EC Council DFE Practice
Which of the following is a library and collection of command-line tools that assist in the investigation of disk images?
The Sleuth Kit
Which of the following NTFS system files contains definitions of all system- and user-defined attributes of the volume?
$attrdef
Identify the numeric code that indicates the error condition message in Cisco IOS router logs.
3
Identify the smallest physical storage unit on a hard disk drive that normally stores 512 bytes of data for HDDs and 2048 bytes for CD-ROMs and DVD-ROMs.
Sector
Joselyn, a forensic investigator in an organization, was investigating a cyber-attack. In this process, she found that the attack was performed from within the office premises. To obtain the list of users logged into the office system, she executed a command to extract the login history and system boot time. Identify the command executed by Joselyn in the above scenario.
last -f /var/log/wtmp
Which of the following commands helps investigators retrieve important information such as the MAC times of any file and timestamps of applications in a Mac system?
stat [-FlLnqrsx] [-f format] [-t timefmt] [file ...]
Identify the command that helps forensics investigators check the Linux kernel version on a system.
uname -r
Which of the following log files in a Mac system contains information related to network interface history?
/var/log/daily.out
John, a forensics specialist, was instructed to investigate an email crime. As part of the investigation, John seized a computer, along with the email accounts used in the system. Identify the next step that John needs to follow in the email crime investigation process.
Acquiring the email data
Ronan, a forensic investigator, was tasked with investigating a system based on NTFS. After thoroughly examining the system's hard drive, he discovered that most files were recently deleted from the file system but were recoverable. Ronan employed an automated tool to recover the deleted files from the hard disk. Identify the tool that Ronan used to recover the deleted files from the drive.
Autopsy
Sherin, a forensic investigator, is attempting to recover deleted files and data from a suspected system. To recover the deleted files and data, he used an automated tool that scans the system's hard drive. Which of the following tools was utilized by Sherin in the above scenario?
Autopsy
Brennan, a digital forensics investigator, was appointed by an organization to inspect a system suspected to be involved in cybercrime. In this process, Brennan employed a tool that helped him perform an automated scan of the suspected machine to identify traces of malware presence and its capabilities. Which of the following tools did Brennan employ in the above scenario?
Balbuzard
Which of the following is an advanced correlation approach that predicts what an attacker can do next after an attack based on statistics and probability theory and uses only two variables?
Bayesian correlation
Dillon, a forensics officer, was instructed to examine the memory dumps acquired from a suspected machine. For this purpose, Dillon employed a tool that helped him to process the memory dumps and retrieve useful information such as the browsed URLs, used email IDs, and personally identifiable information entered on websites. Identify the tool employed by Dillon in the above scenario.
Bulk Extractor
Which of the following time standards is used by the IIS server to record IIS logs, helping synchronize servers in multiple time zones?
Coordinated Universal Time (UTC)
In which of the following attacks does the attacker make an authenticated user perform certain tasks on the web application chosen by the attacker?
Cross-site request forgery
Which of the following malware components refers to a software program that conceals the existence of malware and is used by attackers to elude antivirus detection?
Crypter
Which of the following elements of an email header refers to an email authentication method that helps safeguard the senders and recipients of emails from phishing, spoofing, and spamming?
DKIM
Which of the following Windows registry hives contains configuration information related to the applications used to open various system files?
HKEY_CLASSES_ROOT
Which of the following contents of a sector contains the sector number and location, which identify sectors on the disk, as well as status information on the sector?
ID information
Identify the hidden file in Windows that is crucial for the recovery of data and contains various details of deleted files such as their original file names, original file sizes, date and time of deletion, unique identifying number, and the drive number in which the files were stored.
INFO2
Which of the following components of email communication accepts the email messages from the sender and routes them to their destination?
Mail transfer agent
Identify the color code in a Check Point firewall that signifies traffic detected as suspicious but accepted by the firewall.
Orange
Before investigating a cybercrime, Joyce, a forensic investigator, sets up a computer forensics lab, builds a forensics workstation, develops an investigation toolkit, and secures the case perimeter and involved devices. Identify the investigation phase Joyce is currently in.
Pre-investigation phase
Tyler, a forensic officer, was investigating a crime scene. After collecting a suspected laptop from the spot, Tyler started inspecting a specific portion of the drive where the criminal had saved the victim's data while performing a malicious activity. Tyler collected files required for the investigation as well as fragments of deleted data. Which of the following data acquisition methods did Tyler perform in the above scenario?
Sparse Acquisition
Identify the SWGDE standards and criteria stating that the agency must use hardware and software appropriate and effective for the seizure or examination procedure.
Standards and Criteria 1.5
Which of the following commands helps investigators check for the creation of new accounts in the administrator group?
Start -> Run -> lusrmgr.msc -> OK
Which of the following types of attack is performed using a seemingly harmless program containing malicious code that can later gain control and cause damage, such as destruction of the file allocation table on a hard disk?
Trojan horse attack
Which of the following countries implements the cyber law "Regulation of Investigatory Powers Act 2000"?
United Kingdom
Which of the following measures helps security professionals defend against anti-forensics techniques?
Use latest and updated CFTs and test them for vulnerabilities.
Franklin, a forensics investigator, was working on a suspected machine to gather evidence. He employed a forensic tool on the suspected device and quickly extracted volatile data as such data would be erased as soon as the system is powered off. Identify the volatile data Franklin has collected from the suspected machine.
User events
Which of the following strings in an Apache access log entry provides the details of the platform, system, and browser being used by the client while requesting a resource?
\"%{User-agent}i\"
Identify the command used to retrieve file system type, volume ID, last mounted timestamps, and last mounted directory.
fsstat -i <input_filetype> <filename.extension>
Don, a professional hacker, targeted Johana's official email account to steal her project-related files stored in it. In this process, Don tried all the possible combinations of password characters through the trial-and-error method and finally logged into her account. Identify the type of cybercrime demonstrated in the above scenario.
Brute-force attack
Boney, a forensics officer, was tasked with investigating a Windows Server machine suspected of being used for malicious online activities. He initiated the investigation process by executing a built-in Windows tool that helped him analyze NetBIOS over TCP/IP activity. Identify the command used by Boney in the above scenario.
C:\> nbtstat -S
Which of the following mnemonics in Cisco IOS logs is described as "A packet matching the log criteria for the given access list has been detected (TCP or UDP)"?
%SEC-6-IPACCESSLOGP
Colson, a forensic officer, was attempting to track a cybercriminal who had performed an online attack by gaining remote access to a Windows system of an organization. In this process, Colson executed an nbtstat command that displays the contents of the NetBIOS name cache as well as NetBIOS name-to-IP address mappings, which will help him in tracking the perpetrator. Which of the following nbtstat parameters helps Colson view the contents of the NetBIOS name cache?
-c
Given below is the syntax for executing Autorunsc command-line version. autorunsc [-a <*|bdeghiklmoprsw>] [-c|-ct] [-h] [-m] [-s] [-u] [-vt] [[-z ] | [user]]] Which of the following parameters in the above syntax specifies printing output as tab-delimited values?
-ct
Given below is an example of an Apache access log entry in the common log format: "10.10.10.10 - Jason [17/Aug/2019:00:12:34 +0300] "GET/images/content/bg_body_1.jpg HTTP/1.0" 500 1458" From the above log entry, identify the status code indicating that the response was successful.
500
Moises, a professional hacker, targeted an employee of an organization to steal confidential data. For this purpose, he compelled the employee to attach a malicious USB adapter to one of the host machines in the organization. As a result, the host machine was forced to connect to an unsecured network. Next, Moises collected all the confidential data passing through the unsecured network. Identify the type of attack performed by Moises in the above scenario.
Ad-hoc connection attack
An open-source data acquisition format stores disk images and related metadata, and the objective behind the development of the format was to create an open disk imaging format that provides users an alternative to being locked into a proprietary format. Identify this data acquisition format.
Advanced Forensics Format
Malcolm, a professional hacker, was attempting to intrude into an organization's network. In this process, he obtained the credentials of an employee using packet sniffers. Using the stolen credentials, Malcolm impersonated the employee to intrude into the organization's network. Identify the type of attack performed by Malcolm in the above scenario.
Authentication hijacking
Marshall, a professional hacker, targeted Grace to steal an amount from her banking account. For this purpose, he employed a social engineering technique and prompted Grace to share her credentials. Using those credentials, Marshall impersonated Grace and logged into her account on the concerned banking website to perform illegitimate transactions. Identify the web application threat demonstrated in the above scenario.
Authentication hijacking
Arnold, a crime investigator, wants to retrieve all the deleted files and folders in the suspected media without affecting the original files. For this purpose, he uses a method that involves the creation of a cloned copy of the entire media and prevents the contamination of the original media. Identify the method utilized by Arnold in the above scenario.
Bit-stream imaging
Ryder, a computer user, has a system running on Windows OS with a FAT file system. He encountered a blue screen issue; as a result, he turned off the system without closing the running applications. Ryder employed a Windows built-in utility to check for any bad sectors and lost clusters on his hard disk to overcome this issue. Identify the utility employed by Ryder in the above scenario.
Chkdsk.exe
Aziel, a mobile user, was accessing a secure Wi-Fi network at a coffee shop. As a result of a power outage at the coffee shop, the Wi-Fi router got switched off, and Aziel's mobile device automatically got connected to an attacker-installed hotspot. The attacker was thus able to capture all the Internet traffic originating from Aziel's mobile device. Which of the following attacks is demonstrated in the above scenario?
Client misassociation
Identify the SSD component that serves as a bridge between the flash memory components and the system by executing firmware-level software.
Controller
Jude, a forensic professional in an investigation department, was tasked with analyzing a suspected Windows machine. During the investigation, Jude found that some of the drive's volumes were encrypted and needed to be decrypted for further investigation. Which of the following tools can help Jude in decrypting the drive?
CrypTool
Kevin, a forensics officer, was tasked with investigating a Windows machine reported with abnormal behavior. To investigate the causes for this abnormal behavior, Kevin first wanted to check Windows update information to determine whether new patches are causing this disruption. Which of the following Windows files will provide Kevin with the required information?
DataStore.edb
Bruno, a forensics investigator, was tasked with investigating a recent cyber-attack on an organization. To protect the evidence, Bruno maintained a logbook of the project to record observations related to the evidence, used tagging to uniquely identify any evidence, and created a chain of custody record. In the above scenario, identify the investigation phase Bruno is currently in.
Evidence preservation
Identify the Tor relay that receives the client's data from the middle relay and sends the data to the destination website's server.
Exit relay
Which of the following Tor relays is treated as suspected because it is perceived to be the origin of malicious traffic?
Exit relay
Which of the following versions of the FAT file system uses 4 bytes per cluster within the file allocation table?
FAT32
Which of the following laws was enacted in 1999 and requires financial institutions—companies offering consumers financial products or services such as loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data?
GLBA
Which of the following elements is a 128-bit unique number generated by the Windows OS to identify a specific device, document, database entry, and/or the user?
GUID
Which of the following contents of a hard disk drive sector is used to provide time for the controller to continue the read process?
Gaps
Which of the following registry hives contains file extension association information and programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data?
HKEY_CLASSES_ROOT
Duke, a forensics expert, was investigating a Windows machine suspected to contain a Tor browser instance. As part of the investigation, he navigated to Windows Registry to obtain the path from which the Tor browser was executed. In which of the following paths did Duke discover the Tor browser's existence on the suspected machine?
HKEY_USERS\<SID>\SOFTWARE\Mozilla\Firefox\Launcher
Identify the registry location in which Tor browser artifacts are stored and can provide information on user activities on the dark web.
HKEY_USERS\<SID>\SOFTWARE\Mozilla\Firefox\Launcher
Which of the following commands is used to identify the current system name and examine the logs, DNS, and network traffic?
Hostname
Joshua, a certified forensic expert, built a forensic lab for conducting a computer-based investigation. To make the investigation processes effective, he recruited experienced individuals and experts. Joshua then assigned job roles to each team member. Which of the following considerations is illustrated in the above scenario?
Human resource considerations
Which of the following steps of forensic readiness planning defines the purpose of evidence collection and gathering information to determine evidence sources that can help deal with the crime and design the best methods of collection?
Identify the potential evidence required for an incident
Helen, a shopping freak, lost an amount from her banking account. Immediately, she raised a complaint at the concerned bank. The security teams at the bank started investigating her account and discovered that she had accessed a fake website for shopping. Attackers stole her credentials through the fake website to make illegal transactions. Which of the following crimes is demonstrated in the above scenario?
Identity fraud
Which of the following is a digital forensic artifact that helps investigators detect a security incident that has occurred on a host system and includes logs related to systems, applications, networks, and firewalls?
Indicators of compromise
Which of the following considerations helps investigators create an appropriate testbed for malware analysis?
Installing a virtual machine (VMware, Hyper-V, etc.) on the system
Identify the type of cybercrime that involves the theft of trade secrets, copyrights, or patent rights of an asset or material belonging to individuals or entities, resulting in huge losses to the target organization.
Intellectual property theft
Which of the following is a user-created evidence source that can assist forensic investigators in recording and analyzing whether the victim stored any malicious links or URLs?
Internet bookmarks
In which of the following investigation phases does the forensic officer perform data acquisition, preservation, and analysis of evidentiary data to identify the source of a crime and the culprit?
Investigation phase
Richin, a forensics investigator, was tasked with investigating a Linux machine that was used as a remote controller for performing malicious online activities. As part of the investigation, Richin employed a forensic tool that performs RAM dumps so that he can view all running processes in the memory and recently executed commands. Which of the following tools was utilized by Richin in the above scenario?
LiME
Hudson, a forensic expert, was investigating an active computer that was executing various processes. Hudson wanted to check whether this system was used in an incident that occurred earlier. He started inspecting and gathering the contents of RAM, cache, and DLLs to identify incident signatures. Which of the following data acquisition methods has Hudson initiated in the above scenario?
Live Data Acquisition
In which of the following attacks does the attacker connect to a port on a switch and flood its interface by sending a large volume of Ethernet frames from various fake hardware addresses?
MAC flooding
Williams, a forensic expert, was performing an investigation on a system that was suspected to be involved in spreading adult content over the Internet. The attacker accessed various adult sites using the Mozilla Firefox browser and shared associated links with other individuals. Williams employed a forensic tool that helped him extract the list of websites accessed from the system to confirm this suspicion. Which of the following tools has Williams employed in the above scenario?
MZHistoryView
Which of the following is a high-speed serial expansion card integrating flash directly into the motherboard and is connected to the host machine through its own serial link by eliminating the need to share a bus, reducing latency, and enhancing the data transfer speeds between a server and storage?
PCIe SSD
Identify the approach that assists forensic officers in correlating specific packets with other packets and comparing them with attack signatures to list new potential attacks on the network.
Payload correlation
Lincoln, a forensic investigator, collected evidence from a crime scene. He used some hardware and software tools to complete the investigation process. Lincoln then created a report and documented all the actions performed during the investigation. Identify the investigation phase Lincoln is currently in.
Post-investigation phase
Which of the following phases of the forensics investigation process involves reporting and documenting all actions undertaken and the findings obtained during the investigation?
Post-investigation phase
Xavier, a security specialist, was appointed to investigate a crime scene at an organization. He completed the investigation process successfully and created a document that includes all the individual tasks performed in resolving the case. Which of the following forensics investigation phases is Xavier currently in?
Post-investigation phase
Calvin, a forensic crime investigator, retrieved evidence from a device that consists of usage logs, time and date information, network identity information, and ink cartridges. Identify the device from which Calvin obtained the evidence.
Printer
Benjamin, a professional hacker, joined as an intern in an organization and obtained some permissions to access the resources related to his job. Soon after gaining trust in the organization, he obtained elevated permissions to access restricted parts of the network. Thus, he gained access to confidential data of the organization. Identify the type of attack performed by Benjamin in the above scenario.
Privilege escalation attack
Which of the following can be classified as the most volatile type of data that persists only for nanoseconds?
Processor cache
Which of the following is an open-source tool, written in Perl, for extracting/parsing information, i.e., keys, values, and data from the registry and presenting it for analysis?
RegRipper
Identify the tool that helps simulate all network types and technologies, including VoIP, TCP, OSPFv3, MPLS, LTE, WLAN, IoT protocols, and IPv6, to analyze and compare the impacts of different technology designs on end-to-end behavior.
Riverbed Modeler
Raphael, a forensics expert at an organization, was asked to analyze an issue that blocked devices from accessing the organization's network. In this process, Raphael employed a network behavior monitoring tool to identify and categorize different events and determine the events that caused the issue. In which of the following event correlation steps did Raphael identify the reason behind the issue?
Root cause analysis
Which of the following email header fields prevents sender address forgery and allows organizations to designate servers that can send emails on behalf of their domains?
SPF
Which of the following types of cybercrime involves taking advantage of unsanitized input vulnerabilities to pass commands through a web application and thereby retrieve information from the target database?
SQL-Injection Attack
While preparing testbeds for malware analysis, which of the following techniques is used to perform dynamic analysis manually?
Sandbox
Which of the following measures helps security professionals defend against anti-forensics techniques?
Save data in secure locations.
Austin, a forensic investigator, was tasked with examining a crime scene. In this process, he identified a few devices that were affected during the attack process. Austin secured all these devices in a lawful manner for further investigation. Identify the investigation phase Austin is currently performing in the above scenario.
Search and seizure
Identify the smallest physical storage unit on a hard-disk platter, whose name is also a mathematical term denoting a pie-shaped part of a circle enclosed by the perimeter of the circle and two radii.
Sector
Which of the following characteristics of a hard disk represents the time taken by a hard-disk controller to identify a particular piece of data?
Seek time
Identify the process of extracting and gathering the data in an unaltered manner from storage media such as DVD-ROMs, USB drives, flash cards, and word processor documents.
Static Acquisition
Which of the following types of cells in the Windows Registry structure comprises a series of indexes pointing to the parent key cell?
Subkey list cell
Identify the portable executable information that shows whether the program is a command-line or GUI application.
Subsystem
Identify the web that forms the topmost layer and stores content that can be accessed as well as indexed by search engines such as Google, Yahoo, and Bing.
Surface web
Which of the following layers of the Internet is the visible part of the web, where contents are indexed by search engines such as Google, Yahoo, and Bing?
Surface web
Which of the following tools can an investigator use to investigate disk images as well as analyze a volume and file-system data?
The Sleuth Kit
In which of the following anti-forensics techniques do attackers mislead investigators via log tampering, false e-mail header generation, timestamp modification, and the modification of various file headers?
Trail obfuscation
Identify the packet sniffing tool that assists forensic specialists in interactively browsing data packets from live network traffic.
Wireshark
Which of the following is a networking DLL that helps connect to a network or perform network-related tasks?
Ws2_32.dll
The following regular expression can be used to detect an "<img src" XSS attack: /((\%3c)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I Identify the signature in the above expression that searches for any character other than a new line.
[^\n]+
In which of the following URLs did attackers double-encode the input to perform an SQL injection attack?
http://ww.bank.com/accounts.php?id=1%252f%252a*/union%252f%252a/select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--
Which of the following elements of Apache core handles server startups and timeouts?
http_main
Which of the following elements of Apache core is responsible for managing the routines and interacts with the client and handles all the data exchange and socket connections between the client and the server?
http_protocol
Which of the following elements of Apache core controls the stepwise procedure followed among modules to complete a client request and is responsible for error handling?
http_request
Which of the following commands is used to retrieve the metadata of a file, such as MAC times, file size, and file access permissions?
istat -f <fstype> -i <imgtype> <imagefile_name> <inode_number>
Which of the following commands helps forensic investigators retrieve information about all active processes and open files?
lsof
Which of the following commands is used to collect information about the files opened by an intruder using remote login?
net file [ID [/close]]
Which of the following commands is used to extract the content of the macro stream from a suspicious Word document?
oledump.py -s <stream number> <path to the suspect document>
Jayden, a forensic investigator, was appointed to investigate a powered-off system recovered from a crime scene. He found many locked files in that computer and suspected that those files might contain information useful to identify the criminals. Which of the following evidence sources provided Jayden with useful information during the investigation?
password-protected files
John, a security specialist, was investigating a criminal case. He extracted all the possible evidence from a suspected laptop, created an exact copy of the evidence, and submitted the evidence as is to the jury members without any intermediary tampering. Identify the evidence rule demonstrated in the above scenario.
reliable
Identify the AFF4 object that stores segments that are indivisible blocks of data.
volume
Frank, a forensics specialist, was tasked with examining an attack on a website hosted on Windows Server 2016. In this process, Frank extracted the following IIS log entry: "2019-12-12 06:11:41 192.168.0.10 GET /images/content/bg_body_1.jpg - 80 - 192.168.0.27 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/48.0.2564.103+Safari/537.36 http://www.moviescope.com/css/style.css 200 0 0 365" Which of the following fields in the above IIS log entry indicates that the user was anonymous?
-
Given below is the syntax of a netstat command. netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval] Identify the netstat parameter that is used to display all active TCP connections on which the computer is listening.
-n
Identify the PsLoggedOn parameter that forces the associated command to not show logon times while displaying logged-in users' details.
-x
Which of the following PsList parameters displays processes, memory information, and threads?
-x
Which of the following tasklist parameters specifies the types of process(es) to include in or exclude from the main query?
/fi FilterName
Identify the evidence source that contains the least volatile data as the digital information in such data sources does not automatically change, unless it is damaged under physical force.
Archival Media
Which of the following is a set of techniques that attackers use to avert or sidetrack the forensics investigation process or increase its difficulty?
Anti-forensics
Nasir, a forensics expert, was investigating a live machine recovered from a crime scene. He used an automated tool to extract the volatile memory from the system in the ".mem" format, which can be later used to extract information such as running processes from the memory. Identify the tool employed by Nasir in the above scenario.
AccessData FTK Imager
Which of the following tools helps forensic investigators acquire a memory dump from the RAM of the suspect machine?
AccessData FTK Imager
Which of the following data acquisition formats was created by Michael Cohen, Simson Garfinkel, and Bradley Schatz and is designed to support storage media with large capacities?
Advanced Forensic Framework 4
Waylon, a security professional, was inspecting an active machine to track down any malicious running programs. In this process, he inspected the DVD-ROM in the machine and identified suspicious programs stored in it. He immediately detached it from the machine because it contained data that cannot be eliminated even after the system is shut down. Identify the evidence source from which Waylon collected the evidence.
Archival Media
Which of the following will be present in the "Supporting Files" section of a forensics investigation report?
Attachments and appendices
Charles, a forensics team member familiar with all the applicable laws, participated in a crime investigation process. The role of Charles in the team was to assist the forensic investigators by providing legal advice on how to conduct the investigation and address the legal issues involved in various tasks. Which of the following roles did Charles play in the above scenario?
Attorney
Which of the following tools retrieves information about the process that opened the port, including the process name, the full path of the process, version information of the process, the process creation time, and the user who created it?
Currports
Identify the crime in which attackers harass an individual, a group, or an organization using emails or IMs.
Cyberstalking
Which of the following layers of TCP/IP is responsible for selecting the best path through the network for data flow between the source and destination?
Internet layer
Which of the following commands is used to find any unusual listening on TCP and UDP ports?
C:\> netstat -na
Which of the following commands is used by investigators to find scheduled and unscheduled tasks on localhost?
C:\> schtasks.exe
In which of the following Windows system locations will Mozilla Firefox store the history file?
C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\places.sqlite
Which of the following tasks is NOT the responsibility of a forensic investigator?
Configure network components
Identify the technique that includes the disintegration, incineration, pulverizing, shredding, and melting of digital media to make evidentiary data unavailable to forensics investigators.
Disk destruction
In which of the following phases of the computer forensics investigation methodology must the investigator take a photograph of the computer monitor's screen and note down what was observed on the screen?
Documentation of the electronic crime scene
Which of the following malware distribution techniques involves the exploitation of flaws in browser software to install malware upon a simple visit to a web page?
Drive-by downloads
Sam, a forensic specialist, was investigating a Windows 10 system based on NTFS. While analyzing the data, Sam discovered that some important files were deleted from the file system but can be recovered from Recycle Bin. Identify the location of Recycle Bin in the Windows 10 system.
Drive:\$Recycle.Bin\<SID>
Which of the following components of EFS uses CryptoAPI to extract the file encryption key (FEK) for a data file and uses it to encode the FEK to produce the DDF?
EFS Service
Stetson, a professional hacker, targeted an organization to secretly listen to a client's conversation with a development team. In this process, he secretly installed a sniffing device in the organization's network, which allowed him to listen to voice messages actively. Identify the type of attack performed by Stetson in the above scenario.
Eavesdropping
Renit, a professional hacker, is attempting to obtain sensitive information from a target network. In this process, he employs a technique to collect information such as network topology, live hosts, and potential vulnerabilities in host systems. Identify the technique employed by Renit in the above scenario.
Enumeration
Medicing Inc. targeted their competitor organization to steal information about their product that gained immense popularity within a brief period. For this purpose, Medicing Inc. employed Don, a professional hacker. Don performed open-source intelligence gathering and analyzed the target product's details. Using the obtained information, Medicing Inc. created a similar product and launched it with a lower price. Identify the cybercrime demonstrated in the above scenario.
Espionage
Williams, a forensic investigator, was tasked with analyzing an image file. In this process, he identified that the metadata of the image file was deleted; therefore, he could only recover the files using the file header signature, which is a constant numeric or text value. Which of the following tools can help Williams identify and recover the files using the file header signatures?
Hex Editor Neo
While verifying the file format of evidence files, Patrick, a forensic investigator, detected that the suspect had changed the file extensions of some files from .jpg to .dll. Patrick used an automated tool to verify the file formats. Identify the tool employed by Patrick in the above scenario.
Hexinator
Which of the following practices is NOT a countermeasure to defend against anti-forensic techniques?
Impose strict laws against legal use of anti-forensics tools
Which of the following is a quality that makes one a good computer forensics investigator?
Knowledge of the laws relevant to the case
Which of the following methods includes the dismantling of a given executable into the binary format to study its functionalities and features?
Malware disassembly
Simon, a forensics investigator, was attempting to extract various Tor browser artifacts to reconstruct a recent crime incident. He employed a technique that can examine the RAM dump to extract various Tor browser artifacts. Which of the following techniques was utilized by Simon in the above scenario?
Memory acquisition
Caiden, a forensics expert, was tasked with investigating fraud that occurred in an organization. An employee of the organization accessed a restricted file from the organization's server and modified some crucial word documents. To initiate an investigation, Caiden employed an online tool that reveals the last user who accessed the file and how many times the file has been edited. Which of the following tools did Caiden employ in the above scenario?
Metashield Analyzer
Identify the Tor relay used for data transmission in an encrypted format, receiving the client's data from the entry relay, and passing the client's data to the exit relay.
Middle relay
Identify the information in the superblock of ext2 that allows the system to determine whether it needs to check the file system fully.
Mount count and maximum mount count
Melvin, an attacker, started sending spam emails to target users carrying a file attachment in the .PPSX extension. Nova, a target user, opened the spam email and moved his mouse pointer over the hyperlinked malicious attachment; as a result, malware was executed automatically on Nova's system. Identify the technique employed by Melvin to distribute malware in the above scenario.
Mouse hovering
Which of the following is a search and seizure step that involves seeking consent, obtaining witness signatures, obtaining a warrant for search and seizure, and collecting incident information?
Planning of the search and seizure
Given below is the syntax for executing the command-line version of Autorunsc. autorunsc [-a <*|bdeghiklmoprsw>] [-c|-ct] [-h] [-m] [-s] [-u] [-r] [-vt] [[-z ] | [user]]] Which of the following parameters in the above syntax specifies the LSA security providers to scan?
R
A data acquisition format creates a bit-by-bit copy of the suspected drive, and images in this format are usually obtained using the dd command. Identify this data acquisition format.
Raw format
Which of the following results of an email exchange means that the sender's IP address is neither authorized nor restricted from sending emails on behalf of the organization's domain?
Received-SPF: Neutral
Which of the following results of an email exchange indicates a possibility of IP addresses having or not having the authorization to send emails on behalf of the domain mentioned?
Received-SPF: Softfail
Which of the following tools allows forensic investigators to analyze memory, detect malicious activities that occurred on the system, and construct the timeline and scope of a cybercrime incident?
Redline
Serin, a forensics investigator, wants to investigate the overall profile of network traffic in his organization. For this purpose, he used network-based evidence, which provided him with the summary of a conversation between two network devices. Identify the type of data utilized by Serin in the above scenario.
Session data
Which of the following sections of an email contains additional information including the name and contact details of the email sender?
Signature
Identify the subkey of the HKEY_LOCAL_MACHINE registry that stores information on the configuration settings of hardware drivers and services.
System
Identify the type of analysis that involves monitoring the changes on operating system resources upon malware execution.
System behavior analysis
Which of the following refers to non-volatile data that do not change when the machine is powered off?
System logs
Identify the mandatory requirement for every tool used for the disk imaging process.
The tool must be able to compare the source and destination and alert the user if the destination is smaller than the source.
Which of the following features of Mac OS includes a BackupAlias file containing binary information related to the hard disk used to store backups?
Time Machine
Which of the following tools helps a perpetrator delete and modify the metadata of files to confuse forensic investigators?
Timestomp
Which of the following titles of ECPA addresses the privacy of the contents of files stored by service providers and records held about the subscriber by service providers, such as subscriber name, billing records, and IP addresses?
Title II
Which of the following qualities is required for a good computer forensics investigator?
Well-versed in more than one computer platform
Marcel, a professional hacker, targeted the CFO of a multinational company. He sent a well-crafted email with a carefully designed website link to the CFO and lured him to reveal critical corporate financial data. Identify the type of crime performed by Marcel in the above scenario.
Whaling
Which of the following tools is mainly used to inspect and edit all types of files as well as to recover deleted files or lost data from hard drives with corrupt file systems or from memory cards of digital cameras?
WinHex
Identify the AFF4 object that includes collections of RDF statements.
graphs
Grayson, a forensic investigator, was able to retrieve evidence from a device by authenticating with the information of a card and the user through the level of access, configurations, and permissions. Identify the device utilized by Grayson to obtain the evidence.
biometric scanner
Which of the following fields in the IIS log entry indicates that the user wanted to download a file from a folder?
cs-uri-stem
Which of the following types of cybercrime is an offensive activity in which a computer connected to the web is employed as a source point to damage an organization's reputation?
cyber defamation
Which of the following commands is executed by forensic investigators to calculate the epoch time of a suspected machine?
date +%s
Kayden, a forensic team member, was instructed to handle an infected system. He was assigned the responsibility of analyzing and extracting all the possible data from the suspected Linux machine without altering the original data on the system. Kayden carefully analyzed the suspected machine and executed a Linux command to create a backup and restore MBR. Which of the following commands did Kayden execute in the above scenario?
dd command
Asher, a forensics specialist, was able to retrieve evidence from a device through its address book, notes, appointment calendars, phone numbers, email, etc. Which of the following devices did Asher acquire the evidence from?
digital watch
George, a forensic expert, was investigating a cybercrime. As part of the investigation, he examined a system running Windows OS based on NTFS to discover any malicious events. George accessed and analyzed the file system's metadata files stored in the root directory; the metadata files contain a record for every file in the file system. Which of the following system files has George accessed in the above scenario?
$mft
The following regular expression can be used to detect simple XSS attacks: /((\%3C)|<)((\%2F)|\/)*[a-ZA-Z0-9\%]+((\%3E)|(\%253E)|>)/ix Identify the signature in the above expression that searches for an opening angle bracket or its hex equivalent.
(\%3C)|<)
Given below is the syntax of a netstat command. netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval] Identify the netstat parameter that is used to display all active TCP connections as well as the TCP and UDP ports on which the computer is listening.
-a
Which of the following netstat parameters displays all active TCP connections as well as UDP ports on which the computer is listening?
-a
Jaylen, a forensic investigator, was inspecting a suspected system and wanted to gather the details of all the users who logged in to the suspected system. For this purpose, he executed a PsLoggedOn command to obtain information about locally logged-in users. Identify the PsLoggedOn parameter that helps Jaylen retrieve the details of locally logged-in users.
-l
Identify the netstat parameter that displays the active TCP connections and retrieves the process ID for each connection.
-o
Given below is the syntax of a netstat command. netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval] Identify the netstat parameter that is used to display the contents of the IP routing table.
-r
Santino, a forensic expert, was investigating a victim's Ubuntu system, which had been accessed by an attacker from a remote location. He collected network-related information from the system and executed a netstat command to extract the details of the routing table from the system. Identify the netstat parameter that helps Santino extract the routing table information.
-rn
Given below is the syntax for executing the command-line version of Autorunsc. autorunsc [-a <*|bdeghiklmoprsw>] [-c|-ct] [-h] [-m] [-s] [-u] [-vt] [[-z ] | [user]]] Which of the following parameters in the above syntax commands the offline Windows system to scan?
-z
Which of the following regular expressions is used by investigators to detect an "<img src" XSS attack on a dynamic web page?
/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I
Identify the regular expression that is used to detect meta-characters in an SQL injection attack.
/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
Identify the anti-forensics command that deletes a file from a Linux machine but retains the file on the disk until it is overwritten with new data.
/bin/rm/
Jayce, a forensic specialist, was inspecting a suspected Linux system with an FHS file system. John initiated the investigation process by checking the file system. In this process, he extracted essential device files from the system, which served as potential evidence to track down the culprits. In which of the following directories of FHS did Jayce identify the essential device files?
/dev
Jonas, a forensics professional, was tasked with investigating an application hosted on an Apache server running on an Ubuntu machine. As the first step of the investigation, Jonas navigated to the storage location of the log files to view all the access and error logs. Identify the storage location of the log files in Ubuntu where Jonas could find useful information for the investigation.
/etc/apache2/apache2.conf
Gavin, a forensic expert, was analyzing a Linux system with an FHS file system that was affected by a security incident. Gavin suspected that an unauthorized removable storage device is plugged into the system, providing remote access to the system. Which of the following FHS directories can help Gavin in identifying mount points for removable storage devices?
/media
Rhett, a forensic expert, was inspecting a suspected Linux system with an FHS file system. In this process, he listed all the binary files present in the system and extracted these binary files from the root directory of the system. In which of the following directories of FHS did Rhett identify the binary files?
/sbin
Which of the following tasklist parameters lists all the service information for each process without truncation?
/svc
Identify the location of the logs on a Linux system that record details about the running services, such as squid and ntpd.
/var/log/daemon.log
Damon, a forensics specialist, was solving a case at an organization. He started collecting information from different log files of a victim system running Linux to locate potential evidence generated by the security incident. In this process, he obtained printer logs from the victim system to track evidence. Identify the location of printer logs on a Linux system.
/var/log/lpr.log
Which of the following values of EnablePrefetcher corresponds to "Application prefetching is enabled"?
1
Given below are the various steps involved in analyzing suspicious MS Office documents. 1. Finding suspicious components 2. Dumping macro streams 3. Identifying suspicious VBA keywords 4. Finding macro streams What is the correct sequence of steps involved in analyzing suspicious MS Office documents?
1 -> 4 -> 2 -> 3
Given below are the different phases involved in the UEFI boot process: 1. Security phase 2. Boot Device Selection phase 3. Driver Execution Environment phase 4. Pre-EFI initialization phase 5. Runtime phase What is the correct sequence of phases involved in the UEFI boot process?
1 -> 4 -> 3 -> 2 -> 5
Given below are the various steps involved in retrieving an email header from Microsoft Outlook. 1. Launch the Microsoft Outlook desktop application. 2. When the Properties window opens, select the message header text from the Internet headers box. 3. Click the File button located on the top-left and then the Properties icon. 4. Copy and paste the text in any text editor and save the file. 5. Review all email messages of the suspect's email account and double-click on the email message to be saved. What is the correct sequence of steps involved in retrieving an email header from Microsoft Outlook?
1 -> 5 -> 3 -> 2 -> 4
Corey, a network forensics analyst, was tasked with investigating a malware attack that infected a host system in an organization. Corey collected the network packets and identified that a malicious port used by the njRAT Trojan is active in the system. Which of the following ports is used by the njRAT Trojan?
1177
Given below are various activities involved in the computer forensics investigation methodology. 1. Evidence preservation 2. Documentation of the electronic crime scene 3. Search and seizure 4. Case analysis 5. Reporting 6. Data analysis 7. Testimony as an expert witness 8. Data acquisition What is the correct sequence of activities involved in the computer forensics investigation methodology?
2 -> 3 -> 1 -> 8 -> 6 -> 4 -> 5 -> 7
Given below are the steps involved in preparing a testbed for dynamic malware analysis. 1. Install the tools that will be used to capture the changes performed by the malware to the network properties and other system resources. 2. Create a fresh baseline of both Windows and Linux workstations. 3. Generate hash values of the OSes and tools used. 4. This baseline state can be compared with the system's state after executing the malware. 5. Run the malware that has been collected from the suspect machines on the forensic workstations and begin monitoring. 6. List all device drivers, Windows services, and startup programs. Identify the correct procedure for preparing a testbed for dynamic malware analysis.
2 -> 4 -> 6 -> 1 -> 3 -> 5
Given below are the various steps involved in the data acquisition methodology. 1. Enabling write protection on the evidence media 2. Determining the data acquisition method 3. Validating data acquisition 4. Acquiring non-volatile data 5. Acquiring volatile data 6. Sanitizing the target media 7. Determining the data acquisition tool 8. Planning for contingency What is the correct sequence of steps involved in the data acquisition methodology?
2 -> 7 -> 6 -> 5 -> 1 -> 4 -> 8 -> 3
Jaxton, a forensics expert, was analyzing the IIS logs in a Windows-based server that was compromised earlier. He initiated the investigation process by extracting the IIS log entries and monitored the "sc-status" field to identify how the attacker's request was fulfilled without error. Which of the following codes represents the "sc-status" in the IIS log entry?
200
Given below are different steps involved in forensic readiness planning. 1. Determine the sources of evidence. 2. Establish a legal advisory board to guide the investigation process. 3. Establish a policy for securely handling and storing the collected evidence. 4. Identify the potential evidence required for an incident. 5. Keep an incident response team ready to review the incident and preserve the evidence. 6. Identify if the incident requires full or formal investigation. 7. Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption. 8. Create a process for documenting the procedure. What is the correct sequence of steps involved in forensic readiness planning?
4 -> 1 -> 7 -> 3 -> 6 -> 8 -> 2 -> 5
Given below are the various steps involved in the dead acquisition process. 1. Run any forensic acquisition tool suitable for acquiring/collecting data. 2. Write-block the hard disk to ensure that it provides only read-only access to the hard drive and prevents any modification or tampering of its contents. 3. Connect the hard drive to a forensic workstation to perform the acquisition. 4. Remove the hard drive from the suspected drive. Identify the correct sequence of steps involved in the dead acquisition process.
4 -> 3 -> 2 -> 1
Given below are the different steps involved in the email investigation process. 1. Examining email messages 2. Analyzing email headers 3. Recovering deleted email messages 4. Acquiring the email data 5. Retrieving email headers 6. Seizing the computer and email accounts Identify the correct sequence of steps involved in the email investigation process.
6 -> 4 -> 1 -> 5 -> 2 -> 3
Which of the following types of data is triggered by tools such as Snort IDS and Suricata that inspect network traffic flow and report potential security events as alerts?
Alert data
Which of the following information will be present in the "Investigation process" section of the forensics investigation report?
Allotted investigators
Which of the following measures is defined as the number of bits per square inch on a platter?
Areal density
Johnson, a newly appointed crime investigator, needed clarifications for some doubts before performing an investigation. For this purpose, he approached a team member responsible for providing legal advice about how to conduct the investigation and address the legal issues involved in the forensics investigation process. Identify the individual Johnson approached before performing the investigation.
Attorney
Graham, a forensic expert, was analyzing raw data extracted from a suspected Windows system. In this process, he employed an automated tool to extract and analyze the deleted files. Which of the following tools did Graham employ in the above scenario?
Autopsy
In which of the following data acquisition techniques can the geometry of the target disk, including its head, cylinder, and track configuration, be modified to align with the suspected drive?
Bit-stream disk-to-disk
George, a forensics specialist, was investigating a suspected machine found at a crime scene. He started inspecting the storage media of the device by creating a bit-by-bit copy of it but failed to do so as the suspected drive was very old and incompatible with the imaging software he was using. Which of the following data acquisition methods failed in the above scenario because the suspect system drive was old?
Bit-stream disk-to-image file
Lennox, a security specialist, was attempting to recover the data from an encrypted drive of a compromised system. Lennox suspected that the system might contain potential evidence related to the attack. For this purpose, he employed a technique using which he tried every possible key to recover the data and files stored in the drive. Identify the technique employed by Lennox to recover the encrypted drive.
Brute-force attack
Which of the following techniques uses a program that attempts every combination of characters until the correct password is discovered?
Brute-forcing attack
Which of the following commands helps investigators analyze NetBIOS over TCP/IP activity in a Windows system?
C:\> nbtstat -S
Which of the following is a volatile form of memory that requires power to retain data and is included in an SSD to increase its read/write performance?
DRAM
Which of the following functionalities of Autopsy recovers deleted files from unallocated space using PhotoRec?
Data carving
In which of the following steps of forensic readiness planning do investigators devise a strategy to ensure the collection of evidence from all relevant sources and ensure its preservation in a legally sound manner while causing minimal disruption to work?
Define a policy that determines the pathway to legally extract electronic evidence
Kasen, a professional hacker, performed an attack against a company's web server by flooding it with large amounts of invalid traffic; thereafter, the web server stopped responding to legitimate incoming requests. Identify the type of attack performed by Kasen in the above scenario.
Denial-of-service attack
Identify the tool that lists all the related modules within an executable file and builds a hierarchical tree diagram as well as records all the functions exported and called by each module.
Dependency Walker
In which of the following steps of forensic readiness planning does an investigator determine what currently happens to the potential evidence data and its impact on the business while retrieving the information?
Determine the sources of evidence
Harry, a professional hacker, targeted Johana's official email to gain access and view her banking transactions. To crack the password, Harry used a text file that contained several predetermined character combinations, which allowed him to log into her account. Which of the following techniques was employed by Harry in the above scenario?
Dictionary attack
Which of the following is a process by which a strong magnetic field is applied to a storage device, resulting in a device devoid of any previously stored data?
Disk degaussing
To solve a case, Steve, a digital forensics investigator, was inspecting a disk from which the attacker wiped all the data using a technique that deletes only address tables and unlinks all the files in the file system. Steve used an automated tool to recover the erased data from the disk. Identify the artifact wiping technique employed by the attacker in the above scenario.
Disk formatting
Jude, a forensics expert, was inspecting a Cisco router as part of an investigation process. During analysis, Jude frequently received syslog messages describing the system unusable message on the Cisco router with number code 0. Identify the severity level of the syslog message in the above scenario.
Emergency
Identify HIPAA's administrative statute and rules that require employers to have standard national numbers that identify them on standard transactions.
Employer Identifier Standard
Identify the benefit an incident response team offers an organization if the team is forensically ready.
Ensures that the investigation meets all regulatory requirements
Which of the following tasks is the responsibility of a forensic investigator?
Evaluate the damage due to a security breach
Identify the technique that refers to missing events related to systems downstream from a failed system and avoids events that can cause the system to crash.
Event masking
Easton, a forensics investigation team member, accumulated information from each person involved in the forensics process and developed a report of it in an orderly fashion, from the incident occurrence to the end of the investigation. Identify the role played by Easton in the investigation team.
Evidence documenter
Identify the forensics investigation report section that includes investigative techniques used during the investigation process.
Evidence information
Identify the forensics investigation report section that includes the tools and techniques used for collecting the evidence during the investigation process.
Evidence information
Russell, a forensics expert, was tasked with investigating a system found at a crime scene. During the investigation, Russell discovered some .jpeg images in a locked folder that were suspected to be loaded by the attacker. Russell employed a tool to extract the metadata associated with those images for further investigation. Which of the following tools assisted Russell in the above scenario?
ExifTool
Identify the member in the forensics investigation team who offers a formal opinion in the form of a testimony in a court of law.
Expert witness
Henry, a professional hacker, targeted an organization to gain illegitimate access to its server. He launched an SQL injection attack from a remote location on the target server to obtain users' credentials. Which of the following types of attack has Henry performed in the above scenario?
External Attack
Which of the following tools is built upon the MD5 algorithm and is used to check the integrity of a file?
FastSum
Which of the following is the default Mac application that helps retrieve specific files and folders and sort them in the required order?
Finder
Identify the approach that helps users identify whether a system serves as a relay to a hacker and aids in gathering a series of data sets from forensic event data.
Fingerprint-based approach
Serah, a forensic investigator, was tasked with analyzing the disk layout with details such as locations of the partition area as well as the partition table and its backup copies. In this process, she executed a command to parse the GPTs of both types of hard disks and analyzed the first sector of the hard drive, determined the formatting type used, and then parsed the GPT. Identify the cmdlet utilized by Serah in the above scenario.
Get-BootSector
Bryson, a forensic investigator, was tasked with analyzing a hard disk containing Windows OS. As details about the hard disk were scarcely available, Bryson extracted the GUID partition table and its backup copies to analyze the hard disk layout through Windows PowerShell. Identify the cmdlet used by Bryson in the above scenario.
Get-GPT
Which of the following file systems is developed by Apple Computer, Inc. to support Mac OS in its proprietary Macintosh system and as a replacement for the Macintosh File System (MFS)?
Hierarchical File System
Robert, a forensics team member, was tasked with investigating an attack on a system. He investigated the attack based on the evidence, identified its type, determined how it affected the system, and identified other threats and vulnerabilities associated with the target system.
Incident analyzer
Jack, a disgruntled employee of an organization, gained access to the organization's database server. He manipulated client records stored on the database server to damage the reputation of the organization and to make the organization face legal consequences for losing integrity. Identify the type of attack performed by Jack in the above scenario.
Internal Attack
Which of the following layers of the TCP/IP model handles the movement of a data packet over a network, from the source to the destination, using protocols such as IP, ICMP, and ARP?
Internet layer
Alexis, a professional hacker, performed an attack against an organization's WLAN. In this process, he used a specially designed radio transmitter to transmit signals that can overwhelm and deny the use of the access point by legitimate clients. Which of the following types of attack is performed by Alexis in the above scenario?
Jamming attack
Bruce, an attacker, targeted a Wi-Fi zone to temporarily block users from accessing the Wi-Fi network. To achieve this, Bruce used a specially designed radio transmitter that emits radio signals to overwhelm the access point. Which of the following types of attack has Bruce performed in the above scenario?
Jamming attack
Cyril, a forensic investigator, was appointed to prepare strategies to lure attackers and extract their whereabouts. For this purpose, he employed a honeypot machine, which is a dummy system used to trick attackers into connecting to it. Soon after attackers connect to the system, it provides log details, along with their source IP, session ID, and a message with other useful information about the attackers. Identify the honeypot employed by Cyril in the above scenario.
Kippo
Which of the following practices is NOT a good quality of a computer forensics investigator?
Lack of patience and willingness to work long hours
Gael, a forensic expert, was working on a case related to fake email broadcasting. Gael extracted the data from the victim system to investigate and find the source of the email server. In this process, Gael extracted only ".ost" files from the system as they can provide potential information about the incident. Which of the following types of data acquisition has Gael performed in the above scenario?
Logical Acquisition
Which of the following structures of the HFS volume keeps track of the allocation blocks in use and those that are free?
Logical block 3
Identify the attack that refers to the process of repeatedly sending an email message to a particular address at a specific victim's site.
Mail bombing
Which of the following components of email communication is an email client/desktop application for reading, sending, and organizing emails?
Mail user agent
A command, when executed, changes the modification time and date of a file but retains its creation time and date in the NTFS file system. Identify this command.
Move sample.txt from E:\ to E:\subdir on the NTFS file system
The system administrator of an organization identified that an attacker gained access to a system from a remote location and performed malicious activities. The administrator thoroughly analyzed the compromised system to determine whether the attacker is still accessing the system. Which of the following tools can help the administrator view active TCP and UDP connections in the system?
Netstat
Which of the following components of NTFS acts as a boot loader and accesses the file system to load the contents of the boot.ini file?
Ntldr
Which of the following is a program that conceals the malicious code of malware via various techniques, making it difficult for security mechanisms to detect or remove the malware?
Obfuscator
Which of the following techniques involves live monitoring of the activity of the chosen malware that is currently operating on the system?
Observation of runtime behavior
Which of the following is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards?
PCI DSS
Gatlin, a forensics expert, was analyzing malware executable samples found in a victim's system. After a thorough analysis, he discovered that the malware was packed. Therefore, Gatlin employed a tool to scan and detect the packers used in those samples. Identify the tool employed by Gatlin in the above scenario.
PEiD
Which of the following is a program that allows bundling all files together into a single executable file via compression to bypass security software detection?
Packer
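PEiD names a packer only when the sample matches an entry in its signature database, so the check a practitioner runs alongside it is a Shannon-entropy measurement of each section: compressed or encrypted code sits close to 8 bits per byte, while ordinary machine code and data tables sit well below that. The Python below is an added example written for this page, not code from the practice set or from PEiD; the 7.2 cutoff and the two sample byte strings are constructed assumptions, and no real malware is involved.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant string, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumption: a common rule-of-thumb cutoff. Compressed/encrypted sections usually land
# above it, native code and plain data below it.
PACKED_THRESHOLD = 7.2


def looks_packed(section: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """Heuristic: flag a section whose bytes are as dense as compressed or encrypted data."""
    return shannon_entropy(section) >= threshold


def classify_sections(sections: dict) -> dict:
    """Map each section name to True (packed-looking) or False."""
    return {name: looks_packed(data) for name, data in sections.items()}


# Constructed samples standing in for PE section contents: a repetitive stretch of
# assembly-like text and a deterministic pseudo-random blob (seeded, so it is reproducible).
PLAIN_CODE = b"push ebp; mov ebp, esp; sub esp, 0x40; call GetProcAddress; " * 64
_rng = random.Random(1)
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    samples = {".text": PLAIN_CODE, "UPX1": PACKED_BLOB}
    for name, verdict in classify_sections(samples).items():
        print(f"{name:8s} entropy={shannon_entropy(samples[name]):.2f} packed={verdict}")
```

High entropy alone also fires on legitimately compressed resources and certificate blobs, so treat the verdict as a lead: confirm it against the section names (UPX0/UPX1, .aspack and similar) or a PEiD signature hit before reporting the sample as packed.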
Which of the following attacks involves the capture of traffic flowing through a network to obtain sensitive information such as usernames and passwords?
Packet Sniffing
Which of the following tools can recover deleted email messages depending on how soon the recovery is attempted?
Paraben's E3
Reid, an attacker, targeted an online COVID survey website, where citizens provide their personal and health-related details. He took advantage of a vulnerability present in the web application and manipulated the communication between the users and the server to make changes to the application data. Identify the type of attack performed by Reid in the above scenario.
Parameter/form tampering
Identify the type of password that is a signature of the original password generated using a one-way algorithm such as MD5.
Password hashes
Identify the social engineering technique in which an attacker executes malicious programs on a victim's computer and automatically redirects the victim's traffic to a website controlled by the attacker when the victim enters any URL.
Pharming
Identify the social engineering technique in which an attacker executes malicious programs on a victim's computer or server.
Pharming
Brendan, a professional hacker, drafted an email that appears legitimate and attached malicious links to lure victims into revealing private information such as account numbers. Identify the type of attack Brendan has performed in the above scenario.
Phishing
James, a newly recruited employee of an organization, received an email containing a fake appointment letter. The letter claims to have been sent by the real organization. James failed to identify the legitimacy of the letter and downloaded it. Consequently, malicious software was installed on his system, and it provided remote access to the attacker. Identify the type of cybercrime performed against James in the above scenario.
Phishing Attack
Allen, a forensics expert, was analyzing a forensically extracted memory dump from an Ubuntu machine. While attempting to extract lost files from the dump, Allen employed an open-source tool that uses data carving techniques to recover deleted files or lost data. Which of the following tools did Allen employ in the above scenario?
PhotoRec
Identify the consideration that recommends maintaining a log register at the entrance of a lab to record visitor data such as the address and name of the visitor, date, time, and purpose of the visit, and name of the contact person.
Physical security considerations
Which of the following refers to an analysis of logs performed to detect and study an incident that may have already occurred in a network or device, to determine what exactly occurred, and to identify the source of the event?
Postmortem
Which of the following phases of the forensics investigation process involves setting up a computer forensics lab, building a forensics workstation, developing an investigation toolkit, building an investigation team, and obtaining approval from the relevant authority?
Pre-investigation phase
Which of the following artifacts can help investigators explore the Tor browser when it is uninstalled from a machine or installed in a location other than the Windows desktop?
Prefetch files
Identify the tool that displays basic information about the running processes on a system, including the amount of time each process has been running for in both kernel and user modes.
PsList
Which of the following Federal Rules of Evidence states, "rules should be construed so as to administer every proceeding fairly, eliminating unjustifiable expense and delay, and promoting the development of evidence law, to the end of ascertaining the truth and securing a just determination"?
Rule 102: Purpose
In which of the following phases of the UEFI boot process does the system clear the UEFI program from memory and transfer control to the OS?
Runtime phase
Identify the standard for sanitizing target media that is a wiping method that writes zeros in the first pass and random bytes in the next pass.
Russian Standard, GOST P50739-95 (6 passes)
Which of the following types of disk interface is a set of ANSI standard electronic interfaces that allow personal computers to communicate with peripheral hardware such as disk drives, tape drives, CD-ROM drives, printers, and scanners?
SCSI
Identify the component of email communication that allows users to receive emails only in conjunction with other email communication components such as POP or IMAP.
SMTP server
Which of the following acts was passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations?
SOX
Identify the term that refers to the portions of a hard drive that may contain either data from a previously deleted file or space unused by the currently allocated file.
Slack space
Which of the following is the wasted area of a disk cluster lying between the end of a file and the end of the cluster and is created when the file system allocates a full cluster to a file smaller than the cluster size?
Slack space
Eliana, a forensics expert, was inspecting a suspected machine and aimed to gather and record all the criminal evidence from the machine. She initiated the task by activating a screen recording tool that records all the activities by quickly capturing the screens and adding additional context, as well as saves all the data on a disk after the completion of recording. Identify the tool used by Eliana in the above scenario.
Snagit
Which of the following features of Mac OS is an integrated search feature that indexes files by type, making it easy for forensic investigators to trace suspicious files and applications on a system?
Spotlight
Identify the SWGDE standards and criteria stating that the agency must maintain written copies of appropriate technical procedures.
Standards and Criteria 1.4
Identify the SWGDE standards and criteria insisting that all the activities related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and made available for review and testimony.
Standards and Criteria 1.6
Which of the following techniques is referred to as the art of hiding data or a message "behind" other data without the target's knowledge, thereby hiding the existence of the message itself?
Steganography
Alden, who works in the HR department of an organization, was tasked with selecting suitable candidates for a new project. He went through all the candidates' profiles on a job portal, interviewed them, and prepared an Excel sheet shortlisting candidates. Alden then used the company's email client to share the Excel sheet with his superior, Chris. Identify the field in the email message header where Alden must add Chris's email address.
To
Wilson, a forensics analyst, was extracting artifacts related to the Tor browser from a memory dump obtained from a victim's system. In this process, he identified that the dump contains the maximum possible number of artifacts as evidence. Which of the following conditions provided Wilson with the maximum possible number of artifacts?
Tor browser opened
Marcelo, a forensics analyst, was extracting artifacts related to the Tor browser from a memory dump obtained from a victim's system. In this process, he employed a forensic tool that extracted the information and identified that the dump contains the least possible number of artifacts as evidence. Which of the following conditions provided Marcelo with the least possible number of artifacts?
Tor browser uninstalled
Which of the following is a tool for assessing IT configurations as well as detecting, analyzing, and reporting any change activity across IT infrastructure?
Tripwire Enterprise
Tanner, a professional hacker, sent a fake email to Killian describing new offers on his credit card. Killian, without verifying the legitimacy of the email, clicked on the malicious link in the email. As a result, a malicious script was executed on Killian's system, granting backdoor access to Tanner. Identify the type of attack performed by Tanner in the above scenario.
Unvalidated redirects and forwards
Which of the following steps of the forensic data acquisition methodology involves calculating the target media's hash value and comparing it with the forensic counterpart to ensure that the data have been completely acquired?
Validating data acquisition
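Validating an acquisition means hashing the source media and the forensic image and comparing the digests; a whole-media hash tells you that something differs, but not where. The added example below (written for this page, not taken from the practice set or any acquisition tool) pairs the whole-media SHA-256 with piecewise hashes of fixed-size blocks so a bit flip or a truncated image is localised to a block index. The 4096-byte block size and the three sample "images" are constructed assumptions.

```python
import hashlib

BLOCK = 4096  # assumption: piecewise-hash granularity in bytes


def sha256_hex(data: bytes) -> str:
    """Whole-buffer SHA-256 as hex, the digest an examiner records for the media and the image."""
    return hashlib.sha256(data).hexdigest()


def piecewise_hashes(data: bytes, block: int = BLOCK) -> list:
    """SHA-256 of every fixed-size block, so a mismatch can be localised, not just detected."""
    return [sha256_hex(data[i:i + block]) for i in range(0, len(data), block)]


def validate_acquisition(source: bytes, image: bytes, block: int = BLOCK):
    """Return (verified, whole_hash_matches, mismatched_block_indexes).

    `verified` is True only when the whole-media hash matches AND every block matches;
    the index list tells the examiner where the image diverges (bit flip, truncation).
    """
    whole_ok = sha256_hex(source) == sha256_hex(image)
    src_blocks = piecewise_hashes(source, block)
    img_blocks = piecewise_hashes(image, block)
    bad = [i for i, (a, b) in enumerate(zip(src_blocks, img_blocks)) if a != b]
    shortest, longest = sorted((len(src_blocks), len(img_blocks)))
    bad.extend(range(shortest, longest))  # blocks present on one side only
    return whole_ok and not bad, whole_ok, bad


# Constructed stand-in for a 20,000-byte "drive" and three candidate images of it.
SOURCE = bytes((i * 31 + 7) % 256 for i in range(20000))
GOOD_IMAGE = bytes(SOURCE)
_flipped = bytearray(SOURCE)
_flipped[9000] ^= 0xFF                  # one corrupted byte inside block 2 (bytes 8192..12287)
BIT_FLIPPED_IMAGE = bytes(_flipped)
TRUNCATED_IMAGE = SOURCE[:16000]        # acquisition that stopped early

if __name__ == "__main__":
    for label, image in (("good", GOOD_IMAGE), ("bit flip", BIT_FLIPPED_IMAGE),
                         ("truncated", TRUNCATED_IMAGE)):
        verified, whole_ok, bad = validate_acquisition(SOURCE, image)
        print(f"{label:10s} verified={verified} whole_hash_ok={whole_ok} bad_blocks={bad}")
```

On real media the same logic runs over a device file read in block-sized chunks rather than a bytes object held in memory; the comparison and the localisation are unchanged.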
Identify the tool that provides the pslist plugin to retrieve information on all the processes executing on the system when the memory dump was collected.
Volatility Framework
Identify the functionality of Autopsy, which extracts history, bookmarks, and cookies from Firefox, Chrome, and Internet Explorer.
Web artifacts
Agnes, a forensics investigator, was exploring the Tor browser installed on a suspect machine. In this process, she used an automated tool to obtain metadata related to the browser, which includes browser-created timestamps, last-run timestamps of the browser, number of times the browser was executed, browser execution directory, filename, and file size. Identify the tool employed by Agnes in the above scenario.
WinPrefetchView
Which of the following rules of evidence states that investigators must provide supporting documents regarding the legitimacy of the evidence, with details such as the source of the evidence and its relevance to the case?
authentic
Williams, a forensic specialist, was appointed to perform data acquisition on a victim system that was involved in cybercrime related to a phishing campaign. As the system was in a powered-off state, Williams extracted static data from the hard disk. Identify the static data recovered by Williams in the above scenario.
cookies
Erick, a forensics expert, was tasked with investigating a compromised machine that had been involved in various online attacks. In this process, Erick identified a corrupted file in the system. He scanned the Recycle Bin folder for the metadata of that file, but it was deleted from that location. Subsequently, he used a command to recover the deleted file. Identify the command that Erick used to recover the deleted file.
copy <$R
Aiden, an investigation officer, was investigating a suspected system from which a critical document was sent without permission. In this process, he discovered potential evidence from documents, film cartridges, and phone numbers to which the document was sent. Identify the source of potential evidence from which Aiden gathered the above information.
fax machine
Williams, a forensics investigator, was performing forensics analysis on a suspected Linux system. In this process, Williams used a command from The Sleuth Kit to extract the details of the file system from the evidence image. Identify the command executed by Williams in the above scenario.
fsstat
Which of the following display filters helps administrators in monitoring all the unsuccessful login attempts on an FTP server?
ftp.response.code == 530
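The display filter above selects every server reply whose three-digit code is 530; to turn that into a brute-force indicator an investigator groups the hits by client. The following Python is an added example for this page, not part of the practice set or of Wireshark. The tshark-style summary lines and the threshold of three failures are constructed assumptions; the only fact taken from the protocol is that replies travel server to client, so the client is the destination of each response line.

```python
import re
from collections import Counter

# Constructed tshark-style summary of an FTP control channel (not a real capture).
SAMPLE_LINES = """\
10:00:01 10.0.0.5 -> 192.168.1.20 FTP Response: 220 (vsFTPd 3.0.3)
10:00:02 10.0.0.5 -> 192.168.1.20 FTP Response: 331 Please specify the password.
10:00:03 10.0.0.5 -> 192.168.1.20 FTP Response: 530 Login incorrect.
10:00:04 10.0.0.5 -> 192.168.1.20 FTP Response: 530 Login incorrect.
10:00:05 10.0.0.5 -> 192.168.1.20 FTP Response: 530 Login incorrect.
10:00:06 10.0.0.5 -> 192.168.1.77 FTP Response: 331 Please specify the password.
10:00:07 10.0.0.5 -> 192.168.1.77 FTP Response: 230 Login successful.
10:00:08 192.168.1.20 -> 10.0.0.5 FTP Request: PASS hunter2
10:00:09 10.0.0.5 -> 192.168.1.20 FTP Response: 530 Login incorrect.
""".splitlines()

RESPONSE_RE = re.compile(
    r"^\S+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+FTP Response:\s+(?P<code>\d{3})\b")


def parse_response(line: str):
    """Return {'server', 'client', 'code'} for an FTP response line, None for anything else."""
    m = RESPONSE_RE.match(line)
    if not m:
        return None
    return {"server": m["src"], "client": m["dst"], "code": int(m["code"])}


def failed_logins(lines) -> Counter:
    """Same selection as the display filter ftp.response.code == 530, counted per client."""
    return Counter(r["client"] for r in map(parse_response, lines) if r and r["code"] == 530)


def brute_force_suspects(lines, threshold: int = 3) -> list:
    """Clients with at least `threshold` 530 replies (the threshold is an assumed tuning value)."""
    return sorted(c for c, n in failed_logins(lines).items() if n >= threshold)


if __name__ == "__main__":
    print(dict(failed_logins(SAMPLE_LINES)))
    print("suspects:", brute_force_suspects(SAMPLE_LINES))
```

Requests are deliberately ignored so that a PASS line carrying a password never counts as a failure; pair the 530 count with the 230 replies if you also want to know whether the guessing eventually succeeded.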
Eric, a forensic investigator in an organization, was continuously monitoring the network activity of the organization's employees. In this process, he used a command to detect the systems running in the promiscuous mode to maliciously capture all incoming packets. Identify the command used by Eric in the above scenario.
ifconfig <interface>
While inspecting a suspected machine, Kaison, a forensics investigator, discovered that a malicious file was uploaded on the system that caused disruptions in the system's functionality. Kaison wanted to view the metadata of the file, such as MAC times, file size, and file access permissions. Which of the following commands will help Kaison retrieve the metadata of the file?
istat
David, a forensics investigator, analyzed a RAM dump extracted from a suspected Linux system. He used the Volatility Framework to extract information from the dump file. In this process, David employed a plugin to extract the parent and child processes to determine whether any malicious processes are running on it. Identify the plugin used by David in the above scenario.
linux_pstree
Identify the Volatility Framework plugin that helps forensic investigators detect hidden or injected files, which are generally DLL files, in the memory.
malfind
Harrison, a forensic investigator, was working on a criminal case in which he had to extract all the possible data related to criminal activity on a device running Windows OS. For this purpose, Harrison wanted to view the detailed partition layout for the GPT disk, along with the MBR details. Which of the following commands will help Harrison in the above scenario?
mmls
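mmls reads the partition table at the start of the image and prints each slot with its start sector, end sector, length and type description. The Python below is an added example written for this page, not The Sleuth Kit's code; it decodes the classic MBR table (four 16-byte entries at offset 446, 0x55AA signature) and flags the 0xEE protective entry that tells an examiner the real layout lives in the GPT at LBA 1, which this parser does not walk. The type-label subset and the two sample disks are constructed assumptions.

```python
import struct

ENTRY_FMT = "<B3sB3sII"                   # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16 bytes
TABLE_OFFSET = 446
SIGNATURE = b"\x55\xAA"

# Assumption: a short subset of partition-type labels, enough for readable output.
PART_TYPES = {
    0x07: "NTFS / exFAT / HPFS (0x07)",
    0x0C: "Win95 FAT32 (LBA) (0x0C)",
    0x83: "Linux (0x83)",
    0xEE: "GPT Safety Partition (0xEE)",
}


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty primary partition entries of an MBR as dicts (offsets in sectors)."""
    if len(sector0) < 512 or sector0[510:512] != SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR")
    entries = []
    for slot in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, sector0, TABLE_OFFSET + slot * ENTRY_SIZE)
        if ptype == 0 and count == 0:
            continue  # empty slot
        entries.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "desc": PART_TYPES.get(ptype, f"Unknown (0x{ptype:02X})"),
            "start": lba,
            "end": lba + count - 1,
            "length": count,
        })
    return entries


def is_protective_mbr(entries: list) -> bool:
    """True when the table holds a 0xEE entry, i.e. the real layout is in the GPT at LBA 1."""
    return any(e["type"] == 0xEE for e in entries)


def layout_table(entries: list) -> str:
    """Render the entries mmls-style: slot, start, end, length, description."""
    lines = ["Slot  Start        End          Length       Description"]
    for e in entries:
        lines.append(f"{e['slot']:<5d} {e['start']:<12d} {e['end']:<12d} {e['length']:<12d} {e['desc']}")
    return "\n".join(lines)


def build_mbr(parts: list) -> bytes:
    """Constructed helper: assemble a 512-byte MBR from (bootable, type, lba, count) tuples."""
    sector = bytearray(512)
    for slot, (bootable, ptype, lba, count) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + slot * ENTRY_SIZE,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed sample disks (no real evidence image): a two-partition NTFS disk and a GPT disk
# whose MBR carries only the protective 0xEE entry.
NTFS_DISK_MBR = build_mbr([(True, 0x07, 2048, 204800), (False, 0x07, 206848, 409600)])
GPT_DISK_MBR = build_mbr([(False, 0xEE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for label, mbr in (("NTFS disk", NTFS_DISK_MBR), ("GPT disk", GPT_DISK_MBR)):
        entries = parse_mbr(mbr)
        print(f"== {label} (protective MBR: {is_protective_mbr(entries)})")
        print(layout_table(entries))
```

Run against a real image by passing its first 512 bytes; when is_protective_mbr() reports True, follow up with the GPT header, which is what mmls does automatically.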
Eduardo, a forensic investigator, wants to collect network information such as session information, network packets, port scan results, IDS/IPS, firewall, server, and application log data. For this purpose, he executes a command that can troubleshoot NetBIOS name resolution problems and collect network information. Which of the following commands is executed by Eduardo in the above scenario?
nbtstat [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval]
Identify the command used for managing computer connections that displays information about all the logged-in sessions of the local computer when used without parameters.
net sessions [\\<ComputerName>] [/delete] [/list]
Peyton, a forensic investigator, was inspecting a suspected machine to gather details of malicious activities related to a security incident. In this process, he employed a tool to collect information related to all open TCP and UDP ports, routing tables, multicast memberships, interface statistics, and masquerade connections. Identify the tool employed by Peyton in the above scenario.
netstat
Isaac, a forensics expert, was inspecting a suspected machine. He initiated the process by testing active network connections on the machine to identify whether the Tor browser was used to launch malicious activities. Which of the following commands can help Isaac determine whether the Tor browser was used on the suspected machine?
netstat -ano
Zayn, a forensic expert, was tasked with investigating an incident that occurred on a Windows machine. Zayn wanted to check whether the attacker was still active on the network and spreading the infection. In this process, Zayn executed a netstat command that helped him view the TCP and UDP network connections, listening ports, and identifiers of the processes. Identify the command executed by Zayn in the above scenario.
netstat -ano
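The two netstat -ano scenarios above ask the same thing of the output: read the local and foreign endpoints, the state and the PID, then pick out the process worth a closer look. The Python below is an added example written for this page, not practice-set or Microsoft code; it parses a constructed netstat -ano listing and flags a PID that holds a loopback listener on one of tor's default ports (9050/9051 for a standalone tor, 9150/9151 for the Tor Browser bundle), then lists that PID's established peers. The sample output and the port set are the assumptions.

```python
from collections import defaultdict

# Assumption: default loopback ports used by tor (9050 SOCKS, 9051 control) and by the
# Tor Browser bundle (9150 SOCKS, 9151 control). A listener there is an indicator, not proof.
TOR_LOCAL_PORTS = {9050, 9051, 9150, 9151}

# Constructed sample of `netstat -ano` output from a Windows host (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    [::]:135               [::]:0                 LISTENING       912
  TCP    127.0.0.1:9150         0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:9151         0.0.0.0:0              LISTENING       4412
  TCP    192.168.1.20:52010     203.0.113.10:443       ESTABLISHED     4412
  TCP    192.168.1.20:52011     198.51.100.7:9001      ESTABLISHED     4412
  TCP    192.168.1.20:52020     93.184.216.34:443      ESTABLISHED     2304
  UDP    0.0.0.0:5353           *:*                                    1204
"""


def split_endpoint(endpoint: str):
    """'127.0.0.1:9150' -> ('127.0.0.1', 9150); '[::]:135' -> ('[::]', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list:
    """Parse the TCP rows (5 columns) and UDP rows (4 columns, no state) of `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # banner, header and blank lines
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def tor_candidates(rows: list) -> dict:
    """PIDs holding a loopback listener on a Tor default port, each with its remote peers."""
    suspects = set()
    for r in rows:
        host, port = split_endpoint(r["local"])
        if r["state"] == "LISTENING" and host == "127.0.0.1" and port in TOR_LOCAL_PORTS:
            suspects.add(r["pid"])
    peers = defaultdict(list)
    for r in rows:
        if r["pid"] in suspects and r["state"] == "ESTABLISHED":
            peers[r["pid"]].append(r["foreign"])
    return {pid: sorted(peers[pid]) for pid in sorted(suspects)}


if __name__ == "__main__":
    for pid, remote in tor_candidates(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"PID {pid}: Tor-style listener; established peers: {', '.join(remote) or 'none'}")
```

The listener is only the lead: confirm the image name with tasklist /FI "PID eq 4412" before writing up the PID, and remember that peers on 9001 and 443 are consistent with Tor relays but equally with ordinary HTTPS traffic.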
Which of the following netstat commands allows forensic investigators to view the list of network interfaces on a system?
netstat -i
While investigating a cyber incident, Edwin, a forensics specialist, inspected an affected system. In this process, Edwin retrieved the routing table and checked if any persistent routes were enabled in that system. Identify the command that Edwin used to retrieve the required information.
netstat [-a] [-e] [-n] [-o] [-p <Protocol>] [-r] [-s] [<Interval>]
Kylo, a forensics investigator, was tasked with investigating a security incident in an organization. In this process, Kylo employed a network scanning tool to identify open ports that allowed attackers to install malicious services on the target system. Identify the tool employed by Kylo in the above scenario.
nmap
Which of the following commands helps forensic investigators identify open TCP ports on a system and obtain information on them?
nmap -sT localhost
Identify the Wireshark filter that is used to detect a SYN-FIN flood DoS attack.
tcp.flags==0x003
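The filter matches only when the flag field is exactly 0x003, i.e. SYN and FIN set and nothing else, a combination no legitimate stack emits. The Python below is an added example for this page, not Wireshark's or the practice set's code; it pulls the flag field out of raw TCP headers the way tcp.flags reports it (the NS bit from the low bit of the data-offset byte, then the eight flag bits) and counts exact SYN-FIN packets per source. The constructed packets and the threshold of three are assumptions.

```python
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SYN_FIN = SYN | FIN  # 0x003: exactly what the display filter tcp.flags==0x003 selects


def tcp_flags(header: bytes) -> int:
    """Return the 9-bit flag field as Wireshark's tcp.flags reports it (NS bit at 0x100)."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    offset_ns, flags = struct.unpack_from("!BB", header, 12)
    return ((offset_ns & 0x01) << 8) | flags


def make_tcp_header(sport: int, dport: int, flags: int, seq: int = 0) -> bytes:
    """Constructed minimal 20-byte TCP header (data offset 5, NS clear, zero checksum)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags & 0xFF, 65535, 0, 0)


def syn_fin_sources(packets: list, threshold: int = 3) -> dict:
    """Count packets per source whose flags are exactly SYN+FIN; report sources at or over threshold."""
    counts = Counter(src for src, hdr in packets if tcp_flags(hdr) == SYN_FIN)
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed traffic (no real capture): a normal handshake, one host spraying SYN-FIN at
# port 80, and a SYN-FIN-ACK (0x013) that must NOT match because extra bits are set.
SAMPLE_PACKETS = [
    ("192.168.1.20", make_tcp_header(51000, 80, SYN)),
    ("10.0.0.5", make_tcp_header(80, 51000, SYN | ACK)),
    ("192.168.1.20", make_tcp_header(51000, 80, ACK)),
    ("203.0.113.9", make_tcp_header(1025, 80, SYN_FIN)),
    ("203.0.113.9", make_tcp_header(1026, 80, SYN_FIN)),
    ("203.0.113.9", make_tcp_header(1027, 80, SYN_FIN)),
    ("203.0.113.9", make_tcp_header(1028, 80, SYN_FIN)),
    ("203.0.113.9", make_tcp_header(1029, 80, SYN_FIN | ACK)),
]

if __name__ == "__main__":
    for src, hdr in SAMPLE_PACKETS:
        print(f"{src:14s} flags=0x{tcp_flags(hdr):03x}")
    print("SYN-FIN flood sources:", syn_fin_sources(SAMPLE_PACKETS))
```

An equality test is deliberate: tcp.flags & 0x003 == 0x003 would also catch SYN-FIN-ACK and other malformed mixes, which is a different (broader) hunt than the flood the filter targets.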
Identify the rule of evidence stating that investigators and prosecutors must present evidence in a clear and comprehensible manner to the members of the jury.
understandable
Which of the following types of digital evidence in a computer system will be lost as soon as the system is powered off?
volatile data
Which of the following types of digital evidence is temporary information on a digital device that requires constant power supply to retain and is deleted if the power supply is interrupted?
volatile data
Steve, a professional hacker, performed malicious activities using a compromised system of an organization. To maintain persistence and hide the traces of attack, he employed an anti-forensics tool that helped him keep his malicious files or code untraceable. Identify the tool employed by Steve in the above scenario.
wbStego
Which of the following is an anti-forensics tool that helps attackers destroy or hide traces of illegal activities, hindering the forensics investigation process?
wbStego
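The steganography definition earlier on the page and the two wbStego entries above describe the same mechanism from the defender's and the attacker's side: the message is spread across the least-significant bits of a cover so the cover still looks normal and the existence of the message is what is hidden. The Python below is an added example written for this page, not wbStego's or the practice set's code; it embeds a length-prefixed message one bit per cover byte and extracts it again, and shows why the cover barely changes. The pseudo-pixel cover bytes and the 4-byte big-endian length prefix are constructed assumptions; wbStego's own container formats (BMP, PDF, HTML) add file-format handling this example omits.

```python
import random
import struct


def _bits(data: bytes):
    """Yield the bits of `data`, most-significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity(cover: bytes) -> int:
    """Largest message (in bytes) the cover can hold: one bit per cover byte, minus the 4-byte length."""
    return max(0, len(cover) // 8 - 4)


def hide(cover: bytes, message: bytes) -> bytes:
    """Write a 4-byte big-endian length plus the message into the LSBs of the cover bytes."""
    if len(message) > capacity(cover):
        raise ValueError(f"message of {len(message)} bytes exceeds capacity {capacity(cover)}")
    payload = struct.pack(">I", len(message)) + message
    out = bytearray(cover)
    for index, bit in enumerate(_bits(payload)):
        out[index] = (out[index] & 0xFE) | bit   # clear the LSB, then set it to the payload bit
    return bytes(out)


def _read(stego: bytes, start: int, nbits: int) -> bytes:
    """Collect `nbits` LSBs starting at byte `start` back into bytes."""
    value, acc = bytearray(), 0
    for i in range(nbits):
        acc = (acc << 1) | (stego[start + i] & 1)
        if i % 8 == 7:
            value.append(acc)
            acc = 0
    return bytes(value)


def extract(stego: bytes) -> bytes:
    """Inverse of hide(): read the length prefix, then that many message bytes."""
    (length,) = struct.unpack(">I", _read(stego, 0, 32))
    return _read(stego, 32, 8 * length)


def max_byte_delta(a: bytes, b: bytes) -> int:
    """How far any cover byte moved; LSB embedding changes each byte by at most 1."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed cover standing in for raw 8-bit pixel samples (seeded, so the run is reproducible).
COVER = bytes(random.Random(7).getrandbits(8) for _ in range(2048))

if __name__ == "__main__":
    secret = b"meet at the usual place, 03:00"
    stego = hide(COVER, secret)
    print("recovered:", extract(stego))
    print("bytes changed:", sum(a != b for a, b in zip(COVER, stego)),
          "max delta:", max_byte_delta(COVER, stego))
```

The delta of at most 1 per byte is exactly why a visual check of the cover finds nothing; detection has to come from statistics of the LSB plane or from a known-clean original to diff against, which is the evidence an investigator should look for when wbStego-style tooling is suspected.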