C702 Ud 2/3


An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet. A. optical B. logical C. magnetic D. anti-magnetic

A

An employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the employee's computer, which was protected with the NTFS Encrypting File System (EFS), and you observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the employee before he leaves the building, recover the floppy disk and secure his computer. Will you be able to break the encryption so that you can verify that the employee was in possession of the proprietary information? A. When the encrypted file was copied to the floppy disk, it was automatically decrypted, so you can recover the information. B. EFS uses a 128-bit key that cannot be cracked, so you will not be able to recover the information. C. When the encrypted file was copied to the floppy disk, the EFS private key was also copied to the floppy disk, so you can recover the information. D. The EFS Revoked Key Agent can be used on the computer to recover the information.

A

An expert witness may give an opinion if: A. the opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the ordinary experience of lay jurors B. to deter the witness from expanding the scope of his or her investigation beyond the requirements of the case C. to stimulate discussion between the consulting expert and the expert witness D. to define the issues of the case for determination by the finder of fact

A

E-mail logs contain all but which of the following information to help you in your investigation? A. attachments sent with the e-mail message B. contents of the e-mail message C. date and time the message was sent D. user account that was used to send the message E. unique message identifier

A

If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector investigation and should be referred to law enforcement. A. True B. False

A

Jason needs to review file shares on the server. He knows that he can use this command to review file shares and ensure their purpose. A. net view B. net use C. net session D. msconfig fls

A

Office documents (Word, Excel, PowerPoint) contain a code that allows tracking the MAC, or unique identifier, of the machine that created the document. What is that code called? A. Globally Unique ID B. Personal Application Protocol C. Individual ASCII String D. Microsoft Virtual Machine Identifier

A

Roberta is an investigator with DHS. She is at the scene and needs to locate and recover files deleted from an NTFS-formatted volume. What should she use? A. Pandora Recovery B. Active@ File Recovery C. Stellar Phoenix D. R-Studio

A

Roberta suspects the company's network has been compromised. How can she look for unusual network services running? A. net start B. net service C. net run D. net process

A

What does mactime, an essential part of The Coroner's Toolkit, do? A. It traverses the file system and produces a listing of all files based on the modification, access and change timestamps B. It is a tool specific to Mac OS and forms a core component of the toolkit C. The tool scans for i-node information, which is used by other tools in the toolkit D. It can recover deleted file space and search it for data. However, it does not allow the investigator to preview them

A
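The timeline mactime builds from a body file is easy to reproduce in a few lines, and doing so shows why the m, a and c columns matter. The following is an added example, not part of the original question set or of The Coroner's Toolkit: it walks a directory, records each entry's three timestamps the way mac-robber/grave-robber would, and flattens them into a time-ordered list with mactime-style "m.a.c" flags. The directory tree and the back-dated file are constructed inside the script.

```python
import os
import tempfile

# Flags in mactime's "Type" column: m = modified, a = accessed, c = changed (metadata)
FLAG_ORDER = "mac"


def collect_records(root):
    """Walk a tree and record the three timestamps of every entry,
    roughly what TCT's grave-robber/mac-robber writes to a body file."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks, we want the link itself
            records.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "m": int(st.st_mtime),
                "a": int(st.st_atime),
                # On Linux st_ctime is the inode change time; on Windows it is the creation time
                "c": int(st.st_ctime),
            })
    return records


def mactime(records):
    """Flatten records into a time-ordered timeline: (epoch_seconds, "mac"-style flags, path).
    Timestamps that coincide for one file collapse into one line, as mactime does."""
    events = {}
    for rec in records:
        for flag in FLAG_ORDER:
            events.setdefault((rec[flag], rec["path"]), set()).add(flag)
    timeline = []
    for (ts, path), flags in sorted(events.items()):
        shown = "".join(f if f in flags else "." for f in FLAG_ORDER)
        timeline.append((ts, shown, path))
    return timeline


def demo():
    """Constructed tree (assumption for the example): one file back-dated with os.utime."""
    with tempfile.TemporaryDirectory() as root:
        old = os.path.join(root, "old.txt")
        new = os.path.join(root, "new.txt")
        for p in (old, new):
            with open(p, "w") as fh:
                fh.write("sample\n")
        # utime sets atime and mtime only; ctime cannot be set from user space,
        # so the back-dated file still produces a current "..c" event
        os.utime(old, (1_600_000_000, 1_600_000_000))
        return mactime(collect_records(root))


if __name__ == "__main__":
    for ts, flags, path in demo():
        print(ts, flags, path)
```

The "..c" line that remains at the current time for the back-dated file is the point: an attacker can rewrite m and a times with utime-style calls, but the inode change time still records when that happened, which is why all three columns are examined together.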

What should you do when approached by a reporter about a case that you are working on or have worked on? A. refer the reporter to the attorney that retained you B. say, "no comment" C. answer only the questions that help your case D. answer all the reporter's questions as completely as possible

A

What will the following command produce on a website login page? SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]'; DROP TABLE members; --' A. Deletes the entire members table B. Inserts the email address into the members table C. Retrieves the password for the first user in the members table D. This command will not produce anything since the syntax is incorrect

A
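The statement above only destroys the members table because the application glued the user's input into the query text and the database engine was allowed to run more than one statement. The following added example (not from the question set) reproduces that against an in-memory SQLite table with constructed rows, then shows the parameterised form in which the same payload is treated as a literal e-mail address. The table contents, the payload and the e-mail addresses are all assumptions made for the demo.

```python
import sqlite3


def fresh_db():
    """In-memory copy of the members table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT);
        INSERT INTO members VALUES ('alice@example.com', 'x7!pq', 'alice', 'Alice Example');
        INSERT INTO members VALUES ('bob@example.com', 'hunter2', 'bob', 'Bob Example');
    """)
    return conn


def members_table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'members'"
    ).fetchone()
    return row is not None


def vulnerable_lookup(conn, email):
    """Builds the query by string concatenation and hands the whole text to the
    engine. executescript() runs every statement it is given, which is what
    lets the stacked DROP TABLE execute."""
    sql = ("SELECT email, passwd, login_id, full_name FROM members "
           "WHERE email = '" + email + "'")
    conn.executescript(sql)


def safe_lookup(conn, email):
    """Parameterised query: the driver sends the value separately, so the
    quote, semicolon and comment in the input never reach the SQL parser."""
    cur = conn.execute(
        "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?",
        (email,),
    )
    return cur.fetchall()


# The injected value: closes the string literal, terminates the SELECT,
# appends DROP TABLE, and comments out the application's trailing quote.
PAYLOAD = "attacker@example.com'; DROP TABLE members; --"


def demo():
    vuln = fresh_db()
    vulnerable_lookup(vuln, PAYLOAD)
    table_dropped = not members_table_exists(vuln)

    safe = fresh_db()
    rows = safe_lookup(safe, PAYLOAD)      # no member has this literal e-mail
    table_intact = members_table_exists(safe)
    return table_dropped, rows, table_intact


if __name__ == "__main__":
    print(demo())   # (True, [], True)
```

Note that Python's sqlite3 `execute()` refuses a string containing more than one statement; that is a driver safeguard against exactly this stacked-query case, not a reason to keep concatenating input. Other drivers and databases (multi-statement enabled MySQL connections, SQL Server, PostgreSQL simple-query mode) run the stacked statement as written.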

When cataloging digital evidence, the primary goal is to A. preserve evidence integrity B. not remove the evidence from the scene C. make bit-stream images of all hard drives D. not allow the computer to be turned off

A

When conducting computer forensic analysis, you must guard against _________ so that you remain focused on the primary job and ensure that the level of work does not increase beyond what was originally expected. A. scope creep B. unauthorized expenses C. hard drive failure D. overzealous marketing

A

Windows identifies which application to open a file with by examining which of the following? A. The file extension B. The file signature at the beginning of the file C. The file attributes D. The file signature at the end of the file

A

You are assigned to work in the computer forensics lab of a state police agency. While working on a high-profile criminal case, you have followed every applicable procedure; however, your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab? A. make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab B. there is no reason to worry about this possible claim because state labs are certified C. sign a statement attesting that the evidence is the same as it was when it entered the lab D. make an MD5 hash of the evidence and compare it to the standard database developed by NIST

A

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacturer. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO? A. the attorney-work-product rule B. Good manners C. ISO 17799 D. Trade secrets

A

You can check for the creation of new accounts in the administrator group with the ____ command. A. lusrmgr.msc B. check lusmgr.msc C. check admin.exe D. lusrmgr.exe

A

You setup SNMP in multiple offices of your company. Your SNMP software manager is not receiving data from other offices like it is for your main office. You suspect that firewall changes are to blame. What ports should you open for SNMP to work through Firewalls (Select 2) A. 162 & 161 B. 161 & 160 C. 163 & 161 D. 160 & 162

A

David needs a recovery tool that is also provided as an ISO image. He knows that ______ offers this. A. DiskDigger B. Active@ File Recovery C. EaseUS D. Recuva

B

During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding process. Therefore you report this evidence. This type of evidence is known as: A. Mandatory evidence B. Exculpatory evidence C. Inculpatory evidence D. Terrible evidence

B

How can you find scheduled and unscheduled tasks on the local host? A. net local.host B. schtasks.exe C. find schtasks.exe D. use schtasks.exe

B

If you plan to startup a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive. A. Boot.sys B. CMOS C. deltree command D. Scandisk utility

B

Johnny wants to use the tool that offers thumbnail previews. He should choose: A. R-Studio B. DiskDigger C. File Salvage D. Pandora Recovery

B

Jose is an investigator with CyberNet, Inc. and is investigating an incident. How does he check to see if sessions have been opened with other systems? A. net analysis B. net use C. net view D. net session

B

Lance wants to place a honeypot on his network. Which of the following would be your recommendations? A. Use a system that is not directly interacting with the router B. Use it on a system in an external DMZ in front of the firewall C. It doesn't matter as all replies are faked D. Use a system that has dynamic addressing on the network

B

Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool? A. A disk imaging tool would check for CRC32s for internal self checking and validation and have MD5 checksum B. A simple DOS copy will not include deleted files, file slack and other information C. There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector D. Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file

B

The use of warning banners helps a company avoid litigation by overcoming an employee's assumed ___________________ when connecting to the company's intranet, network, or virtual private network (VPN), and will allow the company's investigators to monitor, search, and retrieve information stored within the network. A. right to Internet access B. right of privacy C. right to work D. right of free speech

B

This tool can be used to recover lost data from RAID and hard drives: A. File Salvage B. Total Recall C. DiskDigger D. EaseUS

B

What type of file is represented by a colon (:) with a name following it in the Master File Table (MFT) of an NTFS disk? A. an encrypted file B. a data stream file C. a reserved file D. a compressed file

B

When a file is deleted in FAT, the first letter of the deleted filename is changed to: A. ESH B. E5H C. H5H D. ESE

B
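The 0xE5 marker is the whole reason undelete tools work on FAT: the directory entry, its starting cluster and its size survive, only the first character of the name is lost. The following added example (not from the question set) packs and parses 32-byte FAT short-name directory entries so you can see exactly which fields a deleted entry still carries. The directory contents are constructed in the script; the layout is the standard 8.3 entry (name, attributes, timestamps, high/low first-cluster words, size).

```python
import struct

# 32-byte FAT short (8.3) directory entry:
# name[11] attr ntres crt_tenth crt_time crt_date acc_date clus_hi wrt_time wrt_date clus_lo size
ENTRY = struct.Struct("<11sBBBHHHHHHHI")
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F          # long-file-name piece, not a file itself
DELETED_MARK = 0xE5      # first name byte of a deleted entry
FREE_MARK = 0x00         # free entry; no used entries follow


def build_entry(base, ext, attr, first_cluster, size, deleted=False):
    """Constructed entry for the demo (not read from a real volume)."""
    raw = f"{base:<8.8}{ext:<3.3}".encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARK]) + raw[1:]
    return ENTRY.pack(raw, attr, 0, 0, 0, 0, 0,
                      first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_directory(blob):
    """Walk a directory cluster and return live and deleted short entries."""
    entries = []
    for off in range(0, len(blob) - 31, 32):
        raw, attr, _, _, _, _, _, hi, _, _, lo, size = ENTRY.unpack_from(blob, off)
        if raw[0] == FREE_MARK:
            break                     # end of used entries
        if attr == ATTR_LFN:
            continue                  # skip LFN pieces; the 8.3 entry follows them
        deleted = raw[0] == DELETED_MARK
        base = raw[:8].decode("ascii", "replace").rstrip()
        if deleted:
            # the first character was overwritten by 0xE5 and cannot be recovered from the entry;
            # the LFN entries (if still present) or file content are where the full name comes from
            base = "?" + raw[1:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "directory": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return entries


def deleted_files(blob):
    """Entries a recovery tool would offer to undelete: marked 0xE5, not directories."""
    return [e for e in parse_directory(blob) if e["deleted"] and not e["directory"]]


# Constructed directory: one live file, one deleted file, then free space
SAMPLE_DIR = (
    build_entry("REPORT", "DOC", 0x20, first_cluster=5, size=1234)
    + build_entry("PLANS", "XLS", 0x20, first_cluster=9, size=4096, deleted=True)
    + bytes(32)
)


if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIR):
        print(entry)
```

With first_cluster and size still intact, recovery is a matter of reading size bytes starting at that cluster, which is only reliable while the file's clusters have not been reallocated and the file was contiguous; the FAT chain itself is zeroed on deletion.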

When conducting computer forensic analysis, you must guard against _________ so that you remain focused on the primary job and ensure that the level of work does not increase beyond what was originally expected. A. hard drive failure B. scope creep C. unauthorized expenses D. overzealous marketing

B

When investigating a potential e-mail crime, what is your first step in the investigation? A. Determine whether a crime was actually committed B. Trace the IP address to its origin C. Recover the evidence D. Write a report

B

When reviewing web logs, you see an entry for resource not found in the HTTP status code field. What is the actual error code that you would see in the log for resource not found? A. 606 B. 404 C. 202 D. 909

B

When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used? A. Passive IDS B. Active IDS C. Progressive IDS D. NIPS

B

Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime? A. bench warrant B. search warrant C. wire tap D. subpoena

B

Which of following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file? A. Sector B. Slack Space C. Metadata D. MFT

B

Why should you note all cable connections for a computer you want to seize as evidence? A. to document the evidence B. to know what cable connections existed C. to know what hardware existed D. to prepare for shutting down the computer

B

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacturer. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO? A. Trade secrets B. the attorney-work-product rule C. Good manners D. ISO 17799

B

You are working as a computer forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm's employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do? A. inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies B. inform the owner that conducting an investigation without a policy is a violation of the employee's expectation of privacy C. inform the owner that conducting an investigation without a policy is a violation of the 4th Amendment D. inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned

B

A network administrator, with over 10 years of experience in Cisco systems, is trying to see if any TCP or UDP ports have unusual listeners. What command is she using? A. netstat -tu B. net tcp/udp_use C. netstat -na D. net tcp_udp

C
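Running `netstat -na` is the easy part; the useful work is comparing what is listening against what the host is supposed to expose. The following added example (not from the question set) parses a constructed sample of Windows `netstat -na` output and reports every listening TCP port and bound UDP port that is absent from an assumed baseline. The sample output, the addresses and the baseline set are all made up for the demo.

```python
# Constructed sample of "netstat -na" output from a Windows host (not a real capture)
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Ports the host is expected to expose (assumed baseline for this example)
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 161)}


def split_endpoint(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:3389' -> ('[::]', 3389); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue   # header, blank line, or a row we do not understand
        proto = parts[0]
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state column
        entries.append({"proto": proto, "local_host": lhost, "local_port": lport,
                        "foreign_host": fhost, "foreign_port": fport, "state": state})
    return entries


def listeners(entries):
    """TCP sockets in LISTENING plus every bound UDP socket."""
    return [e for e in entries
            if (e["proto"] == "TCP" and e["state"] == "LISTENING") or e["proto"] == "UDP"]


def unexpected_listeners(entries, baseline):
    """(proto, port) pairs that are listening but not in the baseline, sorted for stable output."""
    return sorted({(e["proto"], e["local_port"]) for e in listeners(entries)} - baseline)


if __name__ == "__main__":
    print(unexpected_listeners(parse_netstat(NETSTAT_SAMPLE), BASELINE))
```

On a live host, run `netstat -nao` instead so each socket carries the owning PID, then tie the unexpected ports to a process with `tasklist`; a listener with no matching process entry is itself a finding.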

A(n) _____________________ is one that's performed by a computer program rather than the attacker manually performing the steps in the attack sequence. A. central processing attack B. blackout attack C. automated attack D. distributed attack

C

Before you are called to testify as an expert, what must an attorney do first? A. read your curriculum vitae to the jury B. engage in damage control C. qualify you as an expert witness D. prove that the tools you used to conduct your examination are perfect

C

In conducting a computer abuse investigation you become aware that the suspect of the investigation is using ABC Company as his Internet Service Provider (ISP). You contact the ISP and request that they provide you assistance with your investigation. What assistance can the ISP provide? A. the ISP cannot conduct any type of investigations on anyone and therefore cannot assist you B. ISPs never maintain log files so they would be of no use to your investigation C. the ISP can investigate computer abuse committed by their employees, but must preserve the privacy of their customers and therefore cannot assist you without a warrant D. the ISP can investigate anyone using their service and can provide you with assistance

C

Jason is the security administrator of ACMA metal Corporation. One day he notices that the company's Oracle database server has been compromised and the customer information along with financial data has been stolen. The financial loss will be in millions of dollars if the database gets into the hands of the competitors. Jason wants to report this crime to the law enforcement agencies immediately. Which organization coordinates computer crimes investigations throughout the United States? A. CERT Coordination Center B. Internet Fraud Complaint Center C. National Infrastructure Protection Center D. Local or national office of the U.S. Secret Service

C

Lance wants to place a honeypot on his network. Which of the following would be your recommendations? A. It doesn't matter as all replies are faked B. Use a system that has dynamic addressing on the network C. Use it on a system in an external DMZ in front of the firewall D. Use a system that is not directly interacting with the router

C

Sally needs a tool that can support large hard disks. What should she use? A. Active@ File Recovery B. Recuva C. EaseUS D. Undelete Plus

C

Sara is investigating an incident and needs to display information about all logged-in sessions on a local Windows computer. Which command should she use? A. net use B. net view C. net session D. net log

C

Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company's network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here? A. Send DOS commands to crash the DNS servers B. Perform DNS poisoning C. Perform a zone transfer D. Enumerate all the users in the domain

C

The insider threat caused a lot of chaos. Sally, the digital forensic investigator, needs a tool that can repair and recover disk bad sectors. Which tool should she use? A. jv16 B. SysAnalyzer C. Quick Recovery D. Total Recall

C

This tool can recover files from a scratched CD (choose the best answer): A. Total Recall B. Data Recovery Pro C. File Salvage D. DiskDigger

C

This tool offers an "Advanced Deep Scan" mode that scours a drive to find any traces of files that have been deleted. A. Active@ File Recovery B. EaseUS C. Recuva D. OnTrack Easy Recovery

C

This tool offers the ability to "preview data on the fly" and allows you to recover data even if Windows has been reinstalled. A. Recuva B. EaseUS C. Recover My Files D. OnTrack Easy Recovery

C

What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer? A. key escrow B. rootkit C. steganography D. offset

C
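The definition above is abstract; the simplest concrete instance is least-significant-bit embedding, where each bit of the hidden message replaces the low bit of one sample in a cover file, changing no sample by more than one unit. The following added example (not from the question set) implements that embed/extract pair with a length prefix so the extractor knows where the message ends. The "image" is a constructed array of 8-bit samples rather than a real picture format, an assumption made so the example runs without image libraries.

```python
HEADER_BYTES = 4   # big-endian length prefix so the extractor knows where the payload ends


def _bits(data):
    """Yield the bits of a byte string, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, payload):
    """Write the framed payload into the least significant bit of successive cover bytes."""
    framed = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(framed) * 8, len(cover)))
    out = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit      # clear the low bit, then set it to the message bit
    return bytes(out)


def _read(stego, byte_offset, count):
    """Reassemble `count` bytes from the LSBs, starting at framed-byte index `byte_offset`."""
    vals = bytearray()
    for k in range(count):
        v = 0
        for i in range(8):
            v = (v << 1) | (stego[(byte_offset + k) * 8 + i] & 1)
        vals.append(v)
    return bytes(vals)


def extract(stego):
    length = int.from_bytes(_read(stego, 0, HEADER_BYTES), "big")
    return _read(stego, HEADER_BYTES, length)


def max_sample_change(cover, stego):
    """Largest per-sample difference; LSB embedding moves each sample by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed "image": raw 8-bit samples, no real picture format (assumption for the demo)
COVER = bytes((i * 37) % 256 for i in range(2048))
MESSAGE = b"wire transfer at 14:00"


def demo():
    stego = embed(COVER, MESSAGE)
    return extract(stego), max_sample_change(COVER, stego)


if __name__ == "__main__":
    recovered, delta = demo()
    print(recovered, "max sample change:", delta)
```

Note what this does and does not provide: the message is hidden from a casual viewer, but it is not encrypted, so anyone who suspects LSB embedding and knows the framing reads it straight out. In practice the payload is encrypted before embedding, and detection relies on statistics of the LSB plane (a flattened distribution of LSB values is the classic tell) rather than on spotting the message directly.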

When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk? A. a protocol analyzer B. a disk editor C. a write-blocker D. a firewall

C

With regard to using an antivirus scanner during a computer forensics investigation, you should: A. scan your forensics workstation at intervals of no more than once every five minutes during an investigation B. scan the suspect hard drive before beginning an investigation C. scan your forensics workstation before beginning an investigation D. never run a scan on your forensics workstation because it could change your system

C

You are assisting in the investigation of a possible Web Server hack. The company who called you stated that customers reported to them that whenever they entered the web address of the company in their browser, what they received was a pornographic web site. The company checked the web server and nothing appears wrong. When you type in the IP address of the web site in your browser everything appears normal. What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those servers directing users to the wrong web site? A. IP Spoofing B. ARP Poisoning C. DNS Poisoning D. HTTP redirect attack

C

You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case? A. All forms should be placed in the report file because they are now primary evidence in the case. B. The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file. C. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container. D. All forms should be placed in an approved secure container because they are now primary evidence in the case.

C

A state department site was recently attacked and all the servers had their hard disks erased. The incident response team sealed the area and commenced investigation. During evidence collection, they came across a zip disk that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they short listed possible suspects including three summer interns. Where did the incident team go wrong? A. They examined the actual evidence on an unrelated system B. They called in the FBI without correlating with the fingerprint data C. They attempted to implicate personnel without proof D. They tampered with the evidence by using it

D

A(n) _____________________ is one that's performed by a computer program rather than the attacker manually performing the steps in the attack sequence. A. distributed attack B. blackout attack C. central processing attack D. automated attack

D

An expert witness may give an opinion if: A. to stimulate discussion between the consulting expert and the expert witness B. to define the issues of the case for determination by the finder of fact C. to deter the witness from expanding the scope of his or her investigation beyond the requirements of the case D. the opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the ordinary experience of lay jurors

D

During the course of a corporate investigation, you find that an employee is committing a crime. Can the employer file a criminal complaint with the police? A. no, because the investigation was conducted without following standard police procedures B. no, because the investigation was conducted without a warrant C. yes, but only if you turn the evidence over to a federal law enforcement agency D. yes, and all evidence can be turned over to the police

D

How many characters long is the fixed-length MD5 algorithm checksum of a critical system file? A. 48 B. 64 C. 16 D. 32

D
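The two questions above (re-hashing evidence against the intake hash, and the 32-character MD5 digest) come together in one routine: hash the image when it enters the lab, record the digest with the custody form, and re-hash before analysis and before court. The following added example (not from the question set) does that for a constructed image file, streams the file so multi-gigabyte images do not need to fit in memory, and then flips one bit to show that every digest changes. MD5 is included because it is what the question expects; since MD5 collisions are practical, current practice records a SHA-256 digest alongside it, and the example does both. The file name and contents are assumptions made for the demo.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithm="md5", chunk_size=1 << 20):
    """Stream the file through the digest so large images do not need to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def intake_record(path, algorithms=("md5", "sha256")):
    """Digests taken when the evidence enters the lab; stored with the custody form."""
    return {alg: hash_file(path, alg) for alg in algorithms}


def verify(path, record):
    """Re-hash and compare against the intake record, algorithm by algorithm."""
    return {alg: hash_file(path, alg) == digest for alg, digest in record.items()}


def demo():
    """Constructed image file; one bit is flipped to show that every digest changes."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.dd")
        with open(image, "wb") as fh:
            fh.write(b"constructed sample disk image\n" * 4096)
        record = intake_record(image)
        before = verify(image, record)
        with open(image, "r+b") as fh:     # simulate a single-bit alteration
            fh.seek(1000)
            original = fh.read(1)[0]
            fh.seek(1000)
            fh.write(bytes([original ^ 0x01]))
        after = verify(image, record)
        # hexdigest lengths: MD5 is 128 bits = 32 hex characters, SHA-256 is 256 bits = 64
        return len(record["md5"]), len(record["sha256"]), before, after


if __name__ == "__main__":
    print(demo())
```

The comparison only proves anything if the intake digest was recorded somewhere the examiner could not later alter (the signed custody form, a write-once log); a hash computed today and compared against a hash computed today shows nothing.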

In general, _________________ involves the investigation of data that can be retrieved from the hard disk or other disks of a computer by applying scientific methods to retrieve the data. A. data recovery B. network forensics C. disaster recovery D. computer forensics

D

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case? A. evidence in a civil case must be secured more tightly than in a criminal case B. evidence in a criminal case must be secured more tightly than in a civil case C. evidence procedures are not important unless you work for a law enforcement agency D. evidence must be handled in the same way regardless of the type of case

D

Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool? A. Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file B. A disk imaging tool would check for CRC32s for internal self checking and validation and have MD5 checksum C. There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector D. A simple DOS copy will not include deleted files, file slack and other information

D

One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example, changing a .jpg extension to a .doc extension so that a picture file appears to be a document. What can an investigator examine to verify that a file has the correct extension? A. the File Allocation Table B. the sector map C. the file footer D. the file header

D
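Checking the header against the extension is exactly what an investigator (or a tool such as `file`) does, and it is also why the earlier question notes that Windows itself only looks at the extension. The following added example (not from the question set) carries a small table of header signatures, a few trailer signatures for completeness checks, and an extension-to-type map, then flags files whose declared extension disagrees with what the first bytes say. The signature table, the alias map and the three sample files are constructed for the demo and cover only a handful of common types.

```python
# Header (and, where useful, trailer) signatures; a few common types, assumed for the example
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF8", None),
    "bmp": (b"BM", None),
    "pdf": (b"%PDF-", None),
    "ole": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None),   # legacy .doc/.xls/.ppt container
    "zip": (b"PK\x03\x04", None),                         # also .docx/.xlsx/.pptx/.jar
}

# Extensions that legitimately map onto one of the container types above
EXT_ALIASES = {
    "jpeg": "jpg", "doc": "ole", "xls": "ole", "ppt": "ole",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
}


def identify(data):
    """Return the signature names whose header matches; empty list if none."""
    return [name for name, (head, _) in SIGNATURES.items() if data.startswith(head)]


def trailer_ok(data, kind):
    """True if the type defines no trailer or the data ends with it
    (a mismatch can mean truncation, or data appended after the real end)."""
    tail = SIGNATURES[kind][1]
    return tail is None or data.endswith(tail)


def check_extension(filename, data):
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_ALIASES.get(ext, ext)
    detected = identify(data)
    return {
        "file": filename,
        "declared": declared,
        "detected": detected,
        # only flag when we positively identified something that disagrees;
        # an unknown header is reported as detected == [] for a human to look at
        "mismatch": bool(detected) and declared not in detected,
        "trailer_ok": all(trailer_ok(data, k) for k in detected),
    }


# Constructed samples: a JPEG renamed to .doc, a plausible .docx, and a plain-text .nfo
SAMPLES = {
    "Picture3.doc": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(32) + b"\xff\xd9",
    "Quarterly.docx": b"PK\x03\x04" + bytes(64),
    "Picture3.nfo": b"just a text file, no magic header\n",
}


def scan(samples=SAMPLES):
    return [check_extension(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in scan():
        print(result)
```

Two caveats a practitioner will want: a ZIP header identifies the container, not whether it is a Word document, a JAR or an archive, so the alias map deliberately treats those as one type; and a matching header says nothing about what follows it, which is why the trailer check is there and why a full carve of the file is still needed before trusting the content.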

Sally is an investigator working for Diamond Corp. She needs to restore lost emails and their attachments. Which tool should she use (choose the best answer)? A. File Salvage B. Data Rescue 4 C. DiskDigger D. Data Recovery Pro

D

Tanisha wants to recover files with their original file name. She should use which of the following tools to accomplish this (choose the best answer)? A. Data Rescue 4 B. Total Recall C. Quick Recovery D. Stellar Phoenix

D

The nbtstat command can be used for (choose the best answer): A. malware execution B. NBT servers C. Linux servers D. NetBIOS

D

This tool can scan and recover encrypted and password-protected files. A. Pandora Recovery B. DiskDigger C. R-Studio D. Quick Recovery

D

This tool offers a secure overwrite feature that meets military standards. A. EaseUS B. Recover My Files C. Data Rescue 4 D. Recuva

D

This tool recovers data and also protects it. A. Undelete Plus B. Advanced Disk Recovery C. EaseUS D. OnTrack Easy Recovery

D

This tool supports RAW recovery on lost volumes. A. DiskDigger B. Quick Recovery C. Capsa D. Stellar Phoenix

D

When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the: A. Case files B. BIOS C. MSDOS.SYS D. Recycle Bin

D

Which of the following is NOT a graphics file? A. Picture2.bmp B. Picture1.tga C. Picture4.psd D. Picture3.nfo

D

William needs a tool that can allow him to specify a specific file type for precise search results. What tool is this? A. Undelete Plus B. File Salvage C. R-Studio D. EaseUS

D

You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case? A. The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file. B. All forms should be placed in the report file because they are now primary evidence in the case. C. All forms should be placed in an approved secure container because they are now primary evidence in the case. D. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.

D

You are working for a large clothing manufacturer as a computer forensics investigator and are called in to investigate an unusual case of an employee possibly stealing clothing designs from the company and selling them under a different brand name for a different company. What you discover during the course of the investigation is that the clothing designs are actually original products of the employee and the company has no policy against an employee selling his own designs on his own time. The only thing that you can find that the employee is doing wrong is that his clothing design incorporates the same graphic symbol as that of the company with only the wording in the graphic being different. What area of the law is the employee violating? A. trademark law B. patent law C. IP Law D. copyright law

D

You have used a newly released forensic investigation tool, which doesn't meet the Daubert Test, during a case. The case has ended up in court. What argument could the defense make to weaken your case? A. You are not certified for using the tool B. Only the local law enforcement should use the tool C. The tool hasn't been tested by the International Standards Organization (ISO) D. The tool has not been reviewed and accepted by your peers

D
