In Microsoft file structures, sectors are grouped together to form:
What is the slave device connected to the secondary IDE controller on a Linux OS referred to?
Which of the following Registry components include offsets to other cells as well as the LastWrite time for the key?
You are assisting in the investigation of a possible Web Server Hack. The company who called you stated that customers reported to them that whenever they entered the web address of the company in their browser, what they received was a porno graphic web site. The company checked the web server and nothing appears wrong. When you type in the IP address of the web site in your browser everything appears normal. What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those servers directing users to the wrong web site?
Why is it still possible to recover files that have been emptied from the Recycle Bin on a Windows computer?
Using Internet logging software to investigate a case of malicious use of computers, the investigator comes across some entries that appear odd.
From the log, the investigator can see where the person in question went on the Internet. From the log, it appears that the user was manually typing in different user ID numbers. What technique this user was trying?
Before performing a logical or physical search of a drive in Encase, what must be added to the program?
You have been given the task to investigate web attacks on a Windows-based server. Which of the following commands will you use to look at the sessions the machine has opened with other systems?
Smith, a forensic examiner, was analyzing a hard disk image to find and acquire deleted sensitive files. He stumbled upon a $Recycle.Bin folder in the root directory of the disk. Identify the operating system in use.
The following is a log file screenshot from a default installation of IIS 6.0.
What time standard is used by IIS as seen in the screenshot?
How will you categorize a cybercrime that took place within a CSPâ€™s cloud environment?
Stephen is checking an image using Compare Files by The Wizard, and he sees the file signature is shown as FF D8 FF E1. What is the file type of the image?
What type of attack sends spoofed UDP packets (instead of ping packets) with a fake source address to the IP broadcast address of a large network?
Which of the following tasks DOES NOT come under the investigation phase of a cybercrime forensics investigation case?
Linux operating system has two types of typical bootloaders namely LILO (Linux Loader) and GRUB (Grand Unified Bootloader). In which stage of the booting process do the bootloaders become active?
Which MySQL log file contains information on server start and stop?
Which of the following attacks allows an attacker to access restricted directories, including application source code, configuration and critical system files, and to execute commands outside of the web serverâ€™s root directory?
Which among the following files provides email header information in the Microsoft Exchange server?
What feature of Windows is the following command trying to utilize?
Which of the following commands shows you the names of all open shared files on a server and the number of file locks on each file?
What method of copying should always be performed first before carrying out an investigation?
What must be obtained before an investigation is carried out at a location?
To check for POP3 traffic using Ethereal, what port should an investigator search by?
Which of the following tool creates a bit-by-bit image of an evidence media?
What will the following command accomplish?
dd if=/dev/xxx of=mbr.backup bs=512 count=1
When a router receives an update for its routing table, what is the metric value change to that path?
When carrying out a forensics investigation, why should you never delete a partition on a dynamic disk?
Smith, a network administrator with a large MNC, was the first to arrive at a suspected crime scene involving criminal use of compromised computers. What should be his first response while maintaining the integrity of evidence?
Which of the following web browser uses the Extensible Storage Engine (ESE) database format to store browsing records, including history, cache, and cookies?
What is the role of Alloc.c in Apache core?
An investigator has extracted the device descriptor for a 1GB thumb drive that looks like: Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15. What does the â€œGeek_Squadâ€ part represent?
What do you call the process of studying the changes that have taken place across a system or a machine after a series of actions or incidents?
Steve, a forensic investigator, was asked to investigate an email incident in his organization. The organization has Microsoft Exchange Server deployed for email communications. Which among the following files will Steve check to analyze message headers, message text, and standard attachments?
Which program uses different techniques to conceal a malware's code, thereby making it difficult for security mechanisms to detect or remove it?
Analyze the hex representation of mysql-bin.000013 file in the screenshot below. Which of the following will be an inference from this analysis?
In which of these attacks will a steganalyst use a random message to generate a stego-object by using some steganography tool, to find the steganography algorithm used to hide the information?
Which of the following is NOT an anti-forensics technique?
Amber, a black hat hacker, has embedded malware into a small enticing advertisement and posted it on a popular ad-network that displays across various websites. What is she doing?
Which of the following is a non-zero data that an application allocates on a hard disk cluster in systems running on Windows OS?
Identify the file system that uses $BitMap file to keep track of all used and unused clusters on a volume.
Select the tool appropriate for examining the dynamically linked libraries of an application or malware.
In Linux OS, different log files hold different information, which help the investigators to analyze various issues during a security incident. What information can the investigators obtain from the log file
If the partition size is 4 GB, each cluster will be 32 K. Even if a file needs only 10 K, the entire 32 K will be allocated, resulting in 22 K of ________.
Select the data that a virtual memory would store in a Windows-based system.
Which of the following statements is incorrect when preserving digital evidence?
What does the bytes 0x0B-0x53 represent in the boot sector of NTFS volume on Windows 2000?
The given image displays information about date and time of installation of the OS along with service packs, patches, and sub-directories. What command or tool did the investigator use to view this output?
A companyâ€™s policy requires employees to perform file transfers using protocols which encrypt traffic. You suspect some employees are still performing file transfers using unencrypted protocols because the employees donâ€™t like changes. You have positioned a network sniffer to capture traffic from the laptops used by employees in the data ingest department. Using Wireshark to examine the captured traffic, which command can be used as a display filter to find unencrypted file transfers?
Which of the following does Microsoft Exchange E-mail Server use for collaboration of various e-mail applications?
An investigator has acquired packed software and needed to analyze it for the presence of malice. Which of the following tools can help in finding the packaging software used?
MAC filtering is a security access control methodology, where a ___________ is assigned to each network card to determine access to the network.
Which of the following Android libraries are used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen?
Which list contains the most recent actions performed by a Windows User?
Which of these Windows utility help you to repair logical file system errors?
What is an investigator looking for in the rp.log file stored in a system running on Windows 10 operating system?
The Recycle Bin exists as a metaphor for throwing files away, but it also allows a user to retrieve and restore files. Once the file is moved to the recycle bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle Bin?
You need to deploy a new web-based software package for your organization. The package requires three separate servers and needs to be available on the Internet. What is the recommended architecture in terms of server placement?
Self-Monitoring, Analysis, and Reporting Technology (SMART) is built into the hard drives to monitor and report system activity. Which of the following is included in the report generated by SMART?
E-mail logs contain which of the following information to help you in your investigation? (Choose four.)
It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner?
The objective of this act was to protect consumersâ€™ personal financial information held by financial institutions and their service providers.
What does the acronym POST mean as it relates to a PC?
To preserve digital evidence, an investigator should ____________________.
What type of attack occurs when an attacker can force a router to stop forwarding packets by flooding the router with many open connections simultaneously so that all the hosts behind the router are effectively disabled?
The following excerpt is taken from a honeypot log. The log captures activities across three days.
There are several intrusion attempts; however, a few are successful.
(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)
Apr 24 14:46:46 : spp_portscan: portscan detected from 18.104.22.168
Apr 24 14:46:46 : IDS27/FIN Scan: 22.214.171.124:56693 -> 172.16.1.107:482
Apr 24 18:01:05 : IDS/DNS-version-query: 126.96.36.199:3485 -> 172.16.1.107:53
Apr 24 19:04:01 : IDS213/ftp-passwd-retrieval: 188.8.131.52:1425 -> 172.16.1.107:21
Apr 25 08:02:41 : spp_portscan: PORTSCAN DETECTED from 184.108.40.206
Apr 25 02:08:07 : IDS277/DNS-version-query: 220.127.116.11:4499 -> 172.16.1.107:53
Apr 25 02:08:07 : IDS277/DNS-version-query: 18.104.22.168:4630 -> 172.16.1.101:53
Apr 25 02:38:17 : IDS/RPC-rpcinfo-query: 22.214.171.124:642 -> 172.16.1.107:111
Apr 25 19:37:32 : IDS230/web-cgi-space-wildcard: 126.96.36.199:4221 -> 172.16.1.107:80
Apr 26 05:45:12 : IDS212/dns-zone-transfer: 188.8.131.52:2291 -> 172.16.1.101:53
Apr 26 06:43:05 : IDS181/nops-x86: 184.108.40.206:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 : IDS175/socks-probe: 220.127.116.11:20 -> 172.16.1.107:1080
Apr 26 06:52:10 : IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 18.104.22.168:4558
From the options given below choose the one which best interprets the following entry:
Apr 26 06:43:05 : IDS181/nops-x86: 22.214.171.124:1351 -> 172.16.1.107:53
An Employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the Employees Computer that was protected with the NTFS Encrypted File System (EFS) and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the Employee before he leaves the building and recover the floppy disks and secure his computer. Will you be able to break the encryption so that you can verify that that the employee was in possession of the proprietary information?
This organization maintains a database of hash signatures for known software.
Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area, records the scene using visual media. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events?
When searching through file headers for picture file formats, what should be searched to find a JPEG file in hexadecimal format?
Why would a company issue a dongle with the software they sell?
Which US law does the interstate or international transportation and receiving of child pornography fall under?
Ivanovich, a forensics investigator, is trying to extract complete information about running processes from a system. Where should he look apart from the RAM and virtual memory?
You are a security analyst performing a penetration tests for a company in the Midwest. After some initial reconnaissance, you discover the IP addresses of some Cisco routers used by the company. You type in the following URL that includes the IP address of one of the routers:
After typing in this URL, you are presented with the entire configuration file for that router. What have you discovered?
Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool?
The use of warning banners helps a company avoid litigation by overcoming an employee assumed __________________________. When connecting to the company's intranet, network or Virtual Private Network(VPN) and will allow the company's investigators to monitor, search and retrieve information stored within the network.
You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?
Kimberly is studying to be an IT security analyst at a vocational school in her town. The school offers many different programming as well as networking languages. What networking protocol language should she learn that routers utilize?
In Linux, what is the smallest possible shellcode?
One way to identify the presence of hidden partitions on a suspect's hard drive is to:
Which of the following should a computer forensics lab used for investigations have?
Frank is working on a vulnerability assessment for a company on the West coast. The company hired Frank to assess its network security through scanning, pen tests, and vulnerability assessments. After discovering numerous known vulnerabilities detected by a temporary IDS he set up, he notices a number of items that show up as unknown but Questionable in the logs. He looks up the behavior on the Internet, but cannot find anything related. What organization should Frank submit the log to find out if it is a new vulnerability or not?
What is kept in the following directory? HKLM\SECURITY\Policy\Secrets
Terri works for a security consulting firm that is currently performing a penetration test on First National Bank in Tokyo. Terri's duties include bypassing firewalls and switches to gain access to the network. Terri sends an IP packet to one of the company's switches with ACK bit and the source address of her machine set. What is Terri trying to accomplish by sending this IP packet?
Why is it a good idea to perform a penetration test from the inside?
You are working as a Computer forensics investigator for a corporation on a computer abuse case. You discover evidence that shows the subject of your investigation is also embezzling money from the company. The company CEO and the corporate legal counsel advise you to contact law enforcement and provide them with the evidence that you have found. The law enforcement officer that responds requests that you put a network sniffer on your network and monitor all traffic to the subjectâ€™s computer. You inform the officer that you will not be able to comply with that request because doing so would: