EC Council DFE Practice

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Which of the following is a library and collection of command-line tools that assist in the investigation of disk images?

The Sleuth Kit

Which of the following NTFS system files contains definitions of all system- and user-defined attributes of the volume?

$attrdef

Identify the numeric code that indicates the error condition message in Cisco IOS router logs.

3

Identify the smallest physical storage unit on a hard disk drive that normally stores 512 bytes of data for HDDs and 2048 bytes for CD-ROMs and DVD-ROMs.

Sector

Joselyn, a forensic investigator in an organization, was investigating a cyber-attack. In this process, she found that the attack was performed from within the office premises. To obtain the list of users logged into the office system, she executed a command to extract the login history and system boot time. Identify the command executed by Joselynin theabove scenario.

last -f /var/log/wtmp

Which of the following commands helps investigators retrieve important information such as the MAC times of any file and timestamps of applications in a Mac system?

stat [-FlLnqrsx] [-f format] [-t timefmt] [file ...]

Identify the command that helps forensics investigators check the Linux kernel version on a system.

uname -r

Which of the following log files in a Mac system contains information related to network interface history?

/var/log/daily.out

John, a forensics specialist, was instructed to investigate an email crime. As part of the investigation, John seized a computer, along with the email accounts used in the system. Identify the next step that John needs to follow in the email crime investigation process.

Acquiring the email data

Ronan, a forensic investigator, was tasked with investigating a system based on NTFS. After thoroughly examining the system's hard drive, he discovered that most files were recently deleted from the file system but were recoverable. Ronan employed an automated tool to recover the deleted files from the hard disk. Identify the tool that Ronan used to recover the deleted files from the drive.

Autopsy

Sherin, a forensic investigator, is attempting to recover deleted files and data from a suspected system. To recover the deleted files and data, he used an automated tool that scans the system's hard drive. Which of the following tools was utilized by Sherin in the above scenario?

Autopsy

Brennan, a digital forensics investigator, was appointed by an organization to inspect a system suspected to be involved in cybercrime. In this process, Brennan employed a tool that helped him perform an automated scan of the suspected machine to identify traces of malware presence and its capabilities. Which of the following tools did Brennan employin theabove scenario?

Balbuzard

Which of the following is an advanced correlation approach that predicts what an attacker can do next after an attack based on statistics and probability theory and uses only two variables?

Bayesian correlation

Dillon, a forensics officer, was instructed to examine the memory dumps acquired from a suspected machine. For this purpose, Dillon employed a tool that helped him to process the memory dumps and retrieve useful information such as the browsed URLs, used email IDs, and personally identifiable information entered on websites. Identify the tool employed by Dillon in the above scenario.

Bulk Extractor

Which of the following time standards is used by the IIS server to record IIS logs, helping synchronize servers in multiple time zones?

Coordinated Universal Time (UTC)

In which of the following attacks does the attacker make an authenticated user perform certain tasks on the web application chosen by the attacker?

Cross-site request forgery

Which of the following malware components refers to a software program that conceals the existence of malware and is used by attackers to elude antivirus detection?

Crypter

Which of the following elements of an email header refers to an email authentication method that helps safeguard the senders and recipients of emails from phishing, spoofing, and spamming?

DKIM

Which of the following Windows registry hives contains configuration information related to the applications used to open various system files?

HKEY_CLASSES_ROOT

Which of the following contents of a sector contains the sector number and location, which identify sectors on the disk, as well as status information on the sector?

ID information

Identify the hidden file in Windows that is crucial for the recovery of data and contains various details of deleted files such as their original file names, original file sizes, date and time of deletion, unique identifying number, and the drive number in which the files were stored.

INFO2

Which of the following components of email communication accepts the email messages from the sender and routes them to their destination?

Mail transfer agent

Identify the color code in a Check Point firewall that signifies traffic detected as suspicious but accepted by the firewall.

Orange

Before investigating a cybercrime, Joyce, a forensic investigator, sets up a computer forensics lab, builds a forensics workstation, develops an investigation toolkit, and secures the case perimeter and involved devices. Identify the investigation phase Joyce is currently in.

Pre-investigation phase

Tyler, a forensic officer, was investigating a crime scene. After collecting a suspected laptop from the spot, Tyler started inspecting a specific portion of the drive where the criminal had saved the victim's data while performing a malicious activity. Tyler collected files required for the investigation as well as fragments of deleted data. Which of the following data acquisition methods did Tyler perform in the above scenario?

Sparse Acquisition

Identify the SWGDE standards and criteria stating that the agency must use hardware and software appropriate and effective for the seizure or examination procedure.

Standards and Criteria 1.5

Which of the following commands helps investigators check for the creation of new accounts in the administrator group?

Start -> Run -> lusrmgr.msc -> OK

Which of the following types of attack is performed using a seemingly harmless program containing malicious code that can later gain control and cause damage, such as destruction of the file allocation table on a hard disk?

Trojan horse attack

Which of the following countries implements the cyber law "Regulation of Investigatory Powers Act 2000"?

United Kingdom

Which of the following measures helps security professionals defend against anti-forensics techniques?

Use latest and updated CFTs and test them for vulnerabilities.

Franklin, a forensics investigator, was working on a suspected machine to gather evidence. He employed a forensic tool on the suspected device and quickly extracted volatile data as such data would be erased as soon as the system is powered off. Identify the volatile data Franklin has collected from the suspected machine.

User events

Which of the following strings in an Apache access log entry provides the details of the platform, system, and browser being used by the client while requesting a resource?

\"%{User-agent}i\"

Identify the command used to retrieve file system type, volume ID, last mounted timestamps, and last mounted directory.

fsstat -i <input _filetype> <filename.extension>

Don, a professional hacker, targeted Johana's official email account to steal her project-related files stored in it. In this process, Don tried all the possible combinations of password characters through the trial-and-error method and finally logged into her account. Identify the type of cybercrime demonstrated in the above scenario.

Brute-force attack

Boney, a forensics officer, was tasked with investigating a Windows Server machine suspected of being used for malicious online activities. He initiated the investigation process by executing a built-in Windows tool that helped him analyze NetBIOS over TCP/IP activity. Identify the command used by Boney in the above scenario.

C:\> nbtstat -S

Which of the following mnemonics in Cisco IOS logs is described as "A packet matching the log criteria for the given access list has been detected (TCP or UDP)"?

%SEC-6-IPACCESSLOGP

Colson, a forensic officer, was attempting to track a cybercriminal who had performed an online attack by gaining remote access to a Windows system of an organization. In this process, Colson executed an nbtstat command that displays the contents of the NetBIOS name cache as well as NetBIOS name-to-IP address mappings, which will help him in tracking the perpetrator. Which of the following nbtstat parameters helps Colson view the contents of the NetBIOS name cache?

-c

Given below is the syntax for executing Autorunsc command-line version. autorunsc [-a <*|bdeghiklmoprsw>] [-c|-ct] [-h] [-m] [-s] [-u] [-vt] [[-z ] | [user]]] Which of the following parameters in the above syntax specifies printing output as tab-delimited values?

-ct

Given below is an example of an Apache access log entry in the common log format: "10.10.10.10 - Jason [17/Aug/2019:00:12:34 +0300] "GET/images/content/bg_body_1.jpg HTTP/1.0" 500 1458" From the above log entry, identify the status code indicating that the response was successful.

500

Moises, a professional hacker, targeted an employee of an organization to steal confidential data. For this purpose, he compelled the employee to attach a malicious USB adapter to one of the host machines in the organization. As a result, the host machine was forced to connect to an unsecured network. Next, Moises collected all the confidential data passing through the unsecured network. Identify the type of attack performed by Moises in the above scenario.

Ad-hoc connection attack

An open-source data acquisition format stores disk images and related metadata, and the objective behind the development of the format was to create an open disk imaging format that provides users an alternative to being locked into a proprietary format. Identify this data acquisition format.

Advanced Forensics Format

Malcolm, a professional hacker, was attempting to intrude into an organization's network. In this process, he obtained the credentials of an employee using packet sniffers. Using the stolen credentials, Malcolm impersonated the employee to intrude into the organization's network. Identify the type of attack performed by Malcolm in the above scenario.

Authentication hijacking

Marshall, a professional hacker, targeted Grace to steal an amount from her banking account. For this purpose, he employed a social engineering technique and prompted Grace to share her credentials. Using those credentials, Marshall impersonated Grace and logged into her account on the concerned banking website to perform illegitimate transactions. Identify the web application threat demonstrated in the above scenario.

Authentication hijacking

Arnold, a crime investigator, wants to retrieve all the deleted files and folders in the suspected media without affecting the original files. For this purpose, he uses a method that involves the creation of a cloned copy of the entire media and prevents the contamination of the original media. Identify the method utilized by Arnold in the above scenario.

Bit-stream imaging

Ryder, a computer user, has a system running on Windows OS with a FAT file system. He encountered a blue screen issue; as a result, he turned off the system without closing the running applications. Ryder employed a Windows built-in utility to check for any bad sectors and lost clusters on his hard disk to overcome this issue. Identify the utility employed by Ryder in the above scenario.

Chkdsk.exe

Aziel, a mobile user, was accessing a secure Wi-Fi network at a coffee shop. As a result of a power outage at the coffee shop, the Wi-Fi router got switched off, and Aziel's mobile device automatically got connected to an attacker-installed hotspot. The attacker was thus able to capture all the Internet traffic originating from Aziel's mobile device. Which of the following attacks is demonstrated in the above scenario?

Client misassociation

Identify the component of SSD serves that acts as a bridge between the flash memory components and the system by executing firmware-level software.

Controller

Jude, a forensic professional in an investigation department, was tasked with analyzing a suspected Windows machine. During the investigation, Jude found that some of the drive's volumes were encrypted and needed to be decrypted for further investigation. Which of the following tools can help Jude in decrypting the drive?

CrypTool

Kevin, a forensics officer, was tasked with investigating a Windows machine reported with abnormal behavior. To investigate the causes for this abnormal behavior, Kevin first wanted to check Windows update information to determine whether new patches are causing this disruption. Which of the following Windows files will provide Kevin with the required information?

DataStore.edb

Bruno, a forensics investigator, was tasked with investigating a recent cyber-attack on an organization. To protect the evidence, Bruno maintained a logbook of the project to record observations related to the evidence, used tagging to uniquely identify any evidence, and created a chain of custody record. In the above scenario, identify the investigation phase Bruno is currently in.

Evidence preservation

Identify the Tor relay that receives the client's data from the middle relay and sends the data to the destination website's server.

Exit relay

Which of the following Tor relays is treated as suspected because it is perceived to be the origin of malicious traffic?

Exit relay

Which of the following versions of the FAT file system uses 4 bytes per cluster within the file allocation table?

FAT32

Which of the following laws was enacted in 1999 and requires financial institutions—companies offering consumers financial products or services such as loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data?

GLBA

Which of the following elements is a 128-bit unique number generated by the Windows OS to identify a specific device, document, database entry, and/or the user?

GUID

Which of the following contents of a hard disk drive sector is used to provide time for the controller to continue the read process?

Gaps

Which of the following registry hives contains file extension association information and programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data?

HKEY_CLASSES_ROOT

Duke, a forensics expert, was investigating a Windows machine suspected to contain a Tor browser instance. As part of the investigation, he navigated to Windows Registry to obtain the path from which the Tor browser was executed. In which of the following paths did Duke discover the Tor browser's existence on the suspected machine?

HKEY_USERS\<SID>\SOFTWARE\Mozilla\Firefox\Launcher

Identify the registry location in which Tor browser artifacts are stored and can provide information on user activities on the dark web.

HKEY_USERS\<SID>\SOFTWARE\Mozilla\Firefox\Launcher

Which of the following commands is used to identify the current system name and examine the logs, DNS, and network traffic?

Hostname

Joshua, a certified forensic expert, built a forensic lab for conducting a computer-based investigation. To make the investigation processes effective, he recruited experienced individuals and experts. Joshua then assigned job roles to each team member. Which of the following considerations is illustrated in the above scenario?

Human resource considerations

Which of the following steps of forensic readiness planning defines the purpose of evidence collection and gathering information to determine evidence sources that can help deal with the crime and design the best methods of collection?

Identify the potential evidence required for an incident

Helen, a shopping freak, lost an amount from her banking account. Immediately, she raised a complaint at the concerned bank. The security teams at the bank started investigating her account and discovered that she had accessed a fake website for shopping. Attackers stole her credentials through the fake website to make illegal transactions. Which of the following crimes is demonstrated in the above scenario?

Identity fraud

Which of the following is a digital forensic artifact that helps investigators detect a security incident that has occurred on a host system and includes logs related to systems, applications, networks, and firewalls?

Indicators of compromise

Which of the following considerations helps investigators create an appropriate testbed for malware analysis?

Installing a virtual machine (VMware, Hyper-V, etc.) on the system

Identify the type of cybercrime that involves the theft of trade secrets, copyrights, or patent rights of an asset or material belonging to individuals or entities, resulting in huge losses to the target organization.

Intellectual property theft

Which of the following is a user-created evidence source that can assist forensic investigators in recording and analyzing whether the victim stored any malicious links or URLs?

Internet bookmarks

In which of the following investigation phases does the forensic officer perform data acquisition, preservation, and analysis of evidentiary data to identify the source of a crime and the culprit?

Investigation phase

Richin, a forensics investigator, was tasked with investigating a Linux machine that was used as a remote controller for performing malicious online activities. As part of the investigation, Richin employed a forensic tool that performs RAM dumps so that he can view all running processes in the memory and recently executed commands. Which of the following tools was utilized by Richin in the above scenario?

LiME

Hudson, a forensic expert, was investigating an active computer that was executing various processes. Hudson wanted to check whether this system was used in an incident that occurred earlier. He started inspecting and gathering the contents of RAM, cache, and DLLs to identify incident signatures. Which of the following data acquisition methods has Hudson initiated in the above scenario?

Live Data Acquisition

In which of the following attacks does the attacker connect to a port on a switch and flood its interface by sending a large volume of Ethernet frames from various fake hardware addresses?

MAC flooding

Williams, a forensic expert, was performing an investigation on a system that was suspected to be involved in spreading adult content over the Internet. The attacker accessed various adult sites using the Mozilla Firefox browser and shared associated links with other individuals. Williams employed a forensic tool that helped him extract the list of websites accessed from the system to confirm this suspicion. Which of the following tools has Williams employed in the above scenario?

MZHistoryView

Which of the following is a high-speed serial expansion card integrating flash directly into the motherboard and is connected to the host machine through its own serial link by eliminating the need to share a bus, reducing latency, and enhancing the data transfer speeds between a server and storage?

PCIe SSD

Identify the approach that assists forensic officers in correlating specific packets with other packets and comparing them with attack signatures to list new potential attacks on the network.

Payload correlation

Lincoln, a forensic investigator, collected evidence from a crime scene. He used some hardware and software tools to complete the investigation process. Lincoln then created a report and documented all the actions performed during the investigation. Identify the investigation phase Lincoln is currently in.

Post-investigation phase

Which of the following phases of the forensics investigation process involves reporting and documenting all actions undertaken and the findings obtained during the investigation?

Post-investigation phase

Xavier, a security specialist, was appointed to investigate a crime scene at an organization. He completed the investigation process successfully and created a document that includes all the individual tasks performed in resolving the case. Which of the following forensics investigation phases is Xavier currently in?

Post-investigation phase

Calvin, a forensic crime investigator, retrieved evidence from a device that consists of usage logs, time and date information, network identity information, and ink cartridges. Identify the device from which Calvin obtained the evidence.

Printer

Benjamin, a professional hacker, joined as an intern in an organization and obtained some permissions to access the resources related to his job. Soon after gaining trust in the organization, he obtained elevated permissions to access restricted parts of the network. Thus, he gained access to confidential data of the organization. Identify the type of attack performed by Benjamin in the above scenario.

Privilege escalation attack

Which of the following can be classified as the most volatile type of data that persists only for nanoseconds?

Processor cache

Which of the following is an open-source tool, written in Perl, for extracting/parsing information, i.e., keys, values, and data from the registry and presenting it for analysis?

RegRipper

Identify the tool that helps simulate all network types and technologies, including VoIP, TCP, OSPFv3, MPLS, LTE, WLAN, IoT protocols, and IPv6, to analyze and compare the impacts of different technology designs on end-to-end behavior.

Riverbed Modeler

Raphael, a forensics expert at an organization, was asked to analyze an issue that blocked devices from accessing the organization's network. In this process, Raphael employed a network behavior monitoring tool to identify and categorize different events and determine the events that caused the issue. In which of the following event correlation steps did Raphael identify the reason behind the issue?

Root cause analysis

Which of the following email header fields prevents sender address forgery and allows organizations to designate servers that can send emails on behalf of their domains?

SPF

Which of the following types of cybercrime involves taking advantage of unsanitized input vulnerabilities to pass commands through a web application and thereby retrieve information from the target database?

SQL-Injection Attack

While preparing testbeds for malware analysis, which of the following techniques is used to perform dynamic analysis manually?

Sandbox

Which of the following measures helps security professionals defend against anti-forensics techniques?

Save data in secure locations.

Austin, a forensic investigator, was tasked with examining a crime scene. In this process, he identified a few devices that were affected during the attack process. Austin secured all these devices in a lawful manner for further investigation. Identify the investigation phase Austin is currently performing in the above scenario.

Search and seizure

Identify the smallest physical storage unit on a hard-disk platter that is a mathematical term denoting a pie-shaped part of a circle and is enclosed by the perimeter of the circle and two radii.

Sector

Which of the following characteristics of a hard disk represents the time taken by a hard-disk controller to identify a particular piece of data?

Seek time

Identify the process of extracting and gathering the data in an unaltered manner from storage media such as DVD-ROMs, USB drives, flash cards, and word processor documents.

Static Acquisition

Which of the following types of cells in the Windows Registry structure comprises a series of indexes pointing to the parent key cell?

Subkey list cell

Identify the portable executable information that shows whether the program is a command-line or GUI application.

Subsystem

Identify the web that forms the topmost layer and stores content that can be accessed as well as indexed by search engines such as Google, Yahoo, and Bing.

Surface web

Which of the following layers of the Internet is the visible part of the web, where contents are indexed by search engines such as Google, Yahoo, and Bing?

Surface web

Which of the following tools can an investigator use to investigate disk images as well as analyze a volume and file-system data?

The Sleuth Kit

In which of the following anti-forensics techniques do attackers mislead investigators via log tampering, false e-mail header generation, timestamp modification, and the modification of various file headers?

Trail obfuscation

Identify the packet sniffing tool that assists forensic specialists in browsing data packets from a live network traffic interactively.

Wireshark

Which of the following is a networking DLL that helps connect to a network or perform network-related tasks?

Ws2_32.dll

The following regular expression can be used to detect an "<img src" XSS attack: /((\%3c)|<) ((\%69) |I| (\%49)) ((\%6D) |m| (\%4D)) ((\%67) |g| (\%47)) [^\n] + ((\%3E) |>) /I Identify the signature in the above expression that searches for any character other than a new line?

[^\n]+

In which of the following URLs did attackers double-encode the input to perform an SQL injection attack?

http://ww.bank.com/accounts.php?id=1%252f%252a*/union%252f%252a/select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--

Which of the following elements of Apache core handles server startups and timeouts?

http_main

Which of the following elements of Apache core is responsible for managing the routines and interacts with the client and handles all the data exchange and socket connections between the client and the server?

http_protocol

Which of the following elements of Apache core controls the stepwise procedure followed among modules to complete a client request and is responsible for error handling?

http_request

Which of the following commands is used to retrieve the metadata of a file, such as MAC times, file size, and file access permissions?

istat -f <fstype> -i <imgtype> <imagefile_name> <inode_number>

Which of the following commands helps forensic investigators retrieve information about all active processes and open files?

lsof

Which of the following commands is used to collect information about the files opened by an intruder using remote login?

net file [ID [/close]]

Which of the following commands is used to extract the content of the macro stream from a suspicious Word document?

oledump.py -s <stream number> <path to the suspect document>

Jayden, a forensic investigator, was appointed to investigate a powered-off system recovered from a crime scene. He found many locked files in that computer and suspected that those files might contain information useful to identify the criminals. Which of the following evidence sources provided Jayden with useful information during the investigation?

password-protected files

John, a security specialist, was investigating a criminal case. He extracted all the possible evidence from a suspected laptop, created an exact copy of the evidence, and submitted the evidence as is to the jury members without any intermediary tampering. Identify the evidence rule demonstrated in the above scenario.

reliable

Identify the AFF4 object that stores segments that are indivisible blocks of data.

volume

Frank, a forensics specialist, was tasked with examining an attack on a website hosted on Windows Server 2016. In this process, Frank extracted the following IIS log entry: "2019-12-12 06:11:41 192.168.0.10 GET /images/content/bg_body_1.jpg - 80 - 192.168.0.27 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome /48.0.2564.103+Safari/537.36 http://www.moviescope.com/css/style.css 200 0 0 365" Which of the following fields in the above IIS log entry indicates that the user was anonymous?

-

Given below is the syntax of a netstat command. netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval] Identify the netstat parameter that is used to display all active TCP connections on which the computer is listening.

-n

Identify the PsLoggedOn parameter that forces the associated command to not show logon times while displaying logged-in users' details.

-x

Which of the following PsList parameters displays processes, memory information, and threads?

-x

Which of the following tasklist parameters specifies the types of process(es) to include in or exclude from the main query?

/fi FilterName

Identify the evidence source that contains the least volatile data as the digital information in such data sources does not automatically change, unless it is damaged under physical force.

Archival Media

Which of the following is a set of techniques that attackers use to avert or sidetrack the forensics investigation process or increase its difficulty?

Anti-forensics

Nasir, a forensics expert, was investigating a live machine recovered from a crime scene. He used an automated tool to extract the volatile memory from the system in the ".mem" format, which can be later used to extract information such as running processes from the memory. Identify the tool employed by Nasir in the above scenario.

AccessData FTK Imager

Which of the following tools helps forensic investigators acquire a memory dump from the RAM of the suspect machine?

AccessData FTK Imager

Which of the following data acquisition formats is created by Michael Cohen, Simson Garfinkel, and Bradly Schatz and is designed to support storage media with large capacities?

Advanced Forensic Framework 4

Waylon, a security professional, was inspecting an active machine to track down any malicious running programs. In this process, he inspected the DVD-ROM in the machine and identified suspicious programs stored in it. He immediately detached it from the machine because it contained data that cannot be eliminated even after the system is shut down. Identify the evidence source from which Waylon collected the evidence.

Archival Media

Which of the following will be present in the "Supporting Files" section of a forensics investigation report?

Attachments and appendices

Charles, a forensics team member familiar with all the applicable laws, participated in a crime investigation process. The role of Charles in the team was to assist the forensic investigators by providing legal advice on how to conduct the investigation and address the legal issues involved in various tasks. Which of the following roles did Charles play in the above scenario?

Attorney

Which of the following tools retrieves information about the process that opened the port, including the process name, the full path of the process, version information of the process, the process creation time, and the user who created it?

Currports

Identify the crime in which attackers harass an individual, a group, or an organization using emails or IMs.

Cyberstalking

Which of the following layers of TCP/IP is responsible for selecting the best path through the network for data flow between the source and destination?

Internet layer

Which of the following commands is used to find any unusual listening on TCP and UDP ports?Which of the following commands is used to find any unusual listening on TCP and UDP ports?

C:\> netstat -na

Which of the following commands is used by investigators to find scheduled and unscheduled tasks on localhost?

C:\> schtasks.exe

In which of the following Windows system locations will Mozilla Firefox store the history file?

C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\places.sqlite

Which of the following tasks is NOT the responsibility of a forensic investigator?

Configure network components

Identify the technique that includes the disintegration, incineration, pulverizing, shredding, and melting of digital media to make evidentiary data unavailable to forensics investigators.

Disk destruction

In which of the following phases of the computer forensics investigation methodology must the investigator take a photograph of the computer monitor's screen and note down what was observed on the screen?

Documentation of the electronic crime scene

Which of the following malware distribution techniques involves the exploitation of flaws in browser software to install malware upon a simple visit to a web page?

Drive-by downloads

Sam, a forensic specialist, was investigating a Windows 10 system based on NTFS. While analyzing the data, Sam discovered that some important files were deleted from the file system but can be recovered from Recycle Bin. Identify the location of Recycle Bin in the Windows 10 system.

Drive:\$Recycle.Bin\<SID>

Which of the following components of EFS uses CryptoAPI to extract the file encryption key (FEK) for a data file and uses it to encode the FEK to produce the DDF?

EFS Service

Stetson, a professional hacker, targeted an organization to secretly listen to a client's conversation with a development team. In this process, he secretly installed a sniffing device in the organization's network, which allowed him to listen to voice messages actively. Identify the type of attack performed by Stetson in the above scenario.

Eavesdropping

Renit, a professional hacker, is attempting to obtain sensitive information from a target network. In this process, he employs a technique to collect information such as network topology, live hosts, and potential vulnerabilities in host systems. Identify the technique employed by Renitin theabove scenario.

Enumeration

Medicing Inc. targeted their competitor organization to steal information about their product that gained immense popularity within a brief period. For this purpose, Medicing Inc. employed Don, a professional hacker. Don performed open-source intelligence gathering and analyzed the target product's details. Using the obtained information, Medicing Inc. created a similar product and launched it with a lower price. Identify the cybercrime demonstrated in the above scenario.

Espionage

Williams, a forensic investigator, was tasked with analyzing an image file. In this process, he identified that the metadata of the image file was deleted; therefore, he could only recover the files using the file header signature, which is a constant numeric or text value. Which of the following tools can help Williams identify and recover the files using the file header signatures?

Hex Editor Neo

While verifying the file format of evidence files, Patrick, a forensic investigator, detected that the suspect had changed the file extensions of some files from .jpg to .dll. Patrick used an automated tool to verify the file formats. Identify the tool employed by Patrick in the above scenario.

Hexinator

Which of the following practices is NOT a countermeasure to defend against anti-forensic techniques?

Impose strict laws against legal use of anti-forensics tools

Which of the following is a quality that makes one a good computer forensics investigator?

Knowledge of the laws relevant to the case

Which of the following methods includes the dismantling of a given executable into the binary format to study its functionalities and features?

Malware disassembly

Simon, a forensics investigator, was attempting to extract various Tor browser artifacts to reconstruct a recent crime incident. He employed a technique that can examine the RAM dump to extract various Tor browser artifacts. Which of the following techniques was utilized by Simonin theabove scenario?

Memory acquisition

Caiden, a forensics expert, was tasked with investigating fraud that occurred in an organization. An employee of the organization accessed a restricted file from the organization's server and modified some crucial word documents. To initiate an investigation, Caiden employed an online tool that reveals the last user who accessed the file and how many times the file has been edited. Which of the following tools did Caiden employ in the above scenario?

Metashield Analyzer

Identify the Tor relay used for data transmission in an encrypted format, receiving the client's data from the entry relay, and passing the client's data to the exit relay.

Middle relay

Identify the information in the superblock of ext2 that allows the system to determine whether it needs to check the file system fully.

Mount count and maximum mount count

Melvin, an attacker, started sending spam emails to target users carrying a file attachment in the .PPSX extension. Nova, a target user, opened the spam email and moved his mouse pointer over the hyperlinked malicious attachment; as a result, malware was executed automatically on Nova's system. Identify the technique employed by Melvin to distribute malware in the above scenario.

Mouse hovering

Which of the following is a search and seizure step that involves seeking consent, obtaining witness signatures, obtaining a warrant for search and seizure, and collecting incident information?

Planning of the search and seizure

Given below is the syntax for executing Autorunsc command-line version. autorunsc [-a <*|bdeghiklmoprsw>] [-c|-ct] [-h] [-m] [-s] [-u] [-r] [-vt] [[-z ] | [user]]] Which of the following parameters in the above syntax specifies the LSA security providers to scan?

R

A data acquisition format creates a bit-by-bit copy of the suspected drive, and images in this format are usually obtained using the dd command. Identify this data acquisition format.

Raw format

Which of the following results of an email exchange means that the sender's IP address is neither authorized nor restricted from sending emails on behalf of the organization's domain?

Received-SPF: Neutral

Which of the following results of an email exchange indicates a possibility of IP addresses having or not having the authorization to send emails on behalf of the domain mentioned?

Received-SPF: Softfail

Which of the following tools allows forensic investigators to analyze memory, detect malicious activities that occurred on the system, and construct the timeline and scope of a cybercrime incident?

Redline

Serin, a forensics investigator, wants to investigate the overall profile of network traffic in his organization. For this purpose, he used network-based evidence, which provided him with the summary of a conversation between two network devices. Identify the type of data utilized by Serin in the above scenario.

Session data

Which of the following sections of an email contains additional information including the name and contact details of the email sender?

Signature

Identify the subkey of the HKEY_LOCAL_MACHINE registry that stores information on the configuration settings of hardware drivers and services.

System

Identify the type of analysis that involves monitoring the changes on operating system resources upon malware execution.

System behavior analysis

Which of the following refers to non-volatile data that do not change when the machine is powered off?

System logs

Identify the mandatory requirement for every tool used for the disk imaging process.

The tool must be able to compare the source and destination and alert the user if the destination is smaller than the source.

Which of the following features of Mac OS includes a BackupAlias file containing binary information related to the hard disk used to store backups?

Time Machine

Which of the following tools helps a perpetrator delete and modify the metadata of files to confuse forensic investigators?

Timestomp

Which of the following titles of ECPA addresses the privacy of the contents of files stored by service providers and records held about the subscriber by service providers, such as subscriber name, billing records, and IP addresses?

Title II

Which of the following qualities is required for a good computer forensics investigator?

Well-versed in more than one computer platform

Marcel, a professional hacker, targeted the CFO of a multinational company. He sent a well-crafted email with a carefully designed website link to the CFO and lured him to reveal critical corporate financial data. Identify the type of crime performed by Marcel in the above scenario.

Whaling

Which of the following tools is mainly used to inspect and edit all types of files as well as to recover deleted files or lost data from hard drives with corrupt file systems or from memory cards of digital cameras?

WinHex

Identify the AFF4 object that includes collections of RDF statements.

graphs

Grayson, a forensic investigator, was able to retrieve evidence from a device by authenticating with the information of a card and the user through the level of access, configurations, and permissions. Identify the device utilized by Grayson to obtain the evidence.

biometric scanner

Which of the following fields in the IIS log entry indicates that the user wanted to download a file from a folder?

cs-uri-stem

Which of the following types of cybercrime is an offensive activity in which a computer connected to the web is employed as a source point to damage an organization's reputation?

cyber defamation

Which of the following commands is executed by forensic investigators to calculate the epoch time of a suspected machine?

date +%s

Kayden, a forensic team member, was instructed to handle an infected system. He was assigned the responsibility of analyzing and extracting all the possible data from the suspected Linux machine without altering the original data on the system. Kayden carefully analyzed the suspected machine and executed a Linux command to create a backup and restore MBR. Which of the following commands did Kayden execute in the above scenario?

dd command

Asher, a forensics specialist, was able to retrieve evidence from a device through its address book, notes, appointment calendars, phone numbers, email, etc. Which of the following devices did Asher acquire the evidence from?

digital watch

George, a forensic expert, was investigating a cybercrime. As part of the investigation, he examined a system running Windows OS based on NTFS to discover any malicious events. George accessed and analyzed the file system's metadata files stored in the root directory; the metadata files contain a record for every file in the file system. Which of the following system files has George accessed in the above scenario?

$mft

The following regular expression can be used to detect simple XSS attacks: /((\%3C)|<)((\%2F)|\/)*[a-ZA-Z0-9\%]+((\%3E)|(\%253E)|>)/ix Identify the signature in the above expression that searches for an opening angle bracket or its hex equivalent.

(\%3C)|<)

Given below is the syntax of a netstat command. netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval] Identify the netstat parameter that is used to display all active TCP connections as well as the TCP and UDP ports on which the computer is listening.

-a

Which of the following netstat parameters displays all active TCP connections as well as UDP ports on which the computer is listening?

-a

Jaylen, a forensic investigator, was inspecting a suspected system and wanted to gather the details of all the users who logged in to the suspected system. For this purpose, he executed a PsLoggedOn command to obtain information about locally logged-in users. Identify the PsLoggedOn parameter that helps Jaylen retrieve the details of locally logged-in users.

-l

Identify the netstat parameter that displays the active TCP connections and retrieves the process ID for each connection.

-o

Given below is the syntax of a netstat command. netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval] Identify the netstat parameter that is used to display the contents of the IP routing table.

-r

Santino, a forensic expert, was investigating a victim's Ubuntu system, which had been accessed by an attacker from a remote location. He collected network-related information from the system and executed a netstat command to extract the details of the routing table from the system. Identify the netstat parameter that helps Santino extract the routing table information.

-rn

Given below is the syntax for executing the command-line version of Autorunsc. autorunsc [-a <*|bdeghiklmoprsw>] [-c|-ct] [-h] [-m] [-s] [-u] [-vt] [[-z ] | [user]]] Which of the following parameters in the above syntax commands the offline Windows system to scan?

-z

Which of the following regular expressions is used by investigators to detect an "<img src" XSS attack on a dynamic web page?

/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I

Identify the regular expression that is used to detect meta-characters in an SQL injection attack.

/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i

Identify the anti-forensics command that deletes a file from a Linux machine but retains the file on the disk until it is overwritten with new data.

/bin/rm/

Jayce, a forensic specialist, was inspecting a suspected Linux system with an FHS file system. John initiated the investigation process by checking the file system. In this process, he extracted essential device files from the system, which served as potential evidence to track down the culprits. In which of the following directories of FHS did Jayce identify the essential device files?

/dev

Jonas, a forensics professional, was tasked with investigating an application hosted on an Apache server running on an Ubuntu machine. As the first step of the investigation, Jonas navigated to the storage location of the log files to view all the access and error logs. Identify the storage location of the log files in Ubuntu where Jonas could find useful information for the investigation.

/etc/apache2/apache2.conf

Gavin, a forensic expert, was analyzing a Linux system with an FHS file system that was affected by a security incident. Gavin suspected that an unauthorized removable storage device is plugged into the system, providing remote access to the system. Which of the following FHS directories can help Gavin in identifying mount points for removable storage devices?

/media

Rhett, a forensic expert, was inspecting a suspected Linux system with an FHS file system. In this process, he listed all the binary files present in the system and extracted these binary files from the root directory of the system. In which of the following directories of FHS did Rhett identify the binary files?

/sbin

Which of the following tasklist parameters lists all the service information for each process without truncation?

/svc

Identify the location of the logs on a Linux system that record details about the running services, such as squid and ntpd.

/var/log/daemon.log

Damon, a forensics specialist, was solving a case at an organization. He started collecting information from different log files of a victim system running Linux to locate potential evidence generated the security incident. In this process, he obtained printer logs from the victim system to track evidence. Identify the location of printer logs on a Linux system.

/var/log/lpr.log

Which of the following values of EnablePrefetcher corresponds to "Application prefetching is enabled"?

1

Given below are the various steps involved in analyzing suspicious MS Office documents. 1. Finding suspicious components 2. Dumping macro streams 3. Identifying suspicious VBA keywords 4. Finding macro streams What is the correct sequence of steps involved in analyzing suspicious MS Office documents?

1 -> 4 -> 2 -> 3

Given below are the different phases involved in the UEFI boot process: 1. Security phase 2. Boot Device Selection phase 3. Driver Execution Environment phase 4. Pre-EFI initialization phase 5. Runtime phase What is the correct sequence of phases involved in the UEFI boot process?

1 -> 4 -> 3 -> 2 -> 5

Given below are the various steps involved in retrieving an email header from Microsoft Outlook. 1. Launch the Microsoft Outlook desktop application. 2. When the Properties window opens, select the message header text from the Internet headers box. 3. Click the File button located on the top-left and then the Properties icon. 4. Copy and paste the text in any text editor and save the file. 5. Review all email messages of the suspect's email account and double-click on the email message to be saved. What is the correct sequence of steps involved in retrieving an email header from Microsoft Outlook?

1 -> 5 -> 3 -> 2 -> 4

Corey, a network forensics analyst, was tasked with investigating a malware attack that infected a host system in an organization. Corey collected the network packets and identified that a malicious port used by the njRAT Trojan is active in the system. Which of the following ports is used by the njRAT Trojan?

1177

Given below are various activities involved in the computer forensics investigation methodology. 1. Evidence preservation 2. Documentation of the electronic crime scene 3. Search and seizure 4. Case analysis 5. Reporting 6. Data analysis 7. Testimony as an expert witness 8. Data acquisition What is the correct sequence of activities involved in the computer forensics investigation methodology?

2 -> 3 -> 1 -> 8 -> 6 -> 4 -> 5 -> 7

Given below are the steps involved in preparing a testbed for dynamic malware analysis. 1. Install the tools that will be used to capture the changes performed by the malware to the network properties and other system resources. 2. Create a fresh baseline of both Windows and Linux workstations. 3. Generate hash values of the OSes and tools used. 4. This baseline state can be compared with the system's state after executing the malware. 5. Run the malware that has been collected from the suspect machines on the forensic workstations and begin monitoring. 6. List all device drivers, Windows services, and startup programs. Identify the correct procedure for preparing a testbed for dynamic malware analysis.

2 -> 4 -> 6 -> 1 -> 3 -> 5

Given below are the various steps involved in the data acquisition methodology. 1. Enabling write protection on the evidence media 2. Determining the data acquisition method 3. Validating data acquisition 4. Acquiring non-volatile data 5. Acquiring volatile data 6. Sanitizing the target media 7. Determining the data acquisition tool 8. Planning for contingency What is the correct sequence of steps involved in the data acquisition methodology?

2 -> 7 -> 6 -> 5 -> 1 -> 4 -> 8 -> 3

Jaxton, a forensics expert, was analyzing the IIS logs in a Windows-based server that was compromised earlier. He initiated the investigation process by extracting the IIS log entries and monitored the "sc-status" field to identify how the attacker's request was fulfilled without error. Which of the following codes represents the "sc-status" in the IIS log entry?

200

Given below are different steps involved in forensic readiness planning. 1. Determine the sources of evidence. 2. Establish a legal advisory board to guide the investigation process. 3. Establish a policy for securely handling and storing the collected evidence. 4. Identify the potential evidence required for an incident. 5. Keep an incident response team ready to review the incident and preserve the evidence. 6. Identify if the incident requires full or formal investigation. 7. Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption. 8. Create a process for documenting the procedure. What is the correct sequence of steps involved in forensic readiness planning?

4 -> 1 -> 7 -> 3 -> 6 -> 8 -> 2 -> 5

Given below are the various steps involved in the dead acquisition process. 1. Run any forensic acquisition tool suitable for acquiring/collecting data. 2. Write-block the hard disk to ensure that it provides only read-only access to the hard drive and prevents any modification or tampering of its contents. 3. Connect the hard drive to a forensic workstation to perform the acquisition. 4. Remove the hard drive from the suspected drive. Identify the correct sequence of steps involved in the dead acquisition process.

4 -> 3 -> 2 -> 1

Given below are the different steps involved in the email investigation process. 1. Examining email messages 2. Analyzing email headers 3. Recovering deleted email messages 4. Acquiring the email data 5. Retrieving email headers 6. Seizing the computer and email accounts Identify the correct sequence of steps involved in the email investigation process.

6 -> 4 -> 1 -> 5 -> 2 -> 3

Which of the following types of data is triggered by tools such as Snort IDS and Suricata that inspect network traffic flow and report potential security events as alerts?

Alert data

Which of the following information will be present in the "Investigation process" section of the forensics investigation report?

Allotted investigators

Which of the following measures is defined as the number of bits per square inch on a platter?

Areal density

Johnson, a newly appointed crime investigator, needed clarifications for some doubts before performing an investigation. For this purpose, he approached a team member responsible for providing legal advice about how to conduct the investigation and address the legal issues involved in the forensics investigation process. Identify the individual Johnson approached before performing the investigation.

Attorney

Graham, a forensic expert, was analyzing raw data extracted from a suspected Windows system. In this process, he employed an automated tool to extract and analyze the deleted files. Which of the following tools did Graham employ in the above scenario?

Autopsy

In which of the following data acquisition techniques can the geometry of the target disk, including its head, cylinder, and track configuration, be modified to align with the suspected drive?

Bit-stream disk-to-disk

George, a forensics specialist, was investigating a suspected machine found at a crime scene. He started inspecting the storage media of the device by creating a bit-by-bit copy of it but failed to do so as the suspected drive was very old and incompatible with the imaging software he was using. Which of the following data acquisition methods failed in the above scenario because the suspect system drive was old?

Bit-stream disk-to-image file

Lennox, a security specialist, was attempting to recover the data from an encrypted drive of a compromised system. Lennox suspected that the system might contain potential evidence related to the attack. For this purpose, he employed a technique using which he tried every possible key to recover the data and files stored in the drive. Identify the technique employed by Lennox to recover the encrypted drive.

Brute-force attack

Which of the following techniques uses a program that attempts every combination of characters until the correct password is discovered?

Brute-forcing attack

Which of the following commands helps investigators analyze NetBIOS over TCP/IP activity in a Windows system?

C:\> nbtstat -S

Which of the following is a volatile form of memory, requires power to retain data, and is included in an SSD to increase its read/write performance?

DRAM

Which of the following functionalities of Autopsy recovers deleted files from unallocated space using PhotoRec?

Data carving

In which of the following steps of forensic readiness planning do investigators devise a strategy to ensure the collection of evidence from all relevant sources and ensure its preservation in a legally sound manner while causing minimal disruption to work?

Define a policy that determines the pathway to legally extract electronic evidence

Kasen, a professional hacker, performed an attack against a company's web server by flooding it with large amounts of invalid traffic; thereafter, the webserver stopped responding to legitimate incoming requests. Identify the type of attack performed by Kasen in the above scenario.

Denial-of-service attack

Identify the tool that lists all the related modules within an executable file and builds a hierarchical tree diagram as well as records all the functions exported and called by each module.

Dependency Walker

In which of the following steps of forensic readiness planning does an investigator determine what currently happens to the potential evidence data and its impact on the business while retrieving the information?

Determine the sources of evidence

Harry, a professional hacker, targeted Johana's official email to gain access and view her banking transactions. To crack the password, Harry used a text file that contained several predetermined character combinations, which allowed him to log into her account. Which of the following techniques was employed by Harry in the above scenario?

Dictionary attack

Which of the following is a process by which a strong magnetic field is applied to a storage device, resulting in a device devoid of any previously stored data?

Disk degaussing

To solve a case, Steve, a digital forensics investigator, was inspecting a disk from which the attacker wiped all the data using a technique that deletes only address tables and unlinks all the files in the file system. Steve used an automated tool to recover the erased data from the disk. Identify the artifact wiping technique employed by the attacker in the above scenario.

Disk formatting

Jude, a forensics expert, was inspecting a Cisco router as part of an investigation process. During analysis, Jude frequently received syslog messages describing the system unusable message on the Cisco router with number code 0. Identify the severity level of the syslog message in the above scenario.

Emergency

Identify HIPAA's administrative statute and rules that require employers to have standard national numbers that identify them on standard transactions.

Employer Identifier Standard

Identify the benefit an incident response team offers an organization if the team is forensically ready.

Ensures that the investigation meets all regulatory requirements

Which of the following tasks is the responsibility of a forensic investigator?

Evaluate the damage due to a security breach

Identify the technique that refers to missing events related to systems downstream from a failed system and avoids events that can cause the system to crash.

Event masking

Easton, a forensics investigation team member, accumulated information from each person involved in the forensics process and developed a report of it in an orderly fashion, from the incident occurrence to the end of the investigation. Identify the role played by Easton in the investigation team.

Evidence documenter

Identify the forensics investigation report section that includes investigative techniques used during the investigation process.

Evidence information

Identify the forensics investigation report section that includes the tools and techniques used for collecting the evidence during the investigation process.

Evidence information

Russell, a forensics expert, was tasked with investigating a system found at a crime scene. During the investigation, Russell discovered some .jpeg images in a locked folder that were suspected to be loaded by the attacker. Russell employed a tool to extract the metadata associated with those images for further investigation. Which of the following tools assisted Russell in the above scenario?

ExifTool

Identify the member in the forensics investigation team who offers a formal opinion in the form of a testimony in a court of law.

Expert witness

Henry, a professional hacker, targeted an organization to gain illegitimate access to its server. He launched an SQL injection attack from a remote location on the target server to obtain users' credentials. Which of the following types of attack has Henry performed in the above scenario?

External Attack

Which of the following tools is built upon the MD5 algorithm and is used to check the integrity of a file?

FastSum

Which of the following is the default Mac application that helps retrieve specific files and folders and sort them in the required order?

Finder

Identify the approach that helps users identify whether a system serves as a relay to a hacker and aids in gathering a series of data sets from forensic event data.

Fingerprint-based approach

Serah, a forensic investigator, was tasked with analyzing the disk layout with details such as locations of the partition area as well as the partition table and its backup copies. In this process, she executed a command to parse the GPTs of both types of hard disks and analyzed the first sector of the hard drive, determined the formatting type used, and then parsed the GPT. Identify the cmdlet utilized by Serah in the above scenario.

Get-BootSector

Bryson, a forensic investigator, was tasked with analyzing a hard disk containing Windows OS. As details about the hard disk were scarcely available, Bryson extracted the GUID partition table and its backup copies to analyze the hard disk layout through Windows PowerShell. Identify the cmdlet used by Bryson in the above scenario.

Get-GPT

Which of the following file systems is developed by Apple Computer, Inc. to support Mac OS in its proprietary Macintosh system and as a replacement for the Macintosh File System (MFS)?

Hierarchical File System

Robert, a forensics team member, was tasked with investigating an attack on a system. He investigated the attack based on the evidence, identified its type, determined how it affected the system, and identified other threats and vulnerabilities associated with the target system.

Incident analyzer

Jack, a disgruntled employee of an organization, gained access to the organization's database server. He manipulated client records stored on the database server to damage the reputation of the organization and to make the organization face legal consequences for losing integrity. Identify the type of attack performed by Jack in the above scenario.

Internal Attack

Which of the following layers of the TCP/IP model handles the movement of a data packet over a network, from the source to the destination, using protocols such as IP, ICMP, and ARP?

Internet layer

Alexis, a professional hacker, performed an attack against an organization's WLAN. In this process, he used a specially designed radio transmitter to transmit signals that can overwhelm and deny the use of the access point by legitimate clients. Which of the following types of attack is performed by Alexis in the above scenario?

Jamming attack

Bruce, an attacker, targeted a Wi-Fi zone to temporarily block users from accessing the Wi-Fi network. To achieve this, Bruce used a specially designed radio transmitter that emits radio signals to overwhelm the access point. Which of the following types of attack has Bruce performed in the above scenario?

Jamming attack

Cyril, a forensic investigator, was appointed to prepare strategies to lure attackers and extract their whereabouts. For this purpose, he employed a honeypot machine, which is a dummy system used to trick attackers into connecting to it. Soon after attackers connect to the system, it provides log details, along with their source IP, session ID, and a message with other useful information about the attackers. Identify the honeypot employed by Cyrilin theabove scenario.

Kippo

Which of the following practices is NOT a good quality of a computer forensics investigator?

Lack of patience and willingness to work long hours

Gael, a forensic expert, was working on a case related to fake email broadcasting. Gael extracted the data from the victim system to investigate and find the source of the email server. In this process, Gael extracted only ".ost" files from the system as they can provide potential information about the incident. Which of the following types of data acquisition has Gael performed in the above scenario?

Logical Acquisition

Which of the following structures of the HFS volume keeps track of the allocation blocks in use and those that are free?

Logical block 3

Identify the attack that refers to the process of repeatedly sending an email message to a particular address at a specific victim's site.

Mail bombing

Which of the following components of email communication is an email client/desktop application for reading, sending, and organizing emails?

Mail user agent

A command, when executed, changes the modification time and date of a file but retains its creation time and date in the NTFS file system. Identify this command.

Move sample.txt from E:\ to E:\subdir on the NTFS file system

The system administrator of an organization identified that an attacker gained access to a system from a remote location and performed malicious activities. The administrator thoroughly analyzed the compromised system to determine whether the attacker is still accessing the system. Which of the following tools can help the administrator view active TCP and UDP connections in the system?

Netstat

Which of the following components of NFTS acts as a boot loader and accesses the file system to load the contents of the boot.ini file?

Ntldlr.dll

Which of the following is a program that conceals the malicious code of malware via various techniques, making it difficult for security mechanisms to detect or remove the malware?

Obfuscator

Which of the following techniques involves live monitoring of the activity of the chosen malware that is currently operating on the system?

Observation of runtime behavior

Which of the following is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards?

PCI DSS

Gatlin, a forensics expert, was analyzing malware executable samples found in a victim's system. After a thorough analysis, he discovered that the malware was packed. Therefore, Gatlin employed a tool to scan and detect the packers used in those samples. Identify the tool employed by Gatlin in the above scenario.

PEiD

Which of the following is a program that allows bundling all files together into a single executable file via compression to bypass security software detection?

Packer

Which of the following attacks involves the capture of traffic flowing through a network to obtain sensitive information such as usernames and passwords?

Packet Sniffing

Which of the following tools can recover deleted email messages depending on how soon the recovery is attempted?

Paraben's (E3)

Reid, an attacker, targeted an online COVID survey website, where citizens provide their personal and health-related details. He took advantage of a vulnerability present in the web application and manipulated the communication between the users and the server to make changes to the application data. Identify the type of attack performed by Reid in the above scenario.

Parameter/form tampering

Identify the type of password that is a signature of the original password generated using a one-way algorithm such as MD5.

Password hashes

Identify the social engineering technique in which an attacker executes malicious programs on a victim's computer and automatically redirects the victim's traffic to a website controlled by the attacker when the victim enters any URL?

Pharming

Identify the social engineering technique in which an attacker executes malicious programs on a victim's computer or server.

Pharming

Brendan, a professional hacker, drafted an email that appears legitimate and attached malicious links to lure victims into revealing private information such as account numbers. Identify the type of attack Brendan has performed in the above scenario.

Phishing

James, a newly recruited employee of an organization, received an email containing a fake appointment letter. The letter claims to have been sent by the real organization. James failed to identify the legitimacy of the letter and downloaded it. Consequently, malicious software was installed on his system, and it provided remote access to the attacker. Identity the type of cybercrime performed by James in the above scenario.

Phishing Attack

Allen, a forensics expert, was analyzing a forensically extracted memory dump from an Ubuntu machine. While attempting to extract lost files from the dump, Allen employed an open-source tool that uses data carving techniques to recover deleted files or lost data. Which of the following tools did Allen employ in the above scenario?

PhotoRec

Identify the consideration that recommends maintaining a log register at the entrance of a lab to record visitor data such as the address and name of the visitor, date, time, and purpose of the visit, and name of the contact person.

Physical security considerations

Which of the following refers to an analysis of logs performed to detect and study an incident that may have already occurred in a network or device, to determine what exactly occurred, and to identify the source of the event?

Postmortem

Which of the following phases of the forensics investigation process involves setting up a computer forensics lab, building a forensics workstation, developing an investigation toolkit, building an investigation team, and obtaining approval from the relevant authority?

Pre-investigation phase

Which of the following artifacts can help investigators explore the Tor browser when it is uninstalled from a machine or installed in a location other than the Windows desktop?

Prefetch files

Identify the tool that displays basic information about the running processes on a system, including the amount of time each process has been running for in both kernel and user modes.

PsList

Which of the following Federal Rules of Evidence states, "rules should be construed so as to administer every proceeding fairly, eliminating unjustifiable expense and delay, and promoting the development of evidence law, to the end of ascertaining the truth and securing a just determination"?

Rule 102: Purpose

In which of the following phases of the UEFI boot process does the system clear the UEFI program from memory and transfer it to the OS?

Runtime phase

Identify the standard for sanitizing target media that is a wiping method that writes zeros in the first pass and random bytes in the next pass.

Russian Standard, GOST P50739-95 (6 passes)

Which of the following types of disk interface is a set of ANSI standard electronic interfaces that allow personal computers to communicate with peripheral hardware such as disk drives, tape drives, CD-ROM drives, printers, and scanners?

SCSI

Identify the component of email communication that allows users to receive emails only in conjunction with other email communication components such as POP or IMAP.

SMTP server

Which of the following acts was passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations?

SOX

Identify the term that refers to the portions of a hard drive that may contain either data from a previously deleted file or space unused by the currently allocated file.

Slack space

Which of the following is the wasted area of a disk cluster lying between the end of a file and the end of the cluster and is created when the file system allocates a full cluster to a file smaller than the cluster size?

Slack space

Eliana, a forensics expert, was inspecting a suspected machine and aimed to gather and record all the criminal evidence from the machine. She initiated the task by activating a screen recording tool that records all the activities by quickly capturing the screens and adding additional context, as well as saves all the data on a disk after the completion of recording. Identify the tool used by Eliana in the above scenario.

Snagit

Which of the following features of Mac OS is an integrated search feature that indexes files by type, making it easy for forensic investigators to trace suspicious files and applications on a system?

Spotlight

Identify the SWGDE standards and criteria stating that the agency must maintain written copies of appropriate technical procedures.

Standards and Criteria 1.4

Identify the SWGDE standards and criteria insisting that all the activities related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and made available for review and testimony.

Standards and Criteria 1.6

Which of the following techniques is referred to as the art of hiding data or a message "behind" other data without the target's knowledge, thereby hiding the existence of the message itself?

Steganography

Alden, who works in the HR department of an organization, was tasked with selecting suitable candidates for a new project. He went through all the candidates' profiles on a job portal, interviewed them, and prepared an excel sheet shortlisting candidates. Alden then used the company's email client to share the excel sheet with his superior, Chris. Identify the field in the email message header where Alden must add Chris's email address.

To

Wilson, a forensics analyst, was extracting artifacts related to the Tor browser from a memory dump obtained from a victim's system. In this process, he identified that the dump contains the maximum possible number of artifacts as evidence. Which of the following conditions provided Wilson with the maximum possible number of artifacts?

Tor browser opened

Marcelo, a forensics analyst, was extracting artifacts related to the Tor browser from a memory dump obtained from a victim's system. In this process, he employed a forensic tool that extracted the information and identified that the dump contains the least possible number of artifacts as evidence. Which of the following conditions provided Marcelo with the least possible number of artifacts?

Tor browser uninstalled

Which of the following is a tool for assessing IT configurations as well as detecting, analyzing, and reporting any change activity across IT infrastructure?

Tripwire Enterprise

Tanner, a professional hacker, sent a fake email to Killian describing new offers on his credit card. Killian, without verifying the legitimacy of the email, clicked on the malicious link in the email. As a result, a malicious script was executed on Killian's system, granting backdoor access to Tanner. Identify the type of attack performed by Tanner in the above scenario.

Unvalidated redirects and forwards

Which of the following steps of the forensic data acquisition methodology involves calculating the target media's hash value and comparing it with the forensic counterpart to ensure that the data have been completely acquired?

Validating data acquisition

Identify the tool that provides the pslist plugin to retrieve information on all the processes executing on the system when the memory dump was collected.

Volatility Framework

Identify the functionality of Autopsy, which extracts history, bookmarks, and cookies from Firefox, Chrome, and Internet Explorer.

Web artifacts

Agnes, a forensics investigator, was exploring the Tor browser installed on a suspect machine. In this process, she used an automated tool to obtain metadata related to the browser, which includes browser-created timestamps, last-run timestamps of the browser, number of times the browser was executed, browser execution directory, filename, and file size. Identify the tool employed by Agnes in the above scenario.

WinPrefetchView

Which of the following rules of evidence states that investigators must provide supporting documents regarding the legitimacy of the evidence, with details such as the source of the evidence and its relevance to the case?

authentic

Williams, a forensic specialist, was appointed to perform data acquisition on a victim system that was involved in cybercrime related to a phishing campaign. As the system was in a powered-off state, Williams extracted static data from the hard disk. Identify the static data recovered by Williams in the above scenario.

cookies

Erick, a forensics expert, was tasked with investigating a compromised machine that had been involved in various online attacks. In this process, Erick identified a corrupted file in the system. He scanned the Recycle Bin folder for the metadata of that file, but it was deleted from that location. Subsequently, he used a command to recover the deleted file. Identify the command that Erick used to recover the deleted file.

copy <$R

Aiden, an investigation officer, was investigating a suspected system from which a critical document was sent without permission. In this process, he discovered potential evidence from documents, film cartridges, and phone numbers to which the document was sent. Identify the source of potential evidence from which Aiden gathered the above information.

fax machine

Williams, a forensics investigator, was performing forensics analysis on a suspected Linux system. In this process, Williams used a command from The Sleuth Kit to extract the details of the file system from the evidence image. Identify the command executed by Williams in the above scenario.

fsstat

Which of the following display filters helps administrators in monitoring all the unsuccessful login attempts on an FTP server?

ftp.response.code == 530

Eric, a forensic investigator in an organization, was continuously monitoring the network activity of the organization's employees. In this process, he used a command to detect the systems running in the promiscuous mode to maliciously capture all incoming packets. Identify the command used by Ericin theabove scenario.

ifconfig <interface>

While inspecting a suspected machine, Kaison, a forensics investigator, discovered that a malicious file was uploaded on the system that caused disruptions in the system's functionality. Kaison wanted to view the metadata of the file, such as MAC times, file size, and file access permissions. Which of the following commands will help Kaison retrieve the metadata of the file?

istat

David, a forensics investigator, analyzed a RAM dump extracted from a suspected Linux system. He used the Volatility Framework to extract information from the dump file. In this process, David employed a plugin to extract the parent and child processes to determine whether any malicious processes are running on it. Identify the plugin used by David in the above scenario.

linux_pstree

Identify the Volatility Framework plugin that helps forensic investigators detect hidden or injected files, which are generally DLL files, in the memory.

malfind

Harrison, a forensic investigator, was working on a criminal case in which he had to extract all the possible data related to criminal activity on a device running Windows OS. For this purpose, Harrison wanted to view the detailed partition layout for the GPT disk, along with the MBR details. Which of the following commands will help Harrison in the above scenario?

mmls

Eduardo, a forensic investigator, wants to collect network information such as session information, network packets, port scan results, IDS/IPS, firewall, server, and application log data. For this purpose, he executes a command that can troubleshoot NetBIOS name resolution problems and collect network information. Which of the following commands is executed by Eduardoin theabove scenario?

nbtstat [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval]

Identify the command used for managing computer connections that displays information about all the logged-in sessions of the local computer when used without parameters.

net sessions [\\<ComputerName>] [/delete] [/list]

Peyton, a forensic investigator, was inspecting a suspected machine to gather details of malicious activities related to a security incident. In this process, he employed a tool to collect information related to all open TCP and UDP ports, routing tables, multicast memberships, interference statistics, and masquerade connections. Identify the tool employed by Peyton in the above scenario.

netstat

Isaac, a forensics expert, was inspecting a suspected machine. He initiated the process by testing active network connections on the machine to identify whether the Tor browser was used to launch malicious activities. Which of the following commands can help Isaac determine whether the Tor browser was used on the suspected machine?

netstat -ano

Zayn, a forensic expert, was tasked with investigating an incident that occurred on a Windows machine. Zayn wanted to check whether the attacker was still active on the network and spreading the infection. In this process, Zayn executed a netstat command that helped him view the TCP and UDP network connections, listening ports, and identifiers of the processes. Identify the command executed by Zayn in the above scenario.

netstat -ano

Which of the following netstat commands allows forensic investigators to view the list of network interfaces on a system?

netstat -i

While investigating a cyber incident, Edwin, a forensics specialist, inspected an affected system. In this process, Edwin retrieved the routing table and checked if any persistent routes were enabled in that system. Identify the command that Edwin used to retrieve the required information.

netstat [-a] [-e] [-n] [-o] [-p <Protocol>] [-r] [-s] [<Interval>]

Kylo, a forensics investigator, was tasked with investigating a security incident in an organization. In this process, Kylo employed a network scanning tool to identify open ports that allowed attackers to install malicious services on the target system. Identify the tool employed by Kylo in the above scenario.

nmap

Which of the following commands helps forensic investigators identify open TCP ports on a system and obtain information on them?

nmap -sT localhost

Identify the Wireshark filter that is used to detect a SYN-FIN flood DoS attack.

tcp.flags==0X003

Identify the rule of evidence stating that investigators and prosecutors must present evidence in a clear and comprehensible manner to the members of the jury.

understandable

Which of the following types of digital evidence in a computer system will be lost as soon as the system is powered off?

volatile data

Which of the following types of digital evidence is temporary information on a digital device that requires constant power supply to retain and is deleted if the power supply is interrupted?

volatile data

Steve, a professional hacker, performed malicious activities using a compromised system of an organization. To maintain persistence and hide the traces of attack, he employed an anti-forensics tool that helped him keep his malicious files or code untraceable. Identify the tool employed by Steve in the above scenario.

wbStego

Which of the following is an anti-forensics tool that helps attackers destroy or hide traces of illegal activities, hindering the forensics investigation process?

wbStego


Set pelajaran terkait

Econ 302 Study for Finals GDP, Money, AD/ AS

View Set

PSY350 Module 6: Dissociative Disorders

View Set

WORLD HISTORY 1001: THE BEGINNINGS OF HUMAN SOCIETY Test Study Guide

View Set

caring for a child with a cardiovascular condition - chapter 27

View Set

Chapter 44 Pilliterri Family Final HEME

View Set

12. Entorno turístico lección 11: "Un viaje por carretera" (pg. 86 a 89)

View Set

'What is the Horror Genre?' Study Guide

View Set

Module 1, Unit 4 - Incident Response

View Set

BA 325 Final Exam Homework questions

View Set

NS ch 38 the solar system review questions

View Set