CHFI Online Study Notes Flashcards

1
Q

What are the essential Windows system files?

A

Ntoskrnl.exe

2
Q

Which of the following is NOT a disk editor tool to help view file headers and important information about a file?

Win Edit
Hex Workshop
Disk Edit
WinHex

A

Win Edit

3
Q

Which LBA contains the GPT header?

A

LBA 1

4
Q

Which of the following items is used to describe the characteristics of the file system information present on a given CD-ROM?

POSIX attribute
Track header
Boot sector
Volume descriptor

A

Volume descriptor

5
Q

Which of the following is NOT an advantage of SSDs over HDDs?

Higher reliability
Non-volatile memory
Faster data access
Less power usage

A

Non-volatile memory

6
Q

Which field type refers to the volume descriptor as a supplementary?

A

Number 2

7
Q

What is a hard disk’s first sector that specifies the location of an operating system for the system to load into the main storage?

A

Master Boot Record

8
Q

Which field type refers to the volume descriptor as a set terminator?

A

Number 255

9
Q

Which of the following should be work area considerations for forensic labs?

A

Examiner station has an area of about 50–63 square feet.

10
Q

Which of the following is a computer-created source of potential evidence?

A

Swap File

11
Q

Forensic readiness refers to:

A

An organization’s ability to make optimal use of digital evidence in a limited period and with minimal investigation costs.

12
Q

Which of the following Windows operating systems powers on and starts up using only the traditional BIOS-MBR method?

A

Windows Vista

13
Q

Which of the following is a consideration of HDDs but not SSDs?

A

RPM Speed

14
Q

Which item describes the following UEFI boot process phase? (The phase of EFI consisting of interpreting the boot configuration data, selecting the Boot Policy for later implementation, working with the prior phase to check if the device drivers require signature verification, loading either MBR boot code into memory for Legacy BIOS Boot or the Bootloader program from the EFI partition for UEFI Boot, and providing an option for the user to choose EFI Shell or a UEFI application as the Boot Device from the Setup.)

A

BDS (Boot Device Selection) Phase

15
Q

Which of the following is NOT a common computer file system?

EXT2
NTFS
EFX3
FAT32

A

EFX3

16
Q

What is the role of an expert witness?

A

To educate the public and court

17
Q

Which of the following Federal Rules of Evidence ensures that the truth may be ascertained and the proceedings justly determined?

A

Rule 102

18
Q

Which of the following is one of the five UEFI boot process phases?

BSD Phase
RT Phase
PAI Phase
PIE Phase

A

RT Phase

19
Q

Which of the following describes when the user restarts the system via the operating system?

A

Warm Booting

20
Q

What do GPTs use instead of the addressing used in modern MBRs?

A

LBA

21
Q

Which of the following is a 128-bit unique number, generated by the Windows OS for identifying a specific device, document, database entry, or user?

A

Globally Unique Identifier (GUID)

22
Q

The UEFI assigns how many bytes for the Partition Entry Array?

A

16,384

23
Q

Which of the following is a user-created source of potential evidence?

A

Address Book

24
Q

Which of the following should be physical location and structural design considerations for forensics labs?

A

Lab exteriors should have no windows.

25
Which item describes the following UEFI boot process phase? (The phase of EFI consisting of initializing the CPU, temporary memory, and boot firmware volume (BFV); locating and executing the chapters to initialize all the found hardware in the system; and creating a Hand-Off Block List with all found resources interface descriptors.)
PEI (Pre-EFI Initialization) Phase
26
Which file system for Linux transfers all tracks and boot images on a CD as normal files?
CDFS
27
On Macintosh computers, which architecture utilizes Open Firmware to initialize the hardware interfaces after the BootROM performs POST?
PowerPC
28
What replaces legacy BIOS firmware interfaces and uses a partition interfacing system to overcome the limitations of the MBR partitioning scheme?
UEFI (Unified Extensible Firmware Interface)
29
Which of the following is an advantage of the GPT disk layout?
GPT allows users to partition disks larger than 2 terabytes.
30
Which of the following is NOT part of the Computer Forensics Investigation Methodology?
Testify as an expert defendant.
31
Which of the following file systems are used for adding more descriptors to a CD-ROM's file system sequence?
Joliet and UDF
32
Which of the following is TRUE of cybercrimes?
Investigators, with a warrant, have the authority to forcibly seize the computing devices.
33
Which commands help create MBR in Windows and DOS operating systems?
FDISK/MBR
34
Which of the following is a small piece of instruction in computer language, which the system loads into the BIOS and executes to initiate the system's boot process?
Master Boot Code
35
Which logical drive holds the information regarding the data and files that are stored in the disk?
Extended Partition
36
Which cmdlet can investigators use in Windows PowerShell to analyze the GUID Partition Table to find the exact type of boot sector and display the partition object?
Get-PartitionTable
37
Which of the following basic partitioning tools displays details about GPT partition tables in Macintosh OS?
Disk Utility
38
How many tracks are typically contained on a platter of a 3.5″ HDD?
1,000
39
Under which of the following conditions will duplicate evidence NOT suffice?
When original evidence is in possession of the originator
40
Which field type in a volume descriptor refers to a boot record?
Number 0
41
Which of the following is NOT an objective of computer forensics?
Mitigate vulnerabilities to prevent further loss of intellectual property, finances, and reputation during an attack.
42
How many bytes is each partition entry in GPT?
128 Bytes
43
Which partition type designates the protective MBR from legacy MBR?
0xEE
44
Which cmdlet can investigators use in Windows PowerShell to analyze the GUID Partition Table data structure of the hard disk?
Get-GPT
45
How many bits are used by the MBR partition scheme for storing LBAs (Logical Block Addresses) and the size information on a 512-byte sector?
32
46
Under which of the following circumstances has a court of law allowed investigators to perform searches without a warrant?
Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process.
47
Which of the following Windows operating systems powers on and starts up using either the traditional BIOS-MBR method or the newer UEFI-GPT method?
Windows 8
48
Which of the following Federal Rules of Evidence states that the court shall restrict the evidence to its proper scope and instruct the jury accordingly?
Rule 105
49
What file format is used by Windows Vista and later versions to store event logs as simple text files in XML format?
EVTX
50
Which is NOT a valid type of digital evidence?
DNA Sample
51
What is a common technique used to distribute malware on the web by mimicking legitimate institutions in an attempt to steal passwords, credit cards, and bank account data?
Spear phishing sites
52
What is the primary information required for starting an email investigation?
The unique IP address
53
What is a common technique used to distribute malware on the web by injecting malware into legitimate-looking websites to trick users into selecting them?
Click-jacking
54
What is NOT a command used to determine logged-on users?
LoggedSessions
55
What is NOT one of the three tiers a log management infrastructure typically comprises?
Log Rotation
56
Where are deleted items stored on Windows Vista and later versions of Windows?
Drive:\$Recycle.Bin
57
Which web application threat occurs when attackers bypass the client's ID security mechanisms, gain access privileges, and inject malicious scripts into specific fields in web pages?
Cross-site scripting
58
What is a common technique used to distribute malware on the web when an attacker exploits flaws in browser software to install malware just by visiting a website?
Drive-by downloads
59
Which of the following stakeholders is responsible for making sure all the forensic activities are within the jurisdiction and not violating any regulations or agreements?
Law Advisors
60
Which web application threat occurs when an authenticated user is forced to perform certain tasks on the web application chosen by an attacker?
Cross-site request forgery
61
What prefetch does value 1 from the registry entry, EnablePrefetcher, tell the system to use?
Application prefetching is enabled.
62
Which of the three different files storing data and logs in SQL servers is optional?
NDF
63
What layer of web application architecture contains components that parse the request (HTTP Request Parser) coming in and forwards the response back?
Web server layer
64
Which is a threat to web applications?
Cookie poisoning
65
What layer of web application architecture is composed of cloud services which hold all commercial transactions and a server that supplies an organization's production data in a structured form?
Database Layer
66
What is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards?
PCI DSS
67
Which is a violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act?
Retransmitting spam messages through a computer to mislead others about the origin of the message
68
Where can congressional security standards and guidelines be found, with an emphasis for federal agencies, for the development, documentation, and implementation of organization-wide programs for information security?
FISMA
69
Which is NOT an indication of a web attack?
Logs found to have no known anomalies
70
What must an investigator do in order to offer a good report to a court of law and ease the prosecution?
Preserve the evidence
71
Which of the following is NOT a digital data storage type?
Quantum storage devices
72
Which of the following is an internal network vulnerability?
Bottleneck
73
Which tool helps collect information about network connections operative in a Windows system?
NETSTAT
74
What is NOT true of email crimes?
Email crime is not limited by the email organization.
75
What cloud service offers application software to subscribers on demand or over the internet and is charged for by the provider on a pay-per-use basis, by subscription, by advertising, or by sharing among multiple users?
SaaS
76
Which is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples?
Volatility Framework
77
Which architectural layer of mobile device environments provides telephony services related to the mobile carrier operator such as making calls, receiving calls, and SMS?
Phone API
78
Which web application threat is a method intended to terminate website or server operations by making resources unavailable to clients?
Denial-of-service
79
Which is NOT a log management system function?
Log generation
80
What operating system was Android based on?
Linux
81
Which web application threat refers to a drawback in a web application where it unintentionally reveals sensitive data to an unauthorized user?
Information leakage
82
What is NOT a command used to determine open files?
Open files | Not to be confused with Openfiles
83
Which architectural layer of mobile device environments simplifies the process of interacting with web services and other applications such as email, the internet, and SMS?
Communication API
84
What cloud service enables subscribers to use fundamental IT resources, such as computing power, virtualization, data storage, network, etc., on demand?
IaaS
85
What is a cloud environment composed of two or more clouds that remain unique entities but are bound together to offer the benefits of multiple deployment models?
Hybrid cloud
86
Which web application threat refers to the modification of a website's remnant data for bypassing security measures or gaining unauthorized information?
Cookie poisoning
87
What prefetch does value 3 from the registry entry, EnablePrefetcher, tell the system to use?
Both application and boot prefetching are enabled.
88
Which of the following includes security standards for health information?
HIPAA
89
What is NOT one of the three major concerns regarding log management?
Log viewing
90
What tool enables you to retrieve information about event logs and publishers in Windows 10?
Wevutil
91
Which cloud environment allows the provider to make services—such as applications, servers, and data storage—available to the public over the internet?
Public Cloud
92
Which architectural layer of mobile device environments contains items that are responsible for mobile operations such as a display device, a keypad, RAM, flash, an embedded processor, and a media processor?
Hardware
93
Which is a type of network-based attack?
Eavesdropping
94
Which web application threat occurs when attackers insert commands via input data and are able to tamper with the data?
SQL injection
95
Which of the following best describes flash memory?
Flash memory is a non-volatile, electronically erasable and reprogrammable storage medium.
96
Which of the following stakeholders is responsible for conducting forensic examinations against allegations made regarding wrongdoings, found vulnerabilities, and attacks over the cloud?
Investigators
97
Which web application threat refers to vulnerable management functions, including user updates, recovery of passwords, or resetting passwords?
Broken account management
98
What type of analysis do investigators perform to detect something that has already occurred in a network/device and determine what it is?
Postmortem
99
Smith, as a part of his forensic investigation assignment, seized a mobile device. He was asked to recover the Subscriber Identity Module (SIM card) data in the mobile device. Smith found that the SIM was protected by a Personal Identification Number (PIN) code, but he was also aware that people generally leave the PIN numbers to the defaults or use easily guessable numbers such as 1234. He made three unsuccessful attempts, which blocked the SIM card. What can Smith do in this scenario to reset the PIN and access SIM data?
He should ask the Network Operator for Personal Unlock Number (PUK) to gain access to the SIM
100
Sectors are pie-shaped regions on a hard disk that store data. Which of the following parts of a hard disk does not contribute to determining the addresses of data?
Interface
101
Which of the following standards represents a legal precedent set in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses' testimony during federal legal proceedings?
Daubert
102
Which of the following examinations refers to the process of the witness being questioned by the attorney who called the latter to the stand?
Direct-Examination
103
Who is responsible for the following tasks?
• Secure the scene
• Ensure that it is maintained in a secure state until the Forensic Team arrives
• Make notes about the scene that will eventually be handed over to the Forensic Team
Non-forensics staff
104
Which of the following tools is used to locate IP addresses?
SmartWhois
105
Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in Windows 7 is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList
106
Which US law does the interstate or international transportation and receiving of child pornography fall under?
18 U.S. Code § 2252
107
Data is striped at a byte level across multiple drives, and parity information is distributed among all member drives. What RAID level is represented here?
RAID Level 5