Ver 2


Location of Recycle Bin in Windows Vista and later

$Recycle.Bin

Which file extension should the investigator search for to find the archived message on an MS Exchange server?

.EDB

What is the maximum file system size in ext4?

1 EiB (exbibyte)

How many tracks are typically contained on a platter of a 3.5 in HDD?

1000

What is the maximum single file size in the ext4 file system?

16 TB

How many bit values does HFS use to address allocation blocks?

16 bit

What is the maximum single file size in the ext3 file system?

2 TB

What is the maximum file system size in ext3?

32 TB

How many bytes each are the logical blocks that HFS divides the volume into?

512-bytes

How many bytes is each logical block in GPT?

512-bytes

How large is the partition table structure that stores information about the partitions present on the hard disk in the MBR?

64-byte

a graphical tool that generates the web, streaming, ftp or mail server statistics

AWStats

Which computer crime forensics step requires an investigator to duplicate and image the collected digital information?

Acquiring data

Why should investigators use the bit-stream disk-to-disk data acquisition method rather than the disk-to-image method?

Addresses potential errors and incompatibilities

Which forensic tool allows an investigator to acquire database files for analysis from a mobile device?

Andriller

Which tool should a forensic team use to research unauthorized changes in a database?

ApexSQL DBA

What describes the physical layout of a data storage volume, like the number of heads and the size of the tracks on the drive?

BIOS Parameter Block (BPB)

tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated keywords in an effort to get higher search engine ranking for their malware pages

Blackhat Search Engine Optimization (SEO)

What component of a typical FAT32 file system consists of data that the file system uses to access the volume and uses the system partition to load the operating system kernel files?

Boot Sector

hardware write blocker examples

CRU® WiebeTech® USB WriteBlocker™, Tableau Forensic Bridges

allows recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force, and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords, and analyzing routing protocols

Cain & Abel

a network analyzer that allows monitoring of network traffic, troubleshooting network issues, and analyzing packets

Capsa

Which tool is used to search and analyze PC messaging logs?

Chat Stick

Steganalysis with known message to generate a stego-object by using some steganography tool in order to find the steganography algorithm used to hide the information

Chosen-message attack

Steganalysis with both the stego-object and steganographic tool or algorithm used to hide the message.

Chosen-stego attack

Which step preserves the forensic integrity of volatile evidence when a device is discovered in the powered-on state?

Collecting information with a secure (trusted) command shell

What component of a typical FAT32 file system occupies the largest part of a partition and stores the actual files and directories?

Data Area

What tool for Mac recovers files from a crashed or virus-corrupted hard drive?

Data Rescue 4

Which inode field contains pointers to the blocks containing the data that this inode is describing?

Data blocks

password cracker aiming at brute-forcing OS X user passwords

DaveGrohl

unintentional downloading of software via the Internet; attacker exploits flaws in browser software to install malware when the user merely visits a website

Drive-by Downloads

Which software tool allows forensic examiners to direct information from one sector range to another?

DriveSpy

A forensic investigator makes a bit-stream copy of a Windows hard drive that has been reformatted. The investigator needs to locate only the Adobe PDF files on the hard drive. Which tool should this investigator use?

EaseUS Data Recovery

What tool is used for format recovery, unformatting, and recovering deleted files emptied from the Recycle Bin or data lost due to partition loss or damage, software crash, virus infection, or unexpected shutdown, and supports hardware RAID?

EaseUS Data Recovery Wizard

Which tool allows an investigator to review or process information in a Windows environment but does not rely on the Windows API?

EnCase

Which action maintains the integrity of evidence when a forensic laptop is used to acquire data from a compromised computer?

Enabling a hardware write blocker

also called event de-duplication. It compiles the repeated events to a single event and avoids duplication of the same event

Event aggregation

discards the irrelevant events.

Event filtering

refers to missing events related to systems that are downstream of a failed system

Event masking

type of report an investigator should prepare for an affidavit statement

Formal written

Which architectural layer of mobile device environments is responsible for creating menus and sub-menus in designing applications?

GUI API

Software which provides quick searches for botnets, Trojans, steganography, encryption, and keyloggers?

Gargoyle Investigator Forensic Pro

Which cmdlet can investigators use in Windows PowerShell to analyze the GUID Partition Table data structure of the hard disk?

Get-GPT

open source real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser

GoAccess

The stakeholders responsible for managing and maintaining all the aspects of the cloud, such as cloud security architects, network administrators, security administrators, ethical hackers, etc

IT Professionals

An employee steals a sensitive text file by embedding it into a PNG file. Which type of steganography did this employee use?

Image

The stakeholders that are the first responders for all the security incidents taking place on a cloud?

Incident Handlers

On Macintosh computers, which architecture utilizes EFI to initialize the hardware interfaces after the BootROM performs POST?

Intel

Which legal document contains a summary of findings and is used to prosecute?

Investigation report

The stakeholders responsible for conducting forensic examinations against allegations made regarding wrongdoings, found vulnerabilities, and attacks over the cloud?

Investigators

Which part of the Linux file system architecture has the memory space where the system supplies all services through an executed system call?

Kernel Space

Steganalysis with knowledge of both the stego-object and the original cover-medium

Known-cover attack

Steganalysis with the message and the stego-medium

Known-message attack

Steganalysis with the steganographic algorithm as well as original and stego-object

Known-stego attack

helps to recover lost Microsoft Windows passwords by using dictionary attacks, hybrid attacks, rainbow tables, and brute-force attacks

L0phtCrack

utility that displays a list of all LSA secrets stored in the Registry on a computer

LSASecretsView

What should this first responder do while securing the crime scene after discovering devices?

Leave the devices as found and fill out chain of custody paperwork

How can a forensic investigator verify an Android mobile device is on, without potentially changing the original evidence or interacting with the operating system?

Look for flashing lights

embedding malware-laden advertisements in authentic online advertising channels to spread malware onto the systems of unsuspecting users

Malvertising

Which inode field determines what the inode describes and the permissions that users have to it?

Mode

Which field type of an ISO 9660 disk refers to the volume descriptor as a boot record?

Number 0

Which field type of an ISO 9660 disk refers to the volume descriptor as a primary volume descriptor?

Number 1

Which field type of an ISO 9660 disk refers to the volume descriptor as a supplementary?

Number 2

Which software tool gives network engineers real-time visibility and expert analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and video to remote offices?

OmniPeek

Which architectural layer of mobile device environments offers utilities for scheduling multiple tasks, memory management tasks, synchronization, and priority allocation?

Operating system

Windows password cracker based on rainbow tables

Ophcrack

Which inode field enables the file system to correctly allow the right sort of access?

Owner Information

What is a responsibility of the first responder at a crime scene?

Package and transport the evidence

On Macintosh computers, which architecture utilizes Open Firmware to initialize the hardware interfaces after the BootROM performs POST?

PowerPC

Which tool should a forensic investigator use on a Windows computer to locate all the data on a computer disk, protect evidence, and create evidentiary reports for use in legal proceedings?

ProDiscover

A forensic investigator is called to the stand as a technical witness in an internet payment fraud case. Which behavior is considered ethical by this investigator while testifying?

Providing and explaining facts found during the investigation

Location of Recycle Bin in Windows 98 and older

RECYCLED

Location of Recycle Bin in Windows 2000, XP, and NT

RECYCLER

captures live traffic and processes packet files from virtually any existing network collection device for analysis

RSA NetWitness Investigator

event correlator identifies all the devices that became inaccessible due to network failures

Root cause analysis

software write blocker examples

SAFE Block, MacForensicsLab Write Controller

The information about the system users is stored in which file?

SAM database file

The five UEFI boot process phases?

SEC, PEI, DXE, BDS, RT

Which of the three different files storing data and logs in SQL servers is optional?

Secondary (.ndf)

Which graphical tool should investigators use to identify publicly available information about a public IP address?

SmartWhois

Windows-based image conversion and file conversion application that converts large batches of image or document files from one format to another.

SnowBatch

a common technique used to distribute malware on the web by injecting malware into legitimate-looking websites to trick users into selecting them?

Social Engineered Click-jacking

technique helps attacker in mimicking legitimate institutions, such as banks, in an attempt to steal passwords, credit card and bank account data, and other sensitive information

Spearphishing Sites

Steganalysis with only the stego-medium or stego-object

Stego-only attack

What is the minimum number of workstations a forensics lab needs?

Two

Which part of the Linux file system architecture has the protected memory area where the user processes run and contains the available memory?

User Space

supports over 1200 different conversions such as Video Converter, Audio Converter, Music Converter, eBook Converter, Image Converter, and CAD Converter

Zamzar

Command for Linux servers to track all events of a user

ausearch

Which characteristic describes an organization's forensic readiness in the context of cybercrimes?

cost considerations

What UFS file system part comprises a collection, including a header with statistics and free lists, a number of inodes containing file attributes, and a number of data blocks?

cylinder groups

Which position does the protective MBR occupy in the GPT at Logical Block Address 0 (LBA 0)?

first

Which command from The Sleuth Kit (TSK) displays details of a metadata structure such as inode?

istat

Which HFS volume structure is the starting block of the volume bitmap?

logical block 3

Which command line utility enables an investigator to analyze privileges assigned to database files?

mysqlaccess

command used to analyze the file headers and sections of ELF files

readelf

What is Folder Steganography?

refers to hiding one or more files in a folder. In this process, user moves the file physically but still keeps the associated files in its original folder for recovery.

Which information held by the superblock contains major and minor items that allow the mounting code to determine whether or not supported features are available to the file system?

revision level

What UFS file system part includes a magic number identifying the file system and vital numbers describing the file system's geometry and statistics and behavioral tuning parameters?

super block

What is the primary information required for starting an email investigation?

the unique IP address

What is Document steganography?

user adds white spaces and tabs at the end of the lines.

