
CHFI

Title of test:
CHFI

Description:
Computer forensic

Creation Date: 2025/04/27

Category: Others

Number of questions: 202

Content:

After a major data breach in a financial institution, a forensic investigator is brought in to determine the source and the extent of the breach. The investigator needs to ensure compliance with the legal standards in their investigations. During the investigation, they stumble upon non-public personal information of consumers stored by the institution and suspect this information was illegally shared with non-affiliated third parties. Which law/regulation should be the investigator's primary concern in this scenario?
- Health Insurance Portability and Accountability Act of 1996.
- Federal Information Security Modernization Act of 2014.
- General Data Protection Regulation.
- Gramm-Leach-Bliley Act.

A CHFI expert creates a forensics image of a pen drive using AccessData FTK Imager during a computer forensics investigation. The investigator uses The Sleuth Kit (TSK) to examine an ext4 file system on a Linux disk image and suspects data tampering. The expert decides to verify inode metadata for a critical file. However, he notes an unexpected block allocation in the inode details. Which TSK command-line tool and argument should the investigator utilize to examine the addresses of all allocated disk units for the suspicious inode?
- fsstat -f ext4.
- img_stat -i raw.
- fls -o imgoffset.
- istat -B num.

A cybersecurity forensics investigator is tasked with acquiring data from a suspect's drive for a civil litigation case. The suspect drive is 1TB, and due to time constraints, the investigator decides to prioritize and acquire only data of evidentiary value. The original drive cannot be retained. In this context, which of the following steps should the investigator prioritize?
- Opt for disk-to-image copying for the large suspect drive.
- Execute logical acquisition considering the one-time opportunity to capture data.
- Utilize DriveSpace or DoubleSpace to reduce the data size.
- Use a reliable data acquisition tool to make a copy of the original drive.

Jane is a forensic investigator at a top cybersecurity firm. While analyzing a suspect's computer for evidence related to a potential data breach, she came across a log file that appeared to have been tampered with. The timestamp of the file seems modified, and some parts of the file seem to have been deliberately deleted. What should Jane do first to ensure the preservation and authenticity of the digital evidence?
- She should try to recover the deleted parts of the log file.
- She should make a bit-stream image copy of the hard drive.
- She should continue her analysis, taking note of the tampering.
- She should immediately contact her supervisor and present the altered log file.

A security analyst identifies an influx of network traffic from an IoT HVAC system in a multinational corporation. The corporation is concerned about a possible HVAC attack. What should the security analyst prioritize to mitigate this potential threat?
- Investigate a possible BlueBorne attack on the IoT devices.
- Inspect the IoT HVAC system for backdoor access.
- Validate the IoT HVAC system for a potential DDoS attack.
- Check for signs of a Rolling Code attack on the IoT HVAC system.

An EC2 instance storing critical data of a company got infected with malware. The forensics team took the EBS volume snapshot of the affected instance to perform further analysis and collected other data of evidentiary value. What should be their next step?
- They should terminate all instances connected via the same VPC.
- They should pause the running instance.
- They should keep the instance running as it stores critical data.
- They should terminate the instance after taking necessary backup.

Mark works for a government agency as a cyber-forensic investigator. He has been given the task of restoring data from a hard drive. The partition of the hard drive was deleted by a disgruntled employee in order to hide their nefarious actions. What tool should Mark use to restore the data?
- R-Studio.
- EFSDump.
- Diskview.
- Diskmon.

Steve received a mail that seemed to have come from her bank. The mail has instructions for Steve to click on a link and provide information to avoid the suspension of her account. The link in the mail redirected her to a form asking for details such as name, phone number, date of birth, credit card number or PIN, CVV code, SSNs, and email address. On a closer look, Steve realized that the URL of the form is not the same as that of her bank's. Identify the type of external attack performed by the attacker in the above scenario.
- Espionage.
- Brute-force.
- Phishing.
- Tailgating.

Recently, an internal web app that a government agency utilizes has become unresponsive. Betty, a network engineer for the government agency, has been tasked to determine the cause of the web application's unresponsiveness. Betty launches Wireshark and begins capturing the traffic on the local network. While analyzing the results, Betty noticed that a SYN flood attack was underway. How did Betty know a SYN flood attack was occurring?
- Wireshark capture does not show anything unusual and the issue is related to the web application.
- Wireshark capture shows multiple ACK requests and SYN responses from single/multiple IP address(es).
- Wireshark capture shows multiple SYN requests and RST responses from single/multiple IP address(es).
- Wireshark capture shows multiple SYN requests and ACK responses from single/multiple IP address(es).

"To ensure that the digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement, and forensics organizations must establish and maintain an effective quality system" is a principle established by:
- SWGDE.
- EC-Council.
- NIST.
- NCIS.

Fill in the missing Master Boot Record component: 1. Master boot code, 2. Partition table, 3. ____________.
- Signature word.
- Volume boot record.
- Boot loader.
- Disk signature.

Which of the following is considered as the starting point of a database and stores user data and database objects in an MS SQL server?
- ibdata1.
- Application data files (ADF).
- Transaction log data files (LDF).
- Primary data files (MDF).

Sally accessed the computer system that holds trade secrets of the company where she is employed. She knows she accessed it without authorization and all access (authorized and unauthorized) to this computer is monitored. To cover her tracks, Sally deleted the log entries on this computer. What among the following best describes her action?
- Password sniffing.
- Brute-force attack.
- Anti-forensics.
- Network intrusion.

A breach resulted from a malware attack that evaded detection and compromised the machine memory without installing any software or accessing the hard drive. What technique did the adversaries use to deliver the attack?
- Trojan.
- JavaScript.
- Spyware.
- Fileless.

The working of the Tor browser is based on which of the following concepts?
- Onion routing.
- Static routing.
- Both static and default routing.
- Default routing.

Fred, a cybercrime investigator for the FBI, finished storing a solid-state drive in a static-resistant bag and filled out the chain of custody form. Two days later, John grabbed the solid-state drive and created a clone of it (with write blockers enabled) in order to investigate the drive. He did not document the chain of custody though. When John was finished, he put the solid-state drive back in the static-resistant bag and placed it back in the evidence locker. A day later, the court trial began and upon presenting the evidence and the supporting documents, the chief justice outright rejected them. Which of the following statements strongly supports the reason for rejecting the evidence?
- John did not document the chain of custody.
- Block clones cannot be created with solid-state drives.
- Write blockers were used while cloning the evidence.
- John investigated the clone instead of the original evidence itself.

You are an information security analyst at a large pharmaceutical company. While performing a routine review of audit logs, you have noticed a significant amount of egress traffic to various IP addresses on destination port 22 during off-peak hours. You researched some of the IP addresses and found that many of them are in Eastern Europe. What is the most likely cause of this traffic?
- The organization's primary internal DNS server has been compromised and is performing DNS zone transfers to malicious external entities.
- Data is being exfiltrated by an advanced persistent threat (APT).
- Malicious software on internal system is downloading research data from partner SFTP servers in Eastern Europe.
- Internal systems are downloading automatic Windows updates.

When investigating a system, the forensics analyst discovers that malicious scripts were injected into benign and trusted websites. The attacker used a web application to send malicious code, in the form of a browser side script, to a different end-user. What attack was performed here?
- SQL injection attack.
- Cookie poisoning attack.
- Cross-site scripting attack.
- Brute-force attack.

An investigator is checking a Cisco firewall log that reads as follows: "Aug 21 2019 09:16:44: %ASA-1-106021: Deny ICMP reverse path check from 10.0.0.44 to 10.0.0.33 on interface outside". What does %ASA-1-106021 denote?
- Type of request.
- Mnemonic message.
- Firewall action.
- Type of traffic.

Debbie has obtained a warrant to search a known pedophile's house. Debbie went to the house and executed the search warrant to seize digital devices that have been recorded as being used for downloading illicit images. She seized all digital devices except a digital camera. Why did she not collect the digital camera?
- The digital camera was not listed as one of the digital devices in the warrant.
- Debbie overlooked the digital camera because it is not a computer system.
- The digital camera was old, had a cracked screen, and did not have batteries. Therefore, it could not have been used in a crime.
- The vehicle Debbie was using to transport the evidence was already full and could not carry more items.

Malware analysis can be conducted in various manners. An investigator gathers a suspicious executable file and uploads it to VirusTotal in order to confirm whether the file is malicious, provide information about its functionality, and provide information that will allow the investigator to produce simple network signatures. What type of malware analysis was performed here?
- Hybrid.
- Static.
- Volatile.
- Dynamic.

To understand the impact of a malicious program after the booting process and to collect recent information from the disk partition, an investigator should evaluate the content of the:
- GRUB.
- UEFI.
- MBR.
- BIOS.

This law sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.
- European Anti-Spam act.
- Federal Spam act.
- The CAN-SPAM act.
- Telemarketing act.

Chloe is a forensic examiner who is currently cracking hashed passwords for a crucial mission and hopes to solve the case. She is using a lookup table used for recovering a plain text password from cipher text; it contains a word list and a brute-force list along with their computed hash values. Chloe is also using a graphical generator that supports SHA1. a. What password technique is being used? b. What tool is Chloe using?
- a. Cain & Able b. Rten.
- a. Rainbow Tables b. Winrtgen.
- a. Dictionary attack b. Cisco PIX.
- a. Brute-force b. MScache.

You are a forensic investigator who is analyzing a hard drive that was recently collected as evidence. You have been unsuccessful at locating any meaningful evidence within the file system and suspect a drive wiping utility may have been used. You have reviewed the keys within the software hive of the Windows registry and did not find any drive wiping utilities. How can you verify that drive wiping software was used on the hard drive?
- Check the list of installed programs.
- Look for distinct repeating patterns on the hard drive at the bit level.
- Document in your report that you suspect a drive wiping utility was used, but no evidence was found.
- Load various drive wiping utilities offline, and export previous run reports.

An investigator needs to perform data acquisition from a storage media without altering its contents to maintain the integrity of the content. The approach adopted by the investigator relies upon the capacity of enabling read-only access to the storage media. Which tool should the investigator integrate into his/her procedures to accomplish this task?
- Data duplication tool.
- BitLocker.
- Write blocker.
- Backup tool.

The information security manager at a national legal firm has received several alerts from the intrusion detection system that a known attack signature was detected against the organization's file server. What should the information security manager do first?
- Disconnect the file server from the network.
- Update the anti-virus definitions on the file server.
- Report the incident to senior management.
- Manually investigate to verify that an incident has occurred.

Which of the following directories contains the binary files or executables required for system maintenance and administrative tasks on a Linux system?
- /lib.
- /bin.
- /usr.
- /sbin.

Which of the following attacks refers to unintentional download of malicious software via the Internet? Here, an attacker exploits flaws in browser software to install malware merely by the user visiting the malicious website.
- Drive-by downloads.
- Phishing.
- Internet relay chats.
- Malvertising.

Storage location of Recycle Bin for NTFS file systems (Windows Vista and later) is located at:
- Drive:\RECYCLE.BIN.
- Drive:\$Recycle.Bin.
- Drive:\REYCLED.
- Drive:\RECYCLER.

Which of the following statements pertaining to First Response is true?
- First Response is neither a part of pre-investigation phase nor a part of investigation phase. It only involves attending to a crime scene first and taking measures that assist forensic investigators in executing their tasks in the investigation phase more efficiently.
- First Response is a part of the post-investigation phase.
- First Response is a part of the investigation phase.
- First Response is a part of the pre-investigation phase.

You are the incident response manager at a regional bank. While performing routine auditing of web application logs, you find several attempted login submissions that contain the following strings: <SCRIPT type="text/javascript"> var adr = '../evil.php?cakemonster=' + escape(document.cookie); </SCRIPT> What kind of attack has occurred?
- Cross-site scripting.
- Cross-site request forgery.
- Buffer overflow.
- SQL injection.

A cybercriminal is attempting to remove evidence from a Windows computer. He deletes the file evidence1.doc, sending it to Windows Recycle Bin. The cybercriminal then empties the Recycle Bin. After having been removed from the Recycle Bin, what will happen to the data?
- The data will remain in its original clusters until it is overwritten.
- The data will be overwritten with zeroes.
- The data will be moved to new clusters in unallocated space.
- The data will become corrupted, making it unrecoverable.

Which set of anti-forensic tools/techniques allows a program to compress and/or encrypt an executable file to hide attack tools from being detected by reverse-engineering or scanning?
- Emulators.
- Botnets.
- Password crackers.
- Packers.

Consider a scenario where a forensic investigator is performing malware analysis on a memory dump acquired from a victim's computer. The investigator uses Volatility Framework to analyze RAM contents. Which plugin helps the investigator identify hidden processes or injected code/DLLs in the memory dump?
- malfind.
- pslist.
- mallist.
- malscan.

An investigator wants to extract passwords from SAM and System Files. Which tool can the investigator use to obtain a list of users, passwords, and their hashes in this case?
- Nuix.
- FileMerlin.
- PWdump7.
- HashKey.

A forensic analyst has been tasked with investigating unusual network activity inside a retail company's network. Employees complain of not being able to access services, frequent rebooting, and anomalies in log files. The investigator requested log files from the IT administrator and after carefully reviewing them, he finds the following log entry: What type of attack was performed on the company's web application?
- Directory transversal.
- Unvalidated input.
- SQL injection.
- Log tampering.

Choose the layer in iOS architecture that provides frameworks for iOS app development.
- Core OS.
- Core services.
- Media services.
- Cocoa Touch.

Robert needs to copy an OS disk snapshot of a compromised VM to a storage account in a different region for further investigation. Which of the following should he use in this scenario?
- Azure Active Directory.
- Azure Portal.
- Azure CLI.
- Azure Monitor.

James, a forensics specialist, was tasked with investigating a Windows XP machine that was used for malicious online activities. During the investigation, he recovered certain deleted files from the Recycle Bin to identify attack clues. Identify the location of the Recycle Bin in a Windows XP system.
- local/share/Trash.
- Drive:\RECYCLER\.
- Drive:\RECYCLED.
- Drive:\$Recycle.Bin\.

Data density of a disk drive is calculated by using _________.
- Track density, areal density, and bit density.
- Track space, bit area, and slack space.
- Slack space, bit density, and slack density.
- Track density, areal density, and slack density.

In which IoT attack does the attacker use multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks?
- Blueborne attack.
- Replay attack.
- Sybil attack.
- Jamming attack.

In Java, when multiple applications are launched, multiple Dalvik Virtual Machine instances occur that consume memory and time. To avoid that, Android implements a process that enables low memory consumption and quick start-up time. What is the process called?
- Init.
- Zygote.
- Daemon.
- Media server.

According to RFC 3227, which of the following is considered as the most volatile item on a typical system?
- Archival media.
- Temporary system files.
- Kernel statistics and memory.
- Registers and cache.

Which of the following forensic tools allows an investigator to detect and extract hidden streams on an NTFS drive?
- Autopsy.
- TimeStomp.
- analyzeMFT.
- Stream Detector.

Which of the following methods of mobile device data acquisition captures all the data present on the device, as well as all deleted data and access to unallocated space?
- Direct acquisition.
- Physical acquisition.
- Logical acquisition.
- Manual acquisition.

Which of the following applications will allow a forensic investigator to track the user login sessions and user transactions that have occurred on an MS SQL Server?
- Event Log Explorer.
- ApexSQL Audit.
- Notepad++.
- netcat.

Which of the following Windows event logs records events related to device drivers and hardware changes?
- Application log.
- Security log.
- Forwarded events log.
- System log.

Frank, a cloud administrator in his company, needs to take a backup of the OS disks of two Azure VMs that store business-critical data. Which type of Azure blob storage can he use for this purpose?
- Append blob.
- Medium blob.
- Block blob.
- Page blob.

During an investigation, Noel found a SIM card from the suspect's mobile. The ICCID on the card is 8944245252001451548. What do the first four digits (89 and 44) in the ICCID represent?
- TAC and industry identifier.
- Industry identifier and country code.
- Country code and industry identifier.
- Issuer identifier number and TAC.

An investigator seized a notebook device installed with a Microsoft Windows OS. Which type of files would support an investigation of the data size and structure in the device?
- APFS and HFS.
- Ext2 and Ext4.
- HFS and GNUC.
- NTFS and FAT.

_____________ allows a forensic investigator to identify the missing links during investigation.
- Chain of custody.
- Exhibit numbering.
- Evidence preservation.
- Evidence reconstruction.

Brian has the job of analyzing malware for a software security company. Brian has set up a virtual environment that includes virtual machines running various versions of OSes. Additionally, Brian has set up separated virtual networks within this environment. The virtual environment does not connect to the company's intranet nor does it connect to the external Internet. With everything set up, Brian now received an executable file from a client that has undergone a cyberattack. Brian ran the executable file in the virtual environment to see what it would do. What type of analysis did Brian perform?
- Status malware analysis.
- Static OS analysis.
- Static malware analysis.
- Dynamic malware analysis.

ISO/IEC 17025 is an accreditation for which of the following:
- CHFI issuing agency.
- Chain of custody.
- Encryption.
- Forensics lab licensing.

Jeff is a forensics investigator for a government agency's cyber security office. Jeff is tasked with acquiring a memory dump of a Windows 10 computer that was involved in a DDoS attack on the government agency's web application. Jeff is onsite to collect the memory. What tool could Jeff use?
- Memcheck.
- RAMMapper.
- Autopsy.
- Volatility.

A computer forensics investigator or forensic analyst is a specially trained professional who works with law enforcement as well as private businesses to retrieve information from computers and other types of data storage devices. For this, the analyst should have an excellent working knowledge of all aspects of the computer. Which of the following is not a duty of the analyst during a criminal investigation?
- To recover data from suspect devices.
- To fill the chain of custody.
- To create an investigation report.
- To enforce the security of all devices and software in the scene.

Adam is thinking of establishing a hospital in the US and approaches John, a software developer, to build a site and host it for him on one of the servers, which would be used to store patient health records. He has learned from his legal advisors that he needs to have the server's log data reviewed and managed according to certain standards and regulations. Which of the following regulations are the legal advisors referring to?
- Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- Payment Card Industry Data Security Standard (PCI DSS).
- Data Protection Act of 2018.
- Electronic Communications Privacy Act.

A clothing company has recently deployed a website on its latest product line to increase its conversion rate and base of customers. Andrew, the network administrator recently appointed by the company, has been assigned the task of protecting the website from intrusion and vulnerabilities. Which of the following tools should Andrew consider deploying in this scenario?
- Kon-Boot.
- Recuva.
- CryptaPix.
- ModSecurity.

Place the following in order of volatility from most volatile to the least volatile.
- Archival media, temporary file systems, disk storage, archival media, register and cache.
- Register and cache, temporary file systems, routing tables, disk storage, archival media.
- Registers and cache, routing tables, temporary file systems, disk storage, archival media.
- Registers and cache, routing tables, temporary file systems, archival media, disk storage.

In forensics ____________ are used to view stored or deleted data from both files and disk sectors.
- Hex editors.
- SIEM tools.
- Hash algorithms.
- Host interfaces.

What command-line tool enables a forensic investigator to establish communication between an Android device and a forensic workstation in order to perform data acquisition from the device?
- SDK Manager.
- Android Debug Bridge.
- Xcode.
- APK Analyzer.

When installed on a Windows machine, which port does the Tor browser use to establish a network connection via Tor nodes?
- 49664/49665.
- 49667/49668.
- 9150/9151.
- 7680.

Which of the following statements is true with respect to SSDs (solid-state drives)?
- Like HDDs, SSDs also have moving parts.
- SSDs contain tracks, clusters, and sectors to store data.
- Faster data access, lower power usage, and higher reliability are some of the major advantages of SSDs over HDDs.
- SSDs cannot store non-volatile data.

Web browsers can store relevant information from user activities. Forensic investigators may retrieve files, lists, access history, cookies, among other digital footprints. Which tool can contribute to this task?
- MZCacheView.
- Google Chrome Recovery Utility.
- Task Manager.
- Most Recently Used (MRU) list.

Simona has written a regular expression for the detection of a web application-specific attack attempt that reads as /((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix. Which of the following does the part ((\%3E)|>) look for?
- Forward slash for a closing tag or its hex equivalent.
- Alphanumeric string or its hex equivalent.
- Closing angle bracket or its hex equivalent.
- Opening angle bracket or its hex equivalent.

Which among the following acts has been passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations?
- Gramm-Leach-Bliley act.
- Federal Information Security Management act of 2002.
- Health Insurance Probability and Accountability act of 1996.
- Sarbanes-Oxley act of 2002.

Jack is reviewing file headers to verify the file format and hopefully find more information about the file. After a careful review of the data chunks through a hex editor, Jack finds the binary value 0xffd8ff. Based on the above information, what type of format is the file/image saved as?
- BMP.
- ASCII.
- JPEG.
- GIF.

This is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted. Which among the following is suitable for the above statement?
- Rule 1001.
- Testimony by the accused.
- Hearsay rule.
- Limited admissibility.

Jacob, a cybercrime investigator, joined a forensics team to participate in a criminal case involving digital evidence. After the investigator collected all the evidence and presented it to the court, the judge dropped the case and the defense attorney pressed charges against Jacob and the rest of the forensics team for unlawful search and seizure. What forensics privacy issue was not addressed prior to collecting the evidence?
- Compliance with the Third Amendment of the U.S. Constitution.
- None of these.
- Compliance with the Second Amendment of the U.S. Constitution.
- Compliance with the Fourth Amendment of the U.S. Constitution.

Which of the following is the most effective tool for acquiring volatile data from a Windows-based system?
- Helix.
- Datagrab.
- Coreography.
- Ethereal.

Rule 1002 of Federal Rules of Evidence (US) talks about ______________.
- Admissibility of duplicates.
- Admissibility of original.
- Admissibility of other evidence of contents.
- Requirement of original.

An investigator is examining a file to identify any potentially malicious content. To avoid code execution and still be able to uncover hidden indicators of compromise (IOC), which type of examination should the investigator perform?
- Dynamic analysis.
- Threat hunting.
- Threat analysis.
- Static analysis.

Edgar is part of the FBI's forensic media and malware analysis team; he is analyzing a current malware and is conducting a thorough examination of the suspect system, network, and other connected devices. Edgar's approach is to execute the malware code to know how it interacts with the host system and its impacts on it. He is also using a virtual machine and a sandbox environment. What type of malware analysis is Edgar performing?
- VirusTotal analysis.
- Static analysis.
- Malware disassembly.
- Dynamic malware analysis/behavioral analysis.

Maria has executed a suspicious executable file in a controlled environment and wants to see if the file adds/modifies any registry value after execution via Windows Event Viewer. Which of the following event IDs should she look for in this scenario?
- Event ID 4657.
- Event ID 4688.
- Event ID 7040.
- Event ID 4624.

Harry has collected a suspicious executable file from an infected system and seeks to reverse its machine code to instructions written in assembly language. Which tool should he use for this purpose?
- HashCalc.
- Ollydbg.
- BinText.
- oledump.

Consider a scenario where the perpetrator of a dark web crime has uninstalled Tor browser from their computer after committing the crime. The computer has been seized by law enforcement so they can investigate it for artifacts of Tor browser usage. Which of the following should the investigators examine to establish the use of Tor browser on the suspect machine?
- Swap files.
- Security logs.
- Files in Recycle Bin.
- Prefetch files.

What is the extension used by Windows OS for shortcut files present on the machine?
- .lnk.
- .dat.
- .log.
- .pf.

During an investigation, the first responders stored mobile devices in specific containers to provide network isolation. All the following are examples of such pieces of equipment, except for:
- Faraday bag.
- VirtualBox.
- Wireless StrongHold bag.
- RF shield box.

For the purpose of preserving the evidentiary chain of custody, which of the following labels is not appropriate?
- SSN of the person collecting the evidence.
- Exact location the evidence was collected from.
- Relevant circumstances surrounding the collection.
- General description of the evidence.

Cloud forensic investigations impose challenges related to multi-jurisdiction and multi-tenancy aspects. To have a better understanding of the roles and responsibilities between the cloud service provider (CSP) and the client, which document should the forensic investigator review?
- National and local regulation.
- Service level agreement.
- Key performance indicator.
- Service level management.

"No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court" - this principle is advocated by which of the following?
- FBI Cyber Division.
- Scientific Working Group on Imaging Technology (SWGIT).
- The Association of Chief Police Officers (ACPO) Principles of Digital Evidence.
- Locard's exchange principle.

Which of the following tools will allow a forensic investigator to acquire the memory dump of a suspect machine so that it may be investigated on a forensic workstation to collect evidentiary data like processes and Tor browser artifacts?
- DB Browser SQLite.
- Belkasoft Live RAM Capturer and AccessData FTK Imager.
- Bulk Extractor.
- Hex Editor.

Which layer in the IoT architecture is comprised of hardware parts such as sensors, RFID tags, and devices that play an important role in data collection?
- Access gateway layer.
- Application layer.
- Edge technology layer.
- Middleware layer.

A file requires 10 KB space to be saved on a hard disk partition. An entire cluster of 32 KB has been allocated for this file. The remaining, unused space of 22 KB on this cluster will be identified as ____________.
- Swap space.
- Cluster space.
- Slack space.
- Sector space.

What happens to the header of the file once it is deleted from the Windows OS file systems?
- The OS replaces the entire hex byte coding of the file.
- The hex byte coding of the file remains the same, but the file location differs.
- The OS replaces the second letter of a deleted file name with a hex byte code: Eh5.
- The OS replaces the first letter of a deleted file name with a hex byte code: E5h.

When analyzing logs, it is important that the clocks of all the network devices are synchronized. Which protocol will help in synchronizing these clocks?
- UTC.
- PTP.
- UCT.
- NTP.

Derrick, a forensic specialist, was investigating an active computer that was executing various processes. Derrick wanted to check whether this system was used in an incident that occurred earlier. He started inspecting and gathering the contents of RAM, cache, and DLLs to identify incident signatures. Identify the data acquisition method employed by Derrick in the above scenario.
- Dead data acquisition.
- Non-volatile data acquisition.
- Static data acquisition.
- Live data acquisition.

During a forensic investigation, a large number of files were collected. The investigator needs to evaluate ownership and accountability of those files. Therefore, he begins to identify attributes such as "author name," "organization name," "network name," or any additional supporting data that is meant for the owner's identification purpose. Which term describes these attributes?. Metadata. Metabase. Data index. Data header.

Before accessing digital evidence from victims, witnesses, or suspects, on their electronic devices, what should the investigator do first to respect legal privacy requirements?. Protect the device against external communication. Remove the battery or turn-off the device. Notify the fact to the local authority or employer. Obtain a formal written consent to search.

Matthew has been assigned the task of analyzing a suspicious MS Office document via static analysis over an Ubuntu-based forensic machine. He wants to see what type of document it is, whether it is encrypted, or contains any flash objects/VBA macros. Which of the following python-based script should he run to get relevant information?. oleid.py. oleform.py. oledir.py. pdfid.py.

On NTFS file system, which of the following tools can a forensic investigator use in order to identify timestomping of evidence files?. Exiv2. analyzeMFT. Timestomp. wbStego.

"In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to explain his/her actions and the impact of those actions on the evidence, in the court." Which ACPO principle states this?. Principle 1. Principle 2. Principle 3. Principle 4.

A call detail record (CDR) provides metadata about calls made over a phone service. Which of the following data fields is not contained in a CDR?. A unique sequence number identifying the record. The call duration. Phone number receiving the call. The language of the call.

Which "Standards and Criteria" under SWGDE states that "the agency must use hardware and software that are appropriate and effective for the seizure or examination procedure"?. Standards and Criteria 1.4. Standards and Criteria 1.5. Standards and Criteria 1.6. Standards and Criteria 1.7.

Identify the location of Recycle Bin on a Windows 7 machine that uses NTFS file system to store and retrieve files on the hard disk. Drive:\RECYCLER. Drive:\RECYCLED. Drive:\$Recycle.Bin. C:\RECYCLED.

Donald made an OS disk snapshot of a compromised Azure VM under a resource group being used by the affected company as a part of forensic analysis process. He then created a vhd file out of the snapshot and stored it in a file share and as a page blob as backup in a storage account under different region. What is the next thing he should do as a security measure?. Delete the OS disk of the affected VM altogether. Delete the snapshot from the source resource group. Recommend changing the access policies followed by the company. Create another VM by using the snapshot.

Which of the following is a requirement for senders as per the CAN-SPAM act?. Emails must not contain information regarding how to stop receiving emails from the sender in future. Senders should never share their physical postal address in the email. Senders cannot use misleading or false header information. Senders must use deceptive subject lines.

Williamson is a forensic investigator. While investigating a case of data breach at a company, he is maintaining a document that records details such as the forensic processes applied on the collected evidence, particulars of people handling it, the dates and times when it is being handled, and the place of storage of the evidence. What do you call this document?. Authorization form. Consent form. Chain of custody. Log book.

Which Federal Rule of Evidence speaks about the Hearsay exception where the availability of the declarant is immaterial and certain characteristics of the declarant such as present sense impression, excited utterance, and recorded recollection are also observed while giving their testimony?. Rule 801. Rule 802. Rule 803. Rule 804.

Which of the following tools is used to dump the memory of a running process, either immediately or when an error condition occurs?. CacheInf. FATKit. Belkasoft Live RAM Capturer. Coreography.

Which of the following malware targets Android mobile devices and installs a backdoor that remotely installs applications from an attacker-controlled server?. Unflod. Felix. XcodeGhost. xHelper.

Which OWASP IoT vulnerability talks about security flaws such as lack of firmware validation, lack of secure delivery, and lack of anti-rollback mechanisms on IoT devices?. Insecure default settings. Use of insecure or outdated components. Lack of secure update mechanism. Insecure data transfer and storage.

Ronald, a forensic investigator, has been hired by a financial services organization to investigate an attack on their MySQL database server, which is hosted on a Windows machine named WIN-DTRAI83202X. Ronald wants to retrieve information on the changes that have been made to the database. Which of the following files should Ronald examine for this task?. WIN-DTRAI83202X-bin.nnnnnn. WIN-DTRAI83202Xslow.log. relay-log.info. WIN-DTRAI83202Xrelay-bin.index.

Cybercriminals sometimes use compromised computers to commit other crimes, which may involve using computers or networks to spread malware or illegal information. Which type of cybercrime stops users from using a device or network, or prevents a company from providing a software service to its customers?. Malware attack. Denial-of-Service (DoS) attack. Phishing. Ransomware attack.

Assume there is a file named myfile.txt in C: drive that contains hidden data streams. Which of the following commands would you issue to display the contents of a data stream?. echo text > program:source_file. C:\>ECHO text_message > myfile.txt:stream1. C:\MORE < myfile.txt:stream1. myfile.dat:stream1.

A forensic examiner encounters a computer with a failed OS installation and the master boot record (MBR) or partition sector damaged. Which of the following tools can find and restore files and information in the disk?. NetCat. Helix. R-Studio. Wireshark.

In a Filesystem Hierarchy Standard (FHS), which of the following directories contains the binary files required for working?. /mnt. /sbin. /media. /proc.

Which tool allows dumping the contents of process memory without stopping the process?. psdump.exe. pmdump.exe. processdump.exe. pdump.exe.

Which Event Correlation approach assumes and predicts what an attacker can do next after the attack by studying statistics and probability?. Profile/Fingerprint-Based Approach. Bayesian Correlation. Time (Clock Time) or Role-Based Approach. Automated Field Correlation.

James is dealing with a case regarding a cybercrime that has taken place in Arizona, USA. James needs to lawfully seize the evidence from an electronic device without affecting the user's anonymity. Which of the following law should he comply with, before retrieving the evidence?. First Amendment of the U.S. Constitution. Fourth Amendment of the U.S. Constitution. Third Amendment of the U.S. Constitution. Fifth Amendment of the U.S. Constitution.

You are asked to build a forensic lab and your manager has specifically informed you to use copper for lining the walls, ceilings, and floor. What is the main purpose of lining the walls, ceilings, and floor with copper?. To control the room temperature. To strengthen the walls, ceilings, and floor. To avoid electromagnetic emanations. To make the lab sound proof.

James, a hacker, identifies a vulnerability in a website. To exploit the vulnerability, he visits the login page and notes down the session ID that is created. He appends this session ID to the login URL and shares the link with a victim. Once the victim logs into the website using the shared URL, James reloads the webpage (containing the URL with the session ID appended) and now, he can browse the active session of the victim. Which attack did James successfully execute?. Cross Site Request Forgery. Cookie Tampering. Parameter Tampering. Session Fixation Attack.

POP3 is an Internet protocol, which is used to retrieve emails from a mail server. Through which port does an email client connect with a POP3 server?. 110. 143. 25. 993.

In which cloud crime do attackers try to compromise the security of the cloud environment in order to steal data or inject a malware?. Cloud as an Object. Cloud as a Tool. Cloud as an Application. Cloud as a Subject.

Which U.S. law sets the rules for sending emails for commercial purposes, establishes the minimum requirements for commercial messaging, gives the recipients of emails the right to ask the senders to stop emailing them, and spells out the penalties in case the above said rules are violated?. NO-SPAM Act. American: NAVSO P-5239-26 (RLL). CAN-SPAM Act. American: DoD 5220.22-M.

While collecting Active Transaction Logs using SQL Server Management Studio, the query Select * from ::fn_dblog(NULL, NULL) displays the active portion of the transaction log file. Here, assigning NULL values implies?. Start and end points for log sequence numbers are specified. Start and end points for log files are not specified. Start and end points for log files are specified. Start and end points for log sequence numbers are not specified.

Identify the term that refers to individuals who, by virtue of their knowledge and expertise, express an independent opinion on a matter related to a case based on the information that is provided. Expert Witness. Evidence Examiner. Forensic Examiner. Defense Witness.

Which of these Windows utility help you to repair logical file system errors?. Resource Monitor. Disk cleanup. Disk defragmenter. CHKDSK.

Which type of attack is possible when attackers know some credible information about the victim's password, such as the password length, algorithms involved, or the strings and characters used in its creation?. Rule-Based Attack. Brute-Forcing Attack. Dictionary Attack. Hybrid Password Guessing Attack.

Which ISO Standard enables laboratories to demonstrate that they comply with quality assurance and provide valid results?. ISO/IEC 16025. ISO/IEC 18025. ISO/IEC 19025. ISO/IEC 17025.

What do you call the process of studying the changes that have taken place across a system or a machine after a series of actions or incidents?. Windows Services Monitoring. System Baselining. Start-up Programs Monitoring. Host integrity Monitoring.

Robert is a regional manager working in a reputed organization. One day, he suspected malware attack after unwanted programs started to popup after logging into his computer. The network administrator was called upon to trace out any intrusion on the computer and he/she finds that suspicious activity has taken place within Autostart locations. In this situation, which of the following tools is used by the network administrator to detect any intrusion on a system?. Hex Editor. Internet Evidence Finder. Process Monitor. Report Viewer.

In a computer that has Dropbox client installed, which of the following files related to the Dropbox client store information about local Dropbox installation and the Dropbox user account, along with email IDs linked with the account?. config.db. install.db. sigstore.db. filecache.db.

Which of the following tools is not a data acquisition hardware tool?. UltraKit. Atola Insight Forensic. F-Response Imager. Triage-Responder.

Chong-lee, a forensics executive, suspects that a malware is continuously making copies of files and folders on a victim system to consume the available disk space. What type of test would confirm his claim?. File fingerprinting. Identifying file obfuscation. Static analysis. Dynamic analysis.

What is the framework used for application development for iOS-based mobile devices?. Cocoa Touch. Dalvik. Zygote. AirPlay.

Which of the following malware analysis involves executing the malware code to know how the code interacts with the host system and its impact on the system?. Primary Malware Analysis. Static Malware Analysis. Dynamic Malware Analysis. Secondary Malware Analysis.

An investigator enters the command sqlcmd -S WIN-CQQMK62867E -e -s"," -E as part of collecting the primary data file and logs from a database. What does the "WIN-CQQMK62867E" represent?. Name of the Database. Name of SQL Server. Operating system of the system. Network credentials of the database.

An attacker has compromised a cloud environment of a company and used the employee information to perform an identity theft attack. Which type of attack is this?. Cloud as a subject. Cloud as a tool. Cloud as an object. Cloud as a service.

Gill is a computer forensics investigator who has been called upon to examine a seized computer. This computer, according to the police, was used by a hacker who gained access to numerous banking institutions to steal customer information. After preliminary investigations, Gill finds in the computer's log files that the hacker was able to gain access to these banks through the use of Trojan horses. The hacker then used these Trojan horses to obtain remote access to the companies' domain controllers. From this point, Gill found that the hacker pulled off the SAM files from the domain controllers to then attempt and crack network passwords. What is the most likely password cracking technique used by this hacker to break the user passwords from the SAM files?. Syllable attack. Hybrid attack. Brute force attack. Dictionary attack.

Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted so as to cause a denial-of-service attack?. Email spamming. Phishing. Email spoofing. Mail bombing.

You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a "simple backup copy" of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a "simple backup copy" will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceeding?. Robust copy. Incremental backup copy. Bit-stream copy. Full backup copy.

Which of the following is a federal law enacted in the US to control the ways that financial institutions deal with the private information of individuals?. SOX. HIPAA 1996. GLBA. PCI DSS.

What is the purpose of using Obfuscator in malware?. Execute malicious code in the system. Avoid encryption while passing through a VPN. Avoid detection by security mechanisms. Propagate malware to other connected devices.

A Linux system is undergoing investigation. In which directory should the investigators look for its current state data if the system is in powered on state?. /auth. /proc. /var/log/debug. /var/spool/cron/.

Centralized binary logging is a process in which many websites write binary and unformatted log data to a single log file. What extension should the investigator look to find its log file?. .cbl. .log. .ibl. .txt.

The Recycle Bin exists as a metaphor for throwing files away, but it also allows a user to retrieve and restore files. Once the file is moved to the recycle bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle Bin?. INFO2. INFO1. LOGINFO1. LOGINFO2.

Which of the following Perl scripts will help an investigator to access the executable image of a process?. Lspd.pl. Lpsi.pl. Lspm.pl. Lspi.pl.

If the partition size is 4 GB, each cluster will be 32 K. Even if a file needs only 10 K, the entire 32 K will be allocated, resulting in 22 K of ________. Slack space. Deleted space. Sector space. Cluster space.

Which of the following examinations refers to the process of providing the opposing side in a trial the opportunity to question a witness?. Cross Examination. Direct Examination. Indirect Examination. Witness Examination.

Which command can provide the investigators with details of all the loaded modules on a Linux-based system?. list modules -a. lsmod. plist mod -a. lsof -m.

Investigators can use the Type Allocation Code (TAC) to find the model and origin of a mobile device. Where is TAC located in mobile devices?. International Mobile Equipment Identifier (IMEI). Integrated circuit card identifier (ICCID). International mobile subscriber identity (IMSI). Equipment Identity Register (EIR).

Which of the following processes is part of the dynamic malware analysis?. Process Monitoring. Malware disassembly. Searching for the strings. File fingerprinting.

Which command line tool is used to determine active network connections?. netsh. nbstat. nslookup. netstat.

An investigator has found certain details after analysis of a mobile device. What can reveal the manufacturer information?. Equipment Identity Register (EIR). Electronic Serial Number (ESN). International mobile subscriber identity (IMSI). Integrated circuit card identifier (ICCID).

Event correlation is the process of finding relevance between the events that produce a final result. What type of correlation will help an organization to correlate events across a set of servers, systems, routers and network?. Same-platform correlation. Network-platform correlation. Cross-platform correlation. Multiple-platform correlation.

Which one of the following is not a first response procedure?. Preserve volatile data. Fill forms. Crack passwords. Take photos.

Which part of the Metasploit framework helps users hide data in the space of a previously deleted file or in the space allocated to a file but currently unused by it?. Waffen FS. RuneFS. FragFS. Slacker.

The Apache server saves diagnostic information and error messages that it encounters while processing requests. The default path of this file on Linux is /usr/local/apache/logs/error.log. Identify the Apache error log from the following logs. http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1. [Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /export/home/live/ap/htdocs/test. 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326. 127.0.0.1 - - [10/Apr/2007:10:39:11 +0300] ] [error] "GET /apache_pb.gif HTTP/1.0" 200 2326.

Gary, a computer technician, is facing allegations of abusing children online by befriending them and sending them illicit adult images from his office computer. What type of investigation does this case require?. Administrative Investigation. Criminal Investigation. Both Criminal and Administrative Investigation. Civil Investigation.

Rusty, a computer forensics apprentice, uses the command nbtstat -c while analyzing the network information in a suspect system. What information is he looking for?. Contents of the network routing table. Status of the network carrier. Contents of the NetBIOS name cache. Network connections.

An International Mobile Equipment Identifier (IMEI) is a 15-digit number that indicates the manufacturer, model type, and country of approval for GSM devices. The first eight digits of an IMEI number that provide information about the model and origin of the mobile device is also known as: Type Allocation Code (TAC). Integrated Circuit Code (ICC). Manufacturer Identification Code (MIC). Device Origin Code (DOC).

When analyzing logs, it is important that the clocks of all the network devices are synchronized. Which protocol will help in synchronizing these clocks?. UTC. PTP. Time Protocol. NTP.

Lynne receives the following email: Dear lynne@gmail.com! We are sorry to inform you that your ID has been temporarily frozen due to incorrect or missing information saved at 2016/11/10 20:40:24 You have 24 hours to fix this problem or risk to be closed permanently! To proceed Please Connect >> My Apple ID Thank You The link to My Apple ID shows http://byggarbetsplatsen.se/backup/signon/ What type of attack is this?. Mail Bombing. Phishing. Email Spamming. Email Spoofing.

Gary is checking for the devices connected to USB ports of a suspect system during an investigation. Select the appropriate tool that will help him document all the connected devices. DevScan. Devcon. fsutil. Reg.exe.

You are assigned a task to examine the log files pertaining to MyISAM storage engine. While examining, you are asked to perform a recovery operation on a MyISAM log file. Which among the following MySQL Utilities allow you to do so?. mysqldump. myisamaccess. myisamlog. myisamchk.

Which of the following Android libraries are used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen?. OpenGL/ES and SGL. Surface Manager. Media framework. WebKit.

Netstat is a tool for collecting information regarding network connections. It provides a simple view of TCP and UDP connections, their state, and network traffic statistics. Which of the following commands shows you the TCP and UDP network connections, listening ports, and the owning process identifiers (PIDs)?. netstat -r. netstat -ano. netstat -b. netstat -s.

Which of the following Event Correlation Approach is an advanced correlation method that assumes and predicts what an attacker can do next after the attack by studying the statistics and probability and uses only two variables?. Bayesian Correlation. Vulnerability-Based Approach. Rule-Based Approach. Route Correlation.

When a user deletes a file or folder, the system stores the complete path, including the original filename, in a special hidden file called "INFO2" in the Recycled folder. If the INFO2 file is deleted, it is recovered when you ______________________. Undo the last action performed on the system. Reboot Windows. Use a recovery tool to undelete the file. Download the file from Microsoft website.

Jacky encrypts her documents using a password. It is known that she uses her daughter's year of birth as part of the password. Which password cracking technique would be optimal to crack her password?. Rule-based attack. Brute force attack. Syllable attack. Hybrid attack.

Which among the following is an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations?. HIPAA. GLBA. SOX. FISMA.

Stephen is checking an image using Compare Files by The Wizard, and he sees the file signature is shown as FF D8 FF E1. What is the file type of the image?. gif. bmp. jpeg. png.
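The question above is a file-signature (magic-number) check: FF D8 FF E1 is a JPEG whose first segment is an APP1/Exif header, while FF D8 FF E0 announces a JFIF header. The Python below is an added example, not code from the original test material. It keeps a small signature table for the four image types named in the question, picks the longest matching signature, flags files whose extension disagrees with their content, and, for JPEGs, checks for the FF D9 end-of-image marker that a truncated carve lacks. The sample headers are constructed byte strings, not real images.

```python
# Magic-byte signatures, matched longest-first so the Exif/JFIF variants win
SIGNATURES = [
    (b"\xFF\xD8\xFF\xE1", "jpeg", "JPEG with APP1/Exif segment"),
    (b"\xFF\xD8\xFF\xE0", "jpeg", "JPEG with APP0/JFIF segment"),
    (b"\xFF\xD8\xFF", "jpeg", "JPEG (other APPn marker)"),
    (b"\x89PNG\r\n\x1a\n", "png", "PNG"),
    (b"GIF87a", "gif", "GIF 87a"),
    (b"GIF89a", "gif", "GIF 89a"),
    (b"BM", "bmp", "Windows bitmap"),
]
SIGNATURES.sort(key=lambda s: len(s[0]), reverse=True)

# Declared extensions that map onto the same content type
EXT_ALIASES = {"jpg": "jpeg", "jpe": "jpeg", "dib": "bmp"}


def identify(data):
    """Return (type, description) for the longest matching signature, else None."""
    for magic, ftype, desc in SIGNATURES:
        if data.startswith(magic):
            return ftype, desc
    return None


def jpeg_is_complete(data):
    """A well-formed JPEG ends with the EOI marker FF D9; a truncated carve does not."""
    return data.startswith(b"\xFF\xD8") and data.rstrip(b"\x00").endswith(b"\xFF\xD9")


def check_file(filename, data):
    """Compare the declared extension with the content-derived type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    found = identify(data)
    detected = found[0] if found else None
    return {
        "file": filename,
        "declared": ext or None,
        "detected": detected,
        "description": found[1] if found else "unknown signature",
        "mismatch": detected is not None and ext != detected,
        "complete": jpeg_is_complete(data) if detected == "jpeg" else None,
    }


# Constructed sample headers (a few bytes each, not real image files)
SAMPLES = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE1\x00\x16Exif\x00\x00" + b"\x00" * 8 + b"\xFF\xD9",
    "truncated.jpeg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 8,
    "renamed.png": b"\xFF\xD8\xFF\xE1\x00\x16Exif\x00\x00" + b"\xFF\xD9",  # JPEG posing as PNG
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "anim.gif": b"GIF89a\x10\x00\x10\x00",
    "icon.bmp": b"BM\x36\x00\x00\x00",
    "blob.bin": b"\x00\x01\x02\x03",
}


def triage(samples=SAMPLES):
    return {name: check_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, r in triage().items():
        print(f'{name:16} {r["description"]:30} mismatch={r["mismatch"]} complete={r["complete"]}')
```

Signature order matters: the 8-byte PNG and 6-byte GIF magics are tested before the 3-byte generic JPEG prefix, so a shorter signature can never shadow a longer, more specific one.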

An expert witness is a __________________ who is normally appointed by a party to assist the formulation and preparation of a party's claim or defense. Expert in criminal investigation. Subject matter specialist. Witness present at the crime scene. Expert law graduate appointed by attorney.

Which of the following files stores information about a local Google Drive installation such as User email ID, Local Sync Root Path, and Client version installed?. filecache.db. config.db. sigstore.db. Sync_config.db.

Dave, a Computer Hacking Forensic Investigator (CHFI), is investigating a case of suspected cybercrime in a major organization. During the investigation, he identified a suspect's electronic device that might contain crucial evidence. Before Dave proceeds with extracting the data from the device, what is the most important legal obligation he should consider to ensure compliance with privacy laws?. Obtain permission from the owners of the data or system before publicizing the data. Inform the suspect about the investigation. Obtain a warrant mentioning the specific devices to be investigated. Preserve the anonymity of other users related to the target system.

An investigator has been tasked to analyze a suspicious executable file potentially containing malware. She uses a static analysis method to examine the file. Which step below should she NOT include as part of her static malware analysis process?. Running the executable in a sandboxed environment to observe its behavior. Searching for embedded strings in the binary code to infer the functionality. Conducting a file fingerprinting on the binary code to determine its function. Comparing the hash value of the file with online malware databases for recognition.

A cybersecurity forensic investigator analyzes log files to investigate an SQL Injection attack. While going through the Apache access.log, they come across a GET request from the IP 10.0.0.19 containing an encoded query string: GET /sqli/examplel.php?name=root' UniON SeLeCT 1,table_name,3,4,5 From information_schema.tables where Table_Schema=DatabasE() limit 1,2--- What is the intention behind the attacker's query?. To erase the data in the specific tables of the database. To retrieve the names of the tables in the database. To bypass the website's authentication mechanism and view all user details. To manipulate the order of the columns in the database.

A forensic investigator is tasked with logically acquiring data from an Android device involved in a cybercrime incident. The device is passcode protected, and the suspect refuses to reveal the passcode. How should the investigator proceed?. Enable USB debugging on the Android device and use adb commands to gain root access and extract data. Connect the Android device to a computer with iTunes installed to perform a backup and extract data. Use an adb pull command to download all the data, including system files and deleted data. Use the adb push command to extract data from the device without bypassing the passcode.

A forensic investigator is examining an attack on a MySQL database. The investigator has been given access to a server, but the physical MySQL data files are encrypted, and the database is currently inaccessible. The attacker seems to have tampered with the data. Which MySQL utility program would most likely assist the investigator in determining the changes that occurred during the attack?. Mysqlbinlog, because it reads the binary log files directly and displays them in text format. Myisamchk, because it views the status of the MyISAM table or checks, repairs, and optimizes them. Mysqldump, because it allows dumping a database for backup purposes. Mysqlaccess, because it checks the access privileges defined for a hostname or username.

Following an advanced persistent threat attack, a CHFI investigator is called in to acquire data from the compromised system. Given the wide range of potential data sources, the investigator needs to prioritize the order of data collection based on volatility. Which of the following would be the correct order to collect data in this scenario?. Archival media, physical configuration, network topology, disk or other storage media, temporary file systems, routing table, process table, kernel statistics, registers and processor cache. Archival media, disk or other storage media, temporary file systems, routing table, process table, and kernel statistics, registers and processor cache, physical configuration, and network topology. Registers and processor cache, routing table, process table, kernel statistics, temporary file systems, disk or other storage media, physical configuration, and network topology, archival media. Physical configuration, network topology, archival media, disk or other storage media, temporary file systems, routing table, process table, kernel statistics, registers and processor cache.

A forensic investigator is analyzing a smartphone to gather crucial evidence. To fully understand the device's working and data flow, he needs to comprehend the various mobile architectural layers. While examining the device's frequency conversion, the investigator focuses on which of the following hardware components?. Baseband part. DAC/ADC. Antenna. RF part.

William is examining a log entry that reads 192.168.0.1 - - [18/Jan/2020:12:42:29 +0000] "GET / HTTP/1.1" 200 1861. Which of the following logs does the log entry belong to?. The common log format of Apache access log. IIS log. The combined log format of Apache access log. Apache error log.
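Three questions on this page (the Apache error-log identification, the SQL injection request in access.log, and the common-format entry above) all come down to recognising Apache log formats and reading the request field. The Python below is an added example, not part of the original test material: it classifies a line as common, combined, error or unknown, parses the fields, URL-decodes the request target, and flags injection, traversal and command-execution indicators. The log lines are constructed samples modelled on the ones quoted in the questions; the IP addresses, paths and timestamps are invented.

```python
import re
from urllib.parse import unquote_plus

# Apache common log format: host ident user [time] "request" status size
COMMON_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Combined log format = common format + "referer" "user-agent"
COMBINED_RE = re.compile(COMMON_RE.pattern + r' "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$')
# Apache 2.2-style error log: [time] [level] [client ip] message
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>[a-z]+)\](?: \[client (?P<client>[^\]]+)\])? (?P<message>.*)$'
)

# Attack indicators, tested against both the raw and the URL-decoded target
RULES = [
    ("sql_injection", re.compile(
        r"(?i)(union\s+(?:all\s+)?select|information_schema\.|\bsleep\s*\(|"
        r"\bbenchmark\s*\(|'\s*(?:or|and)\s+\S+\s*=\s*\S+)")),
    ("directory_traversal", re.compile(r"(?i)(\.\./|\.\.\\|\.\.%c0%af|\.\.%2f|\.\.%5c)")),
    ("command_execution", re.compile(r"(?i)(cmd\.exe|/bin/sh\b|/bin/bash\b)")),
]


def classify(line):
    """Return which Apache log format a line follows: combined, common, error or unknown."""
    if COMBINED_RE.match(line):
        return "combined"
    if COMMON_RE.match(line):
        return "common"
    if ERROR_RE.match(line):
        return "error"
    return "unknown"


def find_indicators(request):
    """Match the attack rules against the raw and the decoded request target."""
    try:
        _method, target, _proto = request.split(" ", 2)
    except ValueError:
        target = request
    decoded = unquote_plus(target, errors="replace")
    return [name for name, rx in RULES if rx.search(target) or rx.search(decoded)]


def analyze(line):
    """Parse one log line; for access-log lines, attach attack indicators."""
    fmt = classify(line)
    if fmt in ("combined", "common"):
        m = (COMBINED_RE if fmt == "combined" else COMMON_RE).match(line)
        return {"format": fmt, "host": m["host"], "time": m["time"], "status": m["status"],
                "request": m["request"], "findings": find_indicators(m["request"])}
    if fmt == "error":
        m = ERROR_RE.match(line)
        return {"format": fmt, "level": m["level"], "client": m["client"],
                "message": m["message"], "findings": []}
    return {"format": fmt, "findings": []}


# Constructed sample lines (not real server data)
SAMPLE_LINES = [
    '192.168.0.1 - - [18/Jan/2020:12:42:29 +0000] "GET / HTTP/1.1" 200 1861',
    '127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 '
    '"http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"',
    '[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server '
    'configuration: /export/home/live/ap/htdocs/test',
    '10.0.0.19 - - [03/Mar/2021:09:12:44 +0000] "GET /sqli/example.php?name=root%27%20UniON'
    '%20SeLeCT%201,table_name,3,4,5%20From%20information_schema.tables%20where'
    '%20Table_Schema=DatabasE()%20limit%201,2-- HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Mar/2021:09:13:01 +0000] "GET /scripts/..%c0%af../winnt/system32/'
    'cmd.exe?/c+dir HTTP/1.0" 404 0',
    '127.0.0.1 - - [10/Apr/2007:10:39:11 +0300] ] [error] "GET /apache_pb.gif HTTP/1.0" 200 2326',
]


def triage(lines=SAMPLE_LINES):
    return [analyze(line) for line in lines]


if __name__ == "__main__":
    for r in triage():
        print(r["format"], r.get("host", r.get("client")), r["findings"])
```

Decoding before matching is what catches the mixed-case "UniON SeLeCT" hidden behind %20 encoding, while the traversal rule also looks at the raw target so the overlong-UTF-8 form ..%c0%af, which does not decode to a clean slash, is still flagged. The last sample line, which mixes an access-log prefix with an [error] tag, matches neither grammar and is reported as unknown, which is the right answer to the identification question rather than a parsing failure.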

What does Locard's Exchange Principle state?. Any information of probative value that is either stored or transmitted in a digital form. Digital evidence must have some characteristics to be disclosed in the court of law. Anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave. Forensic investigators face many challenges during forensics investigation of a digital crime, such as extracting, preserving, and analyzing the digital evidence.

An attacker successfully gained access to a remote Windows system and plans to install persistent backdoors on it. Before that, to avoid getting detected in future, he wants to cover his tracks by disabling the last-accessed timestamps of the machine. What would he do to achieve this?. Set the registry value of HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 0. Run the command fsutil behavior set disablelastaccess 0. Set the registry value of HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1. Run the command fsutil behavior set enablelastaccess 0.

Examination of a computer by a technically unauthorized person will almost always result in: Rendering any evidence found inadmissible in a court of law. Completely accurate results of the examination. The chain of custody being fully maintained. Rendering any evidence found admissible in a court of law.

During an investigation, Noel found the following SIM card from the suspect's mobile. What does the code 89 44 represent?. Issuer Identifier Number and TAC. Industry Identifier and Country code. Individual Account Identification Number and Country Code. TAC and Industry Identifier.
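Two questions on this page ask what the leading digits of a mobile identifier mean: the first eight digits of an IMEI are the TAC, and an ICCID opens with the telecom industry identifier 89 followed by the E.164 country code (44 for the UK). Both identifiers also carry a Luhn check digit, which is the quickest way to catch a mistyped or transposed number in a report. The Python below is an added example, not code from the original test material: it validates the Luhn digit and splits both identifiers into their fields. The reporting-body and country-code tables are deliberately small illustrative subsets, and the sample numbers are constructed (the IMEI 490154203237518 is the commonly cited textbook example).

```python
# Partial lookup tables for illustration only; real work uses the GSMA TAC
# database and the ITU-T E.164 country code list.
REPORTING_BODIES = {"35": "BABT (UK)", "01": "PTCRB (US)"}
COUNTRY_CODES = {"1": "US/Canada", "44": "United Kingdom", "49": "Germany", "91": "India"}


def luhn_valid(digits):
    """Luhn checksum over a digit string that already includes its check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload):
    """The single digit that makes payload + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(payload + d):
            return d
    raise AssertionError("unreachable: exactly one digit satisfies Luhn")


def _digits(s):
    return "".join(ch for ch in s if ch.isdigit())


def parse_imei(imei):
    """IMEI = TAC (8 digits) + serial (6) + Luhn check digit; the TAC opens with the reporting body."""
    d = _digits(imei)
    if len(d) != 15:
        raise ValueError("IMEI must have 15 digits")
    return {
        "tac": d[:8],
        "reporting_body": REPORTING_BODIES.get(d[:2], "unknown"),
        "serial": d[8:14],
        "check_digit": d[14],
        "luhn_ok": luhn_valid(d),
    }


def parse_iccid(iccid):
    """ICCID = MII 89 + E.164 country code (1-3 digits) + issuer/account + Luhn check digit."""
    d = _digits(iccid)
    if not 19 <= len(d) <= 20 or not d.startswith("89"):
        raise ValueError("ICCID must be 19-20 digits and start with MII 89")
    # Longest-prefix match on the country code, since codes are 1 to 3 digits long
    cc = next((d[2:2 + n] for n in (3, 2, 1) if d[2:2 + n] in COUNTRY_CODES), None)
    body_start = 2 + len(cc) if cc else 2
    return {
        "mii": d[:2],
        "country_code": cc,
        "country": COUNTRY_CODES.get(cc, "unknown"),
        "issuer_and_account": d[body_start:-1],
        "check_digit": d[-1],
        "luhn_ok": luhn_valid(d),
    }


if __name__ == "__main__":
    print(parse_imei("49-015420-323751-8"))          # textbook sample IMEI
    print(parse_iccid("8944100000000000125"))        # constructed UK-prefixed ICCID
    print(luhn_valid("490154203237581"))             # transposed digits: False
```

A failed Luhn check on a seized device's IMEI or SIM ICCID usually means a transcription error in the exhibit log rather than a tampered device, so the check belongs in the evidence-intake step, before the identifiers are sent to a carrier or the GSMA database.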

What must an attorney do first before you are called to testify as an expert?. Qualify you as an expert witness. Read your curriculum vitae to the jury. Engage in damage control. Prove that the tools you used to conduct your examination are perfect.

Identify the file system that uses $BitMap file to keep track of all used and unused clusters on a volume. NTFS. FAT. EXT. FAT32.

To which phase of the Computer Forensics Investigation Process does the Planning and Budgeting of a Forensics Lab belong?. Post-investigation Phase. Reporting Phase. Pre-investigation Phase. Investigation Phase.

Billy, a computer forensics expert, has recovered a large number of DBX files during the forensic investigation of a laptop. Which of the following email clients can he use to analyze the DBX files?. Microsoft Outlook. Eudora. Mozilla Thunderbird. Microsoft Outlook Express.

Amber, a black hat hacker, has embedded a malware into a small enticing advertisement and posted it on a popular ad-network that displays across various websites. What is she doing?. Click-jacking. Compromising a legitimate site. Spearphishing. Malvertising.

Which of the following is a database in which information about every file and directory on an NT File System (NTFS) volume is stored?. Volume Boot Record. Master Boot Record. GUID Partition Table. Master File Table.

Smith, a network administrator with a large MNC, was the first to arrive at a suspected crime scene involving criminal use of compromised computers. What should be his first response while maintaining the integrity of evidence?. Record the system state by taking photographs of physical system and the display. Perform data acquisition without disturbing the state of the systems. Open the systems, remove the hard disk and secure it. Switch off the systems and carry them to the laboratory.

Annie is searching for certain deleted files on a system running Windows XP OS. Where will she find the files if they were not completely deleted from the system?. C:\$Recycled.Bin. C:\$Recycle.Bin. C:\RECYCLER. C:\$RECYCLER.

Which of the following attacks allows an attacker to access restricted directories, including application source code, configuration and critical system files, and to execute commands outside of the web server's root directory?. Parameter/form tampering. Unvalidated input. Directory traversal. Security misconfiguration.

Jason discovered a file named $RIYG6VR.doc in C:\$Recycle.Bin\<USER SID>\ while analyzing a hard disk image for deleted data. What inferences can he make from the file name?. It is a doc file deleted in seventh sequential order. RIYG6VR.doc is the name of the doc file deleted from the system. It is a file deleted from the R drive. It is a deleted doc file.
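Added worked example (not part of the original question bank). On Windows Vista and later, a $R<id> file in C:\$Recycle.Bin\<SID>\ holds the deleted content and its partner $I<id> holds the metadata that answers the question the file name alone cannot: original path, original size and deletion time. The parser below decodes both $I layouts (version 1 for Vista/7/8 with a fixed 520-byte UTF-16 path, version 2 for Windows 10+ with a length-prefixed path). The sample records, the path C:\Users\jason\Documents\budget.doc and the 2025-04-27 timestamp are constructed here for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Decode a $I record from a Vista+ Recycle Bin.

    Layout: 8-byte version, 8-byte original size, 8-byte FILETIME deletion
    time, then the original path:
      version 1: fixed 520 bytes (260 UTF-16LE chars), NUL padded
      version 2: 4-byte char count (includes the terminating NUL), then UTF-16LE
    """
    if len(data) < 24:
        raise ValueError("record too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i(path: str, size: int, deleted: datetime, version: int = 2) -> bytes:
    """Construct a $I record (used here only to fabricate sample input)."""
    ft = datetime_to_filetime(deleted)
    if version == 1:
        raw = path.encode("utf-16-le")
        if len(raw) > 520:
            raise ValueError("path too long for a version 1 record")
        return struct.pack("<QQQ", 1, size, ft) + raw.ljust(520, b"\x00")
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + encoded


def partner_name(name: str) -> str:
    """$R<id>.<ext> -> $I<id>.<ext> and back; the six-char id is shared."""
    if name[:2] not in ("$I", "$R"):
        raise ValueError(f"not a Recycle Bin record name: {name!r}")
    return ("$R" if name[:2] == "$I" else "$I") + name[2:]


# Constructed sample records (hypothetical path and timestamp).
SAMPLE_DELETED = datetime(2025, 4, 27, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\jason\Documents\budget.doc"
SAMPLE_V2 = build_dollar_i(SAMPLE_PATH, 12345, SAMPLE_DELETED)
SAMPLE_V1 = build_dollar_i(SAMPLE_PATH, 12345, SAMPLE_DELETED, version=1)

if __name__ == "__main__":
    print("metadata partner of $RIYG6VR.doc is", partner_name("$RIYG6VR.doc"))
    print(parse_dollar_i(SAMPLE_V2))
```

In a real case the investigator reads C:\$Recycle.Bin\<SID>\$IIYG6VR.doc from the image and feeds its bytes to parse_dollar_i; the $R file itself carries only the content.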

Charles has accidentally deleted an important file while working on his Mac computer. He wants to recover the deleted file as it contains some of his crucial business secrets. Which of the following tool will help Charles?. Xplico. Colasoft's Capsa. FileSalvage. DriveSpy.

What does the part of the log, `% SEC-6-IPACCESSLOGP`, extracted from a Cisco router represent?. The system was not able to process the packet because there was not enough room for all of the desired IP header options. Immediate action required messages. Some packet-matching logs were missed because the access list log messages were rate limited, or no access list log buffers were available. A packet matching the log criteria for the given access list has been detected (TCP or UDP).
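Added worked example (not part of the original question bank). IOS system messages follow %FACILITY-SEVERITY-MNEMONIC: text, so SEC-6-IPACCESSLOGP is facility SEC, severity 6 (informational), mnemonic IPACCESSLOGP, and the text that follows names the access list, the verdict, the protocol and the endpoints. The parser below splits that header, decodes IPACCESSLOGP bodies, and runs a simple detection over them: a source whose packets are denied on several distinct destination ports. The log lines and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from typing import Optional

# IOS system message header: %FACILITY-SEVERITY-MNEMONIC: text
IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# IPACCESSLOGP body: "list 101 denied tcp 1.2.3.4(1234) -> 5.6.7.8(22), 1 packet"
ACL_LOGP = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}


def parse_ios_line(line: str) -> Optional[dict]:
    """Split the %FAC-SEV-MNEMONIC header; decode ACL fields when present."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    sev = int(m["severity"])
    rec = {"facility": m["facility"], "severity": sev,
           "severity_name": SEVERITY_NAMES[sev],
           "mnemonic": m["mnemonic"], "text": m["text"]}
    if rec["mnemonic"] == "IPACCESSLOGP":
        a = ACL_LOGP.match(rec["text"])
        if a:
            rec.update(acl=a["acl"], action=a["action"], proto=a["proto"],
                       src=a["src"], sport=int(a["sport"]),
                       dst=a["dst"], dport=int(a["dport"]), count=int(a["count"]))
    return rec


def denied_ports_by_source(lines) -> dict:
    """Map each source address to the set of destination ports it was denied on."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_ios_line(line)
        if rec and rec.get("action") == "denied":
            hits[rec["src"]].add(rec["dport"])
    return dict(hits)


def flag_probing_sources(lines, min_ports: int = 2) -> list:
    """Sources denied on at least min_ports distinct ports (a crude scan heuristic)."""
    return sorted(src for src, ports in denied_ports_by_source(lines).items()
                  if len(ports) >= min_ports)


# Constructed sample router log (hypothetical addresses and times).
SAMPLE_LOG = [
    "Apr 27 10:15:02.112: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.23(4471) -> 10.0.0.5(22), 1 packet",
    "Apr 27 10:15:03.504: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.0.0.5(53241) -> 10.0.0.2(53), 1 packet",
    "Apr 27 10:15:09.800: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets",
    "Apr 27 10:15:10.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.23(4472) -> 10.0.0.5(23), 1 packet",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_ios_line(line))
    print("probing sources:", flag_probing_sources(SAMPLE_LOG))
```

The IPACCESSLOGRL line is the rate-limit message the question lists as a distractor; it parses as a header but carries no ACL fields, which is exactly why an investigator should treat IPACCESSLOGP counts as a lower bound when RL messages are present.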

When marking evidence that has been collected with the `aaa/ddmmyy/nnnn/zz` format, what does the `nnnn` denote?. The initials of the forensics analyst. The sequence number for the parts of the same exhibit. The year the evidence was taken. The sequential number of the exhibits seized by the analyst.
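Added worked example (not part of the original question bank). The four fields of the label are the analyst's initials (aaa), the seizure date as day/month/two-digit year (ddmmyy), the exhibit's sequence number (nnnn) and the part number within that exhibit (zz). The code below validates and parses such labels and hands out the next label for a new exhibit or a further part of an existing one. Treating the two-digit year as 20yy is an assumption of this example, as are the initials JRD and the sample labels.

```python
import re
from datetime import date

LABEL_RE = re.compile(
    r"^(?P<initials>[A-Za-z]{3})/(?P<dd>\d{2})(?P<mm>\d{2})(?P<yy>\d{2})/"
    r"(?P<exhibit>\d{4})/(?P<part>\d{2})$"
)


def parse_evidence_label(label: str) -> dict:
    """Split aaa/ddmmyy/nnnn/zz into its fields; raises ValueError if malformed."""
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError(f"malformed evidence label: {label!r}")
    # Assumption: two-digit years are 20yy. date() rejects impossible dates (31/02).
    seized = date(2000 + int(m["yy"]), int(m["mm"]), int(m["dd"]))
    exhibit, part = int(m["exhibit"]), int(m["part"])
    if exhibit == 0 or part == 0:
        raise ValueError("exhibit and part numbers start at 1")
    return {"initials": m["initials"].upper(), "seized": seized,
            "exhibit": exhibit, "part": part}


def is_valid_label(label: str) -> bool:
    try:
        parse_evidence_label(label)
        return True
    except ValueError:
        return False


def format_evidence_label(initials: str, seized: date, exhibit: int, part: int = 1) -> str:
    if not (len(initials) == 3 and initials.isalpha()):
        raise ValueError("initials must be three letters")
    if not (1 <= exhibit <= 9999 and 1 <= part <= 99):
        raise ValueError("exhibit must fit in nnnn and part in zz")
    return f"{initials.upper()}/{seized:%d%m%y}/{exhibit:04d}/{part:02d}"


class EvidenceLog:
    """Issues labels for one analyst on one seizure date.

    A new exhibit advances nnnn and starts at part 01; a further part of an
    existing exhibit (e.g. a second drive from the same machine) advances zz.
    """

    def __init__(self, initials: str, seized: date):
        self.initials, self.seized = initials, seized
        self.exhibit = 0
        self.parts = {}

    def new_exhibit(self) -> str:
        self.exhibit += 1
        self.parts[self.exhibit] = 1
        return format_evidence_label(self.initials, self.seized, self.exhibit, 1)

    def add_part(self, exhibit: int) -> str:
        if exhibit not in self.parts:
            raise KeyError(f"exhibit {exhibit} has not been logged")
        self.parts[exhibit] += 1
        return format_evidence_label(self.initials, self.seized, exhibit, self.parts[exhibit])


if __name__ == "__main__":
    log = EvidenceLog("JRD", date(2025, 4, 27))
    print(log.new_exhibit(), log.new_exhibit(), log.add_part(1))
```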

What is the location of the binary files required for the functioning of the OS in a Linux system?. /run. /bin. /root. /sbin.

Data is striped at a byte level across multiple drives, and parity information is distributed among all member drives. What RAID level is represented here?. RAID Level 0. RAID Level 5. RAID Level 3. RAID Level 1.
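Added worked example (not part of the original question bank). What makes the distributed-parity level recoverable in forensics is that every stripe's parity is the XOR of its data chunks and lives on a different member each stripe, so a single missing member can be rebuilt from the others and the logical volume read back. The code below lays data out across N members with rotating parity, rebuilds one missing member and reads the volume back; with chunk=1 the striping is byte-level as in the question. The parity rotation order used here is an assumption (real controllers differ, and identifying the layout is part of the reconstruction job); the payload is constructed.

```python
from functools import reduce


def parity_drive(stripe: int, n_drives: int) -> int:
    """Member that holds parity for a stripe. Assumed rotation: one member
    backwards per stripe (n-1, n-2, ..., 0, n-1, ...)."""
    return (n_drives - 1 - stripe) % n_drives


def xor_chunks(chunks) -> bytes:
    """Byte-wise XOR of equal-length byte strings."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), chunks)


def raid5_layout(data: bytes, n_drives: int, chunk: int = 4) -> list:
    """Stripe data across n_drives members with rotating parity; returns the members."""
    if n_drives < 3:
        raise ValueError("distributed parity needs at least three members")
    per_stripe = (n_drives - 1) * chunk
    padded = data + b"\x00" * (-len(data) % per_stripe)
    members = [bytearray() for _ in range(n_drives)]
    for s in range(len(padded) // per_stripe):
        block = padded[s * per_stripe:(s + 1) * per_stripe]
        chunks = [block[i * chunk:(i + 1) * chunk] for i in range(n_drives - 1)]
        p = parity_drive(s, n_drives)
        data_iter = iter(chunks)
        for d in range(n_drives):
            members[d] += xor_chunks(chunks) if d == p else next(data_iter)
    return [bytes(m) for m in members]


def raid5_reconstruct(members) -> bytes:
    """members: list with exactly one None (the failed member); returns its content.
    Works for any rotation order because parity XOR data chunks == missing chunk."""
    missing = [i for i, m in enumerate(members) if m is None]
    if len(missing) != 1:
        raise ValueError("single distributed parity tolerates exactly one missing member")
    return xor_chunks([m for m in members if m is not None])


def raid5_read(members, chunk: int, length: int) -> bytes:
    """Reassemble the logical volume by skipping each stripe's parity chunk."""
    n = len(members)
    out = bytearray()
    for s in range(len(members[0]) // chunk):
        p = parity_drive(s, n)
        for d in range(n):
            if d != p:
                out += members[d][s * chunk:(s + 1) * chunk]
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"forensic RAID-5 stripe reconstruction test payload"  # constructed
    members = raid5_layout(payload, 4, chunk=4)
    damaged = list(members)
    damaged[2] = None                      # simulate one failed member image
    damaged[2] = raid5_reconstruct(damaged)
    print(raid5_read(damaged, 4, len(payload)) == payload)
```

Reconstruction needs only the XOR of the surviving members, but reading the volume back needs the chunk size and the parity rotation to be right; a wrong rotation yields a stream that is mostly correct with parity bytes interleaved, which is the usual symptom when rebuilding from member images of unknown controller layout.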

Depending upon the jurisdictional area, different laws apply to different incidents. Which of the following laws relates to fraud and related activity in connection with computers?. 18 USC § 1029. 18 USC § 1030. 18 USC § 1361. 18 USC § 1371.

Which of the following are small pieces of data sent from a website and stored on the user's computer by the user's web browser to track, validate, and maintain specific user information?. Temporary Files. Open files. Cookies. Web Browser Cache.

Which of the following files contain traces of the applications installed, run, or uninstalled from a system?. Shortcut Files. Virtual files. Prefetch Files. Image Files.

While looking through the IIS log file of a web server, you find the following entries: What is evident from this log file?. Web bugs. Cross site scripting. Hidden fields. SQL injection is possible.

Why is it still possible to recover files that have been emptied from the Recycle Bin on a Windows computer?. The data is still present until the original location of the file is used. The data is moved to the Restore directory and is kept there indefinitely. The data will reside in the L2 cache on a Windows computer until it is manually deleted. It is not possible to recover data that has been emptied from the Recycle Bin.

To check for POP3 traffic using Ethereal, what port should an investigator search by?. 143. 25. 110. 125.

What method of copying should always be performed first before carrying out an investigation?. Parity-bit copy. Bit-stream copy. MS-DOS disc copy. System level copy.

You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bit-stream image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?. The registry. The swap file. The recycle bin. The metadata.

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?. Universal Time Set. Network Time Protocol. SyncTime Service. Time-Sync Protocol.

In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court?. rules of evidence. law of probability. chain of custody. policy of separation.
