Question

1. T/F. An attacker who steals an organization’s user’s password hash can use it, without decrypting it, to authenticate to other systems on the network through what’s considered to be a “pass-the-hash” attack.
   
2. T/F. The Ntuser.dat file loads registry information for the current user logged onto a system in the HKEY_CURRENT_USER (HKCU) registry hive.
   
3. T/F. Forensic analysis of memory allows cyber security researchers to examine malware, which otherwise might not be accessible due to file packing and other anti-forensic techniques the malware author employed

Answer 1

Ans 1: True
Explanation: The attacker uses the weak stolen hashed user credentials and without cracking it, the attacker reuses to bypass authentication system and create a new authenticated session on the same network.

Ans 2: True
Explanation: Each time the user logs in, a separate hive and profile is created. Each user profile are stored under HKEY_CURRENT_USER. Ntuser.dat file contains user profile settings

Ans 3: True
Explanation: Forensic analysis of memory allows in investigating the computer attacks which doesn't leave data behind on computer's hard drive.