Computer Forensic Exam 2012
1. If a PDA is seized in an investigation while the device is turned on, what would be the proper procedure?
A. Keep the device powered on
B. Turn off the device immediately
C. Remove the battery immediately
D. Remove any memory cards immediately
2. What hashing method is used to password protect Blackberry devices?
A. AES
B. RC5
C. MD5
D. SHA-1
3. You have been asked to investigate the possibility of computer fraud in the finance department of a
company. It is suspected that a staff member has been committing finance fraud by printing cheques that
have not been authorized. You have exhaustively searched all data files on a bit-stream image of the target
computer, but have found no evidence. You suspect the files may not have been saved.
What should you examine next in this case?
A. The registry
B. The swapfile
C. The recycle bin
D. The metadata
4. With regard to using an antivirus scanner during a computer forensics investigation, you should:
A. Scan the suspect hard drive before beginning an investigation
B. Never run a scan on your forensics workstation because it could change your system configuration
C. Scan your forensics workstation at intervals of no more than once every five minutes during an
investigation
D. Scan your forensics workstation before beginning an investigation
5. What layer of the OSI model do TCP and UDP utilize?
A. Data Link
B. Network
C. Transport
D. Session
6. When making the preliminary investigations in a sexual harassment case, how many investigators are
recommended?
A. One
B. Two
C. Three
D. Four
7. When investigating a network that uses DHCP to assign IP addresses, where would you look to determine
which system (MAC address) had a specific IP address at a specific time?
A. On the individual computer ARP cache
B. In the Web Server log files
C. In the DHCP Server log files
D. There is no way to determine the specific IP address
Source: http://www.aiotestking.com/ec-council/2012/
Edited by: Okayana
Subject Name:
312-49 Computer Hacking Forensic Investigator. Computer hacking forensic investigation is
the process of detecting hacking attacks and properly extracting evidence to report the crime
and conduct audits to prevent future attacks.
8. What type of equipment would a forensics investigator store in a StrongHold bag?
A. PDA
B. Backup tapes
C. Hard drives
D. Wireless cards
9. When performing a forensics analysis, what device is used to prevent the system from recording data on an
evidence disk?
A. Write-blocker
B. Protocol analyzer
C. Firewall
D. Disk editor
10. If you are concerned about a high level of compression but not concerned about any possible data loss,
what type of compression would you use?
A. Lossful compression
B. Lossy compression
C. Lossless compression
D. Time-loss compression
11. When marking evidence that has been collected with the aa/ddmmyy/nnnn/zz format, what does the nnnn
denote?
A. The year the evidence was taken
B. The sequence number for the parts of the same exhibit
C. The initials of the forensics analyst
D. The sequential number of the exhibits seized
12. You are working in the Security Department of a law firm. One of the attorneys asks you about the topic of
sending fake email because he has a client who has been charged with doing just that. His client alleges that
he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his
client is mistaken and that fake email is a possibility and that you can prove it. You return to your desk and
craft a fake email to the attorney that appears to come from his boss.
What port do you send the email to on the company SMTP server?
A. 10
B. 25
C. 110
D. 135
13. The efforts to obtain information before a trial by demanding documents, depositions, questions and
answers written under oath, written requests for admissions of fact, and examination of the scene is a
description of what legal term?
A. Detection
B. Hearsay
C. Spoliation
D. Discovery
14. An investigator is searching through the firewall logs of a company and notices ICMP packets that are
larger than 65,535 bytes.
What type of activity is the investigator seeing?
A. Smurf
B. Ping of death
C. Fraggle
D. Nmap scan
15. What type of file is represented by a colon (:) with a name following it in the Master File Table (MFT) of
an NTFS disk?
A. Compressed file
B. Data stream file
C. Encrypted file
D. Reserved file
16. When carrying out a forensics investigation, why should you never delete a partition on a dynamic disk?
A. All virtual memory will be deleted
B. The wrong partition may be set to active
C. This action can corrupt the disk
D. The computer will be set in a constant reboot state
17. When using an iPod and the host computer is running Windows, what file system will be used?
A. iPod+
B. HFS
C. FAT16
D. FAT32
18. What is one method of bypassing a system BIOS password?
A. Removing the processor
B. Removing the CMOS battery
C. Remove all the system memory
D. Login to Windows and disable the BIOS password
19. What technique used by Encase makes it virtually impossible to tamper with evidence once it has been
acquired?
A. Every byte of the file(s) is given an MD5 hash to match against a master file
B. Every byte of the file(s) is verified using 32-bit CRC
C. Every byte of the file(s) is copied to three different hard drives
D. Every byte of the file(s) is encrypted using three different methods
20. What must an investigator do before disconnecting an iPod from any type of computer?
A. Unmount the iPod
B. Mount the iPod
C. Disjoin the iPod
D. Join the iPod
21. In the context of file deletion process, which of the following statement holds true?
A. When files are deleted, the data is overwritten and the cluster marked as available
B. The longer a disk is in use, the less likely it is that deleted files will be overwritten
C. While booting, the machine may create temporary files that can delete evidence
D. Secure delete programs work by completely overwriting the file in one go
22. The following is a log file screenshot from a default installation of IIS 6.0.
What time standard is used by IIS as seen in the screenshot?
A. UTC
B. GMT
C. TAI
D. UT
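The point behind the question above is that IIS writes the date and time fields of its W3C extended log in UTC by default, so an examiner has to convert before lining the entries up against local-time sources. The parser below is an added example, not code from the exam page: it reads a constructed IIS 6.0 log excerpt (the lines are made up for illustration, not taken from the missing screenshot), attaches the UTC zone to each timestamp explicitly, and converts it to a caller-supplied offset; the UTC-5 offset used in the test is an assumption standing in for whatever the server's locale was.

```python
from datetime import datetime, timedelta, timezone

# Constructed IIS 6.0 W3C log excerpt (not from the exam screenshot). The
# field list is the IIS 6 default set. IIS replaces spaces inside a field
# value with '+', so splitting a line on whitespace is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-03-15 14:02:11
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-03-15 14:02:11 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2012-03-15 14:02:13 10.0.0.5 GET /admin/login.asp - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 5
2012-03-16 03:15:00 10.0.0.5 POST /admin/login.asp - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 302 0 0
"""


def parse_iis_log(text, local_offset_hours):
    """Return one dict per request line with 'time_utc' and 'time_local' aware datetimes.

    The '#Fields:' directive names the columns. Directives can recur in the
    middle of a file when IIS rolls the log, so the header is re-read
    whenever it appears rather than assumed from the first line.
    """
    local_tz = timezone(timedelta(hours=local_offset_hours))  # assumed server locale
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        rec = dict(zip(fields, values))
        # The date/time strings carry no zone marker; IIS wrote them in UTC,
        # so say so explicitly instead of letting them be read as local time.
        utc = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        utc = utc.replace(tzinfo=timezone.utc)
        rec["time_utc"] = utc
        rec["time_local"] = utc.astimezone(local_tz)
        records.append(rec)
    return records
```

Note the third request: logged on 2012-03-16 in UTC, it happened on the evening of the 15th in the assumed local zone. A timeline built from the raw date column would put it on the wrong day relative to a workstation's local-time event log.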
23. A small law firm located in the Midwest has possibly been breached by a computer hacker looking to
obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to
search for evidence of the breach themselves to prevent any possible media attention.
Why would this not be recommended?
A. Searching for evidence themselves would not have any ill effects
B. Searching could possibly crash the machine or device
C. Searching creates cache files, which would hinder the investigation
D. Searching can change date/time stamps
24. When examining a file with a Hex Editor, what space does the file header occupy?
A. The first several bytes of the file
B. One byte at the beginning of the file
C. None, file headers are contained in the FAT
D. The last several bytes of the file
25. In the following directory listing,
which file should be used to restore archived email messages for someone using Microsoft Outlook?
A. Outlook bak
B. Outlook ost
C. Outlook NK2
D. Outlook pst
26. Daryl, a computer forensics investigator, has just arrived at the house of an alleged computer hacker. Daryl
takes pictures and tags all computer and peripheral equipment found in the house. Daryl packs all the items
found in his van and takes them back to his lab for further examination. At his lab, Michael his assistant
helps him with the investigation. Since Michael is still in training, Daryl supervises all of his work very
carefully. Michael is not quite sure about the procedures to copy all the data off the computer and
peripheral devices.
How many data acquisition tools should Michael use when creating copies of the evidence for the
investigation?
A. Two
B. One
C. Three
D. Four
27. What feature of Decryption Collection allows an investigator to crack a password as quickly as possible?
A. Cracks every password in 10 minutes
B. Distribute processing over 16 or fewer computers
C. Support for Encrypted File System
D. Support for MD5 hash verification
28. Heather, a computer forensics investigator, is assisting a group of investigators working on a large
computer fraud case involving over 20 people. These 20 people, working in different offices, allegedly
siphoned off money from many different client accounts. Heather's responsibility is to find out how the
accused people communicated with each other. She has searched their email and their computers and has
not found any useful evidence. Heather then finds some possibly useful evidence under the desk of one of
the accused.
In an envelope she finds a piece of plastic with numerous holes cut out of it. Heather then finds the same
exact piece of plastic with holes at many of the other accused people's desks. Heather believes that the 20
people involved in the case were using a cipher to send secret messages between each other.
What type of cipher was used by the accused in this case?
A. Grill cipher
B. Null cipher
C. Text semagram
D. Visual semagram
29. What is the smallest physical storage unit on a hard drive?
A. Track
B. Cluster
C. Sector
D. Platter
30. When needing to search for a website that is no longer present on the Internet today but was online a few
years back, what site can be used to view the website's collection of pages?
A. Proxify.net
B. Dnsstuff.com
C. Samspade.org
D. Archive.org
31. Under confession, an accused criminal admitted to encrypting child pornography pictures and then hiding
them within other pictures.
What technique did the accused criminal employ?
A. Typography
B. Steganalysis
C. Picture encoding
D. Steganography
32. Where does Encase search to recover NTFS files and folders?
A. MBR
B. MFT
C. Slack space
D. HAL
33. Given the drive dimensions as follows and assuming a sector has 512 bytes, what is the capacity of the
described hard drive?
22,164 cylinders/disk
80 heads/cylinder
63 sectors/track
A. 53.26 GB
B. 57.19 GB
C. 11.17 GB
D. 10 GB
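Two of the answer choices above are the same drive measured in different units, which is the trap in this question. The following is an added example (not part of the exam) that carries the geometry calculation through in both conventions and adds the CHS-to-LBA mapping an examiner uses to find a given sector inside a raw image; 512-byte sectors are assumed, as the question states.

```python
# Added example: capacity from CHS geometry and the CHS -> LBA -> byte-offset
# mapping. Assumes 512-byte sectors, as the question states.
SECTOR_BYTES = 512


def total_sectors(cylinders, heads, sectors_per_track):
    """Every (cylinder, head) pair is one track holding sectors_per_track sectors."""
    return cylinders * heads * sectors_per_track


def capacity_bytes(cylinders, heads, sectors_per_track, sector_bytes=SECTOR_BYTES):
    return total_sectors(cylinders, heads, sectors_per_track) * sector_bytes


def describe_drive(cylinders, heads, sectors_per_track):
    """Report both conventions: drive vendors quote decimal GB (10**9 bytes),
    while operating systems and most imaging tools show binary GiB (2**30 bytes)."""
    n = capacity_bytes(cylinders, heads, sectors_per_track)
    return {
        "sectors": total_sectors(cylinders, heads, sectors_per_track),
        "bytes": n,
        "GB": round(n / 10**9, 2),
        "GiB": round(n / 2**30, 2),
    }


def chs_to_lba(cylinder, head, sector, heads, sectors_per_track):
    """Cylinders and heads are numbered from 0; sectors within a track from 1."""
    if not 1 <= sector <= sectors_per_track:
        raise ValueError("sector number out of range for this geometry")
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def lba_to_byte_offset(lba, sector_bytes=SECTOR_BYTES):
    """Where to seek in a raw (dd-style) image to read that sector."""
    return lba * sector_bytes
```

For the geometry in the question this gives 111,706,560 sectors, 57,193,758,720 bytes, 57.19 GB decimal and 53.27 GiB binary (option A's 53.26 is the binary figure truncated instead of rounded). When a report states a capacity, say which unit the tool used, or the defence will ask why two documents disagree by four gigabytes.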
34. To preserve digital evidence, an investigator should ____________
A. Make two copies of each evidence item using a single imaging tool
B. Make a single copy of each evidence item using an approved imaging tool
C. Make two copies of each evidence item using different imaging tools
D. Only store the original evidence item
35. Travis, a computer forensics investigator, is finishing up a case he has been working on for over a month
involving copyright infringement and embezzlement. His last task is to prepare an investigative report for
the president of the company he has been working for. Travis must submit a hard copy and an electronic
copy to this president.
In what electronic format should Travis send this report?
A. TIFF-8
B. DOC
C. WPD
D. PDF
36. A forensics investigator is searching the hard drive of a computer for files that were recently moved to the
Recycle Bin.
He searches for files in C:\RECYCLED using a command line tool but does not find anything.
What is the reason for this?
A. He should search in C:\Windows\System32\RECYCLED folder
B. The Recycle Bin does not exist on the hard drive
C. The files are hidden and he must use switch to view them
D. Only FAT system contains RECYCLED folder and not NTFS
37. The offset in a hexadecimal code is:
A. The 0x at the beginning of the code
B. The 0x at the end of the code
C. The first byte after the colon
D. The last byte after the colon
38. Why should you never power on a computer that you need to acquire digital evidence from?
A. When the computer boots up, files are written to the computer rendering the data unclean
B. When the computer boots up, the system cache is cleared which could destroy evidence
C. When the computer boots up, data in the memory buffer is cleared which could destroy evidence
D. Powering on a computer has no effect when needing to acquire digital evidence from it
39. Which legal document allows law enforcement to search an office, place of business, or other locale for
evidence relating to an alleged crime?
A. Search warrant
B. Subpoena
C. Wire tap
D. Bench warrant
40. What is the slave device connected to the secondary IDE controller on a Linux OS referred to as?
A. hda
B. hdd
C. hdb
D. hdc
41. An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video
discs (DVDs) by using a large magnet.
You inform him that this method will not be effective in wiping out the data because CDs and DVDs are
_________ media used to store large amounts of data and are not affected by the magnet.
A. Magnetic
B. Optical
C. Anti-Magnetic
D. Logical
42. What will the following command accomplish?
dd if=/dev/xxx of=mbr.backup bs=512 count=1
A. Back up the master boot record
B. Restore the master boot record
C. Mount the master boot record on the first partition of the hard drive
D. Restore the first 512 bytes of the first partition of the hard drive
43. Preparing an image drive to copy files to is the first step in Linux forensics.
For this purpose, what would the following command accomplish?
dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror,sync
A. Fill the disk with zeros
B. Low-level format
C. Fill the disk with 4096 zeros
D. Copy files from the master disk to the slave disk on the secondary IDE controller
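The two commands above are one-liners, but what the 512 bytes copied by `dd ... bs=512 count=1` contain, and how an examiner proves that a wipe actually finished, are the parts worth seeing. The program below is an added example, not code from the exam page or from dd/dcfldd: it builds a constructed disk image (an assumption, so nothing touches a real device), copies and decodes its master boot record, hashes the source before and after the copy to show the acquisition was read-only, then zero-fills the image the way the dcfldd invocation does and checks that no signature survives. The partition layout in the constructed MBR is made up for illustration.

```python
"""Added example: contents of an MBR backup, and verification around a zero-fill.
Works on a constructed image file so it runs without root or real hardware."""
import hashlib
import os
import struct
import tempfile

SECTOR = 512
TABLE_OFFSET = 446              # the four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"    # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def build_test_mbr():
    """Constructed MBR: zeroed boot code and one bootable NTFS-type (0x07)
    partition starting at LBA 2048 with 204800 sectors (an assumed layout)."""
    entry = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return b"\0" * TABLE_OFFSET + entry + b"\0" * 48 + BOOT_SIGNATURE


def has_boot_signature(mbr):
    return len(mbr) == SECTOR and mbr[510:512] == BOOT_SIGNATURE


def backup_mbr(image_path, out_path):
    """Same operation as `dd if=<image> of=<out> bs=512 count=1`: the first 512 bytes only."""
    with open(image_path, "rb") as src:
        mbr = src.read(SECTOR)
    with open(out_path, "wb") as dst:
        dst.write(mbr)
    return mbr


def parse_partition_table(mbr):
    """Decode the four primary partition slots; empty slots have type 0."""
    if not has_boot_signature(mbr):
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0:
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count,
                      "byte_offset": lba_start * SECTOR, "size_bytes": count * SECTOR})
    return parts


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def zero_fill(path, bs=4096):
    """Overwrite a file in place with zeros, block by block, the effect of
    `dcfldd if=/dev/zero of=<path> bs=4096 conv=noerror,sync` on a device.
    The trailing partial block is written too, so no bytes are left untouched."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(size // bs):
            f.write(b"\0" * bs)
        f.write(b"\0" * (size % bs))


def is_all_zero(path):
    with open(path, "rb") as f:
        return all(b == 0 for b in f.read())


def run_demo():
    """Image a constructed disk, show the source hash is unchanged by the
    copy, then sanitize the image and prove nothing recognisable survives."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        bak = os.path.join(d, "mbr.backup")
        with open(img, "wb") as f:
            f.write(build_test_mbr() + os.urandom(3 * 4096 + 100))  # odd length on purpose
        before = sha256_file(img)
        parts = parse_partition_table(backup_mbr(img, bak))
        after = sha256_file(img)
        zero_fill(img)
        with open(img, "rb") as f:
            first_sector = f.read(SECTOR)
        return {"backup_size": os.path.getsize(bak), "partitions": parts,
                "source_unchanged": before == after, "wiped": is_all_zero(img),
                "signature_after_wipe": has_boot_signature(first_sector)}
```

On a real evidence drive the hash-before/hash-after step is done on the device, behind a write blocker, and both digests go into the notes; on the target drive being prepared, the all-zero check is what lets you state that nothing from a previous case could contaminate the new image.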
44. A picture file is recovered from a computer under investigation. During the investigation process, the file is
enlarged 500% to get a better view of its contents.
The picture quality is not degraded at all by this process.
What kind of picture is this file?
A. Raster image
B. Vector image
C. Metafile image
D. Catalog image
45. You are called in to assist the police in an investigation involving a suspected drug dealer. The police
searched the suspect's house after a warrant was obtained and they located a floppy disk in the suspect's
bedroom. The disk contains several files, but they appear to be password protected.
What are two common methods used by password cracking software that you could use to obtain the
password?
A. Limited force and library attack
B. Brute force and dictionary attack
C. Maximum force and thesaurus attack
D. Minimum force and appendix attack
46. What advantage does the tool Evidor have over the built-in Windows search?
A. It can find deleted files even after they have been physically removed
B. It can find bad sectors on the hard drive
C. It can search slack space
D. It can find files hidden within ADS
47. An on-site incident response team is called to investigate an alleged case of computer tampering within
their company. Before proceeding with the investigation, the CEO informs them that the incident will be
classified as low level.
How long will the team have to respond to the incident and begin the investigation?
A. One working day
B. Two working days
C. Immediately
D. Four hours
48. George was recently fired from his job as an IT analyst at Pitts and Company in Dallas, Texas. His main
duties as an analyst were to support the company's Active Directory structure and to create network policies.
George now wants to break into the company's network by cracking some of the company's Active Directory
passwords.
Which password cracking technique should George use in this situation?
A. Brute force attack
B. Syllable attack
C. Rule-based attack
D. Dictionary attack
49. What term is used to describe a cryptographic technique for embedding information into something else for
the sole purpose of hiding that information from the casual observer?
A. Key escrow
B. Steganography
C. Rootkit
D. Offset
50. What type of attack sends SYN requests to a target system with spoofed IP addresses?
A. SYN flood
B. Ping of death
C. Cross site scripting
D. Land
51. Harold is a computer forensics investigator working for a consulting firm out of Atlanta Georgia. Harold is
called upon to help with a corporate espionage case in Miami Florida. Harold assists in the investigation by
pulling all the data from the computers allegedly used in the illegal activities. He finds that two suspects in
the company were stealing sensitive corporate information and selling it to competing companies. From
the email and instant messenger logs recovered, Harold has discovered that the two employees notified the
buyers by writing symbols on the back of specific stop signs. This way, the buyers knew when and where
to meet with the alleged suspects to buy the stolen material.
What type of steganography did these two suspects use?
A. Text semagram
B. Visual semagram
C. Grill cipher
D. Visual cipher
52. What is the CIDR from the following screenshot?
A. /24
B. /32
C. /16
D. /8
53. How many times can data be written to a DVD+R disk?
A. Twice
B. Once
C. Zero
D. Infinite
54. What must be obtained before an investigation is carried out at a location?
A. Search warrant
B. Subpoena
C. Habeas corpus
D. Modus operandi
55. Paul is a computer forensics investigator working for Tyler & Company Consultants. Paul has been called
upon to help investigate a computer hacking ring broken up by the local police. Paul begins to inventory the
PCs found in the hackers' hideout.
Paul then comes across a PDA left by them that is attached to a number of different peripheral devices.
What is the first step that Paul must take with the PDA to ensure the integrity of the investigation?
A. Place PDA, including all devices, in an antistatic bag
B. Unplug all connected devices
C. Power off all devices if currently on
D. Photograph and document the peripheral devices
56. During an investigation, an employee was found to have deleted harassing emails that were sent to
someone else. The company was using Microsoft Exchange and had message tracking enabled.
Where could the investigator search to find the message tracking log file on the Exchange server?
A. C:\Program Files\Exchsrvr\servername.log
B. D:\Exchsrvr\Message Tracking\servername.log
C. C:\Exchsrvr\Message Tracking\servername.log
D. C:\Program Files\Microsoft Exchange\srvr\servername.log
57. Lockdown device uses which operating system to write hard drive data?
A. Mac OS
B. Red Hat
C. Unix
D. Windows
58. What technique is used by JPEGs for compression?
A. ZIP
B. TCD
C. DCT
D. TIFF-8
59. John is working as a computer forensics investigator for a consulting firm in Canada. He is called to seize a
computer at a local web café. John thoroughly scans the computer and finds nothing that would lead him to think
the computer was a botnet server.
John decides to scan the virtual memory of the computer to possibly find something he had missed.
What information will the virtual memory scan produce?
A. It contains the times and dates of when the system was last patched
B. It is not necessary to scan the virtual memory of a computer
C. It contains the times and dates of all the system files
D. Hidden running processes
60. Which is a standard procedure to perform during all computer forensics investigations?
A. With the hard drive in the suspect PC, check the date and time in the system CMOS
B. With the hard drive removed from the suspect PC, check the date and time in the system CMOS
C. With the hard drive in the suspect PC, check the date and time in the File Allocation Table
D. With the hard drive removed from the suspect PC, check the date and time in the system RAM
61. What method of copying should always be performed first before carrying out an investigation?
A. Parity-bit copy
B. Bit-stream copy
C. MS-DOS disc copy
D. System level copy
62. In conducting a computer abuse investigation you become aware that the suspect of the investigation is
using ABC Company as his Internet Service Provider (ISP). You contact the ISP and request that they
provide you assistance with your investigation.
What assistance can the ISP provide?
A. The ISP can investigate anyone using their service and can provide you with assistance
B. The ISP can investigate computer abuse committed by their employees, but must preserve the privacy of
their customers and therefore cannot assist you without a warrant
C. The ISP cannot conduct any type of investigations on anyone and therefore cannot assist you
D. ISPs never maintain log files so they would be of no use to your investigation
63. Where is the default location for Apache access logs on a Linux computer?
A. usr/local/apache/logs/access_log
B. bin/local/home/apache/logs/access_log
C. usr/logs/access_log
D. logs/usr/apache/access_log
64. Jacob is a computer forensics investigator with over 10 years of experience in investigations and has written
over 50 articles on computer forensics. He has been called upon as a qualified witness to testify to the
accuracy and integrity of the technical log files gathered in an investigation into computer fraud.
What is the term used for Jacob's testimony in this case?
A. Justification
B. Authentication
C. Reiteration
D. Certification
65. How often must a company keep log files for them to be admissible in a court of law?
A. All log files are admissible in court no matter their frequency
B. Weekly
C. Monthly
D. Continuously
66. What file is processed at the end of a Windows XP boot to initialize the logon dialog box?
A. NTOSKRNL.EXE
B. NTLDR
C. LSASS.EXE
D. NTDETECT.COM
67. John is working on his company policies and guidelines. The section he is currently working on covers
company documents; how they should be handled, stored, and eventually destroyed. John is concerned
about the process whereby outdated documents are destroyed.
What type of shredder should John write in the guidelines to be used when destroying documents?
A. Strip-cut shredder
B. Cross-cut shredder
C. Cross-hatch shredder
D. Cris-cross shredder
68. To check for POP3 traffic using Ethereal, what port should an investigator search by?
A. 143
B. 25
C. 110
D. 125
69. What does the acronym POST mean as it relates to a PC?
A. Power On Self Test
B. Pre Operational Situation Test
C. Primary Operating System Test
D. Primary Operations Short Test
70. You are called by an author who is writing a book and wants to know how long the copyright for his
book will last after it has been published.
A. 70 years
B. The life of the author
C. The life of the author plus 70 years
D. Copyrights last forever
71. When should an MD5 hash check be performed when processing evidence?
A. After the evidence examination has been completed
B. On an hourly basis during the evidence examination
C. Before and after evidence examination
D. Before the evidence examination has been completed
72. At what layer of the OSI model does a cross-site scripting attack occur?
A. Presentation
B. Application
C. Session
D. Data Link
73. What happens when a file is deleted by a Microsoft operating system using the FAT file system?
A. The file is erased and cannot be recovered
B. The file is erased but can be recovered partially
C. A copy of the file is stored and the original file is erased
D. Only the reference to the file is removed from the FAT and can be recovered
74. Davidson Trucking is a small transportation company that has three local offices in Detroit Michigan. Ten
female employees that work for the company have gone to an attorney reporting that male employees
repeatedly harassed them and that management did nothing to stop the problem. Davidson has employee
policies that outline all company guidelines, including awareness on harassment and how it will not be
tolerated.
When the case is brought to court, whom should the prosecuting attorney call upon for not upholding
company policy?
A. IT personnel
B. Employees themselves
C. Supervisors
D. Administrative assistant in charge of writing policies
75. When searching through file headers for picture file formats, what should be searched to find a JPEG file in
hexadecimal format?
A. FF D8 FF E0 00 10
B. FF FF FF FF FF FF
C. FF 00 FF 00 FF 00
D. EF 00 EF 00 EF 00
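The bytes asked about above are the JFIF variant of a JPEG header (FF D8 is the SOI marker, FF E0 the APP0 segment, 00 10 its length, then "JFIF"); an Exif JPEG from a camera instead starts FF D8 FF E1, which is why a carving signature should stop at FF D8 FF. The code below is an added example, not part of the exam: a small header-identification table, a sweep for those headers across a raw buffer (the first step of carving unallocated space), and a JPEG cut from SOI to EOI. The sample buffer and the signature set are constructed for illustration.

```python
"""Added example: header identification and a signature sweep over raw data."""

# (magic bytes, offset at which they must appear from the start of a file)
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", 0),          # SOI then an APPn marker: E0 = JFIF, E1 = Exif
    "png":  (b"\x89PNG\r\n\x1a\n", 0),
    "gif":  (b"GIF8", 0),                  # GIF87a / GIF89a
    "pdf":  (b"%PDF-", 0),
    "zip":  (b"PK\x03\x04", 0),            # also DOCX/XLSX/JAR, which are zip containers
}
JPEG_EOI = b"\xFF\xD9"


def identify(header):
    """Classify a file from its first bytes, as a hex editor shows them."""
    for name, (magic, offset) in SIGNATURES.items():
        if header[offset:offset + len(magic)] == magic:
            return name
    return None


def find_signatures(data):
    """Every offset in a raw buffer where a known header begins, lowest first."""
    hits = []
    for name, (magic, _) in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def carve_jpeg(data, start):
    """Cut from the SOI at `start` to the next EOI marker. Entropy-coded JPEG
    data escapes 0xFF as FF 00, so FF D9 only appears at the real end or inside
    an embedded Exif thumbnail; a carver should sanity-check the result."""
    if data[start:start + 3] != SIGNATURES["jpeg"][0]:
        return None
    end = data.find(JPEG_EOI, start + 2)
    return data[start:end + 2] if end != -1 else None


# Constructed sample of "unallocated space": zeros, a JFIF header with a stub
# body and EOI, some slack, a PNG header, then FF D8 not followed by FF (not an SOI).
SAMPLE = (b"\0" * 40
          + b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01" + b"\x7f" * 20 + JPEG_EOI
          + b"trailing slack"
          + b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
          + b"\xFF\xD8\x00")
```

Matching on the first bytes only tells you what a file claims to be; a renamed or truncated file is caught by the header, but an examiner still validates the structure (segment lengths, the EOI, the PNG IHDR chunk) before trusting a carved result.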
76. Jack Smith is a forensics investigator who works for Mason Computer Investigation Services. He is
investigating a computer that was infected by Ramen Virus.
He runs the netstat command on the machine to see its current connections.
In the following screenshot, what do the 0.0.0.0 IP addresses signify?
A. Those connections are established
B. Those connections are in listening mode
C. Those connections are in closed/waiting mode
D. Those connections are in timed out/waiting mode
77. With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link
count reaches ______
A. 0
B. 1
C. 10
D. 100
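The link count in the question above can be watched directly: a POSIX filesystem (ext2 and its successors behave this way) keeps a count of directory entries pointing at each inode, `rm` only removes one entry, and the inode and its data blocks are released when the count reaches zero and no process still holds the file open. The script below is an added example, not from the exam page; it runs in a temporary directory on whatever filesystem hosts it (an assumption: it need not be ext2, only POSIX) and the file contents are made up.

```python
"""Added example: inode link counts observed with os.stat, and why an unlinked
file is still readable while a process holds it open."""
import os
import tempfile


def link_count(path):
    """st_nlink is the inode's count of directory entries (names) pointing at it."""
    return os.stat(path).st_nlink


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "ledger.txt")
        alias = os.path.join(d, "ledger.hardlink")
        with open(original, "w") as f:
            f.write("transfer 4200.00 to account 7731\n")   # constructed content
        counts = [link_count(original)]                # one name -> 1

        os.link(original, alias)                       # second name, same inode
        counts.append(link_count(original))            # -> 2

        os.unlink(alias)                               # rm is just unlink: back to 1
        counts.append(link_count(original))

        fd = os.open(original, os.O_RDONLY)            # a process still has it open
        os.unlink(original)                            # last name removed ...
        counts.append(os.fstat(fd).st_nlink)           # ... count is 0, inode still allocated
        still_readable = os.read(fd, 4096).decode()    # blocks are not freed until close
        os.close(fd)                                   # now the kernel releases the inode

        return {"counts": counts, "recovered": still_readable,
                "name_exists": os.path.exists(original)}
```

The forensic consequence: on a live Linux system a deleted file that some process still has open can be copied out through /proc/<pid>/fd/<n> before that process exits; once the last descriptor closes, the blocks go back to the free list and recovery depends on whether they have been reused.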
78. What type of flash memory card comes in either Type I or Type II and consumes only five percent of the
power required by small hard drives?
A. SD memory
B. CF memory
C. MMC memory
D. SM memory
79. Julie is a college student majoring in Information Systems and Computer Science. She is currently writing
an essay for her computer crimes class. Julie's paper focuses on white-collar crimes in America and how
forensics investigators investigate the cases.
What crime should Julie focus on?
A. Physical theft
B. Copyright infringement
C. Industrial espionage
D. Denial of Service attacks
80. A forensics investigator needs to copy data from a computer to some type of removable media so he can
examine the information at another location. The problem is that the data is around 42GB in size.
What type of removable media could the investigator use?
A. Blu-Ray single-layer
B. HD-DVD
C. Blu-Ray dual-layer
D. DVD-18
81. Steven has been given the task of designing a computer forensics lab for the company he works for. He has
found documentation on all aspects of how to design a lab except the number of exits needed.
How many exits should Steven include in his design for the computer forensics lab?
A. Three
B. One
C. Two
D. Four
82. You are working as an independent computer forensics investigator and receive a call from a systems
administrator for a local school system requesting your assistance. One of the students at the local high
school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab.
When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made
a simple copy of the hard drive in the PC in the Computer Lab.
What type of copy do you need to make to ensure that the evidence found is complete and admissible in
future proceedings?
A. Bit-stream copy
B. Robust copy
C. Full backup copy
D. Incremental backup copy
83. The newer Macintosh Operating System (MacOS X) is based on:
A. Microsoft Windows
B. OS/2
C. BSD Unix
D. Linux
84. What binary coding is used most often for e-mail purposes?
A. SMTP
B. Uuencode
C. IMAP
D. MIME
85. You have been called in to help with an investigation of an alleged network intrusion. After questioning the
members of the company's IT department, you search through the server log files to find any trace of the
intrusion. After that you decide to telnet into one of the company routers to see if there is any evidence to
be found. While connected to the router, you see some unusual activity and believe that the attackers are
currently connected to that router. You start up an ethereal session to begin capturing traffic on the router
that could be used in the investigation.
At what layer of the OSI model are you monitoring while watching traffic to and from the router?
A. Network
B. Transport
C. Data Link
D. Session
86. Which forensic investigating concept traces the whole incident from how the attack began to how the victim
was affected?
A. Point-to-point
B. End-to-end
C. Thorough
D. Complete event analysis
87. Jones had been trying to penetrate a remote production system for the past two weeks. This time however,
he is able to get into the system. He was able to use the system for a period of three weeks. However law
enforcement agencies were recording his every activity and this was later presented as evidence. The
organization had used a virtual environment to trap Jones.
What is a virtual environment?
A. A system using Trojaned commands
B. A honeypot that traps hackers
C. An environment set up after the user logs in
D. An environment set up before a user logs in
88. Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?
A. Network
B. Transport
C. Physical
D. Data Link
89. You are working as a computer forensics investigator for a corporation on a computer abuse case. You
discover evidence that shows the subject of your investigation is also embezzling money from the
company. The company CEO and the corporate legal counsel advise you to contact local law enforcement
and provide them with the evidence that you have found. The law enforcement officer that responds
requests that you put a network sniffer on your network and monitor all traffic to the subject computer.
You inform the officer that you will not be able to comply with that request because doing so would:
A. Violate your contract
B. Cause network congestion
C. Make you an agent of law enforcement
D. Write information to the subject hard drive
90. Where are files temporarily written in Unix when printing?
A. /usr/spool
B. /var/print
C. /spool
D. /var/spool
91. What type of attack occurs when an attacker can force a router to stop forwarding packets by flooding the
router with many open connections simultaneously so that all the hosts behind the router are effectively
disabled?
A. ARP redirect
B. Physical attack
C. Digital attack
D. Denial of service
92. When using Windows acquisition tools to acquire digital evidence, it is important to use a well-tested
hardware write-blocking device to _________
A. Automate collection from image files
B. Avoid copying data from the boot partition
C. Acquire data from the host-protected area on a disk
D. Prevent contamination to the evidence drive
93. All Blackberry email is eventually sent and received through what proprietary RIM-operated mechanism?
A. Blackberry Message Center
B. Microsoft Exchange
C. Blackberry WAP gateway
D. Blackberry WEP gateway
94. Sectors in hard disks typically contain how many bytes?
A. 256
B. 512
C. 1024
D. 2048
95. Which program is the boot loader when Windows XP starts up?
A. KERNEL.EXE
B. NTLDR
C. LOADER
D. LILO
96. An employee is suspected of stealing proprietary information belonging to your company that he had no
rights to possess. The information was stored on the employee's computer that was protected with the NTFS
Encrypted File System (EFS) and you had observed him copy the files to a floppy disk just before leaving
work for the weekend. You detain the employee before he leaves the building and recover the floppy disk
and secure his computer.
Will you be able to break the encryption so that you can verify that the employee was in possession of the
proprietary information?
A. EFS uses a 128-bit key that cannot be cracked, so you will not be able to recover the information
B. The EFS Revoked Key Agent can be used on the computer to recover the information
C. When the encrypted file was copied to the floppy disk, it was automatically unencrypted, so you can
recover the information
D. When the encrypted file was copied to the floppy disk, the EFS private key was also copied to the
floppy disk, so you can recover the information
97. What encryption technology is used by the Password Keeper application on Blackberry devices?
A. 3DES
B. AES
C. Blowfish
D. RC5
98. What is the first step taken in an investigation for laboratory forensic staff members?
A. Packaging the electronic evidence
B. Securing and evaluating the electronic crime scene
C. Conducting preliminary interviews
D. Transporting the electronic evidence
99. Chris has been called upon to investigate a hacking incident reported by one of his clients. The company
suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris
secures the physical area, records the scene using visual media. He shuts the system down by pulling the
power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to
disconnecting any.
What do you think would be the next sequence of events?
A. Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media
B. Prepare the system for acquisition; Connect the target media; Copy the media; Secure the evidence
C. Connect the target media; Delete the system for acquisition; Secure the evidence; Copy the media
D. Secure the evidence; Prepare the system for acquisition; Connect the target media; Copy the media
100. When monitoring for both intrusion and security events between multiple computers, it is essential that the
computers’ clocks are synchronized.
Synchronized time allows an administrator to reconstruct what took place during an attack against multiple
computers.
Without synchronized time, it is very difficult to determine exactly when specific events took place, and
how events interlace.
What is the name of the service used to synchronize time among multiple computers?
A. Time-Sync Protocol
B. SyncTime Service
C. Network Time Protocol
D. Universal Time Set
101. What information do you need to recover when searching a victim computer for a crime committed with
specific e-mail message?
A. Internet service provider information
B. E-mail header
C. Username and password
D. Firewall log
102. What type of analysis helps to identify the time and sequence of events in an investigation?
A. Time-based
B. Functional
C. Relational
D. Temporal
103. You are assigned to work in the computer forensics lab of a state police agency. While working on a high
profile criminal case, you have followed every applicable procedure, however your boss is still concerned
that the defense attorney might question whether evidence has been changed while at the lab.
What can you do to prove that the evidence is the same as it was when it first entered the lab?
A. Sign a statement attesting that the evidence is the same as it was when it entered the lab
B. There is no reason to worry about this possible claim because state labs are certified
C. Make MD5 hashes of the evidence and compare it to the standard database developed by NIST
D. Make MD5 hashes of the evidence and compare it with the original MD5 hash that was taken when the
evidence first entered the lab
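Question 103 describes the practice behind the correct answer: hash the evidence at intake and re-hash it later against that baseline. The following is an added example (not part of the exam page or of any tool it names) of that procedure in Python; the custody record structure, function names and the sample "image" bytes are constructed for illustration. It records SHA-256 alongside MD5, which is an addition here, because a second digest costs nothing and MD5 alone is no longer considered collision-resistant.

```python
import hashlib
from dataclasses import dataclass


# Hypothetical custody record: what the examiner writes down at intake.
@dataclass(frozen=True)
class CustodyRecord:
    item_id: str
    size: int
    md5: str
    sha256: str


def hash_stream(chunks):
    """Hash an iterable of byte chunks; returns (md5_hex, sha256_hex, byte_count).

    Chunked hashing lets the same routine handle a multi-gigabyte disk image
    without loading it into memory.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return md5.hexdigest(), sha256.hexdigest(), size


def chunked(data: bytes, block: int = 4096):
    """Yield fixed-size slices of an in-memory byte string (stand-in for file reads)."""
    for i in range(0, len(data), block):
        yield data[i:i + block]


def record_intake(item_id: str, data: bytes) -> CustodyRecord:
    """Compute and record the baseline hashes when the item enters the lab."""
    md5, sha256, size = hash_stream(chunked(data))
    return CustodyRecord(item_id, size, md5, sha256)


def verify_unchanged(record: CustodyRecord, data: bytes) -> bool:
    """Re-hash the item and compare with the intake record.

    Every field must match; a difference in any digest means the bytes changed.
    """
    md5, sha256, size = hash_stream(chunked(data))
    return size == record.size and md5 == record.md5 and sha256 == record.sha256


# Constructed sample "evidence" standing in for a disk image (16 KiB, deterministic).
SAMPLE_IMAGE = bytes(range(256)) * 64


def demo():
    """Return (intact_verifies, tampered_verifies) for the sample image."""
    rec = record_intake("HD-001", SAMPLE_IMAGE)
    assert len(rec.md5) == 32  # an MD5 hex digest is always 32 characters
    intact = verify_unchanged(rec, SAMPLE_IMAGE)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01  # flip a single bit somewhere in the image
    altered = verify_unchanged(rec, bytes(tampered))
    return intact, altered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The baseline digests belong on the custody form (or in a signed log), not only on the examiner's workstation, so that the later comparison is against a value the defense can inspect.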
104. Cylie is investigating a network breach at a state organization in Florida. She discovers that the intruders
were able to gain access into the company firewalls by overloading them with IP packets.
Cylie then discovers through her investigation that the intruders hacked into the company phone system and
used the hard drives on their PBX system to store shared music files.
What would this attack on the company's PBX system be called?
A. Phreaking
B. Squatting
C. Crunching
D. Pretexting
105. A suspect is accused of violating the acceptable use of computing resources, as he has visited adult
websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit
these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he
has removed any images he might have downloaded.
What can the investigator do to prove the violation? Choose the most feasible option.
A. Image the disk and try to recover deleted files
B. Seek the help of co-workers who are eye-witnesses
C. Check the Windows registry for connection data (You may or may not recover)
D. Approach the websites for evidence
106. What is the name of the standard Linux command that can be used to create bit-stream images?
A. mcopy
B. image
C. MD5
D. dd
107. What will the following command accomplish in Linux?
fdisk /dev/hda
A. Partition the hard drive
B. Format the hard drive
C. Delete all files under the /dev/hda folder
D. Fill the disk with zeros
108. If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector
investigation and should be referred to law enforcement?
A. True
B. False
109. In the following email header, where did the email first originate from?
A. Somedomain.com
B. Smtp1.somedomain.com
C. Simon1.state.ok.gov.us
D. David1.state.ok.gov.us
110. A computer forensics investigator is inspecting the firewall logs for a large financial institution that has
employees working 24 hours a day, 7 days a week.
What can the investigator infer from the screenshot seen below?
A. A smurf attack has been attempted
B. A denial of service has been attempted
C. Network intrusion has occurred
D. Buffer overflow attempt on the firewall.
111. One way to identify the presence of hidden partitions on a suspect hard drive is to:
A. Add up the total size of all known partitions and compare it to the total size of the hard drive
B. Examine the FAT and identify hidden partitions by noting an in the Partition Type field
C. Examine the LILO and note an in the Partition Type field
D. It is not possible to have hidden partitions on a hard drive
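The technique in question 111's first option, summing the known partitions and comparing against the disk size, can be automated. Below is an added Python example (not from the exam page or any forensic tool it names) that parses a classic MBR partition table, totals the allocated sectors and lists every unallocated range. The MBR bytes and the disk size are constructed for the example; on a real disk the first 512 bytes of the device and its sector count would be read from an image. GPT-partitioned disks carry their table in the GPT header instead and are not handled here.

```python
import struct

MBR_TABLE_OFFSET = 446        # the four 16-byte partition entries start here
ENTRY_FMT = "<BxxxBxxxII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
SECTOR_BYTES = 512


def parse_mbr_partitions(mbr: bytes):
    """Return the non-empty entries of a classic MBR partition table."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, MBR_TABLE_OFFSET + i * 16)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({"slot": i, "type": ptype, "start": start,
                      "count": count, "bootable": status == 0x80})
    return parts


def unallocated_gaps(parts, total_sectors):
    """List (start, length) sector ranges that no partition entry covers."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["count"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def audit_disk(mbr: bytes, total_sectors: int):
    """Compare the sum of partition sizes with the disk size, as option A describes."""
    parts = parse_mbr_partitions(mbr)
    allocated = sum(p["count"] for p in parts)
    return {
        "partitions": parts,
        "allocated_sectors": allocated,
        "unaccounted_sectors": total_sectors - allocated,
        "gaps": unallocated_gaps(parts, total_sectors),
    }


def build_sample_mbr(entries):
    """Construct a synthetic MBR from (type, lba_start, sector_count) tuples."""
    mbr = bytearray(512)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, MBR_TABLE_OFFSET + i * 16,
                         0x00, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample: a 1 GiB disk (2,097,152 sectors) with an NTFS and a Linux
# partition that together leave about 255 MiB at the end unaccounted for.
SAMPLE_TOTAL_SECTORS = 2_097_152
SAMPLE_MBR = build_sample_mbr([(0x07, 2048, 1_048_576), (0x83, 1_050_624, 524_288)])

if __name__ == "__main__":
    report = audit_disk(SAMPLE_MBR, SAMPLE_TOTAL_SECTORS)
    for start, length in report["gaps"]:
        mib = length * SECTOR_BYTES // 2**20
        print(f"unallocated: sectors {start}-{start + length - 1} ({mib} MiB)")
```

A small gap before the first partition (here 1 MiB) is normal alignment space. A large gap, especially one at the end of the disk or between partitions, is a lead rather than proof: the next step is to carve or hash those raw sectors, since they may hold a deliberately unlisted partition, a vendor recovery area, or simply never-used space.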
112. When investigating a wireless attack, what information can be obtained from the DHCP logs?
A. The operating system of the attacker and victim computers
B. IP traffic between the attacker and the victim
C. MAC address of the attacker
D. If any computers on the network are running in promiscuous mode
113. This type of testimony is presented by someone who does the actual fieldwork and does not offer a view in
court.
A. Civil litigation testimony
B. Expert testimony
C. Victim advocate testimony
D. Technical testimony
114. On an Active Directory network using NTLM authentication, where on the domain controllers are the
passwords stored?
A. SAM
B. AMS
C. Shadow file
D. Password.conf
115. Why is it still possible to recover files that have been emptied from the Recycle Bin on a Windows
computer?
A. The data is still present until the original location of the file is used
B. The data is moved to the Restore directory and is kept there indefinitely
C. The data will reside in the L2 cache on a Windows computer until it is manually deleted
D. It is not possible to recover data that has been emptied from the Recycle Bin
116. When is it appropriate to use computer forensics?
A. If copyright and intellectual property theft/misuse has occurred
B. If employees do not care for their boss's management techniques
C. If sales drop off for no apparent reason for an extended period of time
D. If a financial institution is burglarized by robbers
117. Madison is on trial for allegedly breaking into her university's internal network. The police raided her dorm
room and seized all of her computer equipment. Madison's lawyer is trying to convince the judge that the
seizure was unfounded and baseless.
Which US Amendment is Madison's lawyer trying to prove the police violated?
A. The 10th Amendment
B. The 5th Amendment
C. The 1st Amendment
D. The 4th Amendment
118. Using Linux to carry out a forensics investigation, what would the following command accomplish?
dd if=/usr/home/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror
A. Search for disk errors within an image file
B. Backup a disk to an image file
C. Copy a partition to an image file
D. Restore a disk from an image file
119. In handling computer-related incidents, which IT role should be responsible for recovery, containment, and
prevention to constituents?
A. Security Administrator
B. Network Administrator
C. Director of Information Technology
D. Director of Administration
120. In a computer forensics investigation, what describes the route that evidence takes from the time you find it
until the case is closed or goes to court?
A. Policy of separation
B. Chain of custody
C. Rules of evidence
D. Law of probability
121. You are working as an investigator for a corporation and you have just received instructions from your
manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to
complete the required evidence custody forms to properly document each piece of evidence as other
members of your team collect it. Your manager instructs you to complete one multi-evidence form for the
entire case and a single-evidence form for each hard drive.
How will these forms be stored to help preserve the chain of custody of the case?
A. All forms should be placed in an approved secure container because they are now primary evidence in
the case
B. The multi-evidence form should be placed in an approved secure container with the hard drives and the
single-evidence forms should be placed in the report file
C. All forms should be placed in the report file because they are now primary evidence in the case
D. The multi-evidence form should be placed in the report file and the single-evidence forms should be
kept with each hard drive in an approved secure container
122. What will the following Linux command accomplish?
dd if=/dev/mem of=/home/sam/mem.bin bs=1024
A. Copy the master boot record to a file
B. Copy the contents of the system folder em to a file
C. Copy the running memory to a file
D. Copy the memory dump file to an image file
123. Before performing a logical or physical search of a drive in Encase, what must be added to the program?
A. File signatures
B. Keywords
C. Hash sets
D. Bookmarks
124. You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large
pharmaceutical manufacturer. While at the corporate office of the company, the CEO demands to know the
status of the investigation.
What prevents you from discussing the case with the CEO?
A. The attorney-work-product rule
B. Good manners
C. Trade secrets
D. ISO 17799
125. When a router receives an update for its routing table, what is the metric value change to that path?
A. Increased by 2
B. Decreased by 1
C. Increased by 1
D. Decreased by 2
126. When operating systems mark a cluster as used but not allocated, the cluster is considered as _________
A. Corrupt
B. Bad
C. Lost
D. Unallocated
127. You are assisting in the investigation of a possible Web Server hack. The company who called you stated
that customers reported to them that whenever they entered the web address of the company in their
browser, what they received was a pornographic web site. The company checked the web server and
nothing appears wrong. When you type in the IP address of the web site in your browser everything appears
normal.
What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those
servers directing users to the wrong web site?
A. ARP Poisoning
B. DNS Poisoning
C. HTTP redirect attack
D. IP Spoofing
128. When cataloging digital evidence, the primary goal is to
A. Make bit-stream images of all hard drives
B. Preserve evidence integrity
C. Not remove the evidence from the scene
D. Not allow the computer to be turned off
129. While looking through the IIS log file of a web server, you find the following entries:
What is evident from this log file?
A. Web bugs
B. Cross site scripting
C. Hidden fields
D. SQL injection is possible
130. Why would you need to find out the gateway of a device when investigating a wireless attack?
A. The gateway will be the IP of the proxy server used by the attacker to launch the attack
B. The gateway will be the IP of the attacker computer
C. The gateway will be the IP used to manage the RADIUS server
D. The gateway will be the IP used to manage the access point
131. During the course of a corporate investigation, you find that an employee is committing a federal crime.
Can the employer file a criminal complaint with the police?
A. Yes, and all evidence can be turned over to the police
B. Yes, but only if you turn the evidence over to a district judge
C. No, because the investigation was conducted without following standard police procedures
D. No, because the investigation was conducted without a warrant
132. Using Internet logging software to investigate a case of malicious use of computers, the investigator comes
across some entries that appear odd.
From the log, the investigator can see where the person in question went on the Internet.
From the log, it appears that the user was manually typing in different user ID numbers.
What technique was this user trying?
A. Parameter tampering
B. Cross site scripting
C. SQL injection
D. Cookie Poisoning
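The pattern question 132 describes, a user stepping through consecutive ID values in a request parameter, is something an investigator can pull out of a web or proxy log mechanically rather than by eye. The following is an added Python example (not from the exam page or any logging product) that parses Common Log Format lines, collects the integer value of a chosen query parameter per client address, and flags clients whose distinct values form a run of consecutive integers. The log lines are constructed for the example and the threshold is a hypothetical tuning value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format fields the detector needs: client address and request path.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def extract_param(line, param):
    """Return (client, integer value of `param`) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    values = parse_qs(urlsplit(m["path"]).query).get(param)
    if not values:
        return None
    try:
        return m["client"], int(values[0])
    except ValueError:
        return None  # non-numeric value: not the pattern we are looking for


def detect_id_enumeration(lines, param="id", min_distinct=5):
    """Flag clients whose distinct values of `param` form a consecutive run.

    min_distinct is a hypothetical threshold: require at least this many
    distinct values, and nearly all of them one step apart.
    """
    per_client = {}
    for line in lines:
        hit = extract_param(line, param)
        if hit:
            client, value = hit
            per_client.setdefault(client, []).append(value)
    findings = {}
    for client, ids in per_client.items():
        distinct = sorted(set(ids))
        steps = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
        if len(distinct) >= min_distinct and steps >= min_distinct - 1:
            findings[client] = distinct
    return findings


# Constructed sample log: one client walks id=1001..1008, another behaves normally.
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Oct/2012:13:55:{36 + i:02d} +0000] '
    f'"GET /account?id={1001 + i} HTTP/1.1" 200 512'
    for i in range(8)
] + [
    '10.0.0.9 - - [10/Oct/2012:13:56:10 +0000] "GET /account?id=1001 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2012:13:56:12 +0000] "GET /account?id=1001 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2012:13:57:30 +0000] "GET /account?id=2044 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2012:13:58:01 +0000] "GET /help HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for client, ids in detect_id_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {len(ids)} consecutive ids from {ids[0]} to {ids[-1]}")
```

The output of the detector is a list of clients and the ID ranges they touched; whether any of those records belonged to other users is the follow-up question for the application's own access logs and the case file.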
133. Why would a company issue a dongle with the software they sell?
A. To provide source code protection
B. To provide wireless functionality with the software
C. To provide copyright protection
D. To ensure that keyloggers cannot be used
134. What feature of Windows is the following command trying to utilize?
A. White space
B. AFS
C. ADS
D. Slack file
135. Harold is finishing up a report on a case of network intrusion, corporate spying, and embezzlement that he
has been working on for over six months.
He is trying to find the right term to use in his report to describe network-enabled spying.
What term should Harold use?
A. Spycrack
B. Spynet
C. Netspionage
D. Hackspionage
136. What is considered a grant of a property right given to an individual who discovers or invents a new
machine, process, useful composition of matter or manufacture?
A. Copyright
B. Design patent
C. Trademark
D. Utility patent
137. Where is the startup configuration located on a router?
A. Static RAM
B. BootROM
C. NVRAM
D. Dynamic RAM
138. You are working for a large clothing manufacturer as a computer forensics investigator and are called in to
investigate an unusual case of an employee possibly stealing clothing designs from the company and selling
them under a different brand name for a different company.
What you discover during the course of the investigation is that the clothing designs are actually original
products of the employee and the company has no policy against an employee selling his own designs on
his own time.
The only thing that you can find that the employee is doing wrong is that his clothing design incorporates
the same graphic symbol as that of the company with only the wording in the graphic being different.
What area of the law is the employee violating?
A. Copyright law
B. Brandmark law
C. Trademark law
D. Printright law
139. You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB
storage area networks that store customer data.
What method would be most efficient for you to acquire digital evidence from this network?
A. Make a bit-stream disk-to-disk file
B. Make a bit-stream disk-to-image file
C. Create a sparse data copy of a folder or file
D. Create a compressed copy of the file with DoubleSpace
140. While searching through a computer under investigation, you discover numerous files that appear to have
had the first letter of the file name replaced by the hex code byte 5h.
What does this indicate on the computer?
A. The files have been marked as hidden
B. The files have been marked for deletion
C. The files are corrupt and cannot be recovered
D. The files have been marked as read-only
141. While presenting his case to the court, Simon calls many witnesses to the stand to testify. Simon decides to
call Hillary Taft, a lay witness, to the stand.
Since Hillary is a lay witness, what field would she be considered an expert in?
A. Technical material related to forensics
B. No particular field
C. Judging the character of defendants/victims
D. Legal issues
142. Microsoft Outlook maintains email messages in a proprietary format in what type of file?
A. .email
B. .mail
C. .pst
D. .doc
143. The use of warning banners helps a company avoid litigation by overcoming an employee's assumed
_________ when connecting to the company intranet, network, or virtual private network (VPN) and will
allow the company investigators to monitor, search, and retrieve information stored within the network.
A. Right to work
B. Right of free speech
C. Right to Internet access
D. Right of privacy
144. What stage of the incident handling process involves reporting events?
A. Containment
B. Follow-up
C. Identification
D. Recovery
145. When investigating a computer forensics case where Microsoft Exchange and Blackberry Enterprise server
are used, where would the investigator need to search to find email sent from a Blackberry device?
A. RIM Messaging center
B. Blackberry Enterprise server
C. Microsoft Exchange server
D. Blackberry desktop redirector
146. What type of attack sends spoofed UDP packets (instead of ping packets) with a fake source address to the
IP broadcast address of a large network?
A. Fraggle
B. Smurf scan
C. SYN flood
D. Teardrop
147. The police believe that Mevin Matthew has been obtaining unauthorized access to computers belonging to
numerous computer software and computer operating systems manufacturers, cellular telephone
manufacturers, Internet Service Providers, and educational institutions. They also suspect that he has been
stealing, copying, and misappropriating proprietary computer software belonging to the several victim
companies.
What is preventing the police from breaking down the suspect's door and searching his home and seizing all
of his computer equipment if they have not yet obtained a warrant?
A. The USA Patriot Act
B. The Good Samaritan Laws
C. The Federal Rules of Evidence
D. The Fourth Amendment
148. How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?
A. 16
B. 32
C. 64
D. 48