option
Questions
ayuda
daypo
CREATE TEST
search.php

ERASED TEST, YOU MAY BE INTERESTED ON CHFIv10 D

COMMENTS STATISTICS RECORDS
TAKE THE TEST
Title of test:
CHFIv10 D

Description:
Computer Hacking Forensic Investigator

Author:
AVATAR
IchbinPimi
Other tests from this author

Creation Date: 14/02/2025

Category: Others

Number of questions: 150
Share the Test:
New CommentNuevo Comentario
No comments about this test.
Content:
Which command line tool is used to determine active network connections? netsh nbstat nslookup netstat.
Which of the following processes is part of the dynamic malware analysis? Process Monitoring Malware disassembly Searching for the strings File fingerprinting.
Investigators can use the Type Allocation Code (TAC) to find the model and origin of a mobile device. Where is TAC located in mobile devices? International Mobile Equipment Identifier (IMEI) Integrated circuit card identifier (ICCID) International mobile subscriber identity (IMSI) Equipment Identity Register (EIR).
What do you call the process in which an attacker uses magnetic field over the digital media device to delete any previously stored data? Disk deletion Disk cleaning Disk degaussing Disk magnetization.
Which of the following tool can reverse machine code to assembly language? PEiD RAM Capturer IDA Pro Deep Log Analyzer.
Which of the following file formats allows the user to compress the acquired data as well as keep it randomly accessible? Proprietary Format Generic Forensic Zip (gfzip) Advanced Forensic Framework 4 Advanced Forensics Format (AFF).
What is the investigator trying to view by issuing the command displayed in the following screenshot? List of services stopped List of services closed recently List of services recently started List of services installed.
Which layer of iOS architecture should a forensics investigator evaluate to analyze services such as Threading, File Access, Preferences, Networking and high- level features? Core Services Media services Cocoa Touch Core OS.
Which command can provide the investigators with details of all the loaded modules on a Linux-based system? list modules -a lsmod plist mod -a lsof -m.
In a Linux-based system, what does the command `Last -F` display? Login and logout times and dates of the system Last run processes Last functions performed Recently opened files.
Which of the following examinations refers to the process of providing the opposing side in a trial the opportunity to question a witness? Cross Examination Direct Examination Indirect Examination Witness Examination.
Pick the statement which does not belong to the Rule 804. Hearsay Exceptions; Declarant Unavailable. Statement of personal or family history Prior statement by witness Statement against interest Statement under belief of impending death.
Which of the following is a responsibility of the first responder? Determine the severity of the incident Collect as much information about the incident as possible Share the collected information to determine the root cause Document the findings.
NTFS sets a flag for the file once you encrypt it and creates an EFS attribute where it stores Data Decryption Field (DDF) and Data Recovery Field (DDR). Which of the following is not a part of DDF? Encrypted FEK Checksum EFS Certificate Hash Container Name.
If the partition size is 4 GB, each cluster will be 32 K. Even if a file needs only 10 K, the entire 32 K will be allocated, resulting in 22 K of ________. Slack space Deleted space Sector space Cluster space.
After suspecting a change in MS-Exchange Server storage archive, the investigator has analyzed it. Which of the following components is not an actual part of the archive? PRIV.STM PUB.EDB PRIV.EDB PUB.STM.
Which of the following is a non-zero data that an application allocates on a hard disk cluster in systems running on Windows OS? Sparse File Master File Table Meta Block Group Slack Space.
Which of the following is a tool to reset Windows admin password? R-Studio Windows Password Recovery Bootdisk Windows Data Recovery Software TestDisk for Windows.
Ron, a computer forensics expert, is investigating a case involving corporate espionage. He has recovered several mobile computing devices from the crime scene. One of the evidence that Ron possesses is a mobile phone from Nokia that was left in ON condition. Ron needs to recover the IMEI number of the device to establish the identity of the device owner. Which of the following key combinations can he use to recover the IMEI number? #*06*# *#06# #06#* *IMEI#.
Select the data that a virtual memory would store in a Windows-based system. Information or metadata of the files Documents and other files Application data Running processes.
Which of the following does not describe the type of data density on a hard disk? Volume density Track density Linear or recording density Areal density.
Amelia has got an email from a well-reputed company stating in the subject line that she has won a prize money, whereas the email body says that she has to pay a certain amount for being eligible for the contest. Which of the following acts does the email breach? CAN-SPAM Act HIPAA GLBA SOX.
Which principle states that `anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave`? Locard's Exchange Principle Enterprise Theory of Investigation Locard's Evidence Principle Evidence Theory of Investigation.
During an investigation, Noel found the following SIM card from the suspect's mobile. What does the code 89 44 represent? Issuer Identifier Number and TAC Industry Identifier and Country code Individual Account Identification Number and Country Code TAC and Industry Identifier.
Which of the following file system uses Master File Table (MFT) database to store information about every file and directory on a volume? FAT File System ReFS exFAT NTFS File System.
As a part of the investigation, Caroline, a forensic expert, was assigned the task to examine the transaction logs pertaining to a database named Transfers. She used SQL Server Management Studio to collect the active transaction log files of the database. Caroline wants to extract detailed information on the logs, including AllocUnitId, page id, slot id, etc. Which of the following commands does she need to execute in order to extract the desired information? DBCC LOG(Transfers, 1) DBCC LOG(Transfers, 3) DBCC LOG(Transfers, 0) DBCC LOG(Transfers, 2).
%3cscript%3ealert(`XXXXXXXX`)%3c/script%3e is a script obtained from a Cross-Site Scripting attack. What type of encoding has the attacker employed? Double encoding Hex encoding Unicode Base64.
Which of the following is a device monitoring tool? Capsa Driver Detective Regshot RAM Capturer.
What system details can an investigator obtain from the NetBIOS name table cache? List of files opened on other systems List of the system present on a router List of connections made to other systems List of files shared between the connected systems.
While analyzing a hard disk, the investigator finds that the file system does not use UEFI-based interface. Which of the following operating systems is present on the hard disk? Windows 10 Windows 8 Windows 7 Windows 8.1.
In which registry does the system store the Microsoft security IDs? HKEY_CLASSES_ROOT (HKCR) HKEY_CURRENT_CONFIG (HKCC) HKEY_CURRENT_USER (HKCU) HKEY_LOCAL_MACHINE (HKLM).
An investigator has extracted the device descriptor for a 1GB thumb drive that looks like: Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15. What does the `Geek_Squad` part represent? Product description Manufacturer Details Developer description Software or OS used.
Which of the following Perl scripts will help an investigator to access the executable image of a process? Lspd.p Lpsi.pl Lspm.pl Lspi.pl.
Which of the following attack uses HTML tags like <script></script>? Phishing XSS attack SQL injection Spam.
Examination of a computer by a technically unauthorized person will almost always result in: Rendering any evidence found inadmissible in a court of law Completely accurate results of the examination The chain of custody being fully maintained Rendering any evidence found admissible in a court of law.
Adam, a forensic analyst, is preparing VMs for analyzing a malware. Which of the following is NOT a best practice? Isolating the host device Installing malware analysis tools Using network simulation tools Enabling shared folders.
The Recycle Bin exists as a metaphor for throwing files away, but it also allows a user to retrieve and restore files. Once the file is moved to the recycle bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle Bin? NFO2 INFO1 LOGINFO1 LOGINFO2.
During an investigation of an XSS attack, the investigator comes across the term `[a-zA-Z0-9\%]+` in analyzed evidence details. What is the expression used for? Checks for upper and lower-case alphanumeric string inside the tag, or its hex representation Checks for forward slash used in HTML closing tags, its hex or double-encoded hex equivalent Checks for opening angle bracket, its hex or double-encoded hex equivalent Checks for closing angle bracket, hex or double-encoded hex equivalent.
Which among the following search warrants allows the first responder to search and seize the victim's computer components such as hardware, software, storage devices, and documentation? John Doe Search Warrant Citizen Informant Search Warrant Electronic Storage Device Search Warrant Service Provider Search Warrant.
Centralized binary logging is a process in which many websites write binary and unformatted log data to a single log file. What extension should the investigator look to find its log file? cbl log ibl xt.
Where should the investigator look for the Edge browser's browsing records, including history, cache, and cookies? ESE Database Virtual Memory Sparse files Slack Space.
Which of the following setups should a tester choose to analyze malware behavior? A virtual system with internet connection A normal system without internet connect A normal system with internet connection A virtual system with network simulation for internet connection.
A Linux system is undergoing investigation. In which directory should the investigators look for its current state data if the system is in powered on state? /auth /proc /var/log/debug /var/spool/cron/.
What is the purpose of using Obfuscator in malware? Execute malicious code in the system Avoid encryption while passing through a VPN Avoid detection by security mechanisms Propagate malware to other connected devices.
Which of the following commands shows you the username and IP address used to access the system via a remote login session and the type of client from which they are accessing the system? Net config Net sessions Net share Net stat.
Which of the following is a federal law enacted in the US to control the ways that financial institutions deal with the private information of individuals? SOX HIPAA 1996 GLBA PCI DSS.
UEFI is a specification that defines a software interface between an OS and platform firmware. Where does this interface store information about files present on a disk? BIOS-MBR GUID Partition Table (GPT) Master Boot Record (MBR) BIOS Parameter Block.
You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a `simple backup copy` of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a `simple backup copy` will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceeding? Robust copy Incremental backup copy Bit-stream copy Full backup copy.
Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted so as to cause a denial-of-service attack? Email spamming Phishing Email spoofing Mail bombing.
Gill is a computer forensics investigator who has been called upon to examine a seized computer. This computer, according to the police, was used by a hacker who gained access to numerous banking institutions to steal customer information. After preliminary investigations, Gill finds in the computer's log files that the hacker was able to gain access to these banks through the use of Trojan horses. The hacker then used these Trojan horses to obtain remote access to the companies' domain controllers. From this point, Gill found that the hacker pulled off the SAM files from the domain controllers to then attempt and crack network passwords. What is the most likely password cracking technique used by this hacker to break the user passwords from the SAM files? Syllable attack Hybrid attack Brute force attack Dictionary attack.
An attacker has compromised a cloud environment of a company and used the employee information to perform an identity theft attack. Which type of attack is this? Cloud as a subject Cloud as a tool Cloud as an object Cloud as a service.
In which implementation of RAID will the image of a Hardware RAID volume be different from the image taken separately from the disks? RAID 1 The images will always be identical because data is mirrored for redundancy RAID 0 It will always be different.
One technique for hiding information is to change the file extension from the correct one to the one that might not be noticed by an investigator. For example, [1] extension? The file header The File Allocation Table The file footer The sector map.
An investigator enters the command sqlcmd -S WIN-CQQMK62867E -e -s"," -E as part of collecting the primary data file and logs from a database. What does the "WIN-CQQMK62867E` represent? Name of the Database Name of SQL Server Operating system of the system Network credentials of the database.
During the trial, an investigator observes that one of the principal witnesses is severely ill and cannot be present for the hearing. He decides to record the evidence and present it to the court. Under which rule should he present such evidence? Rule 1003: Admissibility of Duplicates Limited admissibility Locard's Principle Hearsay.
What is cold boot (hard boot)? It is the process of restarting a computer that is already in sleep mode It is the process of shutting down a computer from a powered-on or on state It is the process of restarting a computer that is already turned on through the operating system It is the process of starting a computer from a powered-down or off state.
Which of the following malware analysis involves executing the malware code to know how the code interacts with the host system and its impact on the system? Primary Malware Analysis Static Malware Analysis Dynamic Malware Analysis Secondary Malware Analysis.
Which among the following laws emphasizes the need for each Federal agency to develop, document, and implement an organization-wide program to provide information security for the information systems that support its operations and assets? FISMA HIPAA GLBA SOX.
Which of the following techniques delete the files permanently? Steganography Artifact Wiping Data Hiding Trail obfuscation.
What is an investigator looking for in the rp.log file stored in a system running on Windows 10 operating system? Restore point interval Automatically created restore points System CheckPoints required for restoring Restore point functions.
Email archiving is a systematic approach to save and protect the data contained in emails so that it can be accessed fast at a later date. There are two main archive types, namely Local Archive and Server Storage Archive. Which of the following statements is correct while dealing with local archives? Server storage archives are the server information and settings stored on a local system, whereas the local archives are the local email client information stored on the mail server It is difficult to deal with the webmail as there is no offline archive in most cases. So consult your counsel on the case as to the best way to approach and gain access to the required data on servers Local archives should be stored together with the server storage archives in order to be admissible in a court of law Local archives do not have evidentiary value as the email client may alter the message data.
Which of the following tool is used to locate IP addresses? SmartWhois Deep Log Analyzer Towelroot XRY LOGICAL.
Which of the following protocols allows non-ASCII files, such as video, graphics, and audio, to be sent through the email messages? MIME BINHEX UT-16 UUCODE.
What is the framework used for application development for iOS-based mobile devices? Cocoa Touch Dalvik Zygote AirPlay.
Chong-lee, a forensics executive, suspects that a malware is continuously making copies of files and folders on a victim system to consume the available disk space. What type of test would confirm his claim? File fingerprinting Identifying file obfuscation Static analysis Dynamic analysis.
Which of the following tools is not a data acquisition hardware tool? UltraKit Atola Insight Forensic F-Response Imager Triage-Responder.
The given image displays information about date and time of installation of the OS along with service packs, patches, and sub-directories. What command or tool did the investigator use to view this output? dir /o:d dir /o:s dir /o:e dir /o:n.
Which list contains the most recent actions performed by a Windows User? MRU Activity Recents Windows Error Log.
Joshua is analyzing an MSSQL database for finding the attack evidence and other details, where should he look for the database logs? Model.log Model.txt Model.ldf Model.lgf.
What is the name of the first reserved sector in File allocation table? Volume Boot Record Partition Boot Sector Master Boot Record BIOS Parameter Block.
What does the command `C:\>wevtutil gl <log name>` display? Configuration information of a specific Event Log Event logs are saved in .xml format Event log record structure List of available Event Logs.
An investigator is analyzing a checkpoint firewall log and comes across symbols. What type of log is he looking at? A. Security event was monitored but not stopped Malicious URL detected An email marked as potential spam Connection rejected.
For what purpose do the investigators use tools like iPhoneBrowser, iFunBox, OpenSSHSSH, and iMazing? Bypassing iPhone passcode Debugging iPhone Rooting iPhone Copying contents of iPhone.
In a computer that has Dropbox client installed, which of the following files related to the Dropbox client store information about local Dropbox installation and the Dropbox user account, along with email IDs linked with the account? config.db install.db sigstore.db filecache.db.
Robert is a regional manager working in a reputed organization. One day, he suspected malware attack after unwanted programs started to popup after logging into his computer. The network administrator was called upon to trace out any intrusion on the computer and he/she finds that suspicious activity has taken place within Autostart locations. In this situation, which of the following tools is used by the network administrator to detect any intrusion on a system? Hex Editor Internet Evidence Finder Process Monitor port Viewer.
What do you call the process of studying the changes that have taken place across a system or a machine after a series of actions or incidents? Windows Services Monitoring System Baselining Start-up Programs Monitoring Host integrity Monitoring.
Self-Monitoring, Analysis, and Reporting Technology (SMART) is built into the hard drives to monitor and report system activity. Which of the following is included in the report generated by SMART? Power Off time Logs of high temperatures the drive has reached All the states (running and discontinued) associated with the OS List of running processes.
Data Files contain Multiple Data Pages, which are further divided into Page Header, Data Rows, and Offset Table. Which of the following is true for Data Rows? Data Rows store the actual data Data Rows present Page type. Page ID, and so on Data Rows point to the location of actual data Data Rows spreads data across multiple databases.
In Windows, prefetching is done to improve system performance. There are two types of prefetching: boot prefetching and application prefetching. During boot prefetching, what does the Cache Manager do? Determines the data associated with value EnablePrefetcher Monitors the first 10 seconds after the process is started Checks whether the data is processed Checks hard page faults and soft page faults.
The MAC attributes are timestamps that refer to a time at which the file was last modified or last accessed or originally created. Which of the following file systems store MAC attributes in Coordinated Universal Time (UTC) format? File Allocation Table (FAT) New Technology File System (NTFS) Hierarchical File System (HFS) Hierarchical File System (HFS).
Robert, a cloud architect, received a huge bill from the cloud service provider, which usually doesn't happen. After analyzing the bill, he found that the cloud resource consumption was very high. He then examined the cloud server and discovered that a malicious code was running on the server, which was generating huge but harmless traffic from the server. This means that the server has been compromised by an attacker with the sole intention to hurt the cloud customer financially. Which attack is described in the above scenario? XSS Attack DDoS Attack (Distributed Denial of Service) Man-in-the-cloud Attack EDoS Attack (Economic Denial of Service).
What is the role of Alloc.c in Apache core? It handles allocation of resource pools It is useful for reading and handling of the configuration files It takes care of all the data exchange and socket connections between the client and the server It handles server start-ups and timeouts.
Which of the following statements is true regarding SMTP Server? SMTP Server breaks the recipient's address into Recipient's name and his/her designation before passing it to the DNS Server SMTP Server breaks the recipient's address into Recipient's name and recipient's address before passing it to the DNS Server SMTP Server breaks the recipient's address into Recipient's name and domain name before passing it to the DNS Server SMTP Server breaks the recipient's address into Recipient's name and his/her initial before passing it to the DNS Server.
Which ISO Standard enables laboratories to demonstrate that they comply with quality assurance and provide valid results? ISO/IEC 16025 ISO/IEC 18025 ISO/IEC 19025 SO/IEC 17025.
Which type of attack is possible when attackers know some credible information about the victim's password, such as the password length, algorithms involved, or the strings and characters used in its creation? Rule-Based Attack Brute-Forcing Attack Dictionary Attack Hybrid Password Guessing Attack.
In which of these attacks will a steganalyst use a random message to generate a stego-object by using some steganography tool, to find the steganography algorithm used to hide the information? Chosen-message attack Known-cover attack Known-message attack Known-stego attack.
Which of these Windows utility help you to repair logical file system errors? Resource Monitor Disk cleanup Disk defragmenter CHKDSK.
Identify the term that refers to individuals who, by virtue of their knowledge and expertise, express an independent opinion on a matter related to a case based on the information that is provided. Expert Witness Evidence Examiner Forensic Examiner Defense Witness.
Steve, a forensic investigator, was asked to investigate an email incident in his organization. The organization has Microsoft Exchange Server deployed for email communications. Which among the following files will Steve check to analyze message headers, message text, and standard attachments? PUB.EDB PRIV.EDB PUB.STM PRIV.STM.
Which of the following information is displayed when Netstat is used with -ano switch? Ethernet statistics Contents of IP routing table Details of routing table Details of TCP and UDP connections.
While collecting Active Transaction Logs using SQL Server Management Studio, the query Select * from ::fn_dblog(NULL, NULL) displays the active portion of the transaction log file. Here, assigning NULL values implies? Start and end points for log sequence numbers are specified Start and end points for log files are not specified Start and end points for log files are specified Start and end points for log sequence numbers are not specified.
Which of the following statements is TRUE with respect to the Registry settings in the user start-up folder HKEY_CURRENT_USER\Software\Microsoft\Windows \CurrentVersion\RunOnce\ All the values in this subkey run when specific user logs on, as this setting is user-specific The string specified in the value run executes when user logs on All the values in this key are executed at system start-up All values in this subkey run when specific user logs on and then the values are deleted.
Which cloud model allows an investigator to acquire the instance of a virtual machine and initiate the forensics examination process? PaaS model IaaS model SaaS model SecaaS model.
An attacker successfully gained access to a remote Windows system and plans to install persistent backdoors on it. Before that, to avoid getting detected in future, he wants to cover his tracks by disabling the last-accessed timestamps of the machine. What would he do to achieve this? Set the registry value of HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 0 Run the command fsutil behavior set disablelastaccess 0 Set the registry value of HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1 Run the command fsutil behavior set enablelastaccess 0.
Which of the following web browser uses the Extensible Storage Engine (ESE) database format to store browsing records, including history, cache, and cookies? Safari Mozilla Firefox Microsoft Edge Google Chrome.
Which U.S. law sets the rules for sending emails for commercial purposes, establishes the minimum requirements for commercial messaging, gives the recipients of emails the right to ask the senders to stop emailing them, and spells out the penalties in case the above said rules are violated? NO-SPAM Act American: NAVSO P-5239-26 (RLL) CAN-SPAM Act American: DoD 5220.22-M.
Which of the following statements is TRUE about SQL Server error logs? SQL Server error logs record all the events occurred on the SQL Server and its databases Forensic investigator uses SQL Server Profiler to view error log files Error logs contain IP address of SQL Server client connections Trace files record, user-defined events, and specific system events.
Which among the following tools can help a forensic investigator to access the registry files during postmortem analysis? RegistryChangesView RegDIIView RegRipper ProDiscover.
Consider that you are investigating a machine running an Windows OS released prior to Windows Vista. You are trying to gather information about the deleted files by examining the master database file named INFO2 located at C:\Recycler\<USER SID>\. You read an entry named "Dd5.exe". What does Dd5.exe mean? D drive. fifth file deleted, a .exe file D drive, fourth file restored, a .exe file D drive, fourth file deleted, a .exe file D drive, sixth file deleted, a .exe file.
Which Linux command when executed displays kernel ring buffers or information about device drivers loaded into the kernel? pgrep dmesg fsck grep.
A section of your forensics lab houses several electrical and electronic equipment. Which type of fire extinguisher you must install in this area to contain any fire incident? Class B Class D Class C Class A.
Checkpoint Firewall logs can be viewed through a Check Point Log viewer that uses icons and colors in the log table to represent different security events and The firewall rejected a connection A virus was detected in an email The firewall dropped a connection An email was marked as potential spam.
In which cloud crime do attackers try to compromise the security of the cloud environment in order to steal data or inject a malware? Cloud as an Object Cloud as a Tool Cloud as an Application Cloud as a Subject.
POP3 is an Internet protocol, which is used to retrieve emails from a mail server. Through which port does an email client connect with a POP3 server? 110 143 25 993.
James, a hacker, identifies a vulnerability in a website. To exploit the vulnerability, he visits the login page and notes down the session ID that is created. He appends this session ID to the login URL and shares the link with a victim. Once the victim logs into the website using the shared URL, James reloads the webpage (containing the URL with the session ID appended) and now, he can browse the active session of the victim. Which attack did James successfully execute? Cross Site Request Forgery Cookie Tampering Parameter Tampering Session Fixation Attack.
Which of the following components within the android architecture stack take care of displaying windows owned by different applications? Media Framework Surface Manager Resource Manager Application Framework.
Which among the following web application threats is resulted when developers expose various internal implementation objects, such as files, directories, database records, or key-through references? Remote File Inclusion Cross Site Scripting Insecure Direct Object References Cross Site Request Forgery.
What does Locard's Exchange Principle state? Any information of probative value that is either stored or transmitted in a digital form Digital evidence must have some characteristics to be disclosed in the court of law Anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave Forensic investigators face many challenges during forensics investigation of a digital crime, such as extracting, preserving, and analyzing the digital evidence.
Smith is an IT technician that has been appointed to his company's network vulnerability assessment team. He is the only IT employee on the team. The other team members include employees from Accounting, Management, Shipping, and Marketing. Smith and the team members are having their first meeting to discuss how they will proceed. What is the first step they should do to create the network vulnerability assessment plan? Their first step is to make a hypothesis of what their final findings will be. Their first step is to create an initial Executive report to show the management team. Their first step is to analyze the data they have currently gathered from the company or interviews. Their first step is the acquisition of required documents, reviewing of security policies and compliance.
What is the location of a Protective MBR in a GPT disk layout? Logical Block Address (LBA) 2 Logical Block Address (LBA) 0 Logical Block Address (LBA) 1 Logical Block Address (LBA) 3.
In Linux OS, different log files hold different information, which help the investigators to analyze various issues during a security incident. What information can the investigators obtain from the log file var/log/dmesg? Kernel ring buffer information All mail server message logs Global system messages Debugging log messages.
Which of the following hives in Windows registry contain configuration information related to the application type that is used to open various files on the system? HKEY_CURRENT_CONFIG HKEY_CLASSES_ROOT HKEY_CURRENT_USER HKEY_LOCAL MACHINE.
Which of these ISO standards define the file system for optical storage media, such as CD-ROM and DVD-ROM? ISO 9660 ISO 13346 ISO 9960 ISO 13490.
Which of the following Linux command searches through the current processes and lists the process IDs those match the selection criteria to stdout? pstree pgrep ps grep.
Which forensic investigation methodology believes that criminals commit crimes solely to benefit their criminal enterprises? Scientific Working Group on Digital Evidence Daubert Standard Enterprise Theory of Investigation Fyre Standard.
Which of these rootkit detection techniques function by comparing a snapshot of the file system, boot records, or memory with a known and trusted baseline? Signature-Based Detection Integrity-Based Detection Cross View-Based Detection Heuristic/Behavior-Based Detection.
Which program uses different techniques to conceal a malware's code, thereby making it difficult for security mechanisms to detect or remove it? Dropper Packer Injector Obfuscator.
What does the bytes 0x0B-0x53 represent in the boot sector of NTFS volume on Windows 2000? Jump instruction and the OEM ID BIOS Parameter Block (BPB) and the OEM ID BIOS Parameter Block (BPB) and the extended BPB Bootstrap code and the end of the sector marker.
What does the Rule 101 of Federal Rules of Evidence states? Scope of the Rules, where they can be applied Purpose of the Rules Limited Admissibility of the Evidence Rulings on Evidence.
What document does the screenshot represent? Expert witness form Search warrant form Chain of custody form Evidence collection form.
You are asked to build a forensic lab and your manager has specifically informed you to use copper for lining the walls, ceilings, and floor. What is the main purpose of lining the walls, ceilings, and floor with copper? To control the room temperature To strengthen the walls, ceilings, and floor To avoid electromagnetic emanations To make the lab sound proof.
James is dealing with a case regarding a cybercrime that has taken place in Arizona, USA. James needs to lawfully seize the evidence from an electronic device without affecting the user's anonymity. Which of the following law should he comply with, before retrieving the evidence? First Amendment of the U.S. Constitution Fourth Amendment of the U.S. Constitution Third Amendment of the U.S. Constitution Fifth Amendment of the U.S. Constitution.
Which of the following stand true for BIOS Parameter Block? The BIOS Partition Block describes the physical layout of a data storage volume The BIOS Partition Block is the first sector of a data storage device The length of BIOS Partition Block remains the same across all the file systems The BIOS Partition Block always refers to the 512-byte boot sector.
Which Event Correlation approach assumes and predicts what an attacker can do next after the attack by studying statistics and probability? Profile/Fingerprint-Based Approach Bayesian Correlation Time (Clock Time) or Role-Based Approach Automated Field Correlation.
MAC filtering is a security access control methodology, where a ___________ is assigned to each network card to determine access to the network. 48-bit address 24-bit address 16-bit address 32-bit address.
Which of the following files store the MySQL database data permanently, including the data that had been deleted, helping the forensic investigator in examining the case and finding the culprit? mysql-bin mysql-log iblog ibdata1.
Which tool allows dumping the contents of process memory without stopping the process? psdump.exe pmdump.exe processdump.exe pdump.exe.
Which component in the hard disk moves over the platter to read and write information? Actuator Spindle Actuator Axis Head.
William is examining a log entry that reads 192.168.0.1 - - [18/Jan/2020:12:42:29 +0000] "GET / HTTP/1.1" 200 1861. Which of the following logs does the log entry belong to? The common log format of Apache access log IIS log The combined log format of Apache access log Apache error log.
In a Filesystem Hierarchy Standard (FHS), which of the following directories contains the binary files required for working? /mnt /sbin /media /proc.
A forensic examiner encounters a computer with a failed OS installation and the master boot record (MBR) or partition sector damaged. Which of the following tools can find and restore files and information in the disk? NetCat Helix R-Studio Wireshark.
Assume there is a file named myfile.txt in C: drive that contains hidden data streams. Which of the following commands would you issue to display the contents of a data stream? echo text > program:source_file C:\>ECHO text_message > myfile.txt:stream1 C:\MORE < myfile.txt:stream1 myfile.dat:stream1.
Cybercriminals sometimes use compromised computers to commit other crimes, which may involve using computers or networks to spread malware or illegal information. Which type of cybercrime stops users from using a device or network, or prevents a company from providing a software service to its customers? Malware attack Denial-of-Service (DoS) attack Phishing Ransomware attack.
Ronald, a forensic investigator, has been hired by a financial services organization to investigate an attack on their MySQL database server, which is hosted on a Windows machine named WIN-DTRAI83202X. Ronald wants to retrieve information on the changes that have been made to the database. Which of the following files should Ronald examine for this task? WIN-DTRAI83202X-bin.nnnnnn WIN-DTRAI83202Xslow.log relay-log.info WIN-DTRAI83202Xrelay-bin.index.
Which OWASP IoT vulnerability talks about security flaws such as lack of firmware validation, lack of secure delivery, and lack of anti-rollback mechanisms on IoT devices? Insecure default settings Use of insecure or outdated components Lack of secure update mechanism Insecure data transfer and storage.
Which of the following malware targets Android mobile devices and installs a backdoor that remotely installs applications from an attackercontrolled server? Unflod Felix XcodeGhost xHelper.
Which of the following tools is used to dump the memory of a running process, either immediately or when an error condition occurs? CacheInf FATKit Belkasoft Live RAM Capturer Coreography.
Which Federal Rule of Evidence speaks about the Hearsay exception where the availability of the declarant is immaterial and certain characteristics of the declarant such as present sense impression, excited utterance, and recorded recollection are also observed while giving their testimony? Rule 801 Rule 802 Rule 803 Rule 804.
Williamson is a forensic investigator. While investigating a case of data breach at a company, he is maintaining a document that records details such as the forensic processes applied on the collected evidence, particulars of people handling it, the dates and times when it is being handled, and the place of storage of the evidence. What do you call this document? Authorization form Consent form Chain of custody Log book.
Which of the following is a requirement for senders as per the CAN-SPAM act? Emails must not contain information regarding how to stop receiving emails from the sender in future Senders should never share their physical postal address in the email Senders cannot use misleading or false header information Senders must use deceptive subject lines.
Donald made an OS disk snapshot of a compromised Azure VM under a resource group being used by the affected company as a part of forensic analysis process. He then created a vhd file out of the snapshot and stored it in a file share and as a page blob as backup in a storage account under different region. What is the next thing he should do as a security measure? Delete the OS disk of the affected VM altogether Delete the snapshot from the source resource group Recommend changing the access policies followed by the company Create another VM by using the snapshot.
Identify the location of Recycle Bin on a Windows 7 machine that uses NTFS file system to store and retrieve files on the hard disk. Drive:\RECYCLER Drive:\RECYCLED Drive:\$Recycle.Bin C:\RECYCLED.
Which "Standards and Criteria" under SWDGE states that "the agency must use hardware and software that are appropriate and effective for the seizure or examination procedure"? Standards and Criteria 1.4 Standards and Criteria 1.5 Standards and Criteria 1.6 Standards and Criteria 1.7.
A call detail record (CDR) provides metadata about calls made over a phone service. From the following data fields, which one is not contained in a CDR. A unique sequence number identifying the record The call duration Phone number receiving the call The language of the call.
"In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to explain his/her actions and the impact of those actions on the evidence, in the court." Which ACPO principle states this? Principle 1 Principle 2 Principle 3 Principle 4.
On NTFS file system, which of the following tools can a forensic investigator use in order to identify timestomping of evidence files? Exiv2 analyzeMFT Timestomp wbStego.
Matthew has been assigned the task of analyzing a suspicious MS Office document via static analysis over an Ubuntu-based forensic machine. He wants to see what type of document it is, whether it is encrypted, or contains any flash objects/VBA macros. Which of the following python-based script should he run to get relevant information? oleid.py oleform.py oledir.py pdfid.py.
Before accessing digital evidence from victims, witnesses, or suspects, on their electronic devices, what should the investigator do first to respect legal privacy requirements? Protect the device against external communication Remove the battery or turn-off the device Notify the fact to the local authority or employer Obtain a formal written consent to search.
During a forensic investigation, a large number of files were collected. The investigator needs to evaluate ownership and accountability of those files. Therefore, he begins to identify attributes such as "author name," "organization name," "network name," or any additional supporting data that is meant for the owner's identification purpose. Which term describes these attributes? Metadata Metabase Data index Data header.
Derrick, a forensic specialist, was investigating an active computer that was executing various processes. Derrick wanted to check whether this system was used in an incident that occurred earlier. He started inspecting and gathering the contents of RAM, cache, and DLLs to identify incident signatures. Identify the data acquisition method employed by Derrick in the above scenario. Dead data acquisition Non-volatile data acquisition Static data acquisition Live data acquisition.
Report abuse