Computer Hacking Forensic Investigator Topic 2
Question #: 829
Topic #: 1
A forensics investigator is studying the Event ID logs on a domain controller for a corporation, following a suspected security breach. He notices that a domain user account was created, then modified, and then added to a group in a very short span of time. The investigator realizes that he must cross-verify the audit policies on the local system to understand if any changes were made to it. Assuming that the investigator has the correct audit policy settings, which of the following Event IDs should he focus on?
A. Event ID 642
B. Event ID 644
C. Event ID 624
D. Event ID 612
Selected Answer: C
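A worked example, added here and not part of the original question bank, of the correlation the scenario describes: grouping legacy Windows Security-log events by target account and flagging an account that is created, changed and added to a group within a short window, while separately surfacing audit-policy changes (612) that could have altered what was logged. The Event ID meanings are the pre-Vista Security log IDs the question uses; the log entries are constructed sample data and the 60-second window is an assumption.

```python
"""Added example (not from the original page): correlate legacy Windows
Security-log Event IDs to flag a rapid 'create -> modify -> add to group'
sequence against one account, and list audit-policy changes.

Legacy (pre-Vista) Security log IDs used here:
  624 = user account created, 642 = user account changed,
  632/636 = member added to a security-enabled global/local group,
  612 = audit policy change, 644 = user account locked out.
SAMPLE_LOG is constructed sample data, not real evidence.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_NAMES = {
    624: "User Account Created",
    642: "User Account Changed",
    632: "Security Enabled Global Group Member Added",
    636: "Security Enabled Local Group Member Added",
    612: "Audit Policy Change",
    644: "User Account Locked Out",
}

# Constructed sample log: (timestamp, event id, target account, actor)
SAMPLE_LOG = [
    ("2024-03-01 09:58:10", 612, "-", "CORP\\svc-backup"),
    ("2024-03-01 10:00:01", 624, "CORP\\jdoe2", "CORP\\svc-backup"),
    ("2024-03-01 10:00:07", 642, "CORP\\jdoe2", "CORP\\svc-backup"),
    ("2024-03-01 10:00:15", 636, "CORP\\jdoe2", "CORP\\svc-backup"),
    ("2024-03-01 10:31:00", 624, "CORP\\intern01", "CORP\\hr-admin"),
    ("2024-03-01 14:05:00", 636, "CORP\\intern01", "CORP\\hr-admin"),
]


def parse(entries):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, target, actor)
            for ts, eid, target, actor in entries]


def rapid_provisioning(entries, window_seconds=60):
    """Accounts for which a 642 (changed) and a 632/636 (added to group)
    event both follow a 624 (created) event within `window_seconds`."""
    by_target = defaultdict(list)
    for ts, eid, target, actor in parse(entries):
        by_target[target].append((ts, eid, actor))
    hits = []
    window = timedelta(seconds=window_seconds)
    for target, events in by_target.items():
        events.sort()
        created = [ts for ts, eid, _ in events if eid == 624]
        for t0 in created:
            later = [eid for ts, eid, _ in events if t0 <= ts <= t0 + window]
            if 642 in later and any(eid in (632, 636) for eid in later):
                hits.append(target)
    return hits


def audit_policy_changes(entries):
    """612 events: whoever changed the audit policy may have changed what was
    recorded, so these are cross-checked before trusting the rest of the trail."""
    return [(ts, actor) for ts, eid, _, actor in parse(entries) if eid == 612]


if __name__ == "__main__":
    for acct in rapid_provisioning(SAMPLE_LOG):
        print("rapid provisioning of", acct)
    for ts, actor in audit_policy_changes(SAMPLE_LOG):
        print(ts, EVENT_NAMES[612], "by", actor)
```

On a Vista-or-later domain controller the same logic applies with the 4xxx IDs (4720, 4738, 4728/4732, 4719), but the question is phrased in terms of the legacy numbering.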
Question #: 825
Topic #: 1
In a computer forensics investigation, an investigator is dealing with a system that has been recently shut down. The data they need is of a non-volatile nature. Which type of data acquisition methodology should the investigator adopt in this scenario and why?
A. The investigator should not perform any data acquisition as the system is already powered off
B. The investigator should use either live or dead data acquisition as both methods can collect non-volatile data from the system
C. The investigator should use live data acquisition since it is intended to capture dynamic data from the computer’s memory, caches, and registries
D. The investigator should use dead data acquisition because it is designed to collect unaltered data from storage devices such as hard drives and USB thumb drives
Selected Answer: D
Question #: 824
Topic #: 1
A CHFI professional is investigating a data breach in a Windows 10 system. The initial analysis revealed some alterations in the system event logs. As part of the investigation, the professional uses the ‘wevtutil’ command-line tool. The command ‘wevtutil gl Security’ was executed, but the results seemed abnormal. Which of the following could be a plausible reason for this outcome?
A. The command ‘wevtutil gl Security’ does not exist in the ‘wevtutil’ command set
B. The ‘wevtutil’ command cannot retrieve data from XML-based EVTX file format
C. The Event Log service was temporarily unresponsive or down
D. The EVTX file storing the Security log was corrupted or tampered with
Selected Answer: D
Question #: 823
Topic #: 1
A Computer Hacking Forensic Investigator (CHFI) arrives at the crime scene in an incident involving cybercrime. While performing the initial search of the scene, the investigator spots a GPS device, a keyboard, and a telephone line connected to a caller ID box. Considering the steps involved in searching for evidence, which of the following actions should the investigator perform first?
A. Secure the keyboard to protect any potential fingerprints
B. Initiate the search and seizure evidence log to document details of the identified devices
C. Record observations about the current situation at the scene
D. Survey the GPS device to explore potential sources of digital information
Selected Answer: A
Question #: 818
Topic #: 1
A CHFI expert creates a forensics image of a pen drive using AccessData FTK Imager during a computer forensics investigation. The investigator uses The Sleuth Kit (TSK) to examine an ext4 file system on a Linux disk image and suspects data tampering. The expert decides to verify inode metadata for a critical file. However, he notes an unexpected block allocation in the inode details. Which TSK command-line tool and argument should the investigator utilize to examine the addresses of all allocated disk units for the suspicious inode?
A. fsstat -f ext4
B. img_stat -i raw
C. fls -o imgoffset
D. istat -B num
Selected Answer: D
Question #: 814
Topic #: 1
During a malware forensic investigation, a newly added entry was identified in the Windows AutoStart registry keys after a malware execution on a compromised system. The entry indicates a VB script file named “CaoClboog.vbs” installed in the ‘Run’ key to achieve persistence and run automatically upon user login. As a Computer Hacking Forensic Investigator (CHFI), where would you expect to find this suspicious entry in the registry hive?
A. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup
B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
C. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
D. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Common Startup
Selected Answer: C
Question #: 813
Topic #: 1
Investigator Janet comes across a suspicious Windows registry key during a computer hacking forensic investigation. She believes modifying this key is associated with the recent cyberattack on the company’s servers. In order to confirm this, Janet needs to reference a timestamp embedded inside the registry key. What is the correct name of this timestamp?
A. Last Write Time
B. User Activity Time
C. System Modification Time
D. Current System Time
Selected Answer: A
Question #: 812
Topic #: 1
During a computer hacking forensic investigation, an investigator is tasked with acquiring volatile data from a live Linux system with limited physical access. Which methodology would be the most suitable for this scenario?
A. Using Belkasoft Live RAM Capturer to extract the entire contents of the computer’s volatile memory
B. Performing remote acquisition of volatile data from a Linux machine using dd and netcat
C. Using the fmem module and dd command locally to access the RAM and acquire its content directly
D. Performing local acquisition of RAM using the LiME tool
Selected Answer: B
Question #: 811
Topic #: 1
A multinational company has recently fallen victim to a severe cyberattack. As part of the incident response team, you are analyzing the Apache web server logs to track the attacker's activities. You notice that modifications are made to the HTTP.REQUEST component of the Apache core, suggesting changes in request handling. To discern the type of modifications made, which of the following elements of the Apache web server architecture would you focus on examining?
A. Apache modules: To uncover extended functionalities that may have been tampered with
B. http_protocol module: To identify the client and server data exchange details
C. http_config module: To check alterations in configuration files and modules management
D. http_main module: To identify server startups and timeouts
Selected Answer: A
Question #: 804
Topic #: 1
An organization has suffered a significant data breach and called in a Computer Hacking Forensics Investigator (CHFI) to gather evidence. The investigator has decided to use the dead acquisition technique to gather nonvolatile data from the compromised system. Which of the following would NOT typically be acquired during this type of forensic data acquisition process?
A. Web browser cache
B. Unallocated drive space
C. Active network connections
D. Boot sectors
Selected Answer: C
Question #: 781
Topic #: 1
A CHFI is analyzing suspicious activity on a company’s AWS account. She suspects an unauthorized user accessed and deleted a crucial bucket object. To trace the potential perpetrator, she should primarily rely on the following:
A. S3 Server Access logs to understand actions performed on a bucket object
B. AWS CloudTrail logs to determine when and where the specific API calls were made
C. Amazon CloudWatch logs to monitor system and application log data in real time
D. Amazon VPC Flow Logs to scrutinize the IP traffic entering and leaving the specific VPC
Selected Answer: B
Question #: 799
Topic #: 1
During an investigation of a suspected email crime, the forensics team noted that the criminal used emails to sell illegal narcotics and execute numerous frauds. The team identified that the criminal had also used an advanced phishing technique to target a specific executive in the victim’s organization. Which phishing technique was likely used in this scenario?
A. Spimming
B. Whaling
C. Pharming
D. Spear Phishing
Selected Answer: B
Question #: 798
Topic #: 1
An organization suspects that a former temporary employee may have used steganography to hide sensitive information within multimedia files for unauthorized extraction. The company has launched an internal steganalysis process to uncover the potential breach. The steganalyst discovered some unusual patterns within a specific image file as part of the investigation. Which steganalysis attack techniques are most likely being applied in this scenario?
A. Known-message Attack
B. Known-stego Attack
C. Stego-only Attack
D. Chosen-message Attack
Selected Answer: C
Question #: 796
Topic #: 1
You are a Computer Hacking Forensic Investigator working on a high-profile case involving an Android device. You discovered an SQLite database during your investigation. However, this database has an unusual extension type and does not display content using your current tools. You recall that you have the following tools at your disposal: Oxygen Forensics SQLite Viewer, DB Browser for SQLite, X-plore, SQLitePlus Database Explorer, and SQLite Viewer. Given that this particular SQLite database may contain important evidence, what should be your approach?
A. Switch between all the available tools until you find one that works with the unknown database extension
B. Use X-plore, as it offers root access which can provide access to the database
C. Stick to using Oxygen Forensics SQLite Viewer, which can analyze actual and deleted data
D. Use the SQLite “.dump” command to extract the data into a readable format
Selected Answer: D
Question #: 793
Topic #: 1
In the event of a fileless malware attack, a Computer Hacking Forensics Investigator (CHFI) notes that the fileless malware has managed to persist even after the system reboots. What built-in Windows tool/utility might the attacker most likely have leveraged for this persistent behavior?
A. Windows operating system components
B. Windows Task Scheduler
C. Windows AutoStart registry keys
D. Windows Process Explorer
Selected Answer: B
Question #: 790
Topic #: 1
A cybersecurity forensic investigator analyzes log files to investigate an SQL injection attack. While going through the Apache access.log, they come across a GET request from the IP 10.0.0.19 containing the following query string:
GET /sqli/example1.php?name=root' UniON SeLeCT 1,table_name,3,4,5 From information_schema.tables where Table_Schema=DatabasE() limit 1,2--
What is the intention behind the attacker’s query?
A. To erase the data in the specific tables of the database
B. To retrieve the names of the tables in the database
C. To bypass the website’s authentication mechanism and view all user details
D. To manipulate the order of the columns in the database
Selected Answer: B
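An added example, not part of the original question, of running the check an investigator would apply to the access log above: parse Apache combined-format lines, undo the URL-encoding and mixed case the attacker used, match UNION-based injection and classify whether the payload enumerates the schema (information_schema) or pulls data from a named table. The log lines are constructed samples and the regular expressions illustrate the check rather than forming a complete SQLi signature set.

```python
"""Added example (not part of the original page): scan Apache access-log
lines for UNION-based SQL injection and classify what the payload is after.
SAMPLE_LINES are constructed; the patterns illustrate the check only."""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines
SAMPLE_LINES = [
    '10.0.0.19 - - [12/Mar/2024:10:14:02 +0000] "GET /sqli/example1.php?name=root%27%20UniON%20SeLeCT%201,table_name,3,4,5%20From%20information_schema.tables%20where%20Table_Schema=DatabasE()%20limit%201,2-- HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '10.0.0.19 - - [12/Mar/2024:10:15:40 +0000] "GET /sqli/example1.php?name=root%27+UNION+SELECT+1,username,password,4,5+FROM+users-- HTTP/1.1" 200 1980 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Mar/2024:10:16:01 +0000] "GET /sqli/example1.php?name=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UNION_RE = re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)


def decode(path):
    # Attackers mix URL-encoding and letter case to slip past naive filters:
    # decode twice to undo double-encoding, then lower-case for matching.
    return unquote_plus(unquote_plus(path)).lower()


def classify(query):
    """Intent of a UNION payload, judged by what it selects from."""
    if "information_schema.tables" in query and "table_name" in query:
        return "schema enumeration (table names)"
    if "information_schema.columns" in query:
        return "schema enumeration (column names)"
    return "data extraction"


def find_union_sqli(lines):
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        q = decode(m.group("path"))
        if UNION_RE.search(q):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "intent": classify(q), "query": q})
    return findings


if __name__ == "__main__":
    for f in find_union_sqli(SAMPLE_LINES):
        print(f["ts"], f["ip"], f["intent"])
```

The first constructed line is the page's query after URL-encoding; the classifier reports it as table-name enumeration, the follow-up request against a `users` table as data extraction, and the benign request not at all.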
Question #: 786
Topic #: 1
A sophisticated cyber-attack has targeted an organization, and the forensic team is called upon for incident response. Their assets are largely hosted on AWS, particularly using S3 and EC2 instances. As a forensic investigator, your first step to retaining valuable evidence in the EC2 instances is:
A. Retrieve and analyze log data from the affected EC2 instances
B. Encrypt all the data present in the EC2 instances to avoid further unauthorized access
C. Immediately isolate the affected EC2 instances from the network to avoid data corruption
D. Create a snapshot of the EBS volume in the affected EC2 instance and share it with the forensic team for analysis
Selected Answer: D
Question #: 785
Topic #: 1
A forensic investigator is tasked with logically acquiring data from an Android device involved in a cybercrime incident. The device is passcode protected, and the suspect refuses to reveal the passcode. How should the investigator proceed?
A. Enable USB debugging on the Android device and use adb commands to gain root access and extract data
B. Connect the Android device to a computer with iTunes installed to perform a backup and extract data
C. Use an adb pull command to download all the data, including system files and deleted data
D. Use the adb push command to extract data from the device without bypassing the passcode
Selected Answer: A
Question #: 783
Topic #: 1
A large corporation hired an independent marketing firm to manage its email advertising campaign. Subsequently, it was found that the firm was sending commercial emails without including necessary information about how to stop receiving emails in the future. In addition, they failed to honor the opt-out requests of the recipients within 10 business days. Under the CAN-SPAM Act, which of the following is true?
A. Both the corporation and the marketing firm could be held legally responsible for the violation
B. Only the corporation would be held legally responsible for the violation
C. The marketing firm alone would be held legally responsible for the violation
D. Neither the corporation nor the marketing firm would be held legally responsible for the violation
Selected Answer: A
Question #: 778
Topic #: 1
Consider the scenario where a large multinational corporation suspects an internal security breach, with significant data possibly compromised. The corporate forensic team initiates the process of conducting a comprehensive forensic investigation following the search and seizure protocols. During this process, they want to ensure they capture all the required information and minimize disruption to the company’s ongoing business operations. Which among the following activities should NOT be a part of their plan for this search and seizure operation?
A. Generating a comprehensive list of all potentially involved devices along with their specifications, status, and locations
B. Obtaining formal written consent from the company’s owner before beginning the investigation process
C. Requesting a warrant for search and seizure detailing the exact locations and types of evidence expected to be found
D. Carrying out all search and seizure activities without seeking witness signatures for the activities performed
Selected Answer: D
Question #: 774
Topic #: 1
A Computer Hacking Forensic Investigator (CHFI) is trying to identify a hidden data leak happening through seemingly benign PDF documents sent from a corporate network. While examining a suspicious PDF, he discovers a series of unexpected objects in the file’s body. Given the following hex signatures of various file formats: JPEG (0xffd8), BMP (0x424d), GIF (0x474946), and PNG (0x89504e), which of the following actions should he take next?
A. Search for the existence of the hex signature 0x89504e in the PDF’s body as a PNG could be embedded
B. Check for the existence of the hex signature 0xffd8 in the PDF’s body as a JPEG could be hidden
C. Examine the cross-reference table (xref table) for any unusual links to objects
D. Verify if the PDF document ends with the %%EOF value
Selected Answer: B
Question #: 773
Topic #: 1
An organization discovered an internal policy violation that resulted in financial loss. The incident involved unauthorized resource misuse, possibly by a staff member. The case is significant enough to warrant a thorough investigation but does not warrant law enforcement involvement. The organization wants to ensure the investigation is conducted appropriately without affecting the overall operations. What type of investigation would be most appropriate in this scenario?
A. Civil Investigation
B. Criminal Investigation
C. Regulatory Compliance Investigation
D. Administrative Investigation
Selected Answer: D
Question #: 772
Topic #: 1
An investigator is tasked with analyzing metadata from a suspected Mac system in a case of data theft. They have decided to parse the Spotlight database file, store.db. Which of the following tools and steps would be most effective for obtaining recently accessed file details from this macOS system?
A. Running the spotlight_parser Python script on the store.db file to extract file metadata
B. Using the OS X Auditor to hash artifacts on the running system
C. Implementing the Stellar Data Recovery Professional for Mac to recover lost or deleted data
D. Utilizing Memoryze for the Mac to analyze the memory images of the Mac machine
Selected Answer: A
Question #: 769
Topic #: 1
A large multinational corporation suspects an internal breach of its data center and hires a forensic investigator. The investigator is required to conduct a search on the emails of an employee who is a US citizen, believed to be communicating classified information with a foreign entity. The forensic investigator, while respecting international laws and US privacy laws, should:
A. Utilize the Privacy Act of 1974 to access the individual’s personal records without their written consent
B. Use the Foreign Intelligence Surveillance Act of 1978 (FISA) to get judicial authorization for electronic surveillance
C. Refer to the Protect America Act of 2007 to conduct surveillance without a specific warrant on the employee’s electronic communication
D. Apply the provisions under the Cybercrime Act 2001 of Australia to initiate electronic surveillance
Selected Answer: B
Question #: 766
Topic #: 1
A cybersecurity investigator has identified a potential incident of hidden information in a file. The investigator uses Autopsy’s Extension Mismatch Detector Module to look for file extension mismatches. While examining the module’s output, which of the following information should be mainly considered to verify the potential incident?
A. The file’s size
B. The first 20 bytes of the file
C. The file’s timestamp
D. The last 20 bytes of the file
Selected Answer: B
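An added example, written for this page and not taken from Autopsy or any other tool, that covers both the PDF question (#774) and the extension-mismatch question (#766) above: the leading bytes of a file are matched against the JPEG, BMP, GIF and PNG signatures quoted in #774 to establish the real type, that type is compared with the claimed extension, and a PDF body is scanned for embedded image headers and checked for its %%EOF trailer. The sample PDF and the renamed JPEG are constructed byte strings; the 20-byte prefix length is an assumption.

```python
"""Added example (not from the original page): identify a file's real type
from its leading bytes, compare it with the claimed extension (the check an
extension-mismatch detector performs), and scan a PDF body for embedded
image headers. All sample bytes below are constructed."""
import re

# Magic numbers for the formats named in the question, plus PDF. The hex
# signatures quoted there (0xffd8, 0x424d, 0x474946, 0x89504e) are the
# first bytes of these headers.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"BM": "bmp",
    b"GIF8": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
}
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "bmp": "bmp", "gif": "gif",
               "png": "png", "pdf": "pdf"}


def sniff(data, head=20):
    """Type implied by the first `head` bytes, or None if nothing matches."""
    prefix = data[:head]
    for magic, kind in SIGNATURES.items():
        if prefix.startswith(magic):
            return kind
    return None


def extension_mismatch(filename, data):
    """(mismatch?, type claimed by extension, type found in the header)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext)
    actual = sniff(data)
    return claimed != actual, claimed, actual


def embedded_images(pdf_bytes):
    """(offset, type) of every image header found inside a PDF body."""
    hits = []
    for magic, kind in SIGNATURES.items():
        if kind == "pdf":
            continue
        for m in re.finditer(re.escape(magic), pdf_bytes):
            hits.append((m.start(), kind))
    return sorted(hits)


def ends_with_eof(pdf_bytes):
    """A well-formed PDF ends with %%EOF (trailing whitespace allowed)."""
    return pdf_bytes.rstrip(b"\r\n ").endswith(b"%%EOF")


# Constructed sample: a PDF skeleton carrying a JPEG header and a PNG header
# inside stream objects, and a JPEG that has been renamed to look like a PDF.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image >>\nstream\n"
              b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16 + b"\nendstream\nendobj\n"
              b"2 0 obj\nstream\n\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 8 +
              b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")
SAMPLE_RENAMED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    print(embedded_images(SAMPLE_PDF), ends_with_eof(SAMPLE_PDF))
    print(extension_mismatch("invoice.pdf", SAMPLE_RENAMED_JPEG))
```

A hit on an image signature inside a PDF is only a lead: legitimate PDFs embed images too, so the offsets are the starting point for extracting the object and inspecting it, not proof of exfiltration.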
Question #: 761
Topic #: 1
In a recent cyber-attack, a malicious driver was installed on a Windows system. The investigator in charge is now tasked with analyzing the system behavior to identify and verify the authenticity of the suspicious device driver. Which of the following approaches should the investigator use to complete this task efficiently?
A. Use Tripwire Enterprise to monitor servers, desktops, directory servers, hypervisors, databases, middleware applications, and network devices
B. Use DriverView utility to list all device drivers currently loaded on the system and check their details such as load address, description, version, product name, and the company that created the driver
C. Use the FCIV utility to generate and verify hash values of files using MD5 or SHA-1 algorithms
D. Utilize PA File Sight to track who is deleting, moving, or reading files, detect users copying files, and optionally block access
Selected Answer: B
Question #: 759
Topic #: 1
An investigator is studying a suspicious Windows service discovered on a corporate system that seems to be associated with malware. The service has a name similar to a genuine Windows service, runs as a SYSTEM account, and exhibits potentially harmful behavior. Which tool and method should the investigator use to study the service’s behavior without allowing it to inflict more damage?
A. Deploy Autoruns for Windows to check if the suspicious service is configured to run at system bootup
B. Inspect the startup folder for the presence of the suspicious service using command prompt commands
C. Use SrvMan to stop the suspicious service and analyze its impact on the system
D. Utilize the Windows Service Manager to create an identical service and study its behavior
Selected Answer: A
Question #: 758
Topic #: 1
A forensic investigator has collected a compromised Amazon Echo Dot and a smartphone from a crime scene. The Alexa app on the smartphone is synced with the Echo Dot. To begin investigating these devices, the investigator needs to obtain certain artifacts. In this scenario, which of the following sequences of steps should the investigator follow to acquire the necessary artifacts for a client-based analysis?
A. Retrieve database files using the adb pull command -> Generate an image of the firmware -> Parse database files -> Conduct data analysis
B. Parse database files -> Retrieve database files using the adb pull command -> Generate an image of the firmware -> Conduct data analysis
C. Generate an image of the firmware -> Retrieve database files using the adb pull command -> Parse database files -> Conduct data analysis
D. Retrieve database files using the adb pull command -> Parse database files -> Generate an image of the firmware -> Conduct data analysis
Selected Answer: A
Question #: 755
Topic #: 1
An investigator is conducting a forensic analysis on a Windows machine suspected of accessing the Dark Web. The investigator has found Tor browser artifacts, but the Tor browser has been uninstalled. Which of the following steps should the investigator take next to obtain more information on the user’s activities?
A. Use the netstat -ano command to check the active network connections
B. Check the prefetch files using a tool such as WinPrefetchView
C. Look for the ‘State’ file in the \Tor Browser\Browser\TorBrowser\Data\Tor\ directory
D. Examine the registry key: HKEY_USERS\\SOFTWARE\Mozilla\Firefox\Launcher for path information
Selected Answer: B
Question #: 754
Topic #: 1
In the midst of a cybercrime investigation, a key witness has suddenly become unavailable due to a serious illness. According to Federal Rule 804, which exception to the rule against hearsay allows for introducing this witness’s previous testimony at a different trial in a current proceeding?
A. Statement Under the Belief of Imminent Death
B. Statement of Personal or Family History
C. Statement Against Interest
D. Former Testimony
Selected Answer: D
Question #: 752
Topic #: 1
During a digital forensics investigation, you discovered an SQL injection attack that occurred on a MySQL database using the MyISAM storage engine. You found the ‘.MYD’ and ‘.MYI’ files for the attacked table in the MySQL data directory. You also identified the type of SQL injection attack as a UNION-based attack. Which of the following steps would be the most effective in your investigation?
A. Analyzing the MySQL error log (HOSTNAME.err) for irregularities
B. Checking the ‘.MYD’ file to find evidence of the attack in the table data
C. Investigating the ‘.MYI’ file to inspect the index of the attacked table
D. Inspecting the Binary log (HOSTNAME-bin.nnnnnn) for unusual transactions
Selected Answer: D
Question #: 751
Topic #: 1
A Computer Hacking Forensics Investigator is analyzing a malware sample named “payload.exe”. They have run the malware on a test workstation, and used a tool named WhatChanged Portable to monitor host integrity by capturing the system state before and after the malware execution. After comparing these two snapshots, the investigator observes that an entry named CjNWWyUJ has been created under the Run registry key with value C:\Users\\AppData\Local\Temp\xKNkeLQI.vbs. Given this information, what conclusion can the investigator draw?
A. The malware has corrupted the Windows registry
B. The malware is performing a denial of service attack
C. The malware creates a persistent connection with the machine on startup
D. The malware has deleted system files on the workstation
Selected Answer: C
Question #: 750
Topic #: 1
As a Computer Hacking Forensics Investigator, you are analyzing a TCP dump of network traffic during a suspected breach. During the investigation, you noticed that the “Packets dropped by kernel” count was unusually high. Given that the network has a high load, what could be the most probable reason for this situation?
A. The Tcpdump tool was run without the -c flag, causing it to capture packets indefinitely
B. The TCP packets were not matching the input expression of Tcpdump
C. The Boolean expression used with Tcpdump was too restrictive, missing some packets
D. The buffer space in the OS running Tcpdump was insufficient, leading to dropped packets
Selected Answer: D
Question #: 747
Topic #: 1
A company is investigating an issue with one of their Windows servers that fails to boot up. The IT forensics team is called upon to determine the cause of the issue. According to the standard Windows Boot Process (BIOS-MBR method), what is the likely issue if the system fails right after the BIOS completes the power-on self-test (POST) and before the master boot record (MBR) is loaded?
A. Failure in loading the OS kernel ntoskrnl.exe
B. The system boot disk is not detected
C. Failure of the Boot Configuration Data (BCD)
D. Failure of the Bootmgr.exe
Selected Answer: B
Question #: 746
Topic #: 1
A forensic investigator is examining an attack on a MySQL database. The investigator has been given access to a server, but the physical MySQL data files are encrypted, and the database is currently inaccessible. The attacker seems to have tampered with the data. Which MySQL utility program would most likely assist the investigator in determining the changes that occurred during the attack?
A. Mysqlbinlog, because it reads the binary log files directly and displays them in text format
B. Myisamchk, because it views the status of the MyISAM table or checks, repairs, and optimizes them
C. Mysqldump, because it allows dumping a database for backup purposes
D. Mysqlaccess, because it checks the access privileges defined for a hostname or username
Selected Answer: A
Question #: 745
Topic #: 1
During an international cybercrime investigation, your team discovers an intercepted email with a sequence of special characters. Believing that the Unicode standard might have been used in encoding the message, which of the following elements could serve as the strongest indicator of this suspicion?
A. The presence of characters from multiple modern and historic scripts
B. The presence of over 128,000 different characters in the intercepted email
C. The presence of a unique number for each character, irrespective of the platform, program, and language
D. The presence of characters from a single non-English script
Selected Answer: C
Question #: 743
Topic #: 1
An organization is concerned about potential attacks using steganography to hide malicious data within image files. After a recent breach, the incident response team found that an attacker had managed to sneak past their defenses by hiding a keylogger inside a legitimate image. Given that the attacker has knowledge of the organization’s steganography detection techniques, which method of steganalysis would likely be the most effective in detecting such a steganographic attack in the future?
A. Chi-square attack, where the analyst performs probability analysis to test whether the stego object and original data are identical
B. Known-message attack, where the analyst has a known hidden message in the corresponding stego-image and looks for patterns that arise from hiding the message
C. Known-stego attack, where the analyst knows both the steganography algorithm and original and stego-object
D. Chosen-message attack, where the analyst uses a known message to generate a stego-object in order to find the steganography algorithm used
Selected Answer: D
Question #: 741
Topic #: 1
Your organization is implementing a new database system and has chosen MySQL due to its pluggable storage engine capability and ability to handle parallel write operations securely. You are responsible for selecting the best-suited storage engine for your company’s needs, which predominantly involves transactional processing, crash recovery, and high data consistency requirements. What would be the most appropriate choice?
A. InnoDB storage engine, because it supports traditional ACID and crash recovery, and is used in online transaction processing systems
B. Memory storage engine, because it offers in-memory tables and implements a hashing mechanism for faster data retrieval
C. MyISAM storage engine, because it offers unlimited data storage and high-speed data loads
D. BDB storage engine, because it provides an alternative to InnoDB and supports additional transaction methods such as COMMIT and ROLLBACK
Selected Answer: A
Question #: 740
Topic #: 1
In a situation where an investigator needs to acquire volatile data from a live Linux system, the physical access to the suspect machine is either restricted or unavailable. Which of the following steps will be the most suitable approach to perform this task?
A. The investigator should use the Belkasoft Live RAM Capturer on the forensic workstation, then remotely execute the tool on the suspect machine to acquire the RAM image
B. The investigator should initiate a listening session on the forensic workstation using ‘netcat’, then execute a ‘dd’ command on the suspect machine and pipe the output using ‘netcat’
C. The investigator should leverage OSXPMem to remotely parse the physical memory in the Linux machine and create AFF4 format images for analysis
D. The investigator should employ the LiME tool and ‘netcat’, starting a listening session using tcp:port on the suspect machine and then establishing a connection from the forensic workstation using ‘netcat’
Selected Answer: D
Question #: 733
Topic #: 1
In a forensic investigation on an Android device, a Computer Hacking Forensics Investigator is required to extract information from the SQLite database. They aim to recover the user’s web browsing history. Which is the correct SQLite database path that the investigator should focus on?
A. \data\com.android.providers.calendar\databases\calendar.db
B. \data\data\com.android.browser\databases\browser2.db
C. \data\data\com.android.providers.telephony\databases\mmssms.db
D. \data\data\com.android.providers.contacts\databases\contacts2.db
Selected Answer: B
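An added example, not from the original questions, serving both the unknown-extension SQLite question (#796) and the browser-history question (#733): an evidence file is recognised as SQLite by its 16-byte header rather than its extension, its tables are read from sqlite_master, and the schema and rows are dumped in text, which is what the sqlite3 `.dump` command gives you when a GUI viewer refuses the file. The database is constructed in a temporary file with a `.dat` extension, and its `history` table is a stand-in schema, not the real layout of browser2.db.

```python
"""Added example (not from the original page): recognise an SQLite file by
its header regardless of extension, list its tables and dump schema and
rows. The 'history' table is a constructed stand-in, not browser2.db."""
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file


def is_sqlite(path):
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def _open_ro(path):
    # Read-only open so examination never writes to the evidence file.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(path):
    con = _open_ro(path)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        con.close()


def dump_table(path, table):
    """All rows of one table, in rowid order."""
    # Identifiers cannot be bound as parameters: only accept names that
    # exist in sqlite_master, then quote the identifier.
    if table not in list_tables(path):
        raise ValueError(f"no such table: {table}")
    quoted = '"' + table.replace('"', '""') + '"'
    con = _open_ro(path)
    try:
        return con.execute(f"SELECT * FROM {quoted} ORDER BY rowid").fetchall()
    finally:
        con.close()


def sql_dump(path):
    """Textual dump of schema and data, equivalent to sqlite3's .dump."""
    con = _open_ro(path)
    try:
        return "\n".join(con.iterdump())
    finally:
        con.close()


def make_sample_db(extension=".dat"):
    """Constructed evidence file with an unusual extension."""
    fd, path = tempfile.mkstemp(suffix=extension)
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE history (url TEXT, title TEXT, visits INTEGER, date INTEGER)")
    con.executemany("INSERT INTO history VALUES (?,?,?,?)", [
        ("http://example.test/login", "Login", 3, 1709280000000),
        ("http://example.test/admin", "Admin panel", 1, 1709283600000),
    ])
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    p = make_sample_db()
    print(p, "is sqlite:", is_sqlite(p), "tables:", list_tables(p))
    print(sql_dump(p))
```

Checking the header first matters because an extension can be anything; a file whose first 16 bytes are not the SQLite magic is either not SQLite or has a damaged header, and in the second case carving the pages is the next step rather than opening it as a database.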
Question #: 732
Topic #: 1
In a cyber-forensic investigation, a CHFI expert found a Linux system unexpectedly booting into a different OS kernel. The system was configured with the Grand Unified Bootloader (GRUB). The expert suspects that an attacker may have tampered with the bootloader stage of the Linux boot process. Which one of the following is NOT a step performed during the bootloader stage in a normal Linux boot process?
A. Execution of the Linuxrc program to generate the real file system for the kernel
B. Detecting the device that contains the file system and loading the necessary modules
C. Loading the kernel into memory
D. Loading the Linux kernel and optional initial RAM disk
Selected Answer: A
Question #: 720
Topic #: 1
As a Computer Hacking Forensic Investigator, you are analyzing an intrusion incident in a corporate network. You discovered the traces of a fileless malware attack that utilized a memory exploit. The indicators suggest that the initial payload was delivered via a malicious Word document received through a phishing email. As part of the response and prevention plan, which among the following steps would be the most effective to disrupt the Infection Chain of the detected fileless malware?
A. Disabling the use of all scripting languages, such as JavaScript, in the corporate environment
B. Patching the vulnerabilities in Flash and Java plugins in all browsers within the corporate network
C. Implementing a strict policy on macros embedded in Office documents across the organization
D. Replacing the currently used traditional antivirus solution with the latest signature-based IDS
Selected Answer: D
Question #: 708
Topic #: 1
A Forensic Investigator is examining a potential malware incident on a corporate network. The investigator believes the malware might hide in the system’s device drivers or alter system files and folders. Which combination of tools would be the most effective for uncovering and analyzing any potential malware hidden in these locations?
A. DriverView and SIGVERIF for device driver analysis and unsigned driver detection
B. PA File Sight and WinMD5 for file and folder monitoring and MD5 hash value computation
C. DriverView and FastSum for device driver analysis and file integrity checking
D. PA File Sight and SIGVERIF for file and folder monitoring and unsigned driver detection
Selected Answer: A
Question #: 707
Topic #: 1
As a Computer Hacking Forensics Investigator, you have been tasked with examining a suspicious .E01 disk image file using The Sleuth Kit (TSK). You need to display the metadata structure of an inode but also want to show the addresses of its disk units. Which TSK command would best serve this purpose?
A. istat [-B num ] [-f fstype ] [-i imgtype] [-o imgoffset] [-b dev_sector_size] [-vV] [-z zone ] [-s seconds ] image [images] inode
B. img_stat [-i imgtype] [-b dev_sector_size] [-tvV] image [images]
C. fsstat [-f fstype ] [-i imgtype] [-o imgoffset] [-b dev_sector_size] [-tvV] image [images]
D. fls [-adDFIpruvV] [-m mnt ] [-z zone ] [-f fstype ] [-s seconds ] [-i imgtype ] [-o imgoffset ] [-b dev_sector_size] image [images] [ inode]
Selected Answer: A
Question #: 704
Topic #: 1
A digital forensics investigator is working a case involving an SQL Server database that an intruder has tampered with. Some data has vanished from the database, and no backup files can be found. The investigator's task is to recover as much data as possible, and to do so he must first determine which SQL Server data file will most likely assist in the recovery. What should be the investigator's primary focus?
A. Page Header because it contains metadata about the page like page ID, page type
B. LDF because it holds the log information associated with the database
C. MDF because it stores all data in the database objects
D. NDF because it can store additional data separate from the primary data file
Selected Answer: B
Question #: 676
Topic #: 1
Which of the following is considered the starting point of a database and stores user data and database objects in MS SQL Server?
A. ibdata1
B. Application data files (ADF)
C. Transaction log data files (LDF)
D. Primary data files (MDF)
Selected Answer: D
Question #: 660
Topic #: 1
Which of the following directories contains the binaries or executables required for system maintenance and administrative tasks on a Linux system?
A. /lib
B. /bin
C. /usr
D. /sbin
Selected Answer: D
Question #: 659
Topic #: 1
Which of the following attacks refers to unintentional download of malicious software via the Internet? Here, an attacker exploits flaws in browser software to install malware merely by the user visiting the malicious website.
A. Drive-by downloads
B. Phishing
C. Internet relay chats
D. Malvertising
Selected Answer: A
Question #: 650
Topic #: 1
Which layer of the iOS architecture provides the frameworks used for iOS app development?
A. Core OS
B. Core services
C. Media services
D. Cocoa Touch
Selected Answer: D
Question #: 647
Topic #: 1
Data density of a disk drive is calculated by using _________.
A. Track density, areal density, and bit density.
B. Track space, bit area, and slack space.
C. Slack space, bit density, and slack density.
D. Track density, areal density, and slack density.
Selected Answer: A
Question #: 646
Topic #: 1
In which IoT attack does the attacker use multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks?
A. Blueborne attack
B. Replay attack
C. Sybil attack
D. Jamming attack
Selected Answer: C
Question #: 643
Topic #: 1
Which of the following forensic tools allows an investigator to detect and extract hidden streams on an NTFS drive?
A. Autopsy
B. TimeStomp
C. analyzeMFT
D. Stream Detector
Selected Answer: D
Question #: 642
Topic #: 1
Which of the following methods of mobile device data acquisition captures all the data present on the device, as well as all deleted data and access to unallocated space?
A. Direct acquisition
B. Physical acquisition
C. Logical acquisition
D. Manual acquisition
Selected Answer: B
Question #: 641
Topic #: 1
Which of the following applications will allow a forensic investigator to track the user login sessions and user transactions that have occurred on an MS SQL Server?
A. Event Log Explorer
B. ApexSQL Audit
C. Notepad++
D. netcat
Selected Answer: B
Question #: 640
Topic #: 1
Which of the following Windows event logs records events related to device drivers and hardware changes?
A. Application log
B. Security log
C. Forwarded events log
D. System log
Selected Answer: D
Question #: 636
Topic #: 1
_____________ allows a forensic investigator to identify the missing links during investigation.
A. Chain of custody
B. Exhibit numbering
C. Evidence preservation
D. Evidence reconstruction
Selected Answer: D
Question #: 633
Topic #: 1
Jeff is a forensics investigator for a government agency’s cyber security office. Jeff is tasked with acquiring a memory dump of a Windows 10 computer that was involved in a DDoS attack on the government agency’s web application. Jeff is onsite to collect the memory. What tool could Jeff use?
A. Memcheck
B. RAMMapper
C. Autopsy
D. Volatility
Selected Answer: D
Question #: 630
Topic #: 1
A clothing company has recently deployed a website on its latest product line to increase its conversion rate and base of customers. Andrew, the network administrator recently appointed by the company, has been assigned the task of protecting the website from intrusion and vulnerabilities. Which of the following tools should Andrew consider deploying in this scenario?
A. Kon-Boot
B. Recuva
C. CryptaPix
D. ModSecurity
Selected Answer: D
Question #: 626
Topic #: 1
Which command-line tool enables a forensic investigator to establish communication between an Android device and a forensic workstation in order to perform data acquisition from the device?
A. SDK Manager
B. Android Debug Bridge
C. Xcode
D. APK Analyzer
Selected Answer: B
Question #: 623
Topic #: 1
Web browsers can store relevant information from user activities. Forensic investigators may retrieve files, lists, access history, cookies, among other digital footprints. Which tool can contribute to this task?
A. MZCacheView
B. Google Chrome Recovery Utility
C. Task Manager
D. Most Recently Used (MRU) list
Selected Answer: A
Question #: 613
Topic #: 1
Maria has executed a suspicious executable file in a controlled environment and wants to see if the file adds/modifies any registry value after execution via Windows Event Viewer. Which of the following event IDs should she look for in this scenario?
A. Event ID 4657
B. Event ID 4688
C. Event ID 7040
D. Event ID 4624
Selected Answer: A
Question #: 612
Topic #: 1
Harry has collected a suspicious executable file from an infected system and seeks to reverse its machine code to instructions written in assembly language. Which tool should he use for this purpose?
A. HashCalc
B. Ollydbg
C. BinText
D. oledump
Selected Answer: B
Question #: 547
Topic #: 1
Which of the following statements is TRUE about SQL Server error logs?
A. SQL Server error logs record all the events occurred on the SQL Server and its databases
B. Forensic investigator uses SQL Server Profiler to view error log files
C. Error logs contain IP address of SQL Server client connections
D. Trace files record, user-defined events, and specific system events
Selected Answer: C
Question #: 528
Topic #: 1
Data files contain multiple data pages, which are further divided into a page header, data rows, and an offset table. Which of the following is true for data rows?
A. Data Rows store the actual data
B. Data Rows present Page type, Page ID, and so on
C. Data Rows point to the location of actual data
D. Data Rows spread data across multiple databases
Selected Answer: A
Question #: 519
Topic #: 1
Joshua is analyzing an MSSQL database to find attack evidence and other details. Where should he look for the database logs?
A. Model.log
B. Model.txt
C. Model.ldf
D. Model.lgf
Selected Answer: C
Question #: 513
Topic #: 1
Which of the following protocols allows non-ASCII files, such as video, graphics, and audio, to be sent through the email messages?
A. MIME
B. BINHEX
C. UT-16
D. UUCODE
Selected Answer: A
Question #: 510
Topic #: 1
What is an investigator looking for in the rp.log file stored in a system running on Windows 10 operating system?
A. Restore point interval
B. Automatically created restore points
C. System CheckPoints required for restoring
D. Restore point functions
Selected Answer: B
Question #: 597
Topic #: 1
Matthew has been assigned the task of analyzing a suspicious MS Office document via static analysis over an Ubuntu-based forensic machine. He wants to see what type of document it is, whether it is encrypted, or contains any flash objects/VBA macros. Which of the following python-based script should he run to get relevant information?
A. oleid.py
B. oleform.py
C. oledir.py
D. pdfid.py
Selected Answer: A
Question #: 596
Topic #: 1
On the NTFS file system, which of the following tools can a forensic investigator use to identify timestomping of evidence files?
A. Exiv2
B. analyzeMFT
C. Timestomp
D. wbStego
Selected Answer: B
Question #: 595
Topic #: 1
“In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to explain his/her actions and the impact of those actions on the evidence, in the court.” Which ACPO principle states this?
A. Principle 1
B. Principle 2
C. Principle 3
D. Principle 4
Selected Answer: B
Question #: 593
Topic #: 1
Which “Standards and Criteria” under SWGDE states that “the agency must use hardware and software that are appropriate and effective for the seizure or examination procedure”?
A. Standards and Criteria 1.4
B. Standards and Criteria 1.5
C. Standards and Criteria 1.6
D. Standards and Criteria 1.7
Selected Answer: B
Question #: 588
Topic #: 1
Which Federal Rule of Evidence speaks about the Hearsay exception where the availability of the declarant is immaterial and certain characteristics of the declarant such as present sense impression, excited utterance, and recorded recollection are also observed while giving their testimony?
A. Rule 801
B. Rule 802
C. Rule 803
D. Rule 804
Selected Answer: C
Question #: 586
Topic #: 1
Which of the following malware targets Android mobile devices and installs a backdoor that remotely installs applications from an attacker-controlled server?
A. Unflod
B. Felix
C. XcodeGhost
D. xHelper
Selected Answer: D
Question #: 585
Topic #: 1
Which OWASP IoT vulnerability talks about security flaws such as lack of firmware validation, lack of secure delivery, and lack of anti-rollback mechanisms on IoT devices?
A. Insecure default settings
B. Use of insecure or outdated components
C. Lack of secure update mechanism
D. Insecure data transfer and storage
Selected Answer: C
Question #: 584
Topic #: 1
Ronald, a forensic investigator, has been hired by a financial services organization to investigate an attack on their MySQL database server, which is hosted on a Windows machine named WIN-DTRAI83202X. Ronald wants to retrieve information on the changes that have been made to the database. Which of the following files should Ronald examine for this task?
A. WIN-DTRAI83202X-bin.nnnnnn
B. WIN-DTRAI83202Xslow.log
C. relay-log.info
D. WIN-DTRAI83202Xrelay-bin.index
Selected Answer: A
Question #: 582
Topic #: 1
Assume there is a file named myfile.txt in C: drive that contains hidden data streams. Which of the following commands would you issue to display the contents of a data stream?
A. echo text > program:source_file
B. C:\>ECHO text_message > myfile.txt:stream1
C. C:\MORE < myfile.txt:stream1
D. myfile.dat:stream1
Selected Answer: C
Question #: 581
Topic #: 1
A forensic examiner encounters a computer with a failed OS installation and the master boot record (MBR) or partition sector damaged. Which of the following tools can find and restore files and information in the disk?
A. NetCat
B. Helix
C. R-Studio
D. Wireshark
Selected Answer: C
Question #: 576
Topic #: 1
Which of the following files stores the MySQL database data permanently, including data that has been deleted, helping the forensic investigator examine the case and find the culprit?
A. mysql-bin
B. mysql-log
C. iblog
D. ibdata1
Selected Answer: D
Question #: 573
Topic #: 1
Which of the following statements is true for the BIOS Parameter Block?
A. The BIOS Partition Block describes the physical layout of a data storage volume
B. The BIOS Partition Block is the first sector of a data storage device
C. The length of BIOS Partition Block remains the same across all the file systems
D. The BIOS Partition Block always refers to the 512-byte boot sector
Selected Answer: A
Question #: 571
Topic #: 1
You are asked to build a forensic lab and your manager has specifically informed you to use copper for lining the walls, ceilings, and floor. What is the main purpose of lining the walls, ceilings, and floor with copper?
A. To control the room temperature
B. To strengthen the walls, ceilings, and floor
C. To avoid electromagnetic emanations
D. To make the lab sound proof
Selected Answer: C
Question #: 570
Topic #: 1
What document does the screenshot represent?
A. Expert witness form
B. Search warrant form
C. Chain of custody form
D. Evidence collection form
Selected Answer: C
Question #: 569
Topic #: 1
What does Rule 101 of the Federal Rules of Evidence state?
A. Scope of the Rules, where they can be applied
B. Purpose of the Rules
C. Limited Admissibility of the Evidence
D. Rulings on Evidence
Selected Answer: A
Question #: 568
Topic #: 1
What do the bytes 0x0B-0x53 represent in the boot sector of an NTFS volume on Windows 2000?
A. Jump instruction and the OEM ID
B. BIOS Parameter Block (BPB) and the OEM ID
C. BIOS Parameter Block (BPB) and the extended BPB
D. Bootstrap code and the end of the sector marker
Selected Answer: C
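The two boot-sector questions above (the BIOS Parameter Block statements and the 0x0B-0x53 byte range) are easier to reason about with the structure in front of you. The following is an added example, not code from the original page: it builds a constructed NTFS boot sector with made-up field values, parses the BPB (0x0B-0x23) and extended BPB (0x24-0x53) at the documented offsets, and runs the consistency checks an examiner would apply to a sector suspected of tampering (wrong OEM ID, impossible cluster geometry, $MFT pointer past the end of the volume, missing 0x55AA marker). The field names and the sanity thresholds are this example's own choices.

```python
import struct

def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte NTFS boot sector for the demo; every value below is made up."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"                                 # 0x00: jump instruction
    s[3:11] = b"NTFS    "                                    # 0x03: OEM ID
    struct.pack_into("<HBH", s, 0x0B, 512, 8, 0)             # BPB: bytes/sector, sectors/cluster, reserved sectors
    s[0x15] = 0xF8                                           # media descriptor (fixed disk)
    struct.pack_into("<HHI", s, 0x18, 63, 255, 2048)         # sectors/track, heads, hidden sectors
    struct.pack_into("<QQQ", s, 0x28, 2097151, 87381, 2)     # extended BPB: total sectors, $MFT cluster, $MFTMirr cluster
    struct.pack_into("<bxxxb", s, 0x40, -10, 1)              # clusters per file record segment, per index buffer
    struct.pack_into("<QI", s, 0x48, 0x1234567890ABCDEF, 0)  # volume serial number, checksum
    s[0x1FE:0x200] = b"\x55\xAA"                             # end-of-sector marker
    return bytes(s)

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the jump/OEM ID, the BPB (0x0B-0x23) and the extended BPB (0x24-0x53)."""
    if len(sector) < 512 or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a 512-byte boot sector ending in the 0x55AA marker")
    bps, spc, reserved = struct.unpack_from("<HBH", sector, 0x0B)
    spt, heads, hidden = struct.unpack_from("<HHI", sector, 0x18)
    total, mft, mftmirr = struct.unpack_from("<QQQ", sector, 0x28)
    frs, idx = struct.unpack_from("<bxxxb", sector, 0x40)
    (serial,) = struct.unpack_from("<Q", sector, 0x48)
    cluster = bps * spc
    # A negative "clusters per file record segment" means the record is 2^|n| bytes,
    # independent of the cluster size (the usual on-disk encoding for 1024-byte records).
    frs_size = (1 << -frs) if frs < 0 else frs * cluster
    return {
        "jump": sector[0:3].hex(), "oem_id": sector[3:11].decode("ascii", "replace"),
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved_sectors": reserved,
        "media_descriptor": sector[0x15], "sectors_per_track": spt, "heads": heads,
        "hidden_sectors": hidden, "total_sectors": total, "mft_cluster": mft,
        "mftmirr_cluster": mftmirr, "cluster_size": cluster, "file_record_size": frs_size,
        "index_buffer_clusters": idx, "volume_serial": f"{serial:016X}",
        "mft_offset": mft * cluster,  # byte offset of $MFT from the start of the volume
    }

def sanity_issues(f: dict) -> list:
    """Checks an examiner would run on a sector that may have been tampered with."""
    issues = []
    if f["oem_id"] != "NTFS    ":
        issues.append(f"OEM ID is {f['oem_id']!r}, expected 'NTFS    '")
    if f["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        issues.append(f"implausible bytes per sector {f['bytes_per_sector']}")
    spc = f["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        issues.append("sectors per cluster is not a power of two")
    if f["reserved_sectors"] != 0:
        issues.append("reserved sectors is nonzero (expected 0 on NTFS)")
    clusters = f["total_sectors"] // max(spc, 1)
    for name in ("mft_cluster", "mftmirr_cluster"):
        if f[name] >= clusters:
            issues.append(f"{name} points past the end of the volume")
    if f["file_record_size"] not in (1024, 4096):
        issues.append(f"unusual file record size {f['file_record_size']}")
    return issues

if __name__ == "__main__":
    fields = parse_ntfs_boot_sector(build_sample_boot_sector())
    for k, v in fields.items():
        print(f"{k:22} {v}")
    print("issues:", sanity_issues(fields) or "none")
```

The same parser applies to a real volume by reading its first 512 bytes (for example from an E01 image after offsetting to the partition start). The checks are heuristics, not proof: a valid 4Kn volume legitimately reports 4096 bytes per sector, so treat flagged fields as leads to confirm against the partition table and $MFT rather than as verdicts.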
Question #: 556
Topic #: 1
Which of the following components within the Android architecture stack takes care of displaying windows owned by different applications?
A. Media Framework
B. Surface Manager
C. Resource Manager
D. Application Framework
Selected Answer: B
Question #: 555
Topic #: 1
James, a hacker, identifies a vulnerability in a website. To exploit the vulnerability, he visits the login page and notes down the session ID that is created. He appends this session ID to the login URL and shares the link with a victim. Once the victim logs into the website using the shared URL, James reloads the webpage (containing the URL with the session ID appended) and now, he can browse the active session of the victim. Which attack did James successfully execute?
A. Cross Site Request Forgery
B. Cookie Tampering
C. Parameter Tampering
D. Session Fixation Attack
Selected Answer: D
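The attack described above works only because the server accepts a session identifier that the client chose and keeps that identifier across authentication. The following is an added example, not code from the original page: a toy server-side session store in which hardened=False reproduces the flaw (an id carried in the login URL is adopted and survives login) and hardened=True applies the two standard fixes, ignoring client-supplied ids and regenerating the id at login. The credential store, the method names and the scenario replay are this example's own constructions.

```python
import secrets
from typing import Optional

USERS = {"victim": "correct horse"}   # constructed credential store for the demo

class SessionApp:
    """Toy server-side session store.
    hardened=False: trusts a session id arriving in the URL and keeps it across login.
    hardened=True:  only honours ids it issued itself and regenerates the id at login."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sessions = {}           # session id -> {"user": username or None}

    def _new_session(self) -> str:
        sid = secrets.token_hex(16)  # 128-bit random id; unguessable but still fixatable if exposed
        self.sessions[sid] = {"user": None}
        return sid

    def visit_login_page(self, cookie_sid: Optional[str], url_sid: Optional[str]) -> str:
        """Returns the session id the browser will use from now on."""
        if not self.hardened and url_sid is not None:
            # Vulnerable: adopt whatever id arrived in the query string (?sid=...)
            self.sessions.setdefault(url_sid, {"user": None})
            return url_sid
        if cookie_sid in self.sessions:
            return cookie_sid        # hardened: only a server-issued id from the cookie counts
        return self._new_session()

    def login(self, sid: str, username: str, password: str) -> str:
        if USERS.get(username) != password or sid not in self.sessions:
            raise PermissionError("login refused")
        if self.hardened:
            # Regenerate on privilege change: a pre-authentication id, fixated or not,
            # must never become an authenticated one.
            del self.sessions[sid]
            sid = self._new_session()
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None

def run_fixation_attack(app: SessionApp) -> bool:
    """Replays the scenario from the question; True means the attacker now owns the victim's session."""
    attacker_sid = app.visit_login_page(None, None)               # 1. attacker notes the id issued to him
    victim_sid = app.visit_login_page(None, attacker_sid)         # 2. victim opens the shared link carrying it
    victim_sid = app.login(victim_sid, "victim", "correct horse")  # 3. victim authenticates
    return app.whoami(attacker_sid) == "victim"                   # 4. attacker reloads with his original id

if __name__ == "__main__":
    print("vulnerable app hijacked:", run_fixation_attack(SessionApp(hardened=False)))
    print("hardened app hijacked:  ", run_fixation_attack(SessionApp(hardened=True)))
```

Of the two fixes, regeneration at login is the one that matters most: even if a framework legitimately accepts its own previously issued id, rotating it at the moment the session gains privileges leaves the attacker holding a dead identifier.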
Question #: 550
Topic #: 1
Which Linux command, when executed, displays the kernel ring buffer or information about device drivers loaded into the kernel?
A. pgrep
B. dmesg
C. fsck
D. grep
Selected Answer: B
Question #: 542
Topic #: 1
Which of the following statements is TRUE with respect to the Registry settings in the user start-up folder HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\?
A. All the values in this subkey run when specific user logs on, as this setting is user-specific
B. The string specified in the value run executes when user logs on
C. All the values in this key are executed at system start-up
D. All values in this subkey run when specific user logs on and then the values are deleted
Selected Answer: D
Question #: 541
Topic #: 1
While collecting active transaction logs using SQL Server Management Studio, the query Select * from ::fn_dblog(NULL, NULL) displays the active portion of the transaction log file. Here, what does passing NULL values imply?
A. Start and end points for log sequence numbers are specified
B. Start and end points for log files are not specified
C. Start and end points for log files are specified
D. Start and end points for log sequence numbers are not specified
Selected Answer: D
Question #: 530
Topic #: 1
The MAC attributes are timestamps that refer to a time at which the file was last modified or last accessed or originally created. Which of the following file systems store MAC attributes in Coordinated Universal Time (UTC) format?
A. File Allocation Table (FAT)
B. New Technology File System (NTFS)
C. Hierarchical File System (HFS)
D. Global File System (GFS)
Selected Answer: C
Question #: 1
Topic #: 1
When an investigator contacts by telephone the domain administrator or controller listed by a Whois lookup to request that all e-mails sent and received for a user account be preserved, what U.S.C. statute authorizes this phone call and obligates the ISP to preserve e-mail records?
A. Title 18, Section 1030
B. Title 18, Section 2703(d)
C. Title 18, Section Chapter 90
D. Title 18, Section 2703(f)
Selected Answer: D
Question #: 500
Topic #: 1
Gill is a computer forensics investigator who has been called upon to examine a seized computer. This computer, according to the police, was used by a hacker who gained access to numerous banking institutions to steal customer information. After preliminary investigations, Gill finds in the computer’s log files that the hacker was able to gain access to these banks through the use of Trojan horses. The hacker then used these Trojan horses to obtain remote access to the companies’ domain controllers. From this point, Gill found that the hacker pulled off the SAM files from the domain controllers to then attempt and crack network passwords. What is the most likely password cracking technique used by this hacker to break the user passwords from the SAM files?
A. Syllable attack
B. Hybrid attack
C. Brute force attack
D. Dictionary attack
Selected Answer: D
Question #: 499
Topic #: 1
Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted so as to cause a denial-of-service attack?
A. Email spamming
B. Phishing
C. Email spoofing
D. Mail bombing
Selected Answer: A
Question #: 489
Topic #: 1
Which among the following search warrants allows the first responder to search and seize the victim’s computer components such as hardware, software, storage devices, and documentation?
A. John Doe Search Warrant
B. Citizen Informant Search Warrant
C. Electronic Storage Device Search Warrant
D. Service Provider Search Warrant
Selected Answer: C
Question #: 474
Topic #: 1
During an investigation, Noel found the following SIM card from the suspect’s mobile. What does the code 89 44 represent?
A. Issuer Identifier Number and TAC
B. Industry Identifier and Country code
C. Individual Account Identification Number and Country Code
D. TAC and Industry Identifier
Selected Answer: B
Question #: 470
Topic #: 1
Select the data that virtual memory would store in a Windows-based system.
A. Information or metadata of the files
B. Documents and other files
C. Application data
D. Running processes
Selected Answer: A
Question #: 468
Topic #: 1
Which of the following is a tool to reset Windows admin password?
A. R-Studio
B. Windows Password Recovery Bootdisk
C. Windows Data Recovery Software
D. TestDisk for Windows
Selected Answer: C
Question #: 459
Topic #: 1
Which command can provide the investigators with details of all the loaded modules on a Linux-based system?
A. list modules -a
B. lsmod
C. plist mod -a
D. lsof -m
Selected Answer: B
Question #: 456
Topic #: 1
Which of the following file formats allows the user to compress the acquired data as well as keep it randomly accessible?
A. Proprietary Format
B. Generic Forensic Zip (gfzip)
C. Advanced Forensic Framework 4
D. Advanced Forensics Format (AFF)
Selected Answer: D
Question #: 455
Topic #: 1
Which of the following tools can reverse machine code to assembly language?
A. PEiD
B. RAM Capturer
C. IDA Pro
D. Deep Log Analyzer
Selected Answer: C
Question #: 452
Topic #: 1
Which of the following processes is part of the dynamic malware analysis?
A. Process Monitoring
B. Malware disassembly
C. Searching for the strings
D. File fingerprinting
Selected Answer: D
Question #: 400
Topic #: 1
Which tool does the investigator use to extract artifacts left by Google Drive on the system?
A. PEBrowse Professional
B. RegScanner
C. RAM Capturer
D. Dependency Walker
Selected Answer: C
Question #: 379
Topic #: 1
When a user deletes a file or folder, the system stores the complete path, including the original filename, in a special hidden file called `INFO2` in the Recycled folder. If the INFO2 file is deleted, it is recovered when you ______________________.
A. Undo the last action performed on the system
B. Reboot Windows
C. Use a recovery tool to undelete the file
D. Download the file from Microsoft website
Selected Answer: C
Question #: 378
Topic #: 1
Which of the following tools can the investigator use to analyze the network to detect Trojan activities?
A. Regshot
B. TRIPWIRE
C. RAM Computer
D. Capsa
Selected Answer: D
Question #: 443
Topic #: 1
When a user deletes a file, the system creates a $I file to store its details. What detail does the $I file not contain?
A. File Size
B. File origin and modification
C. Time and date of deletion
D. File Name
Selected Answer: B
Question #: 428
Topic #: 1
An International Mobile Equipment Identifier (IMEI) is a 15-digit number that indicates the manufacturer, model type, and country of approval for GSM devices. The first eight digits of an IMEI number that provide information about the model and origin of the mobile device is also known as:
A. Type Allocation Code (TAC)
B. Integrated Circuit Code (ICC)
C. Manufacturer Identification Code (MIC)
D. Device Origin Code (DOC)
Selected Answer: B
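The SIM card question earlier on this page (the leading digits 89 44 of an ICCID) and the IMEI question above both decode to fixed fields plus a Luhn check digit, and both are often transcribed by hand from a device label, so validating the check digit before relying on the number is a worthwhile habit. The following is an added example, not code from the original page: it splits an IMEI into its 8-digit TAC, 6-digit serial and check digit, splits an ICCID into the major industry identifier (89 for telecommunications), the country code and the issuer and account fields, and verifies each with the Luhn algorithm. The IMEI 490154203237518 is a commonly used sample value, the ICCID is constructed, the country-code table is a tiny stand-in for the full ITU-T E.164 list, and the 7-digit issuer identifier number is an assumption (E.118 allows up to 7).

```python
# Tiny constructed subset of ITU-T E.164 country codes (1-3 digits); a real tool needs the full table.
COUNTRY_CODES = {"1": "North America (NANP)", "44": "United Kingdom", "49": "Germany",
                 "91": "India", "353": "Ireland"}

def luhn_valid(number: str) -> bool:
    """Luhn check as used by IMEI and ICCID: from the right, double every second digit."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def luhn_check_digit(payload: str) -> str:
    """Check digit to append to payload so that luhn_valid(payload + digit) holds."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:   # parity shifts by one once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def decode_imei(imei: str) -> dict:
    """15-digit IMEI: 8-digit Type Allocation Code, 6-digit serial, Luhn check digit."""
    if not (imei.isdigit() and len(imei) == 15):
        raise ValueError("IMEI must be 15 digits")
    return {"tac": imei[:8], "reporting_body": imei[:2], "serial": imei[8:14],
            "check_digit": imei[14], "luhn_ok": luhn_valid(imei)}

def decode_iccid(iccid: str) -> dict:
    """19/20-digit ICCID: 89 (telecom industry), country code, issuer id, account id, check digit."""
    if not (iccid.isdigit() and 19 <= len(iccid) <= 20):
        raise ValueError("ICCID is 19 or 20 digits")
    if iccid[:2] != "89":
        raise ValueError("ICCID must start with the telecom major industry identifier 89")
    # Country codes are variable length, so try the longest prefix first.
    cc = next((iccid[2:2 + n] for n in (3, 2, 1) if iccid[2:2 + n] in COUNTRY_CODES), None)
    if cc is None:
        raise ValueError("country code not in table")
    iin = iccid[:7]  # issuer identifier number, assumed 7 digits here (the E.118 maximum)
    return {"mii": "89", "country_code": cc, "country": COUNTRY_CODES[cc],
            "issuer_identifier": iin[2 + len(cc):], "iin": iin,
            "account_id": iccid[7:-1], "check_digit": iccid[-1], "luhn_ok": luhn_valid(iccid)}

if __name__ == "__main__":
    print(decode_imei("490154203237518"))
    print(decode_iccid("8944101234567890128"))
```

A failed Luhn check on a number copied from a label or a report is the first thing to look for before concluding that a handset or SIM "does not exist" in a carrier's records.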
Question #: 411
Topic #: 1
Randy has extracted data from an old version of a Windows-based system and discovered info file Dc5.txt in the system recycle bin. What does the file name denote?
A. A text file deleted from C drive in sixth sequential order
B. A text file deleted from C drive in fifth sequential order
C. A text file copied from D drive to C drive in fifth sequential order
D. A text file copied from C drive to D drive in fifth sequential order
Selected Answer: A
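The three Recycle Bin questions above (the INFO2 file, the $I record, and the Dc5.txt naming scheme) come down to two on-disk formats. The following is an added example, not code from the original page: it builds a constructed $I record in either the version-1 layout (Vista through 8: 8-byte header, 8-byte size, 8-byte FILETIME, 520-byte fixed name field) or the version-2 layout (Windows 10 and later: same header, then a 4-byte name length and the UTF-16LE path), parses it back, converts the FILETIME deletion stamp to UTC, and decodes the older D<drive><index>.<ext> naming used with INFO2. The sample path and timestamp are made up; whether the version-2 length counts the terminating null is handled either way by the parser.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_DELETED_AT = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH   # integer arithmetic: a float would lose precision at 1e16 microseconds
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def build_sample_dollar_i(version: int, size: int, deleted_at: datetime, path: str) -> bytes:
    """Constructed $I record (not from a real system) in version 1 or version 2 layout."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    name = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return header + name.ljust(520, b"\x00")                  # fixed 260-character field
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + name  # length includes the terminator
    raise ValueError("unsupported $I version")

def parse_dollar_i(data: bytes) -> dict:
    """The record holds version, original size, deletion time and original path; nothing else
    (no creation or modification times, which live in the $R file's own MFT entry)."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}

def recycled_pair(name: str) -> str:
    """Vista+ naming: $I<id>.<ext> (metadata) pairs with $R<id>.<ext> (content)."""
    if not name.startswith(("$I", "$R")):
        raise ValueError("not a Recycle Bin pair name")
    return ("$R" if name.startswith("$I") else "$I") + name[2:]

RECYCLED_NAME = re.compile(r"^D(?P<drive>[A-Za-z])(?P<index>\d+)(?P<ext>\..*)?$")

def decode_recycled_name(name: str) -> dict:
    """Pre-Vista Recycled naming: 'D' + drive letter + sequence number + original extension;
    the original path is kept in the INFO2 record carrying the same index."""
    m = RECYCLED_NAME.match(name)
    if not m:
        raise ValueError("not a Recycled-folder name")
    return {"drive": m["drive"].upper(), "index": int(m["index"]), "extension": m["ext"] or ""}

if __name__ == "__main__":
    blob = build_sample_dollar_i(2, 1234, SAMPLE_DELETED_AT, r"C:\Users\alice\secret.docx")
    print(parse_dollar_i(blob))
    print(decode_recycled_name("Dc5.txt"), recycled_pair("$IABC123.docx"))
```

On a live system the records sit under $Recycle.Bin\<SID>\ per user; pairing each $I with its $R and comparing the $I deletion time with the $R file's MFT timestamps is how an examiner spots entries that were planted or re-dated.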
Question #: 402
Topic #: 1
Identify the file system that uses $BitMap file to keep track of all used and unused clusters on a volume.
A. NTFS
B. FAT
C. EXT
D. FAT32
Selected Answer: A
Question #: 171
Topic #: 1
What is kept in the following registry key? HKLM\SECURITY\Policy\Secrets
A. Cached password hashes for the past 20 users
B. Service account passwords in plain text
C. IAS account names and passwords
D. Local store PKI Kerberos certificates
Selected Answer: B
Question #: 337
Topic #: 1
Linux operating system has two types of typical bootloaders namely LILO (Linux Loader) and GRUB (Grand Unified Bootloader). In which stage of the booting process do the bootloaders become active?
A. Bootloader Stage
B. Kernel Stage
C. BootROM Stage
D. BIOS Stage
Selected Answer: A
Question #: 329
Topic #: 1
Which of the following commands shows you the names of all open shared files on a server and the number of file locks on each file?
A. Net config
B. Net file
C. Net share
D. Net sessions
Selected Answer: B
Question #: 320
Topic #: 1
Which of the following files stores information about local Dropbox installation and account, email IDs linked with the account, current version/build for the local application, the host_id, and local path information?
A. host.db
B. sigstore.db
C. config.db
D. filecache.db
Selected Answer: C
Question #: 312
Topic #: 1
Which of the following stages in the Linux boot process involves initialization of the system's hardware?
A. BIOS Stage
B. Bootloader Stage
C. BootROM Stage
D. Kernel Stage
Selected Answer: D
Question #: 306
Topic #: 1
Which of the following files contain traces of the applications installed, run, or uninstalled from a system?
A. Shortcut Files
B. Virtual files
C. Prefetch Files
D. Image Files
Selected Answer: C
Question #: 280
Topic #: 1
On an Active Directory network using NTLM authentication, where on the domain controllers are the passwords stored?
A. SAM
B. AMS
C. Shadow file
D. Password.conf
Selected Answer: B
Question #: 240
Topic #: 1
Harold is a computer forensics investigator working for a consulting firm out of Atlanta, Georgia. Harold is called upon to help with a corporate espionage case in Miami, Florida. Harold assists in the investigation by pulling all the data from the computers allegedly used in the illegal activities. He finds that two suspects in the company were stealing sensitive corporate information and selling it to competing companies. From the email and instant messenger logs recovered, Harold has discovered that the two employees notified the buyers by writing symbols on the back of specific stop signs. This way, the buyers knew when and where to meet with the alleged suspects to buy the stolen material. What type of steganography did these two suspects use?
A. Text semagram
B. Visual semagram
C. Grill cipher
D. Visual cipher
Selected Answer: B
Question #: 224
Topic #: 1
Heather, a computer forensics investigator, is assisting a group of investigators working on a large computer fraud case involving over 20 people. These 20 people, working in different offices, allegedly siphoned off money from many different client accounts. Heather's responsibility is to find out how the accused people communicated with each other. She has searched their email and their computers and has not found any useful evidence. Heather then finds some possibly useful evidence under the desk of one of the accused.
In an envelope, she finds a piece of plastic with numerous holes cut out of it. Heather then finds the same exact piece of plastic with holes at many of the other accused people's desks. Heather believes that the 20 people involved in the case were using a cipher to send secret messages to each other. What type of cipher was used by the accused in this case?
A. Grill cipher
B. Null cipher
C. Text semagram
D. Visual semagram
Selected Answer: B
Question #: 199
Topic #: 1
How many bits long is the Source Port field in the TCP header?
A. 16
B. 32
C. 48
D. 64
Selected Answer: D
Question #: 196
Topic #: 1
Harold wants to set up a firewall on his network but is not sure which one would be the most appropriate. He knows he needs to allow FTP traffic to one of the servers on his network, but he wants to allow only FTP PUT. Which firewall would be most appropriate for Harold's needs?
A. Circuit-level proxy firewall
B. Packet filtering firewall
C. Application-level proxy firewall
D. Data link layer firewall
Selected Answer: D
Question #: 193
Topic #: 1
You are the security analyst working for a private company out of France. Your current assignment is to obtain credit card information from a Swiss bank owned by that company. After initial reconnaissance, you discover that the bank security defenses are very strong and would take too long to penetrate. You decide to get the information by monitoring the traffic between the bank and one of its subsidiaries in London. After monitoring some of the traffic, you see a lot of FTP packets traveling back and forth. You want to sniff the traffic and extract usernames and passwords. What tool could you use to get this information?
A. Airsnort
B. Snort
C. Ettercap
D. RaidSniff
Selected Answer: D
Question #: 189
Topic #: 1
James is testing the ability of his routers to withstand DoS attacks. James sends ICMP ECHO requests to the broadcast address of his network. What type of DoS attack is James testing against his network?
A. Smurf
B. Trinoo
C. Fraggle
D. SYN flood
Selected Answer: C
Question #: 177
Topic #: 1
Software firewalls work at which layer of the OSI model?
A. Application
B. Network
C. Transport
D. Data Link
Selected Answer: B
Question #: 176
Topic #: 1
You just passed your ECSA exam and are about to start your first consulting job running security audits for a financial institution in Los Angeles. The IT manager of the company you will be working for tries to see if you remember your ECSA class. He asks about the methodology you will be using to test the company’s network. How would you answer?
A. Microsoft Methodology
B. Google Methodology
C. IBM Methodology
D. LPT Methodology
Selected Answer: C
Question #: 174
Topic #: 1
When setting up a wireless network with multiple access points, why is it important to set each access point on a different channel?
A. Multiple access points can be set up on the same channel without any issues
B. Avoid over-saturation of wireless signals
C. So that the access points will work on different frequencies
D. Avoid cross talk
Selected Answer: D
Question #: 63
Topic #: 1
Which federal computer crime law specifically refers to fraud and related activity in connection with access devices like routers?
A. 18 U.S.C. 1029
B. 18 U.S.C. 1362
C. 18 U.S.C. 2511
D. 18 U.S.C. 2703
Selected Answer: A
Question #: 34
Topic #: 1
Study the log given below and answer the following question:
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?
A. Disallow UDP53 in from outside to DNS server
B. Allow UDP53 in from DNS server to outside
C. Disallow TCP53 in from secondaries or ISP server to DNS server
D. Block all UDP traffic
Selected Answer: A
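The log above is a small triage exercise in itself: three external hosts probe the DNS servers (version queries and a zone-transfer attempt), one of them then sends an x86 NOP sled to port 53 on 172.16.1.107, and 80 seconds later PAM records a login on victim7 followed by an su. The following is an added example, not code from the original page: it parses the excerpt (embedded here as a constructed copy), groups alerts by source, lists which external sources and which internal hosts were involved in port-53 traffic (the scope a "disallow UDP/TCP 53 inbound from outside" rule has to cover), and correlates exploit-style alerts with PAM session events on the same host within a time window. The hostname-to-IP mapping for victim7 is an assumption, the exploit keyword list is this example's own, and the timestamps are treated as year-less syslog values from a single capture.

```python
import re
from datetime import datetime, timedelta

# Constructed copy of the log excerpt from the question (syslog timestamps carry no year).
SAMPLE_LOG = """\
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
"""

TS = r"(?P<ts>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d)"
SCAN_RE = re.compile(TS + r" \[\d+\]: spp_portscan: portscan detected from (?P<src>[\d.]+)$", re.IGNORECASE)
ALERT_RE = re.compile(TS + r" \[\d+\]: (?P<sig>[^:]+): (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
AUTH_RE = re.compile(TS + r" (?P<host>\S+) PAM_pwdb\[\d+\]: \((?P<svc>\w+)\) session opened for user (?P<user>\w+) by (?P<by>.+)$")
EXPLOIT_HINTS = ("nops", "shellcode", "overflow")   # signature substrings treated as exploit attempts

def _ts(s: str) -> datetime:
    # Year-less syslog stamp; ordering is only meaningful within one capture (assumes no year rollover).
    return datetime.strptime(s, "%b %d %H:%M:%S")

def parse_ids_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SCAN_RE.match(line):
            events.append({"ts": _ts(m["ts"]), "kind": "scan", "sig": "spp_portscan",
                           "src": m["src"], "dst": None, "dport": None})
        elif m := ALERT_RE.match(line):
            events.append({"ts": _ts(m["ts"]), "kind": "alert", "sig": m["sig"], "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"])})
        elif m := AUTH_RE.match(line):
            events.append({"ts": _ts(m["ts"]), "kind": "auth", "sig": m["svc"], "src": m["host"],
                           "dst": m["host"], "dport": None, "user": m["user"], "by": m["by"]})
        else:
            events.append({"kind": "unparsed", "raw": line})
    return events

def sources_summary(events: list) -> dict:
    """Source IP -> sorted list of distinct IDS signatures seen from it."""
    out = {}
    for e in events:
        if e["kind"] in ("scan", "alert"):
            out.setdefault(e["src"], set()).add(e["sig"])
    return {src: sorted(sigs) for src, sigs in out.items()}

def dns_probe_sources(events: list, internal: str = "172.16.1.") -> list:
    """External sources that sent anything to port 53 on an internal host."""
    return sorted({e["src"] for e in events if e["kind"] == "alert" and e["dport"] == 53
                   and e["dst"].startswith(internal) and not e["src"].startswith(internal)})

def dns_targets(events: list, internal: str = "172.16.1.") -> list:
    """Internal hosts that received port-53 traffic from outside: the scope of the firewall rule."""
    return sorted({e["dst"] for e in events if e["kind"] == "alert" and e["dport"] == 53
                   and e["dst"].startswith(internal) and not e["src"].startswith(internal)})

def exploit_attempt_sources(events: list) -> list:
    return sorted({e["src"] for e in events if e["kind"] == "alert"
                   and any(h in e["sig"].lower() for h in EXPLOIT_HINTS)})

def correlate_exploit_to_login(events: list, host_ips: dict, window_seconds: int = 300) -> list:
    """Exploit-style alerts followed within the window by a PAM session on the targeted host."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    hits = []
    for a in events:
        if a["kind"] != "alert" or not any(h in a["sig"].lower() for h in EXPLOIT_HINTS):
            continue
        for s in events:
            if s["kind"] != "auth" or s["src"] != ip_to_host.get(a["dst"]):
                continue
            if a["ts"] <= s["ts"] <= a["ts"] + timedelta(seconds=window_seconds):
                hits.append({"exploit_ts": a["ts"], "src": a["src"], "target": a["dst"], "sig": a["sig"],
                             "login_ts": s["ts"], "user": s["user"], "service": s["sig"],
                             "seconds_after": int((s["ts"] - a["ts"]).total_seconds())})
    return hits

if __name__ == "__main__":
    evs = parse_ids_log(SAMPLE_LOG)
    print("port-53 sources:", dns_probe_sources(evs), "targets:", dns_targets(evs))
    print("exploit attempts from:", exploit_attempt_sources(evs))
    for h in correlate_exploit_to_login(evs, {"victim7": "172.16.1.107"}):
        print(f"{h['sig']} from {h['src']} -> {h['target']} then {h['service']} as {h['user']} after {h['seconds_after']}s")
```

The correlation output is the evidence that ties the firewall question to the rest of the log: the port-53 probing from outside is the reconnaissance that preceded the NOP-sled alert, and the session that opens on victim7 shortly afterwards is what a rule blocking unsolicited inbound port 53 to the DNS servers would have prevented, while still permitting the known secondaries.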
Question #: 14
Topic #: 1
When examining a file with a Hex Editor, what space does the file header occupy?
A. the last several bytes of the file
B. the first several bytes of the file
C. none, file headers are contained in the FAT
D. one byte at the beginning of the file
Selected Answer: B
Question #: 65
Topic #: 1
What TCP/UDP port does the toolkit program netstat use?
A. Port 7
B. Port 15
C. Port 23
D. Port 69
Selected Answer: B