CHFI v9


What is the size value of a nibble? A. 0.5 bit B. 2 bits C. 0.5 byte D. 0.5 kilobyte

0.5 byte

Which rule requires an original recording to be provided to prove the content of a recording? A. 1005 B. 1004 C. 1002 D. 1003

1002

Graphics Interchange Format (GIF) is a ____ RGB bitmap image format for images with up to 256 distinct colors per frame. A. 16-bit B. 32-bit C. 8-bit D. 24-bit

8-bit

What does the part of the log, "%SEC-6-IPACCESSLOGP," extracted from a Cisco router represent? A. A packet matching the log criteria for the given access list has been detected (TCP or UDP) B. Immediate action required messages C. Some packet-matching logs were missed because the access list log messages were rate limited, or no access list log buffers were available. D. The system was not able to process the packet because there was not enough room for all of the desired IP header options.

A packet matching the log criteria for the given access list has been detected (TCP or UDP)

Randy has extracted data from an old version of a Windows-based system and discovered info file Dc5.txt in the system recycle bin. What does the file name denote? A. %SystemDrive\logs\LogFiles B. SystemDrive\logs\LogFiles C. SystemDrive\inetpub\LogFiles D. %SystemDrive%\inetpub\logs\LogFiles

A text file deleted from C drive in fifth sequential order

What is cold boot (hard boot)? A. It is the process of shutting down a computer from a powered-on or on state B. It is the process of restarting a computer that is already in sleep mode C. It is the process of restarting a computer that is already turned on through the operating system D. It is the process of starting a computer from a powered-down or off state

A) It is the process of starting a computer from a powered-down or off state

What value of the "Boot Record Signature" is used to indicate that the boot-loader exists? A. AA00 B. A100 C. AA55 D. 00AA

AA55

Which of the following tools enables a user to reset his/her lost admin password in a Windows system? A. SmartKey Password Recovery Bundle Standard B. Active@ Password Changer C. Advanced Office Password Recovery D. Passware Kit Forensic

Active@ Password Changer

A buffer overflow vulnerability in a web application occurs when it fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites ______. There are multiple forms of buffer overflow, including Heap Buffer Overflow and a Format String Attack. A. Adjacent bit blocks B. Adjacent memory locations C. Adjacent string locations D. Adjacent string locations

Adjacent Memory Locations

Jacob is a computer forensics investigator with over 10 years of experience in investigations and has written over 50 articles on computer forensics. He has been called upon as a qualified witness to testify the accuracy and integrity of the technical log files gathered in an investigation into computer fraud. What is the term used for Jacob's testimony in this case? A. Certification B. Justification C. Authentication D. Reiteration

Authentication

Which of the following Event Correlation Approaches checks and compares all the fields systematically and intentionally for positive and negative correlation with each other to determine the correlation across one or multiple fields? A. Automated Field Correlation B. Graph-Based Approach C. Rule-Based Approach D. Field-Based Approach

Automated Field Correlation

What is the purpose of using an obfuscator in malware? A. To convert the malware to a media file B. Execute malicious code in the system C. Propagate malware to other connected devices D. Avoid detection by security mechanisms

Avoid detection by security mechanisms

Which MySQL log file contains information on server start and stop? A. General query log file B. Binary log C. Slow query log file D. Error log file

Binary log

Which of the following techniques creates a replica of an evidence media? A. Data Deduplication B. Data Extraction C. Backup D. Bit Stream Imaging

Bit Stream Imaging

You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a "simple backup copy" of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a "simple backup copy" will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings? A. Bit-stream copy B. Robust copy C. Full backup copy D. Incremental backup copy

Bit-stream copy

Linux operating system has two types of typical bootloaders namely LILO (Linux Loader) and GRUB (Grand Unified Bootloader). In which stage of the booting process do the bootloaders become active? A. Bootloader Stage B. BIOS Stage C. Kernel Stage D. BootROM Stage

Bootloader Stage

Gary, a computer technician, is facing allegations of abusing children online by befriending them and sending them illicit adult images from his office computer. What type of investigation is this? A. Criminal Investigation B. Administrative Investigation C. Civil Investigation D. Both Criminal and Administrative Investigation

Both criminal and administrative investigation

Which password cracking technique uses every possible combination of character sets? A. Brute force attack B. Dictionary attack C. Rule-based attack D. Rainbow table attack

Brute force attack

A forensic examiner is examining a Windows system seized from a crime scene. During the examination of a suspect file, he discovered that the file is password protected. He tried guessing the password using the suspect's available information but without any success. Which of the following tools can help the investigator to solve this issue? A. Cain & Abel B. Xplico C. Colasoft's Capsa D. Recuva

Cain & Abel

Wireless access control attacks aim to penetrate a network by evading WLAN access control measures such as AP MAC filters and Wi-Fi port access controls. Which of the following wireless access control attacks allows the attacker to set up a rogue access point outside the corporate perimeter and then lure the employees of the organization to connect to it? A. Rogue access points B. Client mis-association C. Ad hoc associations D. MAC spoofing

Client mis-association

Rusty, a computer forensics apprentice, uses the command nbtstat -c while analyzing the network information in a suspect system. What information is he looking for? A. Contents of the network routing table B. Contents of the NetBIOS name cache C. Network connections D. Status of the network carrier

Contents of the NetBIOS name cache

Which of the following are small pieces of data sent from a website and stored on the user's computer by the user's web browser to track, validate, and maintain specific user information? A. Temporary Files B. Web Browser Cache C. Cookies D. Open files

Cookies

During forensics investigations, investigators tend to collect the system time at first and compare it with UTC. What does the abbreviation UTC stand for? A. Coordinated Universal Time B. Universal Computer Time C. Universal Time Coordination D. Universal Time for Computers

Coordinated Universal Time

What does 254 represent in ICCID 89254021520014515744? A. Issuer Identifier Number B. Industry Identifier Prefix C. Individual Account Identification Number D. Country Code

Country Code

Which of the following examinations refers to the process of providing the opposing side in a trial the opportunity to question a witness? A. Witness Examination B. Indirect Examination C. Cross Examination D. Direct Examination

Cross Examination

Event correlation is a procedure that assigns a new meaning to a set of events that occur in a predefined interval of time. Which type of correlation will you use if your organization wants to use different OS and network hardware platforms throughout the network? A. Multiple-platform correlation B. Cross-platform correlation C. Network-platform correlation D. Same-platform correlation

Cross-platform correlation

Which network attack is described by the following statement? "At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries." A. Man-in-the-Middle Attack B. DDoS C. Sniffer Attack D. Buffer Overflow

DDoS

Which of the following is NOT an anti-forensics technique? A. Data Deduplication B. Steganography C. Password Protection D. Encryption

Data Deduplication

Which of the following standards represents a legal precedent set in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses' testimony during federal legal proceedings? A. SWGDE & SWGIT B. Frye C. IOCE D. Daubert

Daubert

Which of the following tools will help the investigator analyze web server logs? A. Towelroot B. LanWhoIs C. Deep Log Analyzer D. XRY LOGICAL

Deep Log Analyzer

Select the tool appropriate for finding the dynamically linked libraries of an application or malware. A. SysAnalyzer B. PEiD C. DependencyWalker D. ResourcesExtract

DependencyWalker

What does the 63.78.199.4(161) denote in a Cisco router log? Mar 14 22:57:53.425 EST: %SEC-6-IPACCESSLOGP: list internet-inbound denied udp 66.56.16.77(1029) -> 63.78.199.4(161), 1 packet A. Destination IP address B. Login IP address C. Source IP address D. None of the above

Destination IP address

Gary is checking for the devices connected to USB ports of a suspect system during an investigation. Select the appropriate tool that will help him document all the connected devices. A. Drivespy B. fsutil C. Devcon D. Reg.exe

Devcon

Company ABC has employed a firewall, IDS, Antivirus, Domain Controller, and SIEM. The company's domain controller goes down. From which system would you begin your investigation? A. Firewall B. IDS C. Domain Controller D. SIEM

Domain Controller

Which among the following search warrants allows the first responder to search and seize the victim's computer components such as hardware, software, storage devices and documentation? A. Service Provider Search Warrant B. Citizen Informant Search Warrant C. John Doe Search Warrant D. Electronic Storage Device Search Warrant

Electronic Storage Device Search Warrant

Adam, a forensic analyst, is preparing VMs for analyzing a malware. Which of the following is NOT a best practice? A. Installing malware analysis tools B. Enabling shared folders C. Using network simulation tools D. Isolating the host device

Enabling shared folders

Which of the following email headers specifies an address for mailer-generated errors, like "no such user" bounce messages, to go to (instead of the sender's address)? A. Content-Type header B. Errors-To header C. Mime-Version header D. Content-Transfer-Encoding header

Errors-To header

An expert witness is an ____________ who is normally appointed by a party to assist the formulation and preparation of a party's claim or defense A. Crime scene spectator B. Ex criminal C. Government officer D. Expert advisor

Expert advisor

Which among the following U.S. laws requires financial institutions—companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance—to protect their customers' information against security threats? A. FISMA B. GLBA C. SOX D. HIPAA

GLBA

Which of the following registry hives gives the configuration information about which application was used to open various files on the system? A. HKEY_USERS B. HKEY_CURRENT_CONFIG C. HKEY_LOCAL_MACHINE D. HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in Windows 7 is: A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\setup D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Pagefile.sys is a virtual memory file used to expand the physical memory of a computer. Select the registry path for the page file: A. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management B. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters C. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\System Management D. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Device Management

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Jacky encrypts her documents using a password. It is known that she uses her daughter's year of birth as part of the password. Which password cracking technique would be optimal to crack her password? A. Brute force attack B. Hybrid attack C. Rule-based attack D. Syllable attack

Hybrid attack

BMP (Bitmap) is a standard file format for computers running the Windows operating system. BMP images can range from black and white (1 bit per pixel) up to 24-bit color (16.7 million colors). Each bitmap file contains a header, the RGBQUAD array, an information header, and image data. Which of the following elements specifies the dimensions, the compression type, and the color format for the bitmap? A. Information header B. The RGBQUAD array C. Header D. Image data

Information Header

As part of extracting the system data, Jenifer has used the netstat command. What does this reveal? A. Status of network hardware B. Net status of computer usage C. Information about network connections D. Information about netbios connections

Information about network connections

Sectors are pie-shaped regions on a hard disk that store data. Which of the following parts of a hard disk does not contribute to determining the addresses of data? A. Interface B. Sectors C. Heads D. Cylinder

Interface

Jason discovered a file named $RIYG6VR.doc in C:\$Recycle.Bin\<USER SID>\ while analyzing a hard disk image for deleted data. What inferences can he make from the file name? A. RIYG6VR.doc is the name of the doc file deleted from the system B. It is a file deleted from the R drive C. It is a deleted doc file D. It is a doc file deleted in seventh sequential order

It is a deleted doc file

Data compression involves encoding the data so that it takes up less storage space and less bandwidth for transmission. It helps in saving cost and supports heavy data manipulation in many business applications. Which data compression technique maintains data integrity? A. Lossy compression B. Lossless compression C. Speech encoding compression D. Lossy video compression

Lossless compression

Which of the following is a record of the characteristics of a file system, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map and usage information, and the size of the block groups? A. Mount Count B. Superblock C. Master Boot Record (MBR) D. Inode table

Master Boot Record (MBR)

Which of the following is a database in which information about every file and directory on an NT File System (NTFS) volume is stored? A. GUID Partition Table B. Master File Table C. Volume Boot Record D. Master Boot Record

Master File Table

Billy, a computer forensics expert, has recovered a large number of DBX files during the forensic investigation of a laptop. Which of the following email clients can he use to analyze the DBX files? A. Microsoft Outlook B. Microsoft Outlook Express C. Mozilla Thunderbird D. Eudora

Microsoft Outlook Express

Which of the following is a list of recently used programs or opened files? A. Most Recently Used (MRU) B. GUID Partition Table (GPT) C. Recently Used Programs (RUP) D. Master File Table (MFT)

Most Recently Used (MRU)

Which of the following is a part of a Solid-State Drive (SSD)? A. Spindle B. Cylinder C. Head D. NAND-based flash memory

NAND-based flash memory

Identify the file system that uses the $BitMap file to keep track of all used and unused clusters on a volume. A. FAT B. NTFS C. FAT32 D. EXT

NTFS

NTFS has less slack space than FAT and thus less potential to hide data in the slack space. This is because: A. NTFS is a journaling file system B. FAT does not index files C. NTFS has lower cluster size space D. FAT is an older and inefficient file system

NTFS has lower cluster size space

Which of the following commands shows you the names of all open shared files on a server and the number of file locks on each file? A. Net sessions B. Net share C. Net file D. Net config

Net file

You have been given the task to investigate web attacks on a Windows-based server. Which of the following commands will you use to look at the sessions the machine has opened with other systems? A. Net config B. Net use C. Net share D. Net sessions

Net sessions

Bob works as an information security analyst for a big finance company. One day, the anomaly-based intrusion detection system alerted that a volumetric DDoS targeting the main IP of the main web server was occurring. What kind of attack is it? A. APT B. Web application attack C. Network attack D. IDS attack

Network attack

Who is responsible for the following tasks? * Secure the scene and ensure that it is maintained in a secure state until the Forensic Team advises * Make notes about the scene that will eventually be handed over to the Forensic Team A. Local managers or other non-forensic staff B. Lawyers C. Non-forensics staff D. System administrators

Non-forensics staff

Which of the following Android libraries are used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen? A. OpenGL/ES and SGL B. WebKit C. Surface Manager D. Media framework

OpenGL/ES and SGL

Which of the following attacks allows an attacker to access restricted directories, including application source code, configuration and critical system files, and to execute commands outside of the web server's root directory? A. Security misconfiguration B. Unvalidated input C. Parameter/form tampering D. Directory traversal

Parameter/form tampering

Lynne receives the following email: Dear [email protected]! We are sorry to inform you that your ID has been temporarily frozen due to incorrect or missing information saved at 2016/11/10 20:40:24 You have 24 hours to fix this problem or risk to be closed permanently! To proceed Please Connect >> My Apple ID Thank You The link to My Apple ID shows http://byggarbetsplatsen.se/backup/signon/ What type of attack is this? A. Email Spoofing B. Mail Bombing C. Email Spamming D. Phishing

Phishing

Which of the following files DOES NOT use Object Linking and Embedding (OLE) technology to embed and link to other objects? A. MS-office Word Document B. MS-office Word PowerPoint C. Portable Document Format D. MS-office Word OneNote

Portable Document Format (PDF)

An executive had leaked the company trade secrets through an external drive. What process should the investigation team take if they could retrieve his system? A. Packet Analysis B. Real-Time Analysis C. Postmortem Analysis D. Malware Analysis

Postmortem Analysis

To which phase of the Computer Forensics Investigation Process does the Planning and Budgeting of a Forensics Lab belong? A. Post-investigation Phase B. Reporting Phase C. Investigation Phase D. Pre-investigation Phase

Pre-investigation Phase

Richard is extracting volatile data from a system and uses the command doskey /history. What is he trying to extract? A. History of the browser B. Passwords used across the system C. Events history D. Previously typed commands

Previously typed commands

Data is striped at a byte level across multiple drives, and parity information is distributed among all member drives. A. RAID Level 0 B. RAID Level 5 C. RAID Level 1 D. RAID Level 3

RAID Level 5

Which tool does the investigator use to extract artifacts left by Google Drive on the system? A. RAM Capturer B. WebBrowserPassView C. Deep Log Analyzer D. VirusTotal

RAM Capturer

Which of the following is an iOS Jailbreaking tool? A. Towelroot B. One Click Root C. Kingo Android ROOT D. Redsn0w

Redsn0w

When a file or folder is deleted, the complete path, including the original file name, is stored in a special hidden file called "INFO2" in the Recycled folder. If the INFO2 file is deleted, it is re-created when you ________. A. Restart Windows B. Run the antivirus tool on the system C. Run the anti-spyware tool on the system D. Kill the running processes in Windows task manager

Restart Windows

Which password cracking technique uses details such as length of password, character sets used to construct the password, etc.? A. Man in the middle attack B. Rule-based attack C. Dictionary attack D. Brute force attack

Rule-based attack

Smith, an employee of a reputed forensic investigation firm, has been hired by a private organization to investigate a laptop that is suspected to be involved in the hacking of the organization's DC server. Smith wants to find all the values typed into the Run box in the Start menu. Which of the following registry keys will Smith check to find the above information? A. MountedDevices key B. TypedURLs key C. RunMRU key D. UserAssist Key

RunMRU key

Which among the following is an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations? A. SOX B. HIPAA C. FISMA D. GLBA

SOX

Which among the following search warrants allows the first responder to get the victim's computer information such as service records, billing records, and subscriber information from the service provider? A. Electronic Storage Device Search Warrant B. Service Provider Search Warrant C. Citizen Informant Search Warrant D. John Doe Search Warrant

Service Provider Search Warrant

Which of the following files contains the traces of the applications installed, run, or uninstalled from a system? A. Prefetch Files B. Virtual files C. Image Files D. Shortcut Files

Shortcut Files

Raw data acquisition format creates _________ of a data set or suspect drive. A. Segmented image files B. Compressed image files C. Simple sequential flat files D. Segmented files

Simple sequential flat files

If the partition size is 4 GB, each cluster will be 32 K. Even if a file needs only 10 K, the entire 32 K will be allocated, resulting in 22 K of ________. A. Deleted space B. Cluster space C. Sector space D. Slack space

Slack space

Which of the following tools is used to locate IP addresses? A. XRY LOGICAL B. SmartWhois C. Towelroot D. Deep Log Analyzer

SmartWhois

Which of the following acts as a network intrusion detection system as well as a network intrusion prevention system? A. Nikto B. Kismet C. Snort D. Acunetix

Snort

Report writing is a crucial stage in the outcome of an investigation. Which information should not be included in the report section? A. Incident summary B. Author of the report C. Speculation or opinion as to the cause of the incident D. Purpose of the report

Speculation or opinion as to the cause of the incident

Which of the following techniques can be used to beat steganography? A. Encryption B. Decryption C. Steganalysis D. Cryptanalysis

Steganalysis

Ivanovich, a forensics investigator, is trying to extract complete information about running processes from a system. Where should he look apart from the RAM and virtual memory? A. Swap space B. Application data C. Files and documents D. Slack space

Swap space

Which of the following files stores information about a local Google Drive installation such as User email ID, Local Sync Root Path, and Client version installed? A. sigstore.db B. filecache.db C. Sync_config.db D. config.db

Sync_config.db

Which of the following files gives information about the client sync sessions in Google Drive on Windows? A. Sync_log.log B. Sync.log C. sync_log.log D. sync.log

Sync_log.log

Which of the following is a command line packet sniffer that runs on Linux and UNIX systems? A. WinDump B. CmosPwd C. TCPDump D. RemPass

TCPDump

Madison is on trial for allegedly breaking into her university's internal network. The police raided her dorm room and seized all of her computer equipment. Madison's lawyer is trying to convince the judge that the seizure was unfounded and baseless. Which US Amendment is Madison's lawyer trying to prove the police violated? A. The 4th Amendment B. The 1st Amendment C. The 5th Amendment D. The 10th Amendment

The 4th Amendment

In Steganalysis, which of the following describes a Known-stego attack? A. During the communication process, active attackers can change cover B. Only the steganography medium is available for analysis C. The hidden message and the corresponding stego-image are known D. Original and stego-object are available and the steganography algorithm is known

The hidden message and the corresponding stego-image are known

When marking evidence that has been collected with the "aaa/ddmmyy/nnnn/zz" format, what does the "nnnn" denote? A. The sequential number of the exhibits seized by the analyst B. The year the evidence was taken C. The sequence number for the parts of the same exhibit D. The initials of the forensics analyst

The sequential number of the exhibits seized by the analyst

A state department site was recently attacked, and all the servers had their hard disks erased. The incident response team sealed the area and commenced investigation. During evidence collection, they came across a USB flash drive that did not have the standard labeling on it. The incident team inserted the flash drive into an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they shortlisted possible suspects including three summer interns. Where did the incident team go wrong? A. Data Deduplication B. Data Extraction C. Backup D. Bit Stream Imaging

They tampered with the evidence by using it

Which of the following statements is incorrect when preserving digital evidence? A. Remove the plug from the power router or modem B. Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals C. Turn on the computer and extract Windows event viewer log files D. Verify if the monitor is on, off, or in sleep mode

Turn on the computer and extract Windows event viewer log files

Which of the following reports are delivered under oath to a board of directors/managers/panel of the jury? A. Verbal Informal Report B. Written Informal Report C. Written Formal Report D. Verbal Formal Report

Verbal Formal Report

The process of restarting a computer that is already turned on through the operating system is called? A. Hot Boot B. Warm boot C. Cold boot D. Ice boot

Warm boot

Smith, a forensic examiner, was analyzing a hard disk image to find and acquire deleted sensitive files. He stumbled upon a $Recycle.Bin folder in the root directory of the disk. Identify the operating system in use. A. Windows 8.1 B. Windows 98 C. Windows XP D. Linux

Windows 8.1

The Apache server saves diagnostic information and error messages that it encounters while processing requests. The default path of this file is /usr/local/apache/logs/error.log in Linux. Identify the Apache error log from the following logs: A. [Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /export/home/live/ap/htdocs/test B. http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1 C. 127.0.0.1 - - [10/Apr/2007:10:39:11 +0300] ] [error] "GET /apache_pb.gif HTTP/1.0" 200 2326 D. 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326

[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /export/home/live/ap/htdocs/test

Which of the following built-in Linux commands can be used by forensic investigators to copy data from a disk drive? A. lprm B. expr C. diff D. dd and dcfldd

dd and dcfldd

Sheila is a forensics trainee and is searching for hidden image files on a hard disk. She used a forensic investigation tool to view the media in hexadecimal code to simplify the search process. Which of the following hex codes should she look for to identify image files? A. ff d8 ff B. 50 4b 03 04 C. 25 50 44 46 D. d0 0f 11 e0

ff d8 ff

Stephen is checking an image using Compare Files by The Wizard, and he sees the file signature is shown as FF D8 FF E1. What is the file type of the image? A. gif B. bmp C. jpeg D. png

jpeg

Which command line tool is used to determine active network connections? A. ARP B. ps C. lsof D. netstat

netstat

Netstat is a tool for collecting information regarding network connections. It provides a simple view of TCP and UDP connections, their state, and network traffic statistics. Which of the following commands shows you the TCP and UDP network connections, listening ports, and the process identifiers? A. netstat -ano B. netstat -r C. netstat -b D. netstat -s

netstat -ano

Which US law does the interstate or international transportation and receiving of child pornography fall under? A. § 18 U.S.C. 252 B. § 18 U.S.C. 2252 C. § 18 U.S.C. 146A D. § 18 U.S.C. 1466A

§ 18 U.S.C. 2252
