CHFI-1
QUESTION 10 Which of the following commands shows you the NetBIOS name table each? A. nbtstat -n B. nbtstat -c C. nbtstat -r D. nbtstat -s
Answer: A
QUESTION 74 Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain the confidentiality of data. A. True B. False
Answer: A
;QUESTION 1 Which of the following commands shows you all of the network services running on Windowsbased servers? A. Net start B. Net use C. Net Session D. Net share
Answer: A
QUESTION 11 What is a bit-stream copy? A. Bit-Stream Copy is a bit-by-bit copy of the original storage medium and exact copy of the original disk B. A bit-stream image is the file that contains the NTFS files and folders of all the data on a disk or partition C. A bit-stream image is the file that contains the FAT32 files and folders of all the data on a disk or partition D. Creating a bit-stream image transfers only non-deleted files from the original disk to the image disk
Answer: A
QUESTION 13 Tracks numbering on a hard disk begins at 0 from the outer edge and moves towards the center, typically reaching a value of ___________. A. 1023 B. 1020 C. 1024 D. 2023
Answer: A
QUESTION 14 What is the goal of forensic science? A. To determine the evidential value of the crime scene and related evidence B. Mitigate the effects of the information security breach C. Save the good will of the investigating organization D. It is a disciple to deal with the legal processes
Answer: A
QUESTION 15 Attackers can manipulate variables that reference files with "dot-dot-slash (./)" sequences and their variations such as http://www.juggyDoy.corn/GET/process.php./././././././././etc/passwd. Identify the attack referred. A. Directory traversal B. SQL Injection C. XSS attack D. File injection
Answer: A
QUESTION 16 Which Is a Linux journaling file system? A. Ext3 B. HFS C. FAT D. BFS
Answer: A
QUESTION 18 Which of the following log injection attacks uses white space padding to create unusual log entries? A. Word wrap abuse attack B. HTML injection attack C. Terminal injection attack D. Timestamp injection attack
Answer: A
QUESTION 2 Data compression involves encoding the data to take up less storage space and less bandwidth for transmission. It helps in saving cost and high data manipulation in many business applications. Which data compression technique maintains data integrity? A. Lossless compression B. Lossy compression C. Speech encoding compression D. Lossy video compression
Answer: A
QUESTION 20 Recovery of the deleted partition is the process by which the investigator evaluates and extracts the deleted partitions. A. True B. False
Answer: A
QUESTION 22 What is a SCSI (Small Computer System Interface)? A. A set of ANSI standard electronic interfaces that allow personal computers to communicate with peripheral hardware such as disk drives, tape drives. CD-ROM drives, printers, and scanners B. A standard electronic interface used between a computer motherboard's data paths or bus and the computer's disk storage devices C. A "plug-and-play" interface, which allows a device to be added without an adapter card and without rebooting the computer D. A point-to-point serial bi-directional interface for transmitting data between computer devices at data rates of up to 4 Gbps
Answer: A
QUESTION 23 An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome. A. True B. False
Answer: A
QUESTION 24 Network forensics can be defined as the sniffing, recording, acquisition and analysis of the network traffic and event logs in order to investigate a network security incident. A. True B. False
Answer: A
QUESTION 26 LBA (Logical Block Address) addresses data by allotting a ___________to each sector of the hard disk. A. Sequential number B. Index number C. Operating system number D. Sector number
Answer: A
QUESTION 27 Which of the following attacks allows attacker to acquire access to the communication channels between the victim and server to extract the information? A. Man-in-the-middle (MITM) attack B. Replay attack C. Rainbow attack D. Distributed network attack
Answer: A
QUESTION 28 SMTP (Simple Mail Transfer protocol) receives outgoing mail from clients and validates source and destination addresses, and also sends and receives emails to and from other SMTP servers. A. True B. False
Answer: A
QUESTION 29 In Windows 7 system files, which file reads the Boot.ini file and loads Ntoskrnl.exe. Bootvid.dll. Hal.dll, and boot-start device drivers? A. Ntldr B. Gdi32.dll C. Kernel32.dll D. Boot.in
Answer: A
QUESTION 30 What is the "Best Evidence Rule"? A. It states that the court only allows the original evidence of a document, photograph, or recording at the trial rather than a copy B. It contains system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, and command history C. It contains hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, and event logs D. It contains information such as open network connection, user logout, programs that reside in memory, and cache data
Answer: A
QUESTION 31 What is the First Step required in preparing a computer for forensics investigation? A. Do not turn the computer off or on, run any programs, or attempt to access data on a computer B. Secure any relevant media C. Suspend automated document destruction and recycling policies that may pertain to any relevant media or users at Issue D. Identify the type of data you are seeking, the Information you are looking for, and the urgency level of the examination
Answer: A
QUESTION 32 What is the smallest allocation unit of a hard disk? A. Cluster B. Spinning tracks C. Disk platters D. Slack space
Answer: A
QUESTION 34 An expert witness is a witness, who by virtue of education, profession, or experience, is believed to have special knowledge of his/her subject beyond that of the average person, sufficient that others legally depend upon his/her opinion. A. True B. False
Answer: A
QUESTION 35 Physical security recommendations: There should be only one entrance to a forensics lab A. True B. False
Answer: A
QUESTION 39 Digital photography helps in correcting the perspective of the Image which Is used In taking the measurements of the evidence. Snapshots of the evidence and incident-prone areas need to be taken to help in the forensic process. Is digital photography accepted as evidence in the court of law? A. Yes B. No
Answer: A
QUESTION 4 Centralized logging is defined as gathering the computer system logs for a group of systems in a centralized location. It is used to efficiently monitor computer system logs with the frequency required to detect security violations and unusual activity. A. True B. False
Answer: A
QUESTION 41 Shortcuts are the files with the extension .Ink that are created and are accessed by the users. These files provide you with information about: A. Files or network shares B. Running application C. Application logs D. System logs
Answer: A
QUESTION 42 A computer forensic report is a report which provides detailed information on the complete forensics investigation process. A. True B. False
Answer: A
QUESTION 44 Computer security logs contain information about the events occurring within an organization's systems and networks. Application and Web server log files are useful in detecting web attacks. The source, nature, and time of the attack can be determined by _________of the compromised system. A. Analyzing log files B. Analyzing SAM file C. Analyzing rainbow tables D. Analyzing hard disk boot records
Answer: A
QUESTION 46 What is a first sector ("sector zero") of a hard disk? A. Master boot record B. System boot record C. Secondary boot record D. Hard disk boot record
Answer: A
QUESTION 48 Which of the following is the certifying body of forensics labs that investigate criminal cases by analyzing evidence? A. The American Society of Crime Laboratory Directors (ASCLD) B. International Society of Forensics Laboratory (ISFL) C. The American Forensics Laboratory Society (AFLS) D. The American Forensics Laboratory for Computer Forensics (AFLCF)
Answer: A
QUESTION 49 When a system is compromised, attackers often try to disable auditing, in Windows 7; modifications to the audit policy are recorded as entries of Event ID____________. A. 4902 B. 3902 C. 4904 D. 3904
Answer: A
QUESTION 5 Which wireless standard has bandwidth up to 54 Mbps and signals in a regulated frequency spectrum around 5 GHz? A. 802.11a B. 802.11b C. 802.11g D. 802.11i
Answer: A
QUESTION 51 Files stored in the Recycle Bin in its physical location are renamed as Dxy.ext, where, "X" represents the _________. A. Drive name B. Sequential number C. Original file name's extension D. Original file name
Answer: A
QUESTION 53 When collecting electronic evidence at the crime scene, the collection should proceed from the most volatile to the least volatile A. True B. False
Answer: A
QUESTION 55 Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in Windows 7 is: A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion \ProfileList B. HKEY_LOCAL_MACHlNE\SOFTWARE\Microsoft\Windows NT\CurrentVersion \NetworkList C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentsVersion \setup D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
Answer: A
QUESTION 56 Which device in a wireless local area network (WLAN) determines the next network point to which a packet should be forwarded toward its destination? A. Wireless router B. Wireless modem C. Antenna D. Mobile station
Answer: A
QUESTION 58 The ARP table of a router comes in handy for Investigating network attacks, as the table contains IP addresses associated with the respective MAC addresses. The ARP table can be accessed using the __________command in Windows 7. A. C:\arp -a B. C:\arp -d C. C:\arp -s D. C:\arp -b
Answer: A
QUESTION 59 International Mobile Equipment Identifier (IMEI) is a 15-dlgit number that indicates the manufacturer, model type, and country of approval for GSM devices. The first eight digits of an IMEI number that provide information about the model and origin of the mobile device is also known as: A. Type Allocation Code (TAC) B. Device Origin Code (DOC) C. Manufacturer identification Code (MIC) D. Integrated Circuit Code (ICC)
Answer: A
QUESTION 6 Hash injection attack allows attackers to inject a compromised hash into a local session and use the hash to validate network resources. A. True B. False
Answer: A
QUESTION 60 Who is responsible for the following tasks? - Secure the scene and ensure that it is maintained In a secure state until the Forensic Team advises- Make notes about the scene that will eventually be handed over to the Forensic Team A. Non-Laboratory Staff B. System administrators C. Local managers or other non-forensic staff D. Lawyers
Answer: A
QUESTION 63 How do you define forensic computing? A. It is the science of capturing, processing, and investigating data security incidents and making it acceptable to a court of law. B. It is a methodology of guidelines that deals with the process of cyber investigation C. It Is a preliminary and mandatory course necessary to pursue and understand fundamental principles of ethical hacking D. It is the administrative and legal proceeding in the process of forensic investigation
Answer: A
QUESTION 64 Which of the following steganography types hides the secret message in a specifically designed pattern on the document that is unclear to the average reader? A. Open code steganography B. Visual semagrams steganography C. Text semagrams steganography D. Technical steganography
Answer: A
QUESTION 65 What is the first step that needs to be carried out to crack the password? A. A word list is created using a dictionary generator program or dictionaries B. The list of dictionary words is hashed or encrypted C. The hashed wordlist is compared against the target hashed password, generally one word at a time D. If it matches, that password has been cracked and the password cracker displays the unencrypted version of the password
Answer: A
QUESTION 66 During first responder procedure you should follow all laws while collecting the evidence, and contact a computer forensic examiner as soon as possible A. True B. False
Answer: A
QUESTION 67 Buffer Overflow occurs when an application writes more data to a block of memory, or buffer, than the buffer is allocated to hold. Buffer overflow attacks allow an attacker to modify the _______________in order to control the process execution, crash the process and modify internal variables. A. Target process's address space B. Target remote access C. Target rainbow table D. Target SAM file
Answer: A
QUESTION 70 Web applications provide an Interface between end users and web servers through a set of web pages that are generated at the server-end or contain script code to be executed dynamically within the client Web browser. A. True B. False
Answer: A
QUESTION 71 Data Acquisition is the process of imaging or otherwise obtaining information from a digital device and its peripheral equipment and media A. True B. False
Answer: A
QUESTION 72 Under no circumstances should anyone, with the exception of qualified computer forensics personnel, make any attempts to restore or recover information from a computer system or device that holds electronic information. A. True B. False
Answer: A
QUESTION 75 When the operating system marks cluster as used, but does not allocate them to any file, such clusters are known as ___________. A. Lost clusters B. Bad clusters C. Empty clusters D. Unused clusters
Answer: A
QUESTION 77 Syslog is a client/server protocol standard for forwarding log messages across an IP network. Syslog uses ___________to transfer log messages in a clear text format. A. TCP B. FTP C. SMTP D. POP
Answer: A
QUESTION 78 How do you define Technical Steganography? A. Steganography that uses physical or chemical means to hide the existence of a message B. Steganography that utilizes written natural language to hide the message in the carrier in some non-obvious ways C. Steganography that utilizes written JAVA language to hide the message in the carrier in some non-obvious ways D. Steganography that utilizes visual symbols or signs to hide secret messages
Answer: A
QUESTION 8 Injection flaws are web application vulnerabilities that allow untrusted data to be Interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access. Which of the following injection flaws involves the injection of malicious code through a web application? A. SQL Injection B. Password brute force C. Nmap Scanning D. Footprinting
Answer: A
QUESTION 81 If the partition size Is 4 GB, each cluster will be 32 K. Even If a file needs only 10 K, the entire 32 K will be allocated, resulting In 22 K of___________. A. Slack space B. Deleted space C. Cluster space D. Sector space
Answer: A
QUESTION 88 All the Information about the user activity on the network, like details about login and logoff attempts, is collected in the security log of the computer. When a user's login is successful, successful audits generate an entry whereas unsuccessful audits generate an entry for failed login attempts in the logon event ID table. In the logon event ID table, which event ID entry (number) represents a successful logging on to a computer? A. 528 B. 529 C. 530 D. 531
Answer: A
QUESTION 91 Jason, a renowned forensic investigator, is investigating a network attack that resulted in the compromise of several systems in a reputed multinational's network. He started Wireshark to capture the network traffic. Upon investigation, he found that the DNS packets travelling across the network belonged to a non-company configured IP. Which of the following attack Jason can infer from his findings? A. DNS Poisoning B. Cookie Poisoning Attack C. DNS Redirection D. Session poisoning
Answer: A
QUESTION 92 In what circumstances would you conduct searches without a warrant? A. When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity B. Agents may search a place or object without a warrant if he suspect the crime was committed C. A search warrant is not required if the crime involves Denial-Of-Service attack over the Internet D. Law enforcement agencies located in California under section SB 567 are authorized to seize computers without warrant under all circumstances
Answer: A
QUESTION 94 Quality of a raster Image is determined by the _________________and the amount of information in each pixel. A. Total number of pixels B. Image file format C. Compression method D. Image file size
Answer: A
QUESTION 95 What is a chain of custody? A. A legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory B. It is a search warrant that is required for seizing evidence at a crime scene C. It Is a document that lists chain of windows process events D. Chain of custody refers to obtaining preemptive court order to restrict further damage of evidence in electronic seizures
Answer: A
QUESTION 96 A steganographic file system is a method to store the files in a way that encrypts and hides the data without the knowledge of others A. True B. False
Answer: A
QUESTION 99 Email archiving is a systematic approach to save and protect the data contained in emails so that it can be accessed fast at a later date. There are two main archive types, namely Local Archive and Server Storage Archive. Which of the following statements is correct while dealing with local archives? A. It is difficult to deal with the webmail as there is no offline archive in most cases. So consult your counsel on the case as to the best way to approach and gain access to the required data on servers B. Local archives do not have evidentiary value as the email client may alter the message data C. Local archives should be stored together with the server storage archives in order to be admissible in a court of law D. Server storage archives are the server information and settings stored on a local system whereas the local archives are the local email client information stored on the mail server
Answer: A
QUESTION 100 File signature analysis involves collecting information from the __________ of a file to determine the type and function of the file A. First 10 bytes B. First 20 bytes C. First 30 bytes D. First 40 bytes
Answer: B
QUESTION 25 Digital evidence validation involves using a hashing algorithm utility to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a disk drive or file. Which of the following hash algorithms produces a message digest that is 128 bits long? A. CRC-32 B. MD5 C. SHA-1 D. SHA-512
Answer: B
QUESTION 36 When dealing with the powered-off computers at the crime scene, if the computer is switched off, turn it on A. True B. False
Answer: B
QUESTION 43 Which one of the following statements is not correct while preparing for testimony? A. Go through the documentation thoroughly B. Do not determine the basic facts of the case before beginning and examining the evidence C. Establish early communication with the attorney D. Substantiate the findings with documentation and by collaborating with other computer forensics professionals
Answer: B
QUESTION 45 An intrusion detection system (IDS) gathers and analyzes information from within a computer or a network to identify any possible violations of security policy, including unauthorized access, as well as misuse. Which of the following intrusion detection systems audit events that occur on a specific host? A. Network-based intrusion detection B. Host-based intrusion detection C. Log file monitoring D. File integrity checking
Answer: B
QUESTION 54 Which of the following commands shows you the names of all open shared files on a server and number of file locks on each file? A. Net sessions B. Net file C. Netconfig D. Net share
Answer: B
QUESTION 57 When NTFS Is formatted, the format program assigns the __________ sectors to the boot sectors and to the bootstrap code A. First 12 B. First 16 C. First 22 D. First 24
Answer: B
QUESTION 61 Which of the following reports are delivered under oath to a board of directors/managers/panel of jury? A. Written informal Report B. Verbal Formal Report C. Written Formal Report D. Verbal Informal Report
Answer: B
QUESTION 62 You should always work with original evidence A. True B. False
Answer: B
QUESTION 68 Damaged portions of a disk on which no read/Write operation can be performed is known as ______________. A. Lost sector B. Bad sector C. Empty sector D. Unused sector
Answer: B
QUESTION 69 Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox, or overwhelm the server where the email address is hosted, to cause a denial-of-service attack? A. Email spamming B. Mail bombing C. Phishing D. Email spoofing
Answer: B
QUESTION 76 Cyber-crime is defined as any Illegal act involving a gun, ammunition, or its applications. A. True B. False
Answer: B
QUESTION 79 Digital evidence is not fragile in nature. A. True B. False
Answer: B
QUESTION 80 Depending upon the Jurisdictional areas, different laws apply to different incidents. Which of the following law is related to fraud and related activity in connection with computers? A. 18 USC 7029 B. 18 USC 1030 C. 18 USC 7361 D. 18 USC 7371
Answer: B
QUESTION 82 Deposition enables opposing counsel to preview an expert witness's testimony at trial. Which of the following deposition is not a standard practice? A. Both attorneys are present B. Only one attorneys is present C. No jury or judge D. Opposing counsel asks ;QUESTIONs
Answer: B
QUESTION 86 The Apache server saves diagnostic information and error messages that it encounters while processing requests. The default path of this file is usr/local/apache/logs/error.log in Linux. Identify the Apache error log from the following logs. A. 127.0.0.1 - frank [10/Oct/2000:13:55:36-0700] "GET /apache_pb.grf HTTP/1.0" 200 B. [Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /export/home/live/ap/htdocs/test C. http://victim.com/scripts/..%c0%af./..%c0%af./..%c0%af./..%c0%af./..%c0%af./..%c0%af./..%c0% af./..%c0%af./../winnt/system32/cmd.exe?/c+dir+c:\wintt\system32\Logfiles\W3SVC1 D. 127.0.0.1 --[10/Apr/2007:10:39:11 +0300] ] [error] "GET /apache_pb.gif HTTP/1.0' 200
Answer: B
QUESTION 87 A mobile operating system is the operating system that operates a mobile device like a mobile phone, smartphone, PDA, etc. It determines the functions and features available on mobile devices such as keyboards, applications, email, text messaging, etc. Which of the following mobile operating systems is free and open source? A. Web OS B. Android C. Apple IOS D. Symbian OS
Answer: B
QUESTION 89 P0P3 (Post Office Protocol 3) is a standard protocol for receiving email that deletes mail on the server as soon as the user downloads it. When a message arrives, the POP3 server appends it to the bottom of the recipient's account file, which can be retrieved by the email client at any preferred time. Email client connects to the POP3 server at _______________by default to fetch emails. A. Port 109 B. Port 110 C. Port 115 D. Port 123
Answer: B
QUESTION 90 JPEG is a commonly used method of compressing photographic Images. It uses a compression algorithm to minimize the size of the natural image, without affecting the quality of the image. The JPEG lossy algorithm divides the image in separate blocks of____________. A. 4x4 pixels B. 8x8 pixels C. 16x16 pixels D. 32x32 pixels
Answer: B
QUESTION 98 Wi-Fi Protected Access (WPA) is a data encryption method for WLANs based on 802.11 standards. Temporal Key Integrity Protocol (TKIP) enhances WEP by adding a rekeying mechanism to provide fresh encryption and integrity keys. Temporal keys are changed for every____________. A. 5,000 packets B. 10.000 packets C. 15,000 packets D. 20.000 packets
Answer: B
QUESTION 19 Subscriber Identity Module (SIM) is a removable component that contains essential information about the subscriber. Its main function entails authenticating the user of the cell phone to the network to gain access to subscribed services. SIM contains a 20-digit long Integrated Circuit Card identification (ICCID) number, identify the issuer identifier Number from the ICCID below. A. 89 B. 44 C. 245252 D. 001451548
Answer: C
QUESTION 21 If a file (readme.txt) on a hard disk has a size of 2600 bytes, how many sectors are normally allocated to this file? A. 4 Sectors B. 5 Sectors C. 6 Sectors D. 7 Sectors
Answer: C
QUESTION 37 Computer forensics report provides detailed information on complete computer forensics investigation process. It should explain how the incident occurred, provide technical details of the incident and should be clear to understand. Which of the following attributes of a forensics report can render it inadmissible in a court of law? A. It includes metadata about the incident B. It includes relevant extracts referred to In the report that support analysis or conclusions C. It is based on logical assumptions about the incident timeline D. It maintains a single document style throughout the text
Answer: C
QUESTION 38 A forensic investigator is a person who handles the complete Investigation process, that is, the preservation, identification, extraction, and documentation of the evidence. The investigator has many roles and responsibilities relating to the cybercrime analysis. The role of the forensic investigator is to: A. Take permission from all employees of the organization for investigation B. Harden organization network security C. Create an image backup of the original evidence without tampering with potential evidence D. Keep the evidence a highly confidential and hide the evidence from law enforcement agencies
Answer: C
QUESTION 47 Ever-changing advancement or mobile devices increases the complexity of mobile device examinations. Which or the following is an appropriate action for the mobile forensic investigation? A. To avoid unwanted interaction with devices found on the scene, turn on any wireless interfaces such as Bluetooth and Wi-Fi radios B. Do not wear gloves while handling cell phone evidence to maintain integrity of physical evidence C. If the device's display is ON. the screen's contents should be photographed and, if necessary, recorded manually, capturing the time, service status, battery level, and other displayed icons D. If the phone is in a cradle or connected to a PC with a cable, then unplug the device from the computer
Answer: C
QUESTION 7 Which of the following standard is based on a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases? A. Daubert Standard B. Schneiderman Standard C. Frye Standard D. FERPA standard
Answer: C
QUESTION 83 Which of the following statements does not support the case assessment? A. Review the case investigator's request for service B. Identify the legal authority for the forensic examination request C. Do not document the chain of custody D. Discuss whether other forensic processes need to be performed on the evidence
Answer: C
QUESTION 93 First response to an incident may involve three different groups of people, and each will have differing skills and need to carry out differing tasks based on the incident. Who is responsible for collecting, preserving, and packaging electronic evidence? A. System administrators B. Local managers or other non-forensic staff C. Forensic laboratory staff D. Lawyers
Answer: C
QUESTION 12 Which of the following is not a part of disk imaging tool requirements? A. The tool should not change the original content B. The tool should log I/O errors in an accessible and readable form, including the type and location of the error C. The tool must have the ability to be held up to scientific and peer review D. The tool should not compute a hash value for the complete bit stream copy generated from an image file of the source
Answer: D
QUESTION 17 Which of the following statements is not a part of securing and evaluating electronic crime scene checklist? A. Locate and help the victim B. Transmit additional flash messages to other responding units C. Request additional help at the scene if needed D. Blog about the incident on the internet
Answer: D
QUESTION 3 Which of the following statements is incorrect related to acquiring electronic evidence at crime scene? A. Sample banners are used to record the system activities when used by the unauthorized user B. In warning banners, organizations give clear and unequivocal notice to intruders that by signing onto the system they are expressly consenting to such monitoring C. The equipment is seized which is connected to the case, knowing the role of the computer which will indicate what should be taken D. At the time of seizing process, you need to shut down the computer immediately
Answer: D
QUESTION 33 An Internet standard protocol (built on top of TCP/IP) that assures accurate synchronization to the millisecond of computer clock times in a network of computers. Which of the following statement is true for NTP Stratum Levels? A. Stratum-0 servers are used on the network; they are not directly connected to computers which then operate as stratum-1 servers B. Stratum-1 time server is linked over a network path to a reliable source of UTC time such as GPS, WWV, or CDMA transmissions C. A stratum-2 server is directly linked (not over a network path) to a reliable source of UTC time such as GPS, WWV, or CDMA transmissions D. A stratum-3 server gets its time over a network link, via NTP, from a stratum-2 server, and so on
Answer: D
QUESTION 40 Which one of the following is not a consideration in a forensic readiness planning checklist? A. Define the business states that need digital evidence B. Identify the potential evidence available C. Decide the procedure for securely collecting the evidence that meets the requirement fn a forensically sound manner D. Take permission from all employees of the organization
Answer: D
QUESTION 50 MAC filtering is a security access control methodology, where a ___________ is assigned to each network card to determine access to the network A. 16-bit address B. 24-bit address C. 32-bit address D. 48-bit address
Answer: D
QUESTION 52 Wireless access control attacks aim to penetrate a network by evading WLAN access control measures, such as AP MAC filters and Wi-Fi port access controls. Which of the following wireless access control attacks allows the attacker to set up a rogue access point outside the corporate perimeter, and then lure the employees of the organization to connect to it? A. War driving B. Rogue access points C. MAC spoofing D. Client mis-association
Answer: D
QUESTION 73 In which step of the computer forensics investigation methodology would you run MD5 checksum on the evidence? A. Obtain search warrant B. Evaluate and secure the scene C. Collect the evidence D. Acquire the data
Answer: D
QUESTION 84 Windows Security Event Log contains records of login/logout activity or other security- related events specified by the system's audit policy. What does event ID 531 in Windows Security Event Log indicates? A. A user successfully logged on to a computer B. The logon attempt was made with an unknown user name or a known user name with a bad password C. An attempt was made to log on with the user account outside of the allowed time D. A logon attempt was made using a disabled account
Answer: D
QUESTION 85 Task list command displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer. Which of the following task list commands provides information about the listed processes, including the image name, PID, name, and number of the session for the process? A. tasklist/s B. tasklist/u C. tasklist/p D. tasklist/V
Answer: D
QUESTION 9 Which of the following approaches checks and compares all the fields systematically and intentionally for positive and negative correlation with each other to determine the correlation across one or multiple fields? A. Graph-based approach B. Neural network-based approach C. Rule-based approach D. Automated field correlation approach
Answer: D
QUESTION 97 Data is striped at a byte level across multiple drives and parity information is distributed among all member drives. What RAID level is represented here? A. RAID Level0 B. RAID Level 1 C. RAID Level 3 D. RAID Level 5
Answer: D