
Certified Ethical Hacker Exam 312-50 Assessment Test - Part 5


Review Questions

1. What is the process of hiding text within an image called?
A. Steganography
B. Encryption
C. Spyware
D. Keystroke logging

2. What is a rootkit?
A. A simple tool to gain access to the root of the Windows system
B. A Trojan that sends information to an SMB relay
C. An invasive program that affects the system files, including the kernel and libraries
D. A tool to perform a buffer overflow

3. Why would hackers want to cover their tracks?
A. To prevent another person from using the programs they have installed on a target system
B. To prevent detection or discovery
C. To prevent hacking attempts
D. To keep other hackers from using their tools

4. What is privilege escalation?
A. Creating a user account with higher privileges
B. Creating a user account with administrator privileges
C. Creating two user accounts: one with high privileges and one with lower privileges
D. Increasing privileges on a user account

5. What are two methods used to hide files? (Choose all that apply.)
A. NTFS file streaming
B. attrib command
C. Steganography
D. Encrypted File System

6. What is the recommended password-change interval?
A. 30 days
B. 20 days
C. 1 day
D. 7 days

7. What type of password attack would be most successful against the password T63k#s23A?
A. Dictionary
B. Hybrid
C. Password guessing
D. Brute force

8. Which of the following is a passive online attack?
A. Password guessing
B. Network sniffing
C. Brute-force attack
D. Dictionary attack

9. Why is it necessary to clear the event log after using the auditpol command to turn off logging?
A. The auditpol command places an entry in the event log.
B. The auditpol command doesn’t stop logging until the event log has been cleared.
C. auditpol relies on the event log to determine whether logging is taking place.
D. The event log doesn’t need to be cleared after running the auditpol command.

10. What is necessary in order to install a hardware keylogger on a target system?
A. The IP address of the system
B. The administrator username and password
C. Physical access to the system
D. Telnet access to the system

11. What is the easiest method to get a password?
A. Brute-force cracking
B. Guessing
C. Dictionary attack
D. Hybrid attack

12. Which command is used to cover tracks on a target system?
A. elsave
B. coverit
C. legion
D. nmap

13. What type of hacking application is Snow?
A. Password cracker
B. Privilege escalation
C. Spyware
D. Steganography

14. What is the first thing a hacker should do after gaining administrative access to a system?
A. Create a new user account
B. Change the administrator password
C. Copy important data files
D. Disable auditing

15. Which of the following programs is a steganography detection tool?
A. Stegdetect
B. Stegoalert
C. Stegstopper
D. Stegorama

16. Which countermeasure tool will detect NTFS streams?
A. Windows Security Manager
B. LNS
C. Auditpol
D. RPS

17. Which program is used to create NTFS streams?
A. StreamIT
B. makestrm.exe
C. NLS
D. Windows Explorer

18. Why is it important to clear the event log after disabling auditing?
A. An entry is created that the administrator has logged on.
B. An entry is created that a hacking attempt is underway.
C. An entry is created that indicates auditing has been disabled.
D. The system will shut down otherwise.

19. What is the most dangerous type of rootkit?
A. Kernel level
B. Library level
C. System level
D. Application level

20. What is the command to hide a file using the attrib command?
A. att +h [file/directory]
B. attrib +h [file/directory]
C. attrib hide [file/directory]
D. hide [file/directory]

Answers to Review Questions

1. A. Steganography is the process of hiding text within an image.
2. C. A rootkit is a program that modifies the core of the operating system: the kernel and libraries.
3. B. Hackers cover their tracks to keep from having their identity or location discovered.
4. D. Privilege escalation is a hacking method to increase privileges on a user account.
5. A, B. NTFS file streaming and the attrib command are two hacking techniques used to hide files.
6. A. Passwords should be changed every 30 days for the best balance of security and usability.
7. D. A brute-force attack tries every combination of letters, numbers, and symbols.
8. B. Network sniffing is a passive online attack because it can’t be detected.
9. A. The event log must be cleared because the auditpol command places an entry in the event log indicating that logging has been disabled.
10. C. A hardware keylogger is an adapter that connects the keyboard to the PC. A hacker needs physical access to the PC in order to plug in the hardware keylogger.
11. B. The easiest way to get a password is to guess the password. For this reason it is important to create strong passwords and to not reuse passwords.
12. A. elsave is a command used to clear the event log and cover a hacker’s tracks.
13. D. Snow is a steganography program used to hide data within the whitespace of text files.
14. D. The first thing a hacker should do after gaining administrative level access to a system is disable system auditing to prevent detection and attempt to cover tracks.
15. A. Stegdetect is a steganography detection tool.
16. B. LNS is an NTFS countermeasure tool used to detect NTFS streams.
17. B. makestrm.exe is a program used to make NTFS streams.
18. C. It is important to clear the event log after disabling auditing because an entry is created indicating that auditing is disabled.
19. A. A kernel-level rootkit is the most dangerous because it infects the core of the system.
20. B. attrib +h [file/directory] is the command used to hide a file using the hide attribute.