March Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

ECCouncil 312-49v10 Computer Hacking Forensic Investigator (CHFI-v10) Exam Practice Test

Demo: 105 questions
Total 704 questions

Computer Hacking Forensic Investigator (CHFI-v10) Questions and Answers

Question 1

A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation?

Options:

A.

Image the disk and try to recover deleted files

B.

Seek the help of co-workers who are eye-witnesses

C.

Check the Windows registry for connection data (you may or may not recover)

D.

Approach the websites for evidence

Question 2

Jason has set up a honeypot environment by creating a DMZ that has no physical or logical access to his production network. In this honeypot, he has placed a server running Windows Active Directory. He has also placed a Web server in the DMZ that services a number of web pages that offer visitors a chance to download sensitive information by clicking on a button. A week later, Jason finds in his network logs how an intruder accessed the honeypot and downloaded sensitive information. Jason uses the logs to try and prosecute the intruder for stealing sensitive corporate information. Why will this not be viable?

Options:

A.

Entrapment

B.

Enticement

C.

Intruding into a honeypot is not illegal

D.

Intruding into a DMZ is not illegal

Question 3

This organization maintains a database of hash signatures for known software.

Options:

A.

International Standards Organization

B.

Institute of Electrical and Electronics Engineers

C.

National Software Reference Library

D.

American National standards Institute

Question 4

When examining a file with a Hex Editor, what space does the file header occupy?

Options:

A.

the last several bytes of the file

B.

the first several bytes of the file

C.

none, file headers are contained in the FAT

D.

one byte at the beginning of the file

Question 5

Lance wants to place a honeypot on his network. Which of the following would be your recommendations?

Options:

A.

Use a system that has a dynamic addressing on the network

B.

Use a system that is not directly interacting with the router

C.

Use it on a system in an external DMZ in front of the firewall

D.

It doesn't matter as all replies are faked

Question 6

As a CHFI professional, which of the following is the most important to your professional reputation?

Options:

A.

Your Certifications

B.

The correct, successful management of each and every case

C.

The free that you charge

D.

The friendship of local law enforcement officers

Question 7

You are the security analyst working for a private company out of France. Your current assignment is to obtain credit card information from a Swiss bank owned by that company. After initial reconnaissance, you discover that the bank security defenses are very strong and would take too long to penetrate. You decide to get the information by monitoring the traffic between the bank and one of its subsidiaries in London. After monitoring some of the traffic, you see a lot of FTP packets traveling back and forth. You want to sniff the traffic and extract usernames and passwords. What tool could you use to get this information?

Options:

A.

Airsnort

B.

Snort

C.

Ettercap

D.

RaidSniff

Question 8

You are running through a series of tests on your network to check for any security vulnerabilities.

After normal working hours, you initiate a DoS attack against your external firewall. The firewall Quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have FTP blocked at the external firewall. What has happened?

Options:

A.

The firewall failed-bypass

B.

The firewall failed-closed

C.

The firewall ACL has been purged

D.

The firewall failed-open

Question 9

The objective of this act was to protect consumers’ personal financial information held by financial institutions and their service providers.

Options:

A.

Gramm-Leach-Bliley Act

B.

Sarbanes-Oxley 2002

C.

California SB 1386

D.

HIPAA

Question 10

When reviewing web logs, you see an entry for resource not found in the HTTP status code filed.

What is the actual error code that you would see in the log for resource not found?

Options:

A.

202

B.

404

C.

505

D.

909

Question 11

When investigating a Windows System, it is important to view the contents of the page or swap file because:

Options:

A.

Windows stores all of the systems configuration information in this file

B.

This is file that windows use to communicate directly with Registry

C.

A Large volume of data can exist within the swap file of which the computer user has no knowledge

D.

This is the file that windows use to store the history of the last 100 commands that were run from the command line

Question 12

Volatile Memory is one of the leading problems for forensics. Worms such as code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?

Options:

A.

Use VMware to be able to capture the data in memory and examine it

B.

Give the Operating System a minimal amount of memory, forcing it to use a swap file

C.

Create a Separate partition of several hundred megabytes and place the swap file there

D.

Use intrusion forensic techniques to study memory resident infections

Question 13

Microsoft Outlook maintains email messages in a proprietary format in what type of file?

Options:

A.

.email

B.

.mail

C.

.pst

D.

.doc

Question 14

You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics lab. How many law-enforcement computer investigators should you request to staff the lab?

Options:

A.

8

B.

1

C.

4

D.

2

Question 15

A(n) _____________________ is one that's performed by a computer program rather than the attacker manually performing the steps in the attack sequence.

Options:

A.

blackout attack

B.

automated attack

C.

distributed attack

D.

central processing attack

Question 16

What operating system would respond to the following command?

Options:

A.

Windows 95

B.

FreeBSD

C.

Windows XP

D.

Mac OS X

Question 17

Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file?

Options:

A.

Sector

B.

Metadata

C.

MFT

D.

Slack Space

Question 18

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

Options:

A.

evidence must be handled in the same way regardless of the type of case

B.

evidence procedures are not important unless you work for a law enforcement agency

C.

evidence in a criminal case must be secured more tightly than in a civil case

D.

evidence in a civil case must be secured more tightly than in a criminal case

Question 19

When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.

Options:

A.

A Capital X

B.

A Blank Space

C.

The Underscore Symbol

D.

The lowercase Greek Letter Sigma (s)

Question 20

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacture. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO?

Options:

A.

the attorney-work-product rule

B.

Good manners

C.

Trade secrets

D.

ISO 17799

Question 21

The use of warning banners helps a company avoid litigation by overcoming an employee assumed __________________________. When connecting to the company's intranet, network or Virtual Private Network(VPN) and will allow the company's investigators to monitor, search and retrieve information stored within the network.

Options:

A.

Right to work

B.

Right of free speech

C.

Right to Internet Access

D.

Right of Privacy

Question 22

Office documents (Word, Excel, PowerPoint) contain a code that allows tracking the MAC, or unique identifier, of the machine that created the document. What is that code called?

Options:

A.

the Microsoft Virtual Machine Identifier

B.

the Personal Application Protocol

C.

the Globally Unique ID

D.

the Individual ASCII String

Question 23

You are called in to assist the police in an investigation involving a suspected drug dealer. The suspects house was searched by the police after a warrant was obtained and they located a floppy disk in the suspects bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you can use to obtain the password?

Options:

A.

Limited force and library attack

B.

Brute Force and dictionary Attack

C.

Maximum force and thesaurus Attack

D.

Minimum force and appendix Attack

Question 24

How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?

Options:

A.

128

B.

64

C.

32

D.

16

Question 25

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?

Options:

A.

Universal Time Set

B.

Network Time Protocol

C.

SyncTime Service

D.

Time-Sync Protocol

Question 26

After undergoing an external IT audit, George realizes his network is vulnerable to DDoS attacks.

What countermeasures could he take to prevent DDoS attacks?

Options:

A.

Enable direct broadcasts

B.

Disable direct broadcasts

C.

Disable BGP

D.

Enable BGP

Question 27

If you plan to startup a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive.

Options:

A.

deltree command

B.

CMOS

C.

Boot.sys

D.

Scandisk utility

Question 28

While analyzing a hard disk, the investigator finds that the file system does not use UEFI-based interface. Which of the following operating systems is present on the hard disk?

Options:

A.

Windows 10

B.

Windows 8

C.

Windows 7

D.

Windows 8.1

Question 29

NTFS sets a flag for the file once you encrypt it and creates an EFS attribute where it stores Data Decryption Field (DDF) and Data Recovery Field (DDR). Which of the following is not a part of DDF?

Options:

A.

Encrypted FEK

B.

Checksum

C.

EFS Certificate Hash

D.

Container Name

Question 30

Which of the following commands shows you the username and IP address used to access the system via a remote login session and the type of client from which they are accessing the system?

Options:

A.

Net config

B.

Net sessions

C.

Net share

D.

Net stat

Question 31

Which component in the hard disk moves over the platter to read and write information?

Options:

A.

Actuator

B.

Spindle

C.

Actuator Axis

D.

Head

Question 32

Which of the following tool can reverse machine code to assembly language?

Options:

A.

PEiD

B.

RAM Capturer

C.

IDA Pro

D.

Deep Log Analyzer

Question 33

The given image displays information about date and time of installation of the OS along with service packs, patches, and sub-directories. What command or tool did the investigator use to view this output?

Options:

A.

dir /o:d

B.

dir /o:s

C.

dir /o:e

D.

dir /o:n

Question 34

Which part of Metasploit framework helps users to hide the data related to a previously deleted file or currently unused by the allocated file.

Options:

A.

Waffen FS

B.

RuneFS

C.

FragFS

D.

Slacker

Question 35

What is the capacity of Recycle bin in a system running on Windows Vista?

Options:

A.

2.99GB

B.

3.99GB

C.

Unlimited

D.

10% of the partition space

Question 36

Which of the following setups should a tester choose to analyze malware behavior?

Options:

A.

A virtual system with internet connection

B.

A normal system without internet connect

C.

A normal system with internet connection

D.

A virtual system with network simulation for internet connection

Question 37

Brian needs to acquire data from RAID storage. Which of the following acquisition methods is recommended to retrieve only the data relevant to the investigation?

Options:

A.

Static Acquisition

B.

Sparse or Logical Acquisition

C.

Bit-stream disk-to-disk Acquisition

D.

Bit-by-bit Acquisition

Question 38

CAN-SPAM act requires that you:

Options:

A.

Don’t use deceptive subject lines

B.

Don’t tell the recipients where you are located

C.

Don’t identify the message as an ad

D.

Don’t use true header information

Question 39

Which of the following statements is TRUE with respect to the Registry settings in the user start-up folder HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\.

Options:

A.

All the values in this subkey run when specific user logs on, as this setting is user-specific

B.

The string specified in the value run executes when user logs on

C.

All the values in this key are executed at system start-up

D.

All values in this subkey run when specific user logs on and then the values are deleted

Question 40

Sheila is a forensics trainee and is searching for hidden image files on a hard disk. She used a forensic investigation tool to view the media in hexadecimal code for simplifying the search process. Which of the following hex codes should she look for to identify image files?

Options:

A.

ff d8 ff

B.

25 50 44 46

C.

d0 0f 11 e0

D.

50 41 03 04

Question 41

Which of the following registry hive gives the configuration information about which application was used to open various files on the system?

Options:

A.

HKEY_CLASSES_ROOT

B.

HKEY_CURRENT_CONFIG

C.

HKEY_LOCAL_MACHINE

D.

HKEY_USERS

Question 42

Which of the following information is displayed when Netstat is used with -ano switch?

Options:

A.

Ethernet statistics

B.

Contents of IP routing table

C.

Details of routing table

D.

Details of TCP and UDP connections

Question 43

Which one of the following is not a first response procedure?

Options:

A.

Preserve volatile data

B.

Fill forms

C.

Crack passwords

D.

Take photos

Question 44

The Apache server saves diagnostic information and error messages that it encounters while processing requests. The default path of this file is usr/local/apache/logs/error.log in Linux. Identify the Apache error log from the following logs.

Options:

A.

http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..% c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1

B.

[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /export/home/live/ap/htdocs/test

C.

127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700]"GET /apache_pb.gif HTTP/1.0" 200 2326

D.

127.0.0.1 - - [10/Apr/2007:10:39:11 +0300] ] [error] "GET /apache_pb.gif HTTP/1.0" 200 2326

Question 45

Which ISO Standard enables laboratories to demonstrate that they comply with quality assurance and provide valid results?

Options:

A.

ISO/IEC 16025

B.

ISO/IEC 18025

C.

ISO/IEC 19025

D.

ISO/IEC 17025

Question 46

An investigator enters the command sqlcmd -S WIN-CQQMK62867E -e -s"," -E as part of collecting the primary data file and logs from a database. What does the "WIN-CQQMK62867E” represent?

Options:

A.

Name of the Database

B.

Name of SQL Server

C.

Operating system of the system

D.

Network credentials of the database

Question 47

Which of the following statements is true regarding SMTP Server?

Options:

A.

SMTP Server breaks the recipient’s address into Recipient’s name and his/her designation before passing it to the DNS Server

B.

SMTP Server breaks the recipient's address into Recipient’s name and recipient’s address before passing it to the DNS Server

C.

SMTP Server breaks the recipient’s address into Recipient’s name and domain name before passing it to the DNS Server

D.

SMTP Server breaks the recipient’s address into Recipient’s name and his/her initial before passing it to the DNS Server

Question 48

James is dealing with a case regarding a cybercrime that has taken place in Arizona, USA. James needs to lawfully seize the evidence from an electronic device without affecting the user's anonymity. Which of the following law should he comply with, before retrieving the evidence?

Options:

A.

First Amendment of the U.S. Constitution

B.

Fourth Amendment of the U.S. Constitution

C.

Third Amendment of the U.S. Constitution

D.

Fifth Amendment of the U.S. Constitution

Question 49

Which among the following tools can help a forensic investigator to access the registry files during postmortem analysis?

Options:

A.

RegistryChangesView

B.

RegDIIView

C.

RegRipper

D.

ProDiscover

Question 50

Which of the following Windows-based tool displays who is logged onto a computer, either locally or remotely?

Options:

A.

Tokenmon

B.

PSLoggedon

C.

TCPView

D.

Process Monitor

Question 51

In Linux OS, different log files hold different information, which help the investigators to analyze various issues during a security incident. What information can the investigators obtain from the log file

var/log/dmesg?

Options:

A.

Kernel ring buffer information

B.

All mail server message logs

C.

Global system messages

D.

Debugging log messages

Question 52

Which of the following standard represents a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases?

Options:

A.

SWGDE & SWGIT

B.

Daubert

C.

Frye

D.

IOCE

Question 53

A section of your forensics lab houses several electrical and electronic equipment. Which type of fire extinguisher you must install in this area to contain any fire incident?

Options:

A.

Class B

B.

Class D

C.

Class C

D.

Class A

Question 54

What does Locard's Exchange Principle state?

Options:

A.

Any information of probative value that is either stored or transmitted in a digital form

B.

Digital evidence must have some characteristics to be disclosed in the court of law

C.

Anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave

D.

Forensic investigators face many challenges during forensics investigation of a digital crime, such as extracting, preserving, and analyzing the digital evidence

Question 55

Consider a scenario where the perpetrator of a dark web crime has unlnstalled Tor browser from their computer after committing the crime. The computer has been seized by law enforcement so they can Investigate It for artifacts of Tor browser usage. Which of the following should the Investigators examine to establish the use of Tor browser on the suspect machine?

Options:

A.

Swap files

B.

Files in Recycle Bin

C.

Security logs

D.

Prefetch files

Question 56

You are a forensic investigator who is analyzing a hard drive that was recently collected as evidence. You have been unsuccessful at locating any meaningful evidence within the file system and suspect a drive wiping utility may have been used. You have reviewed the keys within the software hive of the Windows registry and did not find any drive wiping utilities. How can you verify that drive wiping software was used on the hard drive?

Options:

A.

Document in your report that you suspect a drive wiping utility was used, but no evidence was found

B.

Check the list of installed programs

C.

Load various drive wiping utilities offline, and export previous run reports

D.

Look for distinct repeating patterns on the hard drive at the bit level

Question 57

An EC2 instance storing critical data of a company got infected with malware. The forensics team took the EBS volume snapshot of the affected Instance to perform further analysis and collected other data of evidentiary value. What should be their next step?

Options:

A.

They should pause the running instance

B.

They should keep the instance running as it stores critical data

C.

They should terminate all instances connected via the same VPC

D.

They should terminate the instance after taking necessary backup

Question 58

When Investigating a system, the forensics analyst discovers that malicious scripts were Injected Into benign and trusted websites. The attacker used a web application to send malicious code. In the form of a browser side script, to a different end-user. What attack was performed here?

Options:

A.

Brute-force attack

B.

Cookie poisoning attack

C.

Cross-site scripting attack

D.

SQL injection attack

Question 59

Which "Standards and Criteria" under SWDGE states that "the agency must use hardware and software that are appropriate and effective for the seizure or examination procedure"?

Options:

A.

Standards and Criteria 1.7

B.

Standards and Criteria 1.6

C.

Standards and Criteria 1.4

D.

Standards and Criteria 1.5

Question 60

An investigator wants to extract passwords from SAM and System Files. Which tool can the Investigator use to obtain a list of users, passwords, and their hashes In this case?

Options:

A.

PWdump7

B.

HashKey

C.

Nuix

D.

FileMerlin

Question 61

Which of the following tools is used to dump the memory of a running process, either immediately or when an error condition occurs?

Options:

A.

FATKit

B.

Coreography

C.

Belkasoft Live RAM Capturer

D.

Cachelnf

Question 62

Jacob, a cybercrime investigator, joined a forensics team to participate in a criminal case involving digital evidence. After the investigator collected all the evidence and presents it to the court, the judge dropped the case and the defense attorney pressed charges against Jacob and the rest of the forensics team for unlawful search and seizure. What forensics privacy issue was not addressed prior to collecting the evidence?

Options:

A.

Compliance with the Second Amendment of the U.S. Constitution

B.

Compliance with the Third Amendment of the U.S. Constitution

C.

None of these

D.

Compliance with the Fourth Amendment of the U.S. Constitution

Question 63

During a forensic investigation, a large number of files were collected. The investigator needs to evaluate ownership and accountability of those files. Therefore, he begins to Identify attributes such as "author name," "organization name." "network name," or any additional supporting data that is meant for the owner's Identification purpose. Which term describes these attributes?

Options:

A.

Data header

B.

Data index

C.

Metabase

D.

Metadata

Question 64

During an Investigation. Noel found a SIM card from the suspect's mobile. The ICCID on the card is

8944245252001451548.

What does the first four digits (89 and 44) In the ICCID represent?

Options:

A.

TAC and industry identifier

B.

Country code and industry identifier

C.

Industry identifier and country code

D.

Issuer identifier number and TAC

Question 65

Cloud forensic investigations impose challenges related to multi-jurisdiction and multi-tenancy aspects. To have a better understanding of the roles and responsibilities between the cloud service provider (CSP) and the client, which document should the forensic investigator review?

Options:

A.

Service level agreement

B.

Service level management

C.

National and local regulation

D.

Key performance indicator

Question 66

Sally accessed the computer system that holds trade secrets of the company where she Is employed. She knows she accessed It without authorization and all access (authorized and unauthorized) to this computer Is monitored.To cover her tracks. Sally deleted the log entries on this computer. What among the following best describes her action?

Options:

A.

Password sniffing

B.

Anti-forensics

C.

Brute-force attack

D.

Network intrusion

Question 67

Fred, a cybercrime Investigator for the FBI, finished storing a solid-state drive In a static resistant bag and filled out the chain of custody form. Two days later. John grabbed the solid-state drive and created a clone of It (with write blockers enabled) In order to Investigate the drive. He did not document the chain of custody though. When John was finished, he put the solid-state drive back in the static resistant and placed it back in the evidence locker. A day later, the court trial began and upon presenting the evidence and the supporting documents, the chief Justice outright rejected them. Which of the following statements strongly support the reason for rejecting the evidence?

Options:

A.

Block clones cannot be created with solid-state drives

B.

Write blockers were used while cloning the evidence

C.

John did not document the chain of custody

D.

John investigated the clone instead of the original evidence itself

Question 68

A breach resulted from a malware attack that evaded detection and compromised the machine memory without installing any software or accessing the hard drive. What technique did the adversaries use to deliver the attack?

Options:

A.

Fileless

B.

Trojan

C.

JavaScript

D.

Spyware

Question 69

Simona has written a regular expression for the detection of web application-specific attack attempt that reads as /((\%3C)|)/lx. Which of the following does the part (|\%3E)|>) look for?

Options:

A.

Alphanumeric string or its hex equivalent

B.

Opening angle bracket or its hex equivalent

C.

Closing angle bracket or its hex equivalent

D.

Forward slash for a closing tag or its hex equivalent

Question 70

Maria has executed a suspicious executable file In a controlled environment and wants to see if the file adds/modifies any registry value after execution via Windows Event Viewer. Which of the following event ID should she look for In this scenario?

Options:

A.

Event ID 4657

B.

Event ID 4624

C.

Event ID 4688

D.

Event ID 7040

Question 71

Fill In the missing Master Boot Record component.

1. Master boot code

2. Partition table

3._______________

Options:

A.

Boot loader

B.

Signature word

C.

Volume boot record

D.

Disk signature

Question 72

You are an information security analyst at a large pharmaceutical company. While performing a routine review of audit logs, you have noticed a significant amount of egress traffic to various IP addresses on destination port 22 during off-peak hours. You researched some of the IP addresses and found that many of them are in Eastern Europe. What is the most likely cause of this traffic?

Options:

A.

Malicious software on internal system is downloading research data from partner 5FTP servers in Eastern Europe

B.

Internal systems are downloading automatic Windows updates

C.

Data is being exfiltrated by an advanced persistent threat (APT)

D.

The organization's primary internal DNS server has been compromised and is performing DNS zone transfers to malicious external entities

Question 73

Which among the following acts has been passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations?

Options:

A.

Federal Information Security Management act of 2002

B.

Gramm-Leach-Bliley act

C.

Health insurance Probability and Accountability act of 1996

D.

Sarbanes-Oxley act of 2002

Question 74

Which of the following Windows event logs record events related to device drives and hardware changes?

Options:

A.

Forwarded events log

B.

System log

C.

Application log

D.

Security log

Question 75

What is the extension used by Windows OS for shortcut files present on the machine?

Options:

A.

.log

B.

.pf

C.

.lnk

D.

.dat

Question 76

Which layer in the loT architecture is comprised of hardware parts such as sensors, RFID tags, and devices that play an important role in data collection?

Options:

A.

Middleware layer

B.

Edge technology layer

C.

Application layer

D.

Access gateway layer

Question 77

Matthew has been assigned the task of analyzing a suspicious MS Office document via static analysis over an Ubuntu-based forensic machine. He wants to see what type of document It Is. whether It Is encrypted, or contains any flash objects/VBA macros. Which of the following python-based script should he run to get relevant information?

Options:

A.

oleform.py

B.

oleid.py

C.

oledir.py

D.

pdfid.py

Question 78

William is examining a log entry that reads 192.168.0.1 - - [18/Jan/2020:12:42:29 +0000) "GET / HTTP/1.1" 200 1861. Which of the following logs does the log entry belong to?

Options:

A.

The combined log format of Apache access log

B.

The common log format of Apache access log

C.

Apache error log

D.

IIS log

Question 79

Cybercriminals sometimes use compromised computers to commit other crimes, which may involve using computers or networks to spread malware or Illegal Information. Which type of cybercrime stops users from using a device or network, or prevents a company from providing a software service to its customers?

Options:

A.

Denial-of-Service (DoS) attack

B.

Malware attack

C.

Ransomware attack

D.

Phishing

Question 80

An investigator Is examining a file to identify any potentially malicious content. To avoid code execution and still be able to uncover hidden indicators of compromise (IOC), which type of examination should the investigator perform:

Options:

A.

Threat hunting

B.

Threat analysis

C.

Static analysis

D.

Dynamic analysis

Question 81

A forensic analyst has been tasked with investigating unusual network activity Inside a retail company's network. Employees complain of not being able to access services, frequent rebooting, and anomalies In log files. The Investigator requested log files from the IT administrator and after carefully reviewing them, he finds the following log entry:

What type of attack was performed on the companies' web application?

Options:

A.

Directory transversal

B.

Unvalidated input

C.

Log tampering

D.

SQL injection

Question 82

Why would you need to find out the gateway of a device when investigating a wireless attack?

Options:

A.

The gateway will be the IP of the proxy server used by the attacker to launch the attack

B.

The gateway will be the IP of the attacker computer

C.

The gateway will be the IP used to manage the RADIUS server

D.

The gateway will be the IP used to manage the access point

Question 83

Which rule requires an original recording to be provided to prove the content of a recording?

Options:

A.

1004

B.

1002

C.

1003

D.

1005

Question 84

Depending upon the jurisdictional areas, different laws apply to different incidents. Which of the following law is related to fraud and related activity in connection with computers?

Options:

A.

18 USC §1029

B.

18 USC §1030

C.

18 USC §1361

D.

18 USC §1371

Question 85

Why is it still possible to recover files that have been emptied from the Recycle Bin on a Windows computer?

Options:

A.

The data is still present until the original location of the file is used

B.

The data is moved to the Restore directory and is kept there indefinitely

C.

The data will reside in the L2 cache on a Windows computer until it is manually deleted

D.

It is not possible to recover data that has been emptied from the Recycle Bin

Question 86

To which phase of the Computer Forensics Investigation Process does the Planning and Budgeting of a Forensics Lab belong?

Options:

A.

Post-investigation Phase

B.

Reporting Phase

C.

Pre-investigation Phase

D.

Investigation Phase

Question 87

Steven has been given the task of designing a computer forensics lab for the company he works for. He has found documentation on all aspects of how to design a lab except the number of exits needed. How many exits should Steven include in his design for the computer forensics lab?

Options:

A.

Three

B.

One

C.

Two

D.

Four

Question 88

When a router receives an update for its routing table, what is the metric value change to that path?

Options:

A.

Increased by 2

B.

Decreased by 1

C.

Increased by 1

D.

Decreased by 2

Question 89

When should an MD5 hash check be performed when processing evidence?

Options:

A.

After the evidence examination has been completed

B.

On an hourly basis during the evidence examination

C.

Before and after evidence examination

D.

Before the evidence examination has been completed

Question 90

Given the drive dimensions as follows and assuming a sector has 512 bytes, what is the capacity of the described hard drive?

22,164 cylinders/disk

80 heads/cylinder

63 sectors/track

Options:

A.

53.26 GB

B.

57.19 GB

C.

11.17 GB

D.

10 GB

Question 91

What file is processed at the end of a Windows XP boot to initialize the logon dialog box?

Options:

A.

NTOSKRNL.EXE

B.

NTLDR

C.

LSASS.EXE

D.

NTDETECT.COM

Question 92

What type of attack sends spoofed UDP packets (instead of ping packets) with a fake source address to the IP broadcast address of a large network?

Options:

A.

Fraggle

B.

Smurf scan

C.

SYN flood

D.

Teardrop

Question 93

Cylie is investigating a network breach at a state organization in Florida. She discovers that the intruders were able to gain access into the company firewalls by overloading them with IP packets. Cylie then discovers through her investigation that the intruders hacked into the company phone system and used the hard drives on their PBX system to store shared music files. What would this attack on the company PBX system be called?

Options:

A.

Phreaking

B.

Squatting

C.

Crunching

D.

Pretexting

Question 94

Sectors are pie-shaped regions on a hard disk that store data. Which of the following parts of a hard disk do not contribute in determining the addresses of data?

Options:

A.

Sectors

B.

Interface

C.

Cylinder

D.

Heads

Question 95

What will the following Linux command accomplish?

dd if=/dev/mem of=/home/sam/mem.bin bs=1024

Options:

A.

Copy the master boot record to a file

B.

Copy the contents of the system folder to a file

C.

Copy the running memory to a file

D.

Copy the memory dump file to an image file

Question 96

Harold is a computer forensics investigator working for a consulting firm out of Atlanta Georgia. Harold is called upon to help with a corporate espionage case in Miami Florida. Harold assists in the investigation by pulling all the data from the computers allegedly used in the illegal activities. He finds that two suspects in the company where stealing sensitive corporate information and selling it to competing companies. From the email and instant messenger logs recovered, Harold has discovered that the two employees notified the buyers by writing symbols on the back of specific stop signs. This way, the buyers knew when and where to meet with the alleged suspects to buy the stolen material. What type of steganography did these two suspects use?

Options:

A.

Text semagram

B.

Visual semagram

C.

Grill cipher

D.

Visual cipher

Question 97

What is the CIDR from the following screenshot?

Options:

A.

/24A./24A./24

B.

/32 B./32 B./32

C.

/16 C./16 C./16

D.

/8D./8D./8

Question 98

Which of the following are small pieces of data sent from a website and stored on the user’s computer by the user’s web browser to track, validate, and maintain specific user information?

Options:

A.

Temporary Files

B.

Open files

C.

Cookies

D.

Web Browser Cache

Question 99

Which network attack is described by the following statement?

“At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries.”

Options:

A.

DDoS

B.

Sniffer Attack

C.

Buffer Overflow

D.

Man-in-the-Middle Attack

Question 100

Which password cracking technique uses details such as length of password, character sets used to construct the password, etc.?

Options:

A.

Dictionary attack

B.

Brute force attack

C.

Rule-based attack

D.

Man in the middle attack

Question 101

What layer of the OSI model do TCP and UDP utilize?

Options:

A.

Data Link

B.

Network

C.

Transport

D.

Session

Question 102

Which of the following files stores information about local Dropbox installation and account, email IDs linked with the account, current version/build for the local application, the host_id, and local path information?

Options:

A.

host.db

B.

sigstore.db

C.

config.db

D.

filecache.db

Question 103

Jacob is a computer forensics investigator with over 10 years experience in investigations and has written over 50 articles on computer forensics. He has been called upon as a qualified witness to testify the accuracy and integrity of the technical log files gathered in an investigation into computer fraud. What is the term used for Jacob testimony in this case?

Options:

A.

Justification

B.

Authentication

C.

Reiteration

D.

Certification

Question 104

Tyler is setting up a wireless network for his business that he runs out of his home. He has followed all the directions from the ISP as well as the wireless router manual. He does not have any encryption set and the SSID is being broadcast. On his laptop, he can pick up the wireless signal for short periods of time, but then the connection drops and the signal goes away.

Eventually the wireless signal shows back up, but drops intermittently. What could be Tyler issue with his home wireless network?

Options:

A.

Computers on his wired network

B.

Satellite television

C.

2.4Ghz Cordless phones

D.

CB radio

Question 105

What advantage does the tool Evidor have over the built-in Windows search?

Options:

A.

It can find deleted files even after they have been physically removed

B.

It can find bad sectors on the hard drive

C.

It can search slack space

D.

It can find files hidden within ADS

Demo: 105 questions
Total 704 questions