CHFI - Computer Hacking Forensic Investigator Network Forensics Questions and Answers

Question 1

A network forensic analyst is examining a packet capture (.pcap) file and observes a three-way handshake followed by an encrypted exchange between a client and a server. Suddenly, the analyst sees a large number of TCP packets with the RST (Reset) flag set being sent from the server to the client. What does this pattern most likely indicate?

Accepted Answer

An abrupt termination of the TCP connection, possibly by a firewall or Intrusion Prevention System (IPS).

Answer

A TCP RST (Reset) flag is used to immediately terminate a connection. While it can occur for normal reasons like an application crash, a sudden flood of RST packets after a valid connection has been established is often indicative of an external system, like a firewall or an IPS, forcibly closing the session because it detected suspicious or malicious traffic. A normal termination uses the FIN flag, and a SYN flood would consist of many SYN packets without a completed handshake.

Question 2

When investigating a network security incident, a forensic analyst lacks a full packet capture but has access to NetFlow records from the organization's routers. What type of information can the analyst primarily derive from this data?

Accepted Answer

Metadata about network conversations, including source/destination IPs, ports, and the volume of data transferred.

Answer

NetFlow data provides a high-level summary or metadata of network traffic, often compared to a phone bill. It records details like the source and destination IP addresses, source and destination ports, protocol, and the total bytes transferred for a given conversation ('flow'). It does not capture the actual payload or content of the packets, so it cannot reveal email contents, specific commands, or cryptographic keys.

Question 3

An investigator needs to capture live network traffic from a specific interface on a remote Linux server and save it to a file for later analysis. The investigator wants to use a command-line tool that is widely available and efficient. Which of the following tools is most suitable for this task?

Accepted Answer

tcpdump

Answer

tcpdump is a classic, powerful, and ubiquitous command-line packet capture utility available on Linux and other Unix-like systems. It is ideal for capturing traffic on remote servers where a GUI is not available. Autopsy is a disk forensics suite, Volatility is for memory forensics, and while Network Miner is a network forensic analysis tool, it is primarily a GUI-based application for Windows.

Question 4

During an investigation into a suspected malware infection, a CHFI analyst discovers an unusually high volume of DNS queries for various, seemingly random subdomains of a single parent domain (e.g., `axj34.evil.com`, `b9dk1.evil.com`). The compromised host is not receiving valid IP addresses in response. This pattern is a strong indicator of which activity?

Accepted Answer

Data exfiltration or Command and Control (C2) communication using DNS tunneling.

Answer

This pattern is a classic indicator of DNS tunneling, a technique used to bypass firewalls by encoding data into DNS queries. Malware on a compromised host encodes stolen data or C2 communications into the subdomain portion of a DNS query, which is then sent to a malicious DNS server controlled by the attacker. The high volume of queries with long, randomized subdomains is a key giveaway.

Question 5

A forensic investigator is analyzing a wireless packet capture and identifies a large number of deauthentication frames being broadcast. These frames appear to originate from the legitimate Access Point's MAC address but are targeting all connected clients, causing widespread disconnections. What is this specific type of attack called?

Accepted Answer

Wi-Fi Disassociation/Deauthentication Attack

Answer

This scenario describes a Wi-Fi Disassociation or Deauthentication attack. In this attack, an adversary sends forged deauthentication or disassociation frames to clients, spoofing the MAC address of the Access Point. This tricks the clients into disconnecting from the network, causing a denial-of-service condition.

CHFI - Computer Hacking Forensic Investigator Practice Test

CHFI - Computer Hacking Forensic Investigator Practice Test

CHFI - Computer Hacking Forensic Investigator Network Forensics Questions and Answers