C702 - CHFI
What file format is used by Windows Vista and later versions to store event logs as simple text files in XML format? A. .log B. .txt C. EVTX D. TXTX
C. EVTX Ref: Module 11, page 1069
Which event correlation step compiles repeated events into a single event and avoids the duplication of the same event? A. Event filtering B. Root cause analysis C. Event aggregation D. Event masking
C. Event aggregation Ref: Module 8, page 827
Which connections help determine the physical location of a smartwatch? A. NFC connections B. GPS C. GPS connections D. Bluetooth
C. GPS connections Ref: Module 16, page 1599
Which process does not erase the data present on a disk but wipes its address tables and unlinks all the files in the file system? A. Formatting of a hard drive B. File wiping C. Metadata overwriting D. Disk degaussing
A. Formatting of a hard drive Ref: Module 5, pages 526-527
What is a cloud environment composed of two or more clouds that remain unique entities but are bound together to offer the benefits of multiple deployment models? A. Hybrid cloud B. Community cloud C. Public cloud D. Private cloud
A. Hybrid cloud Ref: Module 12, page 1125
By default, Windows XP and later create hidden administrative shares on a system. A. False B. True
A. False Ref: Module 6, page 620
In the GUID Partition Table, which Logical Block Address contains the Partition Entry Array? A. LBA 1 B. LBA 2 C. LBA 3 D. LBA 0
B. LBA 2 Ref: Module 3, page 235
In which of the following methods do attackers modify the file extension of malicious program files so that such files can go undetected on a system and steal sensitive user data? A. File extension mismatch B. Hiding data in file system structures C. Trail obfuscation D. Steganography
A. File extension mismatch Ref: Module 5, page 508
What is not an impact of cybercrime? A. Huge financial gain B. Loss of customer and stakeholder trust C. Substantial reputational damage D. Theft of sensitive data
A. Huge financial gain Ref: Module 1, page 28
Which directory has the printer log files for macOS? A. /var/log/cups B. /var/printer/log C. /var/log/printer D. /var/log
A. /var/log/cups Ref: Module 7, page 784
Which of the following is a user-created source of potential evidence? A. Address book B. Cookies C. Printer spool D. Log files
A. Address book Ref: Module 1, page 39
Which IDS method detects when an event occurs outside the tolerance threshold of normal traffic? A. Anomaly detection B. Signature-based intrusion detection C. Session recognition D. Protocol anomaly detection
A. Anomaly detection Ref: Module 9, page 961
Which layer of the TCP/IP Model do the application layer, presentation layer, and session layer of the OSI model together form? A. Application layer B. Network access layer C. Transport layer D. Internet layer
A. Application layer Ref: Module 8, page 805
Which is not a method of bypassing/resetting a BIOS password? A. Booting into Master Boot Bypass Mode B. Using a manufacturer's backdoor password to access the BIOS C. Removing the CMOS battery for at least 10 minutes D. Resetting the CMOS using jumpers or solder beads
A. Booting into Master Boot Bypass Mode Ref: Module 5, page 495
What stage of the Linux boot process includes the task of loading the Linux kernel and optional initial RAM disk? A. Bootloader Stage B. BIOS Stage C. POST Stage D. Kernel Stage
A. Bootloader Stage Ref: Module 3, pages 253-254
What is not an IoT architecture layer? A. Bridge layer B. Internet layer C. Access gateway layer D. Edge technology layer
A. Bridge layer Ref: Module 16, page 1562
Which web application threat occurs when the application fails to guard memory properly and allows writing beyond maximum size? A. Buffer overflow B. SQL injection C. Cookie poisoning D. Information leakage
A. Buffer overflow Ref: Module 9, page 930
Which of the following is an example of optical media? A. CD/DVD B. Hard drive C. Flash media D. USB device
A. CD/DVD Ref: Module 3, page 317
In Windows Event Log, what does the account management category of events record? A. Changes to accounts and group membership B. Any changes to the Windows registry C. Events set by the security policy D. Log-ins to the system based on the audit policy
A. Changes to accounts and group membership Ref: Module 6, page 697
What is the first thing to do once the sender's email address has been identified during an email investigation? A. Check whether it is valid. B. Use a scanning tool for information about email address, including the mail exchange records. C. Check the date and time. D. Delete the email.
A. Check whether it is valid. Ref: Module 13, page 1280
When a forensic investigator finds it difficult to perform data acquisition from the device at the software level, they use hardware-level acquisition methods to acquire raw data stored on a memory chip. Which method involves removing the memory chip from the device's motherboard and performing physical data acquisition to create image files of the device's memory, and is considered a destructive method because data may be lost and the removed memory chip cannot be fixed back for reuse? A. Chip-off B. Memdump C. MemChip D. JTAG
A. Chip-off Ref: Module 16, page 1615
Which type of cases involve disputes between two parties? A. Civil B. Administrative C. Investigative D. Criminal
A. Civil Ref: Module 1, page 31
Which of the following is true regarding computer forensics? A. Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them. B. Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and avoid legal action against them. C. Computer forensics deals with the process of finding evidence related to a crime to find the culprits and initiate legal action against them. D. Computer forensics deals with the process of finding evidence related to a digital crime to find the victims and prevent legal action against them.
A. Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them. Ref: Module 1, page 19
Which is a threat to web applications? A. Cookie poisoning B. Secure storage C. Validated input D. Error handling
A. Cookie poisoning Ref: Module 9, pages 929-930
Which web application threat occurs when attackers bypass the client's ID security mechanisms, gain access privileges, and inject malicious scripts into specific fields in web pages? A. Cross-site scripting B. Buffer overflow C. Cookie poisoning D. SQL injection
A. Cross-site scripting Ref: Module 9, page 929
Parsing Spotlight's central repository is of great forensic value. Which details can it not provide? A. Deleted file information B. Associated metadata C. MAC times D. Recently opened files
A. Deleted file information Ref: Module 7, page 787
Which is not a technique used by attackers to minimize footprinting? A. Deleting cookies B. Run OSes from Live CDs/DVDs/USB C. Use virtual machines D. Use of fake or stolen identities
A. Deleting cookies Ref: Module 5, page 536
Which of the following basic partitioning tools displays details about GPT partition tables in Windows OS? A. DiskPart B. Gparted C. Fdisk D. Disk Utility
A. DiskPart Ref: Module 3, page 248
Which of the following is not an objective of computer forensics? A. Document vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack. B. Interpret, document, and present the evidence to be admissible during prosecution. C. Track and prosecute the perpetrators in a court of law. D. Identify, gather, and preserve the evidence of a cybercrime.
A. Document vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack. Ref: Module 1, page 19
What is a common technique used to distribute malware on the web when an attacker exploits flaws in browser software to install malware just by merely visiting a website? A. Drive-by downloads B. Click-jacking C. Blackhat SEO D. Malvertising
A. Drive-by downloads Ref: Module 14, pages 1307-1308
Where are deleted items stored on the Windows 2000, XP, and NT versions of Windows? A. Drive:\RECYCLER B. Drive:\RECYCLED C. Drive:\$Recycle.Bin D. Drive:\Recycle.Bin$
A. Drive:\RECYCLER Ref: Module 5, page 446
What type of malware analysis involves the execution of malware to examine its conduct and impact on system resources and network? A. Dynamic analysis B. Static analysis C. Compressed analysis D. Sandbox analysis
A. Dynamic analysis Ref: Module 14, page 1323
Which is a type of network-based attack? A. Eavesdropping B. Phishing C. Spamming D. Social engineering
A. Eavesdropping Ref: Module 8, page 799
Which of the following should be work area considerations for forensics labs? A. Emergency power and protection for all equipment. B. Additional equipment such as notepads, printers, etc. should be stored elsewhere. C. Physical computer examinations should take place in a separate workspace. D. Multiple examiners should share workspace for efficiency.
A. Emergency power and protection for all equipment. Ref: Module 2, page 119
________ is the standard investigative model used by the FBI when conducting investigations against major criminal organizations. A. Enterprise Theory of Investigation (ETI) B. Entrepreneur Theory of Investigation C. Both Enterprise Theory of Investigation (ETI) and Entrepreneur Theory of Investigation
A. Enterprise Theory of Investigation (ETI) Ref: Module 1, page 34
Which relay provides an entry point to the Tor network? A. Entry/guard relay B. Middle relay C. Exit relay D. Start relay
A. Entry/guard relay Ref: Module 10, page 1026
Which technique is used to assign a new meaning for relating a set of events that occur in a fixed amount of time where few important events are identified among a large number of events? A. Event correlation B. Event masking C. Event filtering D. Root cause analysis
A. Event correlation Ref: Module 8, page 827
Which of the following is not part of the Computer Forensics Investigation Methodology? A. Evidence Destruction B. Evidence Preservation C. Data Analysis D. Search and Seizure
A. Evidence Destruction Ref: Module 2, page 135
First responders can collect or recover data from any computer system or device that holds electronic information. A. False B. True
A. False Ref: Module 2, page 129
Investigators can immediately take action after receiving a report of a security incident. A. False B. True
A. False Ref: Module 2, page 132
What is the master database file that is crucial for the recovery of data and contains various details of deleted files such as their original file name, original file size, date and time of deletion, unique identifying number, and the drive number in which the file was stored? A. INFO2 B. Recycle Bin C. Recycler D. INF0Z
A. INFO2 Ref: Module 5, pages 446-447
What is not one of the measures a system or network administrator should take when responding to an incident? A. Immediately power down the computer if an ongoing attack is detected. B. Document every detail relevant to the incident. C. Transfer copies of system logs onto a clean media. D. Record what is on the screen if the computer is switched on.
A. Immediately power down the computer if an ongoing attack is detected. Ref: Module 2, page 131
Which web application threat arises when a web application is unable to handle technical issues properly and the website returns information, such as database dumps, stack traces, and codes? A. Improper error handling B. SQL injection C. Cookie poisoning D. Buffer overflow
A. Improper error handling Ref: Module 9, page 931
Which web application threat refers to a drawback in a web application where it unintentionally reveals sensitive data to an unauthorized user? A. Information leakage B. SQL injection C. Buffer overflow D. Cookie poisoning
A. Information leakage Ref: Module 9, page 931
Espionage, theft of intellectual property, manipulation of records, and Trojan horse attacks are examples of what? A. Insider attacks or primary threats B. Outsider attacks or secondary threats C. Outsider attacks or primary threats D. Insider attacks or secondary threats
A. Insider attacks or primary threats Ref: Module 1, page 26
Which possible location in a mobile phone where investigators can find evidence includes the flash memory? A. Internal Memory B. External Memory C. SIM Card Memory D. Cloud Storage
A. Internal Memory Ref: Module 15, page 1471
Which is one of the crucial layers within the IoT architecture, as it serves as the main component in communicating between two end points and may also involve backend data sharing? A. Internet layer B. Edge technology layer C. Access gateway layer D. Middleware layer
A. Internet layer Ref: Module 16, page 1562
What is JPEG an acronym of? A. Joint Photographic Experts Group B. Joint Picture Exchange Group C. Joint Picture Experts Group D. Joint Photographic Exchange Group
A. Joint Photographic Experts Group Ref: Module 3, page 348
What operating system was Android based on? A. Linux B. Mac C. Windows D. iOS
A. Linux Ref: Module 15, page 1471
Forensic investigators should use the "netstat -rn" command to view routing table information. In this command, what does the "-n" flag provide? A. Lists numerical addresses B. Lists routing tables C. Lists open ports D. Lists what is connected
A. Lists numerical addresses Ref: Module 7, page 730
Which is one of the most critical layers in the two-way mode and sits in the middle of the application layer and the hardware layer, responsible for data management, device management, data analysis, data aggregation, data filtering, device information discovery, and access control? A. Middleware layer B. Access gateway layer C. Application layer D. Internet layer
A. Middleware layer Ref: Module 16, page 1563
Which command is used to determine open files? A. Net file B. Openfile C. Open files D. PsFiles
A. Net file Ref: Module 6, page 553
Which of the following is not a command used to determine running processes in Windows? A. Netstat B. Listdlls C. Tasklist D. Pslist
A. Netstat Ref: Module 6, pages 559-565
What describes the implementation of sniffing, capturing, and analyzing network traffic and event logs to investigate a network security incident? A. Network forensics B. Vulnerability scanning C. Data acquisition D. Indicators of compromise (IOC)
A. Network forensics Ref: Module 8, page 796
Which component of the NTFS architecture is a computer system file driver for NTFS? A. Ntfs.sys B. Boot sector C. Master Boot Record D. Ntldlr.dll
A. Ntfs.sys Ref: Module 3, page 266
What is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards? A. PCI DSS B. GLBA C. SOX D. FISMA
A. PCI DSS Ref: Module 1, page 96
What cloud service offers a platform for developing applications and services? A. PaaS B. AaaS C. IaaS D. SaaS
A. PaaS Ref: Module 12, page 1122
When obtaining evidence, what action should a forensic investigator take if a computer is switched on and the screen is viewable? A. Photograph the screen. B. Unplug the cable from the wall. C. Remove the battery. D. Move the mouse slowly.
A. Photograph the screen. Ref: Module 2, page 154
In what type of forensic examination do investigators perform an examination of logs to detect something that has already occurred in a network/device and determine what it is? A. Postmortem B. Log file C. Systems D. Real-time
A. Postmortem Ref: Module 8, page 798
Which file storing data and logs in SQL servers is the starting point of a database and points to other files in the database? A. Primary data file (MDF) B. Transaction log data file (LDF) C. SQL data file (PDF) D. Secondary data file (NDF)
A. Primary data file (MDF) Ref: Module 11, page 1051
Which identifies flaws in how vendors deploy the TCP/IP protocols? A. Protocol anomaly detection B. Session recognition C. Anomaly detection D. Signature-based intrusion detection
A. Protocol anomaly detection Ref: Module 9, pages 960-961
Which is a violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act? A. Retransmitting spam messages through a computer to mislead others about the origin of the message B. Taking advantage of open relays or open proxies with permission C. Accessing someone else's computer to send spam mails with permission D. Using legitimate information to register for multiple email accounts or domain names
A. Retransmitting spam messages through a computer to mislead others about the origin of the message Ref: Module 13, page 1295
Which of the following Federal Rules of Evidence contains Rulings on Evidence? A. Rule 103 B. Rule 102 C. Rule 101 D. Rule 105
A. Rule 103 Ref: Module 1, page 46
Which of the following Federal Rules of Evidence states that the court shall restrict the evidence to its proper scope and instruct the jury accordingly? A. Rule 105 B. Rule 102 C. Rule 103 D. Rule 101
A. Rule 105 Ref: Module 1, page 47
Hash value calculations generate a unique numerical value for files, which is often considered a digital footprint that represents the uniqueness of a file or disk drive. What is not a hashing algorithm? A. SHA-56 B. SHA-1 C. MD5 D. CRC-32
A. SHA-56 Ref: Module 4, page 417
What is the act passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations? A. SOX B. PCI DSS C. GLBA D. FISMA
A. SOX Ref: Module 1, pages 96-97
Which type of tool addresses the concern of managing increasing volumes of log data from multiple sources over a centralized platform to mitigate the chances of cyberattacks with real-time incident monitoring analysis? A. Security information and event management (SIEM) B. Honeypot C. Antivirus D. Intrusion detection system (IDS)
A. Security information and event management (SIEM) Ref: Module 8, page 888
Which is not a method an IDS uses to detect intrusions in a network? A. Session recognition B. Signature-based intrusion detection C. Protocol anomaly detection D. Anomaly detection
A. Session recognition Ref: Module 9, pages 960-961
In which attack can attackers use multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks? A. Sybil Attack B. Side Channel Attack C. Remote access using backdoor D. Jamming Attack
A. Sybil Attack Ref: Module 16, page 1582
In Windows Event Log File Internals, the following file is used to store the Databases related to the system: A. System.evtx B. Security.evtx C. Database.evtx D. Application.evtx
A. System.evtx Ref: Module 6, page 706
Which application framework block controls/manages the calls made from the device? A. Telephony Manager B. Resource Manager C. Activity Manager D. Content Provider
A. Telephony Manager Ref: Module 15, page 1453
Which tool recovers lost data from hard drives, RAID, photographs, deleted files, iPods, and removable disks connected via FireWire or USB? A. Total Recall B. DiskDigger C. EaseUS D. Recover My Files
A. Total Recall Ref: Module 5, page 457
Which of the three different files storing data and logs in SQL servers holds the entire log information associated with the database? A. Transaction log data file (LDF) B. Primary data file (MDF) C. SQL data file (PDF) D. Secondary data file (NDF)
A. Transaction log data file (LDF) Ref: Module 11, page 1051
Minimizing the tangible and intangible losses to the organization or an individual is considered an essential computer forensics use. A. True B. False
A. True Ref: Module 1, page 19
Forensic readiness includes technical and non-technical actions that maximize an organization's competence to use digital evidence. A. True B. False
A. True Ref: Module 1, page 64
Written consent from the authority is sufficient to commence search and seizure activity. A. True B. False
A. True Ref: Module 2, page 140
A chain of custody is a critical document in the computer forensics investigation process because the document provides legal validation of appropriate evidence handling. A. True B. False
A. True Ref: Module 2, page 164
Because it is always changing, the information in the registers or the processor cache is the most volatile data. A. True B. False
A. True Ref: Module 4, page 366
Investigators can copy smaller redundant array of independent disks (RAID) systems into a single large disk if large storage disks are available and can be used immediately. A. True B. False
A. True Ref: Module 4, page 415
Intruders attempting to gain remote access to a system try to find the other systems connected to the network and visible to the compromised system. A. True B. False
A. True Ref: Module 6, page 555
Which is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples? A. Volatility Framework B. Volatile Framework C. Volatile Extractor D. Volatility Extractor
A. Volatility Framework Ref: Module 6, page 602
Which of the following describes when the user restarts the system via the operating system? A. Warm booting B. Hot booting C. Cold booting D. Hard booting
A. Warm booting Ref: Module 3, page 238
Where are deleted items stored on Windows Vista and later versions of Windows? A. Drive:\Recycle.Bin$ B. Drive:\RECYCLED C. Drive:\$Recycle.Bin D. Drive:\RECYCLER
C. Drive:\$Recycle.Bin Ref: Module 5, page 446
Which Windows operating system powers on and starts up using either the traditional BIOS-MBR method or the newer UEFI-GPT method? A. Windows 8 B. Windows 7 C. Windows Vista D. Windows XP
A. Windows 8 Ref: Module 3, page 240
Investigators can use Linux commands to gather necessary information from the system. Identify the shell command that is used to display the kernel ring buffer or information about device drivers loaded into the kernel. A. dmesg B. pstree C. Fsck D. Stat
A. dmesg Ref: Module 7, page 745
What is not a date- and time-related command in Linux? A. hostname B. timezone C. uptime D. date
A. hostname Ref: Module 7, pages 723-726
The process of acquiring volatile data from working computers (locked or in sleep condition) that are already powered on is ________. A. live data acquisition B. static data acquisition C. standard data acquisition D. imaging data acquisition
A. live data acquisition Ref: Module 4, page 363
For forensic analysis, which of the following MySQL utility programs is used to export metadata, data, or both from one or more databases? A. mysqldbexport B. mysqldatabase C. mysqldbmeta D. mysqldbdata
A. mysqldbexport Ref: Module 11, page 1097
Which command will allow investigators to test for the active network connections on the machine and be able to identify whether Tor was used on that machine? A. netstat -ano B. nbtstat -a C. netstat -e D. nbtstat -ano
A. netstat -ano Ref: Module 10, page 1032
What is considered the biggest threat to mobile devices? A. Mobile malware B. Data loss C. Social engineering attack D. Data integrity threat
B. Data loss Ref: Module 15, page 144
In which location are IIS log files stored by default? A. %SystemDrive%\inetpub\LogFiles B. %SystemDrive%\inetpub\logs\LogFiles C. %SystemDrive%\PerfLogs\LogFiles D. %SystemDrive%\PerfLogs\Logs\LogFiles
B. %SystemDrive%\inetpub\logs\LogFiles Ref: Module 9, page 940
Identify which code can be used to obtain the International Mobile Equipment Identifier (IMEI) number on a mobile phone. A. *06# B. *#06# C. #*06# D. #**06**
B. *#06# Ref: Module 15, page 1490
On a Windows machine, the Tor browser uses which port for establishing connections via Tor nodes? A. 9115/9116 B. 9150/9151 C. 1050/1051 D. 9155/9152
B. 9150/9151 Ref: Module 10, page 1032
Who is a legitimate issuer of a search warrant? A. A forensic examiner B. A judge C. A police officer D. A first responder
B. A judge Ref: Module 2, page 145
What is a machine-readable language used in major digital operations, such as sending and receiving emails? A. .NET B. ASCII C. JAVA D. XML
B. ASCII Ref: Module 3, page 342
Which tool scans an entire system for deleted files and folders and recovers them, providing two types of scans: a quick scan and a deep scan? A. EaseUS B. Advanced Disk Recovery C. DiskDigger D. Recover My Files
B. Advanced Disk Recovery Ref: Module 5, page 457
What is a set of techniques that attackers use in order to avert the forensics investigation process and negatively affect the quantity and quality of evidence? A. Discoveries B. Anti-forensics C. Forensics D. Investigations
B. Anti-forensics Ref: Module 5, pages 438-439
What is a common technique used to distribute malware on the web with tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated keywords to get higher search-engine ranking for malware pages? A. Click-jacking B. Blackhat SEO C. Drive-by downloads D. Malvertising
B. Blackhat SEO Ref: Module 14, page 1307
In which attack can attackers connect to nearby devices and exploit the Bluetooth protocol vulnerabilities to compromise the device? A. Sybil Attack B. BlueBorne Attack C. Rolling code Attack D. Jamming Attack
B. BlueBorne Attack Ref: Module 16, page 1581
What prefetch setting does value 3 of the registry entry EnablePrefetcher tell the system to use? A. Application prefetching is enabled. B. Both application and boot prefetching are enabled. C. Boot prefetching is enabled. D. Prefetching is disabled.
B. Both application and boot prefetching are enabled. Ref: Module 6, page 663
Which password-cracking technique requires more processing power compared to other attacks? A. Hash attack B. Brute-forcing attack C. Dictionary attacks D. Rule-based attack
B. Brute-forcing attack Ref: Module 5, page 481
In Windows, what is the default location of the spool folder? A. C:\Windows\System32\spool B. C:\Windows\Systems32\spool\PRINTERS C. C:\Windows\spool\PRINTERS D. C:\Windows
B. C:\Windows\Systems32\spool\PRINTERS Ref: Module 6, page 571
Which cloud environment is a multi-tenant infrastructure shared among organizations with common computing concerns, such as security, regulatory compliance, performance requirements, and jurisdiction? A. Hybrid cloud B. Community cloud C. Public cloud D. Private cloud
B. Community cloud Ref: Module 12, page 1124
Which of the following answers refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment in such a manner that the discovered evidence is acceptable during a legal and/or administrative proceeding in a court of law? A. Disaster recovery B. Computer forensics C. Incident handling D. Network analysis
B. Computer forensics Ref: Module 1, page 19
Which type of event correlation method is used when different operating systems (OS) and network hardware platforms are used in the network of an organization? A. Bayesian correlation B. Cross-platform correlation C. Normalization D. Same-platform correlation
B. Cross-platform correlation Ref: Module 8, page 829
Which web application threat occurs when an authenticated user is forced to perform certain tasks on the web application chosen by an attacker? A. Buffer overflow B. Cross-site request forgery C. Cookie poisoning D. SQL injection
B. Cross-site request forgery Ref: Module 9, page 930
Which provides anonymity to its users through encryption and is not indexed by search engines? A. Deep web B. Dark web C. Middle web D. Surface web
B. Dark web Ref: Module 10, page 1025
Which tool undeletes and recovers lost files from hard drives, memory cards, and USB flash drives? A. Drive Genius B. DiskDigger C. Quick Recovery D. EaseUS
B. DiskDigger Ref: Module 5, page 456
Where are deleted items stored on Windows 98 and earlier versions of Windows? A. Drive:\Recycle.Bin$ B. Drive:\RECYCLED C. Drive:\$Recycle.Bin D. Drive:\RECYCLER
B. Drive:\RECYCLED Ref: Module 5, page 446
What tool is used for format recovery, unformatting and recovering deleted files emptied from the Recycle Bin, or data lost due to partition loss or damage, software crash, virus infection, or unexpected shutdown and supports hardware RAID? A. FileSalvage B. EaseUS C. Quick Recovery D. DiskDigger
B. EaseUS Ref: Module 5, pages 455-456
In which attack is a malicious script used to exploit poorly patched vulnerabilities in an IoT device? A. Replay Attack B. Exploit Kits C. Remote access using backdoor D. Jamming Attack
B. Exploit Kits Ref: Module 16, pages 1581-1582
Which file system used in Linux was developed by Stephen Tweedie in 2001 as a journaling file system that improves reliability of the system? A. Ext B. Ext3 C. Ext2 D. Ext4
B. Ext3 Ref: Module 3, page 292
Which logical drive holds the information regarding the data and files that are stored in the disk? A. Tertiary partition B. Extended partition C. Primary partition D. Secondary partition
B. Extended partition Ref: Module 3, page 230
The command "fsstat" displays the details associated with an image file. A. True B. False
B. False (fsstat displays details associated with a file system) Ref: Module 3, page 321
A computer forensic examiner can investigate any crime as long as he or she takes detailed notes and follows the appropriate processes. A. True B. False
B. False Ref: Module 1, page 83
The nmap command can only be used to identify TCP port connections. A. True B. False
B. False Ref: Module 7, page 731
The state of nonvolatile data changes when a machine is turned off. A. True B. False
B. False Ref: Module 7, page 746
The macOS is one of the most widely adopted systems worldwide, and with the increase in its usage, the number of cyberattacks it faces has decreased significantly. A. True B. False
B. False Ref: Module 7, page 779
________ is a 128-bit unique reference number used as an identifier in computer software. A. BIOS Parameter Block (BPB) B. Global Unique Identifier (GUID) C. Unified Extensible Firmware Interface (UEFI) D. Master Boot Record (MBR)
B. Global Unique Identifier (GUID) Ref: Module 3, page 232
Which of the following includes security standards for health information? A. FISMA B. HIPAA C. PCI DSS D. GLBA
B. HIPAA Ref: Module 1, pages 93-94
Which Windows Registry hives are considered nonvolatile with respect to data persistence? A. HKEY_CURRENT_USERS, HKEY_LOCAL_MACHINE B. HKEY_LOCAL_MACHINE, HKEY_USERS C. HKEY_USERS, HKEY_CLASSES_ROOT D. HKEY_LOCAL_MACHINE, HKEY_CURRENT_CONFIG
B. HKEY_LOCAL_MACHINE, HKEY_USERS Ref: Module 6, page 609
When a Tor browser is installed and executed on a Windows machine, the user activity is recorded in which Windows Registry? A. HKEY_\\SOFTWARE\Mozilla\Tor\Launcher B. HKEY_\\SOFTWARE\Mozilla\Firefox\Launcher C. HKEY_\\SOFTWARE\Mozilla\Launcher\LaunchTor D. HKEY_\\SOFTWARE\Mozilla\Firefox\Tor\Launcher
B. HKEY_\\SOFTWARE\Mozilla\Firefox\Launcher Ref: Module 10, page 1032
What is not one of CAN-SPAM's main requirements for senders? A. The commercial email must be identified as an ad. B. Honor recipients' opt-out request within 30 business days. C. The email must have your valid physical postal address. D. Do not use false or misleading header information.
B. Honor recipients' opt-out request within 30 business days. Ref: Module 13, page 1296
Which of the following stakeholders are the first responders for all the security events or occurrences taking place on a cloud? A. IT professionals B. Incident handlers C. Law advisors D. Investigators
B. Incident handlers Ref: Module 12, page 1142
Which web application threat occurs when attackers insert malicious code, commands, or scripts into the input gates of web applications, enabling the applications to interpret and run the newly supplied malicious input? A. Cookie poisoning B. Injection flaws C. SQL injection D. Buffer overflow
B. Injection flaws Ref: Module 9, page 929
Cybercrimes can be classified into the following two types of attacks, based on the line of attack. A. Fraud and spam B. Internal and external C. Phishing and malware
B. Internal and external Ref: Module 1, pages 25-26
Which Microsoft-developed server architecture supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP? A. Web server B. Internet Information Services (IIS) C. Windows Server D. Logs
B. Internet Information Services (IIS) Ref: Module 9, page 938
Which of the following stakeholders is responsible for conducting forensic examinations against allegations made regarding wrongdoings, found vulnerabilities, and attacks over the cloud? A. Incident handlers B. Investigators C. Law advisors D. IT professionals
B. Investigators Ref: Module 12, page 1141
Which of the following stakeholders are responsible for making sure all the forensic activities are within the jurisdiction and do not violate any regulations or agreements? A. Investigators B. Law advisors C. Incident handlers D. IT professionals
B. Law advisors Ref: Module 12, page 1142
What is not one of the three tiers a log management infrastructure typically comprises? A. Log analysis and storage B. Log rotation C. Log generation D. Log monitoring
B. Log rotation Ref: Module 8, page 820
Which is not an indication of a web attack? A. Web pages redirected to an unknown website B. Logs found to have no known anomalies C. Network performance being unusually slow D. Access denied to normally available web services
B. Logs found to have no known anomalies Ref: Module 9, page 928
WAFs are designed to protect web applications from a range of web exploits and attacks but do not protect from what kind of attack? A. Cross-site scripting (XSS) B. Man-in-the-middle C. Session fixation attack D. SQL injection
B. Man-in-the-middle Ref: Module 9, page 967
What is the process of permanently deleting or destroying data from storage media? A. Systems capture B. Media sanitization C. Purge D. Disclosure
B. Media sanitization Ref: Module 4, page 383
Which relay is used for the transmission of data in an encrypted format? A. Exit relay B. Middle relay C. Start relay D. Entry/guard relay
B. Middle relay Ref: Module 10, page 1026
Which tool helps collect information about network connections operating in a Windows system? A. Nbtstat B. Netstat C. Ifconfig D. Ipconfig
B. Netstat Ref: Module 6, pages 557-558
Which type of dynamic malware analysis involves monitoring processes, examining event logs, looking for connected ports, examining DNS entries, and other forms of monitoring? A. Monitoring host integrity B. Observing runtime behavior C. Monitoring malware processes D. Snapshot testing
B. Observing runtime behavior Ref: Module 14, pages 1360-1361
Which web application threat occurs when attackers intend to manipulate the communication exchanged between the client and server to make changes in application data? A. Cookie poisoning B. Parameter tampering C. Buffer overflow D. SQL injection
B. Parameter tampering Ref: Module 9, page 931
When a USB device is plugged into a Windows machine, what in Windows receives the event and queries the device descriptor in the firmware for device information? A. Registry Updater B. Plug and Play Manager C. USB Manager D. REGEDIT
B. Plug and Play Manager Ref: Module 6, page 632
An email client connects with a POP3 server via which of the following? A. Port 011 B. Port 110 C. Port 101 D. Port 111
B. Port 110 Ref: Module 13, page 1230
What is the simplest RAID level that does not involve any redundancy, and fragments the file into the user-defined stripe size of the array? A. RAID 10 B. RAID 0 C. RAID 5 D. RAID 1
B. RAID 0 Ref: Module 3, page 333
Which information held by the superblock contains major and minor items that allow the mounting code to determine whether or not supported features are available to the file system? A. Mount count B. Revision level C. Magic number D. Block size
B. Revision level Ref: Module 3, page 290
In Event Correlation Approaches, which approach is used to monitor the computers' and computer users' behavior and provide an alert if something anomalous is found? A. Bayesian correlation B. Role-based approach C. Route correlation D. Vulnerability-based approach
B. Role-based approach Ref: Module 8, page 833
In which attack can attackers jam and sniff the signal to obtain the code transferred to the vehicle's receiver and use it to unlock and steal the vehicle? A. Remote access using backdoor B. Rolling Code Attack C. Jamming Attack D. Sybil Attack
B. Rolling Code Attack Ref: Module 16, page 1581
Which kind of attack is used when some information about the password is known? A. Dictionary B. Rule-based C. Brute-forcing D. Hash
B. Rule-based Ref: Module 5, page 482
Which type of network-based evidence provides a summary of a conversation between two network devices and includes an aggregation of metadata from network traffic, such as the destination IP and destination port, source IP and source port, start time of the session, and information exchanged during that session? A. Statistical data B. Session data C. Full content data D. Alert data
B. Session data Ref: Module 8, page 807
What is a common technique used to distribute malware on the web by mimicking legitimate institutions in an attempt to steal passwords, credit cards, and bank account data? A. Malvertising B. Spear phishing sites C. Drive-by downloads D. Blackhat SEO
B. Spear phishing sites Ref: Module 14, page 1307
Which anti-forensics technique is used to hide secret data within ordinary data, thereby hiding the existence of such data? A. Cryptography B. Steganography C. Encryption D. Decryption
B. Steganography Ref: Module 5, pages 508-509
Which of the following should be physical location and structural design considerations for forensics labs? A. Room size should be compact with standard HVAC equipment. B. Sufficient space to place all equipment to include storage. C. Lightweight construction materials need to be used. D. Computer systems should be visible from every angle.
B. Sufficient space to place all equipment to include storage. Ref: Module 2, page 119
How can an attacker exploit a network? A. Through special cables B. Through wired or wireless connections C. Through wireless connections only D. Through wired connections only
B. Through wired or wireless connections Ref: Module 8, pages 799-802
What is the role of an expert witness? A. To testify against the plaintiff B. To educate the jury and court C. To support the defense D. To evaluate the court's decisions
B. To educate the jury and court Ref: Module 2, page 196
External attacks occur when there are inadequate information-security policies and procedures. A. False B. True
B. True Ref: Module 1, page 26
Data duplication includes bit-by-bit copying of original data using a software or hardware tool. A. False B. True
B. True Ref: Module 2, page 177
macOS uses a hierarchical file system. A. False B. True
B. True Ref: Module 3, page 302
Thumbnails of images remain on computers even after files are deleted. A. False B. True
B. True Ref: Module 6, page 588
The CustomDestinations jump list is made of files that are created when a user pins a file or an application to a taskbar. A. False B. True
B. True Ref: Module 6, page 684
Digital files generally have a signature that can be found in the first 20 bytes of the file. A. False B. True
B. True Ref: Module 7, page 760
What is the name of the abstract layer that resides on top of a complete file system, allows client applications to access various file systems, and consists of a dispatching layer and numerous caches? A. User Space B. Virtual File System (VFS) C. GNUC Library (glibc) D. Kernel Space
B. Virtual File System (VFS) Ref: Module 3, page 284
The Apache server generates two types of logs, one that records all the requests processed by the Apache web server and one that contains diagnostic information on errors that the server faced while processing requests. The two types of logs generated are ________. A. apache log and error log B. access log and error log C. error log and server log D. server log and access log
B. access log and error log Ref: Module 9, page 948
Tor is a browser that is used to access the contents of the ________. A. middle web B. dark web C. surface web D. deep web
B. dark web Ref: Module 10, page 1025
What is not a RAW-format-support freeware tool? A. dc3dd B. dcfldc C. dcfldd D. dd
B. dcfldc Ref: Module 4, page 372
________ command is used to display the network configuration of the NICs on the system. A. ipconfig //all B. ipconfig /all C. ipconfig \all D. ipconfig \\all
B. ipconfig /all Ref: Module 6, page 569
In Android devices, the Amazon Alexa application uses two SQLite files. Which file contains currently logged-in users in the Alexa device? A. Webview.db B. map_data_storage.db C. Cache.db D. DataStore.db
B. map_data_storage.db Ref: Module 16, pages 1609-1610
Which command line utility is used to take a backup of the database? A. mysqlbackup B. mysqldump C. mysqldatabase D. mysqldbdump
B. mysqldump Ref: Module 11, page 1096
In Port Monitoring, the following command is used to look for connections established to unknown or suspicious IP addresses. A. netstat -sL B. netstat -an C. netstat -ns D. netstat -sn
B. netstat -an Ref: Module 14, pages 1410-1412
In the File Allocation Table (FAT) file system, with which hex byte code does the OS replace the first letter of a deleted file name? A. Eh5 B. He5 C. E5h D. 5Eh
C. E5h Ref: Module 5, page 443
Where is the trash directory located on a macOS? A. %%user.homedir%%/Trash/Bin/ B. /user/lib/trash/ C. %%users.homedir%%/.Trash/ D. /etc/trash/
C. %%users.homedir%%/.Trash/ Ref: Module 7, page 784
In Linux systems, where is local user information saved? A. /var/log/passwd file B. /etc/password file C. /etc/passwd file D. /var/passwd file
C. /etc/passwd file Ref: Module 7, page 748
Which log files in a Linux system cannot be used by forensic investigators? A. /var/log/lpr.log B. /var/log/kern.log C. /var/log/evtx.log D. /var/log/auth.log
C. /var/log/evtx.log Ref: Module 7, page 755
How many bytes are used for the disk signature in the structure of a master boot record (MBR)? A. 24 B. 8 C. 2 D. 64
C. 2 Ref: Module 3, page 229
Which prefetch setting does the value 1 in the registry entry EnablePrefetcher tell the system to use? A. Both application and boot prefetching are enabled. B. Prefetching is disabled. C. Application prefetching is enabled. D. Boot prefetching is enabled.
C. Application prefetching is enabled. Ref: Module 6, page 663
What would not be found on a most recently used list? A. Opened documents B. Recently visited web pages C. Bookmarks
C. Bookmarks Ref: Module 6, pages 640-641
What UFS file system part is composed of a few blocks in the partition reserved at the beginning? A. Super block B. Cylinder groups C. Boot blocks D. Data groups
C. Boot blocks Ref: Module 3, page 302
In such scenarios, where the usage of the Tor network is restricted, what helps circumvent the restrictions and allows users to access the Tor network? The usage of these nodes makes it difficult for governments, organizations, and ISPs to censor the usage of the Tor network. A. Tor nodes B. Relay nodes C. Bridge nodes D. Anonymizer nodes
C. Bridge nodes Ref: Module 10, page 1028
Which web application threat refers to the modification of a website's remnant data for bypassing security measures or gaining unauthorized information? A. Information leakage B. SQL injection C. Cookie poisoning D. Buffer overflow
C. Cookie poisoning Ref: Module 9, page 930
In Sector addressing, ________ determines the address of the individual sector on the disk. A. Clusters, Heads, and Series (CHS) B. Clusters, Series, and Heads (CSH) C. Cylinders, Heads, and Sectors (CHS) D. Logical Block Address (LBA)
C. Cylinders, Heads, and Sectors (CHS) Ref: Module 3, page 207
Under which of the following circumstances has a court of law allowed investigators to perform searches without a warrant? A. Delay in obtaining a warrant may lead to the preservation of evidence and expedite the investigation process. B. Expediting the process of obtaining a warrant may lead to a delay in prosecution of a perpetrator. C. Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process. D. Expediting the process of obtaining a warrant may lead to the timely prosecution of a perpetrator.
C. Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process. Ref: Module 2, page 147
Which web application threat occurs when attackers exploit HTTP, gain access to unauthorized directories, and execute commands outside the web server's root directory? A. Cookie poisoning B. SQL injection C. Directory traversal D. Buffer overflow
C. Directory traversal Ref: Module 9, page 931
Which method do attackers use to hide malicious data within hidden areas of a system's hard drive or within other files? A. File extension mismatch B. Trail obfuscation C. Hiding data in file system structures D. Steganography
C. Hiding data in file system structures Ref: Module 5, page 508
Which of the following stakeholders includes professionals—such as cloud security architects, network administrators, security administrators, and ethical hackers—responsible for managing and maintaining all aspects of the cloud? A. Law advisors B. Incident handlers C. IT professionals D. Investigators
C. IT professionals Ref: Module 12, page 1141
What cloud service enables subscribers to use fundamental IT resources—such as computing power, virtualization, data storage, network, etc.—on demand? A. PaaS B. SaaS C. IaaS D. AaaS
C. IaaS Ref: Module 12, page 1121
Where can an investigator find information on the sender and the recipient of an email and on the path taken by an email while in transit? A. In the body of the email B. On the main server C. In the email header D. In SMTP log files
C. In the email header Ref: Module 13, page 1264
Which term refers to the network of devices with an IP address that have the capability of sensing, collecting, and sending data using embedded sensors, communication hardware, and processors? A. Gateway layer B. Subnetting C. Internet of Things (IoT) D. Dark web
C. Internet of Things (IoT) Ref: Module 16, page 1561
Which security software or hardware device is used to monitor, detect, and protect networks or systems from malicious activities; it alerts the concerned security personnel immediately upon detecting intrusions? A. Honeypot B. Antivirus C. Intrusion Detection System (IDS) D. Firewall
C. Intrusion Detection System (IDS) Ref: Module 9, page 958
To start the forensic acquisition and analysis process of an Amazon EC2 Instance, what is the first step? A. Provision and launch a forensic workstation. B. Photograph the datacenter. C. Isolate the compromised EC2 instance from the production environment. D. Take a snapshot of the EC2 instance.
C. Isolate the compromised EC2 instance from the production environment. Ref: Module 12, page 1167
Which is true about the transport layer in the TCP/IP model? A. It is the lowest layer in the TCP/IP model. B. It includes protocols with HTTP, FTP, SMTP, and DNS. C. It is the backbone for data flow between two devices in a network. D. It is located between the network access layer and the internet layer.
C. It is the backbone for data flow between two devices in a network. Ref: Module 8, page 805
Which are short-range wireless connections that help IoT devices interact with each other without the need for a constant power supply? A. GPS B. Wi-Fi connections C. NFC connections D. Bluetooth
C. NFC connections Ref: Module 16, page 1599
Which layer of the TCP/IP Model do the data link layer and the physical layer of the OSI model together form? A. Transport layer B. Application layer C. Network access layer D. Internet layer
C. Network access layer Ref: Module 8, page 805
What is most likely not an indicator of compromise (IOC) artifact? A. A spike in outbound traffic B. Connections to malicious URLs C. Network traffic traversing on common ports D. Log-in anomalies or unusual log-in activities
C. Network traffic traversing on common ports Ref: Module 8, page 803
Which API manages all nodes that can be connected or disconnected on an Android smartwatch, and through which the connected smartphone receives notifications whenever a new connection is established among the IoT devices? A. Sync API B. Data API C. Node API D. Message API
C. Node API Ref: Module 16, page 1601
Which field type refers to the volume descriptor as a primary? A. Number 2 B. Number 0 C. Number 1 D. Number 3
C. Number 1 Ref: Module 3, page 316
What is the first step an investigator should take to carry out the on-site examination of an email server? A. Seize the computers and email accounts suspected to be involved. B. Conduct a forensics test on the permitted equipment. C. Obtain a search warrant application in the appropriate language. D. Seize the email accounts by changing the existing password of the email account.
C. Obtain a search warrant application in the appropriate language. Ref: Module 13, page 1242
Which tool is a mobile forensic acquisition and analysis tool for cell phones, smartphones, tablets, and GPS devices that supports both logical and physical acquisition of data and also allows one to perform cloud data acquisition from mobile devices? A. XRY Logical B. Oxygen Forensic Extractor C. Paraben's E3 DS D. Cellebrite UFED Logical Analyzer
C. Paraben's E3 DS Ref: Module 15, page 1514
Which of the following is also known as an internal or corporate cloud and is a cloud infrastructure that a single organization operates? A. Community cloud B. Hybrid cloud C. Private cloud D. Public cloud
C. Private cloud Ref: Module 12, page 1123
What tool for Windows shows real-time file system, registry, and process/thread activity and combines the features of two Sysinternals utilities, Filemon and Regmon? A. RegRipper B. FileRegMon + C. Process Monitor D. Windows Service Manager
C. Process Monitor Ref: Module 14, page 1375
Which tool is not a Mac forensic tool? A. Memoryze B. RECON IMAGER C. Process Monitor D. F-Response
C. Process Monitor Ref: Module 7, pages 789-790
What anti-forensics technique uses a program to compress or encrypt executable programs in an effort to hide attack tools from being detected? A. Program Decryptors B. Program Packing C. Program Packers D. Program Encryptors
C. Program Packers Ref: Module 5, page 534
Which of the following is not a digital data storage type? A. Optical storage devices B. Magnetic storage devices C. Quantum storage devices D. Flash memory devices
C. Quantum storage devices Ref: Module 3, page 358
Which tool recovers files that have been lost, deleted, corrupted, or even deteriorated? A. EaseUS B. DiskDigger C. Quick Recovery D. Recover My Files
C. Quick Recovery Ref: Module 5, page 457
Which of the following is not a feature of the Recover My Files tool? A. Recovering from a hard drive, camera card, USB, Zip, floppy disk, or other media B. Recovering files even if emptied from the recycle bin data C. Recovering files from a network drive D. Performing disk recovery after a hard disk crash
C. Recovering files from a network drive Ref: Module 5, page 455
Which event correlation step is the most complex and identifies all devices that became inaccessible due to network failures? A. Event filtering B. Event masking C. Root cause analysis D. Event debugging
C. Root cause analysis Ref: Module 8, page 828
Which of the following Federal Rules of Evidence ensures that the truth may be ascertained and the proceedings justly determined? A. Rule 103 B. Rule 105 C. Rule 102 D. Rule 101
C. Rule 102 Ref: Module 1, page 46
Which possible location in a mobile phone where investigators can find evidence includes personal information, address books, messages, and service-related information? A. External Memory B. Internal Memory C. SIM Card Memory D. Cloud Storage
C. SIM Card Memory Ref: Module 15, page 1471
Which file storing data and logs in SQL servers is optional? A. Primary data file (MDF) B. Transaction log data file (LDF) C. Secondary data file (NDF) D. SQL data file (PDF)
C. Secondary data file (NDF) Ref: Module 11, page 1051
Which type of jailbreak causes the device to boot into a non-jailbroken state after rebooting? A. Tethered Jailbreak B. Semi-tethered Jailbreak C. Semi-untethered Jailbreak D. Untethered Jailbreak
C. Semi-untethered Jailbreak Ref: Module 15, page 1506
Which of the following is an internet protocol that's designed for transmitting emails to a valid email address? A. TCP / IP B. Post Office Protocol Version 3 (POP3) server C. Simple Mail Transfer Protocol (SMTP) D. Internet Message Access Protocol (IMAP) server
C. Simple Mail Transfer Protocol (SMTP) Ref: Module 13, page 1231
What is the space generated between the end of a stored file and the end of the disk cluster called? A. Cluster space B. Sector space C. Slack space D. Unused space
C. Slack space Ref: Module 6, page 585
Which of the following is not part of the Computer Forensics Investigation Methodology? A. Data acquisition B. Data analysis C. Testify as an expert defendant D. Testify as an expert witness
C. Testify as an expert defendant Ref: Module 2, page 135
Which of the following is true of civil crimes? A. A formal investigation report is required. B. The standards of proof need to be very high. C. The initial reporting of the evidence is generally informal. D. Law enforcement agencies are responsible for collecting and analyzing evidence.
C. The initial reporting of the evidence is generally informal. Ref: Module 1, page 31
What is a challenge to performing forensics on containers? A. They use their own memory. B. Logging is disabled by default. C. They have a very short lifecycle. D. Their snapshot features are very complex.
C. They have a very short lifecycle. Ref: Module 12, pages 1216-1217
What is the primary reason for forensic investigators to examine logs? A. To make notes of critical events because logs are not admissible as evidence B. To record their own access to a device C. To correlate the information across multiple log files to understand how an attack was conducted D. To begin collecting information about a crime in progress
C. To correlate the information across multiple log files to understand how an attack was conducted Ref: Module 8, page 814
Which method do attackers use to confuse or deceive forensic investigators by tampering with logs, modifying file headers, and changing timestamps? A. Hiding data in file system structures B. File extension mismatch C. Trail obfuscation D. Steganography
C. Trail obfuscation Ref: Module 5, page 508
What is not volatile information? A. Mounted filesystems information B. Loaded kernel modules C. User accounts D. Network information
C. User accounts Ref: Module 7, page 722
Which of the following mostly monitors HTTP conversations (GET and POST requests) by implementing a set of generic rules for the detection of web-based attacks? A. Firewall B. Honeypot C. Web Application Firewall (WAF) D. IDS
C. Web Application Firewall (WAF) Ref: Module 9, page 967
Under which of the following conditions will duplicate evidence not suffice? A. When original evidence is in possession of a third party B. When original evidence is destroyed in the normal course of business C. When original evidence is in possession of the originator D. When original evidence is destroyed due to fire or flood
C. When original evidence is in possession of the originator Ref: Module 1, page 42
The directory of the 'state' file where the Tor browser is executed is located where? A. \Tor Browser\Browser\TorBrowser\Data\TorBrowser\ B. \TorBrowser\Browser\TorBrowser\Data\Tor\ C. \Tor Browser\Browser\TorBrowser\Data\Tor\ D. \Browser\Tor Browser\Browser\TorBrowser\Data\Tor\
C. \Tor Browser\Browser\TorBrowser\Data\Tor\ Ref: Module 10, page 1032
After establishing a connection to an Android smartwatch, forensic investigators can perform a logical acquisition on the device using which of the following commands? A. adb devices B. adb connect C. adb pull D. adb shell
C. adb pull Ref: Module 16, pages 1603-1604
The investigator uses which of the following commands to view the ARP table in Windows? A. arp // B. arp .a C. arp -a D. arp /all
C. arp -a Ref: Module 8, page 851
Which command is used to find whether any TCP and UDP ports are unusually listening? A. netstat -s B. netstat -ns C. netstat -na D. netstat -n
C. netstat -na Ref: Module 9, page 981
A SIEM is composed of two layers, a base layer for log management and an additional layer for security analytics. The activities in both of these layers are distributed between the security information management (SIM) and the ________. A. security intrusion detection management (SIDM) B. security analytics management (SAM) C. security event management (SEM) D. investigative source management (ISM)
C. security event management (SEM) Ref: Module 8, page 889
Investigators need to ensure that an acquisition methodology used is forensically sound. Specifically, the acquisition methodology adopted must be ________. A. verifiable and differentiated B. authenticated and unrepeatable C. verifiable and repeatable D. differentiated and validated
C. verifiable and repeatable Ref: Module 4, page 363
How large is the partition table structure that stores information about the partitions present on the hard disk? A. 32-byte B. 64-bit C. 32-bit D. 64-byte
D. 64-byte Ref: Module 3, page 227
What does macOS store user settings in the form of? A. An uslist file B. A settings file C. A ulist file D. A plist file
D. A plist file Ref: Module 7, page 783
What command is used to determine the NetBIOS name table cache in Windows? A. Netstat B. Ifconfig C. Ipconfig D. Nbtstat
D. Nbtstat Ref: Module 6, pages 555-556
How many bit values does HFS use to address allocation blocks? A. 64 B. 32 C. 8 D. 16
D. 16 Ref: Module 3, page 303
What is the maximum size limit for the Recycle Bin in Windows prior to Windows Vista? A. 0 B. None C. 3.99 MB D. 3.99 GB
D. 3.99 GB Ref: Module 5, page 446
Tor's hidden service protocol allows users to host websites anonymously that can only be accessed by users of the Tor network. Which domain do these websites use? A. .Tor B. .onion C. .Tornet D. .BIT
D. .BIT Ref: Module 10, page 1027
The Apache web server follows a modular approach and consists of two major components: the Apache core and the ________. A. Apache client B. Apache config C. Apache main D. Apache modules
D. Apache modules Ref: Module 9, page 946
Which architectural layer of mobile device environments provides services including email, File Transfer Protocol, among others? A. Baseband part B. Memory unit C. Connectivity D. Application and CPU
D. Application and CPU Ref: Module 15, page 1449
Which Azure logs record information related to all successful and failed requests made to Azure blobs, Azure queue, and Azure table, can be enabled via the Azure portal and record authenticated as well as anonymous requests? A. Azure Active Directory Reports B. Azure Resource Logs C. Azure Activity Logs D. Azure Storage Analytics Logs
D. Azure Storage Analytics Logs Ref: Module 12, pages 1191-1193
Which type of event correlation approach is an advanced correlation method based on statistics and probability theory that uses prior probabilities of conditions to predict what a hacker might do next after an attack? A. Route correlation B. Open-port-based correlation C. Cross-platform correlation D. Bayesian correlation
D. Bayesian correlation Ref: Module 8, pages 831-833
Which prefetch setting does the value 2 in the registry entry EnablePrefetcher tell the system to use? A. Both application and boot prefetching are enabled. B. Application prefetching is enabled. C. Prefetching is disabled. D. Boot prefetching is enabled.
D. Boot prefetching is enabled. Ref: Module 6, page 663
Which web application threat occurs when attackers identify a flaw, bypass authentication, and compromise the network? A. SQL injection B. Buffer overflow C. Cookie poisoning D. Broken access control
D. Broken access control Ref: Module 9, page 930
On a Windows machine, where are the prefetch files located? A. C:\WINDOW\Fetch\Prefetch B. C:\WINDOWS\Fetch C. C:\WINDOWS\Fetch\Prefetch D. C:\WINDOWS\Prefetch
D. C:\WINDOWS\Prefetch Ref: Module 10, page 1033
Identify the following project, which was launched by the National Institute of Standards and Technology (NIST), that establishes a "methodology for testing computer forensics software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware." A. Computer Forensic Investigation Project (CFIP) B. Computer Forensic Hardware Project (CFHP) C. Enterprise Theory of Investigation (ETI) D. Computer Forensic Tool Testing Project (CFTTP)
D. Computer Forensic Tool Testing Project (CFTTP) Ref: Module 2, page 126
Which tool for Mac recovers files from a crashed or virus-corrupted hard drive and can recover all file types from any HFS/HFS+ formatted drive? A. DiskDigger B. Recover My Files C. EaseUS D. Data Rescue 4
D. Data Rescue 4 Ref: Module 5, page 469
Which attack floods the target with large amounts of invalid traffic exhausting resources available on the target? A. Sniffing B. Man-in-the-middle C. Spoofing D. Denial-of-service
D. Denial-of-service Ref: Module 8, page 799
Which web application threat is a method intended to terminate website or server operations by making resources unavailable to clients? A. SQL injection B. Cookie poisoning C. Buffer overflow D. Denial-of-service
D. Denial-of-service Ref: Module 9, page 931
Which is not the best countermeasure to anti-forensics? A. Use intelligent decompression libraries to defend against compression bombs B. Use latest and updated Computer Forensics Tools (CFTs) and test them for vulnerabilities C. Validate the results of examination using multiple Computer Forensics Tools (CFTs) D. Depend completely on a specific Computer Forensics Tool (CFT)
D. Depend completely on a specific Computer Forensics Tool (CFT) Ref: Module 5, page 540
What is the process of applying a strong magnetic field to a storage device, resulting in a device entirely clean of any previously stored data? A. File wiping B. Metadata overwriting C. Disk formatting D. Disk degaussing
D. Disk degaussing Ref: Module , pages 526-527
Which process involves erasing data from a disk by deleting its links to memory blocks and overwriting the memory contents? A. Metadata overwriting B. Disk degaussing C. File wiping D. Disk wiping
D. Disk wiping Ref: Module 5, pages 526-527
What is not a Windows file system? A. NTFS B. FAT32 C. FAT D. EXT3
D. EXT3 Ref: Module 3, page 256
What component of a typical FAT file system consists of data that the file system uses to access the volume? A. Reserved Area B. Boot Sector C. Data Area D. FAT Area
D. FAT Area Ref: Module 3, page 259
Where do email archives store received and sent emails? A. In the cache file B. On the mail server C. On the internet D. On the system hard drive
D. On the system hard drive Ref: Module 13, pages 1245-1246
What is a static malware analysis technique that uses unique hash values to help investigators recognize files that are sensitive to tracking and identify similar programs from a database? A. Identifying packing or obfuscation methods B. Performing strings search C. Malware disassembly D. File fingerprinting
D. File fingerprinting Ref: Module 14, page 1328
Which of the following is not information that analyzing Shellbags provides to forensic investigators? A. Folders deleted by the user B. Folders opened by user from a mounted external hard drive C. Timestamps and MAC times of the accessed folder D. Folders not opened from an external hard drive after the drive is unmounted.
D. Folders not opened from an external hard drive after the drive is unmounted. Ref: Module 6, pages 675-679
How can forensic investigators obtain data when the attacker or owner of the mobile phone has deleted the call history and/or text messages from the device to wipe out evidence? A. Logical Acquisition B. Jailbreaking the device C. SIM Card Memory D. From the service provider
D. From the service provider Ref: Module 15, page 1478
What type of network-based evidence is gathered by capturing and storing all the packets flowing through a network without any filtering, using a tool like tcpdump or Wireshark, and can assist investigators in performing post-mortem analysis of a security incident? A. Alert Data B. Statistical Data C. Session Data D. Full Content Data
D. Full Content Data Ref: Module 8, page 807
What requires companies that offer financial products or services to protect customer information against security threats? A. HIPAA B. FISMA C. PCI DSS D. GLBA
D. GLBA Ref: Module 1, page 92
Which architectural layer of Android OSes provides a standard interface for hardware vendors that expose the device hardware capabilities to higher-level Java API frameworks? A. Communication Layer B. Phone Layer C. GUI Layer D. Hardware Abstraction Layer
D. Hardware Abstraction Layer Ref: Module 15, page 1451
Which of the following is the process of developing a strategy to address the occurrence of any security breach in the system or network? A. Forensic readiness planning B. Best evidence rule C. Security policy D. Incident response
D. Incident response Ref: Module 1, page 70
Which of the following is true of cybercrimes? A. The searching of the devices is based on mutual understanding and provides a wider time frame to hide the evidence. B. Investigators attempt to demonstrate information to the opposite party to support the claims and induce settlement. C. The claimant is responsible for the collection and analysis of the evidence. D. Investigators, with a warrant, have the authority to forcibly seize the computing devices.
D. Investigators, with a warrant, have the authority to forcibly seize the computing devices. Ref: Module 1, page 30
When a forensic investigator finds it difficult to perform data acquisition from the device at the software level, they use hardware-level acquisition methods to acquire raw data stored on a memory chip. What method allows investigators to create memory dumps of the device or perform physical acquisition of the device without removing the memory chips from the device's motherboard? A. Memdump B. Chip-Off C. MemChip D. JTAG
D. JTAG Ref: Module 16, page 1615
Which attack is specific to wireless networks? A. Password-based attacks B. Man-in-the-middle attack C. Denial-of-service D. Jamming signal attack
D. Jamming signal attack Ref: Module 8, page 802
What is the built-in manager that saves credentials for websites, wireless networks, SSH servers, and private keys for macOS? A. BitLocker B. Chaingang C. Password Locker D. Keychain
D. Keychain Ref: Module 7, page 783
What is not a command used to determine logged-on users? A. Net sessions B. PsLoggedOn C. LogonSessions D. LoggedSessions
D. LoggedSessions Ref: Module 6, pages 549-552
What are the unique identification numbers assigned to Windows user accounts for granting user access to particular resources? A. User access numbers B. Windows access number C. Security definitions D. Microsoft security ID
D. Microsoft security ID Ref: Module 6, page 625
What is the proprietary Microsoft Office presentation file extension used in PowerPoint? A. PDF B. TXT C. RTF D. PPT
D. PPT Ref: Module 3, page 355
The value 0 associated with the registry entry EnablePrefetcher tells the system to use which prefetch? A. Boot prefetching is enabled. B. Application prefetching is enabled. C. Both application and boot prefetching are enabled. D. Prefetching is disabled.
D. Prefetching is disabled. Ref: Module 6, page 663
Which of the following is not where potential evidence may be located? A. Smart card B. Digital camera C. Thumb drive D. Processor
D. Processor Ref: Module 1, pages 37-38
Codes of ethics are the principles stated to describe the expected behavior of an investigator while handling a case. Which of the following is not a principle that a computer forensic investigator must follow? A. Act with utmost ethical and moral principles. B. Ensure integrity of the evidence throughout the investigation process. C. Act in accordance with federal statutes, state statutes, and local laws and policies. D. Provide personal or prejudiced opinions.
D. Provide personal or prejudiced opinions. Ref: Module 1, page 83
Which cloud environment allows the provider to make services—such as applications, servers, and data storage—available to the public over the internet? A. Community cloud B. Hybrid cloud C. Private cloud D. Public cloud
D. Public cloud Ref: Module 12, page 1124
Which of the following consists of volatile storage? A. Hard drive B. Compact disc C. ROM D. RAM
D. RAM Ref: Module 4, page 388
Which RFC defines the internet email message format? A. RFC 2525 B. RFC 2050 C. RFC 5422 D. RFC 5322
D. RFC 5322 Ref: Module 13, page 1234
What is a precomputed table that contains word lists in the form of dictionary files and brute-force lists and their hash values? A. Rule-based B. Hash C. Master D. Rainbow
D. Rainbow Ref: Module 5, page 483
What is an ongoing process that returns results simultaneously so that the system or operators can respond to attacks immediately? A. Past-time analysis B. Premortem C. Postmortem D. Real-time analysis
D. Real-time analysis Ref: Module 8, page 798
Which of the following Federal Rules of Evidence governs proceedings in the courts of the United States? A. Rule 102 B. Rule 103 C. Rule 105 D. Rule 101
D. Rule 101 Ref: Module 1, page 45
In forensic law, "authenticating or identifying evidence" comes under which rule? A. Rule 801 B. Rule 708 C. Rule 608 D. Rule 901
D. Rule 901 Ref: Module 1, page 56
Which logs, when enabled, record information of all requests made to any bucket, including requests such as GET, PUT, and DELETE, which helps investigators to understand the actions that were performed on a bucket object along with the users who performed these actions? A. AWS CloudTrail B. Amazon CloudWatch C. VPC Flow Logs D. S3 Server Access Logs
D. S3 Server Access Logs Ref: Module 12, pages 1161-1164
The information about the system users is stored in which file? A. NTUSER.DAT B. PAT database file C. NTUSER.BAT D. SAM database file
D. SAM database file Ref: Module 6, page 616
Which web application threat occurs when attackers insert commands via input data and are able to tamper with the data? A. Denial-of-service B. Cookie poisoning C. Buffer overflow D. SQL injection
D. SQL injection Ref: Module 9, page 929
What cloud service offers application software to subscribers on demand or over the internet and is charged for by the provider on a pay-per-use basis, by subscription, by advertising, or by sharing among multiple users? A. PaaS B. IaaS C. AaaS D. SaaS
D. SaaS Ref: Module 12, page 1122
Which web application threat occurs when information such as account records, credit card numbers, passwords, or other authentication information, generally stored by web applications either in a database or on a file system, is exposed? A. Cookie poisoning B. Information leakage C. Buffer overflow D. Sensitive data exposure
D. Sensitive data exposure Ref: Module 9, page 930
What is the most common MAC spoofing detection method in which investigators analyze the sequence number field in the MAC-layer frame header? A. Address spoofing detection B. Frame detection C. Signal strength-based detection D. Sequence number-based detection
D. Sequence number-based detection Ref: Module 8, page 915
Which compares incoming or outgoing network packets with the binary signatures of known attacks by using simple pattern-matching techniques to detect intrusions? A. Session recognition B. Protocol anomaly detection C. Anomaly detection D. Signature-based intrusion detection
D. Signature-based intrusion detection Ref: Module 9, pages 960-961
Which of the following is a computer-created source of potential evidence? A. Spreadsheet B. Bookmarks C. Steganography D. Swap file
D. Swap file Ref: Module 1, page 39
Before conducting forensics investigation on an Android smartwatch, the investigator needs to understand the basic framework of that device. Which of the following is not an Android API? A. Node API B. Data API C. Message API D. Sync API
D. Sync API Ref: Module 16, page 1601
Which Android developer feature can be activated from the Developer Options menu and allows an Android device to establish communication with a computer/workstation that runs the Android Software Development Kit (SDK)? A. Communication API B. Developer Mode C. USB Restriction Mode D. USB Debugging Mode
D. USB Debugging Mode Ref: Module 15, page 1466
Which operating system is macOS based on? A. Windows B. Solaris C. Linux D. Unix
D. Unix Ref: Module 7, page 780
What is not a defense mechanism against alterations to evidence media? A. Setting a hardware jumper to make the disk read-only B. Employing a hard disk write-block tool to protect against disk writes C. Using an operating system and software that cannot write to the disk unless instructed D. Unplugging the cables connected to the drive
D. Unplugging the cables connected to the drive Ref: Module 4, page 395
Which web application threat occurs when attackers tamper with the URL, HTTP requests, headers, hidden fields, form fields, or query strings? A. SQL injection B. Cookie poisoning C. Buffer overflow D. Unvalidated input
D. Unvalidated input Ref: Module 9, page 932
Which of the following refers to the data stored in the registries, cache, and RAM of digital devices? A. Registries B. Physical memory C. Systems data D. Volatile information
D. Volatile information Ref: Module 4, page 434
What tool enables you to retrieve information about event logs and publishers in Windows 10? A. Msconfig B. Regedit C. EventViewer D. Wevtutil
D. Wevtutil Ref: Module 6, page 695
Forensic readiness refers to ________. A. having no impact on prospects of successful legal action B. the establishment of specific incident response procedures and designated trained personnel to prevent a breach C. replacing the need to meet all regulatory requirements D. an organization's ability to make optimal use of digital evidence in a limited time period and with minimal investigation costs
D. an organization's ability to make optimal use of digital evidence in a limited time period and with minimal investigation costs Ref: Module 1, page 31
A wireless access point can be termed rogue when it is installed within a trusted network without appropriate ________. A. synchronization B. signal strength C. triangulation D. authorization
D. authorization Ref: Module 8, page 910
Courts call knowledgeable persons to testify to the accuracy of the investigative process. These people who testify are known as the ________. A. judges B. counselors C. character witnesses D. expert witnesses
D. expert witnesses Ref: Module 2, page 194
The elements of the Apache core that address the basic functionalities of the server are http_protocol, http_main, http_request, http_core, alloc, and ________. A. http_alloc B. http_core C. http_manage D. http_config
D. http_config Ref: Module 9, page 947
Which Linux command lists the open files for the user currently logged into a system? A. openfile B. lsopen C. ofopen D. lsof
D. lsof Ref: Module 7, page 736
On-demand ________ is a type of service rendered by cloud service providers that allows provisions for cloud resources such as computing power, storage, network, and so on—always on demand, without the need for human interaction with service providers. A. full service B. a la carte C. catering D. self-service
D. self-service Ref: Module 12, page 1119
The main advantage of RAID is that if a single physical disk fails, ________. A. the system will build another drive B. the operating system will protect the remaining disks C. the system will isolate the defective disk D. the system will continue to function without loss of data
D. the system will continue to function without loss of data Ref: Module 3, page 330