











Common encryption algorithms used in digital forensics, explains data mining and data carving, and provides information on data classification and ways companies can prevent data loss. It also touches upon the importance of change management and virtualization in data security.
Typology: Study notes
Below are 25 interview questions to help you prepare for your next computer forensics interview.

What is an MD5 checksum?
An MD5 checksum is a 128-bit value that helps identify the uniqueness of a file. You can have two files with the same name, but each will have a different checksum. You use these checksums to compare two different files to identify whether they are the same.

Name some common encryption algorithms that are used to encrypt data.
Some common ones include triple DES, RSA, Blowfish, Twofish and AES.

What is an .ISO file?
An ISO file contains an application or CD image made up of several files and executables. Most application software can be packaged into an ISO that you then mount as a virtual drive and browse the files within it. Newer Windows versions come with built-in ISO mounting capabilities.

What is a SAM file?
A SAM (Security Accounts Manager) file is a file specifically used on Windows computers to store user passwords. It is used to authenticate both remote and local Windows users, and can be used to gain access to a user's computer.

What is data mining?
Data mining is the process of recording as much data as possible to create reports and analysis on user input. For instance, you can mine data from various websites and then log user interactions with this data to evaluate which areas of a website are accessed by users when they are logged in.

What is data carving?
Data carving differs from data mining in that data carving searches through raw data on a hard drive without using a file system. Data carving is essential for computer forensics investigators to find data when a hard drive's data is corrupted.

What operating systems do you use?
Most computer forensic experts know at least one operating system well. Be honest with this question, but you should know either Windows, Linux or Mac operating systems well. Your interviewer will probably go into more detailed questions based on your answer.

What type of email analysis experience do you have?
Computer forensics relies on email analysis. You should be experienced with email servers such as MS Exchange and free web-based platforms such as Gmail and Yahoo.

What is steganography?
Steganography conceals a message within a message. In other words, someone can send an email message with content that says one thing, but every third word makes up a second message that makes sense to the recipient.

What are some common port numbers?
TCP port numbers are the virtual connections created by computers and applications. Common port numbers are 21 for FTP, 80 for web services, 25 for SMTP and 53 for DNS.

Describe the SHA-1 hash.
The Secure Hash Algorithm 1 is a hash algorithm that creates a 160-bit (20-byte) message digest.

Describe your experience with virtualization.
Do not lie here. Be honest about your experience with virtualization, but be sure to describe the virtual infrastructures you are familiar with, e.g. VirtualBox, VMware, etc. Make sure you identify the types of operating systems you have dealt with. You do not have to prove you were a system administrator, but you need to at least understand virtual storage, partitioning, how to log into a virtual machine, and the benefits as well as the security issues of virtualization. It can save a company money by combining the use of resources and minimizing the amount of hardware a company has to purchase. But if there are issues with VM sprawl, which is when an admin duplicates a machine and forgets about it, it creates a vulnerability because those machines are not patched or hardened. This is a prevalent issue.

How would you handle retrieving data from an encrypted hard drive?
First determine the encryption method used. For simple encryption types, try finding the configuration file. Use tools such as EaseUS Data Recovery, Advanced EFS Data Recovery or Elcomsoft Forensic Disk Decryptor. You can also use brute force methods.

What port does DNS run over?
53.

What are some security issues related to the Cloud?
The biggest issue is the increased potential for data breaches or exfiltration, as well as the potential for account hijacking. The Man in Cloud attack is a new threat specific to Cloud usage. It is similar to the MitM attack, where an attacker steals the user token which is used to verify devices without requiring additional logins. Cloud computing introduces insecure API usage, which is discussed on the OWASP Top 10 Vulnerabilities list.

Describe some of the vulnerabilities listed on the OWASP Top 10 Vulnerabilities list.
This list is updated yearly with the current top 10 application security risks. Cross-site scripting is one item that has been on the list year after year. Others on the most current list include injections such as SQL, OS and LDAP, security misconfigurations, sensitive data exposure and underprotected APIs.

What is an ACL?
An access control list. It is a list used to grant users and processes access to system resources.

How would you be able to tell at the hex level that a file has been deleted in FAT12?
Run fsstat against the FAT partition to gather details. Run fls to get information about the files in the image. This will return information about deleted files and their metadata.

What are some tools used to recover deleted files?
Recuva, Pandora Recovery, ADRC Data Recovery, FreeUndelete, Active UNDELETE, Active Partition or File Recovery, and more.

What is a form of simple encryption often used by an intruder or criminal?
XOR (exclusive OR).

How do you stay up to date on current cybersecurity trends?
This is a personal question; make sure you can share newsletters and websites you visit often. These could include InfoSec Institute, Cyberwire, IT whitepapers, and podcasts or webinars given by companies like Nessus, Metasploit and SANS.

How do you handle conflicting direction from different stakeholders?
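The data carving and checksum questions above, as an added example that is not part of the original notes: a header/footer carver that walks a raw byte buffer with no file-system metadata, then validates each carved object with MD5 and SHA-1. The JPEG and PNG magic bytes are the real ones; the sample image is constructed inline.

```python
"""Header/footer data carving over a raw byte buffer, with hash validation.

Added example (not part of the original notes). The carver ignores the file
system entirely, as it would on a damaged drive image, and validates each
carved object by computing MD5 (128-bit) and SHA-1 (160-bit) digests.
"""
import hashlib

# Signatures: kind -> (header, footer). Real magic bytes for JPEG and PNG;
# the list is deliberately short for illustration.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(raw: bytes, max_size: int = 10_000_000) -> list:
    """Return (kind, offset, data) for every header/footer pair in `raw`.

    A carver knows nothing about directories or allocation tables; it finds a
    header, then the nearest footer that follows it within `max_size` bytes.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = raw.find(header)
        while start != -1:
            end = raw.find(footer, start + len(header), start + max_size)
            if end == -1:
                break  # truncated object: header with no footer in the window
            end += len(footer)
            found.append((kind, start, raw[start:end]))
            start = raw.find(header, end)
    return sorted(found, key=lambda item: item[1])


def digests(data: bytes) -> dict:
    """MD5 and SHA-1 digests used to document and validate a carved object."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


# Constructed sample "drive image": filler bytes, one fake PNG, one fake JPEG,
# and a truncated JPEG (header but no footer) at the end.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\x89PNG\r\n\x1a\n" + b"IHDR-fake-png-body" + b"IEND\xaeB`\x82"
    + b"\xff" * 8
    + b"\xff\xd8\xff" + b"fake jpeg body" + b"\xff\xd9"
    + b"\x00" * 8
    + b"\xff\xd8\xff" + b"truncated"
)

if __name__ == "__main__":
    for kind, offset, data in carve(SAMPLE_IMAGE):
        print(kind, offset, len(data), digests(data))
```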
Symmetric encryption is usually much faster, but the key needs to be transferred over an unencrypted channel. Asymmetric encryption, on the other hand, is more secure but slow. Hence, a hybrid approach should be preferred: set up a channel using asymmetric encryption and then send the data using a symmetric process.
3. What is an IPS and how does it differ from an IDS?
An IDS is an intrusion detection system whereas an IPS is an intrusion prevention system. An IDS will just detect the intrusion and will leave the rest to the administrator for further action, whereas an IPS will detect the intrusion and will take further action to prevent it. Another difference is the positioning of the devices in the network. Although they work on the same basic concept, the placement is different.

4. What is XSS, and how will you mitigate it?
Cross-site scripting is a JavaScript vulnerability in web applications. The easiest way to explain it is the case where a user enters a script in a client-side input field and that input gets processed without being validated. This leads to untrusted data getting saved and executed on the client side. Countermeasures for XSS are input validation, implementing a CSP (Content Security Policy), etc.
TIP: Know the different types of XSS and how the countermeasures work.

5. What is the difference between encryption and hashing?
TIP: Keep the answer short and straight.
Point 1: Encryption is reversible whereas hashing is irreversible. Hashing can be cracked using rainbow tables and collision attacks but is not reversible.
Point 2: Encryption ensures confidentiality whereas hashing ensures integrity.

6. Are you a coder/developer, or do you know any coding languages?
TIP: You are not expected to be a PRO; an understanding of the language will do the job.
Although this is not something an information security person is expected to know, knowledge of HTML, JavaScript and Python can be of great advantage. HTML and JavaScript can be used in web application attacks, whereas Python can be used to automate tasks, exploit development, etc. A little knowledge of the three can be of great advantage, both in the interview and on the floor.

7. What is CSRF?
Cross-Site Request Forgery is a web application vulnerability in which the server does not check whether the request came from a trusted client or not. The request is just processed directly. This can be followed by the ways to detect it, examples and countermeasures.

8. What is a security misconfiguration?
A security misconfiguration is a vulnerability where a device/application/network is configured in a way which can be exploited by an attacker. This can be as simple as leaving the default username/password for device accounts unchanged, or too simple, etc.

9. What are black hat, white hat and grey hat hackers?
TIP: Keep the answer simple.
Black hat hackers are those who hack without authority. White hat hackers are authorised to perform a hacking attempt under a signed NDA. Grey hat hackers are white hat hackers who sometimes perform unauthorised activities.

10. What is a firewall?
TIP: Be simple with the answer, as this can get complex and lead to looped questions.
A firewall is a device that allows/blocks traffic as per a defined set of rules. Firewalls are placed on the boundary between trusted and untrusted networks.

11. How do you keep yourself updated with information security news?
TIP: Just in case you haven't followed any: The Hacker News, ThreatPost, Pentest Mag, etc.
Be sure to check and follow a few security forums so that you get regular updates on what is happening in the market and about the latest trends and incidents.
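The CSRF countermeasure that question 7 alludes to (the server checking that a state-changing request really came from its own client), as an added example that is not code from the original notes: a per-session anti-CSRF token bound to the session id with an HMAC, verified in constant time, plus an Origin/Referer check. The server secret, allowed origin and request dictionaries are constructed stand-ins for whatever a real web framework provides.

```python
"""CSRF defence: session-bound tokens plus an Origin check.

Added example, not from the original notes. The session cookie is sent by the
browser on a forged cross-site request as well, so the cookie alone cannot
prove the request is genuine; the token (unknown to the attacker's page) and
the Origin header can.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)       # constructed: lives in server config
ALLOWED_ORIGIN = "https://app.example.test"   # constructed placeholder origin


def issue_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce).

    Binding the MAC to the session id means a token captured from one session
    is useless in another; the nonce makes every issued token distinct."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def same_origin(value: str) -> bool:
    """Exact scheme://host[:port] match; a prefix match would let
    https://app.example.test.evil through."""
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def accept_state_change(request: dict) -> bool:
    """Accept only if the Origin (or Referer) is ours AND the form carries a
    token valid for the session cookie. `request` is a constructed dict of the
    form {"headers": {...}, "cookies": {...}, "form": {...}}."""
    headers = request.get("headers", {})
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not same_origin(origin):
        return False
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return False
    token = request.get("form", {}).get("csrf_token", "")
    return token_is_valid(session_id, token)


def demo() -> dict:
    """A genuine request and a forged cross-site one that carries the same
    session cookie but a foreign Origin and no token."""
    sid = "sess-" + secrets.token_hex(4)
    genuine = {"headers": {"Origin": ALLOWED_ORIGIN}, "cookies": {"session": sid},
               "form": {"csrf_token": issue_token(sid)}}
    forged = {"headers": {"Origin": "https://evil.example.test"},
              "cookies": {"session": sid}, "form": {}}
    return {"genuine": accept_state_change(genuine), "forged": accept_state_change(forged)}
```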
17. What are the objects that should be included in a good penetration testing report?
A VAPT report should have an executive summary explaining the observations at a high level, along with the scope, period of testing, etc. This can be followed by the number of observations, split category-wise into high, medium and low. Also include the detailed observations along with replication steps, screenshots of the proof of concept and the remediation.

18. What is compliance?
Abiding by a set of standards set by a government, independent party or organisation. E.g. an industry which stores, processes or transmits payment-related information needs to comply with PCI DSS (Payment Card Industry Data Security Standard). Other compliance examples can be an organisation complying with its own policies.

19. Tell us about your personal achievements or certifications.
Keep this simple and relevant; getting a security certification can be one personal achievement. Explain how it started and what kept you motivated, how you feel now and what your next steps are.

20. Various response codes from a web application?
1xx - Informational responses
2xx - Success
3xx - Redirection
4xx - Client-side error
5xx - Server-side error

21. When do you use tracert/traceroute?
In case you can't ping the final destination, tracert will help to identify where the connection stops or gets broken, whether it is a firewall, ISP, router, etc.

22. DDoS and its mitigation?
DDoS stands for distributed denial of service: a network/server/application is flooded with a large number of requests which it is not designed to handle, making the server unavailable to legitimate requests. The requests can come from different, unrelated sources, hence it is a distributed denial of service attack. It can be mitigated by analysing and filtering the traffic in scrubbing centres. Scrubbing centres are centralised data cleansing stations where the traffic to a website is analysed and the malicious traffic is removed.

23. What is a WAF and what are its types?
TIP: This topic is usually not asked in detail.
WAF stands for web application firewall. It is used to protect the application by filtering legitimate traffic from malicious traffic. A WAF can be either a box type or cloud based.

24. Explain the objects of a basic web architecture.
TIP: Different organisations follow different models and networks. BE GENERIC.
A basic web architecture should contain a front-ending server, a web application server and a database server.

25. How often should patch management be performed?
Patches should be managed as soon as they get released. For Windows, patches are released every second Tuesday of the month by Microsoft. They should be applied to all machines not later than 1 month after release. The same goes for network devices: patch as soon as the patch gets released. Follow a proper patch management process.

26. How do you govern various security objects?
Various security objects are governed with the help of KPIs (Key Performance Indicators). Let us take the example of Windows patches: the agreed KPI can be 99%. It means that 99% of the PCs will have the latest or last month's patch. On similar lines, various security objects can be managed.

27. How does a process audit go?
The red team is the attacker and the blue team the defender. Being on the red team seems fun, but being on the blue team is difficult as you need to understand the attacks and methodologies the red team may follow.
34. What is your preference: bug bounty or security testing?
Both are fine, just support your answer, e.g. bug bounty is decentralised, can identify rare bugs, has a large pool of testers, etc.

35. Tell us about your professional achievements/major projects.
This can be anything like setting up your own team and processes, or a security practice you have implemented. Even if the achievement is not from the security domain, just express it well.

36. Two quick points on web server hardening?
TIP: This is a strong topic; get through the exact answer and carry on the conversation along these lines.
Web server hardening is the filtering of unnecessary services running on various ports and the removal of default test scripts from the servers. Web server hardening is a lot more than this, though, and usually organisations have a customised checklist for hardening the servers. Any server getting created has to be hardened, and hardening has to be re-confirmed on a yearly basis. Even the hardening checklist has to be reviewed on a yearly basis for new add-ons.

37. What is data leakage? How will you detect and prevent it?
A data leak is when data gets out of the organisation in an unauthorised way. Data can get leaked in various ways: emails, prints, laptops getting lost, unauthorised upload of data to public portals, removable drives, photographs, etc. There are various controls which can be placed to ensure that the data does not get leaked; a few controls can be restricting uploads to internet websites, following an internal encryption solution, restricting mail to the internal network, restrictions on printing confidential data, etc.

38. What are the different levels of data classification and why are they required?
Data needs to be segregated into various categories so that its severity can be defined; without this segregation a piece of information can be critical for one person but not so critical for others. There can be various levels of data classification, depending on the organisation; in broader terms, data can be classified into:
Top secret - Its leakage can cause a drastic effect on the organisation, e.g. trade secrets, etc.
Confidential - Internal to the company, e.g. policies and processes.
Public - Publicly available, like newsletters, etc.

39. In a situation where a user needs admin rights on his system to do daily tasks, what should be done: should admin access be granted or restricted?
Users are usually not provided with admin access to reduce the risk, but in certain cases users can be granted admin access. Just ensure that the users understand their responsibility. In case any incident happens, the access should be provided for only a limited time, post senior management approval and with a valid business justification.

40. What are your views on the usage of social media in the office?
TIP: Keep an open mind with these kinds of questions.
Social media is acceptable; just ensure content filtering is enabled and uploading features are restricted. Read-only mode is acceptable as long as it does not interfere with work.

41. What are the various ways by which employees are made aware of information security policies and procedures?
There can be various ways in which this can be done. Employees should undergo mandatory information security training after joining the organisation. This should also be done on a yearly basis, and it can be either a classroom session followed by a quiz or an online training.
Any event which leads to a compromise of the security of an organisation is an incident. The incident process goes like this:
Identification of the incident
Logging it (details)
Investigation and root cause analysis (RCA)
Escalation or keeping the senior management/parties informed
Remediation steps
Closure report
47. Is social media secure?
TIP: This is another debatable question, but be generic.
Not sure if the data is secure or not, but users can take steps from their end to ensure safety:
Connect with trusted people.
Do not post/upload confidential information.
Never use the same username and password for all accounts.

48. Chain of custody?
For legal cases the integrity of the data/device (evidence) needs to be maintained, hence any access needs to be documented: who, what, when and why. A compromise in this process can cause legal issues for the parties involved.

49. How should data archives be maintained?
Gone are the times when there used to be files and cabinets which held data over the years. This phase was long followed by archiving data on magnetic tapes and storing the tapes, with the added overhead of maintaining and safeguarding the tapes. These are a few conventional approaches, but the world is slowly moving to the cloud storage architecture. The only hurdle is data privacy: companies are not very sure about handing over critical data. This will take time, but a securely configured and managed cloud can be one of the best options.
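The chain-of-custody requirement in question 48 (every access documented as who, what, when and why, with the evidence's integrity demonstrable), as an added example that is not code from the original notes: a custody log in which each entry carries the evidence hash and is hash-chained to the previous entry, so an edited, removed or reordered entry breaks verification. Names, timestamps and the evidence bytes are constructed; a real log would additionally anchor the latest entry hash externally (witness signature, notary or write-once store), which this example leaves out.

```python
"""Tamper-evident chain-of-custody log for one piece of evidence.

Added example, not from the original notes. Each entry records who/what/when/
why plus the SHA-256 of the evidence image, and includes the hash of the
previous entry, so the log can be verified end to end.
"""
import hashlib
import json
from dataclasses import asdict, dataclass

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    who: str
    what: str            # action: "acquired", "imaged", "transferred", ...
    when: str            # ISO-8601 timestamp supplied by the caller
    why: str
    evidence_hash: str   # SHA-256 of the evidence at the time of the entry
    prev_hash: str       # entry_hash of the previous entry, or GENESIS
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """Hash of every field except entry_hash itself, in canonical JSON."""
        body = asdict(self)
        body.pop("entry_hash")
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyChain:
    def __init__(self):
        self.entries = []

    def record(self, who: str, what: str, when: str, why: str, evidence: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(who, what, when, why, sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> tuple:
        """Return (ok, reason). Checks the link to the previous entry, each
        entry's own hash, and that the recorded evidence hash matches the
        evidence presented now (i.e. it never changed while in custody)."""
        expected_prev = GENESIS
        current = sha256_hex(evidence)
        for i, entry in enumerate(self.entries):
            if entry.prev_hash != expected_prev:
                return False, f"entry {i}: broken link to previous entry"
            if entry.entry_hash != entry.compute_hash():
                return False, f"entry {i}: entry was altered after it was recorded"
            if entry.evidence_hash != current:
                return False, f"entry {i}: evidence hash does not match the evidence"
            expected_prev = entry.entry_hash
        return True, "chain intact"


if __name__ == "__main__":
    image = b"constructed disk image bytes"        # constructed evidence
    chain = CustodyChain()
    chain.record("Analyst A", "acquired", "2024-01-01T09:00:00Z", "seizure at site", image)
    chain.record("Analyst B", "imaged", "2024-01-01T10:30:00Z", "lab analysis", image)
    print(chain.verify(image))
```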
Have developers fill out forms to identify each change and document which systems are being changed during the deployment plan.

What are some security systems in place to protect from unauthorized traffic?
Firewalls protect the internal network at the router or server level. Antivirus software stops virus software from installing, and penetration testing systems run scripts to identify any potential threats to the network.

What is the purpose of a CISA audit trail?
Audit trails allow you and the company to track systems with sensitive information. Audit trails are mainly used to track which user accessed data and the time the data was accessed. These trails can help companies identify improper use of private data.

What are some ways that companies can lose data?
Hackers and malware are the two primary ways data is lost. Other reasons include unhappy or dishonest employees, accidental data leaks or stolen property such as laptops.

What is the standard protocol of the Internet?
The TCP/IP protocol is used by the Internet and most internal networks.

How can a CISA auditor get a better idea of how the system works?
Talk to management, read documents, watch processes performed by other employees, and read system logs and data.

What is a BIA and what is it used for?
The Business Impact Analysis, which is useful in creating the Business Continuity Plan.

In evaluating the use of a biometric system in an environment that has high security requirements, what is an item that is important to consider?
The false-acceptance rate.

Which control should be implemented when granting account access to third-party vendors?
Creating a temporary account that has a set expiration date and limited access.

Describe a honeypot.
A security device used to deflect unauthorized access by creating an enticing trap containing data that appears legitimate.

What is a disadvantage of using long asymmetric encryption keys?
Even though asymmetric encryption technology is generally more secure, it is a slower method and increases the overhead costs.

You're an auditor evaluating the network of a company that provides wireless access for a fee, requiring them to process financial data. The company's wireless network connection has implemented the use of SSL and WTLS. What is one of the top concerns?
That a hacker may compromise the WAP gateway.

When an auditor evaluates an IT system, what user features should be evaluated?
The auditor should ensure all users have access to system documentation and user guides.

Auditors are used to review security controls and policy. What are the pitfalls of inadequate control implementation and policy definitions?
Giving users unauthorized access, increasing the likelihood of a breach; improper load balancing or other poor network configurations can cause bottlenecked or degraded performance, data exfiltration, or noncompliance.

What are other benefits to having continuous auditing?
It improves the overall security posture of an organization.

What is the BCP?
The Business Continuity Plan (BCP) is the written organizational policy used in incident response. In writing the BCP, the Business Impact Analysis is analyzed and a risk assessment is performed to determine potential risks to the organization and the best way to mitigate those risks based on the company's needs.

What is sociability testing?
A type of test performed to determine if an application is working as expected in a specified environment.

Name two types of backup methods used for remote backup sites.
Shadow file processing and electronic vaulting.

What is the CA used for? And what processes can it delegate?
The CA is the certificate authority in PKI technology. It issues the certificates. The CA is able to delegate the process of establishing a link between the requesting entity and its public key.

What is the purpose of network encryption?
To protect the confidentiality of information that passes through the network.

When you find a flaw in the system while performing an audit, what is the best response?
Auditors do not fix system flaws; they are noted in the final report and submitted to the system owners for their review. It is their duty to determine what to do concerning the flaw.
Digital forensics is the science of preserving and analyzing digital data; this data can then be used in court cases as well as for crime detection and prevention. Digital forensics began in the 1970s and was initially used as a tool for fighting financial crime. Today, with computers and digital devices
file, and a sparse data copy of a file or folder. Sparse acquisition is useful in circumstances where there is too much data to acquire from RAID drives or large drives. While collecting digital evidence, examiners must comply with the "Order of Volatility" rule, which defines the order or sequence in which digital evidence is collected. This order runs from highly volatile to less volatile data. Moreover, the appropriate tool must be used for acquisition, and a test acquisition should always be performed on a test drive rather than on the suspect drive. In addition, always validate the acquisition with built-in tools such as a hexadecimal editor with SHA-1 or MD5 hashing functions.
Preservation: Digital preservation is the process of preserving digital evidence at a secure physical site so that it cannot be changed or altered. Only well-preserved evidence can be presented in court proceedings.
Symmetric encryption uses a single key that needs to be shared among the people who need to receive the message, while asymmetric encryption uses a pair of keys, a public key and a private key, to encrypt and decrypt messages when communicating. Symmetric encryption is an old technique, while asymmetric encryption is relatively new. Asymmetric encryption was introduced to address the inherent problem of having to share the key in the symmetric encryption model, eliminating the need to share the key by using a public-private key pair. Asymmetric encryption takes relatively more time than symmetric encryption.
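The hybrid approach recommended in the earlier symmetric-versus-asymmetric answer (set up the channel with asymmetric encryption, send the data with a symmetric cipher) and restated in the comparison above, as an added example that is not code from the notes: RSA-OAEP wraps a one-time AES-256-GCM key, and AES-GCM carries the bulk data. It assumes the third-party `cryptography` package is installed; the message and AAD values are constructed.

```python
"""Hybrid encryption: RSA-OAEP wraps a fresh AES-256-GCM session key; AES-GCM
carries the bulk data and authenticates it.

Added example, not from the original notes. Requires the `cryptography`
package (pip install cryptography). Key pair is generated in-process for the
demonstration; a real recipient key would come from a certificate or keystore.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def max_rsa_oaep_payload(key_bits: int, hash_bytes: int = 32) -> int:
    """Largest message RSA-OAEP can encrypt directly: k - 2*hLen - 2 bytes.
    For a 2048-bit key with SHA-256 that is 190 bytes: enough for a symmetric
    key, far too small for the data, which is why the data goes through AES."""
    return key_bits // 8 - 2 * hash_bytes - 2


def hybrid_encrypt(recipient_pub, plaintext: bytes, aad: bytes = b"") -> dict:
    """Sender: one-time AES key, wrapped under the recipient's public key."""
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # 96-bit GCM nonce; never reuse with the same key
    ciphertext = AESGCM(session_key).encrypt(nonce, plaintext, aad)
    return {"wrapped_key": recipient_pub.encrypt(session_key, OAEP),
            "nonce": nonce, "ciphertext": ciphertext, "aad": aad}


def hybrid_decrypt(recipient_priv, envelope: dict) -> bytes:
    """Receiver: unwrap the session key, then decrypt and authenticate.
    Any change to nonce, ciphertext or AAD raises InvalidTag."""
    session_key = recipient_priv.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(envelope["nonce"], envelope["ciphertext"], envelope["aad"])


def roundtrip(message: bytes) -> bool:
    """Encrypt a message (of any size) to a fresh key pair and decrypt it."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    env = hybrid_encrypt(priv.public_key(), message, aad=b"constructed header")
    return hybrid_decrypt(priv, env) == message


def tamper_detected(message: bytes) -> bool:
    """Flip one ciphertext bit and confirm the GCM tag rejects the envelope."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    env = hybrid_encrypt(priv.public_key(), message)
    ct = bytearray(env["ciphertext"])
    ct[0] ^= 1
    env["ciphertext"] = bytes(ct)
    try:
        hybrid_decrypt(priv, env)
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    print("RSA-2048/OAEP direct payload limit:", max_rsa_oaep_payload(2048), "bytes")
    print("100 KB round trip ok:", roundtrip(b"constructed bulk payload " * 4000))
    print("tampering detected:", tamper_detected(b"constructed message"))
```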