CCT240 Exam Prep
Which of the following parameters in the common log format of Apache represents the client's IP address?
%h
Colson, a forensic officer, was attempting to track a cybercriminal who had performed an online attack by gaining remote access to a Windows system of an organization. In this process, Colson executed an nbtstat command that displays the contents of the NetBIOS name cache as well as NetBIOS name-to-IP address mappings, which will help him in tracking the perpetrator. Which of the following nbtstat parameters helps Colson view the contents of the NetBIOS name cache?
-c
Identify the netstat parameter that displays the active TCP connections and retrieves the process ID for each connection.
-o
Santino, a forensic expert, was investigating a victim's Ubuntu system, which had been accessed by an attacker from a remote location. He collected network-related information from the system and executed a netstat command to extract the details of the routing table from the system. Identify the netstat parameter that helps Santino extract the routing table information.
-rn
Which of the following types of domain is used to host a website anonymously using Tor's hidden service protocol and can only be accessed by Tor network users?
.onion
Jaxton, a forensics expert, was analyzing the IIS logs in a Windows-based server that was compromised earlier. He initiated the investigation process by extracting the IIS log entries and monitored the "sc-status" field to identify how the attacker's request was fulfilled without error. Which of the following codes represents the "sc-status" in the IIS log entry?
200
Which of the following data acquisition formats consists of generic objects such as volumes, streams, and graphs with externally accessible behavior?
AFF4
Which of the following is a set of techniques that attackers use to avert or sidetrack the forensics investigation process or increase its difficulty?
Anti-forensics
Which of the following processes is defined as a set of techniques that attackers or perpetrators use to avert or sidetrack a forensic investigation process or substantially increase its difficulty?
Anti-forensics
Identify the evidence source that contains the least volatile data as the digital information in such data sources does not automatically change, unless it is damaged under physical force.
Archival media
Which of the following will be present in the "Supporting Files" section of a forensics investigation report?
Attachments and appendices
Identify the member of an investigation team who provides legal advice on conducting the investigation and addresses the legal issues involved in the forensic investigation process.
Attorney
Malcolm, a professional hacker, was attempting to intrude into an organization's network. In this process, he obtained the credentials of an employee using packet sniffers. Using the stolen credentials, Malcolm impersonated the employee to intrude into the organization's network. identify the type of attack performed by Malcolm in the above scenario.
Authentication hijacking
Ronan, a forensic investigator, was tasked with investigating a system based on NTFS. After thoroughly examining the system's hard drive, he discovered that most files were recently deleted from the file system but were recoverable. Ronan employed an automated tool to recover the deleted files from the hard disk. Identify the tool that Ronan used to recover the deleted files from the drive.
Autopsy
George, a forensics specialist, was investigating a suspected machine found at a crime scene. He started inspecting the storage media of the device by creating a bit-by-bit copy of it but failed to do so as the suspected drive was very old and incompatible with the imaging software he was using. Which of the following data acquisition methods failed in the above scenario because the suspect system drive was old?
Bit-stream disk-to-image file
Arnold, a crime investigator, wants to retrieve all the deleted files and folders in the suspected media without affecting the original files. For this purpose, he uses a method that involves the creation of a cloned copy of the entire media and prevents the contamination of the original media. Identify the method utilized by Arnold in the above scenario.
Bit-stream imaging
Which of the following commands is used by security specialists to check whether sessions have been opened with other systems?
C:> netstat -na
Which of the following commands is used to find any unusual listening on TCP and UDP ports?
C:> netstat -na
Ryder, a computer user, has a system running on Windows OS with a FAT file system. He encountered a blue screen issue; as a result, he turned off the system without closing the running applications. Ryder employed a Windows built-in utility to check for any bad sectors and lost clusters on his hard disk to overcome this issue. Identify the utility employed by Ryder in the above scenario.
Chkdsk.exe
Which of the following components in the internal structure of a solid-state drive (SSD) acts as a bridge between the flash memory components and the system by executing firmware-level software?
Controller
Williams, a forensic specialist, was appointed to perform data acquisition on a victim system that was involved in cybercrime related to a phishing campaign. As the system was in a powered-off state, Williams extracted static data from the hard disk. dentify the static data recovered by Williams in the above scenario.
Cookies
Which of the following types of cybercrime is an offensive activity in which a computer connected to the web is employed as a source point to damage an organization's reputation?
Cyber defamation
Which of the following is a process of imaging or collecting information from various media in accordance with certain standards for analyzing its forensic value?
Data acquisition
Which of the following functionalities of Autopsy recovers deleted files from unallocated space using PhotoRec?
Data carving
In a layer of the web, contents are not indexed by search engines and can only be accessed by a user with due authorization. Identify this layer of the web.
Deep Web
Kasen, a professional hacker, performed an attack against a company's web server by flooding it with large amounts of invalid traffic; thereafter, the webserver stopped responding to legitimate incoming requests. Identify the type of attack performed by Kasen in the above scenario.
Denial-of-service attack
Identify the part in the MBR structure that is located at the end of the MBR, holds only 2 bytes of data, and is required by BIOS during booting?
Disk signature
In which of the following phases of the computer forensics investigation methodology must the investigator take a photograph of the computer monitor's screen and note down what was observed on the screen?
Documentation of the electronic crime scene
Sam, a forensic specialist, was investigating a Windows 10 system based on NTFS. While analyzing the data, Sam discovered that some important files were deleted from the file system but can be recovered from Recycle Bin. Identify the location of Recycle Bin in the Windows 10 system.
Drive:$Recycle.Bin\
Which of the following components of EFS uses CryptoAPI to extract the file encryption key (FEK) for a data file and uses it to encode the FEK to produce the DDF?
EFS Service
Which of the following tasks is the responsibility of a forensic investigator?
Evaluate the damage due to a security breach
Identify the technique that refers to missing events related to systems downstream from a failed system and avoids events that can cause the system to crash.
Event masking
Easton, a forensics investigation team member, accumulated information from each person involved in the forensics process and developed a report of it in an orderly fashion, from the incident occurrence to the end of the investigation. Identify the role played by Easton in the investigation team.
Evidence documenter
Identify the forensics investigation report section that includes the tools and techniques used for collecting the evidence during the investigation process.
Evidence information
Which of the following acts contains Article 32, which deals with technical and organizational measures to encrypt personal data and ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services?
GDPR
Which of the following laws was enacted in 1999 and requires financial institutions—companies offering consumers financial products or services such as loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data?
GLBA
Identify the AFF4 object that includes collections of RDF statements.
Graphs
Which of the following registry hives contains file extension association information and programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data?
HKEY_CLASSES_ROOT
Williams, a forensic investigator, was tasked with analyzing an image file. In this process, he identified that the metadata of the image file was deleted; therefore, he could only recover the files using the file header signature, which is a constant numeric or text value. Which of the following tools can help Williams identify and recover the files using the file header signatures?
Hex Editor Neo
Joshua, a certified forensic expert, built a forensic lab for conducting a computer-based investigation. To make the investigation processes effective, he recruited experienced individuals and experts. Joshua then assigned job roles to each team member. Which of the following considerations is illustrated in the above scenario?
Human resource considerations
Which of the following contents of a sector contains the sector number and location, which identify sectors on the disk, as well as status information on the sector?
ID information
Which of the following steps of forensic readiness planning defines the purpose of evidence collection and gathering information to determine evidence sources that can help deal with the crime and design the best methods of collection?
Identify the potential evidence required for an incident*
Which of the following countermeasures helps forensic experts overcome anti-forensics attempts?
Impose strict laws against the illegal use of anti-forensics tools
Cooper, a member of a forensics investigation team, was investigating a cyber-attack performed on an organization. During the investigation process, Cooper secured the incident area and collected all the evidence, following which he disconnected the affected systems from other systems to stop the spread of the incident. Identify the role played by Cooper in the investigation team.
Incident responder
Kane, a disgruntled employee of an organization, was waiting for an opportunity to target the organization. One day, he gained access to the project manager's system and copied all the secret codes to his portable device. After copying, Kane handed over the code to a rival company, which released the software to the public with their proprietary patents. Identify the type of attack Kane has launched in the above scenario.
Intellectual Property Theft
Which of the following phases of a forensic investigation involves acquiring, preserving, and analyzing evidence found in the crime scene to identify the culprit?
Investigation Phase
In which of the following investigation phases does the forensic officer perform data acquisition, preservation, and analysis of evidentiary data to identify the source of a crime and the culprit?
Investigation phase
Which of the following tools can be used by an investigator to view, retrieve, and in some cases modify the metadata embedded in JPEG image files?
IrfanView
Alexis, a professional hacker, performed an attack against an organization's WLAN. In this process, he used a specially designed radio transmitter to transmit signals that can overwhelm and deny the use of the access point by legitimate clients. Which of the following types of attack is performed by Alexis in the above scenario?
Jamming Attack
Cyril, a forensic investigator, was appointed to prepare strategies to lure attackers and extract their whereabouts. For this purpose, he employed a honeypot machine, which is a dummy system used to trick attackers into connecting to it. Soon after attackers connect to the system, it provides log details, along with their source IP, session ID, and a message with other useful information about the attackers. Identify the honeypot employed by Cyril in the above scenario.
Kippo
Richin, a forensics investigator, was tasked with investigating a Linux machine that was used as a remote controller for performing malicious online activities. As part of the investigation, Richin employed a forensic tool that performs RAM dumps so that he can view all running processes in the memory and recently executed commands. Which of the following tools was utilized by Richin in the above scenario?
LiMe
Hudson, a forensic expert, was investigating an active computer that was executing various processes. Hudson wanted to check whether this system was used in an incident that occurred earlier. He started inspecting and gathering the contents of RAM, cache, and DLLs to identify incident signatures. which of the following data acquisition methods has Hudson initiated in the above scenario?
Live data acquisition
Which of the following structures of the HFS volume keeps track of the allocation blocks in use and those that are free?
Logical Block 2
Gael, a forensic expert, was working on a case related to fake email broadcasting. Gael extracted the data from the victim system to investigate and find the source of the email server. In this process, Gael extracted only ".ost" files from the system as they can provide potential information about the incident. Which of the following types of data acquisition has Gael performed in the above scenario?
Logical acquisition
In which of the following attacks does the attacker connect to a port on a switch and flood its interface by sending a large volume of Ethernet frames from various fake hardware addresses?
MAC flooding
Williams, a forensic expert, was performing an investigation on a system that was suspected to be involved in spreading adult content over the Internet. The attacker accessed various adult sites using the Mozilla Firefox browser and shared associated links with other individuals. Williams employed a forensic tool that helped him extract the list of websites accessed from the system to confirm this suspicion. Which of the following tools has Williams employed in the above scenario?
MZHistoryView
Robert, a computer user, unintentionally installed software by clicking on a malicious link of an insecure website. Upon installing the software, his system degraded in performance and started showing signs of suspicious activities. Which of the following types of attack is Robert a victim of?
Malware attack
A command, when executed, changes the modification time and date of a file but retains its creation time and date in the NTFS file system. Identify this command.
Move sample.txt from E:\ to E:\subdir on the NTFS file system
Which of the following command-line tools helps investigators analyze a suspect Office document and check whether any components are labeled as malicious?
Oleid
Identify the color code in a Check Point firewall that signifies traffic detected as suspicious but accepted by the firewall.
Orange
Which of the following tools helps a forensics investigator develop and test across multiple operating systems in a virtual machine for Mac and allows access to Microsoft Office for Windows?
Parallels Desktop 16
Flora recently received a mail from a bank that contained a malicious link along with some instructions. The malicious link redirected her to a form requesting details such as her name, phone number, date of birth, credit card number, CVV code, SNNs, and email address. Identify the type of cybercrime being performed on Flora in the above scenario.
Phishing
Allen, a forensics expert, was analyzing a forensically extracted memory dump from an Ubuntu machine. While attempting to extract lost files from the dump, Allen employed an open-source tool that uses data carving techniques to recover deleted files or lost data. hich of the following tools did Allen employ in the above scenario?
PhotoRec
Which of the following techniques in digital forensics investigation involves a backup program that an investigator should have in case certain hardware or software does not work or a failure occurs during an acquisition?
Plan for contingency
Which of the following is a search and seizure step that involves seeking consent, obtaining witness signatures, obtaining a warrant for search and seizure, and collecting incident information?
Planning of the search and seizure
Lincoln, a forensic investigator, collected evidence from a crime scene. He used some hardware and software tools to complete the investigation process. Lincoln then created a report and documented all the actions performed during the investigation. Identify the investigation phase Lincoln is currently in.
Post-investigation phase
Which of the following phases of the UEFI boot process initializes the CPU, permanent memory, and boot firmware volume (BFV) as well as locates and initializes the hardware found in the system?
Pre-EFI initialization phase
Calvin, a forensic crime investigator, retrieved evidence from a device that consists of usage logs, time and date information, network identity information, and ink cartridges. Identify the device from which Calvin obtained the evidence.
Printer
A data acquisition format creates a bit-by-bit copy of the suspected drive, and images in this format are usually obtained using the dd command. Identify this data acquisition format.
Raw format
Raphael, a forensics expert at an organization, was asked to analyze an issue that blocked devices from accessing the organization's network. In this process, Raphael employed a network behavior monitoring tool to identify and categorize different events and determine the events that caused the issue. In which of the following event correlation steps did Raphael identify the reason behind the issue?
Root cause analysis
In which of the following phases of the UEFI boot process does the system clear the UEFI program from memory and transfer it to the OS?
Runtime phase
Samuel, a computer forensic investigator, collects evidence data and verifies the integrity of the data. In this process, he uses a cryptographic hash algorithm that can create a unique and fixed-size 256-bit hash, which is ideal for anti-tamper technologies, password validation, digital signatures, and challenge hash authentication. Identify the algorithm utilized by Samuel to verify the integrity of the data.
SHA
Which of the following is an outgoing mail server that allows users to send emails to a valid email address using port number 25?
SMTP server
Which of the following email features enables organizations to specify servers that can send emails on behalf of their domains?
SPF
Which of the following types of cybercrime involves taking advantage of unsanitized input vulnerabilities to pass commands through a web application and thereby retrieve information from the target database?
SQL injection attack
Identify the smallest physical storage unit on a hard disk drive that normally stores 512 bytes of data for HDDs and 2048 bytes for CD-ROMs and DVD-ROMs.
Sector
Which of the following characteristics of a hard disk represents the time taken by a hard-disk controller to identify a particular piece of data?
Seek time
Which of the following features of Mac OS is an integrated search feature that indexes files by type, making it easy for forensic investigators to trace suspicious files and applications on a system?
Spotlight
Which of the following types of cells in the Windows Registry structure comprises a series of indexes pointing to the parent key cell?
Subkey list cell
Which of the following is a library and collection of command-line tools that assist in the investigation of disk images?
The Sleuth Kit
Which of the following tools can an investigator use to investigate disk images as well as analyze a volume and file-system data?
The Sleuth Kit
Which of the following titles of ECPA addresses the privacy of the contents of files stored by service providers and records held about the subscriber by service providers, such as subscriber name, billing records, and IP addresses?
Title 2
Identify the rule of evidence stating that investigators and prosecutors must present evidence in a clear and comprehensible manner to the members of the jury.
Understandable
Freddy, a professional hacker, was attempting to bypass the security measures of a target organization by keenly analyzing the vulnerabilities in their web application. He identified that employee login IDs were stored in cookies; therefore, he can tamper with the URL, HTTP requests, headers, hidden fields, form fields, and query strings. Identify the type of threat demonstrated in the above scenario.
Unvalidated input
Identify the attack in which the attackers tamper with the URL, HTTP requests, headers, hidden fields, form fields, and query strings to bypass security implementations.
Unvalidated input
Which of the following measures helps security professionals defend against anti-forensics techniques?
Use latest and updated CFTs and test them for vulnerabilities.
While investigating a web attack on a Windows-based server, Jessy executed the following command on her system: C:> net view <10.10.10.11> What was Jessy's objective in running the above command?
Verify the users using open sessions
Which of the following types of digital evidence is temporary information on a digital device that requires constant power supply to retain and is deleted if the power supply is interrupted?
Volatile data
Identify the tool that provides the pslist plugin to retrieve information on all the processes executing on the system when the memory dump was collected.
Volatility Framework
Which of the following file dependencies is a networking DLL that helps connect to a network or perform network-related tasks?
WSock32.dll
Which of the following tools is mainly used to inspect and edit all types of files as well as to recover deleted files or lost data from hard drives with corrupt file systems or from memory cards of digital cameras?
WinHex
Which of the following fields in the IIS log entry indicates that the user wanted to download a file from a folder?
cs-uri-stem
Which of the following Apache web-server architecture elements handles server startups/timeouts and contains the main server loop that waits for connections?
http_main
Identify the Volatility Framework plugin that provides information on all TCP and UDP port connections, which can help in detecting any malicious network communications running on a system?
linux_netstat
David, a forensics investigator, analyzed a RAM dump extracted from a suspected Linux system. He used the Volatility Framework to extract information from the dump file. In this process, David employed a plugin to extract the parent and child processes to determine whether any malicious processes are running on it. Identify the plugin used by David in the above scenario.
linux_pstree
Which of the following commands helps investigators retrieve information on all active processes and open files?
lsof
Harrison, a forensic investigator, was working on a criminal case in which he had to extract all the possible data related to criminal activity on a device running Windows OS. For this purpose, Harrison wanted to view the detailed partition layout for the GPT disk, along with the MBR details. Which of the following commands will help Harrison in the above scenario?
mmls
Zayn, a forensic expert, was tasked with investigating an incident that occurred on a Windows machine. Zayn wanted to check whether the attacker was still active on the network and spreading the infection. In this process, Zayn executed a netstat command that helped him view the TCP and UDP network connections, listening ports, and identifiers of the processes. Identify the command executed by Zayn in the above scenario.
netstat -ano
Which of the following commands helps investigators retrieve important information such as the MAC times of any file and timestamps of applications in a Mac system?
stat [-FlLnqrsx] [-f format] [-t timefmt] [file ...]
Identify the Wireshark filter that is used to detect a SYN-FIN flood DoS attack.
tcp.flags==0X003
