601 - 700
Hex encoding
%3cscript%3ealert("XXXXXXXX")%3c/script%3e, a script obtained from an XSS attack, has ___________ encoding employed
file fingerprinting
A forensic investigator suspects that malware is continuously making copies of files and folders on a victim system to consume the available disk space. A _____ test would confirm this claim.
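The "file fingerprinting" test above amounts to hashing every file on the volume and grouping files with identical digests. The script below is an added example (not part of the card set) of that test in Python: it walks a directory tree, streams each file through SHA-256, and reports how many clusters of identical content exist and how many bytes those extra copies consume. The sample tree it builds in a temporary directory is constructed for the demonstration and is not from any real case.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

CHUNK = 1 << 16  # read files in 64 KiB pieces


def sha256_file(path):
    """Fingerprint one file: SHA-256 over its contents, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def fingerprint_tree(root):
    """Map each digest to every path under root that carries that content."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink is not another copy on disk
            groups[sha256_file(path)].append(path)
    return groups


def duplicate_report(root):
    """Return (duplicate_clusters, wasted_bytes) for the tree under root.

    A cluster is one digest seen at two or more paths; wasted bytes counts
    every copy beyond the first, which is the space the suspected malware
    is consuming.
    """
    clusters = 0
    wasted = 0
    for paths in fingerprint_tree(root).values():
        if len(paths) > 1:
            clusters += 1
            wasted += os.path.getsize(paths[0]) * (len(paths) - 1)
    return clusters, wasted


def build_sample_tree():
    """Constructed sample data (not from a real case): one file replicated
    into five folders, plus one unique file."""
    root = tempfile.mkdtemp(prefix="fingerprint_")
    payload = b"quarterly invoice data\n" * 500  # 11500 bytes
    for i in range(5):
        sub = os.path.join(root, f"backup_{i}")
        os.makedirs(sub)
        with open(os.path.join(sub, "invoice.pdf"), "wb") as f:
            f.write(payload)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"unique content\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    clusters, wasted = duplicate_report(sample)
    print(f"{clusters} duplicate cluster(s); {wasted} bytes of repeated content")
```

On the sample tree this reports one cluster (the five identical invoice.pdf copies) and 46000 wasted bytes; on a live image you would point `duplicate_report` at the mounted volume and look for clusters whose count keeps growing between runs.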
PUB.STM
After suspecting a change in the MS Exchange Server storage archive, the investigator analyzed it. _____ is not an actual part of the archive.
cloud as a subject
An attacker has compromised a company's cloud environment and used the employee information to perform an identity theft attack. What type of attack is this?
Electronic Serial Number (ESN)
An investigator has found certain details after analyzing a mobile device. Which of them can reveal the manufacturer information?
no deceptive subject lines be used
The CAN-SPAM Act requires that
unlimited
Capacity of the Recycle Bin on a system running Windows Vista
file header
Check the _______ to verify that a file has the correct extension
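Checking the file header means comparing the first bytes of the file (its magic number) with what the claimed extension implies. The following is an added example in Python, not code from the card set, with a small signature table and a few constructed sample headers (they are not real evidence files); extend `SIGNATURES` with whatever formats your case needs.

```python
SIGNATURES = [
    # (magic bytes, extensions that legitimately carry them)
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"MZ", {"exe", "dll", "sys", "scr", "com"}),
    (b"\x7fELF", {"", "so", "elf"}),
]


def sniff(head):
    """Return the extension set for the first matching signature, or None."""
    for magic, exts in SIGNATURES:
        if head.startswith(magic):
            return exts
    return None


def check_extension(filename, head):
    """Compare a file's claimed extension with what its header says it is.

    Returns 'match', 'mismatch' or 'unknown' (header not in the table).
    Only the first 16 bytes of the file are needed.
    """
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    exts = sniff(head[:16])
    if exts is None:
        return "unknown"
    return "match" if ext in exts else "mismatch"


# Constructed sample headers (not real evidence files).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",  # PE executable named as a PDF
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "readme.txt": b"hello world\n",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:14} {check_extension(name, head)}")
```

A "mismatch" (here, a PE executable carrying a .pdf extension) is the case worth flagging for closer examination; "unknown" only means the header is not in the table, so it should not be read as "clean".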
ESE Database
Contains the Edge browser's browsing records, including history, cache and cookies.
checking for forward slash used in HTML closing tags, its hex or double-encoded hex equivalent
During an investigation of an XSS attack, the investigator comes across the term "[a-Za-z0-9\%]+" in the analyzed evidence. This expression is used for
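The term on this card is one piece of the widely published Snort/SANS-style XSS signature `((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)` (case-insensitive). In that signature the `((\%2F)|\/)*` group is what matches the forward slash of a closing tag, raw or hex-encoded, and `[a-z0-9\%]+` matches the tag name. The block below is an added example, not part of the card set: it rewrites the signature with named groups so each part can be inspected, runs it over the hex-encoded payload from the earlier card, and shows why a percent-decoding pass is needed before the signature can see a double-encoded payload. Both inputs are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Published Snort/SANS-style XSS signature, written with named groups so
# each part can be inspected:
#   ((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)   (case-insensitive)
XSS_TAG = re.compile(
    r"(?P<open>%3C|<)"       # '<' raw or hex-encoded
    r"(?P<slash>%2F|/)*"     # '/' of a closing tag, raw or hex-encoded
    r"(?P<name>[a-z0-9%]+)"  # tag name; '%' lets hex-encoded letters through
    r"(?P<close>%3E|>)",     # '>' raw or hex-encoded
    re.IGNORECASE,
)


def find_tags(text):
    """Every tag-like token the signature matches, as (open, slash, name, close)."""
    return [
        (m.group("open"), m.group("slash") or "", m.group("name"), m.group("close"))
        for m in XSS_TAG.finditer(text)
    ]


def normalize(text, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded payload (%253C -> %3C -> <) is seen in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def detect(text):
    """Apply the signature after normalization; returns the matches found."""
    return find_tags(normalize(text))


# Constructed inputs: the hex-encoded payload from the card, and a
# double-encoded variant that the raw signature alone does not catch.
HEX_PAYLOAD = '%3cscript%3ealert("XXXXXXXX")%3c/script%3e'
DOUBLE_ENCODED = "%253Cscript%253Ealert(1)%253C%252Fscript%253E"

if __name__ == "__main__":
    print("raw signature, hex payload:   ", find_tags(HEX_PAYLOAD))
    print("raw signature, double-encoded:", find_tags(DOUBLE_ENCODED))
    print("after normalize, double-enc.: ", detect(DOUBLE_ENCODED))
```

The raw signature finds both the opening and the closing script tag in the hex-encoded payload but nothing in the double-encoded one, because `%253C` never contains the literal `%3C`; after `normalize` both tags are found. Single-pass decoders in a WAF or log parser miss exactly this case.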
it will always be different.
In which implementation of RAID will the image of a hardware RAID volume be different from the image taken separately from the disks?
model.ldf
Joshua is analyzing an MSSQL database for attack evidence and other details; he should look into ______ for the database logs
Messaging Application Programming Interface (MAPI)
Microsoft Exchange email server uses _____ for collaboration among various email applications
checksum
NTFS sets a flag on a file once you encrypt it and creates an EFS attribute where it stores the Data Decryption Field (DDF) and Data Recovery Field (DRF). ________ is not a part of the DDF.
HKLM
Stores Microsoft security IDs (SIDs)
GUID Partition Table (GPT)
UEFI, a specification that defines a software interface between an OS and platform firmware, stores information about files present on a disk in the
GLBA
US law that requires financial institutions to protect their customers' information against security threats.
list of connections made to other systems
What can be obtained from the NetBIOS name table cache?
Windows 7
Which OS does not use a UEFI-based interface?
/proc
Which directory on a Linux system should investigators examine for current state data if the system is powered on?
NTFS
Which file system uses a MFT database to store information about every file and directory on a volume?
Electronic Storage Device Search Warrant
Allows the first responder to search and seize the victim's computer components such as hardware, software, storage devices and documentation.
Passware Kit Forensic
Application password-cracking tool that can discover all password-protected items on a computer and decrypt them.
configuration information of a specific event log
c:\>wevtutil gl <log name>
.ibl
Centralized binary logging is a process in which many websites write binary, unformatted log data into a single log file. The extension of such a log file is
dir /o:d
Command that displays information about the date and time of installation of the OS along with the service packs, patches and subdirectories
netstat
Command-line tool used to determine active network connections
WIN-CQQMK62867E is the name of the SQL server.
In the command sqlcmd -S WIN-CQQMK62867E -e -s"," -E -, what does WIN-CQQMK62867E denote?
net sessions
Command that shows the username and IP address used to access the system via a remote login session, and the type of client from which they are accessing the system
running processes
Data that virtual memory would store on a Windows-based system
product description
Device descriptor for a 1 GB thumb drive: Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15. "Geek_Squad" represents
capsa
device monitoring tool
volume density
Does not describe the type of data density on a hard disk
Limited admissibility
During the trial, an investigator observes that one of the principal witnesses is severely ill and cannot be present for the hearing. He decides to record the evidence and present it to the court. Under which rule should he present such evidence?
Generic Forensic Zip (gfzip)
File format that allows the user to compress the acquired data while keeping it randomly accessible
ParentIDPrefix
Found within the unique instance ID key; helps investigators map the entry from the USBSTOR key to the MountedDevices key.
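The two USB cards above (the Disk&Ven_&Prod_&Rev_ device descriptor and the unique instance ID subkey beneath it) describe one registry path under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. The parser below is an added example, not code from the card set: it splits that path into vendor, product and revision, pulls the serial number out of the instance ID, and flags the case where the second character of the serial is "&", which means the device reported no serial and Windows generated the ID itself. The instance IDs in the sample keys are made up for the demonstration.

```python
import re

# Layout of a USBSTOR device key under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, as stored in the registry:
#   <class>&Ven_<vendor>&Prod_<product>&Rev_<revision>\<unique instance ID>
USBSTOR_RE = re.compile(
    r"^(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<revision>[^&\\]*)(?:\\(?P<instance>[^\\]+))?$",
    re.IGNORECASE,
)


def parse_usbstor(key):
    """Split a USBSTOR device descriptor (optionally followed by its unique
    instance ID subkey) into its fields.

    The instance ID is the device serial number plus an '&<n>' suffix.
    If the second character of the serial is '&', the device reported no
    serial and Windows generated the ID itself, so it cannot be matched to
    a specific physical unit across machines.
    """
    m = USBSTOR_RE.match(key)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {key!r}")
    fields = m.groupdict()
    instance = fields.pop("instance")
    fields["serial"] = None
    fields["windows_generated_id"] = None
    if instance:
        serial = instance.rsplit("&", 1)[0]  # drop the trailing '&0'
        fields["serial"] = serial
        fields["windows_generated_id"] = len(serial) > 1 and serial[1] == "&"
    return fields


# Constructed keys: the descriptor from the card, with made-up instance IDs.
KEYS = [
    r"Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15",
    r"Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15\0C2051170E5D1F21&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&3a5b2c1d&0",
]

if __name__ == "__main__":
    for key in KEYS:
        print(parse_usbstor(key))
```

The serial recovered here is the value you carry over to the ParentIDPrefix lookup and the MountedDevices key; when `windows_generated_id` is true, a match on that ID only ties the device to this one machine's registry, not to a particular physical drive.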
Cocoa Touch
framework used for application development for iOS based mobile devices.
Cross-platform correlation
Helps an organization correlate events across a set of servers, systems, routers and networks
Tools used to bypass the iPhone passcode
iPhoneBrowser, iFunBox, OpenSSH SSH, iMazing
MFT
Is non-zero data that an application allocates on a hard disk cluster in systems running Windows OS
Windows Password Recovery Bootdisk
Is a tool to reset the Windows admin password
FISMA
Law that emphasizes the need for each federal agency to develop, document and implement an organization-wide program to provide information security for the information systems that support its operations and assets
core OS
Layer of the iOS architecture a forensic investigator evaluates to analyze services such as threading, file access, preferences, networking and high-level features
last -F
Displays the login and logout times and dates of the system
jv16
Malware analysis tool that can be used for registry analysis/monitoring
MRU
Most recent actions performed by a Windows user
F-Response Imager
Is not a data acquisition hardware tool
Slacker
Part of the Metasploit framework that helps users hide data in file slack space: the space of a previously deleted file or the space currently unused by the allocated file
lspi.pl
Perl script that helps get access to the executable image of a process
disk degaussing
Process in which an attacker applies a magnetic field to a digital media device to erase any previously stored data
cross examination
Process of giving the opposing side in a trial the opportunity to question a witness
process monitoring
Process that is part of dynamic malware analysis
MIME
Protocol that allows non-ASCII files such as video, graphics and audio to be sent through email messages
lsmod
Provides details of all the loaded modules on a Linux-based system
avoid detection by security mechanisms
Purpose of an obfuscator in malware
HKEY_CLASSES_ROOT
Registry hive that gives configuration information about which application was used to open various files on the system
sparse or logical acquisition
Retrieving only the data relevant to the investigation
System checkpoints required for restoring
Contents of the rp.log file in Windows 10
a virtual system with network simulation for internet connection
Setup a tester should choose to analyze malware behavior
statement under belief of impending death
Statement that does not belong to the Rule 804 hearsay exceptions (Declarant Unavailable)
artifact wiping
Technique that deletes files permanently
Dependency walker
Tool appropriate for examining the dynamically linked libraries of an application or malware
IDA Pro
Tool that can reverse machine code to assembly language
SmartWhois
Tool used to locate IP addresses
DCT
Used by JPEG for compression
file origin and modification
When a user deletes a file, the system creates a $I file to store its details. What does this file contain?
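The $I file in $Recycle.Bin holds exactly the "origin and modification" details the card refers to: the original full path, the original size and the deletion time as a FILETIME, while the matching $R file holds the content. The parser below is an added example, not code from the card set. It handles both record versions (version 1 with a fixed 520-byte path field on Vista through 8.1, version 2 with a length-prefixed path on Windows 10 and later) and includes a builder so the records it parses are constructed inline; the path, size and timestamp in the sample are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, computed in integers to avoid float loss."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Parse a $I record from $Recycle.Bin.

    Layout: 8-byte version, 8-byte original size, 8-byte deletion FILETIME,
    then the original path: a fixed 520-byte UTF-16LE field in version 1
    (Vista to 8.1), or a 4-byte character count (including the terminating
    null) followed by the UTF-16LE path in version 2 (Windows 10 and later).
    """
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_utc": filetime_to_datetime(ft),
        "original_path": path,
    }


def build_dollar_i(path, size, deleted, version=2):
    """Construct a $I record (test data, not taken from a real system)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    name = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + name.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + name


# Constructed sample values for the demonstration.
SAMPLE_PATH = r"C:\Users\alice\Documents\payroll.xlsx"
SAMPLE_SIZE = 48213
SAMPLE_DELETED = datetime(2023, 5, 17, 14, 3, 22, tzinfo=timezone.utc)

if __name__ == "__main__":
    for version in (1, 2):
        record = build_dollar_i(SAMPLE_PATH, SAMPLE_SIZE, SAMPLE_DELETED, version)
        print(parse_dollar_i(record))
```

On a real image, read each $I<random>.<ext> file from $Recycle.Bin\<user SID>\ with `open(path, "rb").read()` and pass the bytes to `parse_dollar_i`; the timestamp is UTC, so convert it to the machine's time zone before comparing it with event log entries.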
List of services installed
wmic service list brief | more