C702 CHFI (1st 150 set)


Fred, a cybercrime investigator for the FBI, finished storing a solid-state drive in a static-resistant bag and filled out the chain of custody form. Two days later, John grabbed the solid-state drive and created a clone of it (with write blockers enabled) in order to investigate the drive. He did not document the chain of custody though. When John was finished, he put the solid-state drive back in the static-resistant bag and placed it back in the evidence locker. A day later, the court trial began and upon presenting the evidence and the supporting documents, the chief justice outright rejected them. Which of the following statements strongly supports the reason for rejecting the evidence? A. John did not document the chain of custody B. Block clones cannot be created with solid-state drives C. Write blockers were used while cloning the evidence D. John investigated the clone instead of the original evidence itself

A. John did not document the chain of custody

Web browsers can store relevant information from user activities. Forensic investigators may retrieve files, lists, access history, cookies, among other digital footprints. Which tool can contribute to this task? A. MZCacheView B. Google Chrome Recovery Utility C. Task Manager D. Most Recently Used (MRU) list

A. MZCacheView

You are working on a thesis for your doctorate degree in Computer Science. Your thesis is based on HTML, DHTML, and other web-based languages and how they have evolved over the years. You navigate to archive.org and view the HTML code of news.com. You then navigate to the current news.com website and copy over the source code. While searching through the code, you come across something abnormal: What have you found? A. Web bug B. CGI code C. Trojan.downloader D. Blind bug

A. Web bug

You are using DriveSpy, a forensic tool and want to copy 150 sectors where the starting sector is 1709 on the primary hard drive. Which of the following formats correctly specifies these sectors? A. 0:1000, 150 B. 0:1709, 150 C. 1:1709, 150 D. 0:1709-1858

B. 0:1709, 150

What command-line tool enables a forensic investigator to establish communication between an Android device and a forensic workstation in order to perform data acquisition from the device? A. SDK Manager B. Android Debug Bridge C. Xcode D. APK Analyzer

B. Android Debug Bridge

Which of the following applications will allow a forensic investigator to track the user login sessions and user transactions that have occurred on an MS SQLServer? A. Event Log Explorer B. ApexSQL Audit C. Notepad++ D. netcat

B. ApexSQL Audit

Robert needs to copy an OS disk snapshot of a compromised VM to a storage account in different region for further investigation. Which of the following should he use in this scenario? A. Azure Active Directory B. Azure Portal C. Azure CLI D. Azure Monitor

B. Azure Portal

The newer Macintosh Operating System is based on: A. OS/2 B. BSD Unix C. Linux D. Microsoft Windows

B. BSD Unix

Which of the following tools will allow a forensic investigator to acquire the memory dump of a suspect machine so that it may be investigated on a forensic workstation to collect evidentiary data like processes and Tor browser artifacts? A. DB Browser SQLite B. Belkasoft Live RAM Capturer and AccessData FTK Imager C. Bulk Extractor D. Hex Editor

B. Belkasoft Live RAM Capturer and AccessData FTK Imager

You are an information security analyst at a large pharmaceutical company. While performing a routine review of audit logs, you have noticed a significant amount of egress traffic to various IP addresses on destination port 22 during off-peak hours. You researched some of the IP addresses and found that many of them are in Eastern Europe. What is the most likely cause of this traffic? A. The organization's primary internal DNS server has been compromised and is performing DNS zone transfers to malicious external entities B. Data is being exfiltrated by an advanced persistent threat (APT) C. Malicious software on an internal system is downloading research data from partner SFTP servers in Eastern Europe D. Internal systems are downloading automatic Windows updates

B. Data is being exfiltrated by an advanced persistent threat (APT)

Which of the following is the most effective tool for acquiring volatile data from a Windows-based system? A. Helix B. Datagrab C. Coreography D. Ethereal

B. Datagrab

Storage location of Recycle Bin for NTFS file systems (Windows Vista and later) is located at: A. Drive:\RECYCLE.BIN B. Drive:\$Recycle.Bin C. Drive:\RECYCLED D. Drive:\RECYCLER

B. Drive:\$Recycle.Bin

James, a forensics specialist, was tasked with investigating a Windows XP machine that was used for malicious online activities. During the investigation, he recovered certain deleted files from Recycle Bin to identify attack clues. Identify the location of Recycle Bin in Windows XP system. A. local/share/Trash B. Drive:\RECYCLER\ C. Drive:\RECYCLED D. Drive:\$Recycle.Bin\

B. Drive:\RECYCLER\

Harry has collected a suspicious executable file from an infected system and seeks to reverse its machine code to instructions written in assembly language. Which tool should he use for this purpose? A. HashCalc B. Ollydbg C. BinText D. oledump

B. Ollydbg

Cloud forensic investigations impose challenges related to multi-jurisdiction and multi-tenancy aspects. To have a better understanding of the roles and responsibilities between the cloud service provider (CSP) and the client, which document should the forensic investigator review? A. National and local regulation B. Service level agreement C. Key performance indicator D. Service level management

B. Service level agreement

Brian has the job of analyzing malware for a software security company. Brian has set up a virtual environment that includes virtual machines running various versions of OSes. Additionally, Brian has set up separated virtual networks within this environment. The virtual environment does not connect to the company's intranet nor does it connect to the external Internet. With everything set up, Brian now received an executable file from a client that has undergone a cyberattack. Brian ran the executable file in the virtual environment to see what it would do. What type of analysis did Brian perform? A. Status malware analysis B. Static OS analysis C. Static malware analysis D. Dynamic malware analysis

D. Dynamic malware analysis

Edgar is part of the FBI's forensic media and malware analysis team; he is analyzing a current malware and is conducting a thorough examination of the suspect system, network, and other connected devices. Edgar's approach is to execute the malware code to know how it interacts with the host system and its impacts on it. He is also using a virtual machine and a sandbox environment. What type of malware analysis is Edgar performing? A. VirusTotal analysis B. Static analysis C. Malware disassembly D. Dynamic malware analysis/behavioral analysis

D. Dynamic malware analysis/behavioral analysis

_____________ allows a forensic investigator to identify the missing links during investigation. A. Chain of custody B. Exhibit numbering C. Evidence preservation D. Evidence reconstruction

D. Evidence reconstruction

What file structure database would you expect to find on floppy disks? A. NTFS B. FAT32 C. FAT16 D. FAT12

D. FAT12

ISO/IEC 17025 is an accreditation for which of the following: A. CHFI issuing agency B. Chain of custody C. Encryption D. Forensics lab licensing

D. Forensics lab licensing

Derrick, a forensic specialist, was investigating an active computer that was executing various processes. Derrick wanted to check whether this system was used in an incident that occurred earlier. He started inspecting and gathering the contents of RAM, cache, and DLLs to identify incident signatures. Identify the data acquisition method employed by Derrick in the above scenario. A. Dead data acquisition B. Non-volatile data acquisition C. Static data acquisition D. Live data acquisition

D. Live data acquisition

A clothing company has recently deployed a website on its latest product line to increase its conversion rate and base of customers. Andrew, the network administrator recently appointed by the company, has been assigned the task of protecting the website from intrusion and vulnerabilities. Which of the following tools should Andrew consider deploying in this scenario? A. Kon-Boot B. Recuva C. CryptaPix D. ModSecurity

D. ModSecurity

An investigator seized a notebook device installed with a Microsoft Windows OS. Which type of files would support an investigation of the data size and structure in the device? A. APFS and HFS B. Ext2 and Ext4 C. HFS and GNUC D. NTFS and FAT

D. NTFS and FAT

When analyzing logs, it is important that the clocks of all the network devices are synchronized. Which protocol will help in synchronizing these clocks? A. UTC B. PTP C. UCT D. NTP

D. NTP

Which of the following directories contains the binary files or executables required for system maintenance and administrative tasks on a Linux system? A. /lib B. /bin C. /usr D. /sbin

D. /sbin

Which layer in the IoT architecture is comprised of hardware parts such as sensors, RFID tags, and devices that play an important role in data collection? A. Access gateway layer B. Application layer C. Edge technology layer D. Middleware layer

C. Edge technology layer

Jack is reviewing file headers to verify the file format and hopefully find more information about the file. After a careful review of the data chunks through a hex editor, Jack finds the binary value 0xffd8ff. Based on the above information, what type of format is the file/image saved as? A. BMP B. ASCII C. JPEG D. GIF

C. JPEG

An investigator wants to extract passwords from SAM and System Files. Which tool can the investigator use to obtain a list of users, passwords, and their hashes in this case? A. Nuix B. FileMerlin C. PWdump7 D. HashKey

C. PWdump7

A file requires 10 KB space to be saved on a hard disk partition. An entire cluster of 32 KB has been allocated for this file. The remaining, unused space of 22 KB on this cluster will be identified as ____________. A. Swap space B. Cluster space C. Slack space D. Sector space

C. Slack space

In which IoT attack does the attacker use multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks? A. Blueborne attack B. Replay attack C. Sybil attack D. Jamming attack

C. Sybil attack

"No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court" - this principle is advocated by which of the following? A. FBI Cyber Division B. Scientific Working Group on Imaging Technology (SWGIT) C. The Association of Chief Police Officers (ACPO) Principles of Digital Evidence D. Locard's exchange principle

C. The Association of Chief Police Officers (ACPO) Principles of Digital Evidence

This law sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations. A. European Anti-Spam act B. Federal Spam act C. The CAN-SPAM act D. Telemarketing act

C. The CAN-SPAM act

Which among the following acts has been passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations? A. Gramm-Leach-Bliley act B. Federal Information Security Management act of 2002 C. Health Insurance Probability and Accountability act of 1996 D. Sarbanes-Oxley act of 2002

D. Sarbanes-Oxley act of 2002

The offset in a hexadecimal code is: A. The last byte after the colon B. The 0x at the beginning of the code C. The 0x at the end of the code D. The first byte after the colon

D. The first byte after the colon

When an investigator contacts by telephone the domain administrator or controller listed by a Whois lookup to request that all e-mails sent and received for a user account be preserved, what U.S.C. statute authorizes this phone call and obligates the ISP to preserve e-mail records? A. Title 18, Section 1030 B. Title 18, Section 2703(d) C. Title 18, Section Chapter 90 D. Title 18, Section 2703(f)

D. Title 18, Section 2703(f)

A computer forensics investigator or forensic analyst is a specially trained professional who works with law enforcement as well as private businesses to retrieve information from computers and other types of data storage devices. For this, the analyst should have an excellent working knowledge of all aspects of the computer. Which of the following is not a duty of the analyst during a criminal investigation? A. To recover data from suspect devices B. To fill the chain of custody C. To create an investigation report D. To enforce the security of all devices and software in the scene

D. To enforce the security of all devices and software in the scene

According to RFC 3227, which of the following is considered as the most volatile item on a typical system? A. Archival media B. Temporary system files C. Kernel statistics and memory D. Registers and cache

D. Registers and cache

Rule 1002 of Federal Rules of Evidence (US) talks about ______________. A. Admissibility of duplicates B. Admissibility of original C. Admissibility of other evidence of contents D. Requirement of original

D. Requirement of original

What is the extension used by Windows OS for shortcut files present on the machine? A. .lnk B. .dat C. .log D. .pf

A. .lnk

With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________. A. 0 B. 10 C. 100 D. 1

A. 0

For the purpose of preserving the evidentiary chain of custody, which of the following labels is not appropriate? A. SSN of the person collecting the evidence B. Exact location the evidence was collected from C. Relevant circumstances surrounding the collection D. General description of the evidence

A. SSN of the person collecting the evidence

The information security manager at a national legal firm has received several alerts from the intrusion detection system that a known attack signature was detected against the organization's file server. What should the information security manager do first? A. Disconnect the file server from the network B. Update the anti-virus definitions on the file server C. Report the incident to senior management D. Manually investigate to verify that an incident has occurred

A. Disconnect the file server from the network

Which of the following attacks refers to unintentional download of malicious software via the Internet? Here, an attacker exploits flaws in browser software to install malware merely by the user visiting the malicious website. A. Drive-by downloads B. Phishing C. Internet relay chats D. Malvertising

A. Drive-by downloads

Maria has executed a suspicious executable file in a controlled environment and wants to see if the file adds/modifies any registry value after execution via Windows Event Viewer. Which of the following event IDs should she look for in this scenario? A. Event ID 4657 B. Event ID 4688 C. Event ID 7040 D. Event ID 4624

A. Event ID 4657

Which of the following statements pertaining to First Response is true? A. First Response is neither a part of pre-investigation phase nor a part of investigation phase. It only involves attending to a crime scene first and taking measures that assist forensic investigators in executing their tasks in the investigation phase more efficiently B. First Response is a part of the post-investigation phase C. First Response is a part of the investigation phase D. First Response is a part of the pre-investigation phase

A. First Response is neither a part of pre-investigation phase nor a part of investigation phase. It only involves attending to a crime scene first and taking measures that assist forensic investigators in executing their tasks in the investigation phase more efficiently

Which part of the Windows Registry contains the user's password file? A. HKEY_LOCAL_MACHINE B. HKEY_CURRENT_CONFIGURATION C. HKEY_USER D. HKEY_CURRENT_USER

A. HKEY_LOCAL_MACHINE

Adam is thinking of establishing a hospital in the US and approaches John, a software developer to build a site and host it for him on one of the servers, which would be used to store patient health records. He has learned from his legal advisors that he needs to have the server's log data reviewed and managed according to certain standards and regulations. Which of the following regulations are the legal advisors referring to? A. Health Insurance Portability and Accountability Act of 1996(HIPAA) B. Payment Card Industry Data Security Standard (PCI DSS) C. Data Protection Act of 2018 D. Electronic Communications Privacy Act

A. Health Insurance Portability and Accountability Act of 1996(HIPAA)

In forensics ____________ are used to view stored or deleted data from both files and disk sectors. A. Hex editors B. SIEM tools C. Hash algorithms D. Host interfaces

A. Hex editors

A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation? A. Image the disk and try to recover deleted files B. Seek the help of co-workers who are eye-witnesses C. Check the Windows registry for connection data (you may or may not recover) D. Approach the websites for evidence

A. Image the disk and try to recover deleted files

A cybercriminal is attempting to remove evidence from a Windows computer. He deletes the file evidence1.doc, sending it to Windows Recycle Bin. The cybercriminal then empties the Recycle Bin. After having been removed from the Recycle Bin, what will happen to the data? A. The data will remain in its original clusters until it is overwritten B. The data will be overwritten with zeroes C. The data will be moved to new clusters in unallocated space D. The data will become corrupted, making it unrecoverable

A. The data will remain in its original clusters until it is overwritten

Debbie has obtained a warrant to search a known pedophile's house. Debbie went to the house and executed the search warrant to seize digital devices that have been recorded as being used for downloading illicit images. She seized all digital devices except a digital camera. Why did she not collect the digital camera? A. The digital camera was not listed as one of the digital devices in the warrant B. Debbie overlooked the digital camera because it is not a computer system C. The digital camera was old, had a cracked screen, and did not have batteries. Therefore, it could not have been used in a crime. D. The vehicle Debbie was using to transport the evidence was already full and could not carry more items

A. The digital camera was not listed as one of the digital devices in the warrant

Data density of a disk drive is calculated by using _________. A. Track density, areal density, and bit density. B. Track space, bit area, and slack space. C. Slack space, bit density, and slack density. D. Track density, areal density, and slack density.

A. Track density, areal density, and bit density.

Consider a scenario where a forensic investigator is performing malware analysis on a memory dump acquired from a victim's computer. The investigator uses Volatility Framework to analyze RAM contents: which plugin helps the investigator to identify hidden processes or injected code/DLL in the memory dump? A. malfind B. pslist C. mallist D. malscan

A. malfind

You are working for a large clothing manufacturer as a computer forensics investigator and are called in to investigate an unusual case of an employee possibly stealing clothing designs from the company and selling them under a different brand name for a different company. What you discover during the course of the investigation is that the clothing designs are actually original products of the employee and the company has no policy against an employee selling his own designs on his own time. The only thing that you can find that the employee is doing wrong is that his clothing design incorporates the same graphic symbol as that of the company with only the wording in the graphic being different. What area of the law is the employee violating? A. trademark law B. copyright law C. printright law D. brandmark law

A. trademark law

E-mail logs contain which of the following information to help you in your investigation? (Choose four.) A. user account that was used to send the account B. attachments sent with the e-mail message C. unique message identifier D. contents of the e-mail message E. date and time the message was sent

A. user account that was used to send the account C. unique message identifier D. contents of the e-mail message E. date and time the message was sent

During an investigation, Noel found a SIM card from the suspect's mobile. The ICCID on the card is 8944245252001451548. What do the first four digits (89 and 44) in the ICCID represent? A. TAC and industry identifier B. Industry identifier and country code C. Country code and industry identifier D. Issuer identifier number and TAC

B. Industry identifier and country code

You are a forensic investigator who is analyzing a hard drive that was recently collected as evidence. You have been unsuccessful at locating any meaningful evidence within the file system and suspect a drive wiping utility may have been used. You have reviewed the keys within the software hive of the Windows registry and did not find any drive wiping utilities. How can you verify that drive wiping software was used on the hard drive? A. Check the list of installed programs B. Look for distinct repeating patterns on the hard drive at the bit level C. Document in your report that you suspect a drive wiping utility was used, but no evidence was found D. Load various drive wiping utilities offline, and export previous run reports

B. Look for distinct repeating patterns on the hard drive at the bit level

An investigator is checking a Cisco firewall log that reads as follows: Aug 21 2019 09:16:44: %ASA-1-106021: Deny ICMP reverse path check from 10.0.0.44 to 10.0.0.33 on interface outside What does %ASA-1-106021 denote? A. Type of request B. Mnemonic message C. Firewall action D. Type of traffic

B. Mnemonic message

Which of the following methods of mobile device data acquisition captures all the data present on the device, as well as all deleted data and access to unallocated space? A. Direct acquisition B. Physical acquisition C. Logical acquisition D. Manual acquisition

B. Physical acquisition

What does the acronym POST mean as it relates to a PC? A. Primary Operations Short Test B. PowerOn Self Test C. Pre Operational Situation Test D. Primary Operating System Test

B. PowerOn Self Test

Malware analysis can be conducted in various manners. An investigator gathers a suspicious executable file and uploads it to VirusTotal in order to confirm whether the file is malicious, provide information about its functionality, and provide information that will allow them to produce simple network signatures. What type of malware analysis was performed here? A. Hybrid B. Static C. Volatile D. Dynamic

B. Static

You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case? A. All forms should be placed in an approved secure container because they are now primary evidence in the case. B. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container. C. The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file. D. All forms should be placed in the report file because they are now primary evidence in the case.

B. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.

During an investigation, the first responders stored mobile devices in specific containers to provide network isolation. All the following are examples of such pieces of equipment, except for: A. Faraday bag B. VirtualBox C. Wireless StrongHold bag D. RF shield box

B. VirtualBox

In Java, when multiple applications are launched, multiple Dalvik Virtual Machine instances occur that consume memory and time. To avoid that, Android implements a process that enables low memory consumption and quick start-up time. What is the process called? A. Init B. Zygote C. Daemon D. Media server

B. Zygote

When examining the log files from a Windows IIS Web Server, how often is a new log file created? A. the same log is used at all times B. a new log file is created everyday C. a new log file is created each week D. a new log is created each time the Web Server is started

B. a new log file is created everyday

Chloe is a forensic examiner who is currently cracking hashed passwords for a crucial mission in the hope of solving the case. She is using a lookup table for recovering a plain text password from cipher text; it contains a word list and brute-force list along with their computed hash values. Chloe is also using a graphical generator that supports SHA1. a. What password technique is being used? b. What tool is Chloe using? A. a. Cain & Abel b. Rten B. a. Rainbow Tables b. Winrtgen C. a. Dictionary attack b. Cisco PIX D. a. Brute-force b. MScache

B. a. Rainbow Tables b. Winrtgen

A(n) _____________________ is one that's performed by a computer program rather than the attacker manually performing the steps in the attack sequence. A. blackout attack B. automated attack C. distributed attack D. central processing attack

B. automated attack

What type of attack occurs when an attacker can force a router to stop forwarding packets by flooding the router with many open connections simultaneously so that all the hosts behind the router are effectively disabled? A. digital attack B. denial of service C. physical attack D. ARP redirect

B. denial of service

When examining a file with a Hex Editor, what space does the file header occupy? A. the last several bytes of the file B. the first several bytes of the file C. none, file headers are contained in the FAT D. one byte at the beginning of the file

B. the first several bytes of the file

How many characters long is the fixed-length MD5 algorithm checksum of a critical system file? A. 128 B. 64 C. 32 D. 16

C. 32

When installed on a Windows machine, which port does the Tor browser use to establish a network connection via Tor nodes? A. 49664/49665 B. 49667/49668 C. 9150/9151 D. 7680

C. 9150/9151

If you come across a sheepdip machine at your client site, what would you infer? A. A sheepdip coordinates several honeypots B. A sheepdip computer is another name for a honeypot C. A sheepdip computer is used only for virus-checking. D. A sheepdip computer defers a denial of service attack

C. A sheepdip computer is used only for virus-checking.

Simona has written a regular expression for the detection of web application-specific attack attempts that reads as /((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix. Which of the following does the part ((\%3E)|>) look for? A. Forward slash for a closing tag or its hex equivalent B. Alphanumeric string or its hex equivalent C. Closing angle bracket or its hex equivalent D. Opening angle bracket or its hex equivalent

C. Closing angle bracket or its hex equivalent

When investigating a system, the forensics analyst discovers that malicious scripts were injected into benign and trusted websites. The attacker used a web application to send malicious code, in the form of a browser side script, to a different end-user. What attack was performed here? A. SQL injection attack B. Cookie poisoning attack C. Cross-site scripting attack D. Brute-force attack

C. Cross-site scripting attack

Which of the following statements is true with respect to SSDs (solid-state drives)? A. Like HDDs, SSDs also have moving parts B. SSDs contain tracks, clusters, and sectors to store data C. Faster data access, lower power usage, and higher reliability are some of the major advantages of SSDs over HDDs D. SSDs cannot store non-volatile data

C. Faster data access, lower power usage, and higher reliability are some of the major advantages of SSDs over HDDs

This is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted. Which among the following is suitable for the above statement? A. Rule 1001 B. Testimony by the accused C. Hearsay rule D. Limited admissibility

C. Hearsay rule

investigator should evaluate the content of the: A. GRUB B. UEFI C. MBR D. BIOS

C. MBR

Place the following in order of volatility from most volatile to the least volatile. A. Archival media, temporary file systems, disk storage, archival media, register and cache B. Register and cache, temporary file systems, routing tables, disk storage, archival media C. Registers and cache, routing tables, temporary file systems, disk storage, archival media D. Registers and cache, routing tables, temporary file systems, archival media, disk storage

C. Registers and cache, routing tables, temporary file systems, disk storage, archival media

Lance wants to place a honeypot on his network. Which of the following would be your recommendations? A. Use a system that has a dynamic addressing on the network B. Use a system that is not directly interacting with the router C. Use it on a system in an external DMZ in front of the firewall D. It doesn't matter as all replies are faked

C. Use it on a system in an external DMZ in front of the firewall

In the context of file deletion process, which of the following statement holds true? A. When files are deleted, the data is overwritten and the cluster marked as available B. The longer a disk is in use, the less likely it is that deleted files will be overwritten C. While booting, the machine may create temporary files that can delete evidence D. Secure delete programs work by completely overwriting the file in one go

C. While booting, the machine may create temporary files that can delete evidence

An investigator needs to perform data acquisition from a storage media without altering its contents to maintain the integrity of the content. The approach adopted by the investigator relies upon the capacity of enabling read-only access to the storage media. Which tool should the investigator integrate into his/her procedures to accomplish this task? A. Data duplication tool B. BitLocker C. Write blocker D. Backup tool

C. Write blocker

In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court? A. rules of evidence B. law of probability C. chain of custody D. policy of separation

C. chain of custody

You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data. What method would be most efficient for you to acquire digital evidence from this network? A. create a compressed copy of the file with DoubleSpace B. create a sparse data copy of a folder or file C. make a bit-stream disk-to-image file D. make a bit-stream disk-to-disk file

C. make a bit-stream disk-to-image file

It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner. A. by law, three B. quite a few C. only one D. at least two

C. only one

Choose the layer in iOS architecture that provides frameworks for iOS app development? A. Core OS B. Core services C. Media services D. Cocoa Touch

D. Cocoa Touch

Jacob, a cybercrime investigator, joined a forensics team to participate in a criminal case involving digital evidence. After the investigator collected all the evidence and presented it to the court, the judge dropped the case and the defense attorney pressed charges against Jacob and the rest of the forensics team for unlawful search and seizure. What forensics privacy issue was not addressed prior to collecting the evidence? A. Compliance with the Third Amendment of the U.S. Constitution B. None of these C. Compliance with the Second Amendment of the U.S. Constitution D. Compliance with the Fourth Amendment of the U.S. Constitution

D. Compliance with the Fourth Amendment of the U.S. Constitution

Which set of anti-forensic tools/techniques allows a program to compress and/or encrypt an executable file to hide attack tools from being detected by reverse-engineering or scanning? A. Emulators B. Botnets C. Password crackers D. Packers

D. Packers

Frank, a cloud administrator in his company, needs to take a backup of the OS disks of two Azure VMs that store business-critical data. Which type of Azure blob storage can he use for this purpose? A. Append blob B. Medium blob C. Block blob D. Page blob

D. Page blob

Consider a scenario where the perpetrator of a dark web crime has uninstalled Tor browser from their computer after committing the crime. The computer has been seized by law enforcement so they can investigate it for artifacts of Tor browser usage. Which of the following should the investigators examine to establish the use of Tor browser on the suspect machine? A. Swap files B. Security logs C. Files in Recycle Bin D. Prefetch files

D. Prefetch files

An investigator is examining a file to identify any potentially malicious content. To avoid code execution and still be able to uncover hidden indicators of compromise (IOC), which type of examination should the investigator perform? A. Dynamic analysis B. Threat hunting C. Threat analysis D. Static analysis

D. Static analysis

Which of the following forensic tools allows an investigator to detect and extract hidden streams on an NTFS drive? A. Autopsy B. TimeStomp C. analyzeMFT D. Stream Detector

D. Stream Detector

Which of the following Windows event logs records events related to device drivers and hardware changes? A. Application log B. Security log C. Forwarded events log D. System log

D. System log

What happens to the header of the file once it is deleted from the Windows OS file systems? A. The OS replaces the entire hex byte coding of the file B. The hex byte coding of the file remains the same, but the file location differs C. The OS replaces the second letter of a deleted file name with a hex byte code: Eh5 D. The OS replaces the first letter of a deleted file name with a hex byte code: E5h

D. The OS replaces the first letter of a deleted file name with a hex byte code: E5h

Jeff is a forensics investigator for a government agency's cyber security office. Jeff is tasked with acquiring a memory dump of a Windows 10 computer that was involved in a DDoS attack on the government agency's web application. Jeff is onsite to collect the memory. What tool could Jeff use? A. Memcheck B. RAMMapper C. Autopsy D. Volatility

D. Volatility

In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze? A. one who has NTFS 4 or 5 partitions B. one who uses dynamic swap file capability C. one who uses hard disk writes on IRQ 13 and 21 D. one who has lots of allocation units per block or cluster

D. one who has lots of allocation units per block or cluster

An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet. A. logical B. anti-magnetic C. magnetic D. optical

D. optical

Before you are called to testify as an expert, what must an attorney do first? A. engage in damage control B. prove that the tools you used to conduct your examination are perfect C. read your curriculum vitae to the jury D. qualify you as an expert witness

D. qualify you as an expert witness

Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime? A. bench warrant B. wire tap C. subpoena D. search warrant

D. search warrant

The MD5 program is used to: A. wipe magnetic media before recycling it B. make directories on an evidence disk C. view graphics files on an evidence drive D. verify that a disk is not altered when you examine it

D. verify that a disk is not altered when you examine it

Which is a standard procedure to perform during all computer forensics investigations? A. with the hard drive removed from the suspect PC, check the date and time in the system's CMOS B. with the hard drive in the suspect PC, check the date and time in the File Allocation Table C. with the hard drive removed from the suspect PC, check the date and time in the system's RAM D. with the hard drive in the suspect PC, check the date and time in the system's CMOS

D. with the hard drive in the suspect PC, check the date and time in the system's CMOS

