ISA 4350 Exam 3


The Sysinternals Handle utility shows only file system activity, but does not show what processes are using files on the file system T/F

False

The law requires search warrants to contain specific descriptions of what's to be seized. For cloud environments, the property to be seized usually describes physical hardware rather than data, unless the CSP is a suspect. T/F

False

Type 2 hypervisors are typically loaded on servers or workstations with a lot of RAM and storage T/F

False

(True/False) Search and seizure procedures for mobile devices are as important as procedures for computers.

True

(True/False) The use of smart phones for illicit activities is becoming more prevalent.

True

(True/False) While travelling internationally with a GSM phone, you can pop in a SIM card for the country you're currently in, rather than get a new phone.

True

In the United States, the Electronic Communications Privacy Act (ECPA) describes 5 mechanisms the government can use to get electronic information from a provider T/F

True

Specially trained system and network administrators are often a CSP's first responders T/F

True

The DomainKeys Identified Mail service is a way to verify the names of domains a message is flowing through and was developed as a way to cut down on spam T/F

True

The Internet is the successor to the Advanced Research Projects Agency Network (ARPANET) T/F

True

The Pagefile.sys file on a computer can contain message fragments from instant messaging applications T/F

True

The capability of type 1 hypervisors is limited only by the amount of available RAM, storage, and throughput T/F

True

The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network attackers T/F

True

The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version of Ubuntu a. 12.04 b. 13.11 c. 14.04 d. 14.11

a. 12.04

Within NIST guidelines for mobile forensics methods, the ______________ method requires physically removing flash memory chips and gathering information at the binary level. a. Chip-off b. Logical extraction c. Micro read d. Manual extraction

a. Chip-off

What Windows Registry key contains associations for file extensions a. HKEY_CLASSES_ROOT b. HKEY_USERS c. HKEY_LOCAL_MACHINE d. HKEY_CURRENT_CONFIG

a. HKEY_CLASSES_ROOT

The ___ tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffers, and freeware forensics tools a. Kali Linux b. Ubuntu c. OSForensics d. Sleuth Kit

a. Kali Linux

What type of mobile forensics method listed by NIST guidelines involves looking at a device's content page by page and taking pictures? a. Manual extraction b. Chip-off c. Micro read d. Logical extraction

a. Manual extraction

One of the most noteworthy e-mail scams was 419, otherwise known as the ____ a. Nigerian Scam b. Lake Venture Scam c. Conficker virus d. Iloveyou Scam

a. Nigerian Scam

The ________________ technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access (OFDMA) and supports transmission speeds of 12 Mbps a. WiMAX b. CDMA c. UMB d. MIMO

a. WiMAX

A ____ is written by a judge to compel someone to do or not do something, such as a CSP producing user logon activities a. court order b. temporary restraining order c. warrant d. subpoena

a. court order

What method below is not an effective method for isolating a mobile device from receiving signals? a. placing the device into a plastic evidence bag b. placing the device into a paint can, preferably one previously containing radio-wave blocking paint c. placing the device into airplane mode d. turning the device off

a. placing the device into a plastic evidence bag

What information is not typically included in an e-mail header a. the sender's physical location b. the originating IP address c. the unique ID of the e-mail d. the originating domain

a. the sender's physical location

What kind of files are created by Exchange while converting binary data to readable text in order to prevent loss of data a. .txt b. .tmp c. .exe d. .log

b. .tmp

What file type below, associated with VMware, stores VM paging files that are used as RAM for a virtual machine a. .nvram b. .vmen c. .vmpage d. .vmx

b. .vmen

At what offset is a prefetch file's create date & time located a. 0x88 b. 0x80 c. 0x98 d. 0x90

b. 0x80

Which of the following is not a valid source for cloud forensics training a. SANS Cloud Forensics with F-Response b. A+ Security c. INFOSEC Institute d. (ISC)2 Certified Cyber Forensics Professional

b. A+ Security

What service below can be used to map an IP address to a domain name, and then find the domain name's point of contact a. iNet b. ARIN c. Google d. ERIN

b. ARIN

What digital network technology was developed during World War II? a. TDMA b. CDMA c. GSM d. iDEN

b. CDMA

Which e-mail recovery program below can recover files from VMware and VirtualPC virtual machines, as well as ISOs and other types of file backups a. Fookes Aid4mail b. DataNumen Outlook Repair c. EnCase Forensics d. AccessData FTK

b. DataNumen Outlook Repair

Which service below does not put log information into /var/log/maillog a. SMTP b. Exchange c. IMAP d. POP

b. Exchange

The ____ tool can be used to bypass a virtual machine's hypervisor, and can be used with OpenStack a. Openforensics b. FROST c. WinHex d. ARC

b. FROST

What organization is responsible for the creation of the requirements for carriers to be considered 4G? a. IEEE b. ITU-R c. ISO d. TIA

b. ITU-R

The ___________________ technology is designed for GSM and Universal Mobile Telecommunications Systems (UMTS) technology, and supports 45 Mbps to 144 Mbps transmission speeds. a. WiMAX b. LTE c. MIMO d. UMB

b. LTE

The ___ is the version of Pcap available for Linux based operating systems a. Wincap b. Libcap c. Tcpcap d. Netcap

b. Libcap

The tcpdump and Wireshark utilities both use what well known packet capture format a. Netcap b. Pcap c. Packetd d. RAW

b. Pcap

GSM refers to mobile phones as "mobile stations" and divides a station into two parts, the __________ and the mobile equipment (ME). a. antenna b. SIM card c. radio d. transceiver

b. SIM card

In a ___ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established connections a. smurf b. SYN flood c. spoof d. ghost

b. SYN flood

The ___ is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to examine a. Tcpdstat b. Tcpslice c. Ngrep d. tcpdump

b. Tcpslice

In what state is sending unsolicited email illegal a. Florida b. Washington c. Maine d. New York

b. Washington

E-mail administrators may make use of ____, which overwrites a log file when it reaches a specified size or at the end of a specified time frame a. log recycling b. circular logging c. log purging d. log cycling

b. circular logging

At what layers of the OSI model do most packet analyzers function a. layer 1 or 2 b. layer 2 or 3 c. layer 3 or 4 d. layer 4 or 5

b. layer 2 or 3

A ____ is a tool with application programming interfaces (APIs) that allow reconfiguring a cloud on the fly; it's accessed through the application's Web interface a. configuration manager b. management plane c. backdoor d. programming language

b. management plane

The ____ utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook a. fixmail.exe b. scanpst.exe c. repairpst.exe d. rebuildpst.exe

b. scanpst.exe

The Google Drive file ____ contains a detailed list of a user's cloud transactions a. loggedtransactions.log b. sync_log.log c. transact_user.db d. history.db

b. sync_log.log

Where is the snapshot database created by Google Drive located in Windows a. C:/Program Files/Google/Drive b. C:/Users/username/AppData/Local//Google/Drive c. C:/Users/username/Google/Google drive d. C:/Google/drive

b. C:/Users/username/AppData/Local//Google/Drive

In older versions of Exchange, what type of file was responsible for messages formatted with Messaging Application Programming Interface, and served as the database file a. .ost b. .edp c. .edb d. .edi

c. .edb

Where does the Postfix UNIX mail server store e-mail a. /home/username/mail b. /var/mail/postfix c. /var/spool/postfix d. /etc/postfix

c. /var/spool/postfix

In VirtualBox, ___ different types of virtual network adapters are possible, such as AMD and Intel Pro adapters a. 2 b. 4 c. 6 d. 8

c. 6

The ____ is an organization that has developed resource documentation for CSPs and their staff. It provides guidance for privacy agreements, security measures, questionnaires, and more a. OpenStack Framework Alliance b. vCloud Security Advisory Panel c. Cloud Security Alliance d. Cloud Architecture Group

c. Cloud Security Alliance

In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters a. Slow-NetworkAdapters b. Query-ipconfig c. Get-VMNetworkAdapter d. Dump-Betconfig

c. Get-VMNetworkAdapter

Which of the NIST guidelines below requires using a modified boot loader to access RAM for analysis? a. Chip-off b. Manual extraction c. Hex dumping d. Micro read

c. Hex dumping

What standard introduced sleep mode to enhance battery life, and is used with TDMA? a. IS-99 b. IS-140 c. IS-136 d. IS-95

c. IS-136

Most Code Division Multiple Access (CDMA) networks conform to ____________, created by the Telecommunications Industry Association (TIA). a. TS-95 b. 802.11 c. IS-95 d. IS-136

c. IS-95

What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses a. tcpdump b. Argus c. Ngrep d. Tcpslice

c. Ngrep

Where is the OS stored on a smartphone? a. RAM b. Microprocessor c. ROM d. Read/write flash

c. ROM

What cloud application offers a variety of cloud services, including automation and CRM, cloud application development, and Web site marketing a. Amazon EC2 b. IBM Cloud c. Salesforce d. HP Helion

c. Salesforce

What processor instruction set is required in order to utilize virtualization software a. AMD-VT b. Intel VirtualBit c. Virtual Machine Extensions (VMX) d. Virtual Hardware Extensions (VHX)

c. Virtual Machine Extensions (VMX)

Which of the following is NOT a service level for the cloud a. Platform as a service b. Infrastructure as a service c. Virtualization as a service d. Software as a service

c. Virtualization as a service

What cloud service listed below provides a freeware type 1 hypervisor used for public and private clouds a. HP Helion b. Amazon EC2 c. XenServer and XenCenter Windows Management Console d. Cisco Cloud Computing

c. XenServer and XenCenter Windows Management Console

The ____ Dropbox file stores information on shared directories associated with a Dropbox user account and file transfers between Dropbox and the client's system a. read_filejournal b. filetx.log c. filecache.dbx d. filecache.dll

c. filecache.dbx

The Suni Munshani v. Signal Lake Venture Fund II, LP et al case is an example of a case that involves e-mail ____ a. destruction b. spamming c. spoofing d. theft

c. spoofing

Which is not a valid method of deployment for a cloud a. community b. public c. targeted d. private

c. targeted

The ___ disk image file format is associated with the VirtualBox hypervisor a. .vmdk b. .had c. .vhd d. .vdi

d. .vdi

Which option below is the correct path to the sendmail configuration file a. /var/etc/sendmail.cf b. /var/mail/sendmail.cf c. /usr/local/sendmail.cf d. /etc/mail/sendmail.cf

d. /etc/mail/sendmail.cf

On a UNIX system, where is a user's mail stored by default a. /var/mail b. /var/log/mail c. /username/mail d. /home/username/mail

d. /home/username/mail

Syslog is generally configured to put all e-mail related log information into what file a. /usr/log/mail.log b. /var/log/message c. /proc/mail d. /var/log/maillog

d. /var/log/maillog

In a prefetch file, the application's last access date and time are at offset ____ a. 0x80 b. 0x88 c. 0xD4 d. 0x90

d. 0x90

What frequencies can be used by GSM with the TDMA technique a. 1200 to 1500 MHz b. 2.4 GHz to 5.0 GHz c. 600 to 1000 MHz d. 800 to 1000 MHz

d. 800 to 1000 MHz

The _______________ component is made up of radio transceiver equipment that defines cells and communicates with mobile phones; sometimes referred to as a "cell phone tower". a. Base station controller (BSC) b. Mobile switching center (MSC) c. Base transceiver controller (BTC) d. Base transceiver station (BTS)

d. Base transceiver station (BTS)

Select the folder below that is most likely to contain Dropbox files for a specific user a. C:/User/username/AppData/Dropbox b. C:/Dropbox c. C:/Users/Dropbox d. C:/Users/username/Dropbox

d. C:/Users/username/Dropbox

What digital network technology is a digital version of the original analog standard for cell phones? a. GSM b. CDMA c. iDEN d. D-AMPS

d. D-AMPS

Select the program below that can be used to analyze mail from Outlook, Thunderbird, and Eudora a. AccessData FTK b. DataNumen c. R-Tools R-Mail d. Fookes Aid4Mail

d. Fookes Aid4Mail

In order to retrieve logs from Exchange, the PowerShell cmdlet ____ can be used a. GetExchangeLogs.psl b. GetLogInfo.psl c. ShowExchangeHistory.psl d. GetTransactionLogStats.psl

d. GetTransactionLogStats.psl

Select below the option that is not a typical feature of smartphones on the market today: a. Microprocessor b. Flash c. ROM d. Hard drive

d. Hard drive

Metadata in a prefetch file contains an application's ____ times in UTC format and a counter of how many times the application has run since the prefetch file was created a. startup / access b. log event c. ACL d. MAC

d. MAC

The NSA's defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the three modes a. People b. Technology c. Operations d. Management

d. Management

Exchange uses an Exchange database and is based on the ____, which uses several files in different combinations to provide e-mail service a. Microsoft Mail Storage Engine (MSE) b. Microsoft Stored Mail Extension (SME) c. Microsoft Extended Mail Storage (EMS) d. Microsoft Extensible Storage Engine (ESE)

d. Microsoft Extensible Storage Engine (ESE)

Which component of cell communication is used to route digital packets for the network and relies on a database to support subscribers? a. Base station controller (BSC) b. Base transceiver station (BTS) c. Base transceiver controller (BTC) d. Mobile switching center (MSC)

d. Mobile switching center (MSC)

Select below the option that is not a common type 1 hypervisor a. VMware vSphere b. Microsoft Hyper-V c. Citrix XenServer d. Oracle VirtualBox

d. Oracle VirtualBox

Nonvolatile memory on a mobile device can contain OS files and stored user data, such as a __________________ and backed-up files. a. Professional Data Holder b. Personal Assistant Organizer c. Personal Data Manager d. Personal Information Manager

d. Personal Information Manager

Select below the program within the PsTools suite that allows you to run processes remotely a. PsService b. PsPasswd c. PsRemote d. PsExec

d. PsExec

Which of the following is not a type of peripheral memory card used in PDAs? a. Secure Digital (SD) b. Compact Flash (CF) c. Multimedia Card (MMC) d. RamBus (RB)

d. RamBus (RB)

What virtual machine software supports all Windows and Linux OSs as well as Macintosh and Solaris, and is provided as shareware? a. KVM b. Parallels c. Microsoft Virtual PC d. VirtualBox

d. VirtualBox

What information below is not something recorded in Google Drive's snapshot.db file a. modified and created times b. URL pathnames c. file access records d. file SHA values and sizes

d. file SHA values and sizes

What command below could be used on a UNIX system to help locate log directories a. show log b. detail c. search d. find

d. find

On what mobile device platform does Facebook use a SQLite database containing friends, their ID numbers, and phone numbers as well as files that tracked all uploads, including pictures? a. Android b. Blackberry c. Windows RT d. iPhone

d. iPhone

Select the file below that is used in VirtualBox to create a virtual machine a. .vdi b. .vbox c. .r0 d. ova

d. ova

To reduce the time it takes to start applications, Microsoft has created ____ files, which contain the DLL pathnames and metadata used by application a. temp b. cache c. config d. prefetch

d. prefetch

Which of the following is not one of the five mechanisms the government can use to get electronic information from a provider a. search warrants b. subpoenas c. court orders d. seizure order

d. seizure order

With cloud systems running in a virtual environment, ____ can give you valuable information before, during, and after an incident a. carving b. live acquisition c. RAM d. snapshot

d. snapshot

The ___ command line program is a common way of examining network traffic; it provides records of network activity while it is running, and can produce hundreds of thousands of records a. netstat b. ls c. ifconfig d. tcpdump

d. tcpdump

What type of Facebook profile is usually only given to law enforcement with a warrant a. private profile b. advanced profile c. basic profile d. Neoprint profile

d. Neoprint profile

(True/False) Because mobile phones are seized at the time of arrest, a search warrant is not necessary to examine the device for information.

False

(True/False) Most Code Division Multiple Access networks conform to IS-95. The systems are referred to as CDMAOne, and when they went to 3G service, they became CDMAThree

False

A search warrant can be used in any kind of case, either civil or criminal T/F

False

An Internet e-mail is generally part of a local network, and is maintained and managed by an administrator for internal use by a specific company T/F

False

Committing crimes with e-mail is uncommon, and investigators are not generally tasked with linking suspects to e-mail T/F

False

Forensics tools can't directly mount VMs as external drives T/F

False

In an e-mail address, everything before the @ symbol represents the domain name T/F

False
