Wednesday, June 13, 2012

Computer Forensics - exam


Question: 1
In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court?
A. rules of evidence
B. law of probability
C. chain of custody
D. policy of separation


Question: 2
How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?
A. 128
B. 64
C. 32
D. 16


Question: 3
What does the superblock in Linux define?
A. file system names
B. available space
C. location of the first inode
D. disk geometry


Question: 4
The newer Macintosh Operating System is based on:
A. OS/2
B. BSD Unix
C. Linux
D. Microsoft Windows


Question: 5
Before you are called to testify as an expert, what must an attorney do first?
A. engage in damage control
B. prove that the tools you used to conduct your examination are perfect
C. read your curriculum vitae to the jury
D. qualify you as an expert witness


Question: 6
You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data. What method would be most efficient for you to acquire digital evidence from this network?
A. create a compressed copy of the file with DoubleSpace
B. create a sparse data copy of a folder or file
C. make a bit-stream disk-to-image file
D. make a bit-stream disk-to-disk file


Question: 7
You are working for a large clothing manufacturer as a computer forensics investigator and are called in to investigate an unusual case of an employee possibly stealing clothing designs from the company and selling them under a different brand name for a different company. What you discover during the course of the investigation is that the clothing designs are actually original products of the employee and the company has no policy against an employee selling his own designs on his own time. The only thing that you can find that the employee is doing wrong is that his clothing design incorporates the same graphic symbol as that of the company with only the wording in the graphic being different. What area of the law is the employee violating?
A. trademark law
B. copyright law
C. printright law
D. brandmark law


Question: 8
What file structure database would you expect to find on floppy disks?
A. NTFS
B. FAT32
C. FAT16
D. FAT12


Question: 9
What type of attack occurs when an attacker can force a router to stop forwarding packets by flooding the router with many open connections simultaneously so that all the hosts behind the router are effectively disabled?
A. digital attack
B. denial of service
C. physical attack
D. ARP redirect


Question: 10
When examining a file with a Hex Editor, what space does the file header occupy?
A. the last several bytes of the file
B. the first several bytes of the file
C. none, file headers are contained in the FAT
D. one byte at the beginning of the file


Question: 11
In the context of the file deletion process, which of the following statements holds true?
A. When files are deleted, the data is overwritten and the cluster marked as available
B. The longer a disk is in use, the less likely it is that deleted files will be overwritten
C. While booting, the machine may create temporary files that can delete evidence
D. Secure delete programs work by completely overwriting the file in one go


Question: 12
A(n) _____________________ is one that's performed by a computer program rather than the attacker manually performing the steps in the attack sequence.
A. blackout attack
B. automated attack
C. distributed attack
D. central processing attack


Question: 13
The offset in a hexadecimal code is:
A. The last byte after the colon
B. The 0x at the beginning of the code
C. The 0x at the end of the code
D. The first byte after the colon


Question: 14
It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner?
A. by law, three
B. quite a few
C. only one
D. at least two


Question: 15
With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ________.
A. 0
B. 10
C. 100
D. 1


Question: 16
When examining the log files from a Windows IIS Web Server, how often is a new log file created?
A. the same log is used at all times
B. a new log file is created everyday
C. a new log file is created each week
D. a new log is created each time the Web Server is started


Question: 17
Which part of the Windows Registry contains the user's password file?
A. HKEY_LOCAL_MACHINE
B. HKEY_CURRENT_CONFIGURATION
C. HKEY_USER
D. HKEY_CURRENT_USER


Question: 18
An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet.
A. logical
B. anti-magnetic
C. magnetic
D. optical


Question: 19
Lance wants to place a honeypot on his network. Which of the following would be your recommendations?
A. Use a system that has a dynamic addressing on the network
B. Use a system that is not directly interacting with the router
C. Use it on a system in an external DMZ in front of the firewall
D. It doesn't matter as all replies are faked


Question: 20
What does the acronym POST mean as it relates to a PC?
A. Primary Operations Short Test
B. Power On Self Test
C. Pre Operational Situation Test
D. Primary Operating System Test


Question: 21
You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?
A. All forms should be placed in an approved secure container because they are now primary evidence in the case.
B. The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container. 
C. The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file.
D. All forms should be placed in the report file because they are now primary evidence in the case.


Question: 22
The MD5 program is used to:
A. wipe magnetic media before recycling it
B. make directories on an evidence disk
C. view graphics files on an evidence drive
D. verify that a disk is not altered when you examine it


Question: 23
Which is a standard procedure to perform during all computer forensics investigations?
A. with the hard drive removed from the suspect PC, check the date and time in the system's CMOS
B. with the hard drive in the suspect PC, check the date and time in the File Allocation Table
C. with the hard drive removed from the suspect PC, check the date and time in the system's RAM
D. with the hard drive in the suspect PC, check the date and time in the system's CMOS


Question: 24
E-mail logs contain which of the following information to help you in your investigation? (Select up to 4)
A. user account that was used to send the account
B. attachments sent with the e-mail message
C. unique message identifier
D. contents of the e-mail message
E. date and time the message was sent


Question: 25
In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?
A. one who has NTFS 4 or 5 partitions
B. one who uses dynamic swap file capability
C. one who uses hard disk writes on IRQ 13 and 21
D. one who has lots of allocation units per block or cluster


Question: 26
In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?
A. evidence must be handled in the same way regardless of the type of case
B. evidence procedures are not important unless you work for a law enforcement agency
C. evidence in a criminal case must be secured more tightly than in a civil case
D. evidence in a civil case must be secured more tightly than in a criminal case


Question: 27
You are assigned to work in the computer forensics lab of a state police agency. While working on a high-profile criminal case, you have followed every applicable procedure; however, your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab?
A. make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab
B. make an MD5 hash of the evidence and compare it to the standard database developed by NIST
C. there is no reason to worry about this possible claim because state labs are certified
D. sign a statement attesting that the evidence is the same as it was when it entered the lab


Question: 28
When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?
A. Universal Time Set
B. Network Time Protocol
C. SyncTime Service
D. Time-Sync Protocol


Question: 29
When investigating a potential e-mail crime, what is your first step in the investigation?
A. Trace the IP address to its origin
B. Write a report
C. Determine whether a crime was actually committed
D. Recover the evidence


Question: 30
What happens when a file is deleted by a Microsoft operating system using the FAT file system?
A. only the reference to the file is removed from the FAT
B. the file is erased and cannot be recovered
C. a copy of the file is stored and the original file is erased
D. the file is erased but can be recovered


Question: 31
What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer?
A. rootkit
B. key escrow
C. steganography
D. Offset


Question: 32
During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding process. Therefore you report this evidence. This type of evidence is known as:
A. Inculpatory evidence
B. mandatory evidence
C. exculpatory evidence
D. Terrible evidence


Question: 33
Corporate investigations are typically easier than public investigations because:
A. the investigator has to get a warrant
B. the users have standard corporate equipment and software
C. the investigator does not have to get a warrant
D. the users can load whatever they want on their machines


Question: 34
What binary coding is used most often for e-mail purposes?
A. MIME
B. Uuencode
C. IMAP
D. SMTP


Question: 35
If you plan to start up a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive.
A. deltree command
B. CMOS
C. Boot.sys
D. Scandisk utility


Question: 36
You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics lab. How many law-enforcement computer investigators should you request to staff the lab?
A. 8
B. 1
C. 4
D. 2


Question: 37
If a suspect computer is located in an area that may have toxic chemicals, you must:
A. assume the suspect machine is contaminated
B. coordinate with the HAZMAT team
C. do not enter alone
D. determine a way to obtain the suspect computer


Question: 38
Diskcopy is:
A. a utility by AccessData
B. a standard MS-DOS command
C. Digital Intelligence utility
D. dd copying tool


Question: 39
Sectors in hard disks typically contain how many bytes?
A. 256
B. 512
C. 1024
D. 2048


Question: 40
Area density refers to:
A. the amount of data per disk
B. the amount of data per partition
C. the amount of data per square inch
D. the amount of data per platter


Question: 41
How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?
A. 16
B. 32
C. 64
D. 128


Question: 42
In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?
A. one who has lots of allocation units per block or cluster
B. one who has NTFS 4 or 5 partitions
C. one who uses dynamic swap file capability
D. one who uses hard disk writes on IRQ 13 and 21


Question: 43
Which part of the Windows Registry contains the user's password file?
A. HKEY_CURRENT_USER
B. HKEY_USER
C. HKEY_LOCAL_MACHINE
D. HKEY_CURRENT_CONFIGURATION


Question: 44
What header field in the TCP/IP protocol stack involves the hacker exploit known as the Ping of Death?
A. ICMP header field
B. TCP header field
C. IP header field
D. UDP header field


Question: 45
What method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 server over the course of its lifetime?
A. forensic duplication of hard drive
B. analysis of volatile data
C. comparison of MD5 checksums
D. review of SIDs in the Registry


Question: 46
Which response organization tracks hoaxes as well as viruses?
A. NIPC
B. FEDCIRC
C. CERT
D. CIAC


Question: 47
Which federal computer crime law specifically refers to fraud and related activity in connection with access devices like routers?
A. 18 U.S.C. 1029
B. 18 U.S.C. 1362
C. 18 U.S.C. 2511
D. 18 U.S.C. 2703


Question: 48
What TCP/UDP port does the toolkit program netstat use?
A. Port 7
B. Port 15
C. Port 23
D. Port 69


Question: 49
Under which Federal Statutes does FBI investigate for computer crimes involving e-mail scams and mail fraud?
A. 18 U.S.C. 1029 Possession of Access Devices
B. 18 U.S.C. 1030 Fraud and related activity in connection with computers
C. 18 U.S.C. 1343 Fraud by wire, radio or television
D. 18 U.S.C. 1361 Injury to Government Property
E. 18 U.S.C. 1362 Government communication systems
F. 18 U.S.C. 1831 Economic Espionage Act
G. 18 U.S.C. 1832 Trade Secrets Act


Question: 50
In a FAT32 system, a 123 KB file will use how many sectors?
A. 34
B. 25
C. 11
D. 56


Question: 51
What does the superblock in Linux define?
A. file system names
B. disk geometry
C. location of the first inode
D. available space


Question: 52
Why should you note all cable connections for a computer you want to seize as evidence?
A. to know what outside connections existed
B. in case other devices were connected
C. to know what peripheral devices exist
D. to know what hardware existed


Question: 53
You should make at least how many bit-stream copies of a suspect drive?
A. 1
B. 2
C. 3
D. 4


Question: 54
Which of the following should a computer forensics lab used for investigations have?
A. isolation
B. restricted access
C. open access
D. an entry log


Question: 55
Corporate investigations are typically easier than public investigations because:
A. the users have standard corporate equipment and software
B. the investigator does not have to get a warrant
C. the investigator has to get a warrant
D. the users can load whatever they want on their machines


Question: 56
If a suspect computer is located in an area that may have toxic chemicals, you must:
A. coordinate with the HAZMAT team
B. determine a way to obtain the suspect computer
C. assume the suspect machine is contaminated
D. do not enter alone
