PT Flashcards

1
Q

A software company suspects that employees have set up automatic corporate email forwarding to their personal inboxes against company policy. The company hires forensic investigators to identify the employees violating policy, with the intention of issuing warnings to them.

Which type of cybercrime investigation approach is this company taking?

Civil
Criminal
Administrative
Punitive

A

Administrative

2
Q

Which model or legislation applies a holistic approach toward any criminal activity as a criminal operation?

Enterprise Theory of Investigation
Racketeer Influenced and Corrupt Organizations Act
Evidence Examination
Law Enforcement Cyber Incident Reporting

A

Enterprise Theory of Investigation

3
Q

What does a forensic investigator need to obtain before seizing a computing device in a criminal case?

Court warrant
Completed crime report
Chain of custody document
Plaintiff’s permission

A

Court warrant

4
Q

Which activity should be used to check whether an application has ever been installed on a computer?

Penetration test
Risk analysis
Log review
Security review

A

Log review

5
Q

Which characteristic describes an organization’s forensic readiness in the context of cybercrimes?

It includes moral considerations.
It includes cost considerations.
It excludes nontechnical actions.
It excludes technical actions.

A

It includes cost considerations.

6
Q

A cybercrime investigator identifies a Universal Serial Bus (USB) memory stick containing emails as a primary piece of evidence.

Who must sign the chain of custody document once the USB stick is in evidence?

Those who obtain access to the device
Anyone who has ever used the device
Recipients of emails on the device
Authors of emails on the device

A

Those who obtain access to the device

7
Q

Which type of attack is a denial-of-service technique that sends a large amount of data to overwhelm system resources?

Phishing
Spamming
Mail bombing
Bluejacking

A

Mail bombing

8
Q

Which computer crime forensics step requires an investigator to duplicate and image the collected digital information?

Securing evidence
Acquiring data
Analyzing data
Assessing evidence

A

Acquiring data

9
Q

What is the last step of a criminal investigation that requires the involvement of a computer forensic investigator?

Analyzing the data collected
Testifying in court
Assessing the evidence
Performing search and seizure

A

Testifying in court

10
Q

How can a forensic investigator verify an Android mobile device is on, without potentially changing the original evidence or interacting with the operating system?

Check to see if it is plugged into a computer
Tap the screen multiple times
Look for flashing lights
Hold down the power button

A

Look for flashing lights

11
Q

What should a forensic investigator use to protect a mobile device if a Faraday bag is not available?

Aluminum foil
Sturdy container
Cardboard box
Bubble wrap

A

Aluminum foil

12
Q

Which criterion determines whether a technology used by government to obtain information in a computer search is considered innovative and requires a search warrant?

Availability to the general public
Dependency on third-party software
Implementation based on open source software
Use of cloud-based machine learning

A

Availability to the general public

13
Q

Which situation allows a law enforcement officer to seize a hard drive from a residence without obtaining a search warrant?

The computer is left unattended.
The front door is wide open.
The occupant is acting suspicious.
The evidence is in imminent danger.

A

The evidence is in imminent danger.

14
Q

Which legal document contains a summary of findings and is used to prosecute?

Investigation report
Search warrant
Search and seizure
Chain of custody

A

Investigation report

15
Q

What should an investigator use to prevent any signals from reaching a mobile phone?

Faraday bag
Dry bag
Anti-static container
Lock box

A

Faraday bag

16
Q

A forensic investigator is called to the stand as a technical witness in an internet payment fraud case.

Which behavior is considered ethical by this investigator while testifying?

Providing and explaining facts found during the investigation
Interpreting the findings and offering a clear opinion to the jury
Helping the jury arrive at a conclusion based on the facts
Assisting the attorney in compiling a list of essential questions

A

Providing and explaining facts found during the investigation

17
Q

A government agent is testifying in a case involving malware on a system.

What should this agent have complied with during search and seizure?

Fourth Amendment
Stored Communications Act
Net Neutrality Bill
Federal Rules of Evidence

A

Fourth Amendment

18
Q

Which method is used when an investigator has access to the plaintext and an image file with the hidden information?

Stego-only
Known-stego
Known-message
Chosen-message

A

Known-message

19
Q

Which method is used when an investigator takes a plaintext message, uses various tools against it, and finds the algorithm used to hide information?

Stego-only
Known-stego
Known-message
Chosen-message

A

Chosen-message

20
Q

Which operating system is targeted by the DaveGrohl password cracker?

Linux
OS X
UNIX
Windows

A

OS X

21
Q

Which password cracker is used to recover passwords on an OS X operating system?

Cain and Abel
DaveGrohl
L0phtCrack
Ophcrack

A

DaveGrohl

22
Q

Which tool allows a forensic investigator to process Transmission Control Protocol (TCP) streams for analysis of malicious traffic?

Kibana
OSSEC
Syslog-ng
Wireshark

A

Wireshark

23
Q

Which tool allows an investigator to review or process information in a Windows environment but does not rely on the Windows API?

EnCase
netstat
dd
LogMeister

A

EnCase

24
Q

A computer forensic investigator finds an unauthorized wireless access point connected to an organization’s network switch. This access point’s wireless network has a random name with a hidden service set identifier (SSID).

What is this set-up designed to do?

Create a backdoor that a perpetrator can use by connecting wirelessly to the network
Jam the wireless signals to stop all legitimate traffic from using the wireless network
Activate the wireless cards in the laptops of victims to gain access to their data and network
Transmit high-power signals that force users to connect to the rogue wireless network

A

Create a backdoor that a perpetrator can use by connecting wirelessly to the network

25
Q

Which web-based application attack corrupts the execution stack of a web application?

Buffer overflow
Cookie poisoning
SQL injection
Denial-of-service

A

Buffer overflow

26
Q

An employee is accused of sending a threatening email through Microsoft Exchange.

Which file extension should the investigator search for to find the archived message on the server?

.DB
.NSF
.PST
.EDB

A

.EDB

27
Q

Investigators do not have physical access to the computer of the victim of an email crime.

Which task should these investigators instruct the victim to perform in order to identify the sending email server?

Provide the email body
Provide the email header
Run Aid4Mail Email Forensics
Run Email Address Verifier

A

Provide the email header

28
Q

Which tool should a forensic investigator use on a Windows computer to locate all the data on a computer disk, protect evidence, and create evidentiary reports for use in legal proceedings?

Wireshark
OmniPeek
ProDiscover
Capsa

A

ProDiscover

29
Q

What is the purpose of hashing tools during data acquisition?

Dumping the original RAM contents to a forensically sterile removable device
Enabling write protection on the original media to preserve the original evidence
Validating the collected digital evidence by comparing the original and copied file message digests
Creating a replica of the original source to prevent the inadvertent alteration of the original

A

Validating the collected digital evidence by comparing the original and copied file message digests

30
Q

Which software-based tool is used to prevent writes to storage devices on a computer?

CRU WiebeTech
ILook Investigator
SAFE Block
USB WriteBlocker

A

SAFE Block

31
Q

Which tool should a forensic team use to research unauthorized changes in a database?

ApexSQL DBA
Gargoyle Investigator Forensic Pro
LSASecretsView
RSA NetWitness Investigator

A

ApexSQL DBA

32
Q

Which graphical tool should investigators use to identify publicly available information about a public IP address?

AWStats
GoAccess
SmartWhois
NsLookup

A

SmartWhois

33
Q

Which tool is used to search and analyze PC messaging logs?

Chat Stick
File Viewer
SnowBatch
Zamzar

A

Chat Stick

34
Q

Which forensic tool allows an investigator to acquire database files for analysis from a mobile device?

Andriller
Volatility
WinDump
Tripwire

A

Andriller

35
Q

Which anti-forensic defense technique allows a forensic investigator to determine if the system’s kernel is compromised?

Performing a brute-force attack
Conducting steganalysis
Performing BIOS bypass
Conducting rootkit detection

A

Conducting rootkit detection

36
Q

Which anti-forensic defense technique allows a forensic investigator to gain access to files protected with Encrypting File System (EFS)?

Installing a recovery certificate
Detecting hosts in promiscuous mode
Performing BIOS bypass
Conducting rootkit detection

A

Installing a recovery certificate

37
Q

Which anti-forensic defense technique allows a forensic investigator to reset the firmware in order to access the operating system?

Install a recovery certificate
Detect hosts in promiscuous mode
Perform BIOS password bypass
Conduct rootkit detection

A

Perform BIOS password bypass

38
Q

A software company has a data breach and hires a forensic expert to examine event and intrusion detection logs on its Linux servers. The investigator finds a suspicious user ID and wants to track all events of that user.

Which command should this forensic expert use?

ausearch
dd
readelf
cron

A

ausearch

39
Q

A forensic investigator receives dozens of log-in failure events within a few minutes. A security attack event is generated.

What is the goal when performing event correlation?

Data aggregation
Content reduction
Explorative data analysis
Root cause identification

A

Root cause identification

40
Q

A computer forensic investigator is preparing an affidavit statement.

Which type of report should this investigator prepare?

Formal verbal
Informal verbal
Formal written
Informal written

A

Formal written

41
Q

A forensic investigator is preparing a report in response to a security breach. The report is augmented by documentation provided by a third party.

Which optional section in the report serves as a gesture of thanks for the third-party support?

Acknowledgments
References
Conclusions
Appendices

A

Acknowledgments

42
Q

A network log from a remote system is entered into evidence, and the proper steps are taken to protect the integrity of the data. The log contains network intrusion data but does not contain any information about the log.

What must an investigator document about this log in the forensic report?

Name of the server
Number of records in the file
Name of the server administrator
Number of bytes in the file

A

Name of the server

43
Q

What is the minimum number of workstations a forensics lab needs?

One
Two
Three
Four

A

Two

44
Q

Which function does the BIOS parameter block (BPB) handle for the hard disk?

Describes the physical layout and volume partitions
Specifies the location of the operating system
Initializes code that executes after powering the firmware interface
Interprets the boot configuration data and selects boot policy

A

Describes the physical layout and volume partitions

45
Q

How does RAID 3 store information?

Information is written on a minimum of two drives for quick reading and writing of data.
Data is mirrored on two drives to improve the speed of retrieving information and resilience.
Information is written at byte level across multiple drives, but only one is dedicated for parity.
Information is stored on multiple drives, with floating parity for improved performance and resilience.

A

Information is written at byte level across multiple drives, but only one is dedicated for parity.

46
Q

Which file system is on a system with MacOS installed?

New Technology File System (NTFS)
Hierarchical File System Plus (HFS+)
Extended file system (EXT)
Z File System (ZFS)

A

Hierarchical File System Plus (HFS+)

47
Q

Where should an investigator search for details of activities that have taken place in an SQL database?

Primary data files (MDF)
Secondary data files (NDF)
Data definition language (DDL) files
Transaction log data files (LDF)

A

Transaction log data files (LDF)

48
Q

Which command line utility enables an investigator to analyze privileges assigned to database files?

DBINFO
SHOWFILESTATS
mysqldump
mysqlaccess

A

mysqlaccess

49
Q

The following is the header from a threatening email:

Received: from Mailhost.big-isp.com
(mailhost.big-isp.com [124.53.112.16]) by
Mailhost.gigantic-isp.com (8.8.5/8.7.2)
Received: from mail.biedburz.usa
(mail.biedburz.usa [124.211.3.88]) by
Mailhost.big-isp.com (10.5.2/10.4.1)
With ESMTP id LAA20869 for
timmy@gigantic-isp.com; Tue, Jan 26
2016 14:39:24 -0800 (PST)

What is the name of the server that sent the message?

Mail.biedburz.usa
Mailhost.big-isp.com
Mailhost.gigantic-isp.com
Timmy@gigantic-isp.com

A

Mail.biedburz.usa

50
Q

Which header allows an investigator to determine if a message was sent to many recipients?

In-Reply-To
Content-Type
X-Distribution
X-Mailer

A

X-Distribution

51
Q

Which operating system contains PLIST files for forensic analysis?

Android
Windows
Linux
MacOS

A

MacOS

52
Q

Which operating system contains the authentication log at /var/log/auth.log?

Android
Linux
iOS
MacOS

A

Linux

53
Q

Which path should a forensic investigator use to look for system logs in a Mac?

/var/log/cups/access_log
/var/log/
/var/audit/
/var/log/install.log

A

/var/log/

54
Q

Which tool should a forensic investigator use to view information from Linux kernel ring buffers?

arp
dmesg
fsck
grep

A

dmesg

55
Q

A forensic investigator makes a bit-stream copy of a Windows hard drive that has been reformatted. The investigator needs to locate only the Adobe PDF files on the hard drive.

Which tool should this investigator use?

Quick Recovery
Handy Recovery
EaseUS Data Recovery
Stellar Data Recovery

A

EaseUS Data Recovery

56
Q

Which hexadecimal value should an investigator search for to find JPEG images on a device?

0x424D
0xD0CF11E0A1B11AE1
0x504B030414000600
0xFFD8

A

0xFFD8

57
Q

Which type of steganography allows the user to physically move a file but keep the associated files in their original location for recovery?

Whitespace
Folder
Image
Web

A

Folder

58
Q

An employee steals a sensitive text file by embedding it into a PNG file. The employee then sends this file via an instant chat message to an accomplice.

Which type of steganography did this employee use?

Document
Image
Text
Web

A

Image

59
Q

A first responder arrives at an active crime scene that has several mobile devices.

What should this first responder do while securing the crime scene?

Leave the devices in the state they are in and put them in anti-static bags
Turn on the devices and review recently accessed data
Turn off the devices to preserve the volatile memory
Leave the devices as found and fill out chain of custody paperwork

A

Leave the devices as found and fill out chain of custody paperwork

60
Q

What is a responsibility of the first responder at a crime scene?

Package and transport the evidence
Identify the presence of rootkits on the evidence
Decrypt the evidence by cracking passwords
Detect malware present on the evidence

A

Package and transport the evidence

61
Q

Which step preserves the forensic integrity of volatile evidence when a device is discovered in the powered-on state?

Documenting the procedures for shutting down the system
Collecting information with a secure command shell
Using the built-in backup utility to gather information
Copying the file with the keyboard shortcut Ctrl+C

A

Collecting information with a secure command shell

62
Q

Which action maintains the integrity of evidence when a forensic laptop is used to acquire data from a compromised computer?

Connecting the machines with a straight-through cable
Connecting the machines with a crossover cable
Enabling a hardware write blocker
Enabling administrative control

A

Enabling a hardware write blocker

63
Q

What should an investigator do while collecting evidence from a device?

Turn off the computer to protect the data
Install antivirus software to protect information
Begin documenting the chain of custody
Close any open documents and applications

A

Begin documenting the chain of custody

64
Q

Why should investigators use the bit-stream disk-to-disk data acquisition method rather than the disk-to-image method?

Ensures that integrity is not compromised
Preserves the required chain of custody
Addresses potential errors and incompatibilities
Avoids the possibility of running out of space

A

Addresses potential errors and incompatibilities

65
Q

What should an investigator do to ensure that creating a forensic hard drive image does not alter the drive?

Make a duplicate using the dd command
Make a duplicate using the cp command
Copy each file to a new disk using copy and paste
Copy each file to a new disk using File Explorer

A

Make a duplicate using the dd command

66
Q

A Mac computer that does not have removable batteries is powered on.

Which action must a first responder take to preserve digital evidence from the computer once volatile information is collected?

Place the computer in an anti-static bag
Obtain the IP address of the computer
Maintain the power with a portable charger
Press the power switch for 30 seconds

A

Press the power switch for 30 seconds

67
Q

What should an investigator do to ensure that a phone serving as evidence at a crime scene is properly isolated?

Contact the service provider
Turn the device off
Remove the battery
Use a Faraday bag

A

Use a Faraday bag

68
Q

First responders arrive at a company and determine that a non-company Windows 7 computer was used to breach information systems. The computer is still powered on.

What is the correct procedure for powering off this computer once the volatile information has been collected?

Shut down the device by clicking Special Shutdown
Unplug the electrical cord from the wall socket
Type Get-Service | Where {$_.status -eq 'running'}
Press down the Ctrl and L keys simultaneously

A

Unplug the electrical cord from the wall socket