Computer Hacking Forensic Investigator Topic 1
Question #: 505
Topic #: 1
During the trial, an investigator observes that one of the principal witnesses is severely ill and cannot be present for the hearing. He decides to record the evidence and present it to the court. Under which rule should he present such evidence?
A. Rule 1003: Admissibility of Duplicates
B. Limited admissibility
C. Locard’s Principle
D. Hearsay
Selected Answer: D
Question #: 358
Topic #: 1
Smith, a forensic examiner, was analyzing a hard disk image to find and acquire deleted sensitive files. He stumbled upon a $Recycle.Bin folder in the root directory of the disk. Identify the operating system in use.
A. Windows 98
B. Linux
C. Windows 8.1
D. Windows XP
Selected Answer: C
Question #: 117
Topic #: 1
You have completed a forensic investigation case. You would like to destroy the data contained in various disks at the forensics lab due to the sensitivity of the case.
How would you permanently erase the data on the hard disk?
A. Throw the hard disk into the fire
B. Run the powerful magnets over the hard disk
C. Format the hard disk multiple times using a low level disk utility
D. Overwrite the contents of the hard disk with Junk data
Selected Answer: A
Question #: 714
Topic #: 1
A cybersecurity investigator is working on a case involving a malicious executable suspected of being packed using a popular program packer. The investigator realizes that the packer used is password-protected. In such a scenario, what should be the investigator’s first course of action to analyze the packed file?
A. Mount compound files
B. Perform static analysis on the packed file
C. Decrypt the password to unpack the file
D. Run the packed file in a controlled environment for dynamic analysis
Selected Answer: A
Question #: 295
Topic #: 1
Harold is finishing up a report on a case of network intrusion, corporate spying, and embezzlement that he has been working on for over six months. He is trying to find the right term to use in his report to describe network-enabled spying. What term should Harold use?
A. Spycrack
B. Spynet
C. Netspionage
D. Hackspionage
Selected Answer: C
Question #: 289
Topic #: 1
When operating systems mark a cluster as used but not allocated, the cluster is considered as _________
A. Corrupt
B. Bad
C. Lost
D. Unallocated
Selected Answer: C
Question #: 268
Topic #: 1
Where are files temporarily written in Unix when printing?
A. /usr/spool
B. /var/print
C. /spool
D. /var/spool
Selected Answer: D
Question #: 267
Topic #: 1
Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?
A. Network
B. Transport
C. Physical
D. Data Link
Selected Answer: C
Question #: 253
Topic #: 1
What file is processed at the end of a Windows XP boot to initialize the logon dialog box?
A. NTOSKRNL.EXE
B. NTLDR
C. LSASS.EXE
D. NTDETECT.COM
Selected Answer: A
Question #: 233
Topic #: 1
What is the slave device connected to the secondary IDE controller on a Linux OS referred to as?
A. hda
B. hdd
C. hdb
D. hdc
Selected Answer: B
Question #: 229
Topic #: 1
Given the drive dimensions as follows and assuming a sector has 512 bytes, what is the capacity of the described hard drive?
22,164 cylinders/disk
80 heads/cylinder
63 sectors/track
A. 53.26 GB
B. 57.19 GB
C. 11.17 GB
D. 10 GB
Selected Answer: A
Question #: 225
Topic #: 1
What is the smallest physical storage unit on a hard drive?
A. Track
B. Cluster
C. Sector
D. Platter
Selected Answer: C
Question #: 204
Topic #: 1
How many possible sequence number combinations are there in TCP/IP protocol?
A. 1 billion
B. 320 billion
C. 4 billion
D. 32 million
Selected Answer: B
Question #: 200
Topic #: 1
After passively scanning the network of Department of Defense (DoD), you switch over to active scanning to identify live hosts on their network. DoD is a large organization and should respond to any number of scans. You start an ICMP ping sweep by sending an IP packet to the broadcast address. Only five hosts respond to your ICMP pings; definitely not the number of hosts you were expecting. Why did this ping sweep only produce a few responses?
A. Only IBM AS/400 will reply to this scan
B. Only Windows systems will reply to this scan
C. A switched network will not respond to packets sent to the broadcast address
D. Only Unix and Unix-like systems will reply to this scan
Selected Answer: C
Question #: 198
Topic #: 1
What does ICMP Type 3/Code 13 mean?
A. Host Unreachable
B. Administratively Blocked
C. Port Unreachable
D. Protocol Unreachable
Selected Answer: B
Question #: 191
Topic #: 1
You are running known exploits against your network to test for possible vulnerabilities. To test the strength of your virus software, you load a test network to mimic your production network. Your software successfully blocks some simple macro and encrypted viruses. You decide to really test the software by using virus code where the code rewrites itself entirely and the signatures change from child to child, but the functionality stays the same. What type of virus is this that you are testing?
A. Polymorphic
B. Metamorphic
C. Oligomorphic
D. Transmorphic
Selected Answer: A
Question #: 148
Topic #: 1
An “idle” system is also referred to as what?
A. PC not connected to the Internet
B. Zombie
C. PC not being used
D. Bot
Selected Answer: C
Question #: 141
Topic #: 1
Michael works for Kimball Construction Company as a senior security analyst. As part of the yearly security audit, Michael scans his network for vulnerabilities. Using Nmap, Michael conducts an XMAS scan and most of the ports scanned do not give a response. In what state are these ports?
A. Closed
B. Open
C. Stealth
D. Filtered
Selected Answer: B
Question #: 135
Topic #: 1
When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?
A. Passive IDS
B. Active IDS
C. Progressive IDS
D. NIPS
Selected Answer: B
Question #: 59
Topic #: 1
Why should you note all cable connections for a computer you want to seize as evidence?
A. to know what outside connections existed
B. in case other devices were connected
C. to know what peripheral devices exist
D. to know what hardware existed
Selected Answer: C
Question #: 147
Topic #: 1
You are the network administrator for a small bank in Dallas, Texas. To ensure network security, you enact a security policy that requires all users to have 14-character passwords. After giving your users 2 weeks' notice, you change the Group Policy to force 14-character passwords. A week later you dump the SAM database from the standalone server and run a password-cracking tool against it. Over 99% of the passwords are broken within an hour. Why were these passwords cracked so quickly?
A. Passwords of 14 characters or less are broken up into two 7-character hashes
B. A password Group Policy change takes at least 3 weeks to completely replicate throughout a network
C. Networks using Active Directory never use SAM databases so the SAM database pulled was empty
D. The passwords that were cracked are local accounts on the Domain Controller
Selected Answer: D
Question #: 187
Topic #: 1
Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?
A. Only an HTTPS session can be hijacked
B. HTTP protocol does not maintain session
C. Only FTP traffic can be hijacked
D. Only DNS traffic can be hijacked
Selected Answer: B
Question #: 179
Topic #: 1
Jason has set up a honeypot environment by creating a DMZ that has no physical or logical access to his production network. In this honeypot, he has placed a server running Windows Active Directory. He has also placed a Web server in the DMZ that services a number of web pages that offer visitors a chance to download sensitive information by clicking on a button. A week later, Jason finds in his network logs how an intruder accessed the honeypot and downloaded sensitive information. Jason uses the logs to try and prosecute the intruder for stealing sensitive corporate information. Why will this not be viable?
A. Entrapment
B. Enticement
C. Intruding into a honeypot is not illegal
D. Intruding into a DMZ is not illegal
Selected Answer: A
Question #: 150
Topic #: 1
John and Hillary work in the same department of the company. John wants to find out Hillary's network password so he can take a look at her documents on the file server. He puts the L0phtCrack program into sniffing mode. John sends Hillary an email with a link to Error! Reference source not found. What information will he be able to gather from this?
A. Hillary's network username and password hash
B. The SID of Hillary's network account
C. The SAM file from Hillary's computer
D. The network shares that Hillary has permissions to
Selected Answer: C
Question #: 146
Topic #: 1
What is the following command trying to accomplish?
C:\> nmap -sU -p445 192.168.0.0/24
A. Verify that UDP port 445 is open for the 192.168.0.0 network
B. Verify that TCP port 445 is open for the 192.168.0.0 network
C. Verify that NETBIOS is running for the 192.168.0.0 network
D. Verify that UDP port 445 is closed for the 192.168.0.0 network
Selected Answer: A
Question #: 144
Topic #: 1
You work as an IT security auditor hired by a law firm in Boston to test whether you can gain access to sensitive information about the company's clients. You have rummaged through their trash and found very little information. You do not want to set off any alarms on their network, so you plan on performing passive footprinting against their Web servers. What tool should you use?
A. Ping sweep
B. Nmap
C. Netcraft
D. Dig
Selected Answer: C
Question #: 138
Topic #: 1
You set up SNMP in multiple offices of your company. Your SNMP software manager is not receiving data from the other offices like it is for your main office. You suspect that firewall changes are to blame. What ports should you open for SNMP to work through firewalls? (Choose two.)
A. 162
B. 161
C. 163
D. 160
Selected Answer: C
Question #: 136
Topic #: 1
Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company’s network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?
A. Send DOS commands to crash the DNS servers
B. Perform DNS poisoning
C. Perform a zone transfer
D. Enumerate all the users in the domain
Selected Answer: C
Question #: 134
Topic #: 1
Which of the following file systems is used by Mac OS X?
A. EFS
B. HFS+
C. EXT2
D. NFS
Selected Answer: B
Question #: 133
Topic #: 1
Hackers can gain access to the Windows Registry and manipulate user passwords, DNS settings, access rights or other features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:
A. HKEY_LOCAL_MACHINE\hardware\windows\start
B. HKEY_LOCAL_USERS\Software\Microsoft\old\Version\Load
C. HKEY_CURRENT_USER\Microsoft\Default
D. HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run
Selected Answer: D
Question #: 123
Topic #: 1
You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents.
Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer?
A. Stringsearch
B. grep
C. dir
D. vim
Selected Answer: B
Question #: 113
Topic #: 1
Printing under a Windows computer normally requires which one of the following file types to be created?
A. EME
B. MEM
C. EMF
D. CME
Selected Answer: C
Question #: 107
Topic #: 1
You are working as a Computer Forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm's employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do?
A. Inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned
B. Inform the owner that conducting an investigation without a policy is a violation of the 4th amendment
C. Inform the owner that conducting an investigation without a policy is a violation of the employee’s expectation of privacy
D. Inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies
Selected Answer: C
Question #: 106
Topic #: 1
The ____________________ refers to handing over the results of private investigations to the authorities because of indications of criminal activity.
A. Locard Exchange Principle
B. Clark Standard
C. Kelly Policy
D. Silver-Platter Doctrine
Selected Answer: D
Question #: 105
Topic #: 1
This organization maintains a database of hash signatures for known software.
A. International Standards Organization
B. Institute of Electrical and Electronics Engineers
C. National Software Reference Library
D. American National Standards Institute
Selected Answer: C
Question #: 104
Topic #: 1
What is the investigator trying to analyze if the system gives the following image as output?
A. All the logon sessions
B. Currently active logon sessions
C. Inactive logon sessions
D. Details of users who can logon
Selected Answer: B
Question #: 112
Topic #: 1
Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their various activities. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident?
A. The manufacturer of the system compromised
B. The logic, formatting and elegance of the code used in the attack
C. The nature of the attack
D. The vulnerability exploited in the incident
Selected Answer: D
Question #: 87
Topic #: 1
When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the:
A. Recycle Bin
B. MSDOS.sys
C. BIOS
D. Case files
Selected Answer: D
Question #: 58
Topic #: 1
You should make at least how many bit-stream copies of a suspect drive?
A. 1
B. 2
C. 3
D. 4
Selected Answer: B
Question #: 57
Topic #: 1
Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks?
A. network-based IDS systems (NIDS)
B. host-based IDS systems (HIDS)
C. anomaly detection
D. signature recognition
Selected Answer: A
Question #: 49
Topic #: 1
When obtaining a warrant, it is important to:
A. particularly describe the place to be searched and particularly describe the items to be seized
B. generally describe the place to be searched and particularly describe the items to be seized
C. generally describe the place to be searched and generally describe the items to be seized
D. particularly describe the place to be searched and generally describe the items to be seized
Selected Answer: A
Question #: 29
Topic #: 1
Which is a standard procedure to perform during all computer forensics investigations?
A. with the hard drive removed from the suspect PC, check the date and time in the system’s CMOS
B. with the hard drive in the suspect PC, check the date and time in the File Allocation Table
C. with the hard drive removed from the suspect PC, check the date and time in the system’s RAM
D. with the hard drive in the suspect PC, check the date and time in the system’s CMOS
Selected Answer: D
Question #: 44
Topic #: 1
What binary coding is used most often for e-mail purposes?
A. MIME
B. Uuencode
C. IMAP
D. SMTP
Selected Answer: A
Question #: 298
Topic #: 1
While searching through a computer under investigation, you discover numerous files that appear to have had the first letter of the file name replaced by the hex code byte 5h. What does this indicate on the computer?
A. The files have been marked as hidden
B. The files have been marked for deletion
C. The files are corrupt and cannot be recovered
D. The files have been marked as read-only
Selected Answer: B
Question #: 246
Topic #: 1
Paraben Lockdown device uses which operating system to write hard drive data?
A. Mac OS
B. Red Hat
C. Unix
D. Windows
Selected Answer: D
Question #: 234
Topic #: 1
What will the following command accomplish?
dd if=/dev/xxx of=mbr.backup bs=512 count=1
A. Back up the master boot record
B. Restore the master boot record
C. Mount the master boot record on the first partition of the hard drive
D. Restore the first 512 bytes of the first partition of the hard drive
Selected Answer: A
Question #: 216
Topic #: 1
What is one method of bypassing a system BIOS password?
A. Removing the processor
B. Removing the CMOS battery
C. Remove all the system memory
D. Login to Windows and disable the BIOS password
Selected Answer: B
Question #: 213
Topic #: 1
An investigator is searching through the firewall logs of a company and notices ICMP packets that are larger than 65,536 bytes. What type of activity is the investigator seeing?
A. Smurf
B. Ping of death
C. Fraggle
D. Nmap scan
Selected Answer: B
Question #: 390
Topic #: 1
How will you categorize a cybercrime that took place within a CSP’s cloud environment?
A. Cloud as a Subject
B. Cloud as a Tool
C. Cloud as an Audit
D. Cloud as an Object
Selected Answer: A
Question #: 383
Topic #: 1
Shane has started the static analysis of a malware and is using the tool ResourcesExtract to find more details of the malicious program. What part of the analysis is he performing?
A. Identifying File Dependencies
B. Strings search
C. Dynamic analysis
D. File obfuscation
Selected Answer: B
Question #: 374
Topic #: 1
Which of the following files gives information about the client sync sessions in Google Drive on Windows?
A. sync_log.log
B. Sync_log.log
C. sync.log
D. Sync.log
Selected Answer: A
Question #: 370
Topic #: 1
Which of the following is a database in which information about every file and directory on an NT File System (NTFS) volume is stored?
A. Volume Boot Record
B. Master Boot Record
C. GUID Partition Table
D. Master File Table
Selected Answer: D
Question #: 367
Topic #: 1
Which of the following files stores information about a local Google Drive installation such as User email ID, Local Sync Root Path, and Client version installed?
A. filecache.db
B. config.db
C. sigstore.db
D. Sync_config.db
Selected Answer: D
Question #: 365
Topic #: 1
In Steganalysis, which of the following describes a Known-stego attack?
A. The hidden message and the corresponding stego-image are known
B. During the communication process, active attackers can change cover
C. Original and stego-object are available and the steganography algorithm is known
D. Only the steganography medium is available for analysis
Selected Answer: C
Question #: 346
Topic #: 1
Which of the following is a record of the characteristics of a file system, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map and usage information, and the size of the block groups?
A. Inode bitmap block
B. Superblock
C. Block bitmap block
D. Data block
Selected Answer: B
Question #: 328
Topic #: 1
Pagefile.sys is a virtual memory file used to expand the physical memory of a computer. Select the registry path for the page file:
A. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
B. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\System Management
C. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Device Management
D. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
Selected Answer: A
Question #: 325
Topic #: 1
Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in Windows 7 is:
A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList
C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegList
D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Regedit
Selected Answer: A
Question #: 316
Topic #: 1
Watson, a forensic investigator, is examining a copy of an ISO file stored in CDFS format. What type of evidence is this?
A. Data from a CD copied using Windows
B. Data from a CD copied using Mac-based system
C. Data from a DVD copied using Windows system
D. Data from a CD copied using Linux system
Selected Answer: A
Question #: 820
Topic #: 1
In the middle of a high-pressure cybercrime investigation, you stumble upon a cryptic message. It appears to be encoded with the ASCII standard. The encrypted message contains a combination of lower ASCII and higher ASCII codes. Which statement is the most accurate concerning the interpretation of this message?
A. The lower ASCII codes refer to non-printable system codes, while the higher ASCII codes represent alphanumeric characters and punctuation
B. Both lower and higher ASCII codes primarily contain alphanumeric characters and punctuation
C. ASCII codes at the lower end represent alphanumeric characters and punctuation. On the other hand, those at the higher end are typically used to denote non-printable system codes
D. The lower ASCII codes represent basic alphanumeric characters and punctuation, while the higher ASCII codes are generally used for graphics and non-ASCII characters in documents
Selected Answer: B
Question #: 803
Topic #: 1
A cybersecurity forensics investigator is tasked with acquiring data from a suspect’s drive for a civil litigation case. The suspect drive is 1TB, and due to time constraints, the investigator decides to prioritize and acquire only data of evidentiary value. The original drive cannot be retained. In this context, which of the following steps should the investigator prioritize?
A. Opt for disk-to-image copying for the large suspect drive
B. Execute logical acquisition considering the one-time opportunity to capture data
C. Utilize DriveSpace or DoubleSpace to reduce the data size
D. Use a reliable data acquisition tool to make a copy of the original drive
Selected Answer: B
Question #: 788
Topic #: 1
A forensic investigator is analyzing a Windows system for possible malicious activity. The investigator is specifically interested in the recent actions of a suspect on the system, including any deleted directories or files, mounted drives, and actions taken. Which of the following approaches and tools would be the most effective for obtaining this information?
A. Analyzing LNK files using ShellBags Explorer
B. Investigating Jump Lists using ShellBagsView
C. Parsing the BagMRU and Bags registry keys using SBag
D. Examining the MRUListEx key and NodeSlot value in Windows Explorer
Selected Answer: A
Question #: 777
Topic #: 1
You are a Computer Hacking Forensic Investigator (CHFI) employed by an international tech firm. One of your tasks involves overseeing and providing guidance on legal considerations during digital forensic investigations across different jurisdictions. One day, you find yourself dealing with unauthorized system access and data alteration incidents across multiple branches in Germany, Italy, Canada, Singapore, Belgium, Brazil, the Philippines, and Hong Kong. Recognizing that different countries have different laws that can impact the investigation, which of the following legal provisions should you apply when the main offence is the unauthorized modification of computer data?
A. Canada’s Criminal Code Section 342.1 (Obtain any computer service and interception of a computer system)
B. Italy’s Penal Code Article 615 ter (Unauthorized access to a computer or telecommunication systems)
C. Belgium’s Article 550(b) of the Criminal Code (Exceeding power of access to a computer system)
D. Germany’s Penal Code Section 303a (Alteration of Data)
Selected Answer: B
Question #: 776
Topic #: 1
In a recent cybercrime investigation, a forensic analyst found that the suspect had used anti-forensic techniques to complicate the investigation process. The criminal had been working to erase data, manipulate metadata, and employ encryption, which made the investigation significantly more complex. Which of the following scenarios would indicate that the suspect had overwritten data and metadata in an attempt to evade investigation?
A. The investigator detects that the suspect used VeraCrypt for full-volume encryption to protect critical files
B. AnalyzeMFT tool reveals inconsistencies between $STANDARD_INFORMATION and $FILE_NAME attributes in the NTFS file system
C. The investigator finds the disk has been completely formatted, wiping its address tables and unlinking all files in the file system
D. The investigator finds the majority of the hard drive’s sectors contain the null character, indicating usage of disk wiping utilities
Selected Answer: D
Question #: 770
Topic #: 1
A cybersecurity investigator is conducting a search and seizure operation involving a large data breach. She needs a witness’s signature for the agreement to proceed. She is considering one of her team members as a witness but is unsure whether this would comply with standard procedures. According to best practices in obtaining witness signatures during such operations, what actions should she take?
A. She should not involve any of her team members as a witness to avoid potential bias in court
B. If one witness is needed, she may consider her team member, given that they understand the relevance and can testify voluntarily
C. She should choose anyone present during the seizure as a witness regardless of their understanding of the case
D. She should choose a member from her team as a witness as it saves time and resources
Selected Answer: B
Question #: 731
Topic #: 1
A forensic investigator encounters a suspicious executable on a compromised system, believed to be packed using a known program packer, and is password-protected. The investigator has knowledge of the tool used for packing and has the corresponding unpacking tool. What should be the next best course of action to examine the executable?
A. Use the unpacking tool to decompress the executable, without dealing with the password
B. Run a dynamic analysis on the packed executable in a controlled environment
C. Decrypt the password to unpack the executable before analyzing
D. Use reverse engineering to understand the attack tool hidden inside
Selected Answer: B
Question #: 706
Topic #: 1
A Computer Hacking Forensic Investigator is acquiring volatile data from a Linux-based suspect machine that they cannot physically access. They need to obtain a dump of the system’s RAM remotely. Which of the following sequences of commands and tools should be utilized for a forensically sound extraction?
A. On the forensic workstation: insmod lime-.ko "path= format=lime"; on the suspect machine: nc : > filename.mem
B. On the suspect machine: insmod lime-.ko "path=tcp: format=lime"; on the forensics workstation: nc : > filename.mem
C. On the forensic workstation: nc -l > filename.dd; on the suspect machine: dd if=/dev/fmem bs=1024 | nc
D. On the suspect machine: dd if=/dev/fmem of= bs=1MB; on the forensic workstation: nc -l > filename.dd
Selected Answer: B
Question #: 702
Topic #: 1
A mid-sized enterprise recently suffered a security breach in their AWS-hosted application. The responsibility for identifying the source and cause of this breach falls under the purview of the internal security team. Based on the AWS shared responsibility model, which of the following would be the appropriate action for the team?
A. Investigate AWS’s underlying infrastructure including hardware and databases for security flaws
B. Audit the application security and IAM configurations within the enterprise’s AWS services
C. Conduct a full review of AWS’s global infrastructure including regions, availability zones, and edge locations
D. Check for security vulnerabilities in AWS container services’ OS and application platform
Selected Answer: B
Question #: 701
Topic #: 1
During an incident response to a data breach in a company’s AWS environment, a forensic investigator is tasked to analyze and extract data from different storage types for further examination. What would be the most appropriate and effective course of action given that Amazon S3, EBS, and EFS were used?
A. Implement ACL permissions for S3 buckets, and attach the affected EFS to a Linux instance for data extraction
B. Create IAM policies to restrict access, and proceed with data extraction from EBS and EFS storage types
C. Extract all data directly from Amazon S3 and EBS, and attach the EFS to a Linux instance for data extraction
D. Snapshot the affected EBS volumes and S3 buckets, and mount EFS to a Linux instance for analysis
Selected Answer: A
Question #: 699
Topic #: 1
A Computer Hacking Forensics Investigator (CHFI) is working on a case involving an encrypted file from a user profile that was deleted. The investigator knows that the file was encrypted using the Encrypted File System (EFS) on a Windows operating system. The system is still bootable, but the original user profile is gone, and the system administrator has reset the account password. What would be the most suitable tool to recover this EFS-encrypted file?
A. ShredIt, a disk wiping utility tool
B. VeraCrypt, a widely used tool in anti-forensics encryption
C. AnalyzeMFT, a tool for examining MACE times in NTFS file systems
D. Advanced EFS Data Recovery, a tool for decrypting protected files
Selected Answer: D
Question #: 690
Topic #: 1
A forensic investigator is analyzing a smartphone to gather crucial evidence. To fully understand the device’s working and data flow, he needs to comprehend the various mobile architectural layers. While examining the device’s frequency conversion, the investigator focuses on which of the following hardware components?
A. Baseband part
B. DAC/ADC
C. Antenna
D. RF part
Selected Answer: D
Question #: 679
Topic #: 1
Recently, an internal web app that a government agency utilizes has become unresponsive. Betty, a network engineer for the government agency, has been tasked to determine the cause of the web application's unresponsiveness. Betty launches Wireshark and begins capturing the traffic on the local network. While analyzing the results, Betty notices that a SYN flood attack is underway. How did Betty know a SYN flood attack was occurring?
A. Wireshark capture does not show anything unusual and the issue is related to the web application
B. Wireshark capture shows multiple ACK requests and SYN responses from single/multiple IP address(es)
C. Wireshark capture shows multiple SYN requests and RST responses from single/multiple IP address(es)
D. Wireshark capture shows multiple SYN requests and ACK responses from single/multiple IP address(es)
Selected Answer: C
Question #: 677
Topic #: 1
Fill in the missing Master Boot Record component.
1. Master boot code
2. Partition table
3. ____________
A. Signature word
B. Volume boot record
C. Boot loader
D. Disk signature
Selected Answer: D
Question #: 26
Topic #: 1
Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?
A. bench warrant
B. wire tap
C. subpoena
D. search warrant
Selected Answer: C
Question #: 18
Topic #: 1
The offset in a hexadecimal code is:
A. The last byte after the colon
B. The 0x at the beginning of the code
C. The 0x at the end of the code
D. The first byte after the colon
Selected Answer: B
Question #: 11
Topic #: 1
You are working for a large clothing manufacturer as a computer forensics investigator and are called in to investigate an unusual case of an employee possibly stealing clothing designs from the company and selling them under a different brand name for a different company. What you discover during the course of the investigation is that the clothing designs are actually original products of the employee and the company has no policy against an employee selling his own designs on his own time. The only thing that you can find that the employee is doing wrong is that his clothing design incorporates the same graphic symbol as that of the company with only the wording in the graphic being different. What area of the law is the employee violating?
A. trademark law
B. copyright law
C. printright law
D. brandmark law
Selected Answer: A
Question #: 524
Topic #: 1
In a computer that has Dropbox client installed, which of the following files related to the Dropbox client store information about local Dropbox installation and the Dropbox user account, along with email IDs linked with the account?
A. config.db
B. install.db
C. sigstore.db
D. filecache.db
Selected Answer: A
Question #: 483
Topic #: 1
Which of the following Perl scripts will help an investigator to access the executable image of a process?
A. Lspd.pl
B. Lpsi.pl
C. Lspm.pl
D. Lspi.pl
Selected Answer: D
Question #: 481
Topic #: 1
In which registry does the system store the Microsoft security IDs?
A. HKEY_CLASSES_ROOT (HKCR)
B. HKEY_CURRENT_CONFIG (HKCC)
C. HKEY_CURRENT_USER (HKCU)
D. HKEY_LOCAL_MACHINE (HKLM)
Selected Answer: D
Question #: 827
Topic #: 1
A CHFI has been asked to recover browser history from a seized Microsoft Edge browser on a Windows system. This is important to pinpoint the suspect’s online activities. The suspect was known to clear their browser history frequently. Which tool and path would most efficiently recover the required data?
A. MZCacheView tool; Path: C:\UsersWAppData\Local\Mozilla\Firefox\Profiles\XXXXXXXX.default\cache2
B. MZHistoryView tool; Path: C:\UsersWAppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\places.sqlite
C. Browsing HistoryView tool; Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\History
D. Browsing HistoryView tool; Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache
Selected Answer: C
Question #: 53
Topic #: 1
Area density refers to:
A. the amount of data per disk
B. the amount of data per partition
C. the amount of data per square inch
D. the amount of data per platter
Selected Answer: C
Question #: 38
Topic #: 1
The following excerpt is taken from a honeypot log. The log captures activities across three days.
There are several intrusion attempts; however, a few are successful.
(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
From the options given below choose the one which best interprets the following entry:
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
A. An IDS evasion technique
B. A buffer overflow attempt
C. A DNS zone transfer
D. Data being retrieved from 63.226.81.13
Selected Answer: B
Question #: 806
Topic #: 1
A computer forensics investigator is analyzing a hard disk drive (HDD) that is suspected to contain evidence of criminal activity. The HDD has 20,000 cylinders, 16 heads, and 63 sectors per track, with each sector having 512 bytes. During the analysis, the investigator discovered a file of 1.5KB in size on the disk. How many sectors are allocated for the file, and what could be the consequences of such allocation for the investigation?
A. 2 sectors; the file might be fragmented, making it harder to retrieve
B. 4 sectors; it may cause inefficiency in space utilization on the disk
C. 3 sectors; it may increase the retrieval time due to increased sector overhead
D. 3 sectors; the file might be fragmented, making it harder to retrieve
Selected Answer: C
Question #: 787
Topic #: 1
A digital forensics investigator is examining a suspect’s hard disk drive. The hard disk is known to have 16,384 cylinders, 16 heads, and 63 sectors per track, with a sector size of 512 bytes. During the investigation, the forensic analyst identifies a particular file that resides in two sectors. Considering that each sector contains data plus overhead information such as ID, synchronization fields, ECC, and gaps, what is the maximum potential size of this particular file stored on the disk?
A. More than 512 bytes but less than 1024 bytes
B. Equal to or more than 1024 bytes
C. Equal to 512 bytes
D. Less than 512 bytes
Selected Answer: A
Question #: 737
Topic #: 1
During a recent network intrusion investigation, a CHFI received logs from Juniper IDS, Check Point IPS, and a Kippo Honeypot. Which log provides information about the network traffic and bandwidth adjustment, aiding in business risk valuation?
A. Kippo Honeypot
B. Juniper IDS
C. None of the above
D. Check Point IPS
Selected Answer: D
Question #: 717
Topic #: 1
A Computer Hacking Forensics Investigator (CHFI) has been asked to retrieve specific email files from a large RAID server after a data breach. Additionally, fragments of unallocated (deleted) data are also required. However, there is a severe constraint on time and resources. Considering these requirements, which type of data acquisition should the investigator primarily focus on?
A. Logical acquisition
B. Bit-stream disk-to-disk
C. Sparse acquisition
D. Bit-stream disk-to-image-file
Selected Answer: C
Question #: 67
Topic #: 1
In a FAT32 system, a 123 KB file will use how many sectors?
A. 34
B. 25
C. 11
D. 56
Selected Answer: D
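Added example serving the three sector-arithmetic questions above (806, 787 and 67); it is not part of any of them. The Python below carries the CHS capacity product and the ceiling division that the questions rely on, plus the two things a practitioner checks next: the slack left in the last allocation unit, and whether the sectors a file occupies are contiguous. Note for question 67 that 123 KB over 512-byte data sectors is 246 sectors; the number of sectors a FAT32 volume actually hands to the file depends on the cluster size it was formatted with, which the question does not state, so the cluster_allocation function takes that as a parameter.

```python
SECTOR_BYTES = 512


def ceil_div(n, d):
    """Ceiling of n / d for non-negative integers."""
    return -(-n // d)


def chs_capacity_bytes(cylinders, heads, sectors_per_track, sector_bytes=SECTOR_BYTES):
    """Addressable bytes of a CHS-described disk: every track holds sectors_per_track sectors."""
    return cylinders * heads * sectors_per_track * sector_bytes


def sectors_for_file(size_bytes, sector_bytes=SECTOR_BYTES):
    """Whole data sectors needed for a file; the last one is usually only partly used."""
    return ceil_div(size_bytes, sector_bytes)


def file_size_range(n_sectors, sector_bytes=SECTOR_BYTES):
    """Smallest and largest payload a file occupying exactly n_sectors data sectors can have."""
    return (n_sectors - 1) * sector_bytes + 1, n_sectors * sector_bytes


def cluster_allocation(size_bytes, sectors_per_cluster, sector_bytes=SECTOR_BYTES):
    """FAT/NTFS allocate whole clusters: returns (clusters, sectors, slack_bytes)."""
    cluster_bytes = sectors_per_cluster * sector_bytes
    clusters = ceil_div(size_bytes, cluster_bytes)
    return clusters, clusters * sectors_per_cluster, clusters * cluster_bytes - size_bytes


def is_contiguous(sector_list):
    """True when the file's sectors are consecutive, i.e. the file is not fragmented."""
    s = sorted(sector_list)
    return all(b == a + 1 for a, b in zip(s, s[1:]))


if __name__ == "__main__":
    print(chs_capacity_bytes(20000, 16, 63) / 1e9, "GB addressable")
    print(sectors_for_file(1536), "sectors for a 1.5 KB file")
    print(file_size_range(2), "byte range for a two-sector file")
    print(cluster_allocation(123 * 1024, 8), "(clusters, sectors, slack) at 4 KB clusters")
```

The slack figure matters to the investigation as much as the sector count: the bytes between the end of the file and the end of its last cluster are never overwritten by the file's own writes and can still hold remnants of whatever occupied the cluster before.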
Question #: 60
Topic #: 1
What header field in the TCP/IP protocol stack involves the hacker exploit known as the Ping of Death?
A. ICMP header field
B. TCP header field
C. IP header field
D. UDP header field
Selected Answer: A
Question #: 380
Topic #: 1
What is the primary function of the tool CHKDSK in Windows that authenticates the file system reliability of a volume?
A. Repairs logical file system errors
B. Check the disk for hardware errors
C. Check the disk for connectivity errors
D. Check the disk for Slack Space
Selected Answer: A
Question #: 464
Topic #: 1
NTFS sets a flag for the file once you encrypt it and creates an EFS attribute where it stores the Data Decryption Field (DDF) and Data Recovery Field (DRF). Which of the following is not a part of the DDF?
A. Encrypted FEK
B. Checksum
C. EFS Certificate Hash
D. Container Name
Selected Answer: B
Question #: 467
Topic #: 1
Which of the following is a non-zero data that an application allocates on a hard disk cluster in systems running on Windows OS?
A. Sparse File
B. Master File Table
C. Meta Block Group
D. Slack Space
Selected Answer: A
Question #: 652
Topic #: 1
An investigator wants to extract passwords from SAM and System Files. Which tool can the investigator use to obtain a list of users, passwords, and their hashes in this case?
A. Nuix
B. FileMerlin
C. PWdump7
D. HashKey
Selected Answer: C
Question #: 653
Topic #: 1
Consider a scenario where a forensic investigator is performing malware analysis on a memory dump acquired from a victim’s computer. The investigator uses the Volatility Framework to analyze RAM contents: which plugin helps the investigator to identify hidden processes or injected code/DLLs in the memory dump?
A. malfind
B. pslist
C. mallist
D. malscan
Selected Answer: A
Question #: 671
Topic #: 1
You are an information security analyst at a large pharmaceutical company. While performing a routine review of audit logs, you have noticed a significant amount of egress traffic to various IP addresses on destination port 22 during off-peak hours. You researched some of the IP addresses and found that many of them are in Eastern Europe. What is the most likely cause of this traffic?
A. The organization’s primary internal DNS server has been compromised and is performing DNS zone transfers to malicious external entities
B. Data is being exfiltrated by an advanced persistent threat (APT)
C. Malicious software on internal system is downloading research data from partner SFTP servers in Eastern Europe
D. Internal systems are downloading automatic Windows updates
Selected Answer: B
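Added example, not part of the question or its source: the detection logic behind the analyst's observation, written in Python over constructed flow summaries. It keeps only flows from internal hosts to external destinations on port 22 inside the off-peak window, sums the bytes per source, and reports the hosts above a volume threshold together with how many distinct destinations they reached. Addresses, times, byte counts and the threshold are all invented for the demonstration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow summaries (timestamp, src, dst, dst_port, bytes_out); all values invented.
FLOWS = [
    ("2024-03-01T02:14:00", "10.20.1.15", "203.0.113.7", 22, 48_000_000),
    ("2024-03-01T02:20:00", "10.20.1.15", "203.0.113.9", 22, 52_000_000),
    ("2024-03-01T03:05:00", "10.20.1.15", "198.51.100.44", 22, 61_000_000),
    ("2024-03-01T10:30:00", "10.20.1.22", "10.20.5.2", 22, 2_000_000),   # admin SSH to an internal host
    ("2024-03-01T11:00:00", "10.20.1.30", "203.0.113.7", 443, 900_000),  # ordinary HTTPS
    ("2024-03-01T01:00:00", "10.20.1.40", "192.0.2.10", 22, 5_000),      # tiny off-hours SSH, below threshold
]

# RFC 1918 space only; ipaddress.is_private would also treat documentation ranges as private.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def is_off_hours(ts, start_hour=22, end_hour=6):
    """Off-peak window wraps midnight: 22:00 through 05:59 (assumed business hours)."""
    h = datetime.fromisoformat(ts).hour
    return h >= start_hour or h < end_hour


def egress_candidates(flows, port=22, min_bytes=50_000_000):
    """Internal hosts pushing at least min_bytes to external hosts on `port` during off-hours."""
    agg = defaultdict(lambda: {"bytes": 0, "destinations": set(), "flows": 0})
    for ts, src, dst, dport, nbytes in flows:
        if dport != port or not is_internal(src) or is_internal(dst) or not is_off_hours(ts):
            continue
        a = agg[src]
        a["bytes"] += nbytes
        a["destinations"].add(dst)
        a["flows"] += 1
    return {src: a for src, a in agg.items() if a["bytes"] >= min_bytes}


if __name__ == "__main__":
    for src, a in egress_candidates(FLOWS).items():
        print(src, a["bytes"], "bytes to", sorted(a["destinations"]))
```

The output is a lead, not a finding: before calling it exfiltration, geolocate and reverse-resolve the destinations, confirm the source host has no sanctioned SFTP job, and pull from the host which process owned those port-22 sockets during the window.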
Question #: 681
Topic #: 1
Mark works for a government agency as a cyber-forensic investigator. He has been given the task of restoring data from a hard drive. The partition of the hard drive was deleted by a disgruntled employee in order to hide their nefarious actions. What tool should Mark use to restore the data?
A. R-Studio
B. EFSDump
C. Diskview
D. Diskmon
Selected Answer: A
Question #: 718
Topic #: 1
In an email crime investigation, the forensic investigator analyses a computer using the Microsoft Outlook application. The investigator knows that Outlook stores email data in both .pst and .ost file formats. They want to focus on the files that hold the email data even when there is no internet connection. Which files should the investigator target for a deeper analysis?
A. Offline Storage Table (.ost) files located at C:\Users\%USERNAME%\AppData\Local\Microsoft\Outlook
B. Email data located within Mozilla Thunderbird and Apple Mail email clients
C. Archived email files in .pst format located via File —> Options —> Advanced —> AutoArchive Settings
D. Personal Storage Table (.pst) files located at C:\Users\%USERNAME%\Documents\Outlook Files
Selected Answer: A
Question #: 719
Topic #: 1
A major corporation has faced multiple SQL injection attacks on its web application. They have a ModSecurity WAF in place with default settings. However, attacks are still getting through. The forensic investigator recommends a measure to enhance security. What is the most likely recommendation?
A. Customize ModSecurity rules according to their environment
B. Replace ModSecurity with a next-generation firewall (NGFW)
C. Install an additional conventional firewall for protection
D. Implement real-time alerting and extensive logging capabilities
Selected Answer: A
Question #: 723
Topic #: 1
As a Computer Hacking Forensics Investigator, you are tasked with tracing a series of illegal transactions believed to originate from the dark web. You know the transactions were made using Tor, a browser providing anonymity. However, in an authoritarian country where the usage of the Tor network is restricted, the suspect is believed to be using an undisclosed Tor network feature to bypass these restrictions. What feature is likely being used in this scenario?
A. Exit Relay
B. Entry/Guard Relay
C. Tor Bridge Node
D. Middle Relay
Selected Answer: C
Question #: 727
Topic #: 1
A digital forensic investigator examines a Windows system to identify suspicious activity related to a recent cyber incident. She has collected volatile and non-volatile registry hives for analysis. The investigator has noticed modifications in a user’s profile settings, including changes in desktop wallpaper and screen colors. Which hive and component cells in the registry should she examine more closely for further evidence of user-specific activity?
A. Examine HKEY_CLASSES_ROOT; focus on security descriptor cells and value cells
B. Examine HKEY_LOCAL_MACHINE; focus on value cells and subkey list cells
C. Examine HKEY_CURRENT_CONFIG; focus on subkey list cells and value cells
D. Examine HKEY_CURRENT_USER; focus on key cells and value list cells
Selected Answer: D
Question #: 728
Topic #: 1
An investigator is examining a compromised system and comes across some files that have been compressed with a packer. The investigator knows that these files contain malicious content, but cannot access them due to a password protection mechanism. The investigator does not have the password. Which approach is the most suitable for accessing the contents of the packed files?
A. The investigator should attempt static analysis on the packed file
B. The investigator should run the packed executable in a controlled environment for dynamic analysis
C. The investigator should attempt to crack the password using a brute force attack
D. The investigator should attempt to reverse engineer the packed file in an attempt to bypass password protection
Selected Answer: C
Question #: 687
Topic #: 1
A large corporation has recently undergone a cyberattack. The forensic analyst finds suspicious activities in the Windows Event logs during the investigation. The analyst notes that a specific service on the machine has been frequently starting and stopping during the time of the attack. What event IDs should the analyst look for in the System log to confirm this suspicious behavior?
A. Event ID 7035 and Event ID 7036
B. Event ID 1 and Event ID 7035
C. Event ID 7031 and Event ID 7032
D. Event ID 7036 and Event ID 7037
Selected Answer: A
Question #: 694
Topic #: 1
In an ongoing investigation, a computer forensics investigator encounters a suspicious file believed to be packed using a password-protected program packer. The investigator possesses both the knowledge of the packing tool used and the necessary unpacking tool. What critical step should the investigator consider before analyzing the packed file?
A. Conduct static analysis on the packed file immediately
B. Reverse engineer the packed file to understand the hidden attack tools
C. Attempt to decrypt the password prior to unpacking the file
D. Run the packed file in a controlled environment for dynamic analysis
Selected Answer: C
Question #: 604
Topic #: 1
Which layer in the IoT architecture is comprised of hardware parts such as sensors, RFID tags, and devices that play an important role in data collection?
A. Access gateway layer
B. Application layer
C. Edge technology layer
D. Middleware layer
Selected Answer: C
Question #: 703
Topic #: 1
An individual skilled in Forensic Investigation has been summoned to look into a potentially unlawful transaction, believed to have unfolded on the shadowy expanses of the dark web. The investigator knows that the suspect used the Tor network for the transaction. Which of the following aspects of the Tor network should the investigator focus on primarily to trace the origin of the data transmission?
A. The Exit Relay, as it sends the data to the destination server
B. The Tor Bridge Node, as it helps to circumvent restrictions on the Tor network
C. The Middle Relay, as it transmits the data in an encrypted format
D. The Entry/Guard Relay, as it provides an entry point to the Tor network
Selected Answer: A
Question #: 645
Topic #: 1
In Java, when multiple applications are launched, multiple Dalvik Virtual Machine instances are created, which consumes memory and time. To avoid that, Android implements a process that enables low memory consumption and quick start-up time. What is the process called?
A. Init
B. Zygote
C. Daemon
D. Media server
Selected Answer: B
Question #: 566
Topic #: 1
Which of these rootkit detection techniques function by comparing a snapshot of the file system, boot records, or memory with a known and trusted baseline?
A. Signature-Based Detection
B. Integrity-Based Detection
C. Cross View-Based Detection
D. Heuristic/Behavior-Based Detection
Selected Answer: B
Question #: 564
Topic #: 1
Which of the following Linux commands searches through the currently running processes and writes the process IDs that match the selection criteria to stdout?
A. pstree
B. pgrep
C. ps
D. grep
Selected Answer: B
Question #: 461
Topic #: 1
Which of the following examinations refers to the process of providing the opposing side in a trial the opportunity to question a witness?
A. Cross Examination
B. Direct Examination
C. Indirect Examination
D. Witness Examination
Selected Answer: A
Question #: 454
Topic #: 1
What do you call the process in which an attacker uses magnetic field over the digital media device to delete any previously stored data?
A. Disk deletion
B. Disk cleaning
C. Disk degaussing
D. Disk magnetization
Selected Answer: C
Question #: 409
Topic #: 1
You are assigned a task to examine the log files pertaining to MyISAM storage engine. While examining, you are asked to perform a recovery operation on a
MyISAM log file. Which among the following MySQL Utilities allow you to do so?
A. mysqldump
B. myisamaccess
C. myisamlog
D. myisamchk
Selected Answer: C
Question #: 349
Topic #: 1
Which rule requires an original recording to be provided to prove the content of a recording?
A. 1004
B. 1002
C. 1003
D. 1005
Selected Answer: B
Question #: 273
Topic #: 1
What type of analysis helps to identify the time and sequence of events in an investigation?
A. Time-based
B. Functional
C. Relational
D. Temporal
Selected Answer: B
Question #: 251
Topic #: 1
Which of the following is found within the unique instance ID key and helps investigators to map the entry from USBSTOR key to the MountedDevices key?
A. ParentIDPrefix
B. LastWrite
C. UserAssist key
D. MRUListEx key
Selected Answer: A
Question #: 6
Topic #: 1
You are using DriveSpy, a forensic tool and want to copy 150 sectors where the starting sector is 1709 on the primary hard drive. Which of the following formats correctly specifies these sectors?
A. 0:1000, 150
B. 0:1709, 150
C. 1:1709, 150
D. 0:1709-1858
Selected Answer: B
Question #: 97
Topic #: 1
Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area, records the scene using visual media. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events?
A. Connect the target media; prepare the system for acquisition; Secure the evidence; Copy the media
B. Prepare the system for acquisition; Connect the target media; copy the media; Secure the evidence
C. Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media
D. Secure the evidence; prepare the system for acquisition; Connect the target media; copy the media
Selected Answer: B
Question #: 78
Topic #: 1
Which of the following is NOT a graphics file?
A. Picture1.tga
B. Picture2.bmp
C. Picture3.nfo
D. Picture4.psd
Selected Answer: C
Question #: 56
Topic #: 1
Jason is the security administrator of ACMA metal Corporation. One day he notices the company’s Oracle database server has been compromised and the customer information along with financial data has been stolen. The financial loss will be in millions of dollars if the database gets into the hands of the competitors. Jason wants to report this crime to the law enforcement agencies immediately.
Which organization coordinates computer crimes investigations throughout the United States?
A. Internet Fraud Complaint Center
B. Local or national office of the U.S. Secret Service
C. National Infrastructure Protection Center
D. CERT Coordination Center
Selected Answer: B
Question #: 47
Topic #: 1
If you plan to startup a suspect’s computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect’s hard drive by booting to the hard drive.
A. deltree command
B. CMOS
C. Boot.sys
D. Scandisk utility
Selected Answer: B
Question #: 36
Topic #: 1
When investigating a potential e-mail crime, what is your first step in the investigation?
A. Trace the IP address to its origin
B. Write a report
C. Determine whether a crime was actually committed
D. Recover the evidence
Selected Answer: D
Question #: 24
Topic #: 1
Lance wants to place a honeypot on his network. Which of the following would be your recommendations?
A. Use a system that has a dynamic addressing on the network
B. Use a system that is not directly interacting with the router
C. Use it on a system in an external DMZ in front of the firewall
D. It doesn’t matter as all replies are faked
Selected Answer: C
Question #: 22
Topic #: 1
Which part of the Windows Registry contains the user’s password file?
A. HKEY_LOCAL_MACHINE
B. HKEY_CURRENT_CONFIGURATION
C. HKEY_USER
D. HKEY_CURRENT_USER
Selected Answer: A
Question #: 12
Topic #: 1
What file structure database would you expect to find on floppy disks?
A. NTFS
B. FAT32
C. FAT16
D. FAT12
Selected Answer: D
Question #: 791
Topic #: 1
A forensic investigator discovers an Android smartwatch at the crime scene during an investigation. The investigator realizes the smartwatch was potentially involved in the crime, but the device associated with it was not found at the scene. What is the most suitable initial step for the investigator to retrieve meaningful data from the smartwatch?
A. The investigator should first physically dismantle the smartwatch to access its internal storage
B. The investigator should immediately turn off the smartwatch to prevent data manipulation
C. The investigator should start by understanding the smartwatch’s basic framework, including its APIs
D. The investigator should directly analyze data stored on the smartwatch using IoT forensics tools
Selected Answer: C
Question #: 734
Topic #: 1
After an unexpected shutdown of a company’s database server, the IT forensics team is tasked with collecting data from the Database Plan Cache to investigate potential issues. What query should they use to retrieve the SQL text of all cached entries and acquire additional aggregate performance statistics?
A. Use: select * from sys.dm_exec_cached_plans cross apply sys.dm_exec_plan_attributes(plan_handle) followed by: select * from sys.dm_exec_query_stats
B. Use: select * from sys.dm_exec_cached_plans cross apply sys.dm_exec_sql_text(plan_handle) followed by: select * from sys.dm_exec_plan_attributes(plan_handle)
C. Use: select * from sys.dm_exec_sql_text(plan_handle) cross apply sys.dm_exec_cached_plans followed by: select * from sys.dm_exec_query_stats
D. Use: select * from sys.dm_exec_cached_plans cross apply sys.dm_exec_sql_text(plan_handle) followed by: select * from sys.dm_exec_query_stats
Selected Answer: D
Question #: 715
Topic #: 1
A cybercrime investigator is evaluating a data breach in a company’s AWS infrastructure. The breached service was categorized as an AWS container service. What primary security aspects were likely managed by the company and not by AWS, which the investigator should first focus on?
A. Physical infrastructure and foundational services
B. Network configuration of the container services
C. Data management and firewall configuration
D. Application platform and Operating System (OS) security
Selected Answer: C
Question #: 705
Topic #: 1
During a complex malware investigation, a forensic investigator found a binary executable suspected to contain malicious code. The investigator decides to perform static malware analysis to identify and analyze the threat. Which of the following actions should be performed next by the investigator to reveal essential information about the executable’s functionalities and features?
A. Performing a string search in the binary using ResourcesExtract tool
B. Submitting the executable to VirusTotal for online scanning
C. Disassembling the binary executable to study its structure and functionality
D. Calculating the cryptographic hash of the binary file for file fingerprinting
Selected Answer: C