
312-49v9 Exam Dumps - ECCouncil Computer Hacking Forensic Investigator (V9)

Question # 4

Which of the following commands shows you the names of all open shared files on a server and the number of file locks on each file?

A. Net config
B. Net file
C. Net share
D. Net sessions

Question # 5

Adam, a forensic investigator, is investigating an attack on the Microsoft Exchange Server of a large organization. As the first step of the investigation, he examined the PRIV.EDB file and found the source from where the mail originated and the name of the file that disappeared upon execution. Now, he wants to examine the MIME stream content. Which of the following files is he going to examine?

A. PRIV.STM
B. gwcheck.db
C. PRIV.EDB
D. PUB.EDB

Question # 6

Which of the following event correlation approaches checks and compares all the fields systematically and intentionally for positive and negative correlation with each other to determine the correlation across one or multiple fields?

A. Rule-Based Approach
B. Automated Field Correlation
C. Field-Based Approach
D. Graph-Based Approach

Question # 7

Which of the following techniques can be used to beat steganography?

A. Encryption
B. Steganalysis
C. Decryption
D. Cryptanalysis

Question # 8

Bob works as an information security analyst for a big finance company. One day, the anomaly-based intrusion detection system alerted that a volumetric DDoS targeting the main IP of the main web server was occurring. What kind of attack is it?

A. IDS attack
B. APT
C. Web application attack
D. Network attack

Question # 9

An executive has leaked the company's trade secrets through an external drive. What process should the investigation team follow if they can retrieve his system?

A. Postmortem Analysis
B. Real-Time Analysis
C. Packet Analysis
D. Malware Analysis

Question # 10

What advantage does the tool Evidor have over the built-in Windows search?

A. It can find deleted files even after they have been physically removed
B. It can find bad sectors on the hard drive
C. It can search slack space
D. It can find files hidden within ADS

Question # 11

An on-site incident response team is called to investigate an alleged case of computer tampering within their company. Before proceeding with the investigation, the CEO informs them that the incident will be classified as low level. How long will the team have to respond to the incident?

A. One working day
B. Two working days
C. Immediately
D. Four hours

Question # 12

Which of the following tasks DOES NOT come under the investigation phase of a cybercrime forensics investigation case?

A. Data collection
B. Secure the evidence
C. First response
D. Data analysis

Question # 13

Pagefile.sys is a virtual memory file used to expand the physical memory of a computer. Select the registry path for the page file:

A. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
B. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\System Management
C. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Device Management
D. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

Question # 14

Who is responsible for the following tasks?

A. Non-forensics staff
B. Lawyers
C. System administrators
D. Local managers or other non-forensic staff

Question # 15

Which of the following acts as a network intrusion detection system as well as a network intrusion prevention system?

A. Acunetix
B. Nikto
C. Snort
D. Kismet

Question # 16

Which password cracking technique uses every possible combination of character sets?

A. Rainbow table attack
B. Brute force attack
C. Rule-based attack
D. Dictionary attack

Question # 17

Which of the following stages in a Linux boot process involves initialization of the system’s hardware?

A. BIOS Stage
B. Bootloader Stage
C. BootROM Stage
D. Kernel Stage

Question # 18

What layer of the OSI model do TCP and UDP utilize?

A. Data Link
B. Network
C. Transport
D. Session

Question # 19

Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in Windows 7 is:

A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList
C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegList
D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Regedit

Question # 20

John is working as a computer forensics investigator for a consulting firm in Canada. He is called to seize a computer at a local web café purportedly used as a botnet server. John thoroughly scans the computer and finds nothing that would lead him to think the computer was a botnet server. John decides to scan the virtual memory of the computer to possibly find something he had missed. What information will the virtual memory scan produce?

A. It contains the times and dates of when the system was last patched
B. It is not necessary to scan the virtual memory of a computer
C. It contains the times and dates of all the system files
D. Hidden running processes

Question # 21

The investigator wants to examine changes made to the system’s registry by the suspect program. Which of the following tools can help the investigator?

A. TRIPWIRE
B. RAM Capturer
C. Regshot
D. What’s Running

Question # 22

When should an MD5 hash check be performed when processing evidence?

A. After the evidence examination has been completed
B. On an hourly basis during the evidence examination
C. Before and after evidence examination
D. Before the evidence examination has been completed

Question # 23

Why would a company issue a dongle with the software they sell?

A. To provide source code protection
B. To provide wireless functionality with the software
C. To provide copyright protection
D. To ensure that keyloggers cannot be used

Question # 24

Which of the following is NOT a part of the pre-investigation phase?

A. Building forensics workstation
B. Gathering information about the incident
C. Gathering evidence data
D. Creating an investigation team

Question # 25

The Linux operating system has two typical bootloaders, namely LILO (Linux Loader) and GRUB (Grand Unified Bootloader). In which stage of the booting process do the bootloaders become active?

A. Bootloader Stage
B. Kernel Stage
C. BootROM Stage
D. BIOS Stage

Question # 26

On an Active Directory network using NTLM authentication, where on the domain controllers are the passwords stored?

A. SAM
B. AMS
C. Shadow file
D. Password.conf

Question # 27

Which US law does the interstate or international transportation and receiving of child pornography fall under?

A. 18 U.S.C. § 1466A
B. 18 U.S.C. § 252
C. 18 U.S.C. § 146A
D. 18 U.S.C. § 2252

Question # 28

A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?

A. Searching for evidence themselves would not have any ill effects
B. Searching could possibly crash the machine or device
C. Searching creates cache files, which would hinder the investigation
D. Searching can change date/time stamps

Question # 29

What will the following Linux command accomplish?

dd if=/dev/mem of=/home/sam/mem.bin bs=1024

A. Copy the master boot record to a file
B. Copy the contents of the system folder to a file
C. Copy the running memory to a file
D. Copy the memory dump file to an image file

Question # 30

Paul is a computer forensics investigator working for Tyler & Company Consultants. Paul has been called upon to help investigate a computer hacking ring broken up by the local police. Paul begins to inventory the PCs found in the hackers' hideout. Paul then comes across a PDA left by them that is attached to a number of different peripheral devices. What is the first step that Paul must take with the PDA to ensure the integrity of the investigation?

A. Place PDA, including all devices, in an antistatic bag
B. Unplug all connected devices
C. Power off all devices if currently on
D. Photograph and document the peripheral devices

Question # 31

Where should the investigator look for the Edge browser’s browsing records, including history, cache, and cookies?

A. ESE Database
B. Virtual Memory
C. Sparse files
D. Slack Space

Question # 32

Which of the following techniques deletes files permanently?

A. Steganography
B. Artifact Wiping
C. Data Hiding
D. Trail obfuscation

Question # 33

During an investigation of an XSS attack, the investigator comes across the term “[a-zA-Z0-9\%]+” in analyzed evidence details. What is the expression used for?

A. Checks for an upper- and lower-case alphanumeric string inside the tag, or its hex representation
B. Checks for forward slash used in HTML closing tags, its hex or double-encoded hex equivalent
C. Checks for opening angle bracket, its hex or double-encoded hex equivalent
D. Checks for closing angle bracket, its hex or double-encoded hex equivalent

Question # 34

Select the tool appropriate for examining the dynamically linked libraries of an application or malware.

A. DependencyWalker
B. SysAnalyzer
C. PEiD
D. ResourcesExtract

Question # 35

A buffer overflow vulnerability of a web application occurs when it fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites the _________. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack.

A. Adjacent memory locations
B. Adjacent bit blocks
C. Adjacent buffer locations
D. Adjacent string locations

Question # 36

Jim’s company regularly performs backups of their critical servers. But the company can’t afford to send backup tapes to an off-site vendor for long-term storage and archiving. Instead, Jim’s company keeps the backup tapes in a safe in the office. Jim’s company is audited each year, and the results from this year’s audit show a risk because backup tapes aren’t stored off-site. The Manager of Information Technology has a plan to take the backup tapes home with him and wants to know what two things he can do to secure the backup tapes while in transit.

A. Encrypt the backup tapes and use a courier to transport them.
B. Encrypt the backup tapes and transport them in a lock box.
C. Degauss the backup tapes and transport them in a lock box.
D. Hash the backup tapes and transport them in a lock box.

Question # 37

Randy has extracted data from an old version of a Windows-based system and discovered the info file Dc5.txt in the system Recycle Bin. What does the file name denote?

A. A text file deleted from C drive in sixth sequential order
B. A text file deleted from C drive in fifth sequential order
C. A text file copied from D drive to C drive in fifth sequential order
D. A text file copied from C drive to D drive in fifth sequential order

Question # 38

The Recycle Bin exists as a metaphor for throwing files away, but it also allows a user to retrieve and restore files. Once the file is moved to the Recycle Bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle Bin?

A. INFO2
B. INFO1
C. LOGINFO1
D. LOGINFO2

Question # 39

Which of the following email headers specifies an address for mailer-generated errors, like "no such user" bounce messages, to go to (instead of the sender's address)?

A. Mime-Version header
B. Content-Type header
C. Content-Transfer-Encoding header
D. Errors-To header

Question # 40

In a Linux-based system, what does the command “last -F” display?

A. Login and logout times and dates of the system
B. Last run processes
C. Last functions performed
D. Recently opened files

Question # 41

MAC filtering is a security access control methodology, where a ___________ is assigned to each network card to determine access to the network.

A. 48-bit address
B. 24-bit address
C. 16-bit address
D. 32-bit address

Question # 42

Amber, a black hat hacker, has embedded malware into a small enticing advertisement and posted it on a popular ad-network that displays across various websites. What is she doing?

A. Malvertising
B. Compromising a legitimate site
C. Click-jacking
D. Spearphishing

Question # 43

Robert, a cloud architect, received a huge bill from the cloud service provider, which usually doesn't happen. After analyzing the bill, he found that the cloud resource consumption was very high. He then examined the cloud server and discovered that malicious code was running on the server, which was generating huge but harmless traffic from the server. This means that the server has been compromised by an attacker with the sole intention of hurting the cloud customer financially. Which attack is described in the above scenario?

A. XSS Attack
B. DDoS Attack (Distributed Denial of Service)
C. Man-in-the-cloud Attack
D. EDoS Attack (Economic Denial of Service)

Question # 44

Which one of the following is not a first response procedure?

A. Preserve volatile data
B. Fill forms
C. Crack passwords
D. Take photos

Question # 45

In Windows, prefetching is done to improve system performance. There are two types of prefetching: boot prefetching and application prefetching. During boot prefetching, what does the Cache Manager do?

A. Determines the data associated with value EnablePrefetcher
B. Monitors the first 10 seconds after the process is started
C. Checks whether the data is processed
D. Checks hard page faults and soft page faults

Question # 46

Which tool allows dumping the contents of process memory without stopping the process?

A. psdump.exe
B. pmdump.exe
C. processdump.exe
D. pdump.exe

Question # 47

Which command line tool is used to determine active network connections?

A. netsh
B. nbstat
C. nslookup
D. netstat

Question # 48

Jacob is a computer forensics investigator with over 10 years of experience in investigations and has written over 50 articles on computer forensics. He has been called upon as a qualified witness to testify to the accuracy and integrity of the technical log files gathered in an investigation into computer fraud. What is the term used for Jacob’s testimony in this case?

A. Certification
B. Justification
C. Reiteration
D. Authentication

Question # 49

Which cloud model allows an investigator to acquire the instance of a virtual machine and initiate the forensics examination process?

A. PaaS model
B. IaaS model
C. SaaS model
D. SecaaS model

Question # 50

A section of your forensics lab houses several pieces of electrical and electronic equipment. Which type of fire extinguisher must you install in this area to contain any fire incident?

A. Class B
B. Class D
C. Class C
D. Class A

Question # 51

As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization’s interest and your liabilities as a tester?

A. Project Scope
B. Rules of Engagement
C. Non-Disclosure Agreement
D. Service Level Agreement

Question # 52

A forensic examiner is examining a Windows system seized from a crime scene. During the examination of a suspect file, he discovered that the file is password protected. He tried guessing the password using the suspect’s available information but without any success. Which of the following tools can help the investigator to solve this issue?

A. Cain & Abel
B. Xplico
C. Recuva
D. Colasoft’s Capsa

Question # 53

Which command can provide the investigators with details of all the loaded modules on a Linux-based system?

A. list modules -a
B. lsmod
C. plist mod -a
D. lsof -m

Question # 54

You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a “simple backup copy” of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a “simple backup copy” will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings?

A. Robust copy
B. Incremental backup copy
C. Bit-stream copy
D. Full backup copy

Question # 55

Which of the following is NOT physical evidence?

A. Removable media
B. Cables
C. Image file on a hard disk
D. Publications

Question # 56

What do the bytes 0x0B-0x53 represent in the boot sector of an NTFS volume on Windows 2000?

A. Jump instruction and the OEM ID
B. BIOS Parameter Block (BPB) and the OEM ID
C. BIOS Parameter Block (BPB) and the extended BPB
D. Bootstrap code and the end of the sector marker

Question # 57

Which of the following does Microsoft Exchange E-mail Server use for collaboration of various e-mail applications?

A. Simple Mail Transfer Protocol (SMTP)
B. Messaging Application Programming Interface (MAPI)
C. Internet Message Access Protocol (IMAP)
D. Post Office Protocol version 3 (POP3)

Question # 58

Which of the following does not describe the type of data density on a hard disk?

A. Volume density
B. Track density
C. Linear or recording density
D. Areal density

Question # 59

A Linux system is undergoing investigation. In which directory should the investigators look for its current state data if the system is in a powered-on state?

A. /auth
B. /proc
C. /var/log/debug
D. /var/spool/cron/

Question # 60

The MAC attributes are timestamps that refer to a time at which the file was last modified or last accessed or originally created. Which of the following file systems stores MAC attributes in Coordinated Universal Time (UTC) format?

A. File Allocation Table (FAT)
B. New Technology File System (NTFS)
C. Hierarchical File System (HFS)
D. Global File System (GFS)

Question # 61

From the following spam mail header, identify the host IP that sent this spam.

From jie02@netvigator.com jie02@netvigator.com Tue Nov 27 17:27:11 2001
Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk (8.11.6/8.11.6) with ESMTP id fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT)
Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1) with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT)
Message-Id: <200111270926.fAR9QXwZ018431@viruswall.ie.cuhk.edu.hk>
From: "china hotel web"
To: "Shlam"
Subject: SHANGHAI (HILTON HOTEL) PACKAGE
Date: Tue, 27 Nov 2001 17:25:58 +0800
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Reply-To: "china hotel web"

A. 137.189.96.52
B. 8.12.1.0
C. 203.218.39.20
D. 203.218.39.50

Question # 62

Bob has been trying to penetrate a remote production system for the past two weeks. This time, however, he is able to get into the system. He was able to use the system for a period of three weeks. However, law enforcement agencies were recording his every activity, and this was later presented as evidence.

The organization had used a Virtual Environment to trap Bob. What is a Virtual Environment?

A. A Honeypot that traps hackers
B. A system using Trojaned commands
C. An environment set up after the user logs in
D. An environment set up before a user logs in

Question # 63

E-mail logs contain which of the following information to help you in your investigation? (Choose four.)

A. user account that was used to send the account
B. attachments sent with the e-mail message
C. unique message identifier
D. contents of the e-mail message
E. date and time the message was sent

Question # 64

You are carrying out the last round of testing for your new website before it goes live. The website has many dynamic pages and connects to a SQL backend that accesses your product inventory in a database. You come across a web security site that recommends inputting the following code into a search field on web pages to check for vulnerabilities: When you type this and click on search, you receive a pop-up window that says: "This is a test."

What is the result of this test?

A. Your website is vulnerable to CSS
B. Your website is not vulnerable
C. Your website is vulnerable to SQL injection
D. Your website is vulnerable to web bugs

Question # 65

What TCP/UDP port does the toolkit program netstat use?

A. Port 7
B. Port 15
C. Port 23
D. Port 69

Question # 66

You are the network administrator for a small bank in Dallas, Texas. To ensure network security, you enact a security policy that requires all users to have 14-character passwords. After giving your users 2 weeks' notice, you change the Group Policy to force 14-character passwords. A week later you dump the SAM database from the standalone server and run a password-cracking tool against it. Over 99% of the passwords are broken within an hour. Why were these passwords cracked so quickly?

A. Passwords of 14 characters or less are broken up into two 7-character hashes
B. A password Group Policy change takes at least 3 weeks to completely replicate throughout a network
C. Networks using Active Directory never use SAM databases so the SAM database pulled was empty
D. The passwords that were cracked are local accounts on the Domain Controller

Question # 67

You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?

A. allinurl:"exchange/logon.asp"
B. intitle:"exchange server"
C. locate:"logon page"
D. outlook:"search"

Question # 68

Volatile memory is one of the leading problems for forensics. Worms such as Code Red are memory resident and do not write themselves to the hard drive; if you turn the system off, they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?

A. Use VMware to be able to capture the data in memory and examine it
B. Give the Operating System a minimal amount of memory, forcing it to use a swap file
C. Create a separate partition of several hundred megabytes and place the swap file there
D. Use intrusion forensic techniques to study memory resident infections

Question # 69

You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation.

Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?

A. All forms should be placed in an approved secure container because they are now primary evidence in the case.
B. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.
C. The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file.
D. All forms should be placed in the report file because they are now primary evidence in the case.

Question # 70

Which of the following should a computer forensics lab used for investigations have?

A. isolation
B. restricted access
C. open access
D. an entry log

Question # 71

Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?

A. Only an HTTPS session can be hijacked
B. HTTP protocol does not maintain session
C. Only FTP traffic can be hijacked
D. Only DNS traffic can be hijacked

Question # 72

Jason is the security administrator of ACMA metal Corporation. One day he notices the company's Oracle database server has been compromised and the customer information along with financial data has been stolen. The financial loss will be in millions of dollars if the database gets into the hands of the competitors. Jason wants to report this crime to the law enforcement agencies immediately.

Which organization coordinates computer crimes investigations throughout the United States?

A. Internet Fraud Complaint Center
B. Local or national office of the U.S. Secret Service
C. National Infrastructure Protection Center
D. CERT Coordination Center

Question # 73

When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the:

A. Recycle Bin
B. MSDOS.sys
C. BIOS
D. Case files

Question # 74

Corporate investigations are typically easier than public investigations because:

A. the users have standard corporate equipment and software
B. the investigator does not have to get a warrant
C. the investigator has to get a warrant
D. the users can load whatever they want on their machines

Question # 75

John and Hillary work in the same department in the company. John wants to find out Hillary's network password so he can take a look at her documents on the file server. He puts the L0phtCrack program into sniffing mode. John sends Hillary an email with a link to Error! Reference source not found. What information will he be able to gather from this?

A. Hillary's network username and password hash
B. The SID of Hillary's network account
C. The SAM file from Hillary's computer
D. The network shares that Hillary has permissions to

Question # 76

An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet.

A. logical
B. anti-magnetic
C. magnetic
D. optical

Question # 77

If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector investigation and should be referred to law enforcement.

A. true
B. false

Question # 78

In Linux, what is the smallest possible shellcode?

A. 24 bytes
B. 8 bytes
C. 800 bytes
D. 80 bytes

Question # 79

Bill is the accounting manager for Grummon and Sons LLC in Chicago. On a regular basis, he needs to send PDF documents containing sensitive information through E-mail to his customers.

Bill protects the PDF documents with a password and sends them to their intended recipients.

Why do PDF passwords not offer maximum protection?

A. PDF passwords can easily be cracked by software brute force tools
B. PDF passwords are converted to clear text when sent through E-mail
C. PDF passwords are not considered safe by Sarbanes-Oxley
D. When sent through E-mail, PDF passwords are stripped from the document completely

Question # 80

Michael works for Kimball Construction Company as a senior security analyst. As part of the yearly security audit, Michael scans his network for vulnerabilities. Using Nmap, Michael conducts an XMAS scan and most of the ports scanned do not give a response. In what state are these ports?

A. Closed
B. Open
C. Stealth
D. Filtered

Question # 81

It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner.

A. by law, three
B. quite a few
C. only one
D. at least two

Question # 82

Areal density refers to:

A. the amount of data per disk
B. the amount of data per partition
C. the amount of data per square inch
D. the amount of data per platter

Question # 83

You are assisting in the investigation of a possible Web Server Hack. The company that called you stated that customers reported to them that whenever they entered the web address of the company in their browser, what they received was a pornographic web site. The company checked the web server and nothing appears wrong. When you type in the IP address of the web site in your browser everything appears normal. What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those servers directing users to the wrong web site?

A. ARP Poisoning
B. DNS Poisoning
C. HTTP redirect attack
D. IP Spoofing

Question # 84

You have compromised a lower-level administrator account on an Active Directory network of a small company in Dallas, Texas. You discover Domain Controllers through enumeration. You connect to one of the Domain Controllers on port 389 using ldp.exe. What are you trying to accomplish here?

A. Poison the DNS records with false records
B. Enumerate MX and A records from DNS
C. Establish a remote connection to the Domain Controller
D. Enumerate domain user accounts and built-in groups

Question # 85

The police believe that Melvin Matthew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers and Educational Institutions. They also suspect that he has been stealing, copying and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspect's door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant?

A. The Fourth Amendment
B. The USA PATRIOT Act
C. The Good Samaritan Laws
D. The Federal Rules of Evidence

Question # 86

What will the following URL produce in an unpatched IIS Web Server?

http://www.thetargetsite.com/scripts/..%c0%af../..%c0%af../windows/system32/cmd.exe?/c+dir+c:\

A. Directory listing of C: drive on the web server
B. Insert a Trojan horse into the C: drive of the web server
C. Execute a buffer overflow in the C: drive of the web server
D. Directory listing of the C:\windows\system32 folder on the web server

Question # 87

Which of the following file systems is used by Mac OS X?

A. EFS
B. HFS+
C. EXT2
D. NFS

Question # 88

The rule of thumb when shutting down a system is to pull the power plug. However, it has certain drawbacks. Which of the following would that be?

A. Any data not yet flushed to the system will be lost
B. All running processes will be lost
C. The /tmp directory will be flushed
D. Power interruption will corrupt the pagefile