
WGU C702 Questions And Answers


WGU C702 Questions And Answers Which of the following is not an objective of computer forensics? A. Computer forensics deals with the process of finding evidence related to a digital crime to find ... the victims and prevent legal action against them. B. Computer forensics deals with the process of finding evidence related to a crime to find the culprits and initiate legal action against them. C. Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them. D. Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and avoid legal action against them. - C Which of the following is not an objective of computer forensics? A. Track and prosecute the perpetrators in a court of law. B. Identify, gather, and preserve the evidence of a cybercrime. C. Interpret, document, and present the evidence to be admissible during prosecution. D. Document vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack. - D Which of the following is true regarding the enterprise theory of investigation (ETI) ? A. It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act. B. It adopts an approach toward criminal activity as a criminal act. C. It differs from traditional investigative methods, and it is less complex and less timeconsuming. D. It encourages reactive action on the structure of the criminal enterprise. - A Forensic readiness referrers to: A. having no impact on prospects of successful legal action B. replacing the need to meet all regulatory requirements C. the establishment of specific incident response procedures and designated trained personnel to prevent a breach D. 
an organization's ability to make optimal use of digital evidence in a limited time period and with minimal investigation costs - D Which of the following is not an element of cybercrime? A. anonymity through masquerading B. fast-paced speed C. volatile evidence D. evidence smaller in size - D Which of the following is true of cyber crimes? A. Investigators, with a warrant, have the authority to forcibly seize the computing devices. B. Investigators attempt to demonstrate information to the opposite party to support the claims and induce settlement. C. The searching of the devices is based on mutual understanding and provides a wider time frame to hide the evidence. D. The claimant is responsible for the collection and analysis of the evidence. - A Which of the following is true of civil crimes? A. The initial reporting of the evidence is generally informal. B. A formal investigation report is required. C. Law enforcement agencies are responsible for collecting and analyzing evidence. D. The standards of proof need to be very high. - A Which of the following is not a consideration during a cybercrimes investigation? A. collection of clues and forensic evidence B. analysis of digital evidence C. presentation of admissible evidence D. value or cost to the victim - D Which of the following is a user-created source of potential evidence? A. address book B. printer spool C. cookies D. log files - A Which of the following is a computer-created source of potential evidence? A. bookmarks B. spreadsheet C. swap file D. steganography - C Which of the following is not where potential evidence may be located? A. digital camera B. smart card C. processor D. thumb drive - C Under which of the following conditions will duplicate evidence not suffice? A. when original evidence is destroyed in the normal course of business B. when original evidence is in possession of the originator C. when original evidence is in possession of a third party D. 
when original evidence is destroyed due to fire or flood - B Which of the following Federal Rules of Evidence governs proceedings in the courts of the United States? A. Rule 105 B. Rule 103 C. Rule 101 D. Rule 102 - C Which of the following Federal Rules of Evidence ensures that the truth may be ascertained and the proceedings justly determined? A. Rule 105 B. Rule 102 C. Rule 101 D. Rule 103 - B Which of the following Federal Rules of Evidence contains Rulings on Evidence? A. Rule 103 B. Rule 105 C. Rule 102 D. Rule 101 - A Which of the following Federal Rules of Evidence states that the court shall restrict the evidence to its proper scope and instruct the jury accordingly? A. Rule 102 B. Rule 103 C. Rule 101 D. Rule 105 - D Which of the following answers refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment in such a manner that the discovered evidence is acceptable during a legal and/or administrative proceeding in a court of law? A. disaster recovery B. incident handling C. computer forensics D. network analysis - C Computer forensics deals with the process of finding _______ related to digital crime to find the culprits and initiate legal action against them. A. insider threats B. evidence C. fraud D. malware - B Minimizing the tangible and intangible losses to the organization or an individual is considered an essential computer forensics use. A. True B. False - A Cybercrimes can be classified into the following two types of attacks, based on the line of attack. A. Fraud and Spam B. Phishing and Malware C. Internal and External - C Espionage, theft of intellectual property, manipulation of records, and Trojan horse attacks are examples of what? A. insider attacks or secondary threats B. insider attacks or primary threats C. outsider attacks or secondary threats D. 
outsider attacks or primary threats - B External attacks occur when there are inadequate information-security policies and procedures. A. True B. False - A Which type of cases involve disputes between two parties? A. civil B. investigative C. administrative D. criminal - A A computer forensic examiner can investigate any crime as long as he or she takes detailed notes and follows appropriate processes. A. True B. False - B _______ is the standard investigative model used by the FBI when conducting investigations against major criminal organizations. A. Enterprise Theory of Investigation (ETI) B. Both Enterprise Theory of Investigation (ETI) and Entrepreneur Theory of Investigation C. Entrepreneur Theory of Investigation - A Digital devices store data about sessions such as user and type of connection. A. True B. False - A Forensic readiness includes technical and non-technical actions that maximize an organization's competence to use digital evidence. A. True B. False - A Which of the following is the process of developing a strategy to address the occurrence of any security breach in the system or network? A. best evidence rule B. incident response C. security policy D. forensic readiness planning - B Codes of ethics are the principals stated to describe the expected behavior of an investigator while handling a case. Which of the following is not a principal that a computer forensic investigator must follow? A. Ensure integrity of the evidence throughout the investigation process. B. Act with utmost ethical and moral principles. C. Provide personal or prejudiced opinions. D. Act in accordance with federal statutes, state statutes, and local laws and policies. - C What must an investigator do in order to offer a good report to a court of law and ease the prosecution? A. preserve the evidence B. prosecute the evidence C. obfuscate the evidence D. authorize the evidence - A What is the role of an expert witness? A. to testify against the plaintiff B. 
to support the defense C. to evaluate the court's decisions D. to educate the public and court - D Which of the following is NOT a legitimate authorizer of a search warrant? A. magistrate B. concerned authority C. first responder D. court of law - C Under which of the following circumstances has a court of law allowed investigators to perform searches without a warrant? A. Delay in obtaining a warrant may lead to the preservation of evidence and expedite the investigation process. B. Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process. C. Expediting the process of obtaining a warrant may lead to a delay in prosecution of a perpetrator. D. Expediting the process of obtaining a warrant may lead to the timely prosecution of a perpetrator. - B Which of the following should be considered before planning and evaluating the budget for the forensic investigation case? A. use of outdated, but trusted, technologies B. breakdown of costs into daily and annual expenditure C. past success rate as a measure of value D. current media coverage of high-profile computer crimes - B Which of the following should be physical location and structural design considerations for forensics labs? A. Lightweight construction materials need to be used. B. Lab exteriors should have no windows. C. Room size should be compact with standard HVAC equipment. D. Computer systems should be visible from every angle. - B Which of the following should be work area considerations for forensics labs? A. Multiple examiners should share workspace for efficiency. B. Additional equipment such as notepads, printers, etc. should be stored elsewhere. C. Examiner station has an area of about 50-63 square feet. D. Physical computer examinations should take place in a separate workspace. - C Which of the following is NOT part of the Computer Forensics Investigation Methodology? A. testify as an expert witness B. data analysis C. testify as an expert defendant D. 
data acquisition - C Which of the following is NOT part of the Computer Forensics Investigation Methodology? A. Secure the evidence. B. Assess the evidence. C. Destroy the evidence. D. Collect the evidence. - C Investigators can immediately take action after receiving a report of a security incident. A. False B. True - A In forensics laws, "authenticating or identifying evidences" comes under which rule? A. Rule 708 B. Rule 801 C. Rule 608 D. Rule 901 - D Courts call knowledgeable persons to testify to the accuracy of the investigative process. These people who testify are known as the: A. judges B. character witnesses C. counselors D. expert witnesses - D A chain of custody is a critical document in the computer forensics investigation process because the document provides legal validation of appropriate evidence handling. A. True B. False - A Identify the following project which was launched by the National Institute of Standards and Technology (NIST), that establishes a "methodology for testing computer forensics software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware." A. Computer Forensic Tool Testing Project (CFTTP) B. Computer Forensic Hardware Project (CFHP) C. Enterprise Theory of Investigation (ETI) D. Computer Forensic Investigation Project (CFIP) - A In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case? A. evidence procedures are not important unless you work for a law enforcement agency B. evidence must be handled in the same way regardless of the type of case C. evidence in a civil case must be secured more tightly than in a criminal case D. evidence in a criminal case must be secured more tightly than in a civil case - B Which part of the Windows Registry contains the user's password file? A. HKEY_LOCAL_MACHINE B. HKEY_CURRENT_CONFIGURATION C. HKEY_USER D. 
HKEY_CURRENT_USER - C If a suspect's computer is located in an area that may have toxic chemicals, you must: A. coordinate with the HAZMAT team B. do not enter alone C. assume the suspect machine is contaminated D. determine a way to obtain the suspect computer - A Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their pervious activity. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident? A. The vulnerability exploited in the incident B. The manufacture of the system compromised C. The nature of the attack D. The logic, formatting and elegance of the code used in the attack - D What information do you need to recover when searching a victims computer for a crime committed with specific e-mail message? A. Username and password B. Firewall log C. E-mail header D. Internet service provider information - C The use of warning banners helps a company avoid litigation by overcoming an employees assumed ___________________ when connecting to the companys intranet, network, or virtual private network (VPN) and will allow the companys investigators to monitor, search, and retrieve information stored within the network. A. right of privacy B. right to Internet access C. right to work D. right of free speech - A When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the: A. Case files B. Recycle Bin C. BIOS D. MSDOS.SYS - B How many sectors will a 125 KB file use in a FAT32 file system? A. 16 B. 25 C. 256 D. 32 - C Which part of the Windows Registry contains the user's password file? A. HKEY_CURRENT_CONFIGURATION B. HKEY_USER C. HKEY_CURRENT_USER D. HKEY_LOCAL_MACHINE - B You are working as an independent computer forensics investigator and receive a call from a systems administrator for a local school system requesting your assistance. 
One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a simple backup copy of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a simple backup copy will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings? A. incremental backup copy B. full backup copy C. robust copy D. bit-stream copy - D A law enforcement officer may only search for and seize criminal evidence with ____________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists, and the evidence of the specific crime exists at the place to be searched. A. probable cause B. a preponderance of the evidence C. mere suspicion D. beyond a reasonable doubt - A To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software. What group is actively providing tools and creating procedures for testing and validating computer forensics software? A. Association of Computer Forensics Software Manufactures (ACFSM) B. Computer Forensics Tools Validation Committee (CFTVC) C. National Institute of Standards and Technology (NIST) D. Society for Valid Forensics Tools and Testing (SVFTT) - C When investigating a Windows system, it is important to view the contents of the "page" or "swap" file because: A. Windows stores all of the systems configuration information in this file B. a large volume of data can exist within the swap file of which the computer user has no knowledge C. 
this is the file that Windows uses to store the history of the last 100 commands that were run from the command line D. this is the file that Windows uses to communicate directly with the Registry - B Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their pervious activity. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident? A. The nature of the attack B. The vulnerability exploited in the incident C. The manufacture of the system compromised D. The logic, formatting and elegance of the code used in the attack - D When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk? A. a disk editor B. a firewall C. a write-blocker D. a protocol analyzer - C If you plan to startup a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive. A. CMOS B. Boot.sys C. deltree command D. Scandisk utility - A The use of warning banners helps a company avoid litigation by overcoming an employees assumed ___________________ when connecting to the company's intranet, network, or virtual private network (VPN) and will allow the company's investigators to monitor, search, and retrieve information stored within the network. A. right of free speech B. right to Internet access C. right of privacy D. right to work - C When obtaining a warrant it is important to: A. particularly describe the place to be searched and particularly describe the items to be seized B. particularly describe the place to be searched and generally describe the items to be seized C. generally describe the place to be searched and particularly describe the items to be seized D. 
generally describe the place to be searched and generally describe the items to be seized - A Printing under a windows computer normally requires which one of the following files types to be created? A. EME B. CME C. MEM D. EMF - D When you carve an image, recovering the image depends on which of the following skills? A. recognizing the pattern of the header content B. recognizing the pattern of the data content C. recognizing the pattern of a corrupt file D. recovering the image from a tape backup - A Printing under a windows computer normally requires which one of the following files types to be created? A. EMF B. EME C. CME D. MEM - A What does the superblock in Linux define? A. location of the firstinode B. file system names C. available space D. disk geometry - A If a suspect's computer is located in an area that may have toxic chemicals, you must A. determine a way to obtain the suspect computer B. coordinate with the HAZMAT team C. assume the suspect machine is contaminated D. do not enter alone - B You are working for a large clothing manufacturer as a computer forensics investigator and are called in to investigate an unusual case of an employee possibly stealing clothing designs from the company and selling them under a different brand name for a different company. What you discover during the course of the investigation is that the clothing designs are actually original products of the employee and the company has no policy against an employee selling his own designs on his own time. The only thing that you can find that the employee is doing wrong is that his clothing design incorporates the same graphic symbol as that of the company with only the wording in the graphic being different. What area of the law is the employee violating? A. copyright law B. IP Law C. patent law D. trademark law - D Which of the following is NOT a graphics file? A. Picture3.nfo B. Picture2.bmp C. Picture1.tga D. 
Picture4.psd - A From the following spam mail header, identify the host IP that sent this spam? From [email protected] [email protected] Tue Nov 27 17:27:11 2001 Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk (8.11.6/8.11.6) with ESMTP id fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT) Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1) with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT) Message-Id: >200111270926. [email protected] From: "china hotel web" To: "Shlam" Subject: SHANGHAI (HILTON HOTEL) PACKAGE Date: Tue, 27 Nov 2001 17:25:58 +0800 MIME-Version: 1.0 X-Priority: 3 X-MSMail Priority: Normal Reply-To: "china hotel web" A. 203.218.39.50 B. 203.218.39.20 C. 137.189.96.52 D. 8.12.1.0 - B You have used a newly released forensic investigation tool, which doesnt meet the Daubert Test, during a case. The case has ended-up in court. What argument could the defense make to weaken your case? A. Only the local law enforcement should use the tool B. You are not certified for using the tool C. The toolhasnt been tested by the International Standards Organization (ISO) D. The tool has not been reviewed and accepted by your peers - D When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk? A. a disk editor B. a write-blocker C. a protocol analyzer D. a firewall - B If you plan to startup a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive. A. Scandisk utility B. deltree command C. CMOS D. Boot.sys - C Jones had been trying to penetrate a remote production system for the past two weeks. This time however, he is able to get into the system. He was able to use the system for a period of three weeks. 
However law enforcement agencies were recording his every activity and this was later presented as evidence. The organization had used a virtual environment to trap Jones. What is a virtual environment? A. An environment set up after the user logs in B. A system usingTrojaned commands C. Ahoneypot that traps hackers D. An environment set up beforean user logs in - C You are working as an independent computer forensics investigator and receive a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a simple backup copy of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a simple backup copy will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings? A. incremental backup copy B. bit-stream copy C. robust copy D. full backup copy - B The offset in a hexadecimal code is: A. The 0x at the beginning of the code B. The first byte after the colon C. The last byte after the colon D. The 0x at the end of the code - A What does mactime, an essential part of the coroner's toolkit do? A. It is a tool specific to the MAC OS and forms a core component of the toolkit B. It traverses the file system and produces a listing of all files based on the modification, access and change timestamps C. The toolsscans for i-node information, which is used by other tools in the tool kit D. It can recover deleted file space and search it for data. However, it does not allow the investigator to preview them - B When examining a file with a Hex Editor, what space does the file header occupy? A. 
the first several bytes of the file B. the last several bytes of the file C. none, file headers are contained in the FAT D. one byte at the beginning of the file - A In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court? A. chain of custody B. law of probability C. rules of evidence D. policy of separation - A E-mail logs contain all but which of the following information to help you in your investigation? A. attachments sent with the e-mail message B. contents of the e-mail message C. user account that was used to send the message D. unique message identifier E. date and time the message was sent - A Microsoft Outlook maintains email messages in a proprietary format in what type of file? A. .email B. .doc C. .pst D. .mail - C You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacturer. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO? A. Trade secrets B. the attorney-work-product rule C. ISO 17799 D. Good manners - B When conducting computer forensic analysis, you must guard against _________ so that you remain focused on the primary job and insure that the level of work does not increase beyond what was originally expected. A. scope creep B. hard drive failure C. unauthorized expenses D. overzealous marketing - A Which of the following should a computer forensics investigations lab have? A. isolation B. restricted access C. open access D. an entry log - B Which of the following is NOT a digital data storage type? A. optical storage devices B. flash memory devices C. magnetic storage devices D. quantum storage devices - D Which of the following is NOT a common computer file system? A. EXT2 B. FAT32 C. EFX3 D. NTFS - C Which field type refers to the volume descriptor as a primary? A. 
Number 1 B. Number 0 C. Number 2 D. Number 3 - A Which logical drive holds the information regarding the data and files that are stored in the disk? A. primary partition B. secondary partition C. extended partition D. tertiary partition - C How large is the partition table structure that stores information about the partitions present on the hard disk? A. 32-bit B. 32-byte C. 64-bit D. 64-byte - D How many bits are used by the MBR partition scheme for storing LBAs (Logical Block Addresses) and the size information on a 512-byte sector? A. 32 B. 64 C. 256 D. 128 - A In the GUID Partition Table, which Logical Block Address contains the Partition Entry Array? A. LBA 2 B. LBA 0 C. LBA 3 D. LBA 1 - A Which of the following describes when the user restarts the system via the operating system? A. hot booting B. hard booting C. cold booting D. warm booting - D Which Windows operating system powers on and starts up using either the traditional BIOS-MBR method or the newer UEFI-GPT method? A. Windows 8 B. Windows 7 C. Windows Vista D. Windows XP - A Which item describes the following UEFI boot process phase? The phase of EFI consisting of initializing the CPU, temporary memory, and boot firmware volume (BFV); locating and executing the chapters to initialize all the found hardware in the system; and creating a Hand-Off Block List with all found resources interface descriptors. A. RT (Run Time) Phase B. DXE (Driver Execution Environment) Phase C. BDS (Boot Device Selection) Phase D. PEI (Pre-EFI Initialization) Phase - D Which of the following basic partitioning tools displays details about GPT partition tables in Windows OS? A. Gparted B. Disk Utility C. DiskPart D. Fdisk - C What stage of the Linux boot process includes the task of loading the Linux kernel and optional initial RAM disk? A. BIOS Stage B. POST Stage C. Bootloader Stage D. 
Kernel Stage - C What component of a typical FAT32 file system consists of data that the document framework uses to get to the volume and utilizes the framework parcel to stack the working portion documents? A. Reserved Area B. Data Area C. FAT Area D. Boot Sector - D Which component of the NTFS architecture is a computer system file driver for NTFS? A. Ntldlr.dll B. boot sector C. Ntfs.sys D. Master Boot Record - C What is the name of the abstract layer that resides on top of a complete file system, allows client applications to access various file systems, and consists of a dispatching layer and numerous caches? A. GNUC Library (glibc) B. Virtual File System (VFS) C. Kernel Space D. User Space - B Which information held by the superblock contains major and minor items that allow the mounting code to determine whether or not supported features are available to the file system? A. block size B. magic number C. revision level D. mount count - C Which file system used in Linux was developed by Stephen Tweedie in 2001 as a journaling file system that improves reliability of the system? A. Ext B. Ext4 C. Ext3 D. Ext2 - C How many bit values does HFS use to address allocation blocks? A. 32 B. 64 C. 16 D. 8 - C What UFS file system part is composed of a few blocks in the partition reserved at the beginning? A. super block B. cylinder groups C. data groups D. boot blocks - D What is a machine-readable language used in major digital operations, such as sending and receiving emails? A. ASCII B. .NET C. JAVA D. XML - A What is JPEG an acronym of? A. Joint Photographic Exchange Group B. Joint Photographic Experts Group C. Joint Picture Experts Group D. Joint Picture Exchange Group - B What is the proprietary Microsoft Office presentation file extension used in PowerPoint? A. PDF B. PPT C. RTF D. TXT - B Which of the following is an example of optical media? A. CD/DVD B. Flash media C. USB device D. 
Hard drive - A In Sector, addressing ________ determines the address of the individual sector on the disk. A. Clusters, Heads, and Series (CHS) B. Cylinders, Heads, and Sectors (CHS) C. Clusters, Series, and Heads (CSH) D. Logical Block Address (LBA) - B ________ is a 128-bit unique reference number used as an identifier in computer software. A. Global Unique Identifier (GUID) B. BIOS Parameter Block (BPB) C. Master Boot Record (MBR) D. Unified Extensible Firmware Interface (UEFI) - A Mac OS uses a hierarchical file system. A. False B. True - B The main advantage of RAID is that if a single physical disk fails: A. The system will isolate the defective disk. B. The operating system will protect the remaining disks. C. The system will continue to function without loss of data. D. The system will build another drive. - C The command "fsstat" displays the details associated with an image file. A. False B. True - A What is the simplest RAID level that does not involve any redundancy, and fragments the file into the user-defined stripe size of the array? A. RAID 1 B. RAID 5 C. RAID 10 D. RAID 0 - D An investigator may commit some common mistakes while collecting data from the system that result in the loss of critical evidence. Which of the following is NOT a mistake that investigators commonly make? A. poor knowledge of the instrument B. use of correct cables and cabling techniques C. choosing wrong resolution for data acquisition - B In Linux Standard Tools, forensic investigators use the following built-in Linux Commands to copy data from a disk drive: A. dc and dcfldd B. dd and dcfldd C. dd and ddfldc D. dc and ddfldc - B Because they are always changing, the information in the registers or the processor cache are the most volatile data. A. True B. False - A Forensic data duplication involves the creation of a file that has every bit of information from the source in a raw bit-stream format. A. False B. 
True - B What document is used as a written record consisting of all processes involved in seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence? A. investigation of evidence document B. chain of custody document C. written report D. description document - B What is the process of permanently deleting or destroying data from storage media? A. purge B. systems capture C. media sanitization D. disclosure - C The process of acquiring volatile data from working computers (locked or in sleep condition) that are already powered on is: A. static data acquisition B. standard data acquisition C. live data acquisition D. imaging data acquisition - C Which of the following refers to the data stored in the registries, cache, and RAM of digital devices? A. registries B. systems data C. physical memory D. volatile information - D What happens when a file is deleted by a Microsoft operating system using the FAT file system? A. a copy of the file is stored and the original file is erased B. the file is erased and cannot be recovered C. only the reference to the file is removed from the FAT D. the file is erased but can be recovered - C Jones had been trying to penetrate a remote production system for the past two weeks. This time however, he is able to get into the system. He was able to use the system for a period of three weeks. However law enforcement agencies were recording his every activity and this was later presented as evidence. The organization had used a virtual environment to trap Jones. What is a virtual environment? A. A system usingTrojaned commands B. Ahoneypot that traps hackers C. An environment set up beforean user logs in D. An environment set up after the user logs in - B You are called by an author who is writing a book and he wants to know how long the copyright for his book will last after he has the book published? A. the life of the author B. the life of the author plus 70 years C. 70 years D. 
copyrights last forever - B

If a suspect's computer is located in an area that may have toxic chemicals, you must A. coordinate with the HAZMAT team B. determine a way to obtain the suspect computer C. not enter alone D. assume the suspect machine is contaminated - A

When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time? A. in the Web Server log files B. in the DHCP Server log files C. on the individual computer's ARP cache D. there is no way to determine the specific IP address - B

What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer? A. steganography B. rootkit C. key escrow D. offset - A

While working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and is not being released to the defense? A. destroy the evidence B. bring the information to the attention of the prosecutor, his or her supervisor, or finally to the judge (court) C. present the evidence to the defense attorney D. keep the information on file for later review - B

What information do you need to recover when searching a victim's computer for a crime committed with a specific e-mail message? A. Firewall log B. Internet service provider information C. E-mail header D. Username and password - C

This is the original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive. A. Disk Operating System (DOS) B. Master File Table (MFT) C. Master Boot Record (MBR) D. File Allocation Table (FAT) - D

What file structure database would you expect to find on floppy disks? A. NTFS B. FAT12 C. FAT32 D.
FAT16 - B

When conducting computer forensic analysis, you must guard against _________ so that you remain focused on the primary job and ensure that the level of work does not increase beyond what was originally expected. A. unauthorized expenses B. overzealous marketing C. scope creep D. hard drive failure - C

Office documents (Word, Excel, PowerPoint) contain a code that allows tracking the MAC, or unique identifier, of the machine that created the document. What is that code called? A. Microsoft Virtual Machine Identifier B. Globally Unique ID C. Personal Application Protocol D. Individual ASCII String - B

While working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and is not being released to the defense? A. keep the information on file for later review B. present the evidence to the defense attorney C. destroy the evidence D. bring the information to the attention of the prosecutor, his or her supervisor, or finally to the judge (court) - D

What does the acronym POST mean as it relates to a PC? A. Pre Operational Situation Test B. Power On Self Test C. Primary Operating System Test D. Primary Operations Short Test - B

You are called in to assist the police in an investigation involving a suspected drug dealer. The suspect's house was searched by the police after a warrant was obtained, and they located a floppy disk in the suspect's bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you can use to obtain the password? A. limited force and library attack B. brute force and dictionary attack C. minimum force and appendix attack D.
maximum force and thesaurus attack - B

A law enforcement officer may only search for and seize criminal evidence with ____________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists, and the evidence of the specific crime exists at the place to be searched. A. mere suspicion B. probable cause C. beyond a reasonable doubt D. a preponderance of the evidence - B

What binary coding is used most often for e-mail purposes? A. SMTP B. IMAP C. Uuencode D. MIME - D (MIME, RFC 2045, with its base64 transfer encoding is the standard way binary content travels in e-mail; uuencode is the older, pre-MIME method.)

In the context of the file deletion process, which of the following statements holds true? A. The longer a disk is in use, the less likely it is that deleted files will be overwritten B. Secure delete programs work by completely overwriting the file in one go C. When files are deleted, the data is overwritten and the cluster marked as available D. While booting, the machine may create temporary files that can delete evidence - D

When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk? A. a write-blocker B. a disk editor C. a protocol analyzer D. a firewall - A

Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area and records the scene using visual media. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events? A. Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media B. Prepare the system for acquisition; Connect the target media; Copy the media; Secure the evidence C.
Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media D. Secure the evidence; Prepare the system for acquisition; Connect the target media; Copy the media - B

In the context of the file deletion process, which of the following statements holds true? A. When files are deleted, the data is overwritten and the cluster marked as available B. Secure delete programs work by completely overwriting the file in one go C. The longer a disk is in use, the less likely it is that deleted files will be overwritten D. While booting, the machine may create temporary files that can delete evidence - D

If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector investigation and should be referred to law enforcement. A. True B. False - A

What does the acronym POST mean as it relates to a PC? A. Power On Self Test B. Primary Operations Short Test C. Pre Operational Situation Test D. Primary Operating System Test - A

Which of the following file systems is used by Mac OS X? A. EXT2 B. HFS+ C. EFS D. NFS - B

A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation? Choose the most feasible option. A. Approach the websites for evidence B. Check the Windows registry for connection data (you may or may not recover it) C. Seek the help of co-workers who are eye-witnesses D. Image the disk and try to recover deleted files - D

This is the original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive. A. Disk Operating System (DOS) B.
Master File Table (MFT) C. Master Boot Record (MBR) D. File Allocation Table (FAT) - D

Which of the following is NOT a graphics file? A. Picture1.tga B. Picture3.nfo C. Picture4.psd D. Picture2.bmp - B

_______________________ is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. A. Event reaction B. Network forensics C. Incident response D. Computer forensics - D

If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector investigation and should be referred to law enforcement. A. True B. False - A

Volatile memory is one of the leading problems for forensics. Worms such as Code Red are memory resident and do not write themselves to the hard drive; if you turn the system off, they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory? A. Use intrusion forensic techniques to study memory resident infections B. Create a separate partition of several hundred megabytes and place the swap file there C. Use VMware to be able to capture the data in memory and examine it D. Give the operating system a minimal amount of memory, forcing it to use a swap file - C (A virtual machine's memory can be suspended or snapshotted and examined in full; a swap file only ever holds the pages the operating system chose to page out, so neither swap option captures the resident worm.)

Why should you note all cable connections for a computer you want to seize as evidence? A. to know what cable connections existed B. to know what hardware existed C. to prepare for shutting down the computer D. to document the evidence - A

What happens when a file is deleted by a Microsoft operating system using the FAT file system? A. the file is erased but can be recovered B. only the reference to the file is removed from the FAT C. the file is erased and cannot be recovered D.
a copy of the file is stored and the original file is erased - B

In conducting a computer abuse investigation, you become aware that the suspect of the investigation is using ABC Company as his Internet Service Provider (ISP). You contact the ISP and request that they provide you assistance with your investigation. What assistance can the ISP provide? A. the ISP can investigate computer abuse committed by their employees, but must preserve the privacy of their customers and therefore cannot assist you without a warrant B. the ISP can investigate anyone using their service and can provide you with assistance C. ISPs never maintain log files, so they would be of no use to your investigation D. the ISP cannot conduct any type of investigation on anyone and therefore cannot assist you - A

What should you do when approached by a reporter about a case that you are working on or have worked on? A. refer the reporter to the attorney that retained you B. answer only the questions that help your case C. say, "no comment" D. answer all the reporter's questions as completely as possible - A

You should make at least how many bit-stream copies of a suspect drive? A. 2 B. 3 C. 1 D. 4 - A

You are working as an investigator for a corporation, and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case? A. All forms should be placed in an approved secure container because they are now primary evidence in the case. B. All forms should be placed in the report file because they are now primary evidence in the case. C.
The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file. D. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container. - D

What happens when a file is deleted by a Microsoft operating system using the FAT file system? A. only the reference to the file is removed from the FAT B. a copy of the file is stored and the original file is erased C. the file is erased and cannot be recovered D. the file is erased but can be recovered - A

You are working in the Security Department of a law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken, that fake email is a possibility, and that you can prove it. You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the company's SMTP server? A. 135 B. 110 C. 10 D. 25 - D

How many characters long is the fixed-length MD5 algorithm checksum of a critical system file? A. 32 B. 48 C. 16 D. 64 - A

When reviewing web logs, you see an entry for "resource not found" in the HTTP status code field. What is the actual error code that you would see in the log for resource not found? A. 606 B. 202 C. 404 D. 909 - C

Where are deleted items stored on Windows Vista and later versions of Windows? A. Drive:\RECYCLED B. Drive:\$Recycle.Bin C. Drive:\RECYCLER D. Drive:\Recycle.Bin$ - B

Where are deleted items stored on Windows 98 and earlier versions of Windows? A. Drive:\$Recycle.Bin B. Drive:\RECYCLER C. Drive:\Recycle.Bin$ D. Drive:\RECYCLED - D

Where are deleted items stored on the Windows 2000, XP, and NT versions of Windows? A.
Drive:\RECYCLER B. Drive:\Recycle.Bin$ C. Drive:\$Recycle.Bin D. Drive:\RECYCLED - A

What is the maximum size limit for the Recycle Bin in Windows prior to Windows Vista? A. 3.99 GB B. 0 C. 3.99 MB D. None - A

Which of the following is NOT a feature of the Recover My Files tool? A. performing disk recovery after a hard disk crash B. recovering files from a network drive C. recovering from a hard drive, camera card, USB, Zip, floppy disk, or other media D. recovering files even if emptied from the Recycle Bin - B

What tool is used for format recovery, unformatting and recovering deleted files emptied from the Recycle Bin, or data lost due to partition loss or damage, software crash, virus infection, or unexpected shutdown, and supports hardware RAID? A. DiskDigger B. Quick Recovery C. EaseUS D. FileSalvage - C

Which tool undeletes and recovers lost files from hard drives, memory cards, and USB flash drives? A. EaseUS B. DiskDigger C. Drive Genius D. Quick Recovery - B

Which tool recovers files that have been lost, deleted, corrupted, or even deteriorated? A. Quick Recovery B. EaseUS C. Recover My Files D. DiskDigger - A

Which tool recovers lost data from hard drives, RAID, photographs, deleted files, iPods, and removable disks connected via FireWire or USB? A. Recover My Files B. EaseUS C. Total Recall D. DiskDigger - C

What tool scans the entire system for deleted files and folders and recovers them? A. Advanced Disk Recovery B. DiskDigger C. EaseUS D. Recover My Files - A

What tool for Mac recovers files from a crashed or virus-corrupted hard drive? A. DiskDigger B. Recover My Files C. Data Rescue 4 D. EaseUS - C

Which of the following are frequently left by criminals, assisting investigators in understanding the process of crime and the motive behind it, and allowing them to attempt to identify the person(s) who committed it? A. files B. fingerprints C. bread crumbs D.
invitations - B

In detecting rootkits, the following technique is used to compare characteristics of all system processes and executable files with a database of known rootkit fingerprints. A. Runtime Execution Path Profiling B. Integrity-Based Detection C. Cross View-Based Detection D. Signature-Based Detection - D

In anti-forensics techniques, which of the following is used to hide a secret message within an ordinary message and extract it at the destination to maintain confidentiality of data? A. decryption B. encryption C. cryptography D. steganography - D

Which of the following consists of volatile storage? A. RAM B. hard drive C. compact disc D. ROM - A

What is NOT a command used to determine logged-on users? A. net sessions B. LogonSessions C. PsLoggedOn D. LoggedSessions - D

What is NOT a command used to determine open files? A. Net file B. Openfiles C. Open files D. PsFile - C

What command is used to determine the NetBIOS name table cache in Windows? A. Nbtstat B. Netstat C. Ifconfig D. Ipconfig - A

Which tool helps collect information about network connections operative in a Windows system? A. Netstat B. Ifconfig C. Nbtstat D. Ipconfig - A

Which of the following is NOT a command used to determine running processes in Windows? A. Netstat B. Pslist C. Listdlls D. Tasklist - A

Which is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples? A. Volatile Framework B. Volatility Framework C. Volatility Extractor D. Volatile Extractor - B

The information about the system users is stored in which file? A. SAM database file B. PAT database file C. NTUSER.BAT D. NTUSER.DAT - A

The value 0 associated with the registry entry EnablePrefetcher tells the system to use which prefetch? A. Prefetching is disabled. B. Application prefetching is enabled. C. Boot prefetching is enabled. D. Both application and boot prefetching are enabled.
- A

What prefetch does value 1 from the registry entry EnablePrefetcher tell the system to use? A. Boot prefetching is enabled. B. Application prefetching is enabled. C. Both application and boot prefetching are enabled. D. Prefetching is disabled. - B

What prefetch does value 2 from the registry entry EnablePrefetcher tell the system to use? A. Boot prefetching is enabled. B. Application prefetching is enabled. C. Prefetching is disabled. D. Both application and boot prefetching are enabled. - A

What prefetch does value 3 from the registry entry EnablePrefetcher tell the system to use? A. Both application and boot prefetching are enabled. B. Application prefetching is enabled. C. Boot prefetching is enabled. D. Prefetching is disabled. - A

What tool enables you to retrieve information about event logs and publishers in Windows 10? A. Wevtutil B. Regedit C. Msconfig D. EventViewer - A

Intruders attempting to gain remote access to a system try to find the other systems connected to the network and visible to the compromised system. A. True B. False - A

________ command is used to display the network configuration of the NICs on the system. A. ipconfig /all B. ipconfig \all C. ipconfig //all D. ipconfig \\all - A

Investigators can use Linux commands to gather necessary information from the system. Identify the shell command that is used to display the kernel ring buffer or information about device drivers loaded into the kernel. A. pstree B. fsck C. stat D. dmesg - D

What are the unique identification numbers assigned to Windows user accounts for granting user access to particular resources? A. security definitions B. user access numbers C. Microsoft security ID D. Windows access number - C

In Windows event log file internals, the following file stores the events logged by Windows system components: A. Security.evtx B. Database.evtx C. System.evtx D. Application.evtx - C

Thumbnails of images remain on computers even after files are deleted. A. True B.
False - A

Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime? A. search warrant B. wire tap C. subpoena D. bench warrant - A

You are working as a computer forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm's employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do? A. inform the owner that conducting an investigation without a policy is a violation of the 4th Amendment B. inform the owner that conducting an investigation without a policy is a violation of the employees' expectation of privacy C. inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned D. inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies - B

Lance wants to place a honeypot on his network. Which of the following would be your recommendation? A. It doesn't matter, as all replies are faked B. Use a system that has dynamic addressing on the network C. Use it on a system in an external DMZ in front of the firewall D. Use a system that is not directly interacting with the router - C

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place and how events interlace. What is the name of the service used to synchronize time among multiple computers? A. Universal Time Set B. Network Time Protocol C. Time-Sync Protocol D.
SyncTime Service - B

The MD5 program is used to: A. view graphics files on an evidence drive B. wipe magnetic media before recycling it C. make directories on an evidence disk D. verify that a disk is not altered when you examine it - D

You have used a newly released forensic investigation tool, which doesn't meet the Daubert test, during a case. The case has ended up in court. What argument could the defense make to weaken your case? A. The tool hasn't been tested by the International Standards Organization (ISO) B. You are not certified for using the tool C. Only the local law enforcement should use the tool D. The tool has not been reviewed and accepted by your peers - D

When using Windows acquisition tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to A. acquire data from the host-protected area on a disk B. prevent contamination to the evidence drive C. avoid copying data from the boot partition D. automate collection from image files - B

What file structure database would you expect to find on floppy disks? A. FAT16 B. FAT12 C. FAT32 D. NTFS - B

Sectors in hard disks typically contain how many bytes? A. 512 B. 2048 C. 256 D. 1024 - A

When reviewing web logs, you see an entry for "resource not found" in the HTTP status code field. What is the actual error code that you would see in the log for resource not found? A. 909 B. 606 C. 202 D. 404 - D

This organization maintains a database of hash signatures for known software. A. International Standards Organization B. Institute of Electrical and Electronics Engineers C. American National Standards Institute D. National Software Reference Library - D

Sectors in hard disks typically contain how many bytes? A. 1024 B. 512 C. 2048 D. 256 - B

An expert witness may give an opinion if: A. to deter the witness from expanding the scope of his or her investigation beyond the requirements of the case B.
to stimulate discussion between the consulting expert and the expert witness C. the opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the ordinary experience of lay jurors D. to define the issues of the case for determination by the finder of fact - C

How many characters long is the fixed-length MD5 algorithm checksum of a critical system file? A. 64 B. 48 C. 32 D. 16 - C

What type of attack occurs when an attacker can force a router to stop forwarding packets by flooding the router with many open connections simultaneously so that all the hosts behind the router are effectively disabled? A. digital attack B. denial of service C. ARP redirect D. physical attack - B

What binary coding is used most often for e-mail purposes? A. Uuencode B. SMTP C. MIME D. IMAP - C (MIME is the standard for carrying binary content in e-mail; uuencode is the older, pre-MIME method.)

To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software. What group is actively providing tools and creating procedures for testing and validating computer forensics software? A. Computer Forensics Tools Validation Committee (CFTVC) B. National Institute of Standards and Technology (NIST) C. Society for Valid Forensics Tools and Testing (SVFTT) D. Association of Computer Forensics Software Manufacturers (ACFSM) - B

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacturer. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO? A. Trade secrets B. ISO 17799 C. the attorney work-product rule D. Good manners - C

In general, _________________ involves the investigation of data that can be retrieved from the hard disk or other disks of a computer by applying scientific methods to retrieve the data. A. computer forensics B. network forensics C. data recovery D.
disaster recovery - A

Printing under a Windows computer normally requires which one of the following file types to be created? A. EME B. CME C. MEM D. EMF - D

What is the name of the standard Linux command that is also available as a Windows application that can be used to create bit-stream images? A. dd B. mcopy C. image D. MD5 - A

Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file? A. Sector B. Slack Space C. MFT D. Metadata - B

Which part of the Windows Registry contains the user's password file? A. HKEY_LOCAL_MACHINE B. HKEY_CURRENT_USER C. HKEY_CURRENT_CONFIGURATION D. HKEY_USER - A (The SAM hive, which holds the local account password hashes, is loaded under HKEY_LOCAL_MACHINE\SAM.)

E-mail logs contain all but which of the following information to help you in your investigation? A. user account that was used to send the message B. date and time the message was sent C. contents of the e-mail message D. unique message identifier E. attachments sent with the e-mail message - E

If a suspect's computer is located in an area that may have toxic chemicals, you must A. coordinate with the HAZMAT team B. determine a way to obtain the suspect computer C. not enter alone D. assume the suspect machine is contaminated - A

Hackers can gain access to the Windows Registry and manipulate user passwords, DNS settings, access rights, or other features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (key) to the following Registry hive: A. HKEY_CURRENT_USER\Microsoft\Default B. HKEY_LOCAL_MACHINE\Hardware\Windows\Start C. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run D. HKEY_LOCAL_USER\Software\Microsoft\OldVersion\Load - C

Windows identifies which application to open a file with by examining which of the following? A. The file attributes B. The file signature at the beginning of the file C. The file signature at the end of the file D.
The file extension - D

The efforts to obtain information before a trial by demanding documents, depositions, questions and answers written under oath, written requests for admissions of fact, and examination of the scene is a description of what legal term? A. Discovery B. Spoliation C. Detection D. Hearsay - A

If you plan to start up a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive. A. deltree command B. Scandisk utility C. CMOS D. Boot.sys - C

How many characters long is the fixed-length MD5 algorithm checksum of a critical system file? A. 32 B. 64 C. 48 D. 16 - A

You have used a newly released forensic investigation tool, which doesn't meet the Daubert test, during a case. The case has ended up in court. What argument could the defense make to weaken your case? A. You are not certified for using the tool B. The tool has not been reviewed and accepted by your peers C. Only the local law enforcement should use the tool D. The tool hasn't been tested by the International Standards Organization (ISO) - B

Which of the following file systems is used by Mac OS X? A. HFS+ B. EFS C. EXT2 D. NFS - A

While working for a prosecutor, what should you do if the evidence you found appears to be exculpatory and is not being released to the defense? A. destroy the evidence B. bring the information to the attention of the prosecutor, his or her supervisor, or finally to the judge (court) C. present the evidence to the defense attorney D. keep the information on file for later review - B

In Microsoft file structures, sectors are grouped together to form A. drives B. clusters C. partitions D. bitstreams - B

In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court? A. law of probability B. rules of evidence C. policy of separation D.
chain of custody - D

When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time? A. there is no way to determine the specific IP address B. in the DHCP Server log files C. in the Web Server log files D. on the individual computer's ARP cache - B

Hackers can gain access to the Windows Registry and manipulate user passwords, DNS settings, access rights, or other features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (key) to the following Registry hive: A. HKEY_LOCAL_USER\Software\Microsoft\OldVersion\Load B. HKEY_LOCAL_MACHINE\Hardware\Windows\Start C. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run D. HKEY_CURRENT_USER\Microsoft\Default - C

What should you do when approached by a reporter about a case that you are working on or have worked on? A. refer the reporter to the attorney that retained you B. answer only the questions that help your case C. answer all the reporter's questions as completely as possible D. say, "no comment" - A

You have completed a forensic investigation case. You would like to destroy the data contained in various hard disks at the forensics lab due to the sensitivity of the case. How would you permanently erase the data on the hard disks? (Recovery of data should be impossible.) A. Smash the hard disk with a hammer B. Throw the hard disk into the fire C. Format the hard disk multiple times using a low-level disk utility D. Run powerful magnets over the hard disk E. Overwrite the contents of the hard disk with junk data - B

You are assigned to work in the computer forensics lab of a state police agency. While working on a high-profile criminal case, you have followed every applicable procedure; however, your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab.
What can you do to prove that the evidence is the same as it was when it first entered the lab? A. make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab B. sign a statement attesting that the evidence is the same as it was when it entered the lab C. there is no reason to worry about this possible claim because state labs are certified D. make an MD5 hash of the evidence and compare it to the standard database developed by NIST - A

What type of file is represented by a colon (:) with a name following it in the Master File Table (MFT) of an NTFS disk? A. an encrypted file B. a data stream file (an NTFS alternate data stream) C. a reserved file D. a compressed file - B

Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file? A. Metadata B. MFT C. Slack Space D. Sector - C

You are working as a computer forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm's employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do? A. inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies B. inform the owner that conducting an investigation without a policy is a violation of the 4th Amendment C. inform the owner that conducting an investigation without a policy is a violation of the employees' expectation of privacy D. inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned - C

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized.
Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers? A. Universal Time Set B. SyncTime Service C. Network Time Protocol D. Time-Sync Protocol - C

You have completed a forensic investigation case. You would like to destroy the data contained in various hard disks at the forensics lab due to the sensitivity of the case. How would you permanently erase the data on the hard disks? (Recovery of data should be impossible) A. Overwrite the contents of the hard disk with junk data B. Format the hard disk multiple times using a low-level disk utility C. Smash the hard disk with a hammer D. Run powerful magnets over the hard disk E. Throw the hard disk into the fire - E

One way to identify the presence of hidden partitions on a suspect's hard drive is to: A. it is not possible to have hidden partitions on a hard drive B. examine the FAT and identify hidden partitions by noting an H in the Partition Type field C. add up the total size of all known partitions and compare it to the total size of the hard drive D. examine the LILO and note an H in the Partition Type field - C

What type of file is represented by a colon (:) with a name following it in the Master File Table (MFT) of an NTFS disk? A. a reserved file B. an encrypted file C. a compressed file D. a data stream file - D

Sectors in hard disks typically contain how many bytes? A. 512 B. 2048 C. 256 D. 1024 - A

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case? A. evidence procedures are not important unless you work for a law enforcement agency B. evidence in a civil case must be secured more tightly than in a criminal case C.
evidence must be handled in the same way regardless of the type of case D. evidence in a criminal case must be secured more tightly than in a civil case - C

What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer? A. offset B. rootkit C. steganography D. key escrow - C

You are working in the Security Department of a law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken and that fake email is a possibility and that you can prove it. You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the company's SMTP server? A. 25 B. 10 C. 135 D. 110 - A

As a CHFI professional, which of the following is the most important to your professional reputation? A. The correct, successful management of each and every case B. The fee that you charge C. Your certifications D. The friendship of local law enforcement officers - A

How many characters long is the fixed-length MD5 algorithm checksum of a critical system file? A. 16 B. 64 C. 32 D. 48 - C

How many sectors will a 125 KB file use in a FAT32 file system? A. 256 B. 32 C. 25 D. 16 - A

Jason is the security administrator of ACMA metal Corporation. One day he notices that the company's Oracle database server has been compromised and the customer information along with financial data has been stolen. The financial loss will be in millions of dollars if the database gets into the hands of the competitors. Jason wants to report this crime to the law enforcement agencies immediately. Which organization coordinates computer crimes investigations throughout the United States? A.
CERT Coordination Center B. Internet Fraud Complaint Center C. National Infrastructure Protection Center D. Local or national office of the U.S. Secret Service - C

With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________. A. 2 B. 0 C. 10 D. 1 - B

In Microsoft file structures, sectors are grouped together to form A. drives B. clusters C. partitions D. bitstreams - B

What file structure database would you expect to find on floppy disks? A. FAT12 B. NTFS C. FAT16 D. FAT32 - A

E-mail logs contain all but which of the following information to help you in your investigation? A. contents of the e-mail message B. attachments sent with the e-mail message C. unique message identifier D. date and time the message was sent E. user account that was used to send the message - B

You are working for a large clothing manufacturer as a computer forensics investigator and are called in to investigate an unusual case of an employee possibly stealing clothing designs from the company and selling them under a different brand name for a different company. What you discover during the course of the investigation is that the clothing designs are actually original products of the employee and the company has no policy against an employee selling his own designs on his own time. The only thing that you can find that the employee is doing wrong is that his clothing design incorporates the same graphic symbol as that of the company with only the wording in the graphic being different. What area of the law is the employee violating? A. patent law B. copyright law C. IP Law D. trademark law - D

You are called by an author who is writing a book and he wants to know how long the copyright for his book will last after he has the book published. A. 70 years B. the life of the author C. copyrights last forever D.
the life of the author plus 70 years - D

The use of warning banners helps a company avoid litigation by overcoming an employee's assumed ___________________ when connecting to the company's intranet, network, or virtual private network (VPN) and will allow the company's investigators to monitor, search, and retrieve information stored within the network. A. right to work B. right to Internet access C. right of privacy D. right of free speech - C

Which of the following filesystems is used by Mac OS X? A. EFS B. NFS C. HFS+ D. EXT2 - C

When obtaining a warrant it is important to: A. generally describe the place to be searched and generally describe the items to be seized B. generally describe the place to be searched and particularly describe the items to be seized C. particularly describe the place to be searched and particularly describe the items to be seized D. particularly describe the place to be searched and generally describe the items to be seized - C

Why should you note all cable connections for a computer you want to seize as evidence? A. to prepare for shutting down the computer B. to document the evidence C. to know what cable connections existed D. to know what hardware existed - C

When examining a file with a Hex Editor, what space does the file header occupy? A. one byte at the beginning of the file B. the first several bytes of the file C. none, file headers are contained in the FAT D. the last several bytes of the file - B

Which of the following should a computer forensics investigations lab have? A. an entry log B. restricted access C. isolation D. open access - B

Which is a standard procedure to perform during all computer forensics investigations? A. with the hard drive in the suspect PC, check the date and time in the File Allocation Table B. with the hard drive in the suspect PC, check the date and time in the system's CMOS C. with the hard drive removed from the suspect PC, check the date and time in the system's RAM D.
with the hard drive removed from the suspect PC, check the date and time in the system's CMOS - D

When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time? A. on the individual computer's ARP cache B. in the DHCP Server log files C. there is no way to determine the specific IP address D. in the Web Server log files - B

Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime? A. wire tap B. search warrant C. subpoena D. bench warrant - B

You are called in to assist the police in an investigation involving a suspected drug dealer. The suspect's house was searched by the police after a warrant was obtained and they located a floppy disk in the suspect's bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you can use to obtain the password? A. maximum force and thesaurus attack B. minimum force and appendix attack C. brute force and dictionary attack D. limited force and library attack - C

The use of warning banners helps a company avoid litigation by overcoming an employee's assumed ___________________ when connecting to the company's intranet, network, or virtual private network (VPN) and will allow the company's investigators to monitor, search, and retrieve information stored within the network. A. right of free speech B. right to work C. right to Internet access D. right of privacy - D

What information do you need to recover when searching a victim's computer for a crime committed with a specific e-mail message? A. E-mail header B. Firewall log C. Internet service provider information D. Username and password - A

When investigating a potential e-mail crime, what is your first step in the investigation? A. Trace the IP address to its origin B.
Determine whether a crime was actually committed C. Recover the evidence D. Write a report - A

When investigating a potential e-mail crime, what is your first step in the investigation? A. Write a report B. Trace the IP address to its origin C. Recover the evidence D. Determine whether a crime was actually committed - B

You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents. Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer? A. dir B. strsearch C. grep D. grem - C

In general, _________________ involves the investigation of data that can be retrieved from the hard disk or other disks of a computer by applying scientific methods to retrieve the data. A. disaster recovery B. network forensics C. data recovery D. computer forensics - D

What is the name of the standard Linux command that is also available as a Windows application that can be used to create bit-stream images? A. mcopy B. image C. dd D. MD5 - C

_______________________ is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. A. Computer forensics B. Network forensics C. Incident response D. Event reaction - A

When you carve an image, recovering the image depends on which of the following skills? A. recovering the image from a tape backup B. recognizing the pattern of a corrupt file C. recognizing the pattern of the header content D. recognizing the pattern of the data content - C

What is NOT one of the three tiers a log management infrastructure typically comprises? A. log generation B. log monitoring C. log rotation D. log analysis and storage - C

Which is NOT a log management system function? A. log reduction B. log generation C. log compression D. log conversion - B

What is NOT one of the three major concerns regarding log management?
A. log viewing B. log protection and availability C. log analysis D. log creation and storage - A

Which is a type of network-based attack? A. eavesdropping B. spamming C. social engineering D. phishing - A

Which attack does NOT directly lead to unauthorized access? A. spoofing B. denial-of-service C. sniffing D. man-in-the-middle - B

How can an attacker exploit a network? A. through wired or wireless connections B. through special cables C. through wireless connections only D. through wired connections only - A

What is the primary reason for forensic investigators to examine logs? A. to gain an insight into events that occurred in the affected devices/network B. to record their own access to the device C. to make notes of critical events because logs are not admissible as evidence D. to begin collecting information for a crime in progress - A

Which is true about the transport layer in the TCP/IP model? A. It is the backbone for data flow between two devices in a network. B. It is the lowest layer in the TCP/IP model. C. It includes protocols with HTTP, FTP, SMTP, and DNS. D. It is located between the network access layer and the internet layer. - A

What is an ongoing process that returns results simultaneously so that the system or operators can respond to attacks immediately? A. postmortem B. premortem C. past-time analysis D. real-time analysis - D

Which of the following is an internal network vulnerability? A. enumeration B. eavesdropping C. spoofing D. bottleneck - D

Which attack is specific to wireless networks? A. jamming signal attack B. man-in-the-middle attack C. denial-of-service D. password-based attacks - A

Where can congressional security standards and guidelines be found, along with an emphasis for federal agencies to develop, document, and implement organization-wide programs for information security? A. HIPAA B. FISMA C. GLBA D.
PCI DSS - B

What requires companies that offer financial products or services to protect customer information against security threats? A. HIPAA B. PCI DSS C. FISMA D. GLBA - D

Which of the following includes security standards for health information? A. FISMA B. PCI DSS C. GLBA D. HIPAA - D

What is the act passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations? A. SOX B. GLBA C. FISMA D. PCI DSS - A

What is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards? A. SOX B. PCI DSS C. GLBA D. FISMA - B

In what type of forensic examination do investigators perform an examination of logs to detect something that has already occurred in a network/device and determine what it is? A. systems B. real-time C. postmortem D. log file - C

Which are the most common network attacks launched against wireless networks? A. router attacks B. buffer overflow C. AP MAC spoofing D. IP address spoofing - C

In Event Correlation Approaches, which approach is used to monitor the computers' and computer users' behavior and provide an alert if something anomalous is found? A. Bayesian correlation B. vulnerability-based approach C. role-based approach D. route correlation - C

The investigator uses which of the following commands to view the ARP table in Windows? A. arp .a B. arp -a C. arp // D. arp /all - B

Which is NOT an indication of a web attack? A. network performance being unusually slow B. access denied to normally available web services C. web pages redirected to an unknown website D. logs found to have no known anomalies - D

Which is a threat to web applications? A. secure storage B. validated input C. cookie poisoning D.
error handling - C

What layer of web application architecture includes all the web appliances, such as smartphones and PCs, where interaction with a web application deployed on a web server occurs? A. business layer B. client layer C. database layer D. web server layer - B

What layer of web application architecture contains components that parse the request (HTTP Request Parser) coming in and forward the response back? A. client layer B. database layer C. web server layer D. business layer - C

What layer of web application architecture is responsible for the core functioning of the system and includes logic and applications, such as .NET, used by developers to build websites according to client requirements? A. client layer B. web server layer C. database layer D. business layer - D

What layer of web application architecture is composed of cloud services that hold all commercial transactions and a server that supplies an organization's production data in a structured form? A. client layer B. database layer C. web server layer D. business layer - B

Which web application threat occurs when the application fails to guard memory properly and allows writing beyond maximum size? A. information leakage B. SQL injection C. cookie poisoning D. buffer overflow - D

Which web application threat refers to the modification of a website's remnant data for bypassing security measures or gaining unauthorized information? A. cookie poisoning B. SQL injection C. buffer overflow D. information leakage - A

Which web application threat occurs when an attacker is allowed to gain access as a legitimate user to a web application or data such as account records, credit card numbers, passwords, or other authenticated information? A. buffer overflow B. cookie poisoning C. information leakage D. insecure storage - D

Which web application threat refers to a drawback in a web application where it unintentionally reveals sensitive data to an unauthorized user? A. cookie poisoning B.
SQL injection C. information leakage D. buffer overflow - C

Which web application threat arises when a web application is unable to handle technical issues properly and the website returns information, such as database dumps, stack traces, and codes? A. SQL injection B. cookie poisoning C. buffer overflow D. improper error handling - D

Which web application threat refers to vulnerable management functions, including user updates, recovery of passwords, or resetting passwords? A. SQL injection B. broken account management C. cookie poisoning D. buffer overflow - B

Which web application threat occurs when attackers exploit HTTP, gain access to unauthorized directories, and execute commands outside the web server's root directory? A. cookie poisoning B. directory traversal C. buffer overflow D. SQL injection - B

Which web application threat occurs when attackers insert commands via input data and are able to tamper with the data? A. buffer overflow B. SQL injection C. denial-of-service D. cookie poisoning - B

Which web application threat occurs when attackers intend to manipulate the communication exchanged between the client and server to make changes in application data? A. buffer overflow B. cookie poisoning C. SQL injection D. parameter tampering - D

Which web application threat is a method intended to terminate website or server operations by making resources unavailable to clients? A. cookie poisoning B. denial-of-service C. SQL injection D. buffer overflow - B

Which web application threat occurs when attackers tamper with the URL, HTTP requests, headers, hidden fields, form fields, or query strings? A. unvalidated input B. buffer overflow C. SQL injection D. cookie poisoning - A

Which web application threat occurs when attackers bypass the client's ID security mechanisms, gain access privileges, and inject malicious scripts into specific fields in web pages? A. buffer overflow B. cookie poisoning C. SQL injection D.
cross-site scripting - D

Which web application threat occurs when attackers insert malicious code, commands, or scripts into the input gates of web applications, enabling the applications to interpret and run the newly supplied malicious input? A. SQL injection B. buffer overflow C. cookie poisoning D. injection flaws - D

Which web application threat occurs when an authenticated user is forced to perform certain tasks on the web application chosen by an attacker? A. buffer overflow B. cross-site request forgery C. SQL injection D. cookie poisoning - B

Which web application threat occurs when attackers identify a flaw, bypass authentication, and compromise the network? A. SQL injection B. buffer overflow C. broken access control D. cookie poisoning - C

Which supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP? A. web server B. Windows Server C. logs D. Internet Information Server (IIS) - D

On Windows Server 2012, by default, the IIS log files are stored at which of the following locations? A. %SystemDrive%\inetpub\Logs\LogFiles B. %SystemDrive%\PerfLogs\LogFiles C. %SystemDrive%\inetpub\LogFiles D. %SystemDrive%\PerfLogs\Logs\LogFiles - A

Which of the following is a web analytics solution for small and medium-sized websites? A. root cause analyzer B. deep log analyzer C. forensic analyzer D. event appreciation, event formulation, event including, root cause analysis - B

Which command is used to find whether TCP and UDP ports have unusual listeners? A. netstat -na B. netstat -s C. netstat -ns D. netstat -n - A

What type of file is represented by a colon (:) with a name following it in the Master File Table (MFT) of an NTFS disk? A. a reserved file B. a compressed file C. a data stream file D. an encrypted file - C

From the following spam mail header, identify the host IP that sent this spam.
From [email protected] [email protected] Tue Nov 27 17:27:11 2001
Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk (8.11.6/8.11.6) with ESMTP id fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT)
Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1) with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT)
Message-Id: >[email protected]
From: "china hotel web"
To: "Shlam"
Subject: SHANGHAI (HILTON HOTEL) PACKAGE
Date: Tue, 27 Nov 2001 17:25:58 +0800
MIME-Version: 1.0
X-Priority: 3
X-MSMail Priority: Normal
Reply-To: "china hotel web"

A. 137.189.96.52 B. 203.218.39.50 C. 8.12.1.0 D. 203.218.39.20 - D

Before you are called to testify as an expert, what must an attorney do first? A. qualify you as an expert witness B. read your curriculum vitae to the jury C. prove that the tools you used to conduct your examination are perfect D. engage in damage control - A

When a file is deleted by Windows Explorer or through the MS-DOS Delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database. A. the lowercase Greek letter sigma (s) B. a capital X C. a blank space D. the underscore symbol (_) - A

When reviewing web logs, you see an entry for resource not found in the HTTP status code field. What is the actual error code that you would see in the log for resource not found? A. 202 B. 909 C. 404 D. 606 - C

In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court? A. rules of evidence B. chain of custody C. policy of separation D. law of probability - B

An employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess.
The information was stored on the employee's computer that was protected with the NTFS Encrypted File System (EFS) and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the employee before he leaves the building and recover the floppy disk and secure his computer. Will you be able to break the encryption so that you can verify that the employee was in possession of the proprietary information? A. EFS uses a 128-bit key that cannot be cracked, so you will not be able to recover the information. B. The EFS Revoked Key Agent can be used on the computer to recover the information. C. When the encrypted file was copied to the floppy disk, the EFS private key was also copied to the floppy disk, so you can recover the information. D. When the encrypted file was copied to the floppy disk, it was automatically unencrypted, so you can recover the information. - D

From the following spam mail header, identify the host IP that sent this spam.

From [email protected] [email protected] Tue Nov 27 17:27:11 2001
Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk (8.11.6/8.11.6) with ESMTP id fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT)
Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1) with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT)
Message-Id: >[email protected]
From: "china hotel web"
To: "Shlam"
Subject: SHANGHAI (HILTON HOTEL) PACKAGE
Date: Tue, 27 Nov 2001 17:25:58 +0800
MIME-Version: 1.0
X-Priority: 3
X-MSMail Priority: Normal
Reply-To: "china hotel web"

A. 203.218.39.50 B. 137.189.96.52 C. 203.218.39.20 D. 8.12.1.0 - C

An expert witness may give an opinion if: A. the opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the ordinary experience of lay jurors B.
to deter the witness from expanding the scope of his or her investigation beyond the requirements of the case C. to stimulate discussion between the consulting expert and the expert witness D. to define the issues of the case for determination by the finder of fact - A

What does the acronym POST mean as it relates to a PC? A. Power-On Self Test B. Pre Operational Situation Test C. Primary Operating System Test D. Primary Operations Short Test - A

When obtaining a warrant it is important to: A. generally describe the place to be searched and particularly describe the items to be seized B. particularly describe the place to be searched and particularly describe the items to be seized C. generally describe the place to be searched and generally describe the items to be seized D. particularly describe the place to be searched and generally describe the items to be seized - B

A state department site was recently attacked and all the servers had their hard disks erased. The incident response team sealed the area and commenced investigation. During evidence collection, they came across a zip disk that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they shortlisted possible suspects including three summer interns. Where did the incident team go wrong? A. They examined the actual evidence on an unrelated system B. They tampered with the evidence by using it C. They attempted to implicate personnel without proof D. They called in the FBI without correlating with the fingerprint data - B

You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized.
You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case? A. The recycle bin B. The metadata C. The swap file D. The registry - C

One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example, changing a .jpg extension to a .doc extension so that a picture file appears to be a document. What can an investigator examine to verify that a file has the correct extension? A. the file header B. the file footer C. the File Allocation Table D. the sector map - A

This organization maintains a database of hash signatures for known software: A. Institute of Electrical and Electronics Engineers B. International Standards Organization C. American National Standards Institute D. National Software Reference Library - D

During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact-finding process. Therefore you report this evidence. This type of evidence is known as: A. Exculpatory evidence B. Terrible evidence C. Inculpatory evidence D. Mandatory evidence - A

To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software. What group is actively providing tools and creating procedures for testing and validating computer forensics software? A. Computer Forensics Tools Validation Committee (CFTVC) B. National Institute of Standards and Technology (NIST) C. Association of Computer Forensics Software Manufacturers (ACFSM) D. Society for Valid Forensics Tools and Testing (SVFTT) - B

When investigating a Windows system, it is important to view the contents of the "page" or "swap" file because: A.
Windows stores all of the system's configuration information in this file B. this is the file that Windows uses to store the history of the last 100 commands that were run from the command line C. a large volume of data can exist within the swap file of which the computer user has no knowledge D. this is the file that Windows uses to communicate directly with the Registry - C

What does the superblock in Linux define? A. file system names B. disk geometry C. location of the first inode D. available space - C

The __________________________ refers to handing over the results of private investigations to the authorities because of indications of criminal activity. A. Locard Exchange Principle B. Clark Standard C. Silver-Platter Doctrine D. Kelly Policy - C

Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks? A. Host-based IDS systems (HIDS) B. Anomaly detection C. Network-based IDS systems (NIDS) D. Signature recognition - B

Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area and records the scene using visual media. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events? A. Prepare the system for acquisition; Connect the target media; Copy the media; Secure the evidence B. Secure the evidence; Prepare the system for acquisition; Connect the target media; Copy the media C. Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media D.
Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media - A

Corporate investigations are typically easier than public investigations because A. the investigator has to get a warrant B. the users have standard corporate equipment and software C. the users can load whatever they want on their machines D. the investigator does not have to get a warrant - D

What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer? A. offset B. rootkit C. steganography D. key escrow - C

A(n) _____________________ is one that is performed by a computer program rather than the attacker manually performing the steps in the attack sequence. A. blackout attack B. central processing attack C. automated attack D. distributed attack - C

What does the superblock in Linux define? A. location of the first inode B. file system names C. disk geometry D. available space - A

While working for a prosecutor, what do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense? A. keep the information on file for later review B. bring the information to the attention of the prosecutor, his or her supervisor or finally to the judge (court) C. present the evidence to the defense attorney D. destroy the evidence - B

To preserve digital evidence, an investigator should _____________________. A. only store the original evidence item B. make a single copy of each evidence item using an approved imaging tool C. make two copies of each evidence item using different imaging tools D. make two copies of each evidence item using a single imaging tool - C

You should make at least how many bit-stream copies of a suspect drive? A. 3 B. 2 C. 1 D. 4 - B

Chris has been called upon to investigate a hacking incident reported by one of his clients.
The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area and records the scene using visual media. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events? A. Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media B. Prepare the system for acquisition; Connect the target media; Copy the media; Secure the evidence C. Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media D. Secure the evidence; Prepare the system for acquisition; Connect the target media; Copy the media - B

You are called in to assist the police in an investigation involving a suspected drug dealer. The suspect's house was searched by the police after a warrant was obtained, and they located a floppy disk in the suspect's bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you can use to obtain the password? A. maximum force and thesaurus attack B. limited force and library attack C. minimum force and appendix attack D. brute force and dictionary attack - D

If a suspect's computer is located in an area that may have toxic chemicals, you must A. determine a way to obtain the suspect computer B. coordinate with the HAZMAT team C. do not enter alone D. assume the suspect machine is contaminated - B

You have been asked to investigate after a user has reported a threatening e-mail they've received from an external source. Which of the following are you most interested in when trying to trace the source of the message? A. The E-mail Header B. The X509 address C. The Host Domain Name D.
The SMTP reply address - A

Law enforcement officers are conducting a legal search for which a valid warrant was obtained. While conducting the search, officers observe an item of evidence for an unrelated crime that was not included in the warrant. The item was clearly visible to the officers and immediately identified as evidence. What is the term used to describe how this evidence is admissible? A. corpus delicti B. Locard Exchange Principle C. Ex Parte Order D. plain view doctrine - D

A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation? Choose the most feasible option. A. Seek the help of co-workers who are eye-witnesses B. Check the Windows registry for connection data (You may or may not recover) C. Image the disk and try to recover deleted files D. Approach the websites for evidence - C

Office documents (Word, Excel, PowerPoint) contain a code that allows tracking the MAC, or unique identifier, of the machine that created the document. What is that code called? A. Personal Application Protocol B. Individual ASCII String C. Microsoft Virtual Machine Identifier D. Globally Unique ID - D

When conducting computer forensic analysis, you must guard against _________ so that you remain focused on the primary job and ensure that the level of work does not increase beyond what was originally expected. A. hard drive failure B. scope creep C. unauthorized expenses D. overzealous marketing - B

What does the acronym POST mean as it relates to a PC? A. Pre Operational Situation Test B. Primary Operations Short Test C. Primary Operating System Test D.
PowerOn Self Test - D

Sectors in hard disks typically contain how many bytes? A. 1024 B. 256 C. 2048 D. 512 - D

An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet. A. anti-magnetic B. magnetic C. logical D. optical - D

Which of the three different files storing data and logs in SQL servers holds the entire log information associated with the database? A. MDF B. PDF C. LDF D. NDF - C

Which of the three different files storing data and logs in SQL servers is optional? A. MDF B. PDF C. NDF D. LDF - C

What file format is used by Windows Vista and later versions to store event logs as simple text files in XML format? A. TXTX B. EVTX C. .txt D. .log - B

What type of forensics takes action when a security incident has occurred and both detection and analysis of the malicious activities performed by criminals over the SQL database file are required? A. data file forensics B. primary data file C. data forensics D. MSSQL forensics - D

For Forensic Analysis, which of the following MySQL Utility Programs is used to export metadata, data, or both from one or more databases? A. mysqldatabase B. mysqldbexport C. mysqldbdata D. mysqldbmeta - B

Which command line utility is used to take a backup of the database? A. mysqlbackup B. mysqldbdump C. mysqldump D. mysqldatabase - C

Which of the three different files storing data and logs in SQL servers is the starting point of a database and points to other files in the database? A. LDF B. MDF C. PDF D. NDF - B

What cloud service offers a platform for developing applications and services? A. IaaS B. SaaS C. PaaS D.
AaaS - C

What cloud service enables subscribers to use fundamental IT resources—such as computing power, virtualization, data storage, network, etc.—on demand? A. PaaS B. AaaS C. SaaS D. IaaS - D

What cloud service offers application software to subscribers on demand or over the internet and is charged for by the provider on a pay-per-use basis, by subscription, by advertising, or by sharing among multiple users? A. PaaS B. AaaS C. SaaS D. IaaS - C

Which of the following is also known as an internal or corporate cloud and is a cloud infrastructure that a single organization operates? A. hybrid cloud B. community cloud C. public cloud D. private cloud - D

What is a cloud environment composed of two or more clouds that remain unique entities but are bound together to offer the benefits of multiple deployment models? A. private cloud B. community cloud C. hybrid cloud D. public cloud - C

Which cloud environment is a multi-tenant infrastructure shared among organizations with common computing concerns, such as security, regulatory compliance, performance requirements, and jurisdiction? A. hybrid cloud B. private cloud C. public cloud D. community cloud - D

Which cloud environment allows the provider to make services—such as applications, servers, and data storage—available to the public over the internet? A. public cloud B. hybrid cloud C. private cloud D. community cloud - A

Which of the following stakeholders includes professionals—such as cloud security architects, network administrators, security administrators, and ethical hackers—responsible for managing and maintaining all aspects of the cloud? A. law advisors B. incident handlers C. investigators D. IT professionals - D

Which of the following stakeholders is responsible for conducting forensic examinations against allegations made regarding wrongdoings, found vulnerabilities, and attacks over the cloud? A. IT professionals B. investigators C. incident handlers D.
law advisors - B

Which of the following stakeholders are the first responders for all the security events or occurrences taking place on a cloud? A. IT professionals B. investigators C. incident handlers D. law advisors - C

Which of the following stakeholders are responsible for making sure all the forensic activities are within the jurisdiction and not violating any regulations or agreements? A. incident handlers B. law advisors C. IT professionals D. investigators - B

What type of cloud testing should organizations perform regularly to monitor their security posture? A. deployment B. installations C. pen testing D. cloning - C

On-demand ________ is a type of service rendered by cloud service providers that allows provisioning of cloud resources such as computing power, storage, network, and so on—always on demand, without the need for human interaction with service providers. A. full service B. a la carte C. self-service D. catering - C

Identify the following Cloud computing services that enable subscribers to use fundamental IT resources such as computing power, virtualization, data storage, network, and so on—on demand. A. Infrastructure-as-a-Service (IaaS) B. Platform-as-a-Service (PaaS) C. Software-as-a-Service (SaaS) - A

On Windows 10 OS, by default, the Google Drive Client is installed at which of the following locations? A. C:\Program Files (x86)\Google\Drive B. C:\ProgramData\Google\Drive C. C:\Program Files\Drive D. C:\Google\Drive - A

Which of the following is a disadvantage of a private cloud? A. lack of control B. expense C. security is not guaranteed D. difficulty achieving data compliance - B

What is a common technique used to distribute malware on the web by injecting malware into legitimate looking websites to trick users into selecting them? A. click-jacking B. malvertising C. drive-by downloads D.
Blackhat SEO - A

What is a common technique used to distribute malware on the web with tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated keywords to get higher search-engine ranking for malware pages? A. drive-by downloads B. Blackhat SEO C. click-jacking D. malvertising - B

What is a common technique used to distribute malware on the web by mimicking legitimate institutions in an attempt to steal passwords, credit cards, and bank account data? A. drive-by downloads B. spear phishing sites C. Blackhat SEO D. malvertising - B

What is a common technique used to distribute malware on the web by embedding malware-laden advertisements in authentic online advertising channels to spread onto systems of unsuspecting users? A. malvertising B. compromised websites C. drive-by downloads D. Blackhat SEO - A

What is a common technique used to distribute malware on the web when an attacker exploits flaws in browser software to install malware just by merely visiting a website? A. Blackhat SEO B. click-jacking C. drive-by downloads D. malvertising - C

When a reputable website is infected with malware that secretly installs itself on a visitor's system and thereafter carries out malicious activities, it is an example of which common technique used by hackers to distribute malware? A. compromised legitimate websites B. spear phishing sites C. social engineering D. malvertising - A

Why is it safe to conduct static analysis? A. The process is necessary. B. The file used is a copy. C. Forensic analysts know software. D. The investigator does not install or execute the suspect file. - D

In Port Monitoring, the following command is used to look for connections established to unknown or suspicious IP addresses. A. netstat -an B. netstat -sL C. netstat -ns D. netstat -sn - A

What is NOT one of CAN-SPAM's main requirements for senders? A. The commercial email must be identified as an ad. B. Honor recipients' opt-out request within 30 business days. C.
Do not use false or misleading header information. D. The email must have your valid physical postal address. - B

Which is a violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act? A. accessing someone else's computer to send spam mails with permission B. taking advantage of open relays or open proxies with permission C. using legitimate information to register for multiple email accounts or domain names D. retransmitting spam messages through a computer to mislead others about the origin of the message - D

What is the first step an investigator should take to carry out the on-site examination of an email server? A. seize the computers and email accounts suspected to be involved. B. seize the email accounts by changing the existing password of the email account. C. obtain a search warrant application in the appropriate language. D. conduct a forensics test on the permitted equipment. - C

What is the primary information required for starting an email investigation? A. the unique message B. the unique IP address C. the SMTP log D. the date and time - B

What is NOT true of email crimes? A. Forging the email header can hide the attacker's identity. B. Unsolicited commercial email is considered spam. C. Communication can occur without human intervention. D. Email crime is not limited by the email organization. - D

Which RFC defines normal email communication? A. RFC 5422 B. RFC 5322 C. RFC 2050 D. RFC 2525 - B

Which of the following is an internet protocol that's designed for transmitting email over IP networks? A. Internet Message Access Protocol (IMAP) server B. TCP / IP C. Simple Mail Transfer Protocol (SMTP) D. Post Office Protocol Version 3 (POP3) Server - C

Where do email archives store received and sent emails? A. on the internet B. on the mail server C. in the cache file D. on the system hard drive - D

An email client connects with a POP3 server via which of the following? A. Port 111 B. Port 101 C. Port 110 D.
Port 011 - C

You are working as a computer forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm's employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do? A. inform the owner that conducting an investigation without a policy is a violation of the 4th Amendment B. inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies C. inform the owner that conducting an investigation without a policy is a violation of the employee's expectation of privacy D. inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned - C

You are working as a computer forensics investigator for a corporation on a computer abuse case. You discover evidence that shows the subject of your investigation is also embezzling money from the company. The company CEO and the corporate legal counsel advise you to contact local law enforcement and provide them with the evidence that you have found. The law enforcement officer that responds requests that you put a network sniffer on your network and monitor all traffic to the subject's computer. You inform the officer that you will not be able to comply with that request because doing so would: A. cause network congestion B. write information to the subject's hard drive C. violate your contract D. make you an agent of law enforcement - D

The police believe that Mevin Matthew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers, and educational institutions.
They also suspect that he has been stealing, copying, and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspect's door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant? A. the Federal Rules of Evidence B. the Fourth Amendment C. the USA Patriot Act D. the Good Samaritan Laws - B

You are assisting in the investigation of a possible Web Server hack. The company who called you stated that customers reported to them that whenever they entered the web address of the company in their browser, what they received was a pornographic web site. The company checked the web server and nothing appears wrong. When you type in the IP address of the web site in your browser everything appears normal. What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those servers directing users to the wrong web site? A. ARP Poisoning B. IP Spoofing C. HTTP redirect attack D. DNS Poisoning - D

When examining a file with a Hex Editor, what space does the file header occupy? A. the first several bytes of the file B. none, file headers are contained in the FAT C. one byte at the beginning of the file D. the last several bytes of the file - A

You should make at least how many bit-stream copies of a suspect drive? A. 3 B. 4 C. 2 D. 1 - C

You have completed a forensic investigation case. You would like to destroy the data contained in various hard disks at the forensics lab due to the sensitivity of the case. How would you permanently erase the data on the hard disks? (Recovery of data should be impossible) A. Run powerful magnets over the hard disk B. Smash the hard disk with a hammer C. Throw the hard disk into the fire D. Overwrite the contents of the hard disk with junk data E.
Format the hard disk multiple times using a low level disk utility - C

When a file is deleted by Windows Explorer or through the MS-DOS Delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database. A. the underscore symbol (_) B. a capital X C. the lowercase Greek letter sigma (s) D. a blank space - C

Microsoft Outlook maintains email messages in a proprietary format in what type of file? A. .email B. .doc C. .mail D. .pst - D

Volatile memory is one of the leading problems for forensics. Worms such as Code Red are memory resident and do not write themselves to the hard drive; if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory? A. Use intrusion forensic techniques to study memory resident infections B. Create a separate partition of several hundred megabytes and place the swap file there C. Use VMware to be able to capture the data in memory and examine it D. Give the operating system a minimal amount of memory, forcing it to use a swap file - B

You are assigned to work in the computer forensics lab of a state police agency. While working on a high profile criminal case, you have followed every applicable procedure; however, your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab? A. make an MD5 hash of the evidence and compare it to the standard database developed by NIST B. there is no reason to worry about this possible claim because state labs are certified C. sign a statement attesting that the evidence is the same as it was when it entered the lab D.
make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab - D

You are a computer forensics investigator working with a local police department and you are called to assist in an investigation of threatening emails. The complainant has printed out 27 email messages from the suspect and gives the printouts to you. You inform her that you will need to examine her computer because you need access to the ___________________________ in order to track the emails back to the suspect. A. firewall log B. email headers C. routing table D. configuration files - B

With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________. A. 2 B. 0 C. 1 D. 10 - B

What should you do when approached by a reporter about a case that you are working on or have worked on? A. answer all the reporter's questions as completely as possible B. say, "no comment" C. refer the reporter to the attorney that retained you D. answer only the questions that help your case - C

A state department site was recently attacked and all the servers had their hard disks erased. The incident response team sealed the area and commenced investigation. During evidence collection, they came across a zip disk that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they short listed possible suspects including three summer interns. Where did the incident team go wrong? A. They attempted to implicate personnel without proof B. They called in the FBI without correlating with the fingerprint data C. They examined the actual evidence on an unrelated system D. They tampered with the evidence by using it - D

In the context of the file deletion process, which of the following statements holds true? A.
Secure delete programs work by completely overwriting the file in one go B. While booting, the machine may create temporary files that can delete evidence C. The longer a disk is in use, the less likely it is that deleted files will be overwritten D. When files are deleted, the data is overwritten and the cluster marked as available - B

When a file is deleted by Windows Explorer or through the MS-DOS Delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database. A. a blank space B. the underscore symbol (_) C. the lowercase Greek letter sigma (s) D. a capital X - C

To preserve digital evidence, an investigator should _____________________. A. only store the original evidence item B. make two copies of each evidence item using a single imaging tool C. make a single copy of each evidence item using an approved imaging tool D. make two copies of each evidence item using different imaging tools - D

When investigating a Windows system, it is important to view the contents of the "page" or "swap" file because: A. this is the file that Windows uses to store the history of the last 100 commands that were run from the command line B. Windows stores all of the system's configuration information in this file C. this is the file that Windows uses to communicate directly with the Registry D. a large volume of data can exist within the swap file of which the computer user has no knowledge - D

Jones had been trying to penetrate a remote production system for the past two weeks. This time, however, he is able to get into the system. He was able to use the system for a period of three weeks. However, law enforcement agencies were recording his every activity and this was later presented as evidence. The organization had used a virtual environment to trap Jones. What is a virtual environment? A. A honeypot that traps hackers B. An environment set up before a user logs in C. A system using Trojaned commands D.
An environment set up after the user logs in - A

The __________________________ refers to handing over the results of private investigations to the authorities because of indications of criminal activity. A. Kelly Policy B. Silver-Platter Doctrine C. Locard Exchange Principle D. Clark Standard - B

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers? A. SyncTime Service B. Network Time Protocol C. Universal Time Set D. Time-Sync Protocol - B

The police believe that Mevin Matthew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers, and educational institutions. They also suspect that he has been stealing, copying, and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspect's door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant? A. the Good Samaritan Laws B. the Fourth Amendment C. the Federal Rules of Evidence D. the USA Patriot Act - B

_______________________ is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. A. Event reaction B. Incident response C. Computer forensics D. Network forensics - C

Printing under a Windows computer normally requires which one of the following file types to be created? A. CME B. EME C. MEM D.
EMF - D

Which is a standard procedure to perform during all computer forensics investigations? A. with the hard drive in the suspect PC, check the date and time in the system's CMOS B. with the hard drive in the suspect PC, check the date and time in the File Allocation Table C. with the hard drive removed from the suspect PC, check the date and time in the system's CMOS D. with the hard drive removed from the suspect PC, check the date and time in the system's RAM - C

You are working in the Security Department of a law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken and that fake email is a possibility and that you can prove it. You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the company's SMTP server? A. 135 B. 10 C. 110 D. 25 - D

Which of the following should a computer forensics investigations lab have? A. restricted access B. open access C. an entry log D. isolation - A

You have been asked to investigate after a user has reported a threatening e-mail they've received from an external source. Which of the following are you most interested in when trying to trace the source of the message? A. The E-mail Header B. The SMTP reply address C. The X509 address D. The Host Domain Name - A

Which is a standard procedure to perform during all computer forensics investigations? A. with the hard drive removed from the suspect PC, check the date and time in the system's RAM B. with the hard drive removed from the suspect PC, check the date and time in the system's CMOS C. with the hard drive in the suspect PC, check the date and time in the system's CMOS D.
with the hard drive in the suspect PC, check the date and time in the File Allocation Table - B

When using Windows acquisition tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to A. avoid copying data from the boot partition B. automate collection from image files C. prevent contamination to the evidence drive D. acquire data from the host-protected area on a disk - C

In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court? A. chain of custody B. law of probability C. rules of evidence D. policy of separation - A

The MD5 program is used to: A. make directories on an evidence disk B. view graphics files on an evidence drive C. wipe magnetic media before recycling it D. verify that a disk is not altered when you examine it - D

Which of the following filesystems is used by Mac OS X? A. NFS B. EXT2 C. EFS D. HFS+ - D

One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example, changing a .jpg extension to a .doc extension so that a picture file appears to be a document. What can an investigator examine to verify that a file has the correct extension? A. the sector map B. the file header C. the File Allocation Table D. the file footer - B

As a CHFI professional, which of the following is the most important to your professional reputation? A. The fee that you charge B. The friendship of local law enforcement officers C. Your certifications D. The correct, successful management of each and every case - D

When you carve an image, recovering the image depends on which of the following skills? A. recovering the image from a tape backup B. recognizing the pattern of the header content C. recognizing the pattern of a corrupt file D.
recognizing the pattern of the data content - B

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacturer. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO? A. Good manners B. the attorney-work-product rule C. ISO 17799 D. Trade secrets - B

The rule of thumb when shutting down a system is to pull the power plug. However, it has certain drawbacks. Which of the following would that be? A. All running processes will be lost B. Any data not yet flushed to the system will be lost C. Power interruption will corrupt the pagefile D. The /tmp directory will be flushed - A

You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data. What method would be most efficient for you to acquire digital evidence from this network? A. make a bit-stream disk-to-disk file B. make a bit-stream disk-to-image file C. create a compressed copy of the file with DoubleSpace D. create a sparse data copy of a folder or file - D

nnnn represents A. the initials of the forensic analyst B. the sequential number of the exhibits seized by the investigator C. the sequential level of investigative process D. the sequence number for parts of the same exhibit - B

Shamika is the VP of Technology at XYZ, Inc. She suspects that her newest employee, David, may be using his work computer to look at child pornography. What type of investigation(s) should be started? A. Civil B. Criminal and Civil C. Administrative and Civil D. Criminal and Administrative - D

The Master Boot Record (MBR) starts at this sector. A. sector 32 B. sector 8 C. sector 1 D. sector 0 - D

Johnny has been with the DEA for 17 years. He shows up on the scene and notices the suspect's computer is turned on. After securing the scene, Johnny should: A.
Leave the computer on and document the scene. B. Turn the computer off and document the scene. C. Turn the computer off and unplug the power cords. D. Pull the power cord and place the computer in an anti-static box. - A

This rule governs proceedings in the courts of the United States. A. Rule 622 B. Rule 493 C. Rule 101 D. Rule 103 - C

In UEFI SEC, this is initialized. A. code B. SEC_boot C. MBR D. HOBL - A

Tools involved in Hashing include all of the following EXCEPT: A. SuperHasher B. HashCalc C. MD5 Calculator D. HashMyFiles - A

An internal investigation, undertaken by an organization, to determine if employees are following rules and/or policies is called. A. Administrative B. Civil C. Criminal D. Frye - A

These determine the sector addressing for individual sectors on a disk. A. Heads, Sectors, and Tracks (HST). B. Cylinders, Heads, and Sectors (CHS). C. Clusters, Cylinders, and Tracks (CCT). D. Clusters, Heads, and Sectors (CHS). - B

Which Windows version boots in either UEFI-GPT or BIOS-MBR? A. Vista B. 10 C. 7 D. XP - B

This is the smallest physical storage unit on the hard disk platter. A. platter B. sector C. cluster D. track - B

This command can be used to obtain details about partitions. A. Get-GPT-Partition B. Get-PartitionTable C. Get-GPT D. Get-detailsPartition - B

This is wasted area of the disk cluster, lying between the end of the file and end of the cluster. A. Slack space B. Stream space C. Recycled space D. Spare space - A

In exhibit numbering, the aaa is: A. The initials of the individual seizing the equipment B. The sequential number of exhibits C. The sequence number for parts of the same exhibit D. The investigator's badge number - A

The FBI is investigating Sally for hacking her school's network. What type of warrant should they obtain in order to search and seize Sally's personal laptop? A. Powerless warrant B. Felony warrant C. Federal warrant D.
Electronic storage device warrant - D A Digital Forensic Investigator investigates this type of crime (choose the best answer). A. Narcotics B. Gang violence C. Crime not involving computers D. Digital Crime - D John is a forensic investigator working on a case for a WHC hospital. John finds a USB drive sitting behind an access control door in the server room. The hospital provides John access to retrieve the device. John knows that the USB represents: A. a cluster B. volatile data C. a partition D. non-volatile data - D System time is an example of non-volatile data. A. True B. False - B This is a tool for Mac that can be used to recover files from crashed or virus corrupted hard drives. A. Total Recall B. Recover My Files C. File Salvage D. Data Recovery Pro - C The zz in exhibit numbering stands for: A. The date of the evidence collection B. The date of evidence seizure C. The investigator's initials D. The sequence number for parts of the same exhibit - D A warrantless seizure of digital evidence is used when: A. The destruction of evidence is non-imminent and there is no cause to believe that the item being seized constitutes evidence of criminal activity. B. The destruction of evidence is imminent and there is cause to believe that the item being seized constitutes evidence of criminal activity. C. The destruction of evidence is imminent and there is no cause to believe that the item being seized constitutes evidence of criminal activity. D. The destruction of evidence is non-imminent and there is cause to believe that the item being seized constitutes evidence of criminal activity. - B Jennifer is studying for her CHFI exam and knows that the MBR is: A. 64 bytes B. 512 bytes C. 256 bytes D. 128 bytes - B The GUID has this number of hexadecimal digits, with groups separated by hyphens. A. 64 B. 128 C. 512 D. 32 - D This is a network sniffer that can support several hundred network protocols. A. Capsa B. Snort C. Cain & Abel D. 
Recuva - A Sara is an Assistant U.S. Attorney. She knows that this rule covers the general admissibility of relevant evidence. A. Rule 402 B. Rule 804 C. Rule 701 D. Rule 502 - A What does ETI stand for? A. Elite and Tactical Investigation Team B. Enterprise Theory of Investigation C. Extra-Technology Investigator D. Enterprise Technology Investigator - B All of these are a part of the Pre-investigation phase EXCEPT: A. Acquiring the evidence B. Securing the perimeter C. Setting up the CFL D. Building the investigation team - A Phil is a digital forensic investigator that needs to obtain information from a suspect's service provider about billing records and subscriber information. What type of warrant would Phil need to obtain in this case? A. Search warrant B. Service provider search warrant C. Electronic storage device warrant D. Felony warrant - B Sectors are how many bytes long. A. 128 B. 32 C. 256 D. 512 - D Circular, metal disks mounted into the drive enclosure are called: A. Tracks B. Platters C. Plates D. Clusters - B A computer forensics lab should have windows all around the perimeter. A. True B. False - B The MBR signature is always: A. 0x55AA B. hw66ax C. 0xssAA D. AA0xss - A UTC stands for: A. Universal Time to Compute figures B. Universal Computer Time C. Coordinated Universe Timing D. Coordinated Universal Time - D 18 USC §1030 covers: A. malicious mischief B. misleading domain activity C. fraud and related activity in connection with computers D. child pornography - C A deposition is different from a regular trial in that: A. The jury is present B. Both attorneys are present C. A judge is present D. Both the judge and jury are present - B Randill, Inc has initiated an informal evidence collection process. Which type of investigation usually has an informal process for evidence collection? A. Criminal B. NV Investigation C. Civil D. Administrative - C Keira is an investigator with the FBI that needs to recover lost files from a USB flash drive. 
Which tool can help her do this? A. Tripwire B. R-Studio C. Disk Digger D. Capsa - C This rule involves rulings on evidence. A. Rule 101 B. Rule 107 C. Rule 103 D. Rule 104 - C Before acquiring evidence, the digital forensic investigator should always (choose the BEST answer): A. Email the judge B. Obtain a search warrant the specifies exactly what evidence can be collected C. Obtain a warrant D. Call for backup - B The SWGDE 1.1 standard maintains that agencies seizing or examining digital evidence must do this. A. Maintain written copies of the technical procedures. B. Maintain an appropriate SOP document. C. Review the SOP every 6 months. D. Evaluate damages of each security breach. - B All investigators keep track of the evidence path by using the: A. evidence progression document B. chain of custody document C. exhibit numbering standard D. evidence path document - B Sandra needs to see details about GPT partition tables in Mac OS. Which tool should she use? A. Disk Digger B. Recover My Files C. VFS D. Disk Utility - D This Federal statute covers child pornography. A. 18 USC §20000AB B. 18 USC §2252B C. 18 USC §2252A D. Texas Penal Code §2281 - C Rule 1003 covers: A. admissibility of original evidence B. admissibility of other evidence C. admissibility of duplicates D. definitions - C There are this many bits for storing Logical Block Addresses (LBAs) on the Master Boot Record (MBR). A. 128 B. 90 C. 64 D. 32 - D Disk Density is calculated with: A. Track, area, and Bit density B. Cylinder circumference, area density, and Cluster density C. Cluster, area, and track density D. Bit, area, and cluster density - A For a router, the investigator should: A. unplug the network cable from the router B. leave the router at the site as it does not contain any evidence C. cut the power cord with a 3b72 knife D. search the closest PC for the router password - A Tasha is looking for the UEFI phase that involves clearing UEFI from memory. A. RT B. BSD C. SEC D. 
DXE - A The GUID is how many bits? A. 512 B. 256 C. 128 D. 64 - C This person provides legal advice about the investigation and any potential legal issues in the forensic investigation process. A. Investigator B. Attorney C. Photographer D. Incident responder - B What is considered the biggest threat to mobile devices? A. data integrity threat B. data loss C. mobile malware D. social engineering attack - B Which architectural layer of mobile device environments represents any program that runs on the Android platform? A. client application B. GUI API C. phone API D. communication API - A Which architectural layer of mobile device environments simplifies the process of interacting with web services and other applications such as email, internet, and SMS? A. phone API B. communication API C. client application D. GUI API - B Which architectural layer of mobile device environments is responsible for creating menus and sub-menus in designing applications? A. client application B. GUI API C. communication API D. phone API - B Which architectural layer of mobile device environments provides telephony services related to the mobile carrier operator such as making calls, receiving calls, and SMS? A. client application B. phone API C. GUI API D. communication API - B Which architectural layer of mobile device environments offers utilities for scheduling multiple tasks, memory management tasks, synchronization, and priority allocation? A. client application B. GUI API C. operating system D. communication API - C Which architectural layer of mobile device environments contains items that are responsible for mobile operations—such as a display device, keypad, RAM, flash, embedded processor, and media processor? A. hardware B. operating system C. client application D. communication API - A Which architectural layer of mobile device environments allows a mobile device to communicate with the network? A. GUI API B. operating system C. network D. 
client application - C What operating system was Android based on? A. Linux B. Mac C. iOS D. Windows - A Identify which code can be used to obtain the International Mobile Equipment Identifier (IMEI) number on a mobile phone. A. *06# B. #*06* C. *#06# D. #*06# - C Which of the following is a unique 32-bit identifier recorded on a secure chip in a mobile phone by the manufacturer? A. International Mobile Equipment Identifier (IMEI) B. Subscriber Identity Module C. Electronic Serial Number (ESN) D. Integrated Circuit Card Identification - C The mobile forensics investigation team should consist of persons who have expertise in responding, seizing, collecting, and reporting the evidence from the mobile devices. A. False B. True - B How should expert witnesses conduct themselves while presenting testimony to any court or attorney? A. Never pay a compliment to the jury. B. Maintain a relaxed body expression. C. Avoid leaning and develop self-confidence. D. Always be unenthusiastic while giving testimony. - C Which statement is correct about who attends a trial or deposition? A. Both jury and judge are present in a deposition. B. Both attorneys are present in a deposition. C. No attorneys are present in a trial. D. Only the judge is present in a deposition. - B Which of the following standards is a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases? A. Frye Standard B. Both Frye Standard and Daubert Standard C. Daubert Standard - A The main objective of a cybercrime investigation is to identify which of the following? A. IP addresses of criminals B. evidence and facts C. malware D. crimes - B Which of the following Perl scripts will help an investigator to access the executable image of a process? A. Lspi.pl B. Lspd.pl C. Lspm.pl D. Lpsn.pl - A An expert witness is a ________ who is normally appointed by a party to assist in the formulation and preparation of a party's claim or defense. A. subject matter specialist B. 
expert in criminal investigation C. witness present at the crime scene D. expert law graduate appointed by attorney - A Which Event Correlation Approach checks and compares all the fields systematically and intentionally for positive and negative correlation with each other to determine the correlation across one or multiple fields? A. graph-based approach B. rule-based approach C. field-based approach D. automated field correlation - D An executive had leaked the company trade secrets through an external drive. What process should the investigation team take if they could retrieve his system? A. postmortem analysis B. real-time analysis C. malware analysis D. packet analysis - A Which of the following attacks allows an attacker to access restricted directories, including application source code and configuration and critical system files, and execute commands outside of the web server's root directory? A. directory traversal B. unvalidated input C. parameter/form tampering D. security misconfiguration - A A small law firm located in the Midwest has possibly been breached by a computer hacker who was looking to obtain information on their clientele. The law firm does not have any on-site IT employees but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended? A. Searching can change date/time stamps B. Searching could possibly crash the machine or device C. Searching creates cache files that would hinder the investigation D. Searching for evidence themselves would not have any ill effects. - A Adam, a forensic investigator, is investigating an attack on the Microsoft Exchange Server of a large organization. As the first step of the investigation, he examined the PRIV.EDB file and found the source from where the mail originated and the name of the file that disappeared upon execution. Now, he wants to examine the MIME stream content. Which of the following files is he going to examine? A. 
PRIV.EDB B. PUB.EDB C. PRIV.STM D. gwcheck.db - C Which of the following email headers specifies an address for mailer-generated errors, like "no such user" bounce messages (instead of the sender's address)? A. Errors-To header B. Content-Transfer-Encoding header C. MIME-Version header D. Content-Type header - A Which among the following laws emphasizes the need for each federal agency to develop, document, and implement an organization-wide program to provide information security for the information systems that support its operations and assets? A. FISMA B. GLBA C. HIPAA D. SOX - A Jacob is a computer forensics investigator with over 10 years of experience in investigations and has written over 50 articles on computer forensics. He has been called upon as a qualified witness to testify the accuracy and integrity of the technical log files gathered in an investigation into computer fraud. What is the term used for Jacob's testimony in this case? A. justification B. authentication C. reiteration D. certification - B Sniffers that place NICs in promiscuous mode work at what layer of the OSI model? A. Transport B. Network C. Physical D. Session - C Which among the following is an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations? A. FISMA B. GLBA C. HIPAA D. SOX - D Which among the following search warrants allows the first responder to search and seize the victim's computer components such as hardware, software, storage devices, and documentation? A. John Doe search warrant B. electronic storage device search warrant C. service provider search warrant D. citizen informant search warrant - B Depending upon the jurisdictional areas, different laws apply to different incidents. Which of the following laws is related to fraud and related activity in connection with computers? A. 18 U.S.C. § 1029 B. 18 U.S.C. § 1030 C. 18 U.S.C. § 1361 D. 18 U.S.C. 
§ 1371 - B Which rule requires an original recording to be provided to prove the content of a recording? A. 1003 B. 1005 C. 1004 D. 1002 - D Madison is on trial for allegedly breaking into her university's internal network. The police raided her dorm room and seized all of her computer equipment. Madison's lawyer is trying to convince the judge that the seizure was unfounded and baseless. Which U.S. amendment is Madison's lawyer trying to prove the police violated? A. the First Amendment B. the Fourth Amendment C. the Fifth Amendment D. the Tenth Amendment - B The surface of a hard disk consists of several concentric rings known as tracks; each of these tracks has smaller partitions called disk blocks. What is the size of each block? A. 256 bits B. 256 bytes C. 512 bits D. 512 bytes - D Which MySQL log file contains information on server start and stop? A. general query log file B. slow query log file C. server error log file D. binary log - C Ivanovich, a forensics investigator, is trying to extract complete information about running processes from a system. Where should he look apart from the RAM and virtual memory? A. files and documents B. application data C. swap space D. slack space - C Stephen is checking an image using Compare Files by The Wizard, and he sees the file signature is shown as FF D8 FF E1. What is the file type of the image? A. JPEG B. PNG C. GIF D. BMP - A Hard disk data addressing is a method of allotting addresses to each ________ of data on a hard disk. A. logical block B. operating system block C. hard disk block D. physical block - D In which implementation of RAID will the image of a Hardware RAID volume be different from the image taken separately from the disks? A. The images will always be identical because data is mirrored for redundancy. B. RAID 1 C. RAID 0 D. It will always be different. - C NTFS uses less slack space than FAT, thus having reduced potential to hide data in the slack space. This is because: A. 
NTFS has lower cluster size space. B. FAT is an older and inefficient file system. C. NTFS is a journaling file system. D. FAT does not index files. - A You are working as an independent computer forensics investigator and receive a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the internet to a PC in the computer lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a "simple backup copy" of the hard drive in the PC and put it on this drive, and requests that you examine the drive for evidence of the suspected images. You inform him that a "simple backup copy" will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings? A. bit-stream copy B. robust copy C. full backup copy D. incremental backup copy - A When analyzing logs, it is important that the clocks on the devices on the network are synchronized. Which protocol will help in synchronizing these clocks? A. PTP B. NTP C. Time Protocol D. UTC - B Examination of a computer by a technically unauthorized person will almost always result in: A. rendering any evidence found admissible in a court of law B. the chain of custody being fully maintained C. completely accurate results of the examination D. rendering any evidence found inadmissible in a court of law - D Which of the following is NOT a responsibility of the first responder? A. Share the collected information to determine the root cause. B. Determine the severity of the incident. C. Collect as much information about the incident as possible. D. Document the findings. - A Which of the following is NOT a first response procedure? A. Preserve volatile data. B. Take photos. C. Crack passwords. D. Fill forms. 
- C Which of the following commands shows you the username and IP address used to access the system via a remote login session and the type of client from which they are accessing the system? A. net stat B. net config C. net share D. net sessions - D Which of the following is NOT a part of the pre-investigation phase? A. building forensics workstation B. gathering information about the incident C. gathering evidence data D. creating an investigation team - C Which network attack is described by the following statement? "At least five major Russian banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries." A. DDoS B. buffer overflow C. man-in-the-middle attack D. sniffer attack - A A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation? Choose the most feasible option. A. image the disk and try to recover deleted files B. seek the help of coworkers who are eyewitnesses C. check the Windows registry for connection data (you may or may not recover) D. approach the websites for evidence - A Which of the following registry components includes offsets to other cells as well as the LastWrite time for the key? A. security descriptor cell B. value list cell C. key cell D. value cell - C Gill is a computer forensics investigator who has been called upon to examine a seized computer. This computer, according to the police, was used by a hacker who gained access to numerous banking institutions to steal customer information. 
After preliminary investigations, Gill finds in the computer's log files that the hacker was able to gain access to these banks through the use of Trojan horses. The hacker then used these Trojan horses to obtain remote access to the companies' domain controllers. From this point, Gill found that the hacker pulled off the SAM files from the domain controllers to then attempt to crack network passwords. What is the most likely password-cracking technique used by this hacker to break the user passwords from the SAM files? A. hybrid attack B. brute-force attack C. dictionary attack D. syllable attack - B The Recycle Bin exists as a metaphor for throwing files away, but it also allows a user to retrieve and restore files. Once the file is moved to the recycle bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle Bin? A. INFO2 B. INFO1 C. LOGINFO2 D. LOGINFO1 - A Rusty, a computer forensics apprentice, uses the command nbtstat -c while analyzing the network information in a suspect system. What information is he looking for? A. network connections B. contents of the network routing table C. contents of the NetBIOS name cache D. status of the network carrier - C Which of the following files stores information about a local Google Drive installation, such as user email ID, local sync root path, and client version installed? A. sync_config.db B. filecache.db C. sigstore.db D. config.db - A Which password-cracking technique uses details such as length of the password, character sets used to construct the password, etc.? A. brute-force attack B. dictionary attack C. rule-based attack D. man-in-the-middle attack - C What is the purpose of using Obfuscator in malware? A. execute malicious code in the system B. avoid encryption while passing through a VPN C. propagate malware to other connected devices D. 
avoid detection by security mechanisms - D Which file is a sequence of bytes organized into blocks understandable by the system's linker? A. object file B. executable file C. source file D. none of these - A Which of the following tools creates a bit-by-bit image of an evidence media? A. Recuva B. AccessData FTK Imager C. FileMerlin D. Xplico - B Which of the following tools enables a user to reset his or her lost admin password in a Windows system? A. SmartKey Password Recovery Bundle Standard B. Passware Kit Forensic C. Active@ Password Changer D. Advanced Office Password Recovery - C Which of the following is a tool to reset a Windows admin password? A. TestDisk for Windows B. Windows Password Recovery Bootdisk C. R-Studio D. Windows Data Recovery Software - B Which of the following Windows-based tools displays who is logged onto a computer, either locally or remotely? A. Tokenmon B. Process Monitor C. PSLoggedon D. TCPView - C Which of the following application password cracking tools can discover all passwordprotected items on a computer and decrypts them? A. TestDisk for Windows B. Windows Password Recovery Bootdisk C. Passware Kit Forensic D. R-Studio - C Charles has accidentally deleted an important file while working on his Mac computer. He wants to recover the deleted file, as it contains some of his crucial business secrets. Which of the following tools will help Charles? A. Xplico B. FileSalvage C. Colasoft's Capsa D. DriveSpy - B Which of the following is an iOS jailbreaking tool? A. Towelroot B. Kingo Android ROOT C. One Click Root D. Redsn0w - D Answer the following 50 questions to see your results. Question 48 of 50 Which of the following tools enables data acquisition and duplication? A. DriveSpy B. Wireshark C. Xplico D. Colasoft's Capsa - A Which of the following tools is used to locate IP addresses? A. Deep Log Analyzer B. SmartWhois C. Towelroot D. XRY LOGICAL - B Which of the following tools can reverse machine code to assembly language? A. 
IDA Pro B. RAM Capturer C. PEiD D. Deep Log Analyzer - A An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet. A. anti-magnetic B. magnetic C. logical D. optical - D You are working as computer forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firms employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do? A. inform the owner that conducting an investigation without a policy is a violation of the 4th Amendment B. inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies C. inform the owner that conducting an investigation without a policy is a violation of the employees expectation of privacy D. inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned - C You are working as a computer forensics investigator for a corporation on a computer abuse case. You discover evidence that shows the subject of your investigation is also embezzling money from the company. The company CEO and the corporate legal counsel advise you to contact local law enforcement and provide them with the evidence that you have found. The law enforcement officer that responds requests that you put a network sniffer on your network and monitor all traffic to the subjects computer. You inform the officer that you will not be able to comply with that request because doing so would: A. cause network congestion B. write information to the subjects hard drive C. 
violate your contract D. make you an agent of law enforcement - D The police believe that Mevin Matthew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers, and educational institutions. They also suspect that he has been stealing, copying, and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspects door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant? A. the Federal Rules of Evidence B. the Fourth Amendment C. theUSA Patriot Act D. the Good Samaritan Laws - B You are assisting in the investigation of a possible Web Server hack. The company who called you stated that customers reported to them that whenever they entered the web address of the company in their browser, what they received was a pornographic web site. The company checked the web server and nothing appears wrong. When you type in the IP address of the web site in your browser everything appears normal. What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those servers directing users to the wrong web site? A. ARP Poisoning B. IP Spoofing C. HTTP redirect attack D. DNS Poisoning - D When examining a file with a Hex Editor, what space does the file header occupy? A. the first several bytes of the file B. none, file headers are contained in the FAT C. one byte at the beginning of the file D. the last several bytes of the file - A You should make at least how many bit-stream copies of a suspect drive? A. 3 B. 4 C. 2 D. 1 - C You have completed a forensic investigation case. You would like to destroy the data contained in various hard disks at the forensics lab due to sensitivity of the case. How would you permanently erase the data on the hard disks? 
(Recovery of data should be impossible) A. Run powerful magnets over the hard disk B. Smash the hard disk with a hammer C. Throw the hard disk into the fire D. Overwrite the contents of the hard disk with junk data E. Format the hard disk multiple times using a low level disk utility - C When a file is deleted by Windows Explorer or through the MS-DOS Delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database. A. the underscore symbol (_) B. a capital X C. the lowercase Greek letter sigma (s) D. a blank space - C Microsoft Outlook maintains email messages in a proprietary format in what type of file? A. .email B. .doc C. .mail D. .pst - D Volatile memory is one of the leading problems for forensics. Worms such as Code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory? A. Use intrusion forensic techniques to study memory resident infections B. Create a separate partition of several hundred megabytes and place the swap file there C. Use VMware to be able to capture the data in memory and examine it D. Give the operating system a minimal amount of memory, forcing it to use a swap file - B You are assigned to work in the computer forensics lab of a state police agency. While working on a high profile criminal case, you have followed every applicable procedure, however your boss is still concerned that the defense attorney might question wheather evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab? A. make an MD5 hash of the evidence and compare it to the standard database developed by NIST B. there is no reason to worry about this possible claim because state labs are certified C. 
sign a statement attesting that the evidence is the same as it was when it entered the lab
D. make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab
- D

You are a computer forensics investigator working with a local police department and you are called to assist in an investigation of threatening emails. The complainant has printed out 27 email messages from the suspect and gives the printouts to you. You inform her that you will need to examine her computer because you need access to the ___________________________ in order to track the emails back to the suspect.
A. firewall log
B. email headers
C. routing table
D. configuration files
- B

With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________.
A. 2
B. 0
C. 1
D. 10
- B

What should you do when approached by a reporter about a case that you are working on or have worked on?
A. answer all the reporter's questions as completely as possible
B. say, "no comment"
C. refer the reporter to the attorney that retained you
D. answer only the questions that help your case
- C

A state department site was recently attacked and all the servers had their hard disks erased. The incident response team sealed the area and commenced investigation. During evidence collection, they came across a zip disk that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they shortlisted possible suspects including three summer interns. Where did the incident team go wrong?
A. They attempted to implicate personnel without proof
B. They called in the FBI without correlating with the fingerprint data
C. They examined the actual evidence on an unrelated system
D. They tampered with the evidence by using it
- D

In the context of the file deletion process, which of the following statements holds true?
A. Secure delete programs work by completely overwriting the file in one go
B. While booting, the machine may create temporary files that can delete evidence
C. The longer a disk is in use, the less likely it is that deleted files will be overwritten
D. When files are deleted, the data is overwritten and the cluster marked as available
- B

When a file is deleted by Windows Explorer or through the MS-DOS Delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.
A. a blank space
B. the underscore symbol (_)
C. the lowercase Greek letter sigma (s)
D. a capital X
- C

To preserve digital evidence, an investigator should _____________________.
A. only store the original evidence item
B. make two copies of each evidence item using a single imaging tool
C. make a single copy of each evidence item using an approved imaging tool
D. make two copies of each evidence item using different imaging tools
- D

When investigating a Windows system, it is important to view the contents of the "page" or "swap" file because:
A. this is the file that Windows uses to store the history of the last 100 commands that were run from the command line
B. Windows stores all of the system's configuration information in this file
C. this is the file that Windows uses to communicate directly with the Registry
D. a large volume of data can exist within the swap file of which the computer user has no knowledge
- D

Jones had been trying to penetrate a remote production system for the past two weeks. This time, however, he is able to get into the system. He was able to use the system for a period of three weeks. However, law enforcement agencies were recording his every activity and this was later presented as evidence. The organization had used a virtual environment to trap Jones. What is a virtual environment?
A. A honeypot that traps hackers
B. An environment set up before a user logs in
C. A system using Trojaned commands
D. An environment set up after the user logs in
- A

The __________________________ refers to handing over the results of private investigations to the authorities because of indications of criminal activity.
A. Kelly Policy
B. Silver-Platter Doctrine
C. Locard Exchange Principle
D. Clark Standard
- B

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?
A. SyncTime Service
B. Network Time Protocol
C. Universal Time Set
D. Time-Sync Protocol
- B

The police believe that Mevin Matthew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers, and educational institutions. They also suspect that he has been stealing, copying, and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspect's door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant?
A. the Good Samaritan Laws
B. the Fourth Amendment
C. the Federal Rules of Evidence
D. the USA Patriot Act
- B

_______________________ is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.
A. Event reaction
B. Incident response
C. Computer forensics
D. Network forensics
- C

Printing under a Windows computer normally requires which one of the following file types to be created?
A. CME
B. EME
C. MEM
D. EMF
- D

Which is a standard procedure to perform during all computer forensics investigations?
A. with the hard drive in the suspect PC, check the date and time in the system's CMOS
B. with the hard drive in the suspect PC, check the date and time in the File Allocation Table
C. with the hard drive removed from the suspect PC, check the date and time in the system's CMOS
D. with the hard drive removed from the suspect PC, check the date and time in the system's RAM
- C

You are working in the Security Department of a law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken and that fake email is a possibility and that you can prove it. You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the company's SMTP server?
A. 135
B. 10
C. 110
D. 25
- D

Which of the following should a computer forensics investigations lab have?
A. restricted access
B. open access
C. an entry log
D. isolation
- A

You have been asked to investigate after a user has reported a threatening e-mail they've received from an external source. Which of the following are you most interested in when trying to trace the source of the message?
A. The E-mail Header
B. The SMTP reply address
C. The X509 address
D. The Host Domain Name
- A

Which is a standard procedure to perform during all computer forensics investigations?
A. with the hard drive removed from the suspect PC, check the date and time in the system's RAM
B. with the hard drive removed from the suspect PC, check the date and time in the system's CMOS
C. with the hard drive in the suspect PC, check the date and time in the system's CMOS
D. with the hard drive in the suspect PC, check the date and time in the File Allocation Table
- B

When using Windows acquisition tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to
A. avoid copying data from the boot partition
B. automate collection from image files
C. prevent contamination to the evidence drive
D. acquire data from the host-protected area on a disk
- C

In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court?
A. chain of custody
B. law of probability
C. rules of evidence
D. policy of separation
- A

The MD5 program is used to:
A. make directories on an evidence disk
B. view graphics files on an evidence drive
C. wipe magnetic media before recycling it
D. verify that a disk is not altered when you examine it
- D

Which of the following filesystems is used by Mac OS X?
A. NFS
B. EXT2
C. EFS
D. HFS+
- D

One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example, changing a .jpg extension to a .doc extension so that a picture file appears to be a document. What can an investigator examine to verify that a file has the correct extension?
A. the sector map
B. the file header
C. the File Allocation Table
D. the file footer
- B

As a CHFI professional, which of the following is the most important to your professional reputation?
A. The fee that you charge
B. The friendship of local law enforcement officers
C. Your certifications
D. The correct, successful management of each and every case
- D

When you carve an image, recovering the image depends on which of the following skills?
A. recovering the image from a tape backup
B. recognizing the pattern of the header content
C. recognizing the pattern of a corrupt file
D. recognizing the pattern of the data content
- B

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacturer. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO?
A. Good manners
B. the attorney-work-product rule
C. ISO 17799
D. Trade secrets
- B

The rule of thumb when shutting down a system is to pull the power plug. However, it has certain drawbacks. Which of the following would that be?
A. All running processes will be lost
B. Any data not yet flushed to the system will be lost
C. Power interruption will corrupt the pagefile
D. The /tmp directory will be flushed
- A

You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data. What method would be most efficient for you to acquire digital evidence from this network?
A. make a bit-stream disk-to-disk file
B. make a bit-stream disk-to-image file
C. create a compressed copy of the file with DoubleSpace
D. create a sparse data copy of a folder or file
- D

What happens when a file is deleted by a Microsoft operating system using the FAT file system?
A. the file is erased and cannot be recovered
B. only the reference to the file is removed from the FAT
C. the file is erased but can be recovered
D. a copy of the file is stored and the original file is erased
- B

With regard to using an antivirus scanner during a computer forensics investigation, you should:
A. scan your forensics workstation at intervals of no more than once every five minutes during an investigation
B. scan your forensics workstation before beginning an investigation
C. never run a scan on your forensics workstation because it could change your system's configuration
D. scan the suspect hard drive before beginning an investigation
- B

What type of file is represented by a colon (:) with a name following it in the Master File Table (MFT) of an NTFS disk?
A. a reserved file
B. a data stream file
C. a compressed file
D. an encrypted file
- B

When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time?
A. in the Web Server log files
B. on the individual computer's ARP cache
C. there is no way to determine the specific IP address
D. in the DHCP Server log files
- D

If you plan to start up a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive.
A. CMOS
B. Scandisk utility
C. Boot.sys
D. deltree command
- A

You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data. What method would be most efficient for you to acquire digital evidence from this network?
A. make a bit-stream disk-to-image file
B. create a compressed copy of the file with DoubleSpace
C. create a sparse data copy of a folder or file
D. make a bit-stream disk-to-disk file
- C

How many sectors will a 125 KB file use in a FAT32 file system?
A. 32
B. 16
C. 25
D. 256
- D

In the context of the file deletion process, which of the following statements holds true?
A. While booting, the machine may create temporary files that can delete evidence
B. When files are deleted, the data is overwritten and the cluster marked as available
C. The longer a disk is in use, the less likely it is that deleted files will be overwritten
D. Secure delete programs work by completely overwriting the file in one go
- A

Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?
A. search warrant
B. wire tap
C. subpoena
D. bench warrant
- A

You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?
A. All forms should be placed in the report file because they are now primary evidence in the case.
B. The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file.
C. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.
D. All forms should be placed in an approved secure container because they are now primary evidence in the case.
- C

One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example, changing a .jpg extension to a .doc extension so that a picture file appears to be a document. What can an investigator examine to verify that a file has the correct extension?
A. the File Allocation Table
B. the sector map
C. the file footer
D. the file header
- D

In general, _________________ involves the investigation of data that can be retrieved from the hard disk or other disks of a computer by applying scientific methods to retrieve the data.
A. data recovery
B. network forensics
C. disaster recovery
D. computer forensics
- D

You have used a newly released forensic investigation tool, which doesn't meet the Daubert Test, during a case. The case has ended up in court. What argument could the defense make to weaken your case?
A. You are not certified for using the tool
B. Only the local law enforcement should use the tool
C. The tool hasn't been tested by the International Standards Organization (ISO)
D. The tool has not been reviewed and accepted by your peers
- D

What does mactime, an essential part of The Coroner's Toolkit, do?
A. It traverses the file system and produces a listing of all files based on the modification, access and change timestamps
B. It is a tool specific to the MAC OS and forms a core component of the toolkit
C. The tool scans for i-node information, which is used by other tools in the toolkit
D. It can recover deleted file space and search it for data. However, it does not allow the investigator to preview them
- A

An expert witness may give an opinion if:
A. to stimulate discussion between the consulting expert and the expert witness
B. to define the issues of the case for determination by the finder of fact
C. to deter the witness from expanding the scope of his or her investigation beyond the requirements of the case
D. the opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the ordinary experience of lay jurors
- D

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacturer. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO?
A. the attorney-work-product rule
B. Good manners
C. ISO 17799
D. Trade secrets
- A

Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool?
A. Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file
B. A disk imaging tool would check for CRC32s for internal self checking and validation and have MD5 checksum
C. There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector
D. A simple DOS copy will not include deleted files, file slack and other information
- D

The use of warning banners helps a company avoid litigation by overcoming an employee's assumed ___________________ when connecting to the company's intranet, network, or virtual private network (VPN) and will allow the company's investigators to monitor, search, and retrieve information stored within the network.
A. right to Internet access
B. right of privacy
C. right to work
D. right of free speech
- B

When conducting computer forensic analysis, you must guard against _________ so that you remain focused on the primary job and ensure that the level of work does not increase beyond what was originally expected.
A. hard drive failure
B. scope creep
C. unauthorized expenses
D. overzealous marketing
- B

You are assisting in the investigation of a possible Web Server hack. The company who called you stated that customers reported to them that whenever they entered the web address of the company in their browser, what they received was a pornographic web site. The company checked the web server and nothing appears wrong. When you type in the IP address of the web site in your browser everything appears normal. What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those servers directing users to the wrong web site?
A. IP Spoofing
B. ARP Poisoning
C. DNS Poisoning
D. HTTP redirect attack
- C

Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool?
A. A disk imaging tool would check for CRC32s for internal self checking and validation and have MD5 checksum
B. A simple DOS copy will not include deleted files, file slack and other information
C. There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector
D. Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file
- B

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?
A. evidence in a civil case must be secured more tightly than in a criminal case
B. evidence in a criminal case must be secured more tightly than in a civil case
C. evidence procedures are not important unless you work for a law enforcement agency
D. evidence must be handled in the same way regardless of the type of case
- D

Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?
A. bench warrant
B. search warrant
C. wire tap
D. subpoena
- B

Before you are called to testify as an expert, what must an attorney do first?
A. read your curriculum vitae to the jury
B. engage in damage control
C. qualify you as an expert witness
D. prove that the tools you used to conduct your examination are perfect
- C

A state department site was recently attacked and all the servers had their hard disks erased. The incident response team sealed the area and commenced investigation. During evidence collection, they came across a zip disk that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they shortlisted possible suspects including three summer interns. Where did the incident team go wrong?
A. They examined the actual evidence on an unrelated system
B. They called in the FBI without correlating with the fingerprint data
C. They attempted to implicate personnel without proof
D. They tampered with the evidence by using it
- D

During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact-finding process. Therefore you report this evidence. This type of evidence is known as:
A. Mandatory evidence
B. Exculpatory evidence
C. Inculpatory evidence
D. Terrible evidence
- B

Jason is the security administrator of ACMA metal Corporation. One day he notices that the company's Oracle database server has been compromised and the customer information along with financial data has been stolen. The financial loss will be in millions of dollars if the database gets into the hands of the competitors. Jason wants to report this crime to the law enforcement agencies immediately. Which organization coordinates computer crimes investigations throughout the United States?
A. CERT Coordination Center
B. Internet Fraud Complaint Center
C. National Infrastructure Protection Center
D. Local or national office of the U.S. Secret Service
- C

When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk?
A. a protocol analyzer
B. a disk editor
C. a write-blocker
D. a firewall
- C

What should you do when approached by a reporter about a case that you are working on or have worked on?
A. refer the reporter to the attorney that retained you
B. say, "no comment"
C. answer only the questions that help your case
D. answer all the reporter's questions as completely as possible
- A

If you plan to start up a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive.
A. Boot.sys
B. CMOS
C. deltree command
D. Scandisk utility
- B

When reviewing web logs, you see an entry for "resource not found" in the HTTP status code field. What is the actual error code that you would see in the log for "resource not found"?
A. 606
B. 404
C. 202
D. 909
- B

During the course of a corporate investigation, you find that an employee is committing a crime. Can the employer file a criminal complaint with the police?
A. no, because the investigation was conducted without following standard police procedures
B. no, because the investigation was conducted without a warrant
C. yes, but only if you turn the evidence over to a federal law enforcement agency
D. yes, and all evidence can be turned over to the police
- D

You are assigned to work in the computer forensics lab of a state police agency. While working on a high-profile criminal case, you have followed every applicable procedure; however, your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab?
A. make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab
B. there is no reason to worry about this possible claim because state labs are certified
C. sign a statement attesting that the evidence is the same as it was when it entered the lab
D. make an MD5 hash of the evidence and compare it to the standard database developed by NIST
- A

Windows identifies which application to open a file with by examining which of the following?
A. The file extension
B. The file signature at the beginning of the file
C. The file attributes
D. The file signature at the end of the file
- A

Last updated: 1 year ago

Preview 1 out of 120 pages

Uploaded On

Jan 29, 2023
Seller: Good grade