Chapter 23 — Quiz
14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band are at the bottom. Commit to an answer before you look — a guess you have to defend teaches more than one you peek at.
Multiple choice
Q1. What makes network evidence fundamentally different from disk evidence? - A) Network evidence is always encrypted, so it cannot be read - B) On the network the default state of evidence is destroyed — a packet exists only if some sensor wrote it down as it passed - C) Network evidence has slack space you can carve, just like a disk - D) Network data is stored on the router indefinitely by default
Q2. Which evidence source gives you full content but the shortest retention? - A) NetFlow / IPFIX flow records - B) DNS query logs - C) Full packet capture (PCAP/PCAPNG) - D) Firewall logs
Q3. For a forensic capture with tcpdump, which option is not optional, and why?
- A) -nn, because it speeds up disk writes
- B) -w, because it prints packets to the screen
- C) -s 0 (full snaplen), because a small snapshot length truncates every packet and discards the payload permanently
- D) -c 100, because it limits the capture to 100 packets
Q4. What is the difference between a capture (BPF) filter and a Wireshark display filter? - A) They are two names for the same thing - B) A capture filter only hides packets; a display filter deletes them - C) A capture filter discards non-matching packets as they arrive (destructive); a display filter only hides them in an already-saved file (non-destructive) - D) Display filters run in the kernel; capture filters run in the GUI
Q5. A NetFlow / IPFIX flow record contains which of the following? - A) The full payload of every packet in the conversation - B) The URLs requested and the files transferred - C) The 5-tuple plus counters (packets, bytes, timestamps) — metadata only, with no payload - D) The decrypted contents of any TLS session
Q6. In Zeek logs, what is the uid field used for?
- A) It is the user's login name
- B) It is a unique connection identifier that appears in every log line about that connection, letting you join conn.log, dns.log, ssl.log, and files.log for one session
- C) It is the unique ID of the Zeek sensor
- D) It is the file's SHA-256 hash
Q7. A Zeek conn.log row shows orig_bytes 2,147,483,648 and resp_bytes 18,422 to an external IP. What does this asymmetry most strongly indicate?
- A) A normal web-browsing session (downloading a page)
- B) An upload / data exfiltration — the originator sent the bulk of the data
- C) A failed connection with no data transferred
- D) An inbound attack against the workstation
Q8. A host queries the same external domain every 60 seconds, with very low variance, for hours. This pattern is called: - A) A DGA infection - B) DNS tunneling - C) Beaconing (command-and-control check-in) - D) An NXDOMAIN flood
Q9. Which combination of DNS signatures most strongly indicates a Domain Generation Algorithm (DGA)?
- A) Short, dictionary-word domains with many A-record answers
- B) High-entropy (random-looking) domain labels and a burst of NXDOMAIN (rcode 3) responses as the malware walks its list
- C) A single query to a well-known domain
- D) TXT queries to a corporate mail server
Q10. In the United States, which law generally governs the real-time interception of the content of communications in transit? - A) The Stored Communications Act (governs data at rest) - B) The Pen Register / Trap-and-Trace statute (governs real-time metadata) - C) The Wiretap Act (Title III of ECPA, 18 U.S.C. §§ 2510–2522) - D) The Federal Rules of Civil Procedure
True / False
Q11. An IDS/IPS alert (from Snort or Suricata) is sufficient, by itself, to conclude in a report that exfiltration occurred. (True / False)
Q12. An IP address in a log reliably identifies the specific individual person responsible for the traffic. (True / False)
Short answer
Q13. Explain the content versus metadata distinction, and why it matters in two separate ways — one legal, one practical/storage. Name the law that applies to each side of the line.
Q14. You have just stopped a packet capture. State the first chain-of-custody action you take, the tool you use, and why — and name the per-packet check that confirms the capture was not truncated.
---
Answer key
Q1 — B. On disk, deletion removes a pointer and the bytes persist until overwritten; on the wire a packet exists for microseconds and then is gone, with no slack, journal, or shadow copy. Evidence exists only if a sensor recorded it as it passed — which is why capture coverage is the most consequential decision in network forensics, and it is made before any incident.
Q2 — C. Full packet capture records every byte and header (content), but at ~10.8 TB/day for a saturated 1 Gbps link it is kept only hours to days. Flow, DNS, firewall, and proxy logs are leaner and kept far longer.
Q3 — C. -s 0 sets an unlimited snapshot length so the entire packet is captured. A small snaplen clips every packet at that boundary and the payload beyond it is never written — unrecoverable once the traffic is gone. (-nn disables name resolution; neither -w printing nor -c is correct.)
Q4 — C. A BPF capture filter is applied by the kernel as packets arrive and permanently discards non-matching packets (destructive). A Wireshark display filter is applied to an already-saved file and only hides packets from view (non-destructive). Hence: capture broadly, narrow later.
Q5 — C. A flow record is the 5-tuple (src/dst IP, src/dst port, protocol) plus counters and timestamps — tens of bytes, no payload. That is why it survives for months and why it can prove that and how much but never what.
Q6 — B. The uid is a per-connection identifier that recurs across every Zeek log about that connection, so pivoting on it assembles the full cross-protocol story of one session (the lookup in dns.log, the SNI/cert in ssl.log, the volume in conn.log, the file hash in files.log).
Q7 — B. Normal browsing downloads far more than it uploads; a host that sent two gigabytes and received eighteen kilobytes is uploading. The orig_bytes ≫ resp_bytes asymmetry is the primary exfiltration signal.
Q8 — C. A regular, low-variance interval (quantified by a low coefficient of variation of inter-arrival times) sustained over a high count is beaconing — a machine on a timer, not a human, who browses in bursts and pauses.
Q9 — B. DGA domains have high character entropy (they look algorithmic) and most fail to resolve, producing a flood of NXDOMAIN (rcode 3) as the malware tries each candidate until one is live. Either signal alone is weak; together they are nearly unambiguous.
Q10 — C. Real-time interception of communication content is governed by the Wiretap Act (Title III of ECPA). Real-time metadata falls under Pen Register / Trap-and-Trace; data at rest under the Stored Communications Act. Confirm scope and authority with counsel before capturing.
Q11 — False. Signatures false-positive and false-negative constantly; an alert tells you where to look. You confirm with the flow, proxy, Zeek, and any surviving capture before concluding anything. "The IDS fired" is a lead, not proof.
Q12 — False. NAT/CGNAT, shared workstations, VPNs, Tor, open Wi-Fi, and spoofed source addresses all sever the IP→person link. An IP identifies (at best) a network interface at a moment; tying it to a human needs subscriber records, internal NAT/DHCP logs, an authenticated account, and endpoint corroboration.
Q13. Content is what was said (the payload, the message, the file); metadata is the addressing and signaling — who connected to whom, when, on what port, how many bytes. Legally, capturing content in transit is governed by the high-bar Wiretap Act, while real-time metadata falls under the lower-bar Pen Register / Trap-and-Trace statute (and stored records under the Stored Communications Act). Practically/storage, metadata is tiny — a flow record is tens of bytes — so it can be retained for months, while full-content capture is terabytes per day and kept only hours, which is why you start an investigation from metadata and reserve content for the window it points to.
Q14. Hash the capture immediately — capinfos -H cap.pcap produces the SHA-256 (and other digests) along with the statistics in one step — and record it in the chain-of-custody worksheet, then work only on copies, because the capture file is the original. The per-packet truncation check is incl_len == orig_len: when they are equal the whole packet was captured; when incl_len is smaller, the snaplen clipped it.
Scoring: 13–14 — courtroom-ready; you can defend each source and its limits. 10–12 — solid; revisit the content-vs-metadata line and the capture-vs-display-filter distinction. 7–9 — re-read "Full capture versus flow," "DNS," and "IDS/IPS and Zeek," then redo Groups C, E, and F of the exercises. Below 7 — re-read the chapter index and rebuild the fused exfiltration timeline before moving on to Chapter 24.