Covering Tracks: Pre-Assessment


Covering Tracks

Pre-Assessment
Question 1
Why would hackers leave audit policies disabled even after they log off?

A. To hide their activities
B. To prevent administrators from discovering the breach
C. To facilitate further access
D. They wouldn’t

Answer: C
A hacker may leave the audit policies disabled to facilitate further access.

Question 2
Through what are .EVT files readable?

A. Desktop
B. Event Viewer
C. Audit Log
D. .LOG files

Answer: B
These files are readable through the Event Viewer and are the main log files in Windows.

Question 3
A completely empty file won’t be noticed by an administrator as a sign of a breach.
True
False

Answer: False
An empty event log will be an indication that something has happened.

LearnSmart  |  www.learnsmartsystems.com 
Tel: 1 800.418.6789  |  Int’l: +1 813.769.0920    
Question 4
What is the major limitation of WinZapper?
A. It isn’t free
B. Only works on Win NT and 2000
C. There are remote capabilities
D. Doesn’t require a reboot

Answer: B
The first and major limitation of this app is that it works only for Win NT and 2000. Microsoft has since prohibited the deletion
of a single entry from the event log.

Question 5
WinZapper sometimes corrupts the event logs and makes them unstable, unreadable, and unusable.
True
False

Answer: True
It should also be understood that sometimes WinZapper can corrupt the event logs and make them unstable, unreadable, and
unusable.

Question 6
_______ safely, efficiently, and rapidly handles cleaning up tens of thousands of "usage tracks"
and other remnants that most programs leave behind.
A. MRU-Blaster
B. WinZapper
C. DLL Injection
D. Cookies

Answer: A
MRU-Blaster safely, efficiently, and rapidly handles cleaning up tens of thousands of "usage tracks" and other remnants that
most programs leave behind.

Question 7
Every console session on Linux is exactly the same as the others.
True
False

Answer: False
Every console session on Linux is a completely different interactive session from the others; thus, commands initiated in a
particular session will not affect other sessions.

Chapter 1 & 2 Quiz
Question 1
Which are the three primary .EVT files? (Choose all that apply.)

A. SYSEVENT
B. SECEVENT
C. LOG
D. APPEVENT

Answer: A, B, and D
A .LOG file is periodically rewritten into an .EVT format in one of these folders. Some versions of Windows have additional EVT
files, but these three are the primary ones.

Question 2
.EVT files can be altered on a running system by conventional means.

True
False

Answer: False
.EVT files are readable through the Event Viewer and are the main log files in Windows. They are write-protected and cannot be
altered on a running system by conventional means.

Question 3
What tool was developed by Arne Vidstrom?

A. DLL Injection
B. WinZapper
C. ELsave.exe
D. MRU-Blaster

Answer: B
WinZapper is a tool that was developed by Arne Vidstrom and is free for download.

Question 4
In a Linux distribution, a console session will save all the executed commands to a file.

True
False

Answer: True
In any Linux distribution, a console session will save all the executed commands to a file, whether the command is executed
successfully or not.

Question 5
_____________ specifies the location and file where the shell commands will be logged.

A. HISTSAVE
B. .EVT
C. HISTFILE
D. A console session

Answer: C
HISTFILE specifies the location and file where the shell commands will be logged; HISTSAVE is the job where saving the history is
in action.

Question 6
What is the name of the directory that is “nowhere”?

A. HISTSAVE
B. .LOG
C. ~/.bash_history
D. /dev/null

Answer: D
If you send any file to /dev/null, you are sending it to nowhere. Taking advantage of this black hole in Linux, if we
redirect HISTFILE to /dev/null, guess what will happen? All the logged commands will be sent to nowhere instead of being written
to a log file.

Question 7
Disabling auditing when logged onto a session allows hackers to hide their activities from
administrators.

True
False

Answer: True
Disabling auditing when logged onto a session allows hackers to hide their activities from administrators who will investigate
when the breach has been discovered.

Final
Question 1
Why would hackers leave audit policies disabled even after they log off?

A. To hide their activities
B. To prevent administrators from discovering the breach
C. To facilitate further access
D. They wouldn’t

Answer: C
A hacker may leave the audit policies disabled to facilitate further access.

Question 2
Through what are .EVT files readable?

A. Desktop
B. Event Viewer
C. Audit Log
D. .LOG files

Answer: B
These files are readable through the Event Viewer and are the main log files in Windows.

Question 3
A completely empty file won’t be noticed by an administrator as a sign of a breach.
True
False

Answer: False
An empty event log will be an indication that something has happened.

Question 4
What is the major limitation of WinZapper?
A. It isn’t free
B. Only works on Win NT and 2000
C. There are remote capabilities
D. Doesn’t require a reboot

Answer: B
The first and major limitation of this app is that it works only for Win NT and 2000. Microsoft has since prohibited the deletion
of a single entry from the event log.

Question 5
WinZapper sometimes corrupts the event logs and makes them unstable, unreadable, and unusable.
True
False

Answer: True
It should also be understood that sometimes WinZapper can corrupt the event logs and make them unstable, unreadable, and
unusable.

Question 6
_______ safely, efficiently, and rapidly handles cleaning up tens of thousands of "usage tracks"
and other remnants that most programs leave behind.
A. MRU-Blaster
B. WinZapper
C. DLL Injection
D. Cookies

Answer: A
MRU-Blaster safely, efficiently, and rapidly handles cleaning up tens of thousands of "usage tracks" and other remnants that
most programs leave behind.

Question 7
Every console session on Linux is exactly the same as the others.
True
False

Answer: False
Every console session on Linux is a completely different interactive session from the others; thus, commands initiated in a
particular session will not affect other sessions.

Question 8
The default file that holds the shell history is:
A. ELsave.exe
B. SYSEVENT.EVT
C. ~/.bash_history
D. /dev/null

Answer: C
The default file that holds the shell history is ~/.bash_history. This file can be deleted, and it will be recreated after the next
login.

Question 9
What action makes sure that data is overwritten and unrecoverable?
A. File shredding
B. HISTSAVE
C. Clearing events
D. Deleting

Answer: A
Shredding files is intended, like its real-world equivalent, to make sure that data you are finished with is unrecoverable. When a
file is deleted, it is commonly dereferenced in the file system table, but the contents are otherwise left untouched until the
operating system writes over the space with a new file. To get around this, file shredding utilities overwrite the area with new
data.

Question 10
How many overwrites are necessary to stop recovery of data?
A. 1
B. 7
C. 35
D. 60

Answer: A
It is now widely acknowledged that one overwrite is enough to remove any chance of recovering the file.

Question 11
A term that refers to privacy features in web browsers is:
A. Incognito mode
B. Backdoors
C. Cookies
D. Overwriting

Answer: A
Privacy mode, or "private browsing" — sometimes informally referred to as "incognito mode" — is a term that refers to privacy
features in some web browsers.

Question 12
___________ operates by allowing the user to choose between sets of anonymizing proxies, or
“mix cascades,” giving fine-grained control over who the user trusts to route their traffic through.
A. A live CD
B. The Java Anon Proxy
C. Tor

Answer: B
The Java Anon Proxy operates by allowing the user to choose between sets of anonymizing proxies, or “mix cascades,” giving
fine-grained control over who the user trusts to route their traffic through.

Question 13
TOR stands for:
A. This Old Router
B. The Offline Router
C. Three Old Routers
D. The Onion Router

Answer: D
TOR stands for The Onion Router.

Question 14
What is a motto you should implement for a best defense for covering your tracks?
A. “Delete the Logs”
B. “Gain Administrator Privileges”
C. “Be Prepared”
D. “Use Best Practices”

Answer: C
The best defense, or we should say countermeasure, against covering of tracks is to implement the Boy Scout
motto: “Be prepared.”

Question 15
What are some things we can do to be more proactive? (Choose all that apply.)
A. Hash integrity checks of log files
B. Use live CDs
C. Use Msyslog
D. Delete log files

Answer: A and C
Things that we could do to be a little more proactive are: doing hash integrity checks of log files, and using a utility called
Msyslog from Core Labs.

Question 16
A corruption in error logs will be indicated by smiley faces, periods, percent symbols, etc.
True
False

Answer: True
You should look for corruption in error logs. This would normally look like some type of trash in the logs, indicated by
smiley faces, periods, percent symbols, and things of that nature; basically, things that really shouldn’t be appearing in our logs.

Question 17
In the Tor client, when traffic passes a node, no further encryption is added.
True
False

Answer: False
At each node a further layer of encryption is added.

Question 18
Tor provides anonymity for a user to the regular web.
True
False

Answer: True
As well as providing anonymity for a user to the regular web, Tor has hidden services that are accessible only to users
connected to the Tor network.

Question 19
For Internet-accessible machines with sensitive data, a great amount of care must be taken with the
logs.
True
False

Answer: True
For Internet-accessible machines with sensitive data, a great amount of care must be taken with the logs. For internal systems,
logging may be less important.

Question 20
Windows does not support syslog tools through the use of various third-party products.
True
False

Answer: False
Windows supports syslog tools through the use of various third-party products.

Question 21
Live CDs are only usable for systems to which you have physical access.
True
False

Answer: True
Live CDs are only usable for systems to which you have physical access and which can be booted into an alternative operating
system without drawing any attention.

Question 22
It is impossible for law enforcement to demand access to proxies for monitoring purposes.
True
False

Answer: False
Since the proxies are known and centrally administered, it is possible for law enforcement to demand access for monitoring
purposes, as happened in 2003 with the Dresden Mix.

Question 23
Privacy mode can be enabled so that the browser does not store information for selected
browsing sessions.
True
False

Answer: True

Question 24
Until a file is overwritten, a file recovery program that can read the disk at a sector level will not
be able to recover information in the file.
True
False

Answer: False
A file recovery program or utility that can read the disk at a sector level may be able to recover information.
