Last Chfi Q

1. Forensic Science
Korey, a data mining specialist at the knowledge processing firm DataHub.com, reported to his CISO that he has lost
certain sensitive data stored on his laptop. The CISO wants his forensics investigation team to find out whether the data
loss was accidental or intentional. Into which of the following categories does this case fall?
Civil Investigation
Criminal Investigation
correct: Administrative Investigation
Both Civil and Criminal Investigations

1. Forensic Science
An executive had leaked the company trade secrets through an external drive. What process should the
investigation team take if they could retrieve his system?
Postmortem Analysis
Real-Time Analysis
Malware Analysis
Packet Analysis

1. Forensic Science
Which of the following attacks allows an attacker to access restricted directories, including application source code,
and to execute commands outside of the web server's root directory?
Directory traversal
Unvalidated input
Parameter/form tampering
Security misconfiguration

1. Forensic Science
Which of the following event correlation approaches checks and compares all the fields systematically and
intentionally for positive and negative correlation with each other, to determine the correlation across one or
multiple fields?
Graph-Based Approach
Rule-Based Approach
Field-Based Approach
Automated Field Correlation

1. Forensic Science
When marking evidence that has been collected with the “aaa/ddmmyy/nnnn/zz” format what does the “nnnn”
denote?
The sequential number of the exhibits seized by the analyst
The sequence number for the parts of the same exhibit
The initials of the forensics analyst
The year the evidence was taken

1. Forensic Science
Which of the following event correlation approaches is an advanced correlation method that assumes and predicts
what an attacker can do next after the attack by studying statistics and probability, and uses only two
variables?
Bayesian Correlation
Route Correlation
Vulnerability-Based Approach
Rule-Based Approach
1. Forensic Science
Billy, a computer forensics expert, has recovered a large number of DBX files during the forensic investigation of
a laptop. Which of the following email clients can he use to analyze the DBX files?
Microsoft Outlook
Microsoft Outlook Express
Mozilla Thunderbird
Eudora

1. Forensic Science
Gary, a computer technician, is facing allegations of abusing children online by befriending them and sending
them illicit adult images from his office computer. What type of investigation does this case require?
Civil Investigation
Criminal Investigation
Administrative Investigation
Both Criminal and Administrative Investigation

1. Forensic Science
Adam, a forensic investigator, is investigating an attack on the Microsoft Exchange Server of a large organization. As
the first step of the investigation, he examined the PRIV.EDB file and found the source from which the mail
originated and the name of the file that disappeared upon execution. Now he wants to examine the MIME stream
content. Which of the following files is he going to examine?
PRIV.EDB
PUB.EDB
PRIV.STM
gwcheck.db

1. Forensic Science
An expert witness is a ____________ who is normally appointed by a party to assist the formulation and
preparation of a party’s claim or defense.
Subject matter specialist
Expert in criminal investigation
Witness present at the crime scene
Expert law graduate appointed by attorney

1. Forensic Science
Which of the following email headers specifies an address for mailer-generated errors
like "no such user" bounce messages to go to (instead of the sender's address)?
Errors-To header
Content-Transfer-Encoding header
Mime-Version header
Content-Type header

1. Forensic Science
During forensic investigations, investigators tend to collect the system time first and compare it with UTC.
What does the abbreviation UTC stand for?
Correlated Universal Time
Universal Time for Computers
Coordinated Universal Time
Universal Computer Time
1. Forensic Science
What does 63.78.199.4(161) denote in the following Cisco router log?
Mar 14 22:57:53.425 EST: %SEC-6-IPACCESSLOGP: list internet-inbound denied udp 66.56.16.77(1029) ->
63.78.199.4(161) 1 packet
Source IP address
Destination IP address
Login IP address
None of the above

1. Forensic Science
Which among the following files provides email header information in the Microsoft Exchange server?
PRIV.EDB
PUB.EDB
PRIV.STM
gwcheck.db

1. Forensic Science
Which of the following reports are delivered under oath to a board of directors/managers/panel of the jury?
Verbal Formal Report
Written Informal Report
Written Formal Report
Verbal Informal Report

1. Forensic Science
Smith, as part of his forensic investigation assignment, seized a mobile device. He was asked to recover the
Subscriber Identity Module (SIM card) data from the mobile device. Smith found that the SIM was protected by a
Personal Identification Number (PIN) code, but he was also aware that people generally leave the PIN at the
default or use easily guessable numbers such as 1234. He made three unsuccessful attempts, which
blocked the SIM card. What can Jason do in this scenario to reset the PIN and access the SIM data?
He should contact the network operator for a Temporary Unlock Code (TUK)
Use system and hardware tools to gain access
He can attempt PIN guesses after 24 hours
He should contact the network operator for Personal Unlock Number (PUK) to gain access to the SIM

1. Forensic Science
An investigator has acquired a packed program and needs to analyze it for malicious behaviour. Which of the
following tools can help in identifying the packer that was used?
PEiD
Dependency Walker
SysAnalyzer
Comodo Programs Manager

1. Forensic Science
Andie, a network administrator, suspects that unusual network services are running on a Windows system. Which of the
following commands should he use to verify the unusual network services started on a Windows system?
net start
net serv
lusrmgr
netmgr
1. Forensic Science
Which of the following is NOT physical evidence?
Removable media
Cables
Image file on a hard disk
Publications

1. Forensic Science
What does 254 represent in ICCID 89254021520014515744?
Country Code
Industry Identifier Prefix
Issuer Identifier Number
Individual Account Identification Number

1. Forensic Science
Who is responsible for the following tasks?
* Secure the scene and ensure that it is maintained in a secure state until the Forensic Team advises
* Make notes about the scene that will eventually be handed over to the Forensic Team
Non-forensics staff
System administrators
Local managers or other non-forensic staff
Lawyers

1. Forensic Science
An investigator has found certain details after analysis of a mobile device. What can reveal the manufacturer
information?
Electronic Serial Number (ESN)
Integrated circuit card identifier (ICCID)
Equipment Identity Register (EIR)
International mobile subscriber identity (IMSI)

2. Regulations
Which of the following search warrants allows the first responder to obtain the victim's computer information,
such as service records, billing records, and subscriber information, from the service provider?
Electronic Storage Device Search Warrant
Service Provider Search Warrant
Citizen Informant Search Warrant
John Doe Search Warrant

2. Regulations
Which of the following U.S. laws requires financial institutions—companies that offer consumers financial
products or services such as loans, financial or investment advice, or insurance—to protect their customers'
information against security threats?
FISMA
GLBA
HIPAA
SOX
2. Regulations
Which of the following examinations refers to the process of the witness being questioned by the attorney who
called the latter to the stand?
Direct Examination
Cross Examination
Indirect Examination
Witness Examination

2. Regulations
Jacob is a computer forensics investigator with over 10 years of experience in investigations and has written
over 50 articles on computer forensics. He has been called upon as a qualified witness to testify the accuracy
and integrity of the technical log files gathered in an investigation into computer fraud. What is the term used for
Jacob’s testimony in this case?
Authentication
Justification
Reiteration
Certification

2. Regulations
Which among the following is an act passed by the U.S. Congress in 2002 to protect investors from the
possibility of fraudulent accounting activities by corporations?
FISMA
GLBA
HIPAA
SOX

2. Regulations
Which of the following search warrants allows the first responder to search and seize the victim's computer
components, such as hardware, software, storage devices, and documentation?
Electronic Storage Device Search Warrant
Service Provider Search Warrant
Citizen Informant Search Warrant
John Doe Search Warrant

2. Regulations
Depending upon the jurisdiction, different laws apply to different incidents. Which of the following laws is
related to fraud and related activity in connection with computers?
18 USC §1029
18 USC §1030 , double check
18 USC §1361
18 USC §1371

2. Regulations
Which US law does the interstate or international transportation and receiving of child pornography fall under?
§18 U.S.C. 2252
§ 18 U.S.C. 466A
§ 18 U.S.C. 252
§ 18 U.S.C. 146A
2. Regulations
What must an attorney do first before you are called to testify as an expert?
Engage in damage control
Read your curriculum vitae to the jury
Qualify you as an expert witness
Prove that the tools you used to conduct your examination are perfect

2. Regulations
Which rule requires an original recording to be provided to prove the content of a recording?
1002
1003
1004
1005

2. Regulations
CAN-SPAM act requires that you
Don’t use deceptive subject lines
Don’t use true header information
Don’t identify the message as an ad
Don’t tell the recipients where you are located

2. Regulations
Madison is on trial for allegedly breaking into her university's internal network. The police raided her dorm room
and seized all of her computer equipment. Madison's lawyer is trying to convince the judge that the seizure was
unfounded and baseless. Which US Amendment is Madison's lawyer trying to prove the police violated?
The 4th Amendment
The 5th Amendment
The 1st Amendment
The 10th Amendment

2. Regulations
Which of the following standards represents a legal precedent set in 1993 by the Supreme Court of the United
States regarding the admissibility of expert witnesses' testimony during federal legal proceedings?
Frye
Daubert
IOCE
SWGDE & SWGIT
2. Regulations
Which of the following standards represents a legal precedent regarding the admissibility of scientific
examinations or experiments in legal cases?
Frye
Daubert
IOCE
SWGDE & SWGIT

3. Digital Evidence
The Linux operating system has two typical bootloaders, namely LILO (Linux Loader) and GRUB (Grand
Unified Bootloader). In which stage of the boot process do the bootloaders become active?
BootROM Stage
Bootloader Stage
Kernel Stage
BIOS Stage

3. Digital Evidence
A small law firm located in the Midwest has possibly been breached by a computer hacker who was looking to
obtain information on their clientele. The law firm does not have any on-site IT employees but wants to search for
evidence of the breach themselves to prevent any possible media attention. Why would this not be
recommended?
Searching can change date/time stamps
Searching could possibly crash the machine or device
Searching creates cache files which would hinder the investigation
Searching for evidence themselves would not have any ill effects

3. Digital Evidence
You are assigned the task of examining the log files pertaining to the MyISAM storage engine. While examining them, you are
asked to perform a recovery operation on a MyISAM log file. Which of the following MySQL utilities allows you to do so?
myisamaccess
myisamchk
mysqldump
myisamlog

3. Digital Evidence
Richard is extracting volatile data from a system and uses the command doskey /history. What is he trying to
extract?
History of the browser
Previously typed commands
Events history
Passwords used across the system

3. Digital Evidence
Lynne receives the following email: "Dear [email protected]! We are sorry to inform you that your ID has been
temporarily frozen due to incorrect or missing information saved at 2016/11/10 20:40:24.
You have 24 hours to fix this problem or risk being closed permanently! To proceed, please connect My Apple ID.
Thank You." The link "My Apple ID" points to http://byggarbetsplatsen.se/backup/signon. What type of attack is
this?
Phishing
Email Spoofing
Email Spamming
Mail Bombing
3. Digital Evidence
An International Mobile Equipment Identifier (IMEI) is a 15-digit number that indicates the manufacturer,
model type, and country of approval for GSM devices. The first eight digits of an IMEI number, which provide
information about the model and origin of the mobile device, are also known as:
Type Allocation Code (TAC)
Device Origin Code (DOC)
Manufacturer Identification Code (MIC)
Integrated Circuit Code (ICC)

3. Digital Evidence
Which of the following is a database in which information about every file and directory on an NT File System
(NTFS) volume is stored?
Master File Table
Master Boot Record
Volume Boot Record
GUID Partition Table

3. Digital Evidence
Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in Windows 7 is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Regedit

3. Digital Evidence
Which of the following ISO standards defines the file system and protocol for exchanging data between optical
disks?
ISO 9660
ISO/IEC 13940
IEC 3490
ISO 9060

3. Digital Evidence
Ivanovich, a forensics investigator, is trying to extract complete information about running processes from a
system. Where should he look apart from the RAM and virtual memory?
Files and documents
Application data
Swap space
Slack space

3. Digital Evidence
Stephen is checking an image using Compare Files by The Wizard and sees that the file signature is shown as FF
D8 FF E1. What is the file type of the image?
jpeg
png
gif
bmp
3. Digital Evidence
Which of the following stages in the Linux boot process involves initialization of the system's hardware?
BootROM Stage
BIOS Stage
Bootloader Stage
Kernel Stage

3. Digital Evidence
Hard disk data addressing is a method of allotting addresses to each _______ of data on a hard disk.
Physical block
Logical block
Operating system block
Hard disk block

3. Digital Evidence
Sectors are pie-shaped regions on a hard disk that store data. Which of the following parts of a hard disk does not
contribute to determining the addresses of data?
Cylinder
Heads
Sectors
Interface

3. Digital Evidence
Which of the following registry hives gives configuration information about which application was used to open
various files on the system?
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_LOCAL_MACHINE
HKEY_USERS

3. Digital Evidence
Shane, a forensic specialist, is investigating an ongoing attack on a MySQL database server hosted on a
Windows machine with SID "WIN-ABCDE12345F." Which of the following log files will help Shane in tracking all
the client connections and activities performed on the database server?
WIN-ABCDE12345F.pid
WIN-ABCDE12345F.log
WIN-ABCDE12345F.err
WIN-ABCDE12345F-bin.n

3. Digital Evidence
What is the size value of a nibble?
0.5 bit
0.5 byte
0.5 kilo byte
2 bits
3. Digital Evidence
The surface of a hard disk consists of several concentric rings known as tracks; each of these tracks has smaller
partitions called disk blocks. What is the size of each block?
256 bits
256 bytes
512 bits
512 bytes

3. Digital Evidence
You have been given the task to investigate web attacks on a Windows-based server. Which of the following
commands will you use to look at the sessions the machine has opened with other systems?
Net use
Net sessions
Net config
Net share

3. Digital Evidence
Shane has started the static analysis of a malware sample and is using the tool ResourcesExtract to find more details of
the malicious program. What part of the analysis is he performing?
Strings search
Dynamic analysis
File obfuscation
Identifying File Dependencies

3. Digital Evidence
Which of the following is a part of a Solid-State Drive (SSD)?
Head
Spindle
Cylinder
NAND-based flash memory

3. Digital Evidence
Data is striped at a byte level across multiple drives and parity information is distributed among all member
drives. What RAID level is represented here?
RAID Level 0
RAID Level 1
RAID Level 3
RAID Level 5

3. Digital Evidence
Sheila is a forensics trainee and is searching for hidden image files on a hard disk. She used a forensic
investigation tool to view the media in hexadecimal code for simplifying the search process. Which of the
following hex codes should she look for to identify image files?
25 50 44 46
50 41 03 04
ff d8 ff
d0 0f 11 e0

3. Digital Evidence
A master boot record (MBR) is the first sector ("sector zero") of a data storage device. What is the size of MBR?
512 Bytes
4092 Bytes
1048 Bytes
Depends on the capacity of the storage device
3. Digital Evidence
Which of the following is a record of the characteristics of a file system, including its size, the block size, the empty
and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map and
usage information, and the size of the block groups?
Inode bitmap block
Data block
Block bitmap block
Superblock

3. Digital Evidence
NTFS has less slack space than FAT and thus has less potential for hiding data in the slack space. This is
because:
NTFS has lower cluster size space
FAT is an older and inefficient file system
NTFS is a journaling file system
FAT does not index files

3. Digital Evidence
Pagefile.sys is a virtual memory file used to expand the physical memory of a computer. Select the registry path
for the page file:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Device Management
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\System Management

3. Digital Evidence
Netstat is a tool for collecting information regarding network connections. It provides a simple view of TCP and
UDP connections and their state, and of network traffic statistics. Which of the following commands shows you the
TCP and UDP network connections, listening ports, and the process identifiers?
netstat -ano
netstat -b
netstat -r
netstat -s

3. Digital Evidence
Which MySQL log file contains information on server start and stop?
Error log file
General query log file
Slow query log file
Binary log

3. Digital Evidence
Raw data acquisition format creates _________ of a data set or suspect drive.
Simple sequential flat files
Segmented files
Compressed image files
Segmented image files

4. Procedures and Methodology
Which command line tool is used to determine active network connections?
netstat
nbstat
netsh
nslookup
4. Procedures and Methodology
When analyzing logs it is important that the clocks of all the network devices are synchronized. Which protocol
will help in synchronizing these clocks?
NTP
PTP
Time Protocol
UTC

4. Procedures and Methodology


Which one of the following is not a first response procedure?
Crack passwords
Preserve volatile data
Take photos
Fill forms

4. Procedures and Methodology
Which of the following is NOT a part of the pre-investigation phase?
Building forensics workstation
Gathering information about the incident
Gathering evidence data
Creating an investigation team

4. Procedures and Methodology


Gary is checking for the devices connected to USB ports of a suspect system during an investigation. Select the
appropriate tool that will help him document all the connected devices.
fsutil
Devcon
Reg.exe
DevScan

4. Procedures and Methodology


Which network attack is described by the following statement? At least five Russian major banks came under a
continuous hacker attack although online client services were not disrupted. The attack came from a wide-scale
botnet involving at least 24000 computers located in 30 countries.
DDoS
Buffer Overflow
Man-in-the-Middle Attack
Sniffer Attack

4. Procedures and Methodology


What value of the "Boot Record Signature" is used to indicate that the boot-loader exists?
AA55
AA00
00AA
A100

4. Procedures and Methodology


A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites
and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites.
However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed
any images he might have downloaded. What can the investigator do to prove the violation? Choose the most
feasible option.
Image the disk and try to recover deleted files
Seek the help of co-workers who are eye-witnesses
Check the Windows registry for connection data (You may or may not recover)
Approach the websites for evidence
4. Procedures and Methodology
When a user deletes a file or folder, the system stores the complete path, including the original filename, in a special
hidden file called "INFO2" in the Recycled folder. If the INFO2 file is deleted, it is recovered when you ________
Reboot Windows
Use a recovery tool to undelete the file
Undo the last action performed on the system
Download the file from Microsoft website

4. Procedures and Methodology


Which of the following tasks DOES NOT come under the investigation phase of a cybercrime forensics
investigation case?
Secure the evidence
First response
Data analysis
Data collection

4. Procedures and Methodology


Which of the following options will help users to enable or disable the last access time on a system running
Windows 10 OS?
fsutil
Devcon
Reg.exe
wmic service

4. Procedures and Methodology


Which of the following data structures stores attributes of a process as well as pointers to other attributes and
data structures?
EProcess
Lsproc
DumpChk
RegEdit

4. Procedures and Methodology


Report writing is a crucial stage in the outcome of an investigation. Which information should not be included in
the report section?
Speculation or opinion as to the cause of the incident
Purpose of the report
Author of the report
Incident summary

4. Procedures and Methodology


Which of the following Android libraries are used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the
screen?
Surface Manager
Media framework
OpenGL/ES and SGL
WebKit
4. Procedures and Methodology
You have been asked to investigate the possibility of computer fraud in the finance department of a company. It
is suspected that a staff member has been committing finance fraud by printing cheques that have not been
authorized. You have exhaustively searched all data files on a bitmap image of the target computer but have
found no evidence. You suspect the files may not have been saved. What should you examine next in this case?
The swap file
The registry
The recycle bin
The metadata

4. Procedures and Methodology


Which of the following commands shows you all of the network services running on Windows-based servers?
Net start
Net use
Net Session
Net config

4. Procedures and Methodology
Event correlation is the process of finding relevance between the events that produce a final result. What type of
correlation will help an organization to correlate events across a set of servers, systems, routers, and the network?
Same-platform correlation
Cross-platform correlation
Multiple-platform correlation
Network-platform correlation

4. Procedures and Methodology
The tasklist command displays a list of applications and services with their Process ID (PID) for all tasks running on
either a local or a remote computer. Which of the following tasklist commands provides information about the
listed processes, including the image name, PID, and the name and number of the session for the process?
tasklist /s
tasklist /u
tasklist /p
tasklist /V

4. Procedures and Methodology


The process of restarting a computer that is already turned on through the operating system is called?
Warm boot
Cold boot
Hot Boot
Ice boot

4. Procedures and Methodology


Which of the following commands shows you the names of all open shared files on a server and the number of
file locks on each file?
Net file
Net sessions
Net config
Net share

4. Procedures and Methodology
Bob works as an information security analyst for a big finance company. One day, the anomaly-based intrusion
detection system alerted that a volumetric DDoS attack targeting the main IP of the main web server was occurring.
What kind of attack is it?
Network attack
Web application attack
APT
IDS attack
4. Procedures and Methodology
Which of the following techniques creates a replica of an evidence medium?
Backup
Bit Stream Imaging
Data Deduplication
Data Extraction

4. Procedures and Methodology


In Steganalysis which of the following describes a Known-stego attack?
Original and stego-object are available and the steganography algorithm is known
Only the steganography medium is available for analysis
The hidden message and the corresponding stego-image are known
During the communication process active attackers can change cover

4. Procedures and Methodology


To which phase of the Computer Forensics Investigation Process does the Planning and Budgeting of a
Forensics Lab belong?
Pre-investigation Phase
Investigation Phase
Post-investigation Phase
Reporting Phase

4. Procedures and Methodology


What is the default IIS log location?
%SystemDrive%\inetpub\logs\LogFiles
SystemDrive\inetpub\LogFiles
SystemDrive\logs\LogFiles
%SystemDrive\logs\LogFiles

4. Procedures and Methodology


Which of the following statements is incorrect when preserving digital evidence?
Turn on the computer and extract Windows event viewer log files
Document the actions and changes that you observe in the monitor computer, printer or in other peripherals
Verify if the monitor is in on off or in sleep mode
Remove the plug from the power router or modem

4. Procedures and Methodology


Which of the following files DOES NOT use Object Linking and Embedding (OLE) technology to embed and link
to other objects?
MS-office Word Document
MS-office Word PowerPoint
MS-office Word OneNote
Portable Document Format

4. Procedures and Methodology
A buffer overflow vulnerability in a web application occurs when it fails to guard its buffer properly and allows
writing beyond its maximum size, thus overwriting the _________. There are multiple forms of buffer overflow,
including heap buffer overflows and format string attacks.
Adjacent string locations
Adjacent memory locations
Adjacent bit blocks
Adjacent buffer locations
4. Procedures and Methodology
Smith, a network administrator with a large MNC, was the first to arrive at a suspected crime scene involving
criminal use of compromised computers. What should be his first response while maintaining the integrity of the
evidence?
Perform data acquisition without disturbing the state of the systems
Switch off the systems and carry them to the laboratory
Open the systems remove the hard disk and secure it
Record the system state by taking photographs of physical system and the display

4. Procedures and Methodology


Jacky encrypts her documents using a password. It is known that she uses her daughter's year of birth as part of
the password. Which password cracking technique would be optimal to crack her password?
Rule-based attack
Brute force attack
Hybrid attack
Syllable attack

5. Digital Forensics
Jason discovered a file named $RIYG6VR.doc in C:\$Recycle.Bin\<USER SID>\ while analyzing a hard
disk image for deleted data. What inferences can he make from the file name?
It is a deleted doc file
It is a doc file deleted in seventh sequential order
Network connections
RIYG6VR.doc is the name of the doc file deleted from the system

5. Digital Forensics
Rusty, a computer forensics apprentice, uses the command nbtstat -c while
analyzing the network information on a suspect system. What information is he looking for?
Network connections
Contents of the NetBIOS
NetBIOS name cache
Status of the network carrier

5. Digital Forensics
Which of the following files stores information about a local Google Drive installation, such as the user email ID,
local sync root path, and client version installed?
Sync_config.db
filecache.db
sigstore.db
config.db

5. Digital Forensics
Which part of the Metasploit framework helps users to hide data in space belonging to a previously deleted file or
space currently unused by the allocated file?
Slacker
Waffen FS
RuneFS
FragFS

5. Digital Forensics
Which of the following files gives information about the client sync sessions in Google Drive on Windows?
Sync_log.log
sync_log.log
sync.log
Sync.log
5. Digital Forensics
Which password cracking technique uses details such as the length of the password, the character sets used to construct
the password, etc.?
Brute force attack
Dictionary attack
Rule-based attack
Man in the middle attack

5. Digital Forensics
Wireless access control attacks aim to penetrate a network by evading WLAN access control measures, such as
AP MAC filters and Wi-Fi port access controls. Which of the following wireless access control attacks allows the
attacker to set up a rogue access point outside the corporate perimeter and then lure the employees of the
organization into connecting to it?
Client mis-association
Ad hoc associations
MAC spoofing
Rogue access points

5. Digital Forensics
Annie is searching for certain deleted files on a system running Windows XP OS. Where will she find the files if
they were not completely deleted from the system?
C:\RECYCLER
C:\$Recycle.Bin
C: $Recycled.Bin
C:\$RECYCLER

5. Digital Forensics
Randy has extracted data from an old version of a Windows-based system and discovered the info file Dc5.txt in the
system recycle bin. What does the file name denote?
A text file deleted from C drive in fifth sequential order
A text file copied from D drive to C drive in fifth sequential order
A text file copied from C drive to D drive in fifth sequential order

5. Digital Forensics
What does the part of the log "%SEC-6-IPACCESSLOGP" extracted from a Cisco router represent?
The system was not able to process the packet because there was not enough room for all of the desired IP
header options.
Some packet-matching logs were missed because the access list log messages were rate limited or no access
list log buffers were available.
A packet matching the log criteria for the given access list has been detected (TCP or UDP)
Immediate action required messages

5. Digital Forensics
Which of the following files stores information about the local Dropbox installation and account: the email IDs linked with
the account, the current version/build of the local application, the host_id, and local path information?
filecache.db
sigstore.db
host.db
config.db

5. Digital Forensics
Which of the following techniques can be used to beat steganography?
Steganalysis
Decryption
Cryptanalysis
Encryption

5. Digital Forensics
Identify the file system that uses $BitMap file to keep track of all used and unused clusters on a volume.
FAT
FAT32
NTFS
EXT
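
The NTFS $BitMap metadata file is one bit per cluster, least significant bit first within each byte, set when the cluster is allocated. Reading it is how a carver decides which ranges of the volume to search for deleted data. The helpers below are an added example, not code from the page; the bitmap bytes are constructed to describe a small 36-cluster volume.

```python
def cluster_allocated(bitmap, n):
    """Bit n of $BitMap (LSB-first within each byte) is set when cluster n is in use."""
    return bool((bitmap[n >> 3] >> (n & 7)) & 1)


def unallocated_runs(bitmap, total_clusters):
    """Contiguous (start, length) runs of free clusters, the ranges a carver should read.
    total_clusters comes from the boot sector; bits past it are padding and are ignored."""
    runs, start = [], None
    for n in range(total_clusters):
        free = not cluster_allocated(bitmap, n)
        if free and start is None:
            start = n
        elif not free and start is not None:
            runs.append((start, n - start))
            start = None
    if start is not None:
        runs.append((start, total_clusters - start))
    return runs


def usage(bitmap, total_clusters):
    """(used, free) cluster counts for the volume."""
    used = sum(cluster_allocated(bitmap, n) for n in range(total_clusters))
    return used, total_clusters - used


# Constructed bitmap: clusters 0-11 used, 12-30 free, 31-35 used; last 4 bits are padding.
SAMPLE_BITMAP = bytes([0xFF, 0x0F, 0x00, 0x80, 0xFF])
SAMPLE_TOTAL_CLUSTERS = 36


def demo():
    return unallocated_runs(SAMPLE_BITMAP, SAMPLE_TOTAL_CLUSTERS), usage(SAMPLE_BITMAP, SAMPLE_TOTAL_CLUSTERS)


if __name__ == "__main__":
    print(demo())
```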

5. Digital Forensics
Files stored in the Recycle Bin's physical location are renamed as Dxy.ext, where "x" represents the
_________
Drive name
Sequential number
Original file name’s extension
Original file name
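
On Windows 2000/XP the renamed Dxy.ext files are described by the INFO2 index in the same Recycler folder: one 800-byte record per file holding the original path (ANSI and Unicode), the sequence number, the drive number, the deletion FILETIME and the size on disk. The code below, an added example rather than anything from the page, decodes a Dc5.txt-style name and parses an INFO2 file; the INFO2 bytes it parses are built by build_info2 from constructed values, and only the header fields it relies on (version at offset 0, record size at offset 12) are populated.

```python
import ntpath
import re
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-nanosecond intervals since 1601-01-01 UTC."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - WIN_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_bin_name(name):
    """'Dc5.txt' -> ('C', 5, '.txt'): D + drive letter + sequence number + original extension."""
    m = re.fullmatch(r"D([A-Za-z])(\d+)(\..*)?", name)
    if not m:
        raise ValueError(f"not a legacy Recycle Bin name: {name}")
    return m.group(1).upper(), int(m.group(2)), m.group(3) or ""


INFO2_HEADER_SIZE = 20
XP_RECORD_SIZE = 800  # 260-byte ANSI path + index + drive + FILETIME + size + 520-byte Unicode path


def build_info2(records):
    """Serialise an XP-style INFO2 file from (index, drive_number, path, deleted_at, size) tuples (constructed data)."""
    header = struct.pack("<I8xI4x", 5, XP_RECORD_SIZE)
    body = b""
    for index, drive, path, deleted_at, size in records:
        ansi = path.encode("cp1252")[:259].ljust(260, b"\x00")
        uni = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
        body += ansi + struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted_at), size) + uni
    return header + body


def parse_info2(data):
    """Return (version, records) for an INFO2 file; 800-byte records carry a Unicode path, 280-byte (9x) ones do not."""
    version, record_size = struct.unpack_from("<I8xI", data, 0)
    records = []
    for off in range(INFO2_HEADER_SIZE, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        if record_size >= XP_RECORD_SIZE:
            path = rec[280:800].decode("utf-16-le", "replace").split("\x00", 1)[0]
        else:
            path = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive),
            "original_path": path,
            # when one item is removed from the bin Windows zeroes the first ANSI byte but keeps the record
            "removed_from_bin": rec[0] == 0,
            "deleted_at": filetime_to_datetime(ft),
            "physical_size": size,
            "bin_name": f"D{chr(ord('a') + drive)}{index}{ntpath.splitext(path)[1]}",
        })
    return version, records


# Constructed sample record (not evidence from a real system).
SAMPLE_PATH = r"C:\Documents and Settings\randy\secret.txt"
SAMPLE_DELETED_AT = datetime(2009, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def demo():
    return parse_info2(build_info2([(5, 2, SAMPLE_PATH, SAMPLE_DELETED_AT, 4096)]))


if __name__ == "__main__":
    print(demo())
```

Drive numbers count from A: so 2 is C:, which is why the fifth file deleted from C: becomes Dc5 plus its original extension. Vista and later replaced this scheme with per-file $I/$R pairs in $Recycle.Bin.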

5. Digital Forensics
The Apache server saves diagnostic information and error messages that it encounters while processing
requests. The default path of this file is /usr/local/apache/logs/error.log on Linux. Identify the Apache error log from
the following logs.
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration:
/export/home/live/ap/htdocs/test
http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1
127.0.0.1 - - [10/Apr/2007:10:39:11 +0300] ] [error] "GET /apache_pb.gif HTTP/1.0" 200 2326
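
Telling the candidates apart comes down to their shape: a Common Log Format access line starts with the client host and carries a quoted request plus a status code, while an Apache 1.3/2.0 error_log line starts with a bracketed day-of-week timestamp followed by a bracketed level. The third candidate is not a log line at all but a request URL using ..%c0%af (an overlong, invalid UTF-8 encoding of "/") to step out of the web root. The classifier below is an added example, not code from the page; its sample lines are constructed to mirror the four candidates above.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines mirroring the four candidates (not real server output).
SAMPLE_LINES = [
    '127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326',
    '[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: '
    '/export/home/live/ap/htdocs/test',
    'http://victim.com/scripts/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir',
    '127.0.0.1 - - [10/Apr/2007:10:39:11 +0300] ] [error] "GET /apache_pb.gif HTTP/1.0" 200 2326',
]

# Common Log Format (access_log): host ident user [timestamp] "request" status bytes
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] ?'
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Apache 1.3/2.0 error_log: [Day Mon dd hh:mm:ss yyyy] [level] [client ip] message
ERROR_RE = re.compile(
    r'^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] '
    r'\[(?P<level>[a-z]+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<message>.*)$'
)


def classify(line):
    """Return ('error', fields) or ('access', fields); anything else is ('unknown', {})."""
    m = ERROR_RE.match(line)
    if m:
        return "error", m.groupdict()
    m = ACCESS_RE.match(line)
    if m:
        return "access", m.groupdict()
    return "unknown", {}


def traversal_depth(url):
    """Count '../' (or '..\\') segments in a request path after percent-decoding.
    %c0%af is an overlong encoding of '/' and %c1%9c of '\\'; both were used to slip past
    filters that only looked for the literal separators, so fold them back before counting."""
    raw = unquote_to_bytes(url)
    raw = raw.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
    return raw.count(b"../") + raw.count(b"..\\")


def triage(lines):
    """Classify each line and report how deep any traversal sequence in it goes."""
    out = []
    for line in lines:
        kind, fields = classify(line)
        target = fields.get("request", "") if kind == "access" else line
        out.append((kind, traversal_depth(target)))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

The fourth candidate fails both patterns: it has the access-log prefix but a stray "] [error]" before the request, which is exactly the kind of hybrid that is neither file's format.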

5. Digital Forensics
Smith a forensic examiner was analyzing a hard disk image to find and acquire deleted sensitive files. He
stumbled upon a $Recycle.Bin folder in the root directory of the disk. Identify the operating system in use.
Windows XP
Linux
Windows 8.1
Windows 98

5. Digital Forensics
How will you categorize a cybercrime that took place within a CSP’s cloud environment?
Cloud as a Tool
Cloud as a Subject
Cloud as an Object
Cloud as an Audit

5. Digital Forensics
Graphics Interchange Format (GIF) is a ____ RGB bitmap image format for images with up to 256 distinct colors
per frame.
8-bit
16-bit
24-bit
32-bit

5. Digital Forensics
When a user deletes a file the system creates a $I file to store its details. What detail does the $I file not contain?
File origin and modification
File Size
File Name
Time and date of deletion
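
On Vista and later every deleted file becomes a $I/$R pair under $Recycle.Bin\<user SID>\: $R holds the content, $I the metadata. A $I file is three 64-bit fields (format version, original size, deletion FILETIME) followed by the original path, stored as a fixed 520-byte UTF-16 buffer in version 1 (Vista to 8.1) or as a 32-bit character count plus the path in version 2 (Windows 10 and later). Nothing in it records when the file was created or last modified. The parser below is an added example, not the page's own material; the $I bytes it reads are produced by build_dollar_i from constructed values.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-nanosecond intervals since 1601-01-01 UTC."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - WIN_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_dollar_i(version, original_path, size, deleted_at):
    """Constructed $I record for either format version."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return head + original_path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    if version == 2:
        path = original_path + "\x00"  # the stored count includes the terminating NUL
        return head + struct.pack("<I", len(path)) + path.encode("utf-16-le")
    raise ValueError("unknown $I version")


def parse_dollar_i(data):
    """Decode a $I file into its three metadata fields plus the original path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:544].decode("utf-16-le", "replace").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le", "replace").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    # No creation or modification timestamps live here; those come from the $R file's own
    # MFT record (or the original volume's $MFT if the deletion happened elsewhere).
    return {"version": version, "original_path": path, "size": size,
            "deleted_at": filetime_to_datetime(ft)}


def partner_name(name):
    """$I<id>.<ext> -> $R<id>.<ext>: both halves share the six random characters after the prefix."""
    if not name.startswith("$I"):
        raise ValueError(f"not a $I name: {name}")
    return "$R" + name[2:]


# Constructed sample (not evidence from a real system).
SAMPLE_PATH = r"C:\Users\annie\Documents\plan.docx"
SAMPLE_DELETED_AT = datetime(2019, 7, 4, 9, 15, 30, tzinfo=timezone.utc)


def demo():
    return [parse_dollar_i(build_dollar_i(v, SAMPLE_PATH, 23_040, SAMPLE_DELETED_AT)) for v in (1, 2)]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

A practical check when pairing files: the $I and $R names share the identifier, so an orphaned $I (metadata with no $R) means the content was already purged while the index survived, and an orphaned $R means the opposite.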
5. Digital Forensics
Which of the following files contains the traces of the applications installed, run, or uninstalled from a system?
Image Files
Prefetch Files
Shortcut Files
Virtual files

5. Digital Forensics
Company ABC has employed a firewall, IDS, antivirus, domain controller, and SIEM. The company's domain
controller goes down. From which system would you begin your investigation?
SIEM
Domain Controller
Firewall
IDS

5. Digital Forensics
Which file is a sequence of bytes organized into blocks understandable by the system’s linker?
Object file
executable file
source file
None of these

5. Digital Forensics
Smith an employee of a reputed forensic investigation firm has been hired by a private organization to
investigate a laptop that is suspected to be involved in the hacking of the organization’s DC server. Smith wants
to find all the values typed into the Run box in the Start menu. Which of the following registry keys will Smith
check to find the above information?
UserAssist Key
MountedDevices key
RunMRU key
TypedURLs key

5. Digital Forensics
Which of the following are small pieces of data sent from a website and stored on the user's computer by the
user's web browser to track, validate, and maintain specific user information?
Web Browser Cache
Cookies
Temporary Files
Open files

5. Digital Forensics
Which of the following is a list of recently used programs or opened files?
Most Recently Used (MRU)
Master File Table (MFT)
GUID Partition Table (GPT)
Recently Used Programs (RUP)

5. Digital Forensics
Casey has acquired data from a hard disk in an open source acquisition format that allows her to generate
compressed or uncompressed image files. What format did she use?
Advanced Forensics Format (AFF)
Proprietary Format
Raw Format
Portable Document Format

5. Digital Forensics
In the Windows Security Event Log, what does an event ID of 530 imply?
Logon Failure - Account logon time restriction violation
Logon Failure - Account currently disabled
Logon Failure - Unknown user name or bad password
Logon Failure - User not allowed to logon at this computer

5. Digital Forensics
BMP (Bitmap) is a standard file format for computers running the Windows operating system. BMP images can
range from black and white (1 bit per pixel) up to 24-bit color (16.7 million colors). Each bitmap file contains a
header, the RGBQUAD array, an information header, and image data. Which of the following elements specifies the
dimensions, compression type, and color format for the bitmap?
Header
The RGBQUAD array
Information header
Image data
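
The two structures at the front of a BMP are the 14-byte BITMAPFILEHEADER ("BM", file size, reserved words, offset of the pixel array) and the 40-byte BITMAPINFOHEADER (dimensions, planes, bits per pixel, compression, image size, resolution, palette counts); when bits per pixel is 8 or less the RGBQUAD palette sits between the info header and the pixels. GIF, from the earlier question, opens with "GIF87a"/"GIF89a" and a logical screen descriptor whose packed byte encodes the global colour table size as 2^(n+1), which is why it tops out at 256 colours (8 bits). The parser below is an added example, not code from the page; the images it reads are constructed in the block, and the trailing-bytes field is a basic steganalysis check (data appended past the declared pixel array) rather than anything the page describes.

```python
import struct

BMP_COMPRESSION = {0: "BI_RGB", 1: "BI_RLE8", 2: "BI_RLE4", 3: "BI_BITFIELDS"}


def parse_bmp(data):
    """Decode the file header and info header of a BMP and sanity-check the layout."""
    magic, file_size, _r1, _r2, pixel_offset = struct.unpack_from("<2sIHHI", data, 0)  # BITMAPFILEHEADER
    if magic != b"BM":
        raise ValueError("not a BMP")
    (hdr_size, width, height, planes, bpp, compression, size_image,
     _xppm, _yppm, clr_used, _clr_important) = struct.unpack_from("<IiiHHIIiiII", data, 14)  # BITMAPINFOHEADER
    stride = ((width * bpp + 31) // 32) * 4  # rows are padded to 4-byte boundaries
    palette_entries = 0
    if bpp <= 8:
        palette_entries = clr_used or (1 << bpp)  # RGBQUAD array follows the info header
    expected_pixels = stride * abs(height)
    return {
        "width": width, "height": abs(height), "top_down": height < 0,
        "bits_per_pixel": bpp, "compression": BMP_COMPRESSION.get(compression, compression),
        "palette_entries": palette_entries, "pixel_offset": pixel_offset,
        "declared_file_size": file_size, "actual_size": len(data),
        # bytes after the declared pixel array: slack a steganographic tool may have used
        "trailing_bytes": len(data) - (pixel_offset + (size_image or expected_pixels)),
    }


def parse_gif(data):
    """Decode the GIF signature and logical screen descriptor."""
    sig, version = data[:3], data[3:6]
    if sig != b"GIF" or version not in (b"87a", b"89a"):
        raise ValueError("not a GIF")
    width, height, packed, bg_index, _aspect = struct.unpack_from("<HHBBB", data, 6)
    has_gct = bool(packed & 0x80)
    gct_size = 2 << (packed & 0x07) if has_gct else 0  # 2^(n+1) entries, 256 at most
    return {"version": version.decode(), "width": width, "height": height,
            "global_palette_entries": gct_size,
            "bits_per_pixel": ((packed & 0x07) + 1) if has_gct else 0,
            "background_index": bg_index}


def build_sample_bmp(extra=b""):
    """Constructed 2x2 24-bit BI_RGB image (two 8-byte rows), optionally with bytes appended."""
    width, height, bpp = 2, 2, 24
    pixels = bytes([0, 0, 255, 0, 255, 0, 0, 0,       # row 0: red, green, 2 bytes padding
                    255, 0, 0, 255, 255, 255, 0, 0])  # row 1: blue, white, padding
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels) + len(extra), 0, 0, 54)
    return file_hdr + info + pixels + extra


def build_sample_gif():
    """Constructed 1x1 GIF89a with a 2-entry global colour table and no image blocks."""
    packed = 0x80 | 0x00  # GCT present, size bits 0 -> 2 entries
    return b"GIF89a" + struct.pack("<HHBBB", 1, 1, packed, 0, 0) + bytes(6) + b"\x3b"


if __name__ == "__main__":
    print(parse_bmp(build_sample_bmp()))
    print(parse_gif(build_sample_gif()))
```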

5. Digital Forensics
Which password cracking technique uses every possible combination of character sets?
Rainbow table attack
Brute force attack
Dictionary attack
Rule-based attack
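
The three techniques named in this question and in the earlier one about using the password's known length and character set differ only in how the candidate list is generated: a dictionary attack tries each word as listed, a rule-based attack mangles each word with transformations (capitalisation, suffixes, digit appends), and a brute-force attack exhausts every string of a given length over a charset, which is only feasible once the length and charset are known. The block below is an added example, not the page's material; the target hashes are unsalted SHA-256 of constructed secrets, chosen so the demo runs in well under a second.

```python
import hashlib
import itertools


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def dictionary_attack(target, wordlist):
    """Try each word exactly as listed; returns (password or None, attempts)."""
    for n, word in enumerate(wordlist, 1):
        if sha256_hex(word) == target:
            return word, n
    return None, len(wordlist)


def rule_based_attack(target, wordlist, max_digits=999):
    """Apply mangling rules to each word: as-is, Capitalised, trailing '!', trailing 0..max_digits."""
    attempts = 0
    for word in wordlist:
        candidates = itertools.chain(
            (word, word.capitalize(), word + "!"),
            (f"{word}{i}" for i in range(max_digits + 1)),
        )
        for cand in candidates:
            attempts += 1
            if sha256_hex(cand) == target:
                return cand, attempts
    return None, attempts


def brute_force_attack(target, charset, length):
    """Exhaust every string of exactly `length` characters drawn from `charset`."""
    for n, chars in enumerate(itertools.product(charset, repeat=length), 1):
        cand = "".join(chars)
        if sha256_hex(cand) == target:
            return cand, n
    return None, len(charset) ** length


WORDLIST = ["password", "letmein", "pass"]  # constructed toy wordlist


def demo():
    # Unsalted SHA-256 of the constructed secret "pass123"; real systems use salted, slow hashes,
    # which changes the cost per guess but not the candidate-generation strategy shown here.
    target = sha256_hex("pass123")
    return {
        "dictionary": dictionary_attack(target, WORDLIST),
        "rule_based": rule_based_attack(target, WORDLIST),
        # knowing the password is 3 characters over {a, b, 1} shrinks the keyspace to 27
        "brute_force": brute_force_attack(sha256_hex("b1a"), "ab1", 3),
    }


if __name__ == "__main__":
    for name, (found, attempts) in demo().items():
        print(f"{name:12s} -> {found!r} after {attempts} attempts")
```

The attempt counts are the point: the dictionary fails after three guesses, the rules find the same secret from the same three words, and brute force is bounded by charset size to the power of the length, which is why learning either parameter matters so much.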

5. Digital Forensics
Amber a black hat hacker has embedded a malware into a small enticing advertisement and posted it on a
popular ad-network that displays across various websites. What is she doing?
Malvertising
Spearphishing
Click-jacking
Compromising a legitimate site

5. Digital Forensics
Which of the following is NOT an anti-forensics technique?
Data Deduplication
Password Protection
Steganography
Encryption

5. Digital Forensics
Watson a forensics investigator is examining a copy of an ISO file stored in CDFS format. What type of evidence
is this?
Data from a CD copied using Linux system
Data from a CD copied using Windows
Data from a CD copied using Mac-based system
Data from a DVD copied using Windows system

5. Digital Forensics
What is the primary function of the CHKDSK tool in Windows, which verifies the file system integrity of a
volume?
Repairs logical file system errors and marks bad sectors
Check the disk for hardware errors
Check the disk for connectivity errors
Check the disk for Slack Space

5. Digital Forensics
Which of the following Windows-based tools displays who is logged onto a computer, either locally or remotely?
Tokenmon
Process Monitor
PSLoggedon
TCPView

5. Digital Forensics
What is the location of the binary files required for the functioning of the OS in a Linux system?
/sbin
/bin
/root
/run

5. Digital Forensics
Which of the following Registry components includes offsets to other cells as well as the LastWrite time for the
key?
Security descriptor cell
Value list cell
Key cell
Value cell

5. Digital Forensics
Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?
Physical
Transport
Network
Session

5. Digital Forensics
Which code does the FAT file system use to mark the file as deleted?
E5H
ESH
5EH
H5E
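
A FAT directory is an array of 32-byte entries; when a file is deleted only the first byte of the short-name field is overwritten with the marker (0xE5), while the attributes, timestamps, starting cluster and size stay in place, which is what makes undelete possible on FAT. A first byte of 0x00 means the entry and everything after it is unused, and 0x05 escapes a real 0xE5 first character. The parser below is an added example, not the page's own code; the directory bytes it walks are constructed by build_sample_directory, and long-file-name entries (attribute 0x0F) are skipped rather than reassembled.

```python
import struct
from datetime import datetime

ENTRY_FMT = "<11sBBBHHHHHHHI"  # 32-byte FAT short-name directory entry
ATTR_LFN = 0x0F
ATTR_DIRECTORY = 0x10


def fat_date(y, m, d):
    return ((y - 1980) << 9) | (m << 5) | d


def fat_time(h, m, s):
    return (h << 11) | (m << 5) | (s // 2)  # 2-second resolution


def decode_datetime(date, time):
    """None for the all-zero fields FAT leaves on timestamps that were never set."""
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def make_entry(name83, attr, cluster, size, mtime):
    """Build one directory entry (constructed data) with create/access/write stamps all set to mtime."""
    date = fat_date(mtime.year, mtime.month, mtime.day)
    time = fat_time(mtime.hour, mtime.minute, mtime.second)
    return struct.pack(ENTRY_FMT, name83, attr, 0, 0, time, date, date,
                       cluster >> 16, time, date, cluster & 0xFFFF, size)


def parse_directory(data, bytes_per_cluster):
    """Walk a FAT directory cluster and report live and deleted short-name entries."""
    entries = []
    for off in range(0, len(data) - 31, 32):
        raw = data[off:off + 32]
        first = raw[0]
        if first == 0x00:
            break  # free entry and nothing allocated beyond this point
        (name83, attr, _nt, _tenth, _ctime, _cdate, _adate,
         hi, wtime, wdate, lo, size) = struct.unpack(ENTRY_FMT, raw)
        if attr == ATTR_LFN:
            continue  # long-name fragments are not reassembled here
        deleted = first == 0xE5
        base = name83[:8].decode("ascii", "replace").rstrip()
        ext = name83[8:].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]  # the 0xE5 marker destroyed the first character; it is not recoverable from this entry
        elif first == 0x05:
            base = "\xe5" + base[1:]
        is_dir = bool(attr & ATTR_DIRECTORY)
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "is_dir": is_dir,
            "first_cluster": (hi << 16) | lo,
            "size": size,
            "modified": decode_datetime(wdate, wtime),
            # how many clusters an undelete must chain from first_cluster (only reliable if they were contiguous)
            "clusters_needed": 0 if is_dir else -(-size // bytes_per_cluster),
        })
    return entries


SAMPLE_MTIME = datetime(2007, 4, 10, 10, 39, 10)


def build_sample_directory():
    """Constructed directory: a live file, a deleted file, a subdirectory, then the end-of-list entry."""
    return (make_entry(b"REPORT  TXT", 0x20, 100, 2326, SAMPLE_MTIME)
            + make_entry(b"\xe5ECRET  DOC", 0x20, 205, 10_500, SAMPLE_MTIME)
            + make_entry(b"ARCHIVE    ", ATTR_DIRECTORY, 300, 0, SAMPLE_MTIME)
            + b"\x00" * 32)


def demo():
    return parse_directory(build_sample_directory(), 4096)


if __name__ == "__main__":
    for e in demo():
        print(e)
```

Because only the first name byte is overwritten, a deleted entry still points at its first cluster and records its size; what it cannot tell you is whether the FAT chain beyond that cluster has since been reallocated, so recovered content must be validated (file signature, internal structure) rather than trusted on the strength of the entry alone.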

6. Tools/Systems/Programs
Which of the following is an iOS Jailbreaking tool?
Towelroot
Kingo Android ROOT
One Click Root
Redsn0w

6. Tools/Systems/Programs
Which tool does the investigator use to extract artifacts left by Google Drive on the system?
RegScanner
RAM Capturer
PEBrowse Professional
Dependency Walker

6. Tools/Systems/Programs
Which of the following application password cracking tools can discover all password-protected items on a
computer and decrypt them?
TestDisk for Windows
Windows Password Recovery Bootdisk
Passware Kit Forensic
R-Studio

6. Tools/Systems/Programs
Which of the following tools enables data acquisition and duplication?
DriveSpy
Wireshark
Xplico
Colasoft’s Capsa

6. Tools/Systems/Programs
Which of the following tools enables a user to reset his/her lost admin password in a Windows system?
SmartKey Password Recovery Bundle Standard
Passware Kit Forensic
Active@ Password Changer
Advanced Office Password Recovery

6. Tools/Systems/Programs
The investigator wants to examine changes made to the system's registry by the suspect program. Which of the
following tools can help the investigator?
TRIPWIRE
RAM Capturer
Regshot
What's Running

6. Tools/Systems/Programs
Which of the following tools can the investigator use to analyze the network to detect Trojan activities?
RAM Capturer
TRIPWIRE
Regshot
Capsa

6. Tools/Systems/Programs
Which of the following acts as a network intrusion detection system as well as network intrusion prevention
system?
Snort
Kismet
Nikto
Acunetix

6. Tools/Systems/Programs
Charles has accidentally deleted an important file while working on his Mac computer. He wants to recover the
deleted file as it contains some of his crucial business secrets. Which of the following tools will help Charles?
Xplico
FileSalvage
Colasoft’s Capsa
DriveSpy

6. Tools/Systems/Programs
What malware analysis operation can the investigator perform using the jv16 tool?
Registry Analysis/Monitoring
Files and Folder Monitor
Installation Monitor
Network Traffic Monitoring/Analysis

6. Tools/Systems/Programs
Select the tool appropriate for examining the dynamically linked libraries of an application or malware.
DependencyWalker
ResourcesExtract
SysAnalyzer
PEiD

6. Tools/Systems/Programs
Which of the following is a Mac-based file recovery tool?
Cisdem DataRecovery 3
Smart Undeleter
GetDataBack
VirtualLab

6. Tools/Systems/Programs
A forensic examiner is examining a Windows system seized from a crime scene. During the examination of a
suspect file, he discovered that the file is password protected. He tried guessing the password using the
suspect's available information but without any success. Which of the following tools can help the investigator
solve this issue?
Colasoft’s Capsa
Recuva
Cain & Abel
Xplico

6. Tools/Systems/Programs
Bob has encountered a system crash and has lost vital data stored on the hard drive of his Windows computer.
He has no cloud storage or backup hard drives. He wants to recover all of that data, which includes his personal
photos, music, documents, videos, official emails, etc. Which of the following tools will serve Bob's purpose?
Colasoft’s Capsa
Recuva
Cain & Abel
Xplico

6. Tools/Systems/Programs
Which of the following tools will help the investigator to analyze web server logs?
Deep Log Monitor
Deep Log Analyzer
LanWhois
XRY LOGICAL
