CHFIv9

Annie is searching for certain deleted files on a system running Windows XP OS. Where will she find the files if they were not completely deleted from the system?

C: \$Recycle.Bin

During an investigation, an employee was found to have deleted harassing emails that were sent to someone else. The company was using Microsoft Exchange and had message tracking enabled. Where could the investigator search to find the message tracking log file on the Exchange server?

C:\Program Files\Exchsrvr\servername.log

Which U.S. law sets the rules for sending emails for commercial purposes, establishes the minimum requirements for commercial messaging, gives the recipients of emails the right to ask the senders to stop emailing them, and spells out the penalties in case the above said rules are violated?

CAN-SPAM Act

Frank is working on a vulnerability assessment for a company on the West coast. The company hired Frank to assess its network security through scanning, pen tests, and vulnerability assessments. After discovering numerous known vulnerabilities detected by a temporary IDS he set up, he notices a number of items that show up as unknown but Questionable in the logs. He looks up the behavior on the Internet, but cannot find anything related. What organization should Frank submit the log to find out if it is a new vulnerability or not?

CVE

Which of the following tool can the investigator use to analyze the network to detect Trojan activities?

Capsa

Your company uses Cisco routers exclusively throughout the network. After securing the routers to the best of your knowledge, an outside security firm is brought in to assess the network security.Although they found very few issues, they were able to enumerate the model, OS version, and capabilities for all your Cisco routers with very little effort. Which feature will you disable to eliminate the ability to enumerate this information on your Cisco routers?

Cisco Discovery Protocol

Cisco Discovery Protocol

Cisco Discovery Protocol (formerly known as CDP) is a Layer 2, media-independent, and network-independent protocol that runs on Cisco devices and enables networking applications to learn about directly connected devices nearby. This protocol facilitates the management of Cisco devices by discovering these devices, determining how they are configured, and allowing systems using different network-layer protocols to learn about each other.

Which of the following is a MAC-based File Recovery Tool?

Cisdem DataRecovery 3

How will you categorize a cybercrime that took place within a CSP's cloud environment?

Cloud as an Object

In Microsoft file structures, sectors are grouped together to form:

Clusters

____________________ is simply the application of Computer Investigation and analysis techniques in the interests of determining potential legal evidence.

Computer Forensics

How often must a company keep log files for them to be admissible in a court of law?

Continuously

NAT compatible IPSec with UDP

Conventional NAT breaks VPN. Network address translation (NAT) allows you to hide your unregistered private IP addresses behind a set of registered IP addresses. This helps to protect your internal network from outside networks. NAT also helps to alleviate the IP address depletion problem, since many private addresses can be represented by a small set of registered addresses. Unfortunately, conventional NAT does not work on IPSec packets because when the packet goes through a NAT device, the source address in the packet changes, thereby invalidating the packet. When this happens, the receiving end of the VPN connection discards the packet and the VPN connection negotiations fail.

Which of the following are small pieces of data sent from a website and stored on the user's computer by the user's web browser to track, validate, and maintain specific user information?

Cookies

Which layer of iOS architecture should a forensics investigator evaluate to analyze services such as Threading, File Access, Preferences, Networking and high-level features?

Core OS

What does 254 represent in ICCID 89254021520014515744?

Country Code

Gary, a computer technician, is facing allegations of abusing children online by befriending them and sending them illicit adult images from his office computer. What type of investigation does this case require?

Criminal Investigation

logonsessions.exe

Currently active logon sessions

Which network attack is described by the following statement?"At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in30 countries."

DDoS

You are assisting in the investigation of a possible Web Server Hack. The company who called you stated that customers reported to them that whenever they entered the web address of the company in their browser, what they received was a porno graphic web site. The company checked the web server and nothing appears wrong.When you type in the IP address of the web site in your browser everything appears normal. What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those servers directing users to the wrong web site?

DNS Poisoning

Software firewalls work at which layer of the OSI model?

Data Link

Data Files contain Multiple Data Pages, which are further divided into Page Header, Data Rows, and Offset Table. Which of the following is true for Data Rows?

Data Rows present Page type. Page ID, and so on

Which of the following standard represents a legal precedent sent in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses' testimony during federal legal proceedings?

Daubert

Which of the following tools will help the investigator to analyze web server logs?

Deep Log Analyzer

Select the tool appropriate for finding the dynamically linked lists of an application or malware.

Dependency Walker

Select the tool appropriate for examining the dynamically linked libraries of an application or malware.

DependencyWalker

What does the 63.78.199.4(161) denotes in a Cisco router log? Mar 14 22:57:53.425 EST: %SEC-6-IPACCESSLOGP: list internet-inbound denied udp 66.56.16.77(1029) -> 63.78.199.4(161), 1 packet

Destination IP address

Which of the following information is displayed when Netstat is used with -ano switch

Details of TCP and UDP connections

Gill is a computer forensics investigator who has been called upon to examine a seized computer. This computer, according to the police, was used by a hacker who gained access to numerous banking institutions to steal customer information. After preliminary investigations, Gill finds in the computer's log files that the hacker was able to gain access to these banks through the use of Trojan horses. The hacker then used these Trojan horses to obtain remote access to the companies' domain controllers. From this point, Gill found that the hacker pulled off the SAM files from the domain controllers to then attempt and crack network passwords. What is the most likely password cracking technique used by this hacker to break the user passwords from the SAM files?

Dictionary attack

Directory traversal

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

The efforts to obtain information before a trail by demanding documents, depositions, questioned and answers written under oath, written requests for admissions of fact and examination of the scene is a description of what legal term?

Discovery

Which of the following tool enables data acquisition and duplication?

DriveSpy

FTP Put File

During run time, the FTP Put File activity takes data from variables of the orchestration, places the data into a file, and connects to an FTP Server and places the file in the specified directory location. activity transfers a file from the Integration Appliance to an FTP server and the transfer of the file is interrupted because the Integration Appliance is rebooted, it is not guaranteed that the entire file is transferred.

Which of the following data structures stores attributes of a process, as well as pointers to other attributes and data structures?

EProcess

Where should the investigator look for the Edge browser's browsing records, including history, cache, and cookies?

ESE Database

You are a computer forensics investigator working with local police department and you are called to assist in an investigation of threatening emails. The complainant has printer out 27 email messages from the suspect and gives the printouts to you. You inform her that you will need to examine her computer because you need access to the _________________________ in order to track the emails back to the suspect.

Email Header

Adam, a forensic analyst, is preparing VMs for analyzing a malware. Which of the following is NOT a best practice?

Enabling shared folders

What technique used by Encase makes it virtually impossible to tamper with evidence once it has been acquired?

Every byte of the file(s) is verified using 32-bit CRC

exculpatory evidence

Evidence, such as a statement, tending to excuse, justify, or absolve the alleged fault or guilt of a defendant

exculpatory evidence

Evidence, such as a statement, tending to excuse, justify, or absolve the alleged fault or guilt of a defendant.

During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding process. Therefore, you report this evidence. This type of evidence is known as:

Exculpatory evidence

James is dealing with a case regarding a cybercrime that has taken place in Arizona, USA.James needs to lawfully seize the evidence from an electronic device without affecting the user's anonymity. Which of the following law should he comply with, before retrieving the evidence?

Fifth Amendment of the U.S. Constitution

This is original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.

File Allocation Table (FAT)

Firewalk

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway hostdoes not allow the traffic, it will likely drop the packets on the floor and we will see no response.Firewalk attempts to determine which protocols a router or firewall will block and which they will pass on to downstream hosts. It operates on an IP expiry technique, much like the commonly used Traceroute program. The IP expiry technique involves manipulating the time to live (TTL) field of the IP header to map out all intermediate routers or hops between a scanning host and the target host. In Firewalk, scans are then sent with a TTL value one hop higher than that of the target host. If the scan packets are blocked by an ACL or firewall, they are dropped or rejected. If allowed to pass through, they will expire and elicit an ICMP time exceeded message. Based upon the results of the scans, Firewalk can identify which ports are open.

John is using Firewalk to test the security of his Cisco PIX firewall. He is also utilizing a sniffer located on a subnet that resides deep inside his network. After analyzing the sniffer log files, he does not see any of the traffic produced by Firewalk. Why is that?

Firewalk sets all packets with a TTL of one

What type of attack sends spoofed UDP packets (instead of ping packets) with a fake source address to the IP broadcast address of a large network?

Fraggle

18 U.S.C. 1029

Fraud and related activity in connection with access devices. knowingly and with intent to defraud produces, uses, or traffics in one or more counterfeit access devices; https://www.law.cornell.edu/uscode/text/18/1029#tab_default_2

Which of the following standard represents a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases

Frye

Which of the following is a federal law enacted in the US to control the ways that financial institutions deal with the private information of individuals?

GLBA

A packet is sent to a router that does not have the packet destination address in its route table.How will the packet get to its proper destination?

Gateway of last resort

Which of the following is NOT a part of pre-investigation phase?

Gathering evidence data

Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?

Globally unique ID

Heather, a computer forensics investigator, is assisting a group of investigators working on a large computer fraud case involving over 20 people. These 20 people, working in different offices, allegedly siphoned off money from many different client accounts. Heather responsibility is to find out how the accused people communicated between each other. She has searched their email and their computers and has not found any useful evidence. Heather then finds some possibly useful evidence under the desk of one of the accused.In an envelope she finds a piece of plastic with numerous holes cut out of it. Heather then finds the same exact piece of plastic with holes at many of the other accused peoples desks. Heather believes that the 20 people involved in the case were using a cipher to send secret messages in between each other. What type of cipher was used by the accused in this case?

Grill cipher

Which part of the Windows Registry contains the user's password file?

HKEY_LOCAL_MACHINE

Hackers can gain access to Windows Registry and manipulate user passwords, DNS settings, access rights or others features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:

HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run

Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?

HTTP protocol does not maintain session

Smith, as a part his forensic investigation assignment, seized a mobile device. He was asked to recover the Subscriber Identity Module (SIM card) data in the mobile device. Smith found that the SIM was protected by a Personal Identification Number (PIN) code, but he was also aware that people generally leave the PIN numbers to the defaults or use easily guessable numbers such as 1234. He made three unsuccessful attempts, which blocked the SIM card. What can Jason do in this scenario to reset the PIN and access SIM data?

He should contact the network operator for Personal Unlock Number (PUK)

John is working as a computer forensics investigator for a consulting firm in Canada. He is called to seize a computer at a local web caf purportedly used as a botnet server. John thoroughly scans the computer and finds nothing that would lead him to think the computer was a botnet server. John decides to scan the virtual memory of the computer to possibly find something he had missed. What information will the virtual memory scan produce?

Hidden running processes

Which of the following ISO standard defines file systems and protocol for exchanging data between optical disks?

ISO 9660

What stage of the incident handling process involves reporting events?

Identification

When is it appropriate to use computer forensics?

If copyright and intellectual property theft/misuse has occurred

During an investigation, Noel found the following SIM card from the suspect's mobile. What does the code 8944 represent?

Industry Identifier and Country code

18 U.S. Code § 2511

Interception and disclosure of wire, oral, or electronic communications prohibited

Jason discovered a file named $RIYG6VR.doc in the C:\$Recycle.Bin\<USER SID>\ while analyzing a hard disk image for the deleted dat a. What inferences can he make from the file name?

It is a deleted doc file

Cloud as a subject

It refers to a crime in which the attackers try to compromise the security of a cloud environment to steal data or inject a malware

If a PDA is seized in an investigation while the device is turned on, what would be the proper procedure?

Keep the device powered on

Before performing a logical or physical search of a drive in Encase, what must be added to the program?

Keywords

You just passed your ECSA exam and are about to start your first consulting job running security audits for a financial institution in Los Angeles. The IT manager of the company you will be working for tries to see if you remember your ECSA class. He asks about the methodology you will be using to test the company's network. How would you answer?

LPT Methodology

You work as a penetration tester for Hammond Security Consultants. You are currently working on a contract for the state government of California. Your next step is to initiate a DoS attack on their network. Why would you want to initiate a DoS attack on a system you are testing?

List weak points on their network

In Windows Security Event Log, what does an event id of 530 imply?

Logon Failure - Account logon time restriction violation

When operating systems mark a cluster as used but not allocated, the cluster is considered as _________

Lost

Which of the following Perl scripts will help an investigator to access the executable image of a process?

Lspi.pl

What binary coding is used most often for e-mail purposes?

MIME

To preserve digital evidence, an investigator should ____________________.

Make two copies of each evidence item using different imaging tools

You are working as a Computer forensics investigator for a corporation on a computer abuse case. You discover evidence that shows the subject of your investigation is also embezzling money from the company. The company CEO and the corporate legal counsel advise you to contact law enforcement and provide them with the evidence that you have found. The law enforcement officer that responds requests that you put a network sniffer on your network and monitor all traffic to the subject's computer. You inform the officer that you will not be able to comply with that request because doing so would:

Make you an agent of law enforcement

Amber, a black hat hacker, has embedded a malware into a small enticing advertisement and posted it on a popular ad-network that displays across various websites. What is she doing?

Malvertising

When investigating a computer forensics case where Microsoft Exchange and Blackberry Enterprise server are used, where would investigator need to search to find email sent from a Blackberry device?

Microsoft Exchange server

Joshua is analyzing an MSSQL database for finding the attack evidence and other details, where should he look for the database logs?

Model.ldf

Which of the following is a part of a Solid-State Drive

NAND-based flash memory

After passing her CEH exam, Carol wants to ensure that her network is completely secure. She implements a DMZ, stateful firewall, NAT, IPSEC, and a packet filtering firewall. Since all security measures were taken, none of the hosts on her network can reach the Internet. Why is that?

NAT does not work with IPSEC

NTFS has reduced slack space than FAT, thus having lesser potential to hide data in the slack space. This is because:

NTFS has lower cluster size space

George is performing security analysis for Hammond and Sons LLC. He is testing security vulnerabilities of their wireless network. He plans on remaining as "stealthy" as possible during the scan. Why would a scanner like Nessus is not recommended in this situation?

Nessus is too loud

You have been called in to help with an investigation of an alleged network intrusion. After questioning the members of the company IT department, you search through the server log files to find any trace of the intrusion. After that you decide to telnet into one of the company routers to see if there is any evidence to be found. While connected to the router, you see some unusual activity and believe that the attackers are currently connected to that router. You start up an ethereal session to begin capturing traffic on the router that could be used in the investigation. At what layer of the OSI model are you monitoring while watching traffic to and from the router?

Network

The MAC attributes are timestamps that refer to a time at which the file was last modified or last accessed or originally created. Which of the following file systems store MAC attributes in Coordinated Universal Time (UTC) format?

New Technology File System (NTFS)

Who is responsible for the following tasks?

Non-forensics staff

If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

Nothing in particular as these can be operational files

Kimberly is studying to be an IT security analyst at a vocational school in her town. The school offers many different programming as well as networking languages. What networking protocol language should she learn that routers utilize?

OSPF

OSPF

Open Shortest Path First (OSPF) is a routing protocol; It uses a link state routing algorithm and falls into the group of interior gateway protocols, operating within a single autonomous system

ill is the accounting manager for Grummon and Sons LLC in Chicago. On a regular basis, he needs to send PDF documents containing sensitive information through E-mail to his customers.Bill protects the PDF documents with a password and sends them to their intended recipients.Why PDF passwords do not offer maximum protection?

PDF passwords can easily be cracked by software brute force tools

What will the following command accomplish in Linux? fdisk /dev/hda

Partition the hard drive

Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company's network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?

Perform a zone transfer

Lynne receives the following email:Dear [email protected]! We are sorry to inform you that your ID has been temporarily frozen due to incorrect or missing information saved at 2016/11/10 20:40:24 You have 24 hours to fix this problem or risk to be closed permanently!To proceed Please Connect >> My Apple IDThank You The link to My Apple ID shows http://byggarbetsplatsen.se/backup/signon/ What type of attack is this?

Phishing

Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?

Physical

Model.ldf

Physical Properties of model; Primary datamodeldevmodel.mdfAutogrow by 64 MB until the disk is full

Which of the following files DOES NOT use Object Linking and Embedding (OLE) technology to embed and link to other objects?

Portable Document Format

An executive has leaked the company trade secrets through an external drive. What process should the investigation team take if they could retrieve his system?

Postmortem Analysis

What does the acronym POST mean as it relates to a PC?

PowerOn Self Test

Richard is extracting volatile data from a system and uses the command doskey/history. What is he trying to extract?

Previously typed commands

A law enforcement officer may only search for and seize criminal evidence with _______________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists and the evidence of the specific crime exists at the place to be searched.

Probable cause

An investigator has extracted the device descriptor for a 1GB thumb drive that looks like: Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15. What does the "Geek_Squad" part represent?

Product description

What must an attorney do first before you are called to testify as an expert?

Qualify you as an expert witness

Which tool does the investigator use to extract artifacts left by Google Drive on the system?

RAM Capturer

George is a senior security analyst working for a state agency in Florid a. His state's congress just passed a bill mandating every state agency to undergo a security audit annually. After learning what will be required, George needs to implement an IDS as soon as possible before the first audit occurs. The state bill requires that an IDS with a "time-based induction machine" be used.What IDS feature must George implement to meet this requirement?

Real-time anomaly detection

Julia is a senior security analyst for Berber Consulting group. She is currently working on a contract for a small accounting firm in Florid a. They have given her permission to perform social engineering attacks on the company to see if their in-house training did any good. Julia calls the main number for the accounting firm and talks to the receptionist. Julia says that she is an IT technician from the company's main office in Iowa. She states that she needs the receptionist's network username and password to troubleshoot a problem they are having. Julia says that Bill Hammond, the CEO of the company, requested this information. After hearing the name of the CEO, the receptionist gave Julia all the information she asked for. What principal of social engineering did Julia use?

Reciprocation

Bob has encountered a system crash and has lost vital data stored on the hard drive of his Windows computer.He has no cloud storage or backup hard drives. He wants to recover all the data, which includes his personal photos, music, documents, videos, official emails, etc. Which of the following tools shall resolve Bob's purpose?

Recuva

What should you do when approached by a reporter about a case that you are working on or have worked on?

Refer the reporter to the attorney that retained you

Which among the following tools can help a forensic investigator to access the registry files during postmortem analysis

RegRipper

What is the primary function of the tool CHKDSK in Windows that authenticates the file system reliability of a volume?

Repairs logical file system errors

The use of warning banners helps a company avoid litigation by overcoming an employee assumed__________________________. When connecting to the company's intranet, network or Virtual Private Network(VPN) and will allow the company's investigators to monitor, search and retrieve information stored within the network.

Right of Privacy

While looking through the IIS log file of a web server, you find the following entries: What is evident from this log file?

SQL injection is possible

When conducting computer forensic analysis, you must guard against ______________ So that you remain focused on the primary job and insure that the level of work does not increase beyond what was originally expected.

Scope Creep

What must be obtained before an investigation is carried out at a location?

Search warrant

What is the smallest physical storage unit on a hard drive?

Sector

What is kept in the following directory? HKLM\SECURITY\Policy\Secrets

Service account passwords in plain text

The ____________________ refers to handing over the results of private investigations to the authorities because of indications of criminal activity.

Silver-Platter Doctrine

Raw data acquisition format creates _________ of a data set or suspect drive

Simple sequential flat files

Raw data acquisition format creates _________ of a data set or suspect drive.

Simple sequential flat files

Which of the following tool is used to locate IP addresses?

SmartWhois

Brian needs to acquire data from RAID storage. Which of the following acquisition methods is recommended to retrieve only the data relevant to the investigation?

Sparse or Logical Acquisition

Which of the following techniques can be used to beat steganography?

Steganalysis

Shane has started the static analysis of a malware and is using the tool ResourcesExtract to find more details of the malicious program. What part of the analysis is he performing?

Strings search

An expert witness is a __________________ who is normally appointed by a party to assist the formulation and preparation of a party's claim or defense.

Subject matter specialist

What header field in the TCP/IP protocol stack involves the hacker exploit known as the Ping of Death?

TCP header field

Paul's company is in the process of undergoing a complete security audit including logical and physical security testing. After all logical tests were performed; it is now time for the physical round to begin. None of the employees are made aware of this round of testing. The security-auditing firm sends in a technician dressed as an electrician. He waits outside in the lobby for some employees to get to work and follows behind them when they access the restricted areas. After entering the main office, he is able to get into the server room telling the IT manager that there is a problem with the outlets in that room. What type of attack has the technician performed?

Tailgating

Madison is on trial for allegedly breaking into her university's internal network. The police raided her dorm room and seized all of her computer equipment. Madison's lawyer is trying to convince the judge that the seizure was unfounded and baseless. Under which US Amendment is Madison's lawyer trying to prove the police violated?

The 4th Amendment

Which of the following stand true for BIOS Parameter Block?

The BIOS Partition Block describes the physical layout of a data storage volume

You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message?

The E-mail Header

GLBA

The Gramm-Leach-Bliley Act; United States federal law that requires financial institutions to explain how they share and protect their customers' private information

RestrictAnonymous

The RestrictAnonymous registry key controls the level of enumeration granted to an anonymous user. This key can be set to any of the following values: 0 - None. Rely on default permissions 1 - Do not allow enumeration of SAM accounts and names 2 - No access without explicit anonymous permissions (not available on Windows NT 4.

Smurf Attack

The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address

Electronic Storage Device Search Warrant

The U.S. Supreme Court recently eliminated one important exception when it held that a digital device may not be searched incident to arrest. Thus, a search warrant will often be necessary to search a suspect's digital devices.

As a security analyst, you setup a false survey website that will require users to create a username and a strong password. You send the link to all the employees of the company. What information will you be able to gather?

The employees network usernames and passwords

A forensics investigator is searching the hard drive of a computer for files that were recently moved to the Recycle Bin. He searches for files in C:\RECYCLED using a command line tool but does not find anything. What is the reason for this?

The files are hidden and he must use switch to view them

Why would you need to find out the gateway of a device when investigating a wireless attack?

The gateway will be the IP used to manage the access point

Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their various activity. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident?

The logic, formatting and elegance of the code used in the attack

When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.

The lowercase Greek Letter Sigma (s)

You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation.Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?

The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.

net start

The net start command is used to start a network service or list running network services. Use the net statistics command to show the network statistics log for the Server or Workstation service. The net stop command is used to stop a network service.

You have been asked to investigate the possibility of computer fraud in the finance department of a company.It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?

The swap file

Jack Smith is a forensics investigator who works for Mason Computer Investigation Services. He is investigating a computer that was infected by Ramen Virus. He runs the netstat command on the machine to see its current connections. In the following screenshot, what do the 0.0.0.0 IP addresses signify?

Those connections are in listening mode

Restrict Anonymous Users

To restrict anonymous connections from accessing this system information, change the RestrictAnonymous security settings. You can do this through the Security Configuration Manager snap-in (setting is defined in the Local Policies portion of the default security templates), or through a registry editor. You can change the registry setting from 0 to 1 in Microsoft Windows NT 4.0, or from 0 to 1 or 2 in Windows 2000: 0 - None. Rely on default permissions 1 - Do not allow enumeration of Security Accounts Manager (SAM) accounts and names 2 - No access without explicit anonymous permissions (not available on Windows NT 4.0)

When investigating a potential e-mail crime, what is your first step in the investigation?

Trace the IP address to its origin

Which of the following statements is incorrect when preserving digital evidence?

Turn on the computer and extract Windows event viewer log files

What is the capacity of Recycle bin in a system running on Windows Vista?

Unlimited

A picture file is recovered from a computer under investigation. During the investigation process, the file is enlarged 500% to get a better view of its contents. The picture quality is not degraded at all from this process. What kind of picture is this file. What kind of picture is this file?

Vector image

Which of the following does not describe the type of data density on a hard disk?

Volume density

Shane, a forensic specialist, is investigating an ongoing attack on a MySQL database server hosted on a Windows machine with SID "WIN-ABCDE12345F." Which of the following log file will help Shane in tracking all the client connections and activities performed on the database server?

WIN-ABCDE12345F.log

Why should you never power on a computer that you need to acquire digital evidence from?

When the computer boots up, files are written to the computer rendering the data unclean

mployee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the Employees Computer that was protected with the NTFS Encrypted File System (EFS) and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the Employee before he leaves the building and recover the floppy disks and secure his computer. Will you be able to break the encryption so that you can verify that that the employee was in possession of the proprietary information?

When the encrypted file was copied to the floppy disk, it was automatically unencrypted, so you can recover the information.

In the context of file deletion process, which of the following statement holds true?

While booting, the machine may create temporary files that can delete evidence

While analyzing a hard disk, the investigator finds that the file system does not use UEFI-based interface. Which of the following operating systems is present on the hard disk?

Windows 7

Smith, a forensic examiner, was analyzing a hard disk image to find and acquire deleted sensitive files. He stumbled upon a $Recycle.Bin folder in the root directory of the disk. Identify the operating system in use.

Windows XP

EProcess

Windows kernel opaque structures; The EPROCESS structure is an opaque structure that serves as the process object for a process.

Xplico

Xplico is a network forensics analysis tool (NFAT), which is a software that reconstructs the contents of acquisitions performed with a packet sniffer (e.g. Wireshark, tcpdump, Netsniff-ng

The Apache server saves diagnostic information and error messages that it encounters while processing requests. The default path of this file is usr/local/apache/logs/error.log in Linux. Identify the Apache error log from the following logs.

[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /export/home/live/ap/htdocs/test

ISO 9660

a file system for optical disc media. Being sold by the International Organization for Standardization the file system is considered an international technical standard

Capsa

a portable network analyzer application for both LANs and WLANs which performs real-time packet capturing capability

postmortem analysis

a process in which you summarize what went wrong (and should be fixed) in a project, as well as what went well and should be repeated. The analysis also produces action items and who is responsible for each

You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet.What search string will you use to locate them?

allinurl:"exchange/logon.asp"

Silver-Platter Doctrine

allowed evidence that state and local police had unconstitutionally seized to be handed over for use in federal criminal trials, when the police acted independently of federal agents.

32-bit crc

an error-detecting code commonly used in digital networks

postmortem

analysis of logs conducted to investigate an incident that has already happened

real time analysis

conducted to detect and examine an ongoing attack

In a computer that has Dropbox client installed, which of the following files related to the Dropbox client store information about local Dropbox installation and the Dropbox user account, along with email IDs linked with the account?

config.db

The given image displays information about date and time of installation of the OS along with service packs, patches, and sub-directories. What command or tool did the investigator use to view this output?

dir /o:d

Which of the following options will help users to enable or disable the last access time on a system running Windows 10 OS?

fsutil

fsutil

fsutil objectid, Manages object identifiers, which are used by the Windows operating system to track objects such as files and directories.

You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents. Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer?

grep

Grille cipher

grille cipher was a technique for encrypting a plaintext by writing it onto a sheet of paper through a pierced sheet

grille cipher

grille cipher was a technique for encrypting a plaintext by writing it onto a sheet of paper through a pierced sheet

.ibl

holds all the data necessary for browsing the collection and performing the lighting setup in a 3d application. It's the . ibl file, that smartens up a set of images, and turns them into a clearly defined lighting situation.

To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can only reach the bank web site 10.20.20.1 using https. Which of the following firewall rules meets this requirement

if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then permit

Lspi.pl

is a Perl script that takes the same arguments as lspd.pl and lspm.pl and locates the beginning of the executable image for that process.

dir /o:d

list directory /o:d (sort order with :d by date/time, oldest first

You are assigned to work in the computer forensics lab of a state police agency. While working on a high profile criminal case, you have followed every applicable procedure, however your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab?

make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab

dir /o[[:]

n - Alphabetically by name e - Alphabetically by extension g - Group directories first s - By size, smallest first d - By date/time, oldest first Use the - prefix to reverse the sort order

Bayesian Correlation

one alternative for estimating correlation coefficients in which knowledge from previous studies is incorporated to improve estimation. The purpose of this paper is to illustrate the utility of the Bayesian approach for estimating correlations using prior knowledge

An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet.

optical

fdisk /dev/hda

partition disk HDD

LPT Methodology

proprietary EC-Council penetration testing methodologies. Write exploit codes to gain access to a vulnerable system or application. Exploit vulnerabilities in Operating systems such as Windows, Linux. Perform privilege escalation to gain root access to a system.

Which of the following should a computer forensics lab used for investigations have?

restricted access

Tasklist command displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer. Which of the following tasklist commands provides information about the listed processes, including the image name, PID, name, and number of the session for the process?

tasklist /v

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacture. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO?

the attorney-work-product rule

Strings search

the combination of all text, numbers and symbols entered by a user into a search engine to find desired result

Corporate investigations are typically easier than public investigations because:

the investigator does not have to get a warrant

When examining the log files from a Windows IIS Web Server, how often is a new log file created?

the same log is used at all times

Dynamic analysis

the testing and evaluation of a program by executing data in real-time. The objective is to find errors in a program while it is running, rather than by repeatedly examining the code offline.

Cloud as an object

when the attacker uses the cloud to commit a crime targeted towards the CSP

Which of the following information is displayed when Netstat is used with -ano switch?

. Details of TCP and UDP connections

What is the location of the binary files required for the functioning of the OS in a Linux system?

/bin

A Linux system is undergoing investigation. In which directory should the investigators look for its current state data if the system is in powered on state?

/proc

With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________.

0

You setup SNMP in multiple offices of your company. Your SNMP software manager is not receiving data from other offices like it is for your main office. You suspect that firewall changes are to blame. What ports should you open for SNMP to work through Firewalls? (Choose two.)

161, 162

Which federal computer crime law specifically refers to fraud and related activity in connection with access devices like routers?

18 U.S.C. 1029

You are working in the security Department of law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken and that fake email is possibility and that you can prove it. You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the company SMTP server?

25

You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics lab. How many law-enforcement computer investigators should you request to staff the lab?

4

When reviewing web logs, you see an entry for resource not found in the HTTP status code field.What is the actual error code that you would see in the log for resource not found?

404

A master boot record (MBR) is the first sector ("sector zero") of a data storage device. What is the size of MBR?

512 Bytes

0.0.0.0 address

A 0.0. 0.0 address indicates the client isn't connected to a TCP/IP network, and a device may give itself a 0.0. 0.0 address when it is offline.

Fraggle Attack

A DDoS attack type on a computer that floods the target system with a large amount of UDP echo traffic to IP broadcast addresses.

Gateway of last resort

A Gateway of Last Resort or Default gateway is a route used by the router when no other known route exists to transmit the IP packet. Known routes are present in the routing table. Hence, any route not known by the routing table is forwarded to the default route.

Analyze the hex representation of mysql-bin.000013 file in the screenshot below. Which of the following will be an inference from this analysis?

A WordPress user has been created with the username bad_guy

Which of the following setups should a tester choose to analyze malware behavior?

A virtual system with network simulation for internet connection

axfr and ixfr commands

AXFR zone-transfer request from a secondary server is as simple as using the following dig commands, where zonetransfer.me is the domain that we want to initiate a zone transfer for. First, we need to get the list of DNS servers for the domain:

When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

Active IDS

adjacent memory locations

Always, contiguous(adjacent) memory locations are used to store structure members in memory.

PEiD

An application that is used to detect such packed or encrypted malware

Application-level proxy firewall

An application-proxy firewall is a server program that understands the type of information being transmitted—for example, HTTP or FTP. It functions at a higher level in the protocol stack than do packet-filtering firewalls, thus providing more opportunities for the monitoring and control of accessibility.

Harold wants to set up a firewall on his network but is not sure which one would be the most appropriate. He knows he needs to allow FTP traffic to one of the servers on his network, but he wants to only allow FTP-PUT. Which firewall would be most appropriate for Harold? needs?

Application-level proxy firewall

attorney-work-product rule

Attorney work product privilege permits attorneys to withhold from production documents and other tangible things prepared in anticipation of litigation by or for another party or its representative.

Which of the following Event Correlation Approach is an advanced correlation method that assumes and predicts what an attacker can do next after the attack by studying the statistics and probability and uses only two variables?

Bayesian Correlation

You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a "simple backup copy" of the hard drive in the PC and put it on this drive and requests that you examine that drive for evidence of the suspected images. You inform him that a "simple backup copy" will not provide deleted files or recover file fragments.What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceeding

Bit-stream Copy

You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a "simple backup copy" of the hard drive in the PC and put it on this drive and requests that you examine that drive for evidence of the suspected images. You inform him that a "simple backup copy" will not provide deleted files or recover file fragments.What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceeding?

Bit-stream Copy

If you plan to startup a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive.

Boot.sys

Linux operating system has two types of typical bootloaders namely LILO (Linux Loader) and GRUB (Grand Unified Bootloader). In which stage of the booting process do the bootloaders become active?

Bootloader Stage

While working for a prosecutor, what do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense?

Bring the information to the attention of the prosecutor, his or her supervisor or finally to the judge

Which password cracking technique uses every possible combination of character sets?

Brute force attack