTEM registry hive located on drive G
   b. we are recovering data from the SYSTEM registry hive located on drive G
   c. we are deleting data from the SYSTEM registry hive located on drive G
   d. we are moving data from the SYSTEM registry hive located on drive G to F

55. ____________ can dump a process's executable.
   a. dlldump
   b. memdump
   c. hibr2bin
   d. procdump

56. rip.pl -r /mnt/forensics/WINDOW/system32/config/software -p uninstall
   a. To determine all installed applications
   b. To determine all uninstalled applications
   c. To determine the information of switch
   d. To determine the information of operating system

57. Which of the following tools allows us to detect ADS in a file?
   a. yara
   b. VMware Workstation
   c. fog
   d. stream.exe

58. _________ can be considered a self-extracting archive, where compressed data is packaged along with the relevant decompression code in an executable file.
   a. dlldump
   b. dir /R
   c. runtime packer
   d. RISC

59. Which of the following is not a stand-alone program?
   a. Virus
   b. Worm
   c. Adware
   d. Antivirus

60. Which of the following is most likely to send spam emails from your computer?
   a. Worm
   b. Adware
   c. Spyware
   d. Keylogger

61. Which of the following is least likely to be detected with standard antivirus software?
   a. Spyware
   b. Adware
   c. Ransomware
   d. Trojan

62. Which of the following is most likely to come with other malware?
   a. Trojan
   b. Virus
   c. Worm
   d. Adware

63. Which of the following is bundled with the peer-to-peer file-sharing software, Kazaa?
   a. Trojan
   b. Spyware
   c. Adware
   d. Worm

64. Which of the following is most likely to install a "backdoor" internet connection?
   a. Botnet
   b. Rootkit
   c. Scareware
   d. worm

65. Which of the following is most likely to be involved in a denial-of-service attack?
   a. worm
   b. rootkit
   c. adware
   d. scareware

66. Which of the following is the only malware publicly documented as having been employed by the FBI to bring a suspect to trial?
   a. Ransomware
   b. Trojan
   c. Spyware
   d. Adware

67. ______________ is a piece of software that takes the original malware file and compresses it, thus making all the original code and data unreadable.
   a. packers
   b. Both of them
   c. pslist
   d. RegRipper

68. ______________ is a C library and a collection of command-line tools for file system forensic investigations.
   a. Microsoft Office
   b. VirusTotal
   c. The Sleuth Kit
   d. ClamAV

69. The _____________ by Thomas Hungenberg and Matthias Eckert not only handles logging, but it simulates various services that malware frequently expects to interact with.
   a. Wireshark
   b. nmap
   c. GNS3
   d. INetSim

70. regripper/rip -r G:\Windows\System32\config\SYSTEM -f info
   a. we are moving data from the SYSTEM registry hive located on drive G to F
   b. we are recovering data from the SYSTEM registry hive located on drive G
   c. we are deleting data from the SYSTEM registry hive located on drive G
   d. we are preparing to edit data from the SYSTEM registry hive located on drive G

71. Given the rule:
   rule Yara_Example_1 { strings: $hex_string = {F4 23 (62 B4 | 56) 45} condition: $hex_string }
   a. This rule will match any file containing F42362B445 and F4235645.
   b. This rule will match any file containing F42362B445.
   c. This rule will match any file containing F4235645.
   d. This rule will match any file containing F42362B445 or F4235645.

72. Given the rule:
   rule Yara_Example_2 { strings: $wide_string = "Borland" wide condition: $wide_string }
   a. This rule will match any file containing the string "Borland" encoded as four bytes per character
   b. This rule will match any file containing the string "Borland"
   c. This rule will match any file containing the string "Borland" encoded as two bytes per character
   d. This rule will match any file containing the string "Borland" encoded as one byte per character

73. Given the rule:
   rule Yara_Example_3 { strings: $a="dummy1" $b="dummy2" condition: #a == 6 and #b > 10 }
   a. This rule will match any file or process containing the string $a and string $b, in which their lengths are more than six and ten, respectively.
   b. This rule matches any file or process containing the string $a exactly six times, and more than ten occurrences of string $b.
   c. None of the mentioned
   d. This rule will match any file containing string $a and $b.

74. Given a program segment
   >>> import hashlib
   >>> data = open("ace3", "rb").read()
   >>> print hashlib.md5(data).hexdigest()
   69e46a1967b4dacce63faSta6F342209
   >>> print hashlib.sha1(data).hexdigest()
   4c570b44c8dac70af742af446d8a475be702dc97
   It generates hashes for file ace3 by using ____________.
   a. sha1sum
   b. None of the other choices
   c. md5sum and sha1sum
   d. md5sum

75. Which of the following Volatility commands can be used to read the keyboard buffer from Real Mode memory?
   a. connections
   b. connscan2
   c. bioskbd
   d. crashinfo

76. Which of the following Volatility commands can be used to print the list of registry hives?
   a. hivelist
   b. crashinfo
   c. filescan
   d. files

77. System in the main registry stores
   a. the information about the system and the connected devices
   b. the window and program configuration
   c. None of the other choices
   d. users and system security settings

78. Can list the processes of a system
   a. packers
   b. Both of them
   c. pslist
   d. RegRipper

79. _________ can extract all memory resident pages in a process into an individual file.
   a. dlldump
   b. memdump
   c. pstree
   d. hibr2bin

80. ______________ is a tool to extract and analyze data from the registry.
   a. packers
   b. Both of them
   c. pslist
   d. RegRipper

81. A computer program that performs the reverse operation by converting a program into assembly language is known as:
   a. Disassembler
   b. Debuggers
   c. Decompilation
   d. All of the other choices

82. perl rip.pl -r /mnt/forensics/WINDOWS/system32/config/software -p product
   a. packers
   b. Disassemble
   c. pslist
   d. To get information about all programs installed on this computer

83. _________ are pieces of info hidden as metadata on files on NTFS drives.
   a. video data
   b. a data in Linux system
   c. text data
   d. Alternate data streams (ADS)

84. Which type of packer is used to pack crackme.exe?
   a. ASPack
   b. None of the mentioned
   c. Microsoft Visual C++ method 2
   d. No packer is used

85. Why do malware writers attempt to pack their malware?
   A. To make it harder to detect and to analyze
   B. None of the other choices
   C. To make it easier to implement
   D. To make it simple for reading

86. ______________ are usually the tool of choice for dynamic analysis.
   a. Analyzer
   b. Packets capture
   c. Debugger
   d. None of the other choice

87. _________ is a highly reliable technique that's used to hide file contents, and sometimes the entire file itself if using a packer program.
   a. Obfuscation
   b. Packer

Document information

Uploaded On: Jul 21, 2024
Number of pages: 68
Seller: Nurse Henny (member since 1 year, 5 documents sold)