Pre-Winter Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

ECCouncil 312-49v10 Dumps

Page: 1 / 26
Total 704 questions

Computer Hacking Forensic Investigator (CHFI-v10) Questions and Answers

Question 1

An "idle" system is also referred to as what?

Options:

A.

PC not connected to the Internet

B.

Zombie

C.

PC not being used

D.

Bot

Buy Now
Question 2

When examining the log files from a Windows IIS Web Server, how often is a new log file created?

Options:

A.

the same log is used at all times

B.

a new log file is created everyday

C.

a new log file is created each week

D.

a new log is created each time the Web Server is started

Question 3

When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time?

Options:

A.

on the individual computer's ARP cache

B.

in the Web Server log files

C.

in the DHCP Server log files

D.

there is no way to determine the specific IP address

Question 4

Which of the following should a computer forensics lab used for investigations have?

Options:

A.

isolation

B.

restricted access

C.

open access

D.

an entry log

Question 5

What will the following command accomplish?

Options:

A.

Test ability of a router to handle over-sized packets

B.

Test the ability of a router to handle under-sized packets

C.

Test the ability of a WLAN to handle fragmented packets

D.

Test the ability of a router to handle fragmented packets

Question 6

What will the following command produce on a website login page? SELECT email, passwd, login_id, full_name FROM members WHERE email = 'someone@somehwere.com'; DROP TABLE members; --'

Options:

A.

Deletes the entire members table

B.

Inserts the Error! Reference source not found.email address into the members table

C.

Retrieves the password for the first user in the members table

D.

This command will not produce anything since the syntax is incorrect

Question 7

Why is it a good idea to perform a penetration test from the inside?

Options:

A.

It is never a good idea to perform a penetration test from the inside

B.

Because 70% of attacks are from inside the organization

C.

To attack a network from a hacker's perspective

D.

It is easier to hack from the inside

Question 8

You are a security analyst performing a penetration tests for a company in the Midwest. After some initial reconnaissance, you discover the IP addresses of some Cisco routers used by the company. You type in the following URL that includes the IP address of one of the routers:

After typing in this URL, you are presented with the entire configuration file for that router. What have you discovered?

Options:

A.

HTTP Configuration Arbitrary Administrative Access Vulnerability

B.

HTML Configuration Arbitrary Administrative Access Vulnerability

C.

Cisco IOS Arbitrary Administrative Access Online Vulnerability

D.

URL Obfuscation Arbitrary Administrative Access Vulnerability

Question 9

What does the superblock in Linux define?

Options:

A.

filesynames

B.

diskgeometr

C.

location of the firstinode

D.

available space

Question 10

A law enforcement officer may only search for and seize criminal evidence with _______________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists and the evidence of the specific crime exists at the place to be searched.

Options:

A.

Mere Suspicion

B.

A preponderance of the evidence

C.

Probable cause

D.

Beyond a reasonable doubt

Question 11

When examining a file with a Hex Editor, what space does the file header occupy?

Options:

A.

the last several bytes of the file

B.

the first several bytes of the file

C.

none, file headers are contained in the FAT

D.

one byte at the beginning of the file

Question 12

You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?

Options:

A.

The registry

B.

The swap file

C.

The recycle bin

D.

The metadata

Question 13

What information do you need to recover when searching a victim’s computer for a crime committed with specific e-mail message?

Options:

A.

Internet service provider information

B.

E-mail header

C.

Username and password

D.

Firewall log

Question 14

This is original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.

Options:

A.

Master Boot Record (MBR)

B.

Master File Table (MFT)

C.

File Allocation Table (FAT)

D.

Disk Operating System (DOS)

Question 15

A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation?

Options:

A.

Image the disk and try to recover deleted files

B.

Seek the help of co-workers who are eye-witnesses

C.

Check the Windows registry for connection data (you may or may not recover)

D.

Approach the websites for evidence

Question 16

You have compromised a lower-level administrator account on an Active Directory network of a small company in Dallas, Texas. You discover Domain Controllers through enumeration. You connect to one of the Domain Controllers on port 389 using ldp.exe. What are you trying to accomplish here?

Options:

A.

Poison the DNS records with false records

B.

Enumerate MX and A records from DNS

C.

Establish a remote connection to the Domain Controller

D.

Enumerate domain user accounts and built-in groups

Question 17

A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you are required to infer only what is explicit in the excerpt.

(Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)

03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111

TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF

***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32

TCP Options (3) => NOP NOP TS: 23678634 2878772

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111

UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84

Len: 64

01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ................

00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................

00 00 00 11 00 00 00 00 ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773

UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104

Len: 1084

47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8

Options:

A.

The attacker has conducted a network sweep on port 111

B.

The attacker has scanned and exploited the system using Buffer Overflow

C.

The attacker has used a Trojan on port 32773

D.

The attacker has installed a backdoor

Question 18

Hackers can gain access to Windows Registry and manipulate user passwords, DNS settings, access rights or others features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:

Options:

A.

HKEY_LOCAL_MACHINE\hardware\windows\start

B.

HKEY_LOCAL_USERS\Software\Microsoft\old\Version\Load

C.

HKEY_CURRENT_USER\Microsoft\Default

D.

HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run

Question 19

The police believe that Melvin Matthew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers and Educational Institutions. They also suspect that he has been stealing, copying and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspects door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant?

Options:

A.

The Fourth Amendment

B.

The USA patriot Act

C.

The Good Samaritan Laws

D.

The Federal Rules of Evidence

Question 20

You setup SNMP in multiple offices of your company. Your SNMP software manager is not receiving data from other offices like it is for your main office. You suspect that firewall changes are to blame. What ports should you open for SNMP to work through Firewalls? (Choose two.)

Options:

A.

162

B.

161

C.

163

D.

160

Question 21

What will the following URL produce in an unpatched IIS Web Server?

co%af../..%co%af../windows/system32/cmd.exe?/c+dir+c:\

Options:

A.

Directory listing of C: drive on the web server

B.

Insert a Trojan horse into the C: drive of the web server

C.

Execute a buffer flow in the C: drive of the web server

D.

Directory listing of the C:\windows\system32 folder on the web server

Question 22

Item 2If you come across a sheepdip machine at your client site, what would you infer?

Options:

A.

A sheepdip coordinates several honeypots

B.

A sheepdip computer is another name for a honeypot

C.

A sheepdip computer is used only for virus-checking.

D.

A sheepdip computer defers a denial of service attack

Question 23

Sectors in hard disks typically contain how many bytes?

Options:

A.

256

B.

512

C.

1024

D.

2048

Question 24

In conducting a computer abuse investigation you become aware that the suspect of the investigation is using ABC Company as his Internet Service Provider (ISP). You contact ISP and request that they provide you assistance with your investigation. What assistance can the ISP provide?

Options:

A.

The ISP can investigate anyone using their service and can provide you with assistance

B.

The ISP can investigate computer abuse committed by their employees, but must preserve the privacy of their customers and therefore cannot assist you without a warrant

C.

The ISP can't conduct any type of investigations on anyone and therefore can't assist you

D.

ISP's never maintain log files so they would be of no use to your investigation

Question 25

What should you do when approached by a reporter about a case that you are working on or have worked on?

Options:

A.

Refer the reporter to the attorney that retained you

B.

Say, "no comment"

C.

Answer all the reporter’s questions as completely as possible

D.

Answer only the questions that help your case

Question 26

When conducting computer forensic analysis, you must guard against ______________ So that you remain focused on the primary job and insure that the level of work does not increase beyond what was originally expected.

Options:

A.

Hard Drive Failure

B.

Scope Creep

C.

Unauthorized expenses

D.

Overzealous marketing

Question 27

After passively scanning the network of Department of Defense (DoD), you switch over to active scanning to identify live hosts on their network. DoD is a large organization and should respond to any number of scans. You start an ICMP ping sweep by sending an IP packet to the broadcast address. Only five hosts respond to your ICMP pings; definitely not the number of hosts you were expecting. Why did this ping sweep only produce a few responses?

Options:

A.

Only IBM AS/400 will reply to this scan

B.

Only Windows systems will reply to this scan

C.

A switched network will not respond to packets sent to the broadcast address

D.

Only Unix and Unix-like systems will reply to this scan

Question 28

What does the Rule 101 of Federal Rules of Evidence states?

Options:

A.

Scope of the Rules, where they can be applied

B.

Purpose of the Rules

C.

Limited Admissibility of the Evidence

D.

Rulings on Evidence

Question 29

You are a Penetration Tester and are assigned to scan a server. You need to use a scanning technique wherein the TCP Header is split into many packets so that it becomes difficult to detect what the packets are meant for. Which of the below scanning technique will you use?

Options:

A.

Inverse TCP flag scanning

B.

ACK flag scanning

C.

TCP Scanning

D.

IP Fragment Scanning

Question 30

During an investigation, Noel found the following SIM card from the suspect's mobile. What does the code 89 44 represent?

Options:

A.

Issuer Identifier Number and TAC

B.

Industry Identifier and Country code

C.

Individual Account Identification Number and Country Code

D.

TAC and Industry Identifier

Question 31

A Linux system is undergoing investigation. In which directory should the investigators look for its current state data if the system is in powered on state?

Options:

A.

/auth

B.

/proc

C.

/var/log/debug

D.

/var/spool/cron/

Question 32

What does the command “C:\>wevtutil gl ” display?

Options:

A.

Configuration information of a specific Event Log

B.

Event logs are saved in .xml format

C.

Event log record structure

D.

List of available Event Logs

Question 33

Which of the following Android libraries are used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen?

Options:

A.

OpenGL/ES and SGL

B.

Surface Manager

C.

Media framework

D.

WebKit

Question 34

Which part of Metasploit framework helps users to hide the data related to a previously deleted file or currently unused by the allocated file.

Options:

A.

Waffen FS

B.

RuneFS

C.

FragFS

D.

Slacker

Question 35

Which of the following techniques delete the files permanently?

Options:

A.

Steganography

B.

Artifact Wiping

C.

Data Hiding

D.

Trail obfuscation

Question 36

Hard disk data addressing is a method of allotting addresses to each _______ of data on a hard disk.

Options:

A.

Physical block

B.

Operating system block

C.

Hard disk block

D.

Logical block

Question 37

Which of the following file system uses Master File Table (MFT) database to store information about every file and directory on a volume?

Options:

A.

FAT File System

B.

ReFS

C.

exFAT

D.

NTFS File System

Question 38

Which of the following statements is TRUE about SQL Server error logs?

Options:

A.

SQL Server error logs record all the events occurred on the SQL Server and its databases

B.

Forensic investigator uses SQL Server Profiler to view error log files

C.

Error logs contain IP address of SQL Server client connections

D.

Trace files record, user-defined events, and specific system events

Question 39

As a part of the investigation, Caroline, a forensic expert, was assigned the task to examine the transaction logs pertaining to a database named Transfers. She used SQL Server Management Studio to collect the active transaction log files of the database. Caroline wants to extract detailed information on the logs, including AllocUnitId, page id, slot id, etc. Which of the following commands does she need to execute in order to extract the desired information?

Options:

A.

DBCC LOG(Transfers, 1)

B.

DBCC LOG(Transfers, 3)

C.

DBCC LOG(Transfers, 0)

D.

DBCC LOG(Transfers, 2)

Question 40

In Windows, prefetching is done to improve system performance. There are two types of prefetching: boot prefetching and application prefetching. During boot prefetching, what does the Cache Manager do?

Options:

A.

Determines the data associated with value EnablePrefetcher

B.

Monitors the first 10 seconds after the process is started

C.

Checks whether the data is processed

D.

Checks hard page faults and soft page faults

Question 41

Which of the following stand true for BIOS Parameter Block?

Options:

A.

The BIOS Partition Block describes the physical layout of a data storage volume

B.

The BIOS Partition Block is the first sector of a data storage device

C.

The length of BIOS Partition Block remains the same across all the file systems

D.

The BIOS Partition Block always refers to the 512-byte boot sector

Question 42

What must an attorney do first before you are called to testify as an expert?

Options:

A.

Qualify you as an expert witness

B.

Read your curriculum vitae to the jury

C.

Engage in damage control

D.

Prove that the tools you used to conduct your examination are perfect

Question 43

In a computer that has Dropbox client installed, which of the following files related to the Dropbox client store information about local Dropbox installation and the Dropbox user account, along with email IDs linked with the account?

Options:

A.

config.db

B.

install.db

C.

sigstore.db

D.

filecache.db

Question 44

What malware analysis operation can the investigator perform using the jv16 tool?

Options:

A.

Files and Folder Monitor

B.

Installation Monitor

C.

Network Traffic Monitoring/Analysis

D.

Registry Analysis/Monitoring

Question 45

Which of the following files contains the traces of the applications installed, run, or uninstalled from a system?

Options:

A.

Virtual Files

B.

Image Files

C.

Shortcut Files

D.

Prefetch Files

Question 46

> NMAP -sn 192.168.11.200-215 The NMAP command above performs which of the following?

Options:

A.

A trace sweep

B.

A port scan

C.

A ping scan

D.

An operating system detect

Question 47

Which component in the hard disk moves over the platter to read and write information?

Options:

A.

Actuator

B.

Spindle

C.

Actuator Axis

D.

Head

Question 48

Which cloud model allows an investigator to acquire the instance of a virtual machine and initiate the forensics examination process?

Options:

A.

PaaS model

B.

IaaS model

C.

SaaS model

D.

SecaaS model

Question 49

Which of the following files store the MySQL database data permanently, including the data that had been deleted, helping the forensic investigator in examining the case and finding the culprit?

Options:

A.

mysql-bin

B.

mysql-log

C.

iblog

D.

ibdata1

Question 50

Which of the following examinations refers to the process of providing the opposing side in a trial the opportunity to question a witness?

Options:

A.

Cross Examination

B.

Direct Examination

C.

Indirect Examination

D.

Witness Examination

Question 51

Adam, a forensic analyst, is preparing VMs for analyzing a malware. Which of the following is NOT a best practice?

Options:

A.

Isolating the host device

B.

Installing malware analysis tools

C.

Using network simulation tools

D.

Enabling shared folders

Question 52

Which U.S. law sets the rules for sending emails for commercial purposes, establishes the minimum requirements for commercial messaging, gives the recipients of emails the right to ask the senders to stop emailing them, and spells out the penalties in case the above said rules are violated?

Options:

A.

NO-SPAM Act

B.

American: NAVSO P-5239-26 (RLL)

C.

CAN-SPAM Act

D.

American: DoD 5220.22-M

Question 53

Which one of the following is not a first response procedure?

Options:

A.

Preserve volatile data

B.

Fill forms

C.

Crack passwords

D.

Take photos

Question 54

What does the 56.58.152.114(445) denote in a Cisco router log?

Jun 19 23:25:46.125 EST: %SEC-4-IPACCESSLOGP: list internet-inbound denied udp 67.124.115.35(8084) -> 56.58.152.114(445), 1 packet

Options:

A.

Source IP address

B.

None of the above

C.

Login IP address

D.

Destination IP address

Question 55

Which of the following is a record of the characteristics of a file system, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map and usage information, and the size of the block groups?

Options:

A.

Inode bitmap block

B.

Superblock

C.

Block bitmap block

D.

Data block

Question 56

Given the drive dimensions as follows and assuming a sector has 512 bytes, what is the capacity of the described hard drive?

22,164 cylinders/disk

80 heads/cylinder

63 sectors/track

Options:

A.

53.26 GB

B.

57.19 GB

C.

11.17 GB

D.

10 GB

Question 57

When should an MD5 hash check be performed when processing evidence?

Options:

A.

After the evidence examination has been completed

B.

On an hourly basis during the evidence examination

C.

Before and after evidence examination

D.

Before the evidence examination has been completed

Question 58

What does the 63.78.199.4(161) denotes in a Cisco router log?

Mar 14 22:57:53.425 EST: %SEC-6-IPACCESSLOGP: list internet-inbound denied udp 66.56.16.77(1029) -> 63.78.199.4(161), 1 packet

Options:

A.

Destination IP address

B.

Source IP address

C.

Login IP address

D.

None of the above

Question 59

Which of the following commands shows you all of the network services running on Windows-based servers?

Options:

A.

Netstart

B.

Net Session

C.

Net use

D.

Net config

Question 60

What will the following Linux command accomplish?

dd if=/dev/mem of=/home/sam/mem.bin bs=1024

Options:

A.

Copy the master boot record to a file

B.

Copy the contents of the system folder to a file

C.

Copy the running memory to a file

D.

Copy the memory dump file to an image file

Question 61

Watson, a forensic investigator, is examining a copy of an ISO file stored in CDFS format. What type of evidence is this?

Options:

A.

Data from a CD copied using Windows

B.

Data from a CD copied using Mac-based system

C.

Data from a DVD copied using Windows system

D.

Data from a CD copied using Linux system

Question 62

Which of the following are small pieces of data sent from a website and stored on the user’s computer by the user’s web browser to track, validate, and maintain specific user information?

Options:

A.

Temporary Files

B.

Open files

C.

Cookies

D.

Web Browser Cache

Question 63

Which of the following file contains the traces of the applications installed, run, or uninstalled from a system?

Options:

A.

Shortcut Files

B.

Virtual files

C.

Prefetch Files

D.

Image Files

Question 64

When carrying out a forensics investigation, why should you never delete a partition on a dynamic disk?

Options:

A.

All virtual memory will be deleted

B.

The wrong partition may be set to active

C.

This action can corrupt the disk

D.

The computer will be set in a constant reboot state

Question 65

If a PDA is seized in an investigation while the device is turned on, what would be the proper procedure?

Options:

A.

Keep the device powered on

B.

Turn off the device immediately

C.

Remove the battery immediately

D.

Remove any memory cards immediately

Question 66

What advantage does the tool Evidor have over the built-in Windows search?

Options:

A.

It can find deleted files even after they have been physically removed

B.

It can find bad sectors on the hard drive

C.

It can search slack space

D.

It can find files hidden within ADS

Question 67

When making the preliminary investigations in a sexual harassment case, how many investigators are you recommended having?

Options:

A.

One

B.

Two

C.

Three

D.

Four

Question 68

An executive has leaked the company trade secrets through an external drive. What process should the investigation team take if they could retrieve his system?

Options:

A.

Postmortem Analysis

B.

Real-Time Analysis

C.

Packet Analysis

D.

Malware Analysis

Question 69

Casey has acquired data from a hard disk in an open source acquisition format that allows her to generate compressed or uncompressed image files. What format did she use?

Options:

A.

Portable Document Format

B.

Advanced Forensics Format (AFF)

C.

Proprietary Format

D.

Raw Format

Question 70

What feature of Decryption Collection allows an investigator to crack a password as quickly as possible?

Options:

A.

Cracks every password in 10 minutes

B.

Distribute processing over 16 or fewer computers

C.

Support for Encrypted File System

D.

Support for MD5 hash verification

Question 71

Which program is the bootloader when Windows XP starts up?

Options:

A.

KERNEL.EXE

B.

NTLDR

C.

LOADER

D.

LILO

Question 72

Where does Encase search to recover NTFS files and folders?

Options:

A.

MBR

B.

MFT

C.

Slack space

D.

HAL

Question 73

When reviewing web logs, you see an entry for resource not found in the HTTP status code field.

What is the actual error code that you would see in the log for resource not found?

Options:

A.

202

B.

404

C.

606

D.

999

Question 74

Where is the startup configuration located on a router?

Options:

A.

Static RAM

B.

BootROM

C.

NVRAM

D.

Dynamic RAM

Question 75

All Blackberry email is eventually sent and received through what proprietary RIM-operated mechanism?

Options:

A.

Blackberry Message Center

B.

Microsoft Exchange

C.

Blackberry WAP gateway

D.

Blackberry WEP gateway

Question 76

The investigator wants to examine changes made to the system’s registry by the suspect program. Which of the following tool can help the investigator?

Options:

A.

TRIPWIRE

B.

RAM Capturer

C.

Regshot

D.

What’s Running

Question 77

While looking through the IIS log file of a web server, you find the following entries:

What is evident from this log file?

Options:

A.

Web bugs

B.

Cross site scripting

C.

Hidden fields

D.

SQL injection is possible

Question 78

Which of the following tool creates a bit-by-bit image of an evidence media?

Options:

A.

Recuva

B.

FileMerlin

C.

AccessData FTK Imager

D.

Xplico

Question 79

Which of the following tool enables a user to reset his/her lost admin password in a Windows system?

Options:

A.

Advanced Office Password Recovery

B.

Active@ Password Changer

C.

Smartkey Password Recovery Bundle Standard

D.

Passware Kit Forensic

Question 80

When operating systems mark a cluster as used but not allocated, the cluster is considered as _________

Options:

A.

Corrupt

B.

Bad

C.

Lost

D.

Unallocated

Question 81

What is the location of the binary files required for the functioning of the OS in a Linux system?

Options:

A.

/run

B.

/bin

C.

/root

D.

/sbin

Question 82

A clothing company has recently deployed a website on Its latest product line to Increase Its conversion rate and base of customers. Andrew, the network administrator recently appointed by the company, has been assigned with the task of protecting the website from Intrusion and vulnerabilities. Which of the following tool should Andrew consider deploying in this scenario?

Options:

A.

ModSecurity

B.

CryptaPix

C.

Recuva

D.

Kon-Boot

Question 83

Matthew has been assigned the task of analyzing a suspicious MS Office document via static analysis over an Ubuntu-based forensic machine. He wants to see what type of document It Is. whether It Is encrypted, or contains any flash objects/VBA macros. Which of the following python-based script should he run to get relevant information?

Options:

A.

oleform.py

B.

oleid.py

C.

oledir.py

D.

pdfid.py

Question 84

Which of the following applications will allow a forensic investigator to track the user login sessions and user transactions that have occurred on an MS SQL Server?

Options:

A.

ApexSQL Audit

B.

netcat

C.

Notepad++

D.

Event Log Explorer

Question 85

During a forensic investigation, a large number of files were collected. The investigator needs to evaluate ownership and accountability of those files. Therefore, he begins to Identify attributes such as "author name," "organization name." "network name," or any additional supporting data that is meant for the owner's Identification purpose. Which term describes these attributes?

Options:

A.

Data header

B.

Data index

C.

Metabase

D.

Metadata

Question 86

In forensics.______are used lo view stored or deleted data from both files and disk sectors.

Options:

A.

Hash algorithms

B.

SI EM tools

C.

Host interfaces

D.

Hex editors

Question 87

Williamson is a forensic investigator. While investigating a case of data breach at a company, he is maintaining a document that records details such as the forensic processes applied on the collected evidence, particulars of people handling It. the dates and times when it Is being handled, and the place of storage of the evidence. What do you call this document?

Options:

A.

Consent form

B.

Log book

C.

Authorization form

D.

Chain of custody

Question 88

What is the extension used by Windows OS for shortcut files present on the machine?

Options:

A.

.log

B.

.pf

C.

.lnk

D.

.dat

Question 89

Jacob, a cybercrime investigator, joined a forensics team to participate in a criminal case involving digital evidence. After the investigator collected all the evidence and presents it to the court, the judge dropped the case and the defense attorney pressed charges against Jacob and the rest of the forensics team for unlawful search and seizure. What forensics privacy issue was not addressed prior to collecting the evidence?

Options:

A.

Compliance with the Second Amendment of the U.S. Constitution

B.

Compliance with the Third Amendment of the U.S. Constitution

C.

None of these

D.

Compliance with the Fourth Amendment of the U.S. Constitution

Question 90

Edgar is part of the FBI's forensic media and malware analysis team; he Is analyzing a current malware and Is conducting a thorough examination of the suspect system, network, and other connected devices. Edgar's approach Is to execute the malware code to know how It Interacts with the host system and Its Impacts on It. He is also using a virtual machine and a sandbox environment.

What type of malware analysis is Edgar performing?

Options:

A.

Malware disassembly

B.

VirusTotal analysis

C.

Static analysis

D.

Dynamic malware analysis/behavioral analysis

Question 91

Web browsers can store relevant information from user activities. Forensic investigators may retrieve files, lists, access history, cookies, among other digital footprints. Which tool can contribute to this task?

Options:

A.

Most Recently Used (MRU) list

B.

MZCacheView

C.

Google Chrome Recovery Utility

D.

Task Manager

Question 92

When Investigating a system, the forensics analyst discovers that malicious scripts were Injected Into benign and trusted websites. The attacker used a web application to send malicious code. In the form of a browser side script, to a different end-user. What attack was performed here?

Options:

A.

Brute-force attack

B.

Cookie poisoning attack

C.

Cross-site scripting attack

D.

SQL injection attack

Question 93

Debbie has obtained a warrant to search a known pedophiles house. Debbie went to the house and executed the search warrant to seize digital devices that have been recorded as being used for downloading Illicit Images. She seized all digital devices except a digital camera. Why did she not collect the digital camera?

Options:

A.

The digital camera was not listed as one of the digital devices in the warrant

B.

The vehicle Debbie was using to transport the evidence was already full and could not carry more items

C.

Debbie overlooked the digital camera because it is not a computer system

D.

The digital camera was old. had a cracked screen, and did not have batteries. Therefore, it could not have been used in a crime.

Question 94

The information security manager at a national legal firm has received several alerts from the intrusion detection system that a known attack signature was detected against the organization's file server. What should the information security manager do first?

Options:

A.

Report the incident to senior management

B.

Update the anti-virus definitions on the file server

C.

Disconnect the file server from the network

D.

Manually investigate to verify that an incident has occurred

Question 95

According to RFC 3227, which of the following is considered as the most volatile item on a typical system?

Options:

A.

Registers and cache

B.

Temporary system files

C.

Archival media

D.

Kernel statistics and memory

Question 96

When installed on a Windows machine, which port does the Tor browser use to establish a network connection via Tor nodes?

Options:

A.

7680

B.

49667/49668

C.

9150/9151

D.

49664/49665

Question 97

Which Federal Rule of Evidence speaks about the Hearsay exception where the availability of the declarant Is immaterial and certain characteristics of the declarant such as present sense Impression, excited utterance, and recorded recollection are also observed while giving their testimony?

Options:

A.

Rule 801

B.

Rule 802

C.

Rule 804

D.

Rule 803

Question 98

Storage location of Recycle Bin for NTFS file systems (Windows Vista and later) is located at:

Options:

A.

Drive:\$ Recycle. Bin

B.

DriveARECYClE.BIN

C.

Drive:\RECYCLER

D.

Drive:\REYCLED

Question 99

An EC2 instance storing critical data of a company got infected with malware. The forensics team took the EBS volume snapshot of the affected Instance to perform further analysis and collected other data of evidentiary value. What should be their next step?

Options:

A.

They should pause the running instance

B.

They should keep the instance running as it stores critical data

C.

They should terminate all instances connected via the same VPC

D.

They should terminate the instance after taking necessary backup

Question 100

Which of the following statements is true with respect to SSDs (solid-state drives)?

Options:

A.

Like HDDs. SSDs also have moving parts

B.

SSDs cannot store non-volatile data

C.

SSDs contain tracks, clusters, and sectors to store data

D.

Faster data access, lower power usage, and higher reliability are some of the m

Question 101

Mark works for a government agency as a cyber-forensic investigator. He has been given the task of restoring data from a hard drive. The partition of the hard drive was deleted by a disgruntled employee In order to hide their nefarious actions. What tool should Mark use to restore the data?

Options:

A.

EFSDump

B.

Diskmon D

C.

iskvlew

D.

R-Studio

Question 102

James, a forensics specialist, was tasked with investigating a Windows XP machine that was used for malicious online activities. During the Investigation, he recovered certain deleted files from Recycle Bin to Identify attack clues.

Identify the location of Recycle Bin in Windows XP system.

Options:

A.

Drive:\$Recycle.Bin\

B.

Iocal/sha re/Trash

C.

Drive:\RECYCLER\

D.

DriveARECYCLED

Question 103

Choose the layer in iOS architecture that provides frameworks for iOS app development?

Options:

A.

Media services

B.

Cocoa Touch

C.

Core services

D.

Core OS

Question 104

Which of the following is a requirement for senders as per the CAN-SPAM act?

Options:

A.

Senders cannot use misleading or false header information

B.

Senders should never share their physical postal address in the email

C.

Senders must use deceptive subject lines

D.

Emails must not contain information regarding how to stop receiving emails from the sender in future

Question 105

Which of the following is the most effective tool for acquiring volatile data from a Windows-based system?

Options:

A.

Coreography

B.

Datagrab

C.

Ethereal

D.

Helix

Page: 1 / 26
Total 704 questions