Pre-Winter Sale Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ex2p65

Exact2Pass Menu

Question # 4

Which component in the hard disk moves over the platter to read and write information?

A.

Actuator

B.

Spindle

C.

Actuator Axis

D.

Head

Full Access
Question # 5

Paul's company is in the process of undergoing a complete security audit including logical and physical security testing. After all logical tests were performed; it is now time for the physical round to begin. None of the employees are made aware of this round of testing. The security-auditing firm sends in a technician dressed as an electrician. He waits outside in the lobby for some employees to get to work and follows behind them when they access the restricted areas. After entering the main office, he is able to get into the server room telling the IT manager that there is a problem with the outlets in that room. What type of attack has the technician performed?

A.

Tailgating

B.

Backtrapping

C.

Man trap attack

D.

Fuzzing

Full Access
Question # 6

An Expert witness give an opinion if:

A.

The Opinion, inferences or conclusions depend on special knowledge, skill or training not within the ordinary experience of lay jurors

B.

To define the issues of the case for determination by the finder of fact

C.

To stimulate discussion between the consulting expert and the expert witness

D.

To deter the witness form expanding the scope of his or her investigation beyond the requirements of the case

Full Access
Question # 7

Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks?

A.

network-based IDS systems (NIDS)

B.

host-based IDS systems (HIDS)

C.

anomaly detection

D.

signature recognition

Full Access
Question # 8

In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?

A.

one who has NTFS 4 or 5 partitions

B.

one who uses dynamic swap file capability

C.

one who uses hard disk writes on IRQ 13 and 21

D.

one who has lots of allocation units per block or cluster

Full Access
Question # 9

Study the log given below and answer the following question:

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169

Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482

Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53

Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21

Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53

Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111

Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80

Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)

Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)

Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080

Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?

A.

Disallow UDP53 in from outside to DNS server

B.

Allow UDP53 in from DNS server to outside

C.

Disallow TCP53 in from secondaries or ISP server to DNS server

D.

Block all UDP traffic

Full Access
Question # 10

What binary coding is used most often for e-mail purposes?

A.

MIME

B.

Uuencode

C.

IMAP

D.

SMTP

Full Access
Question # 11

Billy, a computer forensics expert, has recovered a large number of DBX files during the forensic investigation of a laptop. Which of the following email clients can he use to analyze the DBX files?

A.

Microsoft Outlook

B.

Eudora

C.

Mozilla Thunderbird

D.

Microsoft Outlook Express

Full Access
Question # 12

What does the 63.78.199.4(161) denotes in a Cisco router log?

Mar 14 22:57:53.425 EST: %SEC-6-IPACCESSLOGP: list internet-inbound denied udp 66.56.16.77(1029) -> 63.78.199.4(161), 1 packet

A.

Destination IP address

B.

Source IP address

C.

Login IP address

D.

None of the above

Full Access
Question # 13

Jack Smith is a forensics investigator who works for Mason Computer Investigation Services. He is investigating a computer that was infected by Ramen Virus.

He runs the netstat command on the machine to see its current connections. In the following screenshot, what do the 0.0.0.0 IP addresses signify?

 

A.

Those connections are established

B.

Those connections are in listening mode

C.

Those connections are in closed/waiting mode

D.

Those connections are in timed out/waiting mode

Full Access
Question # 14

Annie is searching for certain deleted files on a system running Windows XP OS. Where will she find the files if they were not completely deleted from the system?

A.

C: $Recycled.Bin

B.

C: \$Recycle.Bin

C.

C:\RECYCLER

D.

C:\$RECYCLER

Full Access
Question # 15

Shane has started the static analysis of a malware and is using the tool ResourcesExtract to find more details of the malicious program. What part of the analysis is he performing?

A.

Identifying File Dependencies

B.

Strings search

C.

Dynamic analysis

D.

File obfuscation

Full Access
Question # 16

Which of the following files stores information about local Dropbox installation and account, email IDs linked with the account, current version/build for the local application, the host_id, and local path information?

A.

host.db

B.

sigstore.db

C.

config.db

D.

filecache.db

Full Access
Question # 17

Which of the following data structures stores attributes of a process, as well as pointers to other attributes and data structures?

A.

Lsproc

B.

DumpChk

C.

RegEdit

D.

EProcess

Full Access
Question # 18

Which of the following tool captures and allows you to interactively browse the traffic on a network?

A.

Security Task Manager

B.

Wireshark

C.

ThumbsDisplay

D.

RegScanner

Full Access
Question # 19

Which of the following Registry components include offsets to other cells as well as the LastWrite time for the key?

A.

Value list cell

B.

Value cell

C.

Key cell

D.

Security descriptor cell

Full Access
Question # 20

Which code does the FAT file system use to mark the file as deleted?

A.

ESH

B.

5EH

C.

H5E

D.

E5H

Full Access
Question # 21

Files stored in the Recycle Bin in its physical location are renamed as Dxy.ext, where “x” represents the ___________________.

A.

Drive name

B.

Original file name’s extension

C.

Sequential number

D.

Original file name

Full Access
Question # 22

Davidson Trucking is a small transportation company that has three local offices in Detroit Michigan. Ten female employees that work for the company have gone to an attorney reporting that male employees repeatedly harassed them and that management did nothing to stop the problem. Davidson has employee policies that outline all company guidelines, including awareness on harassment and how it will not be tolerated. When the case is brought to court, whom should the prosecuting attorney call upon for not upholding company policy?

A.

IT personnel

B.

Employees themselves

C.

Supervisors

D.

Administrative assistant in charge of writing policies

Full Access
Question # 23

Which of the following files stores information about a local Google Drive installation such as User email ID, Local Sync Root Path, and Client version installed?

A.

filecache.db

B.

config.db

C.

sigstore.db

D.

Sync_config.db

Full Access
Question # 24

Which of the following standard represents a legal precedent sent in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses’ testimony during federal legal proceedings?

A.

IOCE

B.

SWGDE & SWGIT

C.

Frye

D.

Daubert

Full Access
Question # 25

Which among the following search warrants allows the first responder to get the victim’s computer information such as service records, billing records, and subscriber information from the service provider?

A.

Citizen Informant Search Warrant

B.

Electronic Storage Device Search Warrant

C.

John Doe Search Warrant

D.

Service Provider Search Warrant

Full Access
Question # 26

An on-site incident response team is called to investigate an alleged case of computer tampering within their company. Before proceeding with the investigation, the CEO informs them that the incident will be classified as low level. How long will the team have to respond to the incident?

A.

One working day

B.

Two working days

C.

Immediately

D.

Four hours

Full Access
Question # 27

Which of the following files gives information about the client sync sessions in Google Drive on Windows?

A.

sync_log.log

B.

Sync_log.log

C.

sync.log

D.

Sync.log

Full Access
Question # 28

Why should you never power on a computer that you need to acquire digital evidence from?

A.

When the computer boots up, files are written to the computer rendering the data nclean

B.

When the computer boots up, the system cache is cleared which could destroy evidence

C.

When the computer boots up, data in the memory buffer is cleared which could destroy evidence

D.

Powering on a computer has no affect when needing to acquire digital evidence from it

Full Access
Question # 29

To which phase of the Computer Forensics Investigation Process does the Planning and Budgeting of a Forensics Lab belong?

A.

Post-investigation Phase

B.

Reporting Phase

C.

Pre-investigation Phase

D.

Investigation Phase

Full Access
Question # 30

A computer forensics investigator is inspecting the firewall logs for a large financial institution that has employees working 24 hours a day, 7 days a week.

What can the investigator infer from the screenshot seen below?

A.

A smurf attack has been attempted

B.

A denial of service has been attempted

C.

Network intrusion has occurred

D.

Buffer overflow attempt on the firewall.

Full Access
Question # 31

This is original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.

A.

Master Boot Record (MBR)

B.

Master File Table (MFT)

C.

File Allocation Table (FAT)

D.

Disk Operating System (DOS)

Full Access
Question # 32

If a suspect computer is located in an area that may have toxic chemicals, you must:

A.

coordinate with the HAZMAT team

B.

determine a way to obtain the suspect computer

C.

assume the suspect machine is contaminated

D.

do not enter alone

Full Access
Question # 33

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?

A.

Universal Time Set

B.

Network Time Protocol

C.

SyncTime Service

D.

Time-Sync Protocol

Full Access
Question # 34

How many sectors will a 125 KB file use in a FAT32 file system?

A.

32

B.

16

C.

256

D.

25

Full Access
Question # 35

You have completed a forensic investigation case. You would like to destroy the data contained in various disks at the forensics lab due to sensitivity of the case. How would you permanently erase the data on the hard disk?

A.

Throw the hard disk into the fire

B.

Run the powerful magnets over the hard disk

C.

Format the hard disk multiple times using a low level disk utility

D.

Overwrite the contents of the hard disk with Junk data

Full Access
Question # 36

You are working in the security Department of law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken and that fake email is possibility and that you can prove it. You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the company SMTP server?

A.

10

B.

25

C.

110

D.

135

Full Access
Question # 37

If an attacker's computer sends an IPID of 31400 to a zombie computer on an open port in IDLE scanning, what will be the response?

A.

The zombie will not send a response

B.

31402

C.

31399

D.

31401

Full Access
Question # 38

A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation?

A.

Image the disk and try to recover deleted files

B.

Seek the help of co-workers who are eye-witnesses

C.

Check the Windows registry for connection data (you may or may not recover)

D.

Approach the websites for evidence

Full Access
Question # 39

You are the security analyst working for a private company out of France. Your current assignment is to obtain credit card information from a Swiss bank owned by that company. After initial reconnaissance, you discover that the bank security defenses are very strong and would take too long to penetrate. You decide to get the information by monitoring the traffic between the bank and one of its subsidiaries in London. After monitoring some of the traffic, you see a lot of FTP packets traveling back and forth. You want to sniff the traffic and extract usernames and passwords. What tool could you use to get this information?

A.

Airsnort

B.

Snort

C.

Ettercap

D.

RaidSniff

Full Access
Question # 40

The use of warning banners helps a company avoid litigation by overcoming an employee assumed __________________________. When connecting to the company's intranet, network or Virtual Private Network(VPN) and will allow the company's investigators to monitor, search and retrieve information stored within the network.

A.

Right to work

B.

Right of free speech

C.

Right to Internet Access

D.

Right of Privacy

Full Access
Question # 41

An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet.

A.

logical

B.

anti-magnetic

C.

magnetic

D.

optical

Full Access
Question # 42

The MD5 program is used to:

A.

wipe magnetic media before recycling it

B.

make directories on an evidence disk

C.

view graphics files on an evidence drive

D.

verify that a disk is not altered when you examine it

Full Access
Question # 43

What does the superblock in Linux define?

A.

filesynames

B.

diskgeometr

C.

location of the firstinode

D.

available space

Full Access
Question # 44

As a CHFI professional, which of the following is the most important to your professional reputation?

A.

Your Certifications

B.

The correct, successful management of each and every case

C.

The free that you charge

D.

The friendship of local law enforcement officers

Full Access
Question # 45

When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.

A.

A Capital X

B.

A Blank Space

C.

The Underscore Symbol

D.

The lowercase Greek Letter Sigma (s)

Full Access
Question # 46

Jessica works as systems administrator for a large electronics firm. She wants to scan her network quickly to detect live hosts by using ICMP ECHO Requests. What type of scan is Jessica going to perform?

A.

Tracert

B.

Smurf scan

C.

Ping trace

D.

ICMP ping sweep

Full Access
Question # 47

Why should you note all cable connections for a computer you want to seize as evidence?

A.

to know what outside connections existed

B.

in case other devices were connected

C.

to know what peripheral devices exist

D.

to know what hardware existed

Full Access
Question # 48

Diskcopy is:

A.

a utility by AccessData

B.

a standard MS-DOS command

C.

Digital Intelligence utility

D.

dd copying tool

Full Access
Question # 49

Where is the default location for Apache access logs on a Linux computer?

A.

usr/local/apache/logs/access_log

B.

bin/local/home/apache/logs/access_log

C.

usr/logs/access_log

D.

logs/usr/apache/access_log

Full Access
Question # 50

Where are files temporarily written in Unix when printing?

A.

/usr/spool

B.

/var/print

C.

/spool

D.

/var/spool

Full Access
Question # 51

E-mail logs contain which of the following information to help you in your investigation? (Choose four.)

A.

user account that was used to send the account

B.

attachments sent with the e-mail message

C.

unique message identifier

D.

contents of the e-mail message

E.

date and time the message was sent

Full Access
Question # 52

During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding process. Therefore, you report this evidence. This type of evidence is known as:

A.

Inculpatory evidence

B.

Mandatory evidence

C.

Exculpatory evidence

D.

Terrible evidence

Full Access
Question # 53

The offset in a hexadecimal code is:

A.

The last byte after the colon

B.

The 0x at the beginning of the code

C.

The 0x at the end of the code

D.

The first byte after the colon

Full Access
Question # 54

What are the security risks of running a "repair" installation for Windows XP?

A.

Pressing Shift+F10gives the user administrative rights

B.

Pressing Shift+F1gives the user administrative rights

C.

Pressing Ctrl+F10 gives the user administrative rights

D.

There are no security risks when running the "repair" installation for Windows XP

Full Access
Question # 55

Which of the following files DOES NOT use Object Linking and Embedding (OLE) technology to embed and link to other objects?

A.

Portable Document Format

B.

MS-office Word Document

C.

MS-office Word OneNote

D.

MS-office Word PowerPoint

Full Access
Question # 56

The following is a log file screenshot from a default installation of IIS 6.0.

What time standard is used by IIS as seen in the screenshot?

A.

UTC

B.

GMT

C.

TAI

D.

UT

Full Access
Question # 57

What is the size value of a nibble?

A.

0.5 kilo byte

B.

0.5 bit

C.

0.5 byte

D.

2 bits

Full Access
Question # 58

Smith, a network administrator with a large MNC, was the first to arrive at a suspected crime scene involving criminal use of compromised computers. What should be his first response while maintaining the integrity of evidence?

A.

Record the system state by taking photographs of physical system and the display

B.

Perform data acquisition without disturbing the state of the systems

C.

Open the systems, remove the hard disk and secure it

D.

Switch off the systems and carry them to the laboratory

Full Access
Question # 59

NTFS has reduced slack space than FAT, thus having lesser potential to hide data in the slack space. This is because:

A.

FAT does not index files

B.

NTFS is a journaling file system

C.

NTFS has lower cluster size space

D.

FAT is an older and inefficient file system

Full Access
Question # 60

What type of analysis helps to identify the time and sequence of events in an investigation?

A.

Time-based

B.

Functional

C.

Relational

D.

Temporal

Full Access
Question # 61

When should an MD5 hash check be performed when processing evidence?

A.

After the evidence examination has been completed

B.

On an hourly basis during the evidence examination

C.

Before and after evidence examination

D.

Before the evidence examination has been completed

Full Access
Question # 62

You work as a penetration tester for Hammond Security Consultants. You are currently working on a contract for the state government of California. Your next step is to initiate a DoS attack on their network. Why would you want to initiate a DoS attack on a system you are testing?

A.

Show outdated equipment so it can be replaced

B.

List weak points on their network

C.

Use attack as a launching point to penetrate deeper into the network

D.

Demonstrate that no system can be protected against DoS attacks

Full Access
Question # 63

With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________.

A.

0

B.

10

C.

100

D.

1

Full Access
Question # 64

In Steganalysis, which of the following describes a Known-stego attack?

A.

The hidden message and the corresponding stego-image are known

B.

During the communication process, active attackers can change cover

C.

Original and stego-object are available and the steganography algorithm is known

D.

Only the steganography medium is available for analysis

Full Access
Question # 65

For what purpose do the investigators use tools like iPhoneBrowser, iFunBox, OpenSSHSSH, and iMazing?

A.

Bypassing iPhone passcode

B.

Debugging iPhone

C.

Rooting iPhone

D.

Copying contents of iPhone

Full Access
Question # 66

When a user deletes a file, the system creates a $I file to store its details. What detail does the $I file not contain?

A.

File Size

B.

File origin and modification

C.

Time and date of deletion

D.

File Name

Full Access
Question # 67

Buffer overflow vulnerability of a web application occurs when it fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites the_________. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack.

A.

Adjacent memory locations

B.

Adjacent bit blocks

C.

Adjacent buffer locations

D.

Adjacent string locations

Full Access
Question # 68

Which among the following search warrants allows the first responder to search and seize the victim’s computer components such as hardware, software, storage devices, and documentation?

A.

John Doe Search Warrant

B.

Citizen Informant Search Warrant

C.

Electronic Storage Device Search Warrant

D.

Service Provider Search Warrant

Full Access
Question # 69

Event correlation is the process of finding relevance between the events that produce a final result. What type of correlation will help an organization to correlate events across a set of servers, systems, routers and network?

A.

Same-platform correlation

B.

Network-platform correlation

C.

Cross-platform correlation

D.

Multiple-platform correlation

Full Access
Question # 70

Which of the following is a part of a Solid-State Drive (SSD)?

A.

Head

B.

Cylinder

C.

NAND-based flash memory

D.

Spindle

Full Access
Question # 71

Graphics Interchange Format (GIF) is a ____ RGB bitmap image format for images with up to 256 distinct colors per frame.

A.

8-bit

B.

32-bit

C.

16-bit

D.

24-bit

Full Access
Question # 72

Checkpoint Firewall logs can be viewed through a Check Point Log viewer that uses icons and colors in the log table to represent different security events and their severity. What does the icon in the checkpoint logs represent?

A.

The firewall rejected a connection

B.

A virus was detected in an email

C.

The firewall dropped a connection

D.

An email was marked as potential spam

Full Access
Question # 73

Jim’s company regularly performs backups of their critical servers. But the company can’t afford to send backup tapes to an off-site vendor for long term storage and archiving. Instead Jim’s company keeps the backup tapes in a safe in the office. Jim’s company is audited each year, and the results from this year’s audit show a risk because backup tapes aren’t stored off-site. The Manager of Information Technology has a plan to take the backup tapes home with him and wants to know what two things he can do to secure the backup tapes while in transit?

A.

Encrypt the backup tapes and use a courier to transport them.

B.

Encrypt the backup tapes and transport them in a lock box

C.

Degauss the backup tapes and transport them in a lock box.

D.

Hash the backup tapes and transport them in a lock box.

Full Access
Question # 74

An investigator is analyzing a checkpoint firewall log and comes across symbols. What type of log is he looking at?

A.

Security event was monitored but not stopped

B.

Malicious URL detected

C.

An email marked as potential spam

D.

Connection rejected

Full Access
Question # 75

Examination of a computer by a technically unauthorized person will almost always result in:

A.

Rendering any evidence found inadmissible in a court of law

B.

Completely accurate results of the examination

C.

The chain of custody being fully maintained

D.

Rendering any evidence found admissible in a court of law

Full Access
Question # 76

Which of the following is a precomputed table containing word lists like dictionary files and brute force lists and their hash values?

A.

Directory Table

B.

Rainbow Table

C.

Master file Table (MFT)

D.

Partition Table

Full Access
Question # 77

During forensics investigations, investigators tend to collect the system time at first and compare it with UTC. What does the abbreviation UTC stand for?

A.

Coordinated Universal Time

B.

Universal Computer Time

C.

Universal Time for Computers

D.

Correlated Universal Time

Full Access
Question # 78

While analyzing a hard disk, the investigator finds that the file system does not use UEFI-based interface. Which of the following operating systems is present on the hard disk?

A.

Windows 10

B.

Windows 8

C.

Windows 7

D.

Windows 8.1

Full Access
Question # 79

Lynne receives the following email:

Dear lynne@gmail.com! We are sorry to inform you that your ID has been temporarily frozen due to incorrect or missing information saved at 2016/11/10 20:40:24

You have 24 hours to fix this problem or risk to be closed permanently!

To proceed Please Connect >> My Apple ID

Thank You The link to My Apple ID shows http://byggarbetsplatsen.se/backup/signon/

What type of attack is this?

A.

Mail Bombing

B.

Phishing

C.

Email Spamming

D.

Email Spoofing

Full Access
Question # 80

Which of the following statements is incorrect when preserving digital evidence?

A.

Verify if the monitor is in on, off, or in sleep mode

B.

Turn on the computer and extract Windows event viewer log files

C.

Remove the plug from the power router or modem

D.

Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals

Full Access
Question # 81

Rusty, a computer forensics apprentice, uses the command nbtstat –c while analyzing the network information in a suspect system. What information is he looking for?

A.

Contents of the network routing table

B.

Status of the network carrier

C.

Contents of the NetBIOS name cache

D.

Network connections

Full Access
Question # 82

In which cloud crime do attackers try to compromise the security of the cloud environment in order to steal data or inject a malware?

A.

Cloud as an Object

B.

Cloud as a Tool

C.

Cloud as an Application

D.

Cloud as a Subject

Full Access
Question # 83

Chong-lee, a forensics executive, suspects that a malware is continuously making copies of files and folders on a victim system to consume the available disk space. What type of test would confirm his claim?

A.

File fingerprinting

B.

Identifying file obfuscation

C.

Static analysis

D.

Dynamic analysis

Full Access
Question # 84

What does the bytes 0x0B-0x53 represent in the boot sector of NTFS volume on Windows 2000?

A.

Jump instruction and the OEM ID

B.

BIOS Parameter Block (BPB) and the OEM ID

C.

BIOS Parameter Block (BPB) and the extended BPB

D.

Bootstrap code and the end of the sector marker

Full Access
Question # 85

Pick the statement which does not belong to the Rule 804. Hearsay Exceptions; Declarant Unavailable.

A.

Statement of personal or family history

B.

Prior statement by witness

C.

Statement against interest

D.

Statement under belief of impending death

Full Access
Question # 86

As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing . What document describes the specifics of the testing, the associated violations, and essentially protects both the organization’s interest and your liabilities as a tester?

A.

Project Scope

B.

Rules of Engagement

C.

Non-Disclosure Agreement

D.

Service Level Agreement

Full Access
Question # 87

What is the investigator trying to view by issuing the command displayed in the following screenshot?

A.

List of services stopped

B.

List of services closed recently

C.

List of services recently started

D.

List of services installed

Full Access
Question # 88

Adam, a forensic analyst, is preparing VMs for analyzing a malware. Which of the following is NOT a best practice?

A.

Isolating the host device

B.

Installing malware analysis tools

C.

Using network simulation tools

D.

Enabling shared folders

Full Access