Computer Hacking Forensic Investigator Topic 3
Question #: 140
Topic #: 1
If an attacker’s computer sends an IPID of 31400 to a zombie computer on an open port in IDLE scanning, what will be the response?
A. The zombie will not send a response
B. 31402
C. 31399
D. 31401
Selected Answer: B
Question #: 86
Topic #: 1
An employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the employee's computer, which was protected with the NTFS Encrypted File System (EFS), and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the employee before he leaves the building, recover the floppy disks and secure his computer. Will you be able to break the encryption so that you can verify that the employee was in possession of the proprietary information?
A. EFS uses a 128-bit key that can’t be cracked, so you will not be able to recover the information
B. When the encrypted file was copied to the floppy disk, it was automatically unencrypted, so you can recover the information.
C. The EFS Revoked Key Agent can be used on the Computer to recover the information
D. When the Encrypted file was copied to the floppy disk, the EFS private key was also copied to the floppy disk, so you can recover the information.
Selected Answer: D
Question #: 145
Topic #: 1
You are a security analyst performing a penetration test for a company in the Midwest. After some initial reconnaissance, you discover the IP addresses of some Cisco routers used by the company. You type in the following URL that includes the IP address of one of the routers: http://172.168.4.131/level/99/exec/show/config
After typing in this URL, you are presented with the entire configuration file for that router. What have you discovered?
A. HTTP Configuration Arbitrary Administrative Access Vulnerability
B. HTML Configuration Arbitrary Administrative Access Vulnerability
C. Cisco IOS Arbitrary Administrative Access Online Vulnerability
D. URL Obfuscation Arbitrary Administrative Access Vulnerability
Selected Answer: A
Question #: 156
Topic #: 1
John is using Firewalk to test the security of his Cisco PIX firewall. He is also utilizing a sniffer located on a subnet that resides deep inside his network. After analyzing the sniffer log files, he does not see any of the traffic produced by Firewalk. Why is that?
A. Firewalk cannot pass through Cisco firewalls
B. Firewalk sets all packets with a TTL of zero
C. Firewalk cannot be detected by network sniffers
D. Firewalk sets all packets with a TTL of one
Selected Answer: D
Question #: 155
Topic #: 1
George is a senior security analyst working for a state agency in Florida. His state’s congress just passed a bill mandating every state agency to undergo a security audit annually. After learning what will be required, George needs to implement an IDS as soon as possible before the first audit occurs. The state bill requires that an IDS with a “time-based induction machine” be used.
What IDS feature must George implement to meet this requirement?
A. Signature-based anomaly detection
B. Pattern matching
C. Real-time anomaly detection
D. Statistical-based anomaly detection
Selected Answer: C
Question #: 175
Topic #: 1
You are running through a series of tests on your network to check for any security vulnerabilities.
After normal working hours, you initiate a DoS attack against your external firewall. The firewall quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have FTP blocked at the external firewall. What has happened?
A. The firewall failed-bypass
B. The firewall failed-closed
C. The firewall ACL has been purged
D. The firewall failed-open
Selected Answer: C
Question #: 181
Topic #: 1
What are the security risks of running a “repair” installation for Windows XP?
A. Pressing Shift+F10 gives the user administrative rights
B. Pressing Shift+F1 gives the user administrative rights
C. Pressing Ctrl+F10 gives the user administrative rights
D. There are no security risks when running the “repair” installation for Windows XP
Selected Answer: D
Question #: 217
Topic #: 1
What technique used by Encase makes it virtually impossible to tamper with evidence once it has been acquired?
A. Every byte of the file(s) is given an MD5 hash to match against a master file
B. Every byte of the file(s) is verified using 32-bit CRC
C. Every byte of the file(s) is copied to three different hard drives
D. Every byte of the file(s) is encrypted using three different methods
Selected Answer: C
Question #: 211
Topic #: 1
If you are concerned about a high level of compression but not concerned about any possible data loss, what type of compression would you use?
A. Lossful compression
B. Lossy compression
C. Lossless compression
D. Time-loss compression
Selected Answer: B
Question #: 228
Topic #: 1
Where does Encase search to recover NTFS files and folders?
A. MBR
B. MFT
C. Slack space
D. HAL
Selected Answer: B
Question #: 237
Topic #: 1
What advantage does the tool Evidor have over the built-in Windows search?
A. It can find deleted files even after they have been physically removed
B. It can find bad sectors on the hard drive
C. It can search slack space
D. It can find files hidden within ADS
Selected Answer: C
Question #: 235
Topic #: 1
Preparing an image drive to copy files to is the first step in Linux forensics. For this purpose, what would the following command accomplish? dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror,sync
A. Fill the disk with zeros
B. Low-level format
C. Fill the disk with 4096 zeros
D. Copy files from the master disk to the slave disk on the secondary IDE controller
Selected Answer: C
Question #: 262
Topic #: 1
Julie is a college student majoring in Information Systems and Computer Science. She is currently writing an essay for her computer crimes class. Julie's paper focuses on white-collar crimes in America and how forensics investigators investigate the cases. Julie would like to focus the subject of the essay on the most common type of crime found in corporate America. What crime should Julie focus on?
A. Physical theft
B. Copyright infringement
C. Industrial espionage
D. Denial of Service attacks
Selected Answer: B
Question #: 275
Topic #: 1
What will the following command accomplish in Linux?
fdisk /dev/hda
A. Partition the hard drive
B. Format the hard drive
C. Delete all files under the /dev/hda folder
D. Fill the disk with zeros
Selected Answer: A
Question #: 274
Topic #: 1
Cylie is investigating a network breach at a state organization in Florida. She discovers that the intruders were able to gain access into the company firewalls by overloading them with IP packets. Cylie then discovers through her investigation that the intruders hacked into the company phone system and used the hard drives on their PBX system to store shared music files. What would this attack on the company PBX system be called?
A. Phreaking
B. Squatting
C. Crunching
D. Pretexting
Selected Answer: C
Question #: 296
Topic #: 1
What is considered a grant of a property right given to an individual who discovers or invents a new machine, process, useful composition of matter or manufacture?
A. Copyright
B. Design patent
C. Trademark
D. Utility patent
Selected Answer: A
Question #: 319
Topic #: 1
Bob has encountered a system crash and has lost vital data stored on the hard drive of his Windows computer. He has no cloud storage or backup hard drives. He wants to recover all of that data, which includes his personal photos, music, documents, videos, official email, etc. Which of the following tools will serve Bob's purpose?
A. Colasoft’s Capsa
B. Recuva
C. Cain & Abel
D. Xplico
Selected Answer: C
Question #: 345
Topic #: 1
Which MySQL log file contains information on server start and stop?
A. Slow query log file
B. General query log file
C. Binary log
D. Error log file
Selected Answer: D
Question #: 341
Topic #: 1
What is the location of the binary files required for the functioning of the OS in a Linux system?
A. /run
B. /bin
C. /root
D. /sbin
Selected Answer: D
Question #: 357
Topic #: 1
Which file is a sequence of bytes organized into blocks understandable by the system’s linker?
A. executable file
B. source file
C. Object file
D. None of these
Selected Answer: D
Question #: 353
Topic #: 1
Which of the following is an iOS Jailbreaking tool?
A. Kingo Android ROOT
B. Towelroot
C. One Click Root
D. Redsn0w
Selected Answer: A
Question #: 363
Topic #: 1
Which of the following tools enables a user to reset his/her lost admin password in a Windows system?
A. Advanced Office Password Recovery
B. Active@ Password Changer
C. Smartkey Password Recovery Bundle Standard
D. Passware Kit Forensic
Selected Answer: D
Question #: 362
Topic #: 1
What is the size value of a nibble?
A. 0.5 kilo byte
B. 0.5 bit
C. 0.5 byte
D. 2 bits
Selected Answer: D
Question #: 377
Topic #: 1
Jacky encrypts her documents using a password. It is known that she uses her daughter’s year of birth as part of the password. Which password cracking technique would be optimal to crack her password?
A. Rule-based attack
B. Brute force attack
C. Syllable attack
D. Hybrid attack
Selected Answer: B
Question #: 376
Topic #: 1
Richard is extracting volatile data from a system and uses the command doskey /history. What is he trying to extract?
A. Events history
B. Previously typed commands
C. History of the browser
D. Passwords used across the system
Selected Answer: B
Question #: 373
Topic #: 1
Which of the following tools will help the investigator to analyze web server logs?
A. XRY LOGICAL
B. LanWhois
C. Deep Log Monitor
D. Deep Log Analyzer
Selected Answer: C
Question #: 381
Topic #: 1
Which of the following tools enables data acquisition and duplication?
A. Colasoft’s Capsa
B. DriveSpy
C. Wireshark
D. Xplico
Selected Answer: A
Question #: 398
Topic #: 1
Which of the following is NOT a part of pre-investigation phase?
A. Building forensics workstation
B. Gathering information about the incident
C. Gathering evidence data
D. Creating an investigation team
Selected Answer: C
Question #: 396
Topic #: 1
Billy, a computer forensics expert, has recovered a large number of DBX files during the forensic investigation of a laptop. Which of the following email clients can he use to analyze the DBX files?
A. Microsoft Outlook
B. Eudora
C. Mozilla Thunderbird
D. Microsoft Outlook Express
Selected Answer: B
Question #: 407
Topic #: 1
Which of the following Android libraries are used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen?
A. OpenGL/ES and SGL
B. Surface Manager
C. Media framework
D. WebKit
Selected Answer: B
Question #: 405
Topic #: 1
Which of the following Windows-based tools displays who is logged onto a computer, either locally or remotely?
A. Tokenmon
B. PSLoggedon
C. TCPView
D. Process Monitor
Selected Answer: B
Question #: 401
Topic #: 1
BMP (Bitmap) is a standard file format for computers running the Windows operating system. BMP images can range from black and white (1 bit per pixel) up to 24-bit color (16.7 million colors). Each bitmap file contains a header, the RGBQUAD array, an information header, and image data. Which of the following elements specifies the dimensions, compression type, and color format for the bitmap?
A. Information header
B. Image data
C. The RGBQUAD array
D. Header
Selected Answer: D
Question #: 420
Topic #: 1
Which of the following standards represents a legal precedent set in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses' testimony during federal legal proceedings?
A. SWGDE & SWGIT
B. IOCE
C. Frye
D. Daubert
Selected Answer: D
Question #: 419
Topic #: 1
Which of the following is a part of a Solid-State Drive (SSD)?
A. Head
B. Cylinder
C. NAND-based flash memory
D. Spindle
Selected Answer: B
Question #: 418
Topic #: 1
Buffer overflow vulnerability of a web application occurs when it fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites the _________. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack.
A. Adjacent memory locations
B. Adjacent bit blocks
C. Adjacent buffer locations
D. Adjacent string locations
Selected Answer: B
Question #: 415
Topic #: 1
Gary is checking for the devices connected to USB ports of a suspect system during an investigation. Select the appropriate tool that will help him document all the connected devices.
A. DevScan
B. Devcon
C. fsutil
D. Reg.exe
Selected Answer: A
Question #: 430
Topic #: 1
Rusty, a computer forensics apprentice, uses the command `nbtstat -c` while analyzing the network information in a suspect system. What information is he looking for?
A. Contents of the network routing table
B. Status of the network carrier
C. Contents of the NetBIOS name cache
D. Network connections
Selected Answer: C
Question #: 438
Topic #: 1
Which of the following standards represents a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases?
A. SWGDE & SWGIT
B. Daubert
C. Frye
D. IOCE
Selected Answer: C
Question #: 433
Topic #: 1
The tasklist command displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer. Which of the following tasklist commands provides information about the listed processes, including the image name, PID, and the name and number of the session for the process?
A. tasklist /p
B. tasklist /v
C. tasklist /u
D. tasklist /s
Selected Answer: B
Question #: 450
Topic #: 1
An investigator has found certain details after analysis of a mobile device. What can reveal the manufacturer information?
A. Equipment Identity Register (EIR)
B. Electronic Serial Number (ESN)
C. International mobile subscriber identity (IMSI)
D. Integrated circuit card identifier (ICCID)
Selected Answer: A
Question #: 449
Topic #: 1
Which of the following application password cracking tools can discover all password-protected items on a computer and decrypt them?
A. TestDisk for Windows
B. R-Studio
C. Windows Password Recovery Bootdisk
D. Passware Kit Forensic
Selected Answer: D
Question #: 448
Topic #: 1
Which U.S. Federal law requires financial institutions that offer consumers financial products or services to protect their customers’ private information?
A. Payment Card Industry Data Security Standard (PCI DSS)
B. Federal Information Security Management Act of 2002 (FISMA)
C. Health insurance Portability and Accountability Act of 1996 (HIPAA)
D. Gramm-Leach-Bliley Act (GLBA)
Selected Answer: D
Question #: 458
Topic #: 1
Which layer of iOS architecture should a forensics investigator evaluate to analyze services such as Threading, File Access, Preferences, Networking and high-level features?
A. Core Services
B. Media services
C. Cocoa Touch
D. Core OS
Selected Answer: A
Question #: 457
Topic #: 1
What is the investigator trying to view by issuing the command displayed in the following screenshot?
A. List of services stopped
B. List of services closed recently
C. List of services recently started
D. List of services installed
Selected Answer: A
Question #: 453
Topic #: 1
Investigators can use the Type Allocation Code (TAC) to find the model and origin of a mobile device. Where is TAC located in mobile devices?
A. International Mobile Equipment Identifier (IMEI)
B. Integrated circuit card identifier (ICCID)
C. International mobile subscriber identity (IMSI)
D. Equipment Identity Register (EIR)
Selected Answer: C
Question #: 466
Topic #: 1
After suspecting a change in MS-Exchange Server storage archive, the investigator has analyzed it. Which of the following components is not an actual part of the archive?
A. PRIV.STM
B. PUB.EDB
C. PRIV.EDB
D. PUB.STM
Selected Answer: C
Question #: 479
Topic #: 1
What system details can an investigator obtain from the NetBIOS name table cache?
A. List of files opened on other systems
B. List of the system present on a router
C. List of connections made to other systems
D. List of files shared between the connected systems
Selected Answer: C
Question #: 487
Topic #: 1
The Recycle Bin exists as a metaphor for throwing files away, but it also allows a user to retrieve and restore files. Once the file is moved to the recycle bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle Bin?
A. INFO2
B. INFO1
C. LOGINFO1
D. LOGINFO2
Selected Answer: C
Question #: 482
Topic #: 1
An investigator has extracted the device descriptor for a 1GB thumb drive that looks like: Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15. What does the `Geek_Squad` part represent?
A. Product description
B. Manufacturer Details
C. Developer description
D. Software or OS used
Selected Answer: D
Question #: 493
Topic #: 1
A Linux system is undergoing investigation. In which directory should the investigators look for its current state data if the system is in powered on state?
A. /auth
B. /proc
C. /var/log/debug
D. /var/spool/cron/
Selected Answer: B
Question #: 508
Topic #: 1
Which among the following laws emphasizes the need for each Federal agency to develop, document, and implement an organization-wide program to provide information security for the information systems that support its operations and assets?
A. FISMA
B. HIPAA
C. GLBA
D. SOX
Selected Answer: D
Question #: 502
Topic #: 1
In which implementation of RAID will the image of a Hardware RAID volume be different from the image taken separately from the disks?
A. RAID 1
B. The images will always be identical because data is mirrored for redundancy
C. RAID 0
D. It will always be different
Selected Answer: A
Question #: 517
Topic #: 1
The given image displays information about date and time of installation of the OS along with service packs, patches, and sub-directories. What command or tool did the investigator use to view this output?
A. dir /o:d
B. dir /o:s
C. dir /o:e
D. dir /o:n
Selected Answer: C
Question #: 516
Topic #: 1
Which of the following tools is not a data acquisition hardware tool?
A. UltraKit
B. Atola Insight Forensic
C. F-Response Imager
D. Triage-Responder
Selected Answer: A
Question #: 515
Topic #: 1
Chong-lee, a forensics executive, suspects that malware is continuously making copies of files and folders on a victim system to consume the available disk space. What type of test would confirm his claim?
A. File fingerprinting
B. Identifying file obfuscation
C. Static analysis
D. Dynamic analysis
Selected Answer: A
Question #: 780
Topic #: 1
During an ongoing cybercrime investigation, a non-expert witness, who is an employee of the organization, testifies to observing unusual computer activity. Simultaneously, an expert witness introduces a record of the regularly conducted activity of the organization. The record was kept near the time of the incident as part of the organization's regular activity. It reveals a similar observation to that of the non-expert witness. How would the Federal Rules of Evidence classify and treat these testimonies in this scenario?
A. The lay witness testimony is inadmissible hearsay under Rule 801, but the record is admissible under Rule 803(6)
B. Both testimonies are admissible; the lay witness testimony is under Rule 701, and the record is under Rule 803(6)
C. Both testimonies are inadmissible; the lay witness testimony is hearsay under Rule 801, and the record is hearsay under Rule 803(6)
D. The lay witness testimony is admissible under Rule 701, but the record is inadmissible hearsay under Rule 803(6)
Selected Answer: C
Question #: 764
Topic #: 1
An investigator analyzes event logs from a Windows 10 system for a suspected security breach. The investigator needs to find the logs related to account management events. A peculiar set of actions observed is an account creation followed by a change in the account within a short span of time. Which Event IDs should the investigator look for in the logs?
A. Event ID 102 and Event ID 299
B. Event ID 1 and Event ID 2
C. Event ID 624 and Event ID 642
D. Event ID 301 and Event ID 400
Selected Answer: A
Question #: 712
Topic #: 1
A forensic investigator is examining a potential intrusion involving an Amazon Echo. The investigator has acquired an affected Echo and the smartphone synced to it. For further data analysis, he needs to retrieve relevant database files from the smartphone. Which files will the investigator primarily focus on to retrieve essential information?
A. /data/data/com.amazon.dee.app/databases/map_data_storage_v2.db and /data/data/com.amazon.dee.app/databases/DataStore.db
B. /data/data/com.amazon.dee.app/databases/DataStore.db and /data/data/com.amazon.dee.app/databases/map_data_storage_v3.db
C. /data/data/com.amazon.dee.app/databases/map_data_storage_v1.db and /data/data/com.amazon.dee.app/databases/DataStore.db
D. /data/data/com.amazon.dee.app/databases/map_data_storage_v2.db and /data/data/com.amazon.dee.app/databases/DeviceInfo.db
Selected Answer: A
Question #: 691
Topic #: 1
As a Computer Hacking Forensic Investigator, you are analysing a system with a UEFI boot process underway. You have reached the Boot Device Selection phase, and you notice that the system is attempting to load MBR boot code into memory. What can you infer from this?
A. The system is transitioning to the DXE phase
B. The system is stuck in the Pre-EFI initialization phase
C. The system follows a UEFI boot process
D. The system is going through a legacy BIOS boot process
Selected Answer: A
Question #: 674
Topic #: 1
A breach resulted from a malware attack that evaded detection and compromised the machine memory without installing any software or accessing the hard drive.
What technique did the adversaries use to deliver the attack?
A. Trojan
B. JavaScript
C. Spyware
D. Fileless
Selected Answer: A
Question #: 670
Topic #: 1
When investigating a system, the forensics analyst discovers that malicious scripts were injected into benign and trusted websites. The attacker used a web application to send malicious code, in the form of a browser side script, to a different end-user. What attack was performed here?
A. SQL injection attack
B. Cookie poisoning attack
C. Cross-site scripting attack
D. Brute-force attack
Selected Answer: D
Question #: 669
Topic #: 1
An investigator is checking a Cisco firewall log that reads as follows:
Aug 21 2019 09:16:44: %ASA-1-106021: Deny ICMP reverse path check from 10.0.0.44 to 10.0.0.33 on interface outside
What does %ASA-1-106021 denote?
A. Type of request
B. Mnemonic message
C. Firewall action
D. Type of traffic
Selected Answer: A
Question #: 656
Topic #: 1
You are the incident response manager at a regional bank. While performing routine auditing of web application logs, you find several attempted login submissions that contain the following strings:
<SCRIPT type="text/javascript">
var adr = '../evil.php?cakemonster=' + escape(document.cookie);
</SCRIPT>
What kind of attack has occurred?
A. Cross-site scripting
B. Cross-site request forgery
C. Buffer overflow
D. SQL injection
Selected Answer: B
Question #: 628
Topic #: 1
Place the following in order of volatility from most volatile to the least volatile.
A. Archival media, temporary file systems, disk storage, archival media, register and cache
B. Register and cache, temporary file systems, routing tables, disk storage, archival media
C. Registers and cache, routing tables, temporary file systems, disk storage, archival media
D. Registers and cache, routing tables, temporary file systems, archival media, disk storage
Selected Answer: C
Question #: 610
Topic #: 1
What is the extension used by Windows OS for shortcut files present on the machine?
A. .lnk
B. .dat
C. .log
D. .pf
Selected Answer: A
Question #: 607
Topic #: 1
Cloud forensic investigations impose challenges related to multi-jurisdiction and multi-tenancy aspects. To have a better understanding of the roles and responsibilities between the cloud service provider (CSP) and the client, which document should the forensic investigator review?
A. National and local regulation
B. Service level agreement
C. Key performance indicator
D. Service level management
Selected Answer: B
Question #: 580
Topic #: 1
In a Filesystem Hierarchy Standard (FHS), which of the following directories contains the binary files required for working?
A. /mnt
B. /sbin
C. /media
D. /proc
Selected Answer: D
Question #: 560
Topic #: 1
What is the location of a Protective MBR in a GPT disk layout?
A. Logical Block Address (LBA) 2
B. Logical Block Address (LBA) 0
C. Logical Block Address (LBA) 1
D. Logical Block Address (LBA) 3
Selected Answer: B
Question #: 552
Topic #: 1
Check Point Firewall logs can be viewed through a Check Point Log viewer that uses icons and colors in the log table to represent different security events and their severity. What does the icon in the Check Point logs represent?
A. The firewall rejected a connection
B. A virus was detected in an email
C. The firewall dropped a connection
D. An email was marked as potential spam
Selected Answer: A
Question #: 551
Topic #: 1
A section of your forensics lab houses several pieces of electrical and electronic equipment. Which type of fire extinguisher must you install in this area to contain any fire incident?
A. Class B
B. Class D
C. Class C
D. Class A
Selected Answer: A
Question #: 544
Topic #: 1
An attacker successfully gained access to a remote Windows system and plans to install persistent backdoors on it. Before that, to avoid getting detected in future, he wants to cover his tracks by disabling the last-accessed timestamps of the machine. What would he do to achieve this?
A. Set the registry value of HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 0
B. Run the command fsutil behavior set disablelastaccess 0
C. Set the registry value of HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1
D. Run the command fsutil behavior set enablelastaccess 0
Selected Answer: D
Question #: 539
Topic #: 1
Steve, a forensic investigator, was asked to investigate an email incident in his organization. The organization has Microsoft Exchange Server deployed for email communications. Which among the following files will Steve check to analyze message headers, message text, and standard attachments?
A. PUB.EDB
B. PRIV.EDB
C. PUB.STM
D. PRIV.STM
Selected Answer: D
Question #: 536
Topic #: 1
In which of these attacks will a steganalyst use a random message to generate a stego-object by using some steganography tool, to find the steganography algorithm used to hide the information?
A. Chosen-message attack
B. Known-cover attack
C. Known-message attack
D. Known-stego attack
Selected Answer: B
Question #: 525
Topic #: 1
Robert is a regional manager working in a reputed organization. One day, he suspected a malware attack after unwanted programs started to pop up after he logged into his computer. The network administrator was called upon to trace any intrusion on the computer and found that suspicious activity had taken place within Autostart locations. In this situation, which of the following tools is used by the network administrator to detect any intrusion on a system?
A. Hex Editor
B. Internet Evidence Finder
C. Process Monitor
D. Report Viewer
Selected Answer: A
Question #: 521
Topic #: 1
What does the command `C:\>wevtutil gl <log name>` display?
A. Configuration information of a specific Event Log
B. Event logs are saved in .xml format
C. Event log record structure
D. List of available Event Logs
Selected Answer: C
Question #: 520
Topic #: 1
What is the name of the first reserved sector in File allocation table?
A. Volume Boot Record
B. Partition Boot Sector
C. Master Boot Record
D. BIOS Parameter Block
Selected Answer: C
Question #: 504
Topic #: 1
An investigator enters the command `sqlcmd -S WIN-CQQMK62867E -e -s"," -E` as part of collecting the primary data file and logs from a database. What does the `WIN-CQQMK62867E` represent?
A. Name of the Database
B. Name of SQL Server
C. Operating system of the system
D. Network credentials of the database
Selected Answer: C
Question #: 495
Topic #: 1
Which of the following commands shows you the username and IP address used to access the system via a remote login session and the type of client from which they are accessing the system?
A. Net config
B. Net sessions
C. Net share
D. Net stat
Selected Answer: A
Question #: 491
Topic #: 1
Where should the investigator look for the Edge browser’s browsing records, including history, cache, and cookies?
A. ESE Database
B. Virtual Memory
C. Sparse files
D. Slack Space
Selected Answer: A
Question #: 490
Topic #: 1
Centralized binary logging is a process in which many websites write binary and unformatted log data to a single log file. What extension should the investigator look to find its log file?
A. .cbl
B. .log
C. .ibl
D. .txt
Selected Answer: A
Question #: 476
Topic #: 1
As a part of the investigation, Caroline, a forensic expert, was assigned the task to examine the transaction logs pertaining to a database named Transfers. She used SQL Server Management Studio to collect the active transaction log files of the database. Caroline wants to extract detailed information on the logs, including AllocUnitId, page id, slot id, etc. Which of the following commands does she need to execute in order to extract the desired information?
A. DBCC LOG(Transfers, 1)
B. DBCC LOG(Transfers, 3)
C. DBCC LOG(Transfers, 0)
D. DBCC LOG(Transfers, 2)
Selected Answer: A
Question #: 460
Topic #: 1
In a Linux-based system, what does the command `last -F` display?
A. Login and logout times and dates of the system
B. Last run processes
C. Last functions performed
D. Recently opened files
Selected Answer: A
Question #: 444
Topic #: 1
Raw data acquisition format creates _________ of a data set or suspect drive.
A. Segmented image files
B. Simple sequential flat files
C. Compressed image files
D. Segmented files
Selected Answer: D
Question #: 441
Topic #: 1
Which of the following email headers specifies an address for mailer-generated errors, like “no such user” bounce messages, to go to (instead of the sender’s address)?
A. Mime-Version header
B. Content-Type header
C. Content-Transfer-Encoding header
D. Errors-To header
Selected Answer: D
Question #: 440
Topic #: 1
What malware analysis operation can the investigator perform using the jv16 tool?
A. Files and Folder Monitor
B. Installation Monitor
C. Network Traffic Monitoring/Analysis
D. Registry Analysis/Monitoring
Selected Answer: C
Question #: 437
Topic #: 1
Hard disk data addressing is a method of allotting addresses to each _______ of data on a hard disk.
A. Physical block
B. Operating system block
C. Hard disk block
D. Logical block
Selected Answer: D
Question #: 436
Topic #: 1
Graphics Interchange Format (GIF) is a ____ RGB bitmap image format for images with up to 256 distinct colors per frame.
A. 8-bit
B. 32-bit
C. 16-bit
D. 24-bit
Selected Answer: A
Question #: 434
Topic #: 1
Which part of the Metasploit framework helps users to hide data in the space of a previously deleted file or space currently unused by an allocated file?
A. Waffen FS
B. RuneFS
C. FragFS
D. Slacker
Selected Answer: A
Question #: 425
Topic #: 1
Which of the following is a MAC-based File Recovery Tool?
A. VirtualLab
B. GetDataBack
C. Cisdem DataRecovery 3
D. Smart Undeleter
Selected Answer: C
Question #: 416
Topic #: 1
Which of the following is NOT physical evidence?
A. Removable media
B. Cables
C. Image file on a hard disk
D. Publications
Selected Answer: B
Question #: 403
Topic #: 1
An investigator has acquired packed software and needs to analyze it for malicious content. Which of the following tools can help in identifying the packer used?
A. SysAnalyzer
B. PEiD
C. Comodo Programs Manager
D. Dependency Walker
Selected Answer: B
Question #: 387
Topic #: 1
NTFS has less slack space than FAT, and therefore less room to hide data in slack space. This is because:
A. FAT does not index files
B. NTFS is a journaling file system
C. NTFS has lower cluster size space
D. FAT is an older and inefficient file system
Selected Answer: C
Question #: 385
Topic #: 1
Which password cracking technique uses every possible combination of character sets?
A. Rainbow table attack
B. Brute force attack
C. Rule-based attack
D. Dictionary attack
Selected Answer: B
Question #: 356
Topic #: 1
Charles has accidentally deleted an important file while working on his Mac computer. He wants to recover the deleted file as it contains some of his crucial business secrets. Which of the following tools will help Charles?
A. Xplico
B. Colasoft’s Capsa
C. FileSalvage
D. DriveSpy
Selected Answer: C
Question #: 352
Topic #: 1
Files stored in the Recycle Bin in its physical location are renamed as Dxy.ext, where `x` represents the ___________________.
A. Drive name
B. Original file name’s extension
C. Sequential number
D. Original file name
Selected Answer: A
Question #: 351
Topic #: 1
What does the part of the log, `% SEC-6-IPACCESSLOGP`, extracted from a Cisco router represent?
A. The system was not able to process the packet because there was not enough room for all of the desired IP header options
B. Immediate action required messages
C. Some packet-matching logs were missed because the access list log messages were rate limited, or no access list log buffers were available
D. A packet matching the log criteria for the given access list has been detected (TCP or UDP)
Selected Answer: D
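Added example (Python), not code from the original page: a parser for the `%FACILITY-SEVERITY-MNEMONIC` identifier that every Cisco IOS syslog message carries, with the IPACCESSLOGP text split into ACL, action, protocol, addresses and ports so that denied connections can be counted per source. The log lines in `SAMPLE_LOG` are constructed for illustration; the severity names are the standard IOS levels 0 to 7, and the mnemonic table covers only the IPACCESSLOG family the question is about.

```python
"""Parse Cisco IOS syslog identifiers such as %SEC-6-IPACCESSLOGP.

Added example, not code from the original page. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

# IOS message identifier: %FACILITY-SEVERITY-MNEMONIC: free text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)

# IPACCESSLOGP text: list <acl> <action> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

MNEMONIC_MEANING = {
    "IPACCESSLOGP": "packet matched the ACL log criteria (TCP or UDP, ports logged)",
    "IPACCESSLOGDP": "packet matched the ACL log criteria (ICMP)",
    "IPACCESSLOGNP": "packet matched the ACL log criteria (other IP protocol)",
    "IPACCESSLOGRL": "ACL log messages were rate limited or no log buffers were free; matches were missed",
}


def parse_line(line):
    """Return a dict describing the IOS message in `line`, or None if no identifier is present."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev = int(m["severity"])
    event = {
        "facility": m["facility"],
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m["mnemonic"],
        "meaning": MNEMONIC_MEANING.get(m["mnemonic"], "mnemonic not in table"),
        "text": m["text"],
    }
    if m["mnemonic"] == "IPACCESSLOGP":
        a = ACL_RE.search(m["text"])
        if a:
            acl = a.groupdict()
            for key in ("sport", "dport", "count"):
                acl[key] = int(acl[key])
            event["acl"] = acl
    return event


def denied_sources(lines):
    """Count denied TCP/UDP packets per source address across a log."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and "acl" in ev and ev["acl"]["action"] == "denied":
            counts[ev["acl"]["src"]] += ev["acl"]["count"]
    return counts


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "*Mar 10 12:00:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4321) -> 192.0.2.10(23), 1 packet",
    "*Mar 10 12:00:03.456: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4322) -> 192.0.2.10(22), 3 packets",
    "*Mar 10 12:00:05.789: %SEC-6-IPACCESSLOGP: list 101 permitted udp 198.51.100.7(53) -> 192.0.2.10(53), 1 packet",
    "*Mar 10 12:00:09.000: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets",
    "*Mar 10 12:01:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_line(line)
        print(ev["facility"], ev["severity_name"], ev["mnemonic"], "-", ev["meaning"])
    print("denied packets by source:", dict(denied_sources(SAMPLE_LOG)))
```

The IPACCESSLOGRL line matters when interpreting counts: when the router has rate limited its ACL logging, the per-source totals are a lower bound, not the real number of matching packets.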
Question #: 350
Topic #: 1
The investigator wants to examine changes made to the system’s registry by the suspect program. Which of the following tools can help the investigator?
A. TRIPWIRE
B. RAM Capturer
C. Regshot
D. What’s Running
Selected Answer: C
Question #: 343
Topic #: 1
Ivanovich, a forensics investigator, is trying to extract complete information about running processes from a system. Where should he look apart from the RAM and virtual memory?
A. Swap space
B. Application data
C. Files and documents
D. Slack space
Selected Answer: A
Question #: 336
Topic #: 1
Depending upon the jurisdiction, different laws apply to different incidents. Which of the following laws relates to fraud and related activity in connection with computers?
A. 18 USC §1029
B. 18 USC §1030
C. 18 USC §1361
D. 18 USC §1371
Selected Answer: B
Question #: 335
Topic #: 1
Casey has acquired data from a hard disk in an open source acquisition format that allows her to generate compressed or uncompressed image files. What format did she use?
A. Portable Document Format
B. Advanced Forensics Format (AFF)
C. Proprietary Format
D. Raw Format
Selected Answer: B
Question #: 308
Topic #: 1
Which US law does the interstate or international transportation and receiving of child pornography fall under?
A. 18 U.S.C. §1466A
B. 18 U.S.C. §252
C. 18 U.S.C. §146A
D. 18 U.S.C. §2252
Selected Answer: D
Question #: 299
Topic #: 1
While presenting his case to the court, Simon calls many witnesses to the stand to testify. Simon decides to call Hillary Taft, a lay witness, to the stand. Since
Hillary is a lay witness, what field would she be considered an expert in?
A. Technical material related to forensics
B. No particular field
C. Judging the character of defendants/victims
D. Legal issues
Selected Answer: B
Question #: 649
Topic #: 1
Robert needs to copy an OS disk snapshot of a compromised VM to a storage account in a different region for further investigation. Which of the following should he use in this scenario?
A. Azure Active Directory
B. Azure Portal
C. Azure CLI
D. Azure Monitor
Selected Answer: C
Question #: 143
Topic #: 1
Jessica works as systems administrator for a large electronics firm. She wants to scan her network quickly to detect live hosts by using ICMP ECHO Requests.
What type of scan is Jessica going to perform?
A. Tracert
B. Smurf scan
C. Ping trace
D. ICMP ping sweep
Selected Answer: D
Question #: 4
Topic #: 1
How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?
A. 128
B. 64
C. 32
D. 16
Selected Answer: C
Question #: 661
Topic #: 1
The information security manager at a national legal firm has received several alerts from the intrusion detection system that a known attack signature was detected against the organization’s file server. What should the information security manager do first?
A. Disconnect the file server from the network
B. Update the anti-virus definitions on the file server
C. Report the incident to senior management
D. Manually investigate to verify that an incident has occurred
Selected Answer: D
Question #: 2
Topic #: 1
If you come across a sheepdip machine at your client site, what would you infer?
A. A sheepdip coordinates several honeypots
B. A sheepdip computer is another name for a honeypot
C. A sheepdip computer is used only for virus-checking.
D. A sheepdip computer defers a denial of service attack
Selected Answer: C
Question #: 389
Topic #: 1
Which of the following data structures stores attributes of a process, as well as pointers to other attributes and data structures?
A. Lsproc
B. DumpChk
C. RegEdit
D. EProcess
Selected Answer: D
Question #: 344
Topic #: 1
When marking evidence that has been collected with the `aaa/ddmmyy/nnnn/zz` format, what does the `nnnn` denote?
A. The initials of the forensics analyst
B. The sequence number for the parts of the same exhibit
C. The year the evidence was taken
D. The sequential number of the exhibits seized by the analyst
Selected Answer: D
Question #: 616
Topic #: 1
Rule 1002 of Federal Rules of Evidence (US) talks about ______________.
A. Admissibility of duplicates
B. Admissibility of original
C. Admissibility of other evidence of contents
D. Requirement of original
Selected Answer: D
Question #: 618
Topic #: 1
Jacob, a cybercrime investigator, joined a forensics team to participate in a criminal case involving digital evidence. After the investigator collected all the evidence and presents it to the court, the judge dropped the case and the defense attorney pressed charges against Jacob and the rest of the forensics team for unlawful search and seizure. What forensics privacy issue was not addressed prior to collecting the evidence?
A. Compliance with the Third Amendment of the U.S. Constitution
B. None of these
C. Compliance with the Second Amendment of the U.S. Constitution
D. Compliance with the Fourth Amendment of the U.S. Constitution
Selected Answer: D
Question #: 48
Topic #: 1
You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics lab. How many law-enforcement computer investigators should you request to staff the lab?
A. 8
B. 1
C. 4
D. 2
Selected Answer: D
Question #: 326
Topic #: 1
Which of the following commands shows you all of the network services running on Windows-based servers?
A. Net start
B. Net Session
C. Net use
D. Net config
Selected Answer: A
Question #: 70
Topic #: 1
How many sectors will a 125 KB file use in a FAT32 file system?
A. 32
B. 16
C. 256
D. 25
Selected Answer: C
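Added example (Python), not code from the original page, covering both this sector question and Question 387 on slack space above: the arithmetic an examiner does to turn a file size and a cluster size into clusters allocated, sectors occupied, slack bytes, and the offset inside the last cluster where the slack begins. The 512-byte sector and the "typical default" cluster sizes in `compare_file_systems` (16 KB for FAT32, 4 KB for NTFS) are assumptions for illustration; the real values come from the volume itself (for example `fsutil fsinfo ntfsinfo` on Windows).

```python
"""Cluster allocation and slack-space arithmetic for a file on a FAT/NTFS volume.

Added example, not code from the original page. Sector and cluster sizes are
assumptions; read them from the volume under examination.
"""
import math

SECTOR_BYTES = 512  # assumption: classic 512-byte sectors


def allocation(file_size, cluster_size, sector_size=SECTOR_BYTES):
    """Describe how a file of `file_size` bytes is laid out with the given cluster size."""
    if file_size < 0 or cluster_size <= 0 or cluster_size % sector_size:
        raise ValueError("cluster size must be a positive multiple of the sector size")
    clusters = math.ceil(file_size / cluster_size)      # last cluster is only partly used
    allocated = clusters * cluster_size
    slack = allocated - file_size                        # bytes after EOF in the last cluster
    # Where the slack starts inside the last cluster; None when the file ends on a boundary.
    slack_offset = None if slack == 0 else file_size % cluster_size
    return {
        "clusters": clusters,
        "sectors": allocated // sector_size,
        "allocated_bytes": allocated,
        "slack_bytes": slack,
        "slack_offset_in_last_cluster": slack_offset,
    }


def compare_file_systems(file_size):
    """Slack bytes for the same file under assumed FAT32 and NTFS default cluster sizes."""
    layouts = {"FAT32 (16 KB clusters)": 16 * 1024, "NTFS (4 KB clusters)": 4 * 1024}
    return {name: allocation(file_size, cs)["slack_bytes"] for name, cs in layouts.items()}


if __name__ == "__main__":
    # The question's 125 KB file: 125 * 1024 = 128000 bytes.
    print(allocation(125 * 1024, 4096))
    # A smaller file shows why larger clusters leave more room for hidden data.
    print(compare_file_systems(10000))
```

For the 125 KB file with 4 KB clusters the last cluster holds only 1024 bytes of file data, so 3072 bytes of slack follow it and the file occupies 32 clusters, that is 256 sectors. The same file on a volume with larger clusters occupies fewer clusters, but the slack left in the final cluster is what an examiner carves for hidden data.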
Question #: 488
Topic #: 1
During an investigation of an XSS attack, the investigator comes across the term `[a-zA-Z0-9\%]+` in analyzed evidence details. What is the expression used for?
A. Checks for upper and lower-case alphanumeric string inside the tag, or its hex representation
B. Checks for forward slash used in HTML closing tags, its hex or double-encoded hex equivalent
C. Checks for opening angle bracket, its hex or double-encoded hex equivalent
D. Checks for closing angle bracket, hex or double-encoded hex equivalent
Selected Answer: A
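Added example (Python), not code from the original page: the character class in the question is one piece of the widely used Snort-style XSS signature `((\%3C)|<)((\%2F)|\/)*[a-zA-Z0-9\%]+((\%3E)|>)`, and the block below runs that whole signature over constructed payloads, both raw and after URL-decoding. It shows that the rule catches a plain tag and a single-URL-encoded tag, but not a double-encoded one until the evidence is decoded first, which is why an investigator decodes before matching.

```python
"""Apply the Snort-style simple-tag XSS signature to raw and URL-decoded input.

Added example, not code from the original page. PAYLOADS are constructed.
"""
import re
from urllib.parse import unquote

# ((%3C)|<)       opening angle bracket or its URL-encoded hex form
# ((%2F)|/)*      optional forward slash (closing tag) or its hex form
# [a-zA-Z0-9%]+   the tag name: alphanumerics, or a hex-encoded character
# ((%3E)|>)       closing angle bracket or its hex form
XSS_TAG_RE = re.compile(r"((%3C)|<)((%2F)|/)*[a-zA-Z0-9%]+((%3E)|>)", re.IGNORECASE)


def matches_xss_signature(s):
    return XSS_TAG_RE.search(s) is not None


def matched_tag(s):
    """The substring the signature fired on, or None."""
    m = XSS_TAG_RE.search(s)
    return m.group(0) if m else None


def decode_layers(s, max_layers=3):
    """URL-decode repeatedly until the string stops changing (handles %253C style double encoding)."""
    for _ in range(max_layers):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(payload):
    """Return (matches_raw, matches_after_decoding, decoded_payload)."""
    decoded = decode_layers(payload)
    return matches_xss_signature(payload), matches_xss_signature(decoded), decoded


# Constructed payloads: plain, single-encoded, closing tag, double-encoded, and benign text.
PAYLOADS = [
    "<script>alert(1)</script>",
    "%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "%3C%2Fscript%3E",
    "%253Cscript%253E",
    "price < 100 and > 50",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        raw, decoded, text = classify(p)
        print(f"{p!r}: raw={raw} decoded={decoded} fired_on={matched_tag(text)!r}")
```

The benign comparison `price < 100 and > 50` does not fire because the signature requires a tag-name character immediately after the bracket; the double-encoded `%253Cscript%253E` fires only after decoding, which is the case the "double-encoded hex equivalent" wording in the other options refers to.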
Question #: 232
Topic #: 1
Why should you never power on a computer that you need to acquire digital evidence from?
A. When the computer boots up, files are written to the computer, rendering the data unclean
B. When the computer boots up, the system cache is cleared, which could destroy evidence
C. When the computer boots up, data in the memory buffer is cleared, which could destroy evidence
D. Powering on a computer has no effect when needing to acquire digital evidence from it
Selected Answer: A
Question #: 61
Topic #: 1
What method of computer forensics will allow you to trace all user accounts ever established on a Windows 2000 server over the course of its lifetime?
A. forensic duplication of hard drive
B. analysis of volatile data
C. comparison of MD5 checksums
D. review of SIDs in the Registry
Selected Answer: D
Question #: 366
Topic #: 1
Annie is searching for certain deleted files on a system running Windows XP OS. Where will she find the files if they were not completely deleted from the system?
A. C:\$Recycled.Bin
B. C:\$Recycle.Bin
C. C:\RECYCLER
D. C:\$RECYCLER
Selected Answer: C
Question #: 210
Topic #: 1
What type of equipment would a forensics investigator store in a StrongHold bag?
A. PDA
B. Backup tapes
C. Hard drives
D. Wireless cards
Selected Answer: A
Question #: 195
Topic #: 1
Julia is a senior security analyst for Berber Consulting group. She is currently working on a contract for a small accounting firm in Florida. They have given her permission to perform social engineering attacks on the company to see if their in-house training did any good. Julia calls the main number for the accounting firm and talks to the receptionist. Julia says that she is an IT technician from the company’s main office in Iowa. She states that she needs the receptionist’s network username and password to troubleshoot a problem they are having. Julia says that Bill Hammond, the CEO of the company, requested this information. After hearing the name of the CEO, the receptionist gave Julia all the information she asked for. What principle of social engineering did Julia use?
A. Social Validation
B. Scarcity
C. Friendship/Liking
D. Reciprocation
Selected Answer: A
Question #: 163
Topic #: 1
In Linux, what is the smallest possible shellcode?
A. 24 bytes
B. 8 bytes
C. 800 bytes
D. 80 bytes
Selected Answer: A
Question #: 62
Topic #: 1
Which response organization tracks hoaxes as well as viruses?
A. NIPC
B. FEDCIRC
C. CERT
D. CIAC
Selected Answer: D
Question #: 45
Topic #: 1
If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?
A. The system files have been copied by a remote attacker
B. The system administrator has created an incremental backup
C. The system has been compromised using a t0rnrootkit
D. Nothing in particular as these can be operational files
Selected Answer: C
Question #: 21
Topic #: 1
When examining the log files from a Windows IIS Web Server, how often is a new log file created?
A. the same log is used at all times
B. a new log file is created everyday
C. a new log file is created each week
D. a new log is created each time the Web Server is started
Selected Answer: B
Question #: 322
Topic #: 1
Company ABC has employed a firewall, IDS, Antivirus, Domain Controller, and SIEM. The company’s domain controller goes down. From which system would you begin your investigation?
A. Domain Controller
B. Firewall
C. SIEM
D. IDS
Selected Answer: C
Question #: 231
Topic #: 1
A forensics investigator is searching the hard drive of a computer for files that were recently moved to the Recycle Bin. He searches for files in C:\RECYCLED using a command line tool but does not find anything. What is the reason for this?
A. He should search in C:\Windows\System32\RECYCLED folder
B. The Recycle Bin does not exist on the hard drive
C. The files are hidden and he must use switch to view them
D. Only FAT system contains RECYCLED folder and not NTFS
Selected Answer: D
Question #: 220
Topic #: 1
A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?
A. Searching for evidence themselves would not have any ill effects
B. Searching could possibly crash the machine or device
C. Searching creates cache files, which would hinder the investigation
D. Searching can change date/time stamps
Selected Answer: D
Question #: 197
Topic #: 1
What will the following command accomplish?
C:\> nmap -v -sS -P0 <ip> --data_length 66000 --packet_trace
A. Test ability of a router to handle over-sized packets
B. Test the ability of a router to handle under-sized packets
C. Test the ability of a WLAN to handle fragmented packets
D. Test the ability of a router to handle fragmented packets
Selected Answer: A
Question #: 668
Topic #: 1
Debbie has obtained a warrant to search a known pedophile’s house. Debbie went to the house and executed the search warrant to seize digital devices that have been recorded as being used for downloading illicit images. She seized all digital devices except a digital camera. Why did she not collect the digital camera?
A. The digital camera was not listed as one of the digital devices in the warrant
B. Debbie overlooked the digital camera because it is not a computer system
C. The digital camera was old, had a cracked screen, and did not have batteries. Therefore, it could not have been used in a crime.
D. The vehicle Debbie was using to transport the evidence was already full and could not carry more items
Selected Answer: A
Question #: 663
Topic #: 1
You are a forensic investigator who is analyzing a hard drive that was recently collected as evidence. You have been unsuccessful at locating any meaningful evidence within the file system and suspect a drive wiping utility may have been used. You have reviewed the keys within the software hive of the Windows registry and did not find any drive wiping utilities. How can you verify that drive wiping software was used on the hard drive?
A. Check the list of installed programs
B. Look for distinct repeating patterns on the hard drive at the bit level
C. Document in your report that you suspect a drive wiping utility was used, but no evidence was found
D. Load various drive wiping utilities offline, and export previous run reports
Selected Answer: B
Question #: 639
Topic #: 1
Frank, a cloud administrator in his company, needs to take backup of the OS disks of two Azure VMs that store business-critical data. Which type of Azure blob storage can he use for this purpose?
A. Append blob
B. Medium blob
C. Block blob
D. Page blob
Selected Answer: D
Question #: 638
Topic #: 1
During an investigation, Noel found a SIM card from the suspect’s mobile. The ICCID on the card is 8944245252001451548.
What do the first four digits (89 and 44) of the ICCID represent?
A. TAC and industry identifier
B. Industry identifier and country code
C. Country code and industry identifier
D. Issuer identifier number and TAC
Selected Answer: B
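Added example (Python), not code from the original page: a parser that splits an ICCID into the fields defined by ITU-T E.118 (major industry identifier, country code, then the issuer identifier and individual account number, with a trailing Luhn check digit) and validates the check digit. `COUNTRY_CODES` is a deliberately small lookup table and an assumption of this example; a real tool would carry the full E.164 country-code list. The Luhn result for the question's ICCID is simply what the arithmetic yields on that number.

```python
"""Parse an ICCID (ITU-T E.118) and validate its Luhn check digit.

Added example, not code from the original page. COUNTRY_CODES is a small
illustrative table, not a complete list.
"""


def luhn_valid(number):
    """Standard Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload):
    """The single digit that makes payload + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(payload + d):
            return d
    raise AssertionError("unreachable: exactly one digit always satisfies Luhn")


# Assumption: small E.164 country-code table for illustration only.
COUNTRY_CODES = {"1": "USA/Canada", "44": "United Kingdom", "49": "Germany", "91": "India"}


def parse_iccid(iccid):
    """Split an ICCID into MII, country code, issuer/account digits and check digit."""
    iccid = iccid.replace(" ", "")
    if not iccid.isdigit() or not 19 <= len(iccid) <= 20:
        raise ValueError("ICCID must be 19 or 20 digits")
    mii = iccid[:2]
    if mii != "89":
        raise ValueError("major industry identifier %s is not telecommunications (89)" % mii)
    body = iccid[2:-1]                       # everything between the MII and the check digit
    # Country codes are 1 to 3 digits; take the longest known prefix.
    cc = next((body[:n] for n in (3, 2, 1) if body[:n] in COUNTRY_CODES), None)
    cc_len = len(cc) if cc else 0
    return {
        "mii": mii,
        "country_code": cc,
        "country": COUNTRY_CODES.get(cc, "unknown (extend COUNTRY_CODES)"),
        "issuer_and_account": body[cc_len:],  # issuer identifier + individual account id, lengths vary by issuer
        "check_digit": iccid[-1],
        "luhn_valid": luhn_valid(iccid),
    }


if __name__ == "__main__":
    print(parse_iccid("8944245252001451548"))       # the ICCID from the question
    payload = "894424525200145154"
    print("check digit for", payload, "is", luhn_check_digit(payload))
```

A failed Luhn check on a recovered ICCID usually means a transcription or carving error rather than a forged card, so the check is worth running before the number is quoted in a report or sent to a carrier for subscriber records.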
Question #: 637
Topic #: 1
An investigator seized a notebook device installed with a Microsoft Windows OS. Which type of files would support an investigation of the data size and structure in the device?
A. APFS and HFS
B. Ext2 and Ext4
C. HFS and GNUC
D. NTFS and FAT
Selected Answer: D
Question #: 635
Topic #: 1
Brian has the job of analyzing malware for a software security company. Brian has setup a virtual environment that includes virtual machines running various versions of OSes. Additionally, Brian has setup separated virtual networks within this environment. The virtual environment does not connect to the company’s intranet nor does it connect to the external Internet. With everything setup, Brian now received an executable file from client that has undergone a cyberattack.
Brian ran the executable file in the virtual environment to see what it would do. What type of analysis did Brian perform?
A. Status malware analysis
B. Static OS analysis
C. Static malware analysis
D. Dynamic malware analysis
Selected Answer: D
Question #: 634
Topic #: 1
ISO/IEC 17025 is an accreditation for which of the following:
A. CHFI issuing agency
B. Chain of custody
C. Encryption
D. Forensics lab licensing
Selected Answer: D
Question #: 632
Topic #: 1
A computer forensics investigator or forensic analyst is a specially trained professional who works with law enforcement as well as private businesses to retrieve information from computers and other types of data storage devices. For this, the analyst should have an excellent working knowledge of all aspects of the computer. Which of the following is not a duty of the analyst during a criminal investigation?
A. To recover data from suspect devices
B. To fill the chain of custody
C. To create an investigation report
D. To enforce the security of all devices and software in the scene
Selected Answer: D
Question #: 627
Topic #: 1
In forensics ____________ are used to view stored or deleted data from both files and disk sectors.
A. Hex editors
B. SIEM tools
C. Hash algorithms
D. Host interfaces
Selected Answer: A
Question #: 625
Topic #: 1
When installed on a Windows machine, which port does the Tor browser use to establish a network connection via Tor nodes?
A. 49664/49665
B. 49667/49668
C. 9150/9151
D. 7680
Selected Answer: C