Advanced Network Forensics Practice Questions

Last Update Unknown

Click here to download the Wireshark capture for use in the following questions.

Q1: Refer to the trace. Which host pair created the greatest amount of TCP traffic in a single TCP session (in terms of bytes transferred) [Hint: Statistics -> Conversations, order by Bytes]:

Select one:

  • 192.168.75.1 and 192.168.75.132
  • 192.168.75.132 and 192.168.75.144
  • 192.168.75.1 and 192.168.75.144
  • 192.168.75.100 and 192.168.75.1

The correct answer is: 192.168.75.1 and 192.168.75.132

Q2: Refer to the trace. An NMAP scan starts at Packet 1327. What is the response from the machine being scanned when a requested port is open:

Select one:

  • [FIN]
  • [SYN]
  • [SYN][ACK]
  • [FIN][ACK]
  • [RST][ACK]

The correct answer is: [SYN][ACK]

Q3: Refer to the trace. In the initial phase of the trace, which host is being pinged by another host:

Select one:

  • 192.168.75.1
  • 192.168.75.145
  • 192.168.75.2
  • 192.168.75.130

The correct answer is: 192.168.75.145

Q4: Refer to the trace. What is the name of the first JPEG picture in the network trace:

Select one:

  • default.jpg
  • home.jpg
  • banner.jpg
  • index.jpg

The correct answer is: default.jpg

This can be found using File -> Export Objects -> HTTP.

Q5: Refer to the trace. Which host generated the most IPv4 network packets [Hint: Statistics -> Endpoints, order by Packets]:

Select one:

  • 192.168.75.132
  • 192.168.75.100
  • 192.168.75.1
  • 192.168.75.144

The correct answer is: 192.168.75.132

Q6: Refer to the trace. At what packet ID does the first GIF file appear (Hint: http contains "GIF89a"):

Select one:

  • 92
  • 210
  • 21
  • 35
  • No GIF files in trace

The correct answer is: 35

Q7: Refer to the trace. An NMAP scan starts at Packet 1327. Which host is being scanned:

Select one:

  • 192.168.75.132
  • 192.168.75.145
  • 192.168.75.2
  • 192.168.75.1
  • 192.168.75.146

The correct answer is: 192.168.75.132

Q8: Refer to the trace. For the NMAP scan, which packet identifies the start of the NMAP scan:

Select one:

  • 1325
  • 1356
  • 1327
  • 1334

The correct answer is: 1327

Q9: Refer to the trace. What is the MAC address of the host at 192.168.75.2:

Select one:

  • 00:0c:29:0f:71:a3
  • 00:0c:29:6b:0e:96
  • 00:50:56:f5:23:c8
  • 00:50:56:f5:2e:f3
  • Cannot determine

The correct answer is: 00:50:56:f5:2e:f3

Q10: Refer to the trace. For the Telnet connection which starts at Packet 204, identify one of the folders in C:\Documents and Settings:

Select one:

  • Home
  • User
  • Admin
  • Administrator

The correct answer is: Administrator

This can be found by following the TCP stream of the Telnet packets (Follow -> TCP Stream).

Q11: Refer to the trace. For the NMAP scan, which host is scanning:

Select one:

  • 192.168.75.132
  • 192.168.75.1
  • 192.168.75.146
  • 192.168.75.2
  • 192.168.75.145

The correct answer is: 192.168.75.1

Q12: Refer to the trace. At what packet ID does the first JPEG file appear (Hint: http contains "JFIF"):

Select one:

  • 35
  • 18449
  • 21
  • 92
  • No JPEG files in trace

The correct answer is: 18449

This can be found by searching for 'image-jfif' or using the display filter 'http contains "JFIF"'.

Q13: Refer to the trace. For DNS requests, which transport layer protocol and port is used:

Select one:

  • UDP, Port 53
  • UDP, Port 8080
  • TCP, Port 53
  • TCP, Port 80
  • UDP, Port 80
  • TCP, Port 8080

The correct answer is: UDP, Port 53

Q14: Refer to the trace. For the Telnet connection which starts at Packet 204, identify one of the folders in C:\Documents and Settings:

Select one:

  • All Users
  • User
  • Admin
  • Home

The correct answer is: All Users

Q15: Refer to the trace. Which of the following hosts does not appear in the network traffic:

Select one:

  • 192.168.75.2
  • 192.168.75.132
  • 192.168.75.1
  • 192.168.75.146
  • 192.168.75.145
  • 192.168.75.3

The correct answer is: 192.168.75.3

Q16: Refer to the trace. For the first SSH session, which host receives the connection request [Hint: tcp.port==22]:

Select one:

  • 192.168.75.1
  • 192.168.75.144
  • 192.168.75.132
  • 192.168.75.100

The correct answer is: 192.168.75.132

Q17: Refer to the trace. To search for a JPEG image, which display filter is used:

Select one:

  • http contains "GIF89a"
  • http contains "gif89a"
  • http contains "\x50\x4b\x30"
  • http contains "JFIF"
  • http contains "jfif"

The correct answer is: http contains "JFIF"

Q18: Refer to the trace. What is the MAC address of the gateway on the 192.168.75.0 network:

Select one:

  • 00:50:56:f5:2e:f3
  • 00:50:56:f5:23:c8
  • 00:0c:29:6b:0e:96
  • 00:0c:29:0f:71:a3
  • Cannot determine

The correct answer is: 00:50:56:f5:2e:f3

This can be found using the filter ip.addr eq 192.168.75.0/24 and icmp, then looking for a packet whose source or destination is on a different network. At the Ethernet layer such a packet is addressed to (or from) the default gateway, so its MAC address is the gateway's.

Q19: Refer to the trace. What is the MAC address of the host at 192.168.75.132:

Select one:

  • 00:50:56:f5:2e:f3
  • 00:50:56:f5:23:c8
  • 00:0c:29:6b:0e:96
  • 00:0c:29:0f:71:a3
  • Cannot determine

The correct answer is: 00:0c:29:0f:71:a3