Network Forensics Practice Questions
Q1: Which filter can be used to find the correct FTP login?
Select one:
- ftp.response.code == 230
- ftp.response.code == 530
- ftp.response.code == 227
- ftp.response.code == 331
Q2: Which filter(s) with ICMP traffic can be used to find online hosts?
Select one or more:
- icmp.type == 0
- icmp.resp_to
- icmp.no_resp
- ip.dst_host == <IP address>
Q3: What is a port scan?
Select one:
- Enumerates any ports to be found on one or more hosts
- Looks for a specific port(s) across multiple hosts.
- A form of denial-of-service attack in which an attacker rapidly initiates a connection to a server without finalising the connection
- A low-level network discovery tool used to associate physical (MAC) addresses to logical (IP) addresses
Q4: How would you quickly identify whether a large pcap file with thousands of sessions contained FTP activity? How would you extract the transferred files?
Q5: How can your team detect the following suspicious activities through statistical network monitoring?
- Installation of dropper malware
- Malware that retrieves commands from a remote site
- Potential data theft
Refer to the Wireshark capture below for the following questions.
Q6: Refer to Capture 1. For the initial FTP connection, what is the source port used by the client:
Select one:
- 25
- 63227
- 3655
- 65000
- 21
Q7: Refer to Capture 1. For the FTP connection, what is the IP address of the client:
Select one:
- 192.168.0.1
- 192.168.75.132
- 192.168.75.1
- 192.168.0.20
- 84.53.138.25
Q8: Refer to Capture 1. Which response code indicates that the user has successfully logged in after the connection has been made to the FTP server:
Select one:
- 215
- 200
- 220
- 331
- 230
Q9: Refer to Capture 1. Which MAC address prefix (OUI) belongs to a VMware network card:
Select one:
- 00:15:99
- 00:50:56
- ff:ff:ff
- 00:1f:3c
- 00:18:4d
Q10: Refer to Capture 2. For the www.intel.com lookup, what is the source port used by the client for the DNS request:
Select one:
- 53
- 63227
- 21
- 25
- 65000
Q11: Refer to Capture 1. Which FTP command is used to list the current directory:
Select one:
- CWD
- SYST
- PASV
- LIST
- PWD
Q12: Refer to Capture 1. Which MAC address prefix (OUI) belongs to a Netgear network card:
Select one:
- 00:50:56
- 00:1f:3c
- ff:ff:ff
- 00:15:99
- 00:18:4d
Q13: Refer to Capture 2. Which MAC address prefix (OUI) belongs to a Samsung network card:
Select one:
- 00:50:56
- 00:1f:3c
- ff:ff:ff
- 00:15:99
- 00:18:4d
Q14: Refer to Capture 1. For the FTP connection, what is the IP address of the server:
Select one:
- 192.168.0.1
- 192.168.75.132
- 192.168.75.1
- 84.53.138.25
- 192.168.0.20
Q15: Refer to Capture 1. What is the MAC address of the client in the DNS request:
Select one:
- 00:50:56:c0:00:08
- 00:18:4d:b0:d6:8c
- 00:0c:29:0f:71:a3
- 00:1f:3c:4f:30:1d
- ff:ff:ff:ff:ff:ff
Q16: Refer to Capture 1. Which success code is initially returned after the connection has been made to the FTP server:
Select one:
- 215
- 200
- 220
- 331
- 230
Q17: Refer to Capture 2. For the www.intel.com lookup, what is the destination port used by the client for the DNS request:
Select one:
- 25
- 63227
- 3655
- 65000
- 53
Q18: Refer to Capture 1. Which FTP command is used to get the system type:
Select one:
- CWD
- SYST
- PASV
- LIST
- PWD
Q19: Refer to Capture 2. For the www.intel.com lookup, what is the source port used by the client for the DNS request:
Select one:
- 25
- 63227
- 3655
- 65000
- 53
Q20: Refer to Capture 1. Which FTP command is used to change the current directory:
Select one:
- CWD
- SYST
- PASV
- LIST
- PWD