CHFI Study Questions
Which Attribute ID does NTFS set as a flag after encrypting a file where the data decryption field (DDF) and data recovery field (DRF) are stored?
0x100
Maximum file system size of ext4
1EiB
How many bytes does a directory entry have allotted for each file and directory in the FAT file system?
32
Number of bytes reserved at the beginning of a CD-ROM for booting?
32,768
Maximum file system size of ext3
32TB
How many bytes are each logical block in an HFS volume?
512
How many bytes is each logical block in GPT?
512
MBR almost always refers to the partition sector of a disk also known as
512-byte boot sector
Size of the partition table structure that stores information about the partitions present on a hard disk
64-byte
Number of allocation blocks restricted by HFS
65,535
What is a machine-readable language used in major digital operations, such as sending and receiving emails?
ASCII
Data structure situated at sector 1 in the volume boot record of a hard disk to explain the physical layout of a disk volume?
BIOS Parameter Block (BPB)
Technique used to distribute malware on the web with tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated keywords to get a higher search engine ranking for malware pages?
Blackhat SEO
What UFS file system part is composed of a few blocks in the partition reserved at the beginning?
Boot Blocks
What component of a typical FAT32 file system consists of data that the file system uses to access the volume and uses the system partition to load the operating system kernel files?
Boot Sector
EnablePrefetcher value 2
Boot prefetching is enabled
Web application threat that occurs when the application fails to guard memory properly and allows writing beyond maximum size?
Buffer Overflow
What layer of web application architecture is responsible for the core functioning of the system and includes logic and applications, such as .NET, used by developers to build websites according to client requirements?
Business layer
Architectural layer of mobile device environments that represents any program that runs on the Android platform
Client Application
What layer of web application architecture includes all the web appliances, such as smartphones and PCs, where interaction with a web application deployed on a web server occurs?
Client layer
Web application threat that occurs when an attacker is allowed to gain access as a legitimate user to a web application or data such as account records, credit card numbers, passwords, or other authenticated information?
Cookie Poisoning
What UFS file system part comprises a collection, including a header with statistics and free lists, a number of inodes containing file attributes, and number of data blocks?
Cylinder groups
Phase of EFI that uses the Hand-Off Block List (HOBL) to initialize the entire system physical memory, I/O, and MMIO resources.
DXE
Tool for Mac that recovers files from crashed or virus corrupted HDD
Data Rescue 4
Biggest threat to mobile devices?
Data loss
Which web application threat occurs when attackers exploit HTTP, gain access to unauthorized directories, and execute commands outside the web server's root directory?
Directory Traversal
Tool that undeletes and recovers lost files from hard drives, memory cards and USB Flash drives?
DiskDigger
Where are deleted items stored on Windows Vista and later versions of Windows?
Drive:\$Recycle.Bin
Where are deleted items stored on Windows 98 and earlier versions of Windows?
Drive:\RECYCLED
Where are deleted items stored on the Windows 2000, XP, and NT versions of Windows?
Drive:\RECYCLER
Developed by Remy Card as an extensible file system for Linux and is the basis for all currently shipping Linux distros?
Ext2
Linux file system developed by Stephen Tweedie in 2001 as a journaling file system to improve reliability
Ext3
Which of the two parts of the Linux File system architecture has the memory space where the system supplies all services through an executed system call?
Kernel Space
Which component of the NTFS architecture is the processing mode that permits the executable code to have direct access to all the system components?
Kernel mode
In GUID Partition Table, which Logical Block Address contains the Partition Entry Array?
LBA 2
Which LBA is the first usable sector?
LBA 34
Which of the three different files storing data and logs in SQL servers holds the entire log information associated with the database?
LDF
Commands used to determine running processes in Windows?
Listdlls, Tasklist, Pslist
3 tiers of log management
Log Generation, Log Monitoring, Log Analysis and Storage
Which HFS volume structure contains the Master Directory Block (MDB), which defines a wide variety of data about the volume itself?
Logical block 2
Which of the three different files storing data and logs in SQL servers is the starting point of a database and points to other files in the database?
MDF
What was Linux's first file system?
MINIX
What information held by the superblock allows the mounting software to verify the superblock for the EXT2 file system?
Magic Number
Who are legitimate authorizers of a search warrant?
Magistrate, Court of law, Concerned authority
Which component of the NTFS architecture contains executable master boot code that the system BIOS loads into memory?
Master Boot Record (MBR)
In NTFS, this is the relational database consisting of information regarding the files and file attributes.
Master File Table (MFT)
Information held by the superblock that allows the system to determine if the file system needs to be fully checked and increments each time the system places access to the file system?
Mount Count
CAN-SPAM's Main requirements
Must have physical address; Honor opt-out requests in 10 days; Commercial email must be ID'd as an ad; Do not use false or misleading header info; Do not use deceptive subjects
Commands to determine logged on users
Net session, PsLoggedOn, LogonSessions
Architectural layer of mobile device environments that allows a mobile device to communicate with the network operator
Network interface
Which component of the NTFS architecture reads the contents of the Boot.ini file?
Ntldr.dll
Field type referring to the volume descriptor as a primary
Number 1
Field type referring to the volume descriptor as a partition descriptor
Number 3
Architectural layer of mobile device environments that offers utilities for scheduling multiple tasks, memory management tasks, synchronization, and priority allocation?
Operating System
Web application threat that occurs when attackers intend to manipulate the communication exchanged between the client and server to make changes in application data.
Parameter Tampering
What is Enterprise Theory of Investigation (ETI)?
Powerful methodology to identify criminals who have escaped prosecution
What must an investigator do in order to offer a good report to a court of law and ease the prosecution?
Preserve the evidence
What partition holds the information regarding the operating system, system area, and other information required for booting?
Primary partition
ISO 9660 compliant portion of a CD that describes the location of contiguous root directory similar to the super block in UNIX
Primary volume descriptor
RAID level that uses byte level data striping across multiple drives and distributes the parity information among all member drives?
RAID 5
RFC for normal email communication
RFC 5322
Federal Rule of Evidence governing proceedings in the courts
Rule 101
Federal Rule of Evidence containing rulings on evidence
Rule 103
The phase of EFI consisting of initialization code the system executes after powering on the system, manages platform reset events, and sets the system state.
SEC
Types of flash based memory
SLC, MLC, TLC
Act to protect investors from the possibility of fraudulent accounting activities by corporations.
SOX
Which field is the standard identifier set to CD001 for a CD-ROM compliant to ISO 9660?
Second
Inode field that shows when creation occurred and last modification
Timestamp
Tool that recovers lost data from hard drives, RAID, photos, deleted files, iPods and removable disks connected via FireWire or USB?
Total Recall
Web application threat that occurs when attackers tamper with the URL, HTTP requests, headers, hidden fields, form fields, or query strings?
Unvalidated input
File system and logical volume manager developed by Sun Microsystems
ZFS
Expert witnesses should conduct themselves while presenting by...
avoiding leaning and developing self-confidence
Web application threat that occurs when attackers identify a flaw, bypass authentication, and compromise the network.
broken access controls
Inode field that determines what the inode describes and the permissions that users have to it
mode
Command to determine the NetBIOS name table cache in Windows?
nbtstat
Recover My Files tool
Recover files even if emptied from the Recycle Bin; perform disk recovery after a crash; recover from HDD, camera card, USB, Zip, floppy or other media
CompuServe-generated format from 1987 that uses lossless data compression techniques, maintaining the visual quality of the image?
GIF
Act that requires companies that offer financial products or services to protect customer information against security threats.
GLBA
Architectural layer of mobile device environments that is responsible for creating menus and sub-menus when designing applications.
GUI API
PowerShell command to parse GPTs of both types of hard disks, UEFI or MBR
Get-BootSector
Which web application threat arises when a web application is unable to handle technical issues properly and the website returns information, such as database dumps, stack traces, and codes?
Improper Error Handling
Web application threat that occurs when attackers insert malicious code, commands, or scripts into the input gates of web applications, enabling the applications to interpret and run the newly supplied malicious input.
Injection flaws
What is the name of the abstract layer that resides on top of a complete file system, allows client application to access various file systems, and consists of a dispatching layer of numerous caches?
Virtual File System (VFS)
Elements of cyber crime
fast-paced speed, anonymity through masquerading, volatile evidence