CHFI 2


Korey, a data mining specialist at the knowledge processing firm DataHub.com, reported to his CISO that he has lost certain sensitive data stored on his laptop. The CISO wants his forensic investigation team to determine whether the data loss was accidental or intentional. Into which of the following categories will this case fall? Civil Investigation Both Civil and Criminal Investigations Criminal Investigation Administrative Investigation

Administrative Investigation

What is the default IIS log location? SystemDrive\inetpub\LogFiles SystemDrive\logs\LogFiles %SystemDrive\logs\LogFiles %SystemDrive%\inetpub\logs\LogFiles

%SystemDrive%\inetpub\logs\LogFiles

What is the size value of a nibble? 2 bits 0.5 kilo byte 0.5 byte 0.5 bit

0.5 byte

A master boot record (MBR) is the first sector (`sector zero`) of a data storage device. What is the size of MBR? 1048 Bytes 4092 Bytes 512 Bytes Depends on the capacity of the storage device

512 Bytes

Randy has extracted data from an old version of a Windows-based system and discovered the info file Dc5.txt in the system Recycle Bin. What does the file name denote? A text file copied from C drive to D drive in fifth sequential order A text file deleted from C drive in fifth sequential order A text file deleted from C drive in sixth sequential order A text file copied from D drive to C drive in fifth sequential order

A text file deleted from C drive in fifth sequential order

What value of the "Boot Record Signature" is used to indicate that the boot-loader exists? 00AA A100 AA55 AA00

AA55

Which of the following tools enables a user to reset his/her lost admin password on a Windows system? Passware Kit Forensic Smartkey Password Recovery Bundle Standard Active@ Password Changer Advanced Office Password Recovery

Active@ Password Changer

A buffer overflow vulnerability in a web application occurs when it fails to guard its buffer properly and allows writing beyond the buffer's maximum size, thus overwriting the _________. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack. Adjacent string locations Adjacent buffer locations Adjacent memory locations Adjacent bit blocks

Adjacent memory locations

The process of restarting a computer that is already turned on, through the operating system, is called what? Warm boot Ice boot Cold boot Hot Boot

Warm boot

Which of the following Event Correlation Approaches is an advanced correlation method that assumes and predicts what an attacker can do next after the attack by studying statistics and probability, and uses only two variables? Rule-Based Approach Vulnerability-Based Approach Route Correlation Bayesian Correlation

Bayesian Correlation

Which password cracking technique uses every possible combination of character sets? Rule-based attack Brute force attack Dictionary attack Rainbow table attack

Brute force attack

Annie is searching for certain deleted files on a system running Windows XP OS. Where will she find the files if they were not completely deleted from the system? C: \$Recycle.Bin C: $Recycled.Bin C:\RECYCLER C:\$RECYCLER

C: \$Recycle.Bin

A forensic examiner is examining a Windows system seized from a crime scene. During the examination of a suspect file, he discovered that the file is password protected. He tried guessing the password using the suspect's available information, but without any success. Which of the following tools can help the investigator solve this issue? Xplico Recuva Cain & Abel Colasoft's Capsa

Cain & Abel

Which of the following tools can the investigator use to analyze the network to detect Trojan activities? Regshot TRIPWIRE Capsa RAM Computer

Capsa

Which of the following is a MAC-based File Recovery Tool? Cisdem DataRecovery 3 Smart Undeleter VirtualLab GetDataBack

Cisdem DataRecovery 3

How will you categorize a cybercrime that took place within a CSP's cloud environment? Cloud as an Object Cloud as a Subject Cloud as a Tool Cloud as an Audit

Cloud as an Object

During forensics investigations, investigators tend to collect the system time at first and compare it with UTC. What does the abbreviation UTC stand for? Universal Computer Time Coordinated Universal Time Correlated Universal Time Universal Time for Computers

Coordinated Universal Time

What does 254 represent in ICCID 89254021520014515744? Individual Account Identification Number Issuer Identifier Number Country Code Industry Identifier Prefix

Country Code

Which network attack is described by the following statement? "At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries." Buffer Overflow DDoS Man-in-the-Middle Attack Sniffer Attack

DDoS

Which of the following standards represents a legal precedent set in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses' testimony during federal legal proceedings? SWGDE & SWGIT Frye IOCE Daubert

Daubert

Which of the following tools will help the investigator to analyze web server logs? XRY LOGICAL LanWhois Deep Log Analyzer Deep Log Monitor

Deep Log Analyzer

Gary is checking for the devices connected to USB ports of a suspect system during an investigation. Select the appropriate tool that will help him document all the connected devices. fsutil Devcon DevScan Reg.exe

Devcon

Which of the following attacks allows an attacker to access restricted directories, including application source code, configuration and critical system files, and to execute commands outside of the web server's root directory? Unvalidated input Security misconfiguration Parameter/form tampering Directory traversal

Directory traversal

Files stored in the Recycle Bin in its physical location are renamed as Dxy.ext, where `x` represents the ___________________. Sequential number Original file name Drive name Original file name's extension

Drive name

Which of the following tools enables data acquisition and duplication? Xplico Wireshark DriveSpy Colasoft's Capsa

DriveSpy

Which of the following data structures stores attributes of a process, as well as pointers to other attributes and data structures? Lsproc RegEdit EProcess DumpChk

EProcess

Charles has accidentally deleted an important file while working on his Mac computer. He wants to recover the deleted file as it contains some of his crucial business secrets. Which of the following tools will help Charles? DriveSpy Colasoft's Capsa Xplico FileSalvage

FileSalvage

Which of the following is NOT a part of the pre-investigation phase? Gathering information about the incident Creating an investigation team Building forensics workstation Gathering evidence data

Gathering evidence data

Smith, as a part of his forensic investigation assignment, seized a mobile device. He was asked to recover the Subscriber Identity Module (SIM card) data in the mobile device. Smith found that the SIM was protected by a Personal Identification Number (PIN) code, but he was also aware that people generally leave the PIN at the default or use easily guessable numbers such as 1234. He made three unsuccessful attempts, which blocked the SIM card. What can Jason do in this scenario to reset the PIN and access SIM data? He should contact the network operator for a Temporary Unlock Code (TUK) He can attempt PIN guesses after 24 hours He should contact the network operator for Personal Unlock Number (PUK) Use system and hardware tools to gain access

He should contact the network operator for Personal Unlock Number (PUK)

Which of the following ISO standards defines file systems and a protocol for exchanging data between optical disks? ISO 9060 IEC 3490 ISO/IEC 13940 ISO 9660

ISO 9660

Which of the following is NOT physical evidence? Removable media Cables Image file on a hard disk Publications

Image file on a hard disk

BMP (Bitmap) is a standard file format for computers running the Windows operating system. BMP images can range from black and white (1 bit per pixel) up to 24-bit color (16.7 million colors). Each bitmap file contains a header, the RGBQUAD array, an information header, and image data. Which of the following elements specifies the dimensions, compression type, and color format for the bitmap? Header The RGBQUAD array Image data Information header

Information header

Sectors are pie-shaped regions on a hard disk that store data. Which of the following parts of a hard disk does not contribute to determining the addresses of data? Interface Heads Sectors Cylinder

Interface

Jason discovered a file named $RIYG6VR.doc in the C:\$Recycle.Bin\<USER SID>\ while analyzing a hard disk image for the deleted data. What inferences can he make from the file name? It is a doc file deleted in seventh sequential order It is file deleted from R drive It is a deleted doc file RIYG6VR.doc is the name of the doc file deleted from the system

It is a deleted doc file

Which of the following Registry components includes offsets to other cells as well as the LastWrite time for the key? Value cell Value list cell Security descriptor cell Key cell

Key cell

Amber, a black hat hacker, has embedded a malware into a small enticing advertisement and posted it on a popular ad-network that displays across various websites. What is she doing? Malvertising Click-jacking Compromising a legitimate site Spearphishing

Malvertising

Which of the following is a database in which information about every file and directory on an NT File System (NTFS) volume is stored? Volume Boot Record Master Boot Record GUID Partition Table Master File Table

Master File Table

Billy, a computer forensics expert, has recovered a large number of DBX files during the forensic investigation of a laptop. Which of the following email clients can he use to analyze the DBX files? Eudora Microsoft Outlook Express Mozilla Thunderbird Microsoft Outlook

Microsoft Outlook Express

Which of the following is a part of a Solid-State Drive (SSD)? Cylinder Spindle NAND-based flash memory Head

NAND-based flash memory

Identify the file system that uses the $BitMap file to keep track of all used and unused clusters on a volume. FAT FAT32 NTFS EXT

NTFS

NTFS has less slack space than FAT, and thus less potential to hide data in the slack space. This is because: FAT does not index files NTFS is a journaling file system NTFS has lower cluster size space FAT is an older and inefficient file system

NTFS has lower cluster size space

Which file is a sequence of bytes organized into blocks understandable by the system's linker? Object file source file executable file

Object file

Which of the following Android libraries are used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen? Surface Manager OpenGL/ES and SGL WebKit Media framework

OpenGL/ES and SGL

In Steganalysis, which of the following describes a Known-stego attack? During the communication process, active attackers can change cover Only the steganography medium is available for analysis Original and stego-object are available and the steganography algorithm is known The hidden message and the corresponding stego-image are known

Original and stego-object are available and the steganography algorithm is known

An investigator has acquired packed software and needs to analyze it for malicious content. Which of the following tools can help identify the packer used? SysAnalyzer Dependency Walker PEiD Comodo Programs Manager

PEiD

Which among the following files provides email header information in the Microsoft Exchange server? PRIV.STM gwcheck.db PRIV.EDB PUB.EDB

PRIV.EDB

Adam, a forensic investigator, is investigating an attack on Microsoft Exchange Server of a large organization. As the first step of the investigation, he examined the PRIV.EDB file and found the source from where the mail originated and the name of the file that disappeared upon execution. Now, he wants to examine the MIME stream content. Which of the following files is he going to examine? gwcheck.db PRIV.STM PRIV.EDB PUB.EDB

PRIV.STM

Which of the following Windows-based tools displays who is logged onto a computer, either locally or remotely? TCPView PSLoggedon Tokenmon Process Monitor

PSLoggedon

Smith, a forensic examiner, was analyzing a hard disk image to find and acquire deleted sensitive files. He stumbled upon a $Recycle.Bin folder in the root directory of the disk. Identify the operating system in use. Windows 8.1 Windows 98 Linux Windows XP

Windows XP

Lynne receives the following email: Dear [email protected]! We are sorry to inform you that your ID has been temporarily frozen due to incorrect or missing information saved at 2016/11/10 20:40:24 You have 24 hours to fix this problem or risk to be closed permanently! To proceed Please Connect >> My Apple ID Thank You The link to My Apple ID shows http://byggarbetsplatsen.se/backup/signon/ What type of attack is this? Mail Bombing Phishing Email Spamming Email Spoofing

Phishing

To which phase of the Computer Forensics Investigation Process does the Planning and Budgeting of a Forensics Lab belong? Pre-investigation Phase Investigation Phase Post-investigation Phase Reporting Phase

Pre-investigation Phase

Richard is extracting volatile data from a system and uses the command `doskey /history`. What is he trying to extract? Events history Passwords used across the system Previously typed commands History of the browser

Previously typed commands

What must an attorney do first before you are called to testify as an expert? Prove that the tools you used to conduct your examination are perfect Qualify you as an expert witness Engage in damage control Read your curriculum vitae to the jury

Qualify you as an expert witness

Which tool does the investigator use to extract artifacts left by Google Drive on the system? PEBrowse Professional RegScanner Dependency Walker RAM Capturer

RAM Capturer

Smith, a network administrator with a large MNC, was the first to arrive at a suspected crime scene involving criminal use of compromised computers. What should be his first response while maintaining the integrity of evidence? Open the systems, remove the hard disk and secure it Record the system state by taking photographs of physical system and the display Perform data acquisition without disturbing the state of the systems

Record the system state by taking photographs of physical system and the display

Which of the following is an iOS Jailbreaking tool? Towelroot Kingo Android ROOT Redsn0w One Click Root

Redsn0w

What is the primary function of the Windows tool CHKDSK, which verifies the file system integrity of a volume? Check the disk for connectivity errors Check the disk for hardware errors Check the disk for Slack Space Repairs logical file system errors

Repairs logical file system errors

Jacky encrypts her documents using a password. It is known that she uses her daughter's year of birth as part of the password. Which password cracking technique would be optimal to crack her password? Syllable attack Brute force attack Rule-based attack Hybrid attack

Rule-based attack

Smith, an employee of a reputed forensic investigation firm, has been hired by a private organization to investigate a laptop that is suspected to be involved in the hacking of the organization's DC server. Smith wants to find all the values typed into the Run box in the Start menu. Which of the following registry keys will Smith check to find the above information? UserAssist Key TypedURLs key MountedDevices key RunMRU key

RunMRU key

Which among the following is an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations? FISMA HIPAA GLBA SOX

SOX

Which of the following acts as a network intrusion detection system as well as a network intrusion prevention system? Snort Nikto Kismet Acunetix

Snort

Report writing is a crucial stage in the outcome of an investigation. Which information should not be included in the report section? Author of the report Purpose of the report Incident summary Speculation or opinion as to the cause of the incident

Speculation or opinion as to the cause of the incident

Shane has started the static analysis of a malware and is using the tool ResourcesExtract to find more details of the malicious program. What part of the analysis is he performing? File obfuscation Strings search Identifying File Dependencies Dynamic analysis

Strings search

An expert witness is a __________________ who is normally appointed by a party to assist the formulation and preparation of a party's claim or defense. Expert law graduate appointed by attorney Subject matter specialist Expert in criminal investigation Witness present at the crime scene

Subject matter specialist

Which of the following files stores information about a local Google Drive installation such as User email ID, Local Sync Root Path, and Client version installed? filecache.db Sync_config.db sigstore.db config.db

Sync_config.db

Which of the following files gives information about the client sync sessions in Google Drive on Windows? sync.log sync_log.log Sync.log Sync_log.log

Sync_log.log

Which of the following statements is incorrect when preserving digital evidence? Remove the plug from the power router or modem Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals Turn on the computer and extract Windows event viewer log files Verify whether the monitor is on, off, or in sleep mode

Turn on the computer and extract Windows event viewer log files

When a user deletes a file or folder, the system stores the complete path, including the original filename, in a special hidden file called `INFO2` in the Recycled folder. If the INFO2 file is deleted, it is recovered when you ______________________. Reboot Windows Use a recovery tool to undelete the file Download the file from Microsoft website Undo the last action performed on the system

Undo the last action performed on the system

Which of the following reports are delivered under oath to a board of directors/managers/panel of the jury? Written Informal Report Verbal Formal Report Written Formal Report Verbal Informal Report

Verbal Formal Report

Shane, a forensic specialist, is investigating an ongoing attack on a MySQL database server hosted on a Windows machine with SID `WIN-ABCDE12345F`. Which of the following log files will help Shane track all the client connections and activities performed on the database server? WIN-ABCDE12345F-bin.n WIN-ABCDE12345F.err WIN-ABCDE12345F.pid WIN-ABCDE12345F.log

WIN-ABCDE12345F.log

Sheila is a forensics trainee and is searching for hidden image files on a hard disk. She used a forensic investigation tool to view the media in hexadecimal code for simplifying the search process. Which of the following hex codes should she look for to identify image files? 50 41 03 04 25 50 44 46 d0 0f 11 e0 ff d8 ff

ff d8 ff

Stephen is checking an image using Compare Files by The Wizard, and he sees the file signature is shown as FF D8 FF E1. What is the file type of the image? bmp png gif jpeg

jpeg

You are assigned a task to examine the log files pertaining to the MyISAM storage engine. While examining, you are asked to perform a recovery operation on a MyISAM log file. Which among the following MySQL utilities allows you to do so? myisamlog mysqldump myisamchk myisamaccess

myisamlog

Andie, a network administrator, suspects unusual network services running on a Windows system. Which of the following commands should he use to verify unusual network services started on a Windows system? net start net serv netmgr lusrmgr

net start

Netstat is a tool for collecting information regarding network connections. It provides a simple view of TCP and UDP connections, their state, and network traffic statistics. Which of the following commands shows you the TCP and UDP network connections, listening ports, and the process identifiers? netstat -s netstat -b netstat -r netstat -ano

netstat -ano
