Pre-Winter Sale Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ex2p65

Exact2Pass Menu

Question # 4

Which of the following standard represents a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases?

A.

SWGDE & SWGIT

B.

Daubert

C.

Frye

D.

IOCE

Full Access
Question # 5

Where should the investigator look for the Edge browser’s browsing records, including history, cache, and cookies?

A.

ESE Database

B.

Virtual Memory

C.

Sparse files

D.

Slack Space

Full Access
Question # 6

In a computer that has Dropbox client installed, which of the following files related to the Dropbox client store information about local Dropbox installation and the Dropbox user account, along with email IDs linked with the account?

A.

config.db

B.

install.db

C.

sigstore.db

D.

filecache.db

Full Access
Question # 7

You are assigned a task to examine the log files pertaining to MyISAM storage engine. While examining, you are asked to perform a recovery operation on a MyISAM log file. Which among the following MySQL Utilities allow you to do so?

A.

mysqldump

B.

myisamaccess

C.

myisamlog

D.

myisamchk

Full Access
Question # 8

MAC filtering is a security access control methodology, where a ___________ is assigned to each network card to determine access to the network.

A.

48-bit address

B.

24-bit address

C.

16-bit address

D.

32-bit address

Full Access
Question # 9

BMP (Bitmap) is a standard file format for computers running the Windows operating system. BMP images can range from black and white (1 bit per pixel) up to 24 bit color (16.7 million colors). Each bitmap file contains a header, the RGBQUAD array, information header, and image data. Which of the following element specifies the dimensions, compression type, and color format for the bitmap?

A.

Information header

B.

Image data

C.

The RGBQUAD array

D.

Header

Full Access
Question # 10

Which of the following email headers specifies an address for mailer-generated errors, like "no such user" bounce messages, to go to (instead of the sender's address)?

A.

Mime-Version header

B.

Content-Type header

C.

Content-Transfer-Encoding header

D.

Errors-To header

Full Access
Question # 11

What is the capacity of Recycle bin in a system running on Windows Vista?

A.

2.99GB

B.

3.99GB

C.

Unlimited

D.

10% of the partition space

Full Access
Question # 12

Which of these rootkit detection techniques function by comparing a snapshot of the file system, boot records, or memory with a known and trusted baseline?

A.

Signature-Based Detection

B.

Integrity-Based Detection

C.

Cross View-Based Detection

D.

Heuristic/Behavior-Based Detection

Full Access
Question # 13

Which of the following information is displayed when Netstat is used with -ano switch?

A.

Ethernet statistics

B.

Contents of IP routing table

C.

Details of routing table

D.

Details of TCP and UDP connections

Full Access
Question # 14

Amelia has got an email from a well-reputed company stating in the subject line that she has won a prize money, whereas the email body says that she has to pay a certain amount for being eligible for the contest. Which of the following acts does the email breach?

A.

CAN-SPAM Act

B.

HIPAA

C.

GLBA

D.

SOX

Full Access
Question # 15

Sheila is a forensics trainee and is searching for hidden image files on a hard disk. She used a forensic investigation tool to view the media in hexadecimal code for simplifying the search process. Which of the following hex codes should she look for to identify image files?

A.

ff d8 ff

B.

25 50 44 46

C.

d0 0f 11 e0

D.

50 41 03 04

Full Access
Question # 16

Which among the following U.S. laws requires financial institutions—companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance—to protect their customers’ information against security threats?

A.

SOX

B.

HIPAA

C.

GLBA

D.

FISMA

Full Access
Question # 17

What is the investigator trying to view by issuing the command displayed in the following screenshot?

A.

List of services stopped

B.

List of services closed recently

C.

List of services recently started

D.

List of services installed

Full Access
Question # 18

Graphics Interchange Format (GIF) is a ____ RGB bitmap image format for images with up to 256 distinct colors per frame.

A.

8-bit

B.

32-bit

C.

16-bit

D.

24-bit

Full Access
Question # 19

In Linux OS, different log files hold different information, which help the investigators to analyze various issues during a security incident. What information can the investigators obtain from the log file

var/log/dmesg?

A.

Kernel ring buffer information

B.

All mail server message logs

C.

Global system messages

D.

Debugging log messages

Full Access
Question # 20

POP3 is an Internet protocol, which is used to retrieve emails from a mail server. Through which port does an email client connect with a POP3 server?

A.

110

B.

143

C.

25

D.

993

Full Access
Question # 21

Which of the following is a non-zero data that an application allocates on a hard disk cluster in systems running on Windows OS?

A.

Sparse File

B.

Master File Table

C.

Meta Block Group

D.

Slack Space

Full Access
Question # 22

Which of the following standard represents a legal precedent set in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses' testimony during federal legal proceedings?

A.

SWGDE & SWGIT

B.

IOCE

C.

Frye

D.

Daubert

Full Access
Question # 23

Which cloud model allows an investigator to acquire the instance of a virtual machine and initiate the forensics examination process?

A.

PaaS model

B.

IaaS model

C.

SaaS model

D.

SecaaS model

Full Access
Question # 24

What do you call the process in which an attacker uses magnetic field over the digital media device to delete any previously stored data?

A.

Disk deletion

B.

Disk cleaning

C.

Disk degaussing

D.

Disk magnetization

Full Access
Question # 25

Joshua is analyzing an MSSQL database for finding the attack evidence and other details, where should he look for the database logs?

A.

Model.log

B.

Model.txt

C.

Model.ldf

D.

Model.lgf

Full Access
Question # 26

Which among the following laws emphasizes the need for each Federal agency to develop, document, and implement an organization-wide program to provide information security for the information systems that support its operations and assets?

A.

FISMA

B.

HIPAA

C.

GLBA

D.

SOX

Full Access
Question # 27

Consider a scenario where the perpetrator of a dark web crime has unlnstalled Tor browser from their computer after committing the crime. The computer has been seized by law enforcement so they can Investigate It for artifacts of Tor browser usage. Which of the following should the Investigators examine to establish the use of Tor browser on the suspect machine?

A.

Swap files

B.

Files in Recycle Bin

C.

Security logs

D.

Prefetch files

Full Access
Question # 28

Simona has written a regular expression for the detection of web application-specific attack attempt that reads as /((\%3C)|)/lx. Which of the following does the part (|\%3E)|>) look for?

A.

Alphanumeric string or its hex equivalent

B.

Opening angle bracket or its hex equivalent

C.

Closing angle bracket or its hex equivalent

D.

Forward slash for a closing tag or its hex equivalent

Full Access
Question # 29

During a forensic investigation, a large number of files were collected. The investigator needs to evaluate ownership and accountability of those files. Therefore, he begins to Identify attributes such as "author name," "organization name." "network name," or any additional supporting data that is meant for the owner's Identification purpose. Which term describes these attributes?

A.

Data header

B.

Data index

C.

Metabase

D.

Metadata

Full Access
Question # 30

Which "Standards and Criteria" under SWDGE states that "the agency must use hardware and software that are appropriate and effective for the seizure or examination procedure"?

A.

Standards and Criteria 1.7

B.

Standards and Criteria 1.6

C.

Standards and Criteria 1.4

D.

Standards and Criteria 1.5

Full Access
Question # 31

You are the incident response manager at a regional bank. While performing routine auditing of web application logs, you find several attempted login submissions that contain the following strings:

What kind of attack has occurred?

A.

SQL injection

B.

Buffer overflow

C.

Cross-size scripting

D.

Cross-size request forgery

Full Access
Question # 32

Cloud forensic investigations impose challenges related to multi-jurisdiction and multi-tenancy aspects. To have a better understanding of the roles and responsibilities between the cloud service provider (CSP) and the client, which document should the forensic investigator review?

A.

Service level agreement

B.

Service level management

C.

National and local regulation

D.

Key performance indicator

Full Access
Question # 33

Maria has executed a suspicious executable file In a controlled environment and wants to see if the file adds/modifies any registry value after execution via Windows Event Viewer. Which of the following event ID should she look for In this scenario?

A.

Event ID 4657

B.

Event ID 4624

C.

Event ID 4688

D.

Event ID 7040

Full Access
Question # 34

Mark works for a government agency as a cyber-forensic investigator. He has been given the task of restoring data from a hard drive. The partition of the hard drive was deleted by a disgruntled employee In order to hide their nefarious actions. What tool should Mark use to restore the data?

A.

EFSDump

B.

Diskmon D

C.

iskvlew

D.

R-Studio

Full Access
Question # 35

Which OWASP loT vulnerability talks about security flaws such as lack of firmware validation, lack of secure delivery, and lack of anti-rollback mechanisms on loT devices?

A.

Lack of secure update mechanism

B.

Use of insecure or outdated components

C.

Insecure default settings

D.

Insecure data transfer and storage

Full Access
Question # 36

SO/IEC 17025 is an accreditation for which of the following:

A.

CHFI issuing agency

B.

Encryption

C.

Forensics lab licensing

D.

Chain of custody

Full Access
Question # 37

Web browsers can store relevant information from user activities. Forensic investigators may retrieve files, lists, access history, cookies, among other digital footprints. Which tool can contribute to this task?

A.

Most Recently Used (MRU) list

B.

MZCacheView

C.

Google Chrome Recovery Utility

D.

Task Manager

Full Access
Question # 38

"To ensure that the digital evidence is collected, preserved, examined, or transferred In a manner safeguarding the accuracy and reliability of the evidence, law enforcement, and forensics organizations must establish and maintain an effective quality system" Is a principle established by:

A.

NCIS

B.

NIST

C.

EC-Council

D.

SWGDE

Full Access
Question # 39

According to RFC 3227, which of the following is considered as the most volatile item on a typical system?

A.

Registers and cache

B.

Temporary system files

C.

Archival media

D.

Kernel statistics and memory

Full Access
Question # 40

Storage location of Recycle Bin for NTFS file systems (Windows Vista and later) is located at:

A.

Drive:\$ Recycle. Bin

B.

DriveARECYClE.BIN

C.

Drive:\RECYCLER

D.

Drive:\REYCLED

Full Access
Question # 41

Which of the following attacks refers to unintentional download of malicious software via the Internet? Here, an attacker exploits flaws in browser software to install malware merely by the user visiting the malicious website.

A.

Malvertising

B.

Internet relay chats

C.

Drive-by downloads

D.

Phishing

Full Access
Question # 42

The information security manager at a national legal firm has received several alerts from the intrusion detection system that a known attack signature was detected against the organization's file server. What should the information security manager do first?

A.

Report the incident to senior management

B.

Update the anti-virus definitions on the file server

C.

Disconnect the file server from the network

D.

Manually investigate to verify that an incident has occurred

Full Access
Question # 43

Brian has the job of analyzing malware for a software security company. Brian has setup a virtual environment that includes virtual machines running various versions of OSes. Additionally, Brian has setup separated virtual networks within this environment The virtual environment does not connect to the company's intranet nor does it connect to the external Internet. With everything setup, Brian now received an executable file from client that has undergone a cyberattack. Brian ran the executable file In the virtual environment to see what it would do. What type of analysis did Brian perform?

A.

Static malware analysis

B.

Status malware analysis

C.

Dynamic malware analysis

D.

Static OS analysis

Full Access
Question # 44

Matthew has been assigned the task of analyzing a suspicious MS Office document via static analysis over an Ubuntu-based forensic machine. He wants to see what type of document It Is. whether It Is encrypted, or contains any flash objects/VBA macros. Which of the following python-based script should he run to get relevant information?

A.

oleform.py

B.

oleid.py

C.

oledir.py

D.

pdfid.py

Full Access
Question # 45

In which loT attack does the attacker use multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks?

A.

Replay attack

B.

Jamming attack

C.

Blueborne attack

D.

Sybil attack

Full Access
Question # 46

Edgar is part of the FBI's forensic media and malware analysis team; he Is analyzing a current malware and Is conducting a thorough examination of the suspect system, network, and other connected devices. Edgar's approach Is to execute the malware code to know how It Interacts with the host system and Its Impacts on It. He is also using a virtual machine and a sandbox environment.

What type of malware analysis is Edgar performing?

A.

Malware disassembly

B.

VirusTotal analysis

C.

Static analysis

D.

Dynamic malware analysis/behavioral analysis

Full Access
Question # 47

This is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted. Which among the following is suitable for the above statement?

A.

Testimony by the accused

B.

Limited admissibility

C.

Hearsay rule

D.

Rule 1001

Full Access
Question # 48

Which Federal Rule of Evidence speaks about the Hearsay exception where the availability of the declarant Is immaterial and certain characteristics of the declarant such as present sense Impression, excited utterance, and recorded recollection are also observed while giving their testimony?

A.

Rule 801

B.

Rule 802

C.

Rule 804

D.

Rule 803

Full Access
Question # 49

To understand the impact of a malicious program after the booting process and to collect recent information from the disk partition, an Investigator should evaluate the content of the:

A.

MBR

B.

GRUB

C.

UEFI

D.

BIOS

Full Access
Question # 50

An EC2 instance storing critical data of a company got infected with malware. The forensics team took the EBS volume snapshot of the affected Instance to perform further analysis and collected other data of evidentiary value. What should be their next step?

A.

They should pause the running instance

B.

They should keep the instance running as it stores critical data

C.

They should terminate all instances connected via the same VPC

D.

They should terminate the instance after taking necessary backup

Full Access
Question # 51

Adam Is thinking of establishing a hospital In the US and approaches John, a software developer to build a site and host it for him on one of the servers, which would be used to store patient health records. He has learned from his legal advisors that he needs to have the server's log data reviewed and managed according to certain standards and regulations. Which of the following regulations are the legal advisors referring to?

A.

Data Protection Act of 2018

B.

Payment Card Industry Data Security Standard (PCI DSS)

C.

Electronic Communications Privacy Act

D.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Full Access
Question # 52

______allows a forensic investigator to identify the missing links during investigation.

A.

Evidence preservation

B.

Chain of custody

C.

Evidence reconstruction

D.

Exhibit numbering

Full Access
Question # 53

Fred, a cybercrime Investigator for the FBI, finished storing a solid-state drive In a static resistant bag and filled out the chain of custody form. Two days later. John grabbed the solid-state drive and created a clone of It (with write blockers enabled) In order to Investigate the drive. He did not document the chain of custody though. When John was finished, he put the solid-state drive back in the static resistant and placed it back in the evidence locker. A day later, the court trial began and upon presenting the evidence and the supporting documents, the chief Justice outright rejected them. Which of the following statements strongly support the reason for rejecting the evidence?

A.

Block clones cannot be created with solid-state drives

B.

Write blockers were used while cloning the evidence

C.

John did not document the chain of custody

D.

John investigated the clone instead of the original evidence itself

Full Access
Question # 54

Your company uses Cisco routers exclusively throughout the network. After securing the routers to the best of your knowledge, an outside security firm is brought in to assess the network security.

Although they found very few issues, they were able to enumerate the model, OS version, and capabilities for all your Cisco routers with very little effort. Which feature will you disable to eliminate the ability to enumerate this information on your Cisco routers?

A.

Border Gateway Protocol

B.

Cisco Discovery Protocol

C.

Broadcast System Protocol

D.

Simple Network Management Protocol

Full Access
Question # 55

This is original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.

A.

Master Boot Record (MBR)

B.

Master File Table (MFT)

C.

File Allocation Table (FAT)

D.

Disk Operating System (DOS)

Full Access
Question # 56

Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?

A.

Globally unique ID

B.

Microsoft Virtual Machine Identifier

C.

Personal Application Protocol

D.

Individual ASCII string

Full Access
Question # 57

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?

A.

Universal Time Set

B.

Network Time Protocol

C.

SyncTime Service

D.

Time-Sync Protocol

Full Access
Question # 58

Frank is working on a vulnerability assessment for a company on the West coast. The company hired Frank to assess its network security through scanning, pen tests, and vulnerability assessments. After discovering numerous known vulnerabilities detected by a temporary IDS he set up, he notices a number of items that show up as unknown but Questionable in the logs. He looks up the behavior on the Internet, but cannot find anything related. What organization should Frank submit the log to find out if it is a new vulnerability or not?

A.

APIPA

B.

IANA

C.

CVE

D.

RIPE

Full Access
Question # 59

You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?

A.

The registry

B.

The swap file

C.

The recycle bin

D.

The metadata

Full Access
Question # 60

When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.

A.

A Capital X

B.

A Blank Space

C.

The Underscore Symbol

D.

The lowercase Greek Letter Sigma (s)

Full Access
Question # 61

What is a good security method to prevent unauthorized users from "tailgating"?

A.

Man trap

B.

Electronic combination locks

C.

Pick-resistant locks

D.

Electronic key systems

Full Access
Question # 62

John is using Firewalk to test the security of his Cisco PIX firewall. He is also utilizing a sniffer located on a subnet that resides deep inside his network. After analyzing the sniffer log files, he does not see any of the traffic produced by Firewalk. Why is that?

A.

Firewalk cannot pass through Cisco firewalls

B.

Firewalk sets all packets with a TTL of zero

C.

Firewalk cannot be detected by network sniffers

D.

Firewalk sets all packets with a TTL of one

Full Access
Question # 63

When investigating a Windows System, it is important to view the contents of the page or swap file because:

A.

Windows stores all of the systems configuration information in this file

B.

This is file that windows use to communicate directly with Registry

C.

A Large volume of data can exist within the swap file of which the computer user has no knowledge

D.

This is the file that windows use to store the history of the last 100 commands that were run from the command line

Full Access
Question # 64

You are working in the security Department of law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken and that fake email is possibility and that you can prove it. You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the company SMTP server?

A.

10

B.

25

C.

110

D.

135

Full Access
Question # 65

What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer?

A.

rootkit

B.

key escrow

C.

steganography

D.

Offset

Full Access
Question # 66

You are working as Computer Forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm’s employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do?

A.

Inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned

B.

Inform the owner that conducting an investigation without a policy is a violation of the 4th amendment

C.

Inform the owner that conducting an investigation without a policy is a violation of the employee’s expectation of privacy

D.

Inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies

Full Access
Question # 67

With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________.

A.

0

B.

10

C.

100

D.

1

Full Access
Question # 68

What is the following command trying to accomplish?

A.

Verify that UDP port 445 is open for the 192.168.0.0 network

B.

Verify that TCP port 445 is open for the 192.168.0.0 network

C.

Verify that NETBIOS is running for the 192.168.0.0 network

D.

Verify that UDP port 445 is closed for the 192.168.0.0 network

Full Access
Question # 69

Kimberly is studying to be an IT security analyst at a vocational school in her town. The school offers many different programming as well as networking languages. What networking protocol language should she learn that routers utilize?

A.

ATM

B.

UDP

C.

BPG

D.

OSPF

Full Access
Question # 70

From the following spam mail header, identify the host IP that sent this spam?

From jie02@netvigator.com jie02@netvigator.com Tue Nov 27 17:27:11 2001

Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk

(8.11.6/8.11.6) with ESMTP id

fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT)

Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by

viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1)

with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT)

Message-Id: >200111270926.fAR9QXwZ018431@viruswall.ie.cuhk.edu.hk

From: "china hotel web"

To: "Shlam"

Subject: SHANGHAI (HILTON HOTEL) PACKAGE

Date: Tue, 27 Nov 2001 17:25:58 +0800 MIME-Version: 1.0

X-Priority: 3 X-MSMail-

Priority: Normal

Reply-To: "china hotel web"

A.

137.189.96.52

B.

8.12.1.0

C.

203.218.39.20

D.

203.218.39.50

Full Access
Question # 71

Printing under a Windows Computer normally requires which one of the following files types to be created?

A.

EME

B.

MEM

C.

EMF

D.

CME

Full Access
Question # 72

How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?

A.

128

B.

64

C.

32

D.

16

Full Access
Question # 73

During the course of a corporate investigation, you find that an Employee is committing a crime.

Can the Employer file a criminal complaint with Police?

A.

Yes, and all evidence can be turned over to the police

B.

Yes, but only if you turn the evidence over to a federal law enforcement agency

C.

No, because the investigation was conducted without following standard police procedures

D.

No, because the investigation was conducted without warrant

Full Access
Question # 74

Volatile Memory is one of the leading problems for forensics. Worms such as code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?

A.

Use VMware to be able to capture the data in memory and examine it

B.

Give the Operating System a minimal amount of memory, forcing it to use a swap file

C.

Create a Separate partition of several hundred megabytes and place the swap file there

D.

Use intrusion forensic techniques to study memory resident infections

Full Access
Question # 75

Meyer Electronics Systems just recently had a number of laptops stolen out of their office. On these laptops contained sensitive corporate information regarding patents and company strategies. A month after the laptops were stolen, a competing company was found to have just developed products that almost exactly duplicated products that Meyer produces. What could have prevented this information from being stolen from the laptops?

A.

EFS Encryption

B.

DFS Encryption

C.

IPS Encryption

D.

SDW Encryption

Full Access
Question # 76

When using Windows acquisitions tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to:

A.

Automate Collection from image files

B.

Avoiding copying data from the boot partition

C.

Acquire data from host-protected area on a disk

D.

Prevent Contamination to the evidence drive

Full Access
Question # 77

You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message?

A.

The X509 Address

B.

The SMTP reply Address

C.

The E-mail Header

D.

The Host Domain Name

Full Access
Question # 78

While working for a prosecutor, what do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense?

A.

Keep the information of file for later review

B.

Destroy the evidence

C.

Bring the information to the attention of the prosecutor, his or her supervisor or finally to the judge

D.

Present the evidence to the defense attorney

Full Access
Question # 79

A law enforcement officer may only search for and seize criminal evidence with _______________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists and the evidence of the specific crime exists at the place to be searched.

A.

Mere Suspicion

B.

A preponderance of the evidence

C.

Probable cause

D.

Beyond a reasonable doubt

Full Access
Question # 80

How many sectors will a 125 KB file use in a FAT32 file system?

A.

32

B.

16

C.

256

D.

25

Full Access
Question # 81

In both pharming and phishing attacks an attacker can create websites that look similar to legitimate sites with the intent of collecting personal identifiable information from its victims. What is the difference between pharming and phishing attacks?

A.

Both pharming and phishing attacks are purely technical and are not considered forms of social engineering

B.

In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks similar to the actual websites domain name

C.

In a phishing attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual websites domain name

D.

Both pharming and phishing attacks are identical

Full Access
Question # 82

Company ABC has employed a firewall, IDS, Antivirus, Domain Controller, and SIEM. The company’s domain controller goes down. From which system would you begin your investigation?

A.

Domain Controller

B.

Firewall

C.

SIEM

D.

IDS

Full Access
Question # 83

How many times can data be written to a DVD+R disk?

A.

Twice

B.

Once

C.

Zero

D.

Infinite

Full Access
Question # 84

What feature of Decryption Collection allows an investigator to crack a password as quickly as possible?

A.

Cracks every password in 10 minutes

B.

Distribute processing over 16 or fewer computers

C.

Support for Encrypted File System

D.

Support for MD5 hash verification

Full Access
Question # 85

Jacob is a computer forensics investigator with over 10 years experience in investigations and has written over 50 articles on computer forensics. He has been called upon as a qualified witness to testify the accuracy and integrity of the technical log files gathered in an investigation into computer fraud. What is the term used for Jacob testimony in this case?

A.

Justification

B.

Authentication

C.

Reiteration

D.

Certification

Full Access
Question # 86

While searching through a computer under investigation, you discover numerous files that appear to have had the first letter of the file name replaced by the hex code byte 5h. What does this indicate on the computer?

A.

The files have been marked as hidden

B.

The files have been marked for deletion

C.

The files are corrupt and cannot be recovered

D.

The files have been marked as read-only

Full Access
Question # 87

When investigating a wireless attack, what information can be obtained from the DHCP logs?

A.

The operating system of the attacker and victim computers

B.

IP traffic between the attacker and the victim

C.

MAC address of the attacker

D.

If any computers on the network are running in promiscuous mode

Full Access
Question # 88

Which of the following is a record of the characteristics of a file system, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map and usage information, and the size of the block groups?

A.

Inode bitmap block

B.

Superblock

C.

Block bitmap block

D.

Data block

Full Access
Question # 89

Which network attack is described by the following statement? "At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries."

A.

Man-in-the-Middle Attack

B.

Sniffer Attack

C.

Buffer Overflow

D.

DDoS

Full Access
Question # 90

When operating systems mark a cluster as used but not allocated, the cluster is considered as _________

A.

Corrupt

B.

Bad

C.

Lost

D.

Unallocated

Full Access
Question # 91

Why would a company issue a dongle with the software they sell?

A.

To provide source code protection

B.

To provide wireless functionality with the software

C.

To provide copyright protection

D.

To ensure that keyloggers cannot be used

Full Access
Question # 92

When needing to search for a website that is no longer present on the Internet today but was online few years back, what site can be used to view the website collection of pages?

A.

Proxify.net

B.

Dnsstuff.com

C.

Samspade.org

D.

Archive.org

Full Access
Question # 93

Bob works as information security analyst for a big finance company. One day, the anomaly-based intrusion detection system alerted that a volumetric DDOS targeting the main IP of the main web server was occurring. What kind of attack is it?

A.

IDS attack

B.

APT

C.

Web application attack

D.

Network attack

Full Access
Question # 94

Which of the following tool creates a bit-by-bit image of an evidence media?

A.

Recuva

B.

FileMerlin

C.

AccessData FTK Imager

D.

Xplico

Full Access
Question # 95

What is considered a grant of a property right given to an individual who discovers or invents a new machine, process, useful composition of matter or manufacture?

A.

Copyright

B.

Design patent

C.

Trademark

D.

Utility patent

Full Access
Question # 96

The surface of a hard disk consists of several concentric rings known as tracks; each of these tracks has smaller partitions called disk blocks. What is the size of each block?

A.

512 bits

B.

512 bytes

C.

256 bits

D.

256 bytes

Full Access
Question # 97

Richard is extracting volatile data from a system and uses the command doskey/history. What is he trying to extract?

A.

Events history

B.

Previously typed commands

C.

History of the browser

D.

Passwords used across the system

Full Access
Question # 98

To check for POP3 traffic using Ethereal, what port should an investigator search by?

A.

143

B.

25

C.

110

D.

125

Full Access
Question # 99

Which of the following data structures stores attributes of a process, as well as pointers to other attributes and data structures?

A.

Lsproc

B.

DumpChk

C.

RegEdit

D.

EProcess

Full Access
Question # 100

Preparing an image drive to copy files to is the first step in Linux forensics. For this purpose, what would the following command accomplish?

dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror, sync

A.

Fill the disk with zeros

B.

Low-level format

C.

Fill the disk with 4096 zeros

D.

Copy files from the master disk to the slave disk on the secondary IDE controller

Full Access
Question # 101

Which of the following options will help users to enable or disable the last access time on a system running Windows 10 OS?

A.

wmic service

B.

Reg.exe

C.

fsutil

D.

Devcon

Full Access
Question # 102

Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?

A.

Network

B.

Transport

C.

Physical

D.

Data Link

Full Access
Question # 103

Which of the following files stores information about a local Google Drive installation such as User email ID, Local Sync Root Path, and Client version installed?

A.

filecache.db

B.

config.db

C.

sigstore.db

D.

Sync_config.db

Full Access
Question # 104

Jack Smith is a forensics investigator who works for Mason Computer Investigation Services. He is investigating a computer that was infected by Ramen Virus.

He runs the netstat command on the machine to see its current connections. In the following screenshot, what do the 0.0.0.0 IP addresses signify?

 

A.

Those connections are established

B.

Those connections are in listening mode

C.

Those connections are in closed/waiting mode

D.

Those connections are in timed out/waiting mode

Full Access
Question # 105

Madison is on trial for allegedly breaking into her university’s internal network. The police raided her dorm room and seized all of her computer equipment. Madison’s lawyer is trying to convince the judge that the seizure was unfounded and baseless. Under which US Amendment is Madison’s lawyer trying to prove the police violated?

A.

The 4th Amendment

B.

The 1st Amendment

C.

The 10th Amendment

D.

The 5th Amendment

Full Access