Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
26 Cards in this Set
- Front
- Back
|
What version of Inverstigator allows you to perform live data Capture?
|
Field Edition
|
|
|
What two rules types are created for live or imported data collections?
|
Network and Applications
|
|
|
What are two sources of network data that Investigator can analyze?
|
Local NIC
Downloaded from Decoder or Concentrator |
|
|
*What are two levels of configuration for data collections?
|
Application Level- Storage and Index Settings
Collection Level - File Location and Locking |
|
|
*What are two different types of Local Data Collections?
|
PCAP Import
Live Network Captures |
|
|
*What is the conversion utility for using packet data that is not in a supported format?
|
editcap
|
|
|
*Name 8 Investigator Input File Types?
|
TCPDump
NetMon EtherPeek IPTrace NAIDOS RAW NetWitness Data Network Instruments Observer |
|
|
*How do you reprocess a data collection with different set of rules?
|
Reprocess the existing colletion by:
-Exporting the rules to an NWR file -Delete existing rules and replace with new rules Select the collection to reprocess |
|
|
In a remote collection what port is used for the Broker?
|
TCP Port 50003
|
|
|
In a remote collection what port is used for the Concentrator?
|
TCP Port 50005
|
|
|
*What are the two most common uses of Rules within Investigator?
|
- To filter out certain typres of traffic that doesn't add value to analysis
-To alert and create an alert meta value when certain criteria are found during the processing and reconstruction of sessions |
|
|
*When are network rules applied?
|
Prior to session reconstruction
|
|
|
*When are application rules applied?
|
After session reconstruction
|
|
|
What are the 3 Network Rule Actions for Packet Data?
|
Keep
Filter Truncate |
|
|
What are the 4 Network Rule Actions for Session Options?
|
Assemble
Network Meta Application Meta Alert |
|
|
What happens once an Application layer rule is hit?
|
All future rule evalution stops
|
|
|
What are the 4 Packet Data Applicaton Rules?
|
Keep
Filter Truncate Stop Rule Processin |
|
|
What is the Session Option Application Rule Action?
|
Alert
|
|
|
What is the default value for instances of Report Types in Investigator?
|
20 Instances
|
|
|
What are the two Custom Actions variables?
|
$(TYPE) - specifies the metadata's equivalent value
$(VALUE) - specifies the metadata's raw value |
|
|
What color are the Pivot Points in an investigator?
|
Blue
|
|
|
*What does the Tilde (~) in the quantity of session indicate?
|
An estimated number of sessions was used
|
|
|
What is the term for the path taken in the pivoting process?
|
Pivot Trails
|
|
|
What are "Bread Crumbs"
|
Reference point for the current analysis point
|
|
|
What four display options should be disabled to help protect against malware?
|
-Automated Thumbnail Generation
-Do not embed applicaiton types -Enable CSS Reconstruction -Disable Native Content Views |
|
|
What four formats can Investigator export data?
|
-PCAP
-RAW -XML -NWD |
