Summer Special Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

ECCouncil 312-49v10 Computer Hacking Forensic Investigator (CHFI-v10) Exam Practice Test

Page: 1 / 70
Total 704 questions

Computer Hacking Forensic Investigator (CHFI-v10) Questions and Answers

Question 1

Select the tool appropriate for examining the dynamically linked libraries of an application or malware.

Options:

A.

DependencyWalker

B.

SysAnalyzer

C.

PEiD

D.

ResourcesExtract

Question 2

Rusty, a computer forensics apprentice, uses the command nbtstat –c while analyzing the network information in a suspect system. What information is he looking for?

Options:

A.

Contents of the network routing table

B.

Status of the network carrier

C.

Contents of the NetBIOS name cache

D.

Network connections

Question 3

What must an attorney do first before you are called to testify as an expert?

Options:

A.

Qualify you as an expert witness

B.

Read your curriculum vitae to the jury

C.

Engage in damage control

D.

Prove that the tools you used to conduct your examination are perfect

Question 4

What malware analysis operation can the investigator perform using the jv16 tool?

Options:

A.

Files and Folder Monitor

B.

Installation Monitor

C.

Network Traffic Monitoring/Analysis

D.

Registry Analysis/Monitoring

Question 5

Select the tool appropriate for finding the dynamically linked lists of an application or malware.

Options:

A.

SysAnalyzer

B.

ResourcesExtract

C.

PEiD

D.

Dependency Walker

Question 6

Which among the following U.S. laws requires financial institutions—companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance—to protect their customers’ information against security threats?

Options:

A.

SOX

B.

HIPAA

C.

GLBA

D.

FISMA

Question 7

What is the investigator trying to view by issuing the command displayed in the following screenshot?

Question # 7

Options:

A.

List of services stopped

B.

List of services closed recently

C.

List of services recently started

D.

List of services installed

Question 8

Select the data that a virtual memory would store in a Windows-based system.

Options:

A.

Information or metadata of the files

B.

Documents and other files

C.

Application data

D.

Running processes

Question 9

Robert is a regional manager working in a reputed organization. One day, he suspected malware attack after unwanted programs started to popup after logging into his computer. The network administrator was called upon to trace out any intrusion on the computer and he/she finds that suspicious activity has taken place within Autostart locations. In this situation, which of the following tools is used by the network administrator to detect any intrusion on a system?

Options:

A.

Hex Editor

B.

Internet Evidence Finder

C.

Process Monitor

D.

Report Viewer

Question 10

An attacker has compromised a cloud environment of a company and used the employee information to perform an identity theft attack. Which type of attack is this?

Options:

A.

Cloud as a subject

B.

Cloud as a tool

C.

Cloud as an object

D.

Cloud as a service

Question 11

UEFI is a specification that defines a software interface between an OS and platform firmware. Where does this interface store information about files present on a disk?

Options:

A.

BIOS-MBR

B.

GUID Partition Table (GPT)

C.

Master Boot Record (MBR)

D.

BIOS Parameter Block

Question 12

In which registry does the system store the Microsoft security IDs?

Options:

A.

HKEY_CLASSES_ROOT (HKCR)

B.

HKEY_CURRENT_CONFIG (HKCC)

C.

HKEY_CURRENT_USER (HKCU)

D.

HKEY_LOCAL_MACHINE (HKLM)

Question 13

What does Locard's Exchange Principle state?

Options:

A.

Any information of probative value that is either stored or transmitted in a digital form

B.

Digital evidence must have some characteristics to be disclosed in the court of law

C.

Anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave

D.

Forensic investigators face many challenges during forensics investigation of a digital crime, such as extracting, preserving, and analyzing the digital evidence

Question 14

In a computer that has Dropbox client installed, which of the following files related to the Dropbox client store information about local Dropbox installation and the Dropbox user account, along with email IDs linked with the account?

Options:

A.

config.db

B.

install.db

C.

sigstore.db

D.

filecache.db

Question 15

Which of the following file system uses Master File Table (MFT) database to store information about every file and directory on a volume?

Options:

A.

FAT File System

B.

ReFS

C.

exFAT

D.

NTFS File System

Question 16

What does the Rule 101 of Federal Rules of Evidence states?

Options:

A.

Scope of the Rules, where they can be applied

B.

Purpose of the Rules

C.

Limited Admissibility of the Evidence

D.

Rulings on Evidence

Question 17

During an investigation, Noel found the following SIM card from the suspect's mobile. What does the code 89 44 represent?

Question # 17

Options:

A.

Issuer Identifier Number and TAC

B.

Industry Identifier and Country code

C.

Individual Account Identification Number and Country Code

D.

TAC and Industry Identifier

Question 18

Which of the following statements is true regarding SMTP Server?

Options:

A.

SMTP Server breaks the recipient’s address into Recipient’s name and his/her designation before passing it to the DNS Server

B.

SMTP Server breaks the recipient's address into Recipient’s name and recipient’s address before passing it to the DNS Server

C.

SMTP Server breaks the recipient’s address into Recipient’s name and domain name before passing it to the DNS Server

D.

SMTP Server breaks the recipient’s address into Recipient’s name and his/her initial before passing it to the DNS Server

Question 19

Which of the following is a precomputed table containing word lists like dictionary files and brute force lists and their hash values?

Options:

A.

Directory Table

B.

Rainbow Table

C.

Master file Table (MFT)

D.

Partition Table

Question 20

Which of the following is a responsibility of the first responder?

Options:

A.

Determine the severity of the incident

B.

Collect as much information about the incident as possible

C.

Share the collected information to determine the root cause

D.

Document the findings

Question 21

Hard disk data addressing is a method of allotting addresses to each _______ of data on a hard disk.

Options:

A.

Physical block

B.

Operating system block

C.

Hard disk block

D.

Logical block

Question 22

When a user deletes a file, the system creates a $I file to store its details. What detail does the $I file not contain?

Options:

A.

File Size

B.

File origin and modification

C.

Time and date of deletion

D.

File Name

Question 23

Which of the following standard represents a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases?

Options:

A.

SWGDE & SWGIT

B.

Daubert

C.

Frye

D.

IOCE

Question 24

Lynne receives the following email:

Dear lynne@gmail.com! We are sorry to inform you that your ID has been temporarily frozen due to incorrect or missing information saved at 2016/11/10 20:40:24

You have 24 hours to fix this problem or risk to be closed permanently!

To proceed Please Connect >> My Apple ID

Thank You The link to My Apple ID shows http://byggarbetsplatsen.se/backup/signon/

What type of attack is this?

Options:

A.

Mail Bombing

B.

Phishing

C.

Email Spamming

D.

Email Spoofing

Question 25

When analyzing logs, it is important that the clocks of all the network devices are synchronized. Which protocol will help in synchronizing these clocks?

Options:

A.

UTC

B.

PTP

C.

Time Protocol

D.

NTP

Question 26

What document does the screenshot represent?

Question # 26

Options:

A.

Expert witness form

B.

Search warrant form

C.

Chain of custody form

D.

Evidence collection form

Question 27

Which of the following commands shows you the username and IP address used to access the system via a remote login session and the type of client from which they are accessing the system?

Options:

A.

Net config

B.

Net sessions

C.

Net share

D.

Net stat

Question 28

James, a forensics specialist, was tasked with investigating a Windows XP machine that was used for malicious online activities. During the Investigation, he recovered certain deleted files from Recycle Bin to Identify attack clues.

Identify the location of Recycle Bin in Windows XP system.

Options:

A.

Drive:\$Recycle.Bin\

B.

Iocal/sha re/Trash

C.

Drive:\RECYCLER\

D.

DriveARECYCLED

Question 29

Adam Is thinking of establishing a hospital In the US and approaches John, a software developer to build a site and host it for him on one of the servers, which would be used to store patient health records. He has learned from his legal advisors that he needs to have the server's log data reviewed and managed according to certain standards and regulations. Which of the following regulations are the legal advisors referring to?

Options:

A.

Data Protection Act of 2018

B.

Payment Card Industry Data Security Standard (PCI DSS)

C.

Electronic Communications Privacy Act

D.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Question 30

Recently, an Internal web app that a government agency utilizes has become unresponsive, Betty, a network engineer for the government agency, has been tasked to determine the cause of the web application's unresponsiveness. Betty launches Wlreshark and begins capturing the traffic on the local network. While analyzing the results, Betty noticed that a syn flood attack was underway. How did Betty know a syn flood attack was occurring?

Options:

A.

Wireshark capture shows multiple ACK requests and SYN responses from single/multiple IP address(es)

B.

Wireshark capture does not show anything unusual and the issue is related to the web application

C.

Wireshark capture shows multiple SYN requests and RST responses from single/multiple IP address(es)

D.

Wireshark capture shows multiple SYN requests and ACK responses from single/multiple IP address(es)

Question 31

Mark works for a government agency as a cyber-forensic investigator. He has been given the task of restoring data from a hard drive. The partition of the hard drive was deleted by a disgruntled employee In order to hide their nefarious actions. What tool should Mark use to restore the data?

Options:

A.

EFSDump

B.

Diskmon D

C.

iskvlew

D.

R-Studio

Question 32

During a forensic investigation, a large number of files were collected. The investigator needs to evaluate ownership and accountability of those files. Therefore, he begins to Identify attributes such as "author name," "organization name." "network name," or any additional supporting data that is meant for the owner's Identification purpose. Which term describes these attributes?

Options:

A.

Data header

B.

Data index

C.

Metabase

D.

Metadata

Question 33

To which phase of the computer forensics investigation process does "planning and budgeting of a forensics lab" belong?

Options:

A.

Post-investigation phase

B.

Reporting phase

C.

Pre-investigation phase

D.

Investigation phase

Question 34

During an Investigation, the first responders stored mobile devices In specific containers to provide network Isolation. All the following are examples of such pieces of equipment, except for:

Options:

A.

Wireless StrongHold bag

B.

VirtualBox

C.

Faraday bag

D.

RF shield box

Question 35

Fred, a cybercrime Investigator for the FBI, finished storing a solid-state drive In a static resistant bag and filled out the chain of custody form. Two days later. John grabbed the solid-state drive and created a clone of It (with write blockers enabled) In order to Investigate the drive. He did not document the chain of custody though. When John was finished, he put the solid-state drive back in the static resistant and placed it back in the evidence locker. A day later, the court trial began and upon presenting the evidence and the supporting documents, the chief Justice outright rejected them. Which of the following statements strongly support the reason for rejecting the evidence?

Options:

A.

Block clones cannot be created with solid-state drives

B.

Write blockers were used while cloning the evidence

C.

John did not document the chain of custody

D.

John investigated the clone instead of the original evidence itself

Question 36

Robert needs to copy an OS disk snapshot of a compromised VM to a storage account in different region for further investigation. Which of the following should he use in this scenario?

Options:

A.

Azure CLI

B.

Azure Monitor

C.

Azure Active Directory

D.

Azure Portal

Question 37

An Investigator Is checking a Cisco firewall log that reads as follows:

Aug 21 2019 09:16:44: %ASA-1-106021: Deny ICMP reverse path check from 10.0.0.44 to 10.0.0.33 on Interface outside

What does %ASA-1-106021 denote?

Options:

A.

Mnemonic message

B.

Type of traffic

C.

Firewall action

D.

Type of request

Question 38

Data density of a disk drive is calculated by using_______

Options:

A.

Slack space, bit density, and slack density.

B.

Track space, bit area, and slack space.

C.

Track density, areal density, and slack density.

D.

Track density, areal density, and bit density.

Question 39

A file requires 10 KB space to be saved on a hard disk partition. An entire cluster of 32 KB has been allocated for this file. The remaining, unused space of 22 KB on this cluster will be Identified as______.

Options:

A.

Swap space

B.

Cluster space

C.

Slack space

D.

Sector space

Question 40

In a Fllesystem Hierarchy Standard (FHS), which of the following directories contains the binary files required for working?

Options:

A.

/sbin

B.

/proc

C.

/mm

D.

/media

Question 41

Williamson is a forensic investigator. While investigating a case of data breach at a company, he is maintaining a document that records details such as the forensic processes applied on the collected evidence, particulars of people handling It. the dates and times when it Is being handled, and the place of storage of the evidence. What do you call this document?

Options:

A.

Consent form

B.

Log book

C.

Authorization form

D.

Chain of custody

Question 42

An investigator Is examining a file to identify any potentially malicious content. To avoid code execution and still be able to uncover hidden indicators of compromise (IOC), which type of examination should the investigator perform:

Options:

A.

Threat hunting

B.

Threat analysis

C.

Static analysis

D.

Dynamic analysis

Question 43

When Investigating a system, the forensics analyst discovers that malicious scripts were Injected Into benign and trusted websites. The attacker used a web application to send malicious code. In the form of a browser side script, to a different end-user. What attack was performed here?

Options:

A.

Brute-force attack

B.

Cookie poisoning attack

C.

Cross-site scripting attack

D.

SQL injection attack

Question 44

Maria has executed a suspicious executable file In a controlled environment and wants to see if the file adds/modifies any registry value after execution via Windows Event Viewer. Which of the following event ID should she look for In this scenario?

Options:

A.

Event ID 4657

B.

Event ID 4624

C.

Event ID 4688

D.

Event ID 7040

Question 45

Jeff is a forensics investigator for a government agency's cyber security office. Jeff Is tasked with acquiring a memory dump of a Windows 10 computer that was involved In a DDoS attack on the government agency's web application. Jeff is onsite to collect the memory. What tool could Jeff use?

Options:

A.

Volatility

B.

Autopsy

C.

RAM Mapper

D.

Memcheck

Question 46

William is examining a log entry that reads 192.168.0.1 - - [18/Jan/2020:12:42:29 +0000) "GET / HTTP/1.1" 200 1861. Which of the following logs does the log entry belong to?

Options:

A.

The combined log format of Apache access log

B.

The common log format of Apache access log

C.

Apache error log

D.

IIS log

Question 47

Steve received a mail that seemed to have come from her bank. The mail has instructions for Steve to click on a link and provide information to avoid the suspension of her account. The link in the mail redirected her to a form asking for details such as name, phone number, date of birth, credit card number or PIN, CW code, SNNs, and email address. On a closer look, Steve realized that the URL of the form in not the same as that of her bank's. Identify the type of external attack performed by the attacker In the above scenario?

Options:

A.

Aphishing

B.

Espionage

C.

Taiigating

D.

Brute-force

Question 48

Which of the following Windows event logs record events related to device drives and hardware changes?

Options:

A.

Forwarded events log

B.

System log

C.

Application log

D.

Security log

Question 49

"In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to explain his/her actions and the impact of those actions on the evidence, in the court." Which ACPO principle states this?

Options:

A.

Principle 1

B.

Principle 3

C.

Principle 4

D.

Principle 2

Question 50

SO/IEC 17025 is an accreditation for which of the following:

Options:

A.

CHFI issuing agency

B.

Encryption

C.

Forensics lab licensing

D.

Chain of custody

Question 51

Jacob, a cybercrime investigator, joined a forensics team to participate in a criminal case involving digital evidence. After the investigator collected all the evidence and presents it to the court, the judge dropped the case and the defense attorney pressed charges against Jacob and the rest of the forensics team for unlawful search and seizure. What forensics privacy issue was not addressed prior to collecting the evidence?

Options:

A.

Compliance with the Second Amendment of the U.S. Constitution

B.

Compliance with the Third Amendment of the U.S. Constitution

C.

None of these

D.

Compliance with the Fourth Amendment of the U.S. Constitution

Question 52

When installed on a Windows machine, which port does the Tor browser use to establish a network connection via Tor nodes?

Options:

A.

7680

B.

49667/49668

C.

9150/9151

D.

49664/49665

Question 53

Derrick, a forensic specialist, was investigating an active computer that was executing various processes. Derrick wanted to check whether this system was used In an Incident that occurred earlier. He started Inspecting and gathering the contents of RAM, cache, and DLLs to Identify Incident signatures. Identify the data acquisition method employed by Derrick in the above scenario.

Options:

A.

Dead data acquisition

B.

Static data acquisition

C.

Non-volatile data acquisition

D.

Live data acquisition

Question 54

Debbie has obtained a warrant to search a known pedophiles house. Debbie went to the house and executed the search warrant to seize digital devices that have been recorded as being used for downloading Illicit Images. She seized all digital devices except a digital camera. Why did she not collect the digital camera?

Options:

A.

The digital camera was not listed as one of the digital devices in the warrant

B.

The vehicle Debbie was using to transport the evidence was already full and could not carry more items

C.

Debbie overlooked the digital camera because it is not a computer system

D.

The digital camera was old. had a cracked screen, and did not have batteries. Therefore, it could not have been used in a crime.

Question 55

Using Internet logging software to investigate a case of malicious use of computers, the investigator comes across some entries that appear odd.

Question # 55

From the log, the investigator can see where the person in question went on the Internet. From the log, it appears that the user was manually typing in different user ID numbers. What technique this user was trying?

Options:

A.

Parameter tampering

B.

Cross site scripting

C.

SQL injection

D.

Cookie Poisoning

Question 56

What is the smallest physical storage unit on a hard drive?

Options:

A.

Track

B.

Cluster

C.

Sector

D.

Platter

Question 57

Which of the following standard represents a legal precedent sent in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses’ testimony during federal legal proceedings?

Options:

A.

IOCE

B.

SWGDE & SWGIT

C.

Frye

D.

Daubert

Question 58

Davidson Trucking is a small transportation company that has three local offices in Detroit Michigan. Ten female employees that work for the company have gone to an attorney reporting that male employees repeatedly harassed them and that management did nothing to stop the problem. Davidson has employee policies that outline all company guidelines, including awareness on harassment and how it will not be tolerated. When the case is brought to court, whom should the prosecuting attorney call upon for not upholding company policy?

Options:

A.

IT personnel

B.

Employees themselves

C.

Supervisors

D.

Administrative assistant in charge of writing policies

Question 59

Which of the following commands shows you the names of all open shared files on a server and the number of file locks on each file?

Options:

A.

Net config

B.

Net file

C.

Net share

D.

Net sessions

Question 60

While searching through a computer under investigation, you discover numerous files that appear to have had the first letter of the file name replaced by the hex code byte 5h. What does this indicate on the computer?

Options:

A.

The files have been marked as hidden

B.

The files have been marked for deletion

C.

The files are corrupt and cannot be recovered

D.

The files have been marked as read-only

Question 61

What type of equipment would a forensics investigator store in a StrongHold bag?

Options:

A.

PDAPDA?

B.

Backup tapes

C.

Hard drives

D.

Wireless cards

Question 62

Which among the following search warrants allows the first responder to get the victim’s computer information such as service records, billing records, and subscriber information from the service provider?

Options:

A.

Citizen Informant Search Warrant

B.

Electronic Storage Device Search Warrant

C.

John Doe Search Warrant

D.

Service Provider Search Warrant

Question 63

Which of the following are small pieces of data sent from a website and stored on the user’s computer by the user’s web browser to track, validate, and maintain specific user information?

Options:

A.

Temporary Files

B.

Open files

C.

Cookies

D.

Web Browser Cache

Question 64

Which of the following file contains the traces of the applications installed, run, or uninstalled from a system?

Options:

A.

Shortcut Files

B.

Virtual files

C.

Prefetch Files

D.

Image Files

Question 65

Company ABC has employed a firewall, IDS, Antivirus, Domain Controller, and SIEM. The company’s domain controller goes down. From which system would you begin your investigation?

Options:

A.

Domain Controller

B.

Firewall

C.

SIEM

D.

IDS

Question 66

Watson, a forensic investigator, is examining a copy of an ISO file stored in CDFS format. What type of evidence is this?

Options:

A.

Data from a CD copied using Windows

B.

Data from a CD copied using Mac-based system

C.

Data from a DVD copied using Windows system

D.

Data from a CD copied using Linux system

Question 67

What type of attack sends spoofed UDP packets (instead of ping packets) with a fake source address to the IP broadcast address of a large network?

Options:

A.

Fraggle

B.

Smurf scan

C.

SYN flood

D.

Teardrop

Question 68

Jason discovered a file named $RIYG6VR.doc in the C:\$Recycle.Bin\\ while analyzing a hard disk image for the deleted data. What inferences can he make from the file name?

Options:

A.

It is a doc file deleted in seventh sequential order

B.

RIYG6VR.doc is the name of the doc file deleted from the system

C.

It is file deleted from R drive

D.

It is a deleted doc file

Question 69

What will the following command accomplish in Linux?

fdisk /dev/hda

Options:

A.

Partition the hard drive

B.

Format the hard drive

C.

Delete all files under the /dev/hda folder

D.

Fill the disk with zeros

Question 70

Which of the following tool enables a user to reset his/her lost admin password in a Windows system?

Options:

A.

Advanced Office Password Recovery

B.

Active@ Password Changer

C.

Smartkey Password Recovery Bundle Standard

D.

Passware Kit Forensic

Question 71

Depending upon the jurisdictional areas, different laws apply to different incidents. Which of the following law is related to fraud and related activity in connection with computers?

Options:

A.

18 USC §1029

B.

18 USC §1030

C.

18 USC §1361

D.

18 USC §1371

Question 72

When searching through file headers for picture file formats, what should be searched to find a JPEG file in hexadecimal format?

Options:

A.

FF D8 FF E0 00 10

B.

FF FF FF FF FF FF

C.

FF 00 FF 00 FF 00

D.

EF 00 EF 00 EF 00

Question 73

Which of the following tool captures and allows you to interactively browse the traffic on a network?

Options:

A.

Security Task Manager

B.

Wireshark

C.

ThumbsDisplay

D.

RegScanner

Question 74

All Blackberry email is eventually sent and received through what proprietary RIM-operated mechanism?

Options:

A.

Blackberry Message Center

B.

Microsoft Exchange

C.

Blackberry WAP gateway

D.

Blackberry WEP gateway

Question 75

When needing to search for a website that is no longer present on the Internet today but was online few years back, what site can be used to view the website collection of pages?

Options:

A.

Proxify.net

B.

Dnsstuff.com

C.

Samspade.org

D.

Archive.org

Question 76

Which password cracking technique uses details such as length of password, character sets used to construct the password, etc.?

Options:

A.

Dictionary attack

B.

Brute force attack

C.

Rule-based attack

D.

Man in the middle attack

Question 77

Which of the following files gives information about the client sync sessions in Google Drive on Windows?

Options:

A.

sync_log.log

B.

Sync_log.log

C.

sync.log

D.

Sync.log

Question 78

Which of the following is a database in which information about every file and directory on an NT File System (NTFS) volume is stored?

Options:

A.

Volume Boot Record

B.

Master Boot Record

C.

GUID Partition Table

D.

Master File Table

Question 79

At what layer does a cross site scripting attack occur on?

Options:

A.

Presentation

B.

Application

C.

Session

D.

Data Link

Question 80

What is the default IIS log location?

Options:

A.

SystemDrive\inetpub\LogFiles

B.

%SystemDrive%\inetpub\logs\LogFiles

C.

%SystemDrive\logs\LogFiles

D.

SystemDrive\logs\LogFiles

Question 81

Casey has acquired data from a hard disk in an open source acquisition format that allows her to generate compressed or uncompressed image files. What format did she use?

Options:

A.

Portable Document Format

B.

Advanced Forensics Format (AFF)

C.

Proprietary Format

D.

Raw Format

Question 82

Law enforcement officers are conducting a legal search for which a valid warrant was obtained.

While conducting the search, officers observe an item of evidence for an unrelated crime that was not included in the warrant. The item was clearly visible to the officers and immediately identified as evidence. What is the term used to describe how this evidence is admissible?

Options:

A.

Plain view doctrine

B.

Corpus delicti

C.

Locard Exchange Principle

D.

Ex Parte Order

Question 83

The police believe that Melvin Matthew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers and Educational Institutions. They also suspect that he has been stealing, copying and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspects door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant?

Options:

A.

The Fourth Amendment

B.

The USA patriot Act

C.

The Good Samaritan Laws

D.

The Federal Rules of Evidence

Question 84

Item 2If you come across a sheepdip machine at your client site, what would you infer?

Options:

A.

A sheepdip coordinates several honeypots

B.

A sheepdip computer is another name for a honeypot

C.

A sheepdip computer is used only for virus-checking.

D.

A sheepdip computer defers a denial of service attack

Question 85

A state department site was recently attacked and all the servers had their disks erased. The incident response team sealed the area and commenced investigation. During evidence collection they came across a zip disks that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they short listed possible suspects including three summer interns. Where did the incident team go wrong?

Options:

A.

They examined the actual evidence on an unrelated system

B.

They attempted to implicate personnel without proof

C.

They tampered with evidence by using it

D.

They called in the FBI without correlating with the fingerprint data

Question 86

John is using Firewalk to test the security of his Cisco PIX firewall. He is also utilizing a sniffer located on a subnet that resides deep inside his network. After analyzing the sniffer log files, he does not see any of the traffic produced by Firewalk. Why is that?

Options:

A.

Firewalk cannot pass through Cisco firewalls

B.

Firewalk sets all packets with a TTL of zero

C.

Firewalk cannot be detected by network sniffers

D.

Firewalk sets all packets with a TTL of one

Question 87

During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding process. Therefore, you report this evidence. This type of evidence is known as:

Options:

A.

Inculpatory evidence

B.

Mandatory evidence

C.

Exculpatory evidence

D.

Terrible evidence

Question 88

What is a good security method to prevent unauthorized users from "tailgating"?

Options:

A.

Man trap

B.

Electronic combination locks

C.

Pick-resistant locks

D.

Electronic key systems

Question 89

What is kept in the following directory? HKLM\SECURITY\Policy\Secrets

Options:

A.

Cached password hashes for the past 20 users

B.

Service account passwords in plain text

C.

IAS account names and passwords

D.

Local store PKI Kerberos certificates

Question 90

Jason has set up a honeypot environment by creating a DMZ that has no physical or logical access to his production network. In this honeypot, he has placed a server running Windows Active Directory. He has also placed a Web server in the DMZ that services a number of web pages that offer visitors a chance to download sensitive information by clicking on a button. A week later, Jason finds in his network logs how an intruder accessed the honeypot and downloaded sensitive information. Jason uses the logs to try and prosecute the intruder for stealing sensitive corporate information. Why will this not be viable?

Options:

A.

Entrapment

B.

Enticement

C.

Intruding into a honeypot is not illegal

D.

Intruding into a DMZ is not illegal

Question 91

From the following spam mail header, identify the host IP that sent this spam?

From jie02@netvigator.com jie02@netvigator.com Tue Nov 27 17:27:11 2001

Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk

(8.11.6/8.11.6) with ESMTP id

fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT)

Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by

viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1)

with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT)

Message-Id: >200111270926.fAR9QXwZ018431@viruswall.ie.cuhk.edu.hk

From: "china hotel web"

To: "Shlam"

Subject: SHANGHAI (HILTON HOTEL) PACKAGE

Date: Tue, 27 Nov 2001 17:25:58 +0800 MIME-Version: 1.0

X-Priority: 3 X-MSMail-

Priority: Normal

Reply-To: "china hotel web"

Options:

A.

137.189.96.52

B.

8.12.1.0

C.

203.218.39.20

D.

203.218.39.50

Question 92

How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?

Options:

A.

128

B.

64

C.

32

D.

16

Question 93

What should you do when approached by a reporter about a case that you are working on or have worked on?

Options:

A.

Refer the reporter to the attorney that retained you

B.

Say, "no comment"

C.

Answer all the reporter’s questions as completely as possible

D.

Answer only the questions that help your case

Question 94

If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

Options:

A.

The system files have been copied by a remote attacker

B.

The system administrator has created an incremental backup

C.

The system has been compromised using a t0rnrootkit

D.

Nothing in particular as these can be operational files

Question 95

What file structure database would you expect to find on floppy disks?

Options:

A.

NTFS

B.

FAT32

C.

FAT16

D.

FAT12

Question 96

It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner?

Options:

A.

by law, three

B.

quite a few

C.

only one

D.

at least two

Question 97

In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?

Options:

A.

one who has NTFS 4 or 5 partitions

B.

one who uses dynamic swap file capability

C.

one who uses hard disk writes on IRQ 13 and 21

D.

one who has lots of allocation units per block or cluster

Question 98

What method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 sever the course of its lifetime?

Options:

A.

forensic duplication of hard drive

B.

analysis of volatile data

C.

comparison of MD5 checksums

D.

review of SIDs in the Registry

Question 99

Julia is a senior security analyst for Berber Consulting group. She is currently working on a contract for a small accounting firm in Florid a. They have given her permission to perform social engineering attacks on the company to see if their in-house training did any good. Julia calls the main number for the accounting firm and talks to the receptionist. Julia says that she is an IT technician from the company's main office in Iowa. She states that she needs the receptionist's network username and password to troubleshoot a problem they are having. Julia says that Bill Hammond, the CEO of the company, requested this information. After hearing the name of the CEO, the receptionist gave Julia all the information she asked for. What principal of social engineering did Julia use?

Options:

A.

Social Validation

B.

Scarcity

C.

Friendship/Liking

D.

Reciprocation

Question 100

Which is a standard procedure to perform during all computer forensics investigations?

Options:

A.

with the hard drive removed from the suspect PC, check the date and time in the system's CMOS

B.

with the hard drive in the suspect PC, check the date and time in the File Allocation Table

C.

with the hard drive removed from the suspect PC, check the date and time in the system's RAM

D.

with the hard drive in the suspect PC, check the date and time in the system's CMOS

Question 101

You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message?

Options:

A.

The X509 Address

B.

The SMTP reply Address

C.

The E-mail Header

D.

The Host Domain Name

Question 102

If a suspect computer is located in an area that may have toxic chemicals, you must:

Options:

A.

coordinate with the HAZMAT team

B.

determine a way to obtain the suspect computer

C.

assume the suspect machine is contaminated

D.

do not enter alone

Question 103

What type of attack occurs when an attacker can force a router to stop forwarding packets by flooding the router with many open connections simultaneously so that all the hosts behind the router are effectively disabled?

Options:

A.

digital attack

B.

denial of service

C.

physical attack

D.

ARP redirect

Question 104

What happens when a file is deleted by a Microsoft operating system using the FAT file system?

Options:

A.

only the reference to the file is removed from the FAT

B.

the file is erased and cannot be recovered

C.

a copy of the file is stored and the original file is erased

D.

the file is erased but can be recovered

Question 105

To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software. What group is actively providing tools and creating procedures for testing and validating computer forensics software?

Options:

A.

Computer Forensics Tools and Validation Committee (CFTVC)

B.

Association of Computer Forensics Software Manufactures (ACFSM)

C.

National Institute of Standards and Technology (NIST)

D.

Society for Valid Forensics Tools and Testing (SVFTT)

Page: 1 / 70
Total 704 questions