FOR500 Practice Exam 2
What does KAPE use to find and copy out files from a source location?
File Masks
Which registry hive's structure is shown below? (Question 9)
HKEY_LOCAL_MACHINE
An examiner discovers the file in the image below (Question 15). What is the file and what does it contain?
Web storage file containing preferences
Under which folder in eventvwr.exe on a Win2008 system will WLAN-Autoconfig logs be found?
Applications and services
You are responding to an incident. The suspect was using his Windows desktop computer with Firefox and "Private Browsing" enabled. The attack was interrupted when it was detected, and the browser windows are still open. What can you do to capture the most in-depth data from the suspect's browser session?
Collect the contents of the computer's RAM
What information can be deduced from the following artifact? SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
If an interface GUID was used to connect to the internet over 3G
Where would you expect to find the information in the attached screenshot? (Question 16)
In the Events Logs, under "Application"
What is the only process that will create valid entries in the Windows Security Event Log?
lsass
Which of the following will identify the mount status and version of an NTFS volume on a Windows system?
MFT Record #3
Examine the screenshot below. What type of network is this workstation connected to? (Question 13)
Private/Home wired
How is the user mapped to the contents of the recycle bin?
SID
The SYSTEM/Select registry key contains 0x03 (hex) in the value named Current. What does this indicate? (Question 22)
SYSTEM/ControlSet003 is the current control set registry path
A forensic examiner is tasked with the analysis of a mobile user's laptop. The user was frequently on the road in remote locations where internet access was not available. Which of the following techniques would the examiner use to find emails that were written in Outlook in Windows but not synced with the corporate Exchange server?
Search OST files
An examiner is reviewing the data on a workstation for Firefox artifacts. In addition to the folder C:\Users\<username>\AppData\Local, where should they look for Firefox browser data?
The Roaming folder
Which of the following is a characteristic of the Firefox browser?
The application does not write to the registry of a system
What can be inferred by analyzing the contents of the following folder? (Question 21)
The file "all-databases.txt" was last opened on 12/14/12
Examine the image below (Question 5). What can be determined from the file properties of the file evidence01.pcap?
The file was downloaded from the internet
What information would you expect to get from the Windows 7 file shown in the image below? (Question 7)
The filename and path of a recently opened Notepad file
Which information does the Internet Explorer Download Manager store?
The referring URL
Which artifact is being shown by the examiner in the image below? (Question 14)
The time the device was removed from the workstation