Independence Day Special Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 1b2718643m

312-49v10 Exam Dumps - Computer Hacking Forensic Investigator (CHFI-v10)

Question # 4

NTFS sets a flag for the file once you encrypt it and creates an EFS attribute where it stores Data Decryption Field (DDF) and Data Recovery Field (DDR). Which of the following is not a part of DDF?

A.

Encrypted FEK

B.

Checksum

C.

EFS Certificate Hash

D.

Container Name

Full Access
Question # 5

Adam, a forensic analyst, is preparing VMs for analyzing a malware. Which of the following is NOT a best practice?

A.

Isolating the host device

B.

Installing malware analysis tools

C.

Using network simulation tools

D.

Enabling shared folders

Full Access
Question # 6

What do you call the process in which an attacker uses magnetic field over the digital media device to delete any previously stored data?

A.

Disk deletion

B.

Disk cleaning

C.

Disk degaussing

D.

Disk magnetization

Full Access
Question # 7

Which of the following setups should a tester choose to analyze malware behavior?

A.

A virtual system with internet connection

B.

A normal system without internet connect

C.

A normal system with internet connection

D.

A virtual system with network simulation for internet connection

Full Access
Question # 8

To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can only reach the bank web site 10.20.20.1 using https. Which of the following firewall rules meets this requirement?

A.

if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then permit

B.

if (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 80 or 443) then permit

C.

if (source matches 10.10.10.0 and destination matches 10.20.20.1 and port matches 443) then permit

Full Access
Question # 9

Which of the following statements is true regarding SMTP Server?

A.

SMTP Server breaks the recipient’s address into Recipient’s name and his/her designation before passing it to the DNS Server

B.

SMTP Server breaks the recipient's address into Recipient’s name and recipient’s address before passing it to the DNS Server

C.

SMTP Server breaks the recipient’s address into Recipient’s name and domain name before passing it to the DNS Server

D.

SMTP Server breaks the recipient’s address into Recipient’s name and his/her initial before passing it to the DNS Server

Full Access
Question # 10

What is an investigator looking for in the rp.log file stored in a system running on Windows 10 operating system?

A.

Restore point interval

B.

Automatically created restore points

C.

System CheckPoints required for restoring

D.

Restore point functions

Full Access
Question # 11

Which of the following information is displayed when Netstat is used with -ano switch?

A.

Ethernet statistics

B.

Contents of IP routing table

C.

Details of routing table

D.

Details of TCP and UDP connections

Full Access
Question # 12

Examination of a computer by a technically unauthorized person will almost always result in:

A.

Rendering any evidence found inadmissible in a court of law

B.

Completely accurate results of the examination

C.

The chain of custody being fully maintained

D.

Rendering any evidence found admissible in a court of law

Full Access
Question # 13

Which of the following Perl scripts will help an investigator to access the executable image of a process?

A.

Lspd.pl

B.

Lpsi.pl

C.

Lspm.pl

D.

Lspi.pl

Full Access
Question # 14

Data Files contain Multiple Data Pages, which are further divided into Page Header, Data Rows, and Offset Table. Which of the following is true for Data Rows?

A.

Data Rows store the actual data

B.

Data Rows present Page type. Page ID, and so on

C.

Data Rows point to the location of actual data

D.

Data Rows spreads data across multiple databases

Full Access
Question # 15

Which among the following laws emphasizes the need for each Federal agency to develop, document, and implement an organization-wide program to provide information security for the information systems that support its operations and assets?

A.

FISMA

B.

HIPAA

C.

GLBA

D.

SOX

Full Access
Question # 16

Which of the following is a device monitoring tool?

A.

Capsa

B.

Driver Detective

C.

Regshot

D.

RAM Capturer

Full Access
Question # 17

Which of the following web browser uses the Extensible Storage Engine (ESE) database format to store browsing records, including history, cache, and cookies?

A.

Safari

B.

Mozilla Firefox

C.

Microsoft Edge

D.

Google Chrome

Full Access
Question # 18

What does the Rule 101 of Federal Rules of Evidence states?

A.

Scope of the Rules, where they can be applied

B.

Purpose of the Rules

C.

Limited Admissibility of the Evidence

D.

Rulings on Evidence

Full Access
Question # 19

In a Linux-based system, what does the command “Last -F” display?

A.

Login and logout times and dates of the system

B.

Last run processes

C.

Last functions performed

D.

Recently opened files

Full Access
Question # 20

What must an attorney do first before you are called to testify as an expert?

A.

Qualify you as an expert witness

B.

Read your curriculum vitae to the jury

C.

Engage in damage control

D.

Prove that the tools you used to conduct your examination are perfect

Full Access
Question # 21

Which of the following processes is part of the dynamic malware analysis?

A.

Process Monitoring

B.

Malware disassembly

C.

Searching for the strings

D.

File fingerprinting

Full Access
Question # 22

Chong-lee, a forensics executive, suspects that a malware is continuously making copies of files and folders on a victim system to consume the available disk space. What type of test would confirm his claim?

A.

File fingerprinting

B.

Identifying file obfuscation

C.

Static analysis

D.

Dynamic analysis

Full Access
Question # 23

During the trial, an investigator observes that one of the principal witnesses is severely ill and cannot be present for the hearing. He decides to record the evidence and present it to the court. Under which rule should he present such evidence?

A.

Rule 1003: Admissibility of Duplicates

B.

Limited admissibility

C.

Locard’s Principle

D.

Hearsay

Full Access
Question # 24

What is cold boot (hard boot)?

A.

It is the process of restarting a computer that is already in sleep mode

B.

It is the process of shutting down a computer from a powered-on or on state

C.

It is the process of restarting a computer that is already turned on through the operating system

D.

It is the process of starting a computer from a powered-down or off state

Full Access
Question # 25

Which command line tool is used to determine active network connections?

A.

netsh

B.

nbstat

C.

nslookup

D.

netstat

Full Access
Question # 26

Andie, a network administrator, suspects unusual network services running on a windows system. Which of the following commands should he use to verify unusual network services started on a Windows system?

A.

net serv

B.

netmgr

C.

lusrmgr

D.

net start

Full Access
Question # 27

POP3 is an Internet protocol, which is used to retrieve emails from a mail server. Through which port does an email client connect with a POP3 server?

A.

110

B.

143

C.

25

D.

993

Full Access
Question # 28

An investigator enters the command sqlcmd -S WIN-CQQMK62867E -e -s"," -E as part of collecting the primary data file and logs from a database. What does the "WIN-CQQMK62867E” represent?

A.

Name of the Database

B.

Name of SQL Server

C.

Operating system of the system

D.

Network credentials of the database

Full Access
Question # 29

An attacker has compromised a cloud environment of a company and used the employee information to perform an identity theft attack. Which type of attack is this?

A.

Cloud as a subject

B.

Cloud as a tool

C.

Cloud as an object

D.

Cloud as a service

Full Access
Question # 30

While collecting Active Transaction Logs using SQL Server Management Studio, the query Select * from ::fn_dblog(NULL, NULL) displays the active portion of the transaction log file. Here, assigning NULL values implies?

A.

Start and end points for log sequence numbers are specified

B.

Start and end points for log files are not specified

C.

Start and end points for log files are specified

D.

Start and end points for log sequence numbers are not specified

Full Access
Question # 31

What is the default IIS log location?

A.

SystemDrive\inetpub\LogFiles

B.

%SystemDrive%\inetpub\logs\LogFiles

C.

%SystemDrive\logs\LogFiles

D.

SystemDrive\logs\LogFiles

Full Access
Question # 32

Which network attack is described by the following statement?

“At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries.”

A.

DDoS

B.

Sniffer Attack

C.

Buffer Overflow

D.

Man-in-the-Middle Attack

Full Access
Question # 33

Paraben Lockdown device uses which operating system to write hard drive data?

A.

Mac OS

B.

Red Hat

C.

Unix

D.

Windows

Full Access
Question # 34

What type of analysis helps to identify the time and sequence of events in an investigation?

A.

Time-based

B.

Functional

C.

Relational

D.

Temporal

Full Access
Question # 35

When marking evidence that has been collected with the aa/ddmmyy/nnnn/zz format, what does the nnn denote?

 

A.

The year the evidence was taken

B.

The sequence number for the parts of the same exhibit

C.

The initials of the forensics analyst

D.

The sequential number of the exhibits seized

Full Access
Question # 36

Which of the following options will help users to enable or disable the last access time on a system running Windows 10 OS?

A.

wmic service

B.

Reg.exe

C.

fsutil

D.

Devcon

Full Access
Question # 37

Julie is a college student majoring in Information Systems and Computer Science. She is currently writing an essay for her computer crimes class. Julie paper focuses on white-collar crimes in America and how forensics investigators investigate the cases. Julie would like to focus the subject. Julie would like to focus the subject of the essay on the most common type of crime found in corporate America. What crime should Julie focus on?

A.

Physical theft

B.

Copyright infringement

C.

Industrial espionage

D.

Denial of Service attacks

Full Access
Question # 38

Under confession, an accused criminal admitted to encrypting child pornography pictures and then hiding them within other pictures. What technique did the accused criminal employ?

A.

Typography

B.

Steganalysis

C.

Picture encoding

D.

Steganography

Full Access
Question # 39

In a virtual test environment, Michael is testing the strength and security of BGP using multiple routers to mimic the backbone of the Internet. This project will help him write his doctoral thesis on "bringing down the Internet". Without sniffing the traffic between the routers, Michael sends millions of RESET packets to the routers in an attempt to shut one or all of them down. After a few hours, one of the routers finally shuts itself down. What will the other routers communicate between themselves?

A.

The change in the routing fabric to bypass the affected router

B.

More RESET packets to the affected router to get it to power back up

C.

RESTART packets to the affected router to get it to power back up

D.

STOP packets to all other routers warning of where the attack originated

Full Access
Question # 40

Which of the following is an iOS Jailbreaking tool?

A.

Kingo Android ROOT

B.

Towelroot

C.

One Click Root

D.

Redsn0w

Full Access
Question # 41

The surface of a hard disk consists of several concentric rings known as tracks; each of these tracks has smaller partitions called disk blocks. What is the size of each block?

A.

512 bits

B.

512 bytes

C.

256 bits

D.

256 bytes

Full Access
Question # 42

Billy, a computer forensics expert, has recovered a large number of DBX files during the forensic investigation of a laptop. Which of the following email clients can he use to analyze the DBX files?

A.

Microsoft Outlook

B.

Eudora

C.

Mozilla Thunderbird

D.

Microsoft Outlook Express

Full Access
Question # 43

Where are files temporarily written in Unix when printing?

A.

/usr/spool

B.

/var/print

C.

/spool

D.

/var/spool

Full Access
Question # 44

What layer of the OSI model do TCP and UDP utilize?

A.

Data Link

B.

Network

C.

Transport

D.

Session

Full Access
Question # 45

Which of the following files gives information about the client sync sessions in Google Drive on Windows?

A.

sync_log.log

B.

Sync_log.log

C.

sync.log

D.

Sync.log

Full Access
Question # 46

What technique used by Encase makes it virtually impossible to tamper with evidence once it has been acquired?

A.

Every byte of the file(s) is given an MD5 hash to match against a master file

B.

Every byte of the file(s) is verified using 32-bit CRC

C.

Every byte of the file(s) is copied to three different hard drives

D.

Every byte of the file(s) is encrypted using three different methods

Full Access
Question # 47

Jason discovered a file named $RIYG6VR.doc in the C:\$Recycle.Bin\\ while analyzing a hard disk image for the deleted data. What inferences can he make from the file name?

A.

It is a doc file deleted in seventh sequential order

B.

RIYG6VR.doc is the name of the doc file deleted from the system

C.

It is file deleted from R drive

D.

It is a deleted doc file

Full Access
Question # 48

Davidson Trucking is a small transportation company that has three local offices in Detroit Michigan. Ten female employees that work for the company have gone to an attorney reporting that male employees repeatedly harassed them and that management did nothing to stop the problem. Davidson has employee policies that outline all company guidelines, including awareness on harassment and how it will not be tolerated. When the case is brought to court, whom should the prosecuting attorney call upon for not upholding company policy?

A.

IT personnel

B.

Employees themselves

C.

Supervisors

D.

Administrative assistant in charge of writing policies

Full Access
Question # 49

An investigator is searching through the firewall logs of a company and notices ICMP packets that are larger than 65,536 bytes. What type of activity is the investigator seeing?

A.

Smurf

B.

Ping of death

C.

Fraggle

D.

Nmap scan

Full Access
Question # 50

Which of the following techniques can be used to beat steganography?

A.

Encryption

B.

Steganalysis

C.

Decryption

D.

Cryptanalysis

Full Access
Question # 51

Where does Encase search to recover NTFS files and folders?

A.

MBR

B.

MFT

C.

Slack space

D.

HAL

Full Access
Question # 52

Which forensic investigating concept trails the whole incident from how the attack began to how the victim was affected?

A.

Point-to-point

B.

End-to-end

C.

Thorough

D.

Complete event analysis

Full Access
Question # 53

Bob has encountered a system crash and has lost vital data stored on the hard drive of his Windows computer. He has no cloud storage or backup hard drives. he wants to recover all those data, which includes his personal photos, music, documents, videos, official email, etc. Which of the following tools shall resolve Bob’s purpose?

A.

Colasoft’s Capsa

B.

Recuva

C.

Cain & Abel

D.

Xplico

Full Access
Question # 54

Which network attack is described by the following statement? "At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries."

A.

Man-in-the-Middle Attack

B.

Sniffer Attack

C.

Buffer Overflow

D.

DDoS

Full Access
Question # 55

Steven has been given the task of designing a computer forensics lab for the company he works for. He has found documentation on all aspects of how to design a lab except the number of exits needed. How many exits should Steven include in his design for the computer forensics lab?

A.

Three

B.

One

C.

Two

D.

Four

Full Access
Question # 56

Which of the following tool enables a user to reset his/her lost admin password in a Windows system?

A.

Advanced Office Password Recovery

B.

Active@ Password Changer

C.

Smartkey Password Recovery Bundle Standard

D.

Passware Kit Forensic

Full Access
Question # 57

What file is processed at the end of a Windows XP boot to initialize the logon dialog box?

A.

NTOSKRNL.EXE

B.

NTLDR

C.

LSASS.EXE

D.

NTDETECT.COM

Full Access
Question # 58

On an Active Directory network using NTLM authentication, where on the domain controllers are the passwords stored?

A.

SAM

B.

AMS

C.

Shadow file

D.

Password.conf

Full Access
Question # 59

The investigator wants to examine changes made to the system’s registry by the suspect program. Which of the following tool can help the investigator?

A.

TRIPWIRE

B.

RAM Capturer

C.

Regshot

D.

What’s Running

Full Access
Question # 60

Ivanovich, a forensics investigator, is trying to extract complete information about running processes from a system. Where should he look apart from the RAM and virtual memory?

A.

Swap space

B.

Application data

C.

Files and documents

D.

Slack space

Full Access
Question # 61

Which part of the Windows Registry contains the user's password file?

A.

HKEY_LOCAL_MACHINE

B.

HKEY_CURRENT_CONFIGURATION

C.

HKEY_USER

D.

HKEY_CURRENT_USER

Full Access
Question # 62

It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner?

A.

by law, three

B.

quite a few

C.

only one

D.

at least two

Full Access
Question # 63

You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics lab. How many law-enforcement computer investigators should you request to staff the lab?

A.

8

B.

1

C.

4

D.

2

Full Access
Question # 64

On Linux/Unix based Web servers, what privilege should the daemon service be run under?

A.

Guest

B.

Root

C.

You cannot determine what privilege runs the daemon service

D.

Something other than root

Full Access
Question # 65

The rule of thumb when shutting down a system is to pull the power plug. However, it has certain drawbacks. Which of the following would that be?

A.

Any data not yet flushed to the system will be lost

B.

All running processes will be lost

C.

The /tmp directory will be flushed

D.

Power interruption will corrupt the pagefile

Full Access
Question # 66

When examining a file with a Hex Editor, what space does the file header occupy?

A.

the last several bytes of the file

B.

the first several bytes of the file

C.

none, file headers are contained in the FAT

D.

one byte at the beginning of the file

Full Access
Question # 67

You are called by an author who is writing a book and he wants to know how long the copyright for his book will last after he has the book published?

A.

70 years

B.

the life of the author

C.

the life of the author plus 70 years

D.

copyrights last forever

Full Access
Question # 68

A law enforcement officer may only search for and seize criminal evidence with _______________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists and the evidence of the specific crime exists at the place to be searched.

A.

Mere Suspicion

B.

A preponderance of the evidence

C.

Probable cause

D.

Beyond a reasonable doubt

Full Access
Question # 69

You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents. Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer?

A.

Stringsearch

B.

grep

C.

dir

D.

vim

Full Access
Question # 70

You work as an IT security auditor hired by a law firm in Boston to test whether you can gain access to sensitive information about the company clients. You have rummaged through their trash and found very little information. You do not want to set off any alarms on their network, so you plan on performing passive foot printing against their Web servers. What tool should you use?

A.

Ping sweep

B.

Nmap

C.

Netcraft

D.

Dig

Full Access
Question # 71

The objective of this act was to protect consumers’ personal financial information held by financial institutions and their service providers.

A.

Gramm-Leach-Bliley Act

B.

Sarbanes-Oxley 2002

C.

California SB 1386

D.

HIPAA

Full Access
Question # 72

You have compromised a lower-level administrator account on an Active Directory network of a small company in Dallas, Texas. You discover Domain Controllers through enumeration. You connect to one of the Domain Controllers on port 389 using ldp.exe. What are you trying to accomplish here?

A.

Poison the DNS records with false records

B.

Enumerate MX and A records from DNS

C.

Establish a remote connection to the Domain Controller

D.

Enumerate domain user accounts and built-in groups

Full Access
Question # 73

You are carrying out the last round of testing for your new website before it goes live. The website has many dynamic pages and connects to a SQL backend that accesses your product inventory in a database. You come across a web security site that recommends inputting the following code into a search field on web pages to check for vulnerabilities: When you type this and click on search, you receive a pop-up window that says: "This is a test."

What is the result of this test?

A.

Your website is vulnerable to CSS

B.

Your website is not vulnerable

C.

Your website is vulnerable to SQL injection

D.

Your website is vulnerable to web bugs

Full Access
Question # 74

You are the security analyst working for a private company out of France. Your current assignment is to obtain credit card information from a Swiss bank owned by that company. After initial reconnaissance, you discover that the bank security defenses are very strong and would take too long to penetrate. You decide to get the information by monitoring the traffic between the bank and one of its subsidiaries in London. After monitoring some of the traffic, you see a lot of FTP packets traveling back and forth. You want to sniff the traffic and extract usernames and passwords. What tool could you use to get this information?

A.

Airsnort

B.

Snort

C.

Ettercap

D.

RaidSniff

Full Access
Question # 75

Which is a standard procedure to perform during all computer forensics investigations?

A.

with the hard drive removed from the suspect PC, check the date and time in the system's CMOS

B.

with the hard drive in the suspect PC, check the date and time in the File Allocation Table

C.

with the hard drive removed from the suspect PC, check the date and time in the system's RAM

D.

with the hard drive in the suspect PC, check the date and time in the system's CMOS

Full Access
Question # 76

The following excerpt is taken from a honeypot log. The log captures activities across three days.

There are several intrusion attempts; however, a few are successful.

(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169

Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482

Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53

Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21

Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53

Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111

Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80

Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)

Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)

Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080

Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

From the options given below choose the one which best interprets the following entry:

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

A.

An IDS evasion technique

B.

A buffer overflow attempt

C.

A DNS zone transfer

D.

Data being retrieved from 63.226.81.13

Full Access
Question # 77

Before you are called to testify as an expert, what must an attorney do first?

A.

engage in damage control

B.

prove that the tools you used to conduct your examination are perfect

C.

read your curriculum vitae to the jury

D.

qualify you as an expert witness

Full Access
Question # 78

You have used a newly released forensic investigation tool, which doesn't meet the Daubert Test, during a case. The case has ended-up in court. What argument could the defense make to weaken your case?

A.

The tool hasn't been tested by the International Standards Organization (ISO)

B.

Only the local law enforcement should use the tool

C.

The total has not been reviewed and accepted by your peers

D.

You are not certified for using the tool

Full Access
Question # 79

Kyle is performing the final testing of an application he developed for the accounting department.

His last round of testing is to ensure that the program is as secure as possible. Kyle runs the following command. What is he testing at this point?

#include #include int main(int argc, char

*argv[]) { char buffer[10]; if (argc < 2) { fprintf (stderr, "USAGE: %s string\n", argv[0]); return 1; }

strcpy(buffer, argv[1]); return 0; }

A.

Buffer overflow

B.

SQL injection

C.

Format string bug

D.

Kernal injection

Full Access
Question # 80

If an attacker's computer sends an IPID of 31400 to a zombie computer on an open port in IDLE scanning, what will be the response?

A.

The zombie will not send a response

B.

31402

C.

31399

D.

31401

Full Access
Question # 81

When examining the log files from a Windows IIS Web Server, how often is a new log file created?

A.

the same log is used at all times

B.

a new log file is created everyday

C.

a new log file is created each week

D.

a new log is created each time the Web Server is started

Full Access
Question # 82

You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?

A.

The registry

B.

The swap file

C.

The recycle bin

D.

The metadata

Full Access
Question # 83

Bob has been trying to penetrate a remote production system for the past two weeks. This time however, he is able to get into the system. He was able to use the System for a period of three weeks. However, law enforcement agencies were recoding his every activity and this was later presented as evidence.

The organization had used a Virtual Environment to trap Bob. What is a Virtual Environment?

A.

A Honeypot that traps hackers

B.

A system Using Trojaned commands

C.

An environment set up after the user logs in

D.

An environment set up before a user logs in

Full Access
Question # 84

With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________.

A.

0

B.

10

C.

100

D.

1

Full Access
Question # 85

You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a “simple backup copy” of the hard drive in the PC and put it on this drive and requests that you examine that drive for evidence of the suspected images. You inform him that a “simple backup copy” will not provide deleted files or recover file fragments.

What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceeding?

A.

Bit-stream Copy

B.

Robust Copy

C.

Full backup Copy

D.

Incremental Backup Copy

Full Access
Question # 86

What operating system would respond to the following command?

A.

Windows 95

B.

FreeBSD

C.

Windows XP

D.

Mac OS X

Full Access
Question # 87

An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet.

A.

logical

B.

anti-magnetic

C.

magnetic

D.

optical

Full Access
Question # 88

E-mail logs contain which of the following information to help you in your investigation? (Choose four.)

A.

user account that was used to send the account

B.

attachments sent with the e-mail message

C.

unique message identifier

D.

contents of the e-mail message

E.

date and time the message was sent

Full Access
Question # 89

Under which Federal Statutes does FBI investigate for computer crimes involving e-mail scams and mail fraud?

A.

18 U.S.C. 1029 Possession of Access Devices

B.

18 U.S.C. 1030 Fraud and related activity in connection with computers

C.

18 U.S.C. 1343 Fraud by wire, radio or television

D.

18 U.S.C. 1361 Injury to Government Property

E.

18 U.S.C. 1362 Government communication systems

F.

18 U.S.C. 1831 Economic Espionage Act

G.

18 U.S.C. 1832 Trade Secrets Act

Full Access
Question # 90

This organization maintains a database of hash signatures for known software.

A.

International Standards Organization

B.

Institute of Electrical and Electronics Engineers

C.

National Software Reference Library

D.

American National standards Institute

Full Access