
312-49v10 Computer Hacking Forensic Investigator (CHFI-v10) Questions and Answers

Question 4

What will the following Linux command accomplish?

dd if=/dev/mem of=/home/sam/mem.bin bs=1024

Options:

A. Copy the master boot record to a file
B. Copy the contents of the system folder to a file
C. Copy the running memory to a file
D. Copy the memory dump file to an image file

Question 5

Meyer Electronics Systems recently had a number of laptops stolen from their office. These laptops contained sensitive corporate information regarding patents and company strategies. A month after the laptops were stolen, a competing company was found to have developed products that almost exactly duplicated products that Meyer produces. What could have prevented this information from being stolen from the laptops?

Options:

A. EFS Encryption
B. DFS Encryption
C. IPS Encryption
D. SDW Encryption

Question 6

You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?

Options:

A. The registry
B. The swap file
C. The recycle bin
D. The metadata

Question 7

Michael works for Kimball Construction Company as a senior security analyst. As part of the yearly security audit, Michael scans his network for vulnerabilities. Using Nmap, Michael conducts an XMAS scan and most of the ports scanned do not give a response. In what state are these ports?

Options:

A. Closed
B. Open
C. Stealth
D. Filtered

Question 8

Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?

Options:

A. bench warrant
B. wire tap
C. subpoena
D. search warrant

Question 9

When is it appropriate to use computer forensics?

Options:

A. If copyright and intellectual property theft/misuse has occurred
B. If employees do not care for their boss's management techniques
C. If sales drop off for no apparent reason for an extended period of time
D. If a financial institution is burglarized by robbers

Question 10

Where does Encase search to recover NTFS files and folders?

Options:

A. MBR
B. MFT
C. Slack space
D. HAL

Question 11

Which Federal Rule of Evidence speaks about the hearsay exception where the availability of the declarant is immaterial and certain characteristics of the declarant, such as present sense impression, excited utterance, and recorded recollection, are also observed while giving their testimony?

Options:

A. Rule 801
B. Rule 802
C. Rule 804
D. Rule 803

Question 12

Williamson is a forensic investigator. While investigating a case of data breach at a company, he is maintaining a document that records details such as the forensic processes applied to the collected evidence, particulars of the people handling it, the dates and times when it is being handled, and the place of storage of the evidence. What do you call this document?

Options:

A. Consent form
B. Log book
C. Authorization form
D. Chain of custody

Question 13

Mark works for a government agency as a cyber-forensic investigator. He has been given the task of restoring data from a hard drive. The partition of the hard drive was deleted by a disgruntled employee in order to hide their nefarious actions. What tool should Mark use to restore the data?

Options:

A. EFSDump
B. Diskmon
C. Diskview
D. R-Studio

Question 14

Edgar is part of the FBI's forensic media and malware analysis team; he is analyzing a current malware sample and is conducting a thorough examination of the suspect system, network, and other connected devices. Edgar's approach is to execute the malware code to learn how it interacts with the host system and its impact on it. He is also using a virtual machine and a sandbox environment.

What type of malware analysis is Edgar performing?

Options:

A. Malware disassembly
B. VirusTotal analysis
C. Static analysis
D. Dynamic malware analysis/behavioral analysis

Question 15

Which of the following Windows event logs records events related to device drivers and hardware changes?

Options:

A. Forwarded events log
B. System log
C. Application log
D. Security log

Question 16

Which of the following acts was passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations?

Options:

A. Federal Information Security Management Act of 2002
B. Gramm-Leach-Bliley Act
C. Health Insurance Portability and Accountability Act of 1996
D. Sarbanes-Oxley Act of 2002

Question 17

To which phase of the computer forensics investigation process does "planning and budgeting of a forensics lab" belong?

Options:

A. Post-investigation phase
B. Reporting phase
C. Pre-investigation phase
D. Investigation phase

Question 18

Chloe is a forensic examiner who is currently cracking hashed passwords for a crucial mission, hoping to solve the case. She is using a lookup table for recovering a plain-text password from cipher text; it contains a word list and a brute-force list along with their computed hash values. Chloe is also using a graphical generator that supports SHA1.

a. What password technique is being used?

b. What tool is Chloe using?

Options:

A. a. Dictionary attack; b. Cisco PIX
B. a. Cain & Abel; b. Rten
C. a. Brute-force; b. MScache
D. a. Rainbow Tables; b. Winrtgen

Question 19

Brian has the job of analyzing malware for a software security company. Brian has set up a virtual environment that includes virtual machines running various versions of OSes. Additionally, Brian has set up separate virtual networks within this environment. The virtual environment does not connect to the company's intranet, nor does it connect to the external Internet. With everything set up, Brian now receives an executable file from a client that has undergone a cyberattack. Brian runs the executable file in the virtual environment to see what it would do. What type of analysis did Brian perform?

Options:

A. Static malware analysis
B. Status malware analysis
C. Dynamic malware analysis
D. Static OS analysis

Question 20

You are an information security analyst at a large pharmaceutical company. While performing a routine review of audit logs, you have noticed a significant amount of egress traffic to various IP addresses on destination port 22 during off-peak hours. You researched some of the IP addresses and found that many of them are in Eastern Europe. What is the most likely cause of this traffic?

Options:

A. Malicious software on an internal system is downloading research data from partner SFTP servers in Eastern Europe
B. Internal systems are downloading automatic Windows updates
C. Data is being exfiltrated by an advanced persistent threat (APT)
D. The organization's primary internal DNS server has been compromised and is performing DNS zone transfers to malicious external entities

Question 21

The working of the Tor browser is based on which of the following concepts?

Options:

A. Both static and default routing
B. Default routing
C. Static routing
D. Onion routing

Question 22

Fred, a cybercrime investigator for the FBI, finished storing a solid-state drive in a static-resistant bag and filled out the chain of custody form. Two days later, John grabbed the solid-state drive and created a clone of it (with write blockers enabled) in order to investigate the drive. He did not document the chain of custody, though. When John was finished, he put the solid-state drive back in the static-resistant bag and placed it back in the evidence locker. A day later, the court trial began and, upon presenting the evidence and the supporting documents, the chief justice outright rejected them. Which of the following statements strongly supports the reason for rejecting the evidence?

Options:

A. Block clones cannot be created with solid-state drives
B. Write blockers were used while cloning the evidence
C. John did not document the chain of custody
D. John investigated the clone instead of the original evidence itself

Question 23

In a virtual test environment, Michael is testing the strength and security of BGP using multiple routers to mimic the backbone of the Internet. This project will help him write his doctoral thesis on "bringing down the Internet". Without sniffing the traffic between the routers, Michael sends millions of RESET packets to the routers in an attempt to shut one or all of them down. After a few hours, one of the routers finally shuts itself down. What will the other routers communicate between themselves?

Options:

A. The change in the routing fabric to bypass the affected router
B. More RESET packets to the affected router to get it to power back up
C. RESTART packets to the affected router to get it to power back up
D. STOP packets to all other routers warning of where the attack originated

Question 24

What will the following command accomplish?

dd if=/dev/xxx of=mbr.backup bs=512 count=1

Options:

A. Back up the master boot record
B. Restore the master boot record
C. Mount the master boot record on the first partition of the hard drive
D. Restore the first 512 bytes of the first partition of the hard drive

Question 25

Which of the following is a record of the characteristics of a file system, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map and usage information, and the size of the block groups?

Options:

A. Inode bitmap block
B. Superblock
C. Block bitmap block
D. Data block

Question 26

Lance wants to place a honeypot on his network. Which of the following would be your recommendation?

Options:

A. Use a system that has dynamic addressing on the network
B. Use a system that is not directly interacting with the router
C. Use it on a system in an external DMZ in front of the firewall
D. It doesn't matter, as all replies are faked

Question 27

Investigators can use the Type Allocation Code (TAC) to find the model and origin of a mobile device. Where is the TAC located in mobile devices?

Options:

A. International Mobile Equipment Identifier (IMEI)
B. Integrated circuit card identifier (ICCID)
C. International mobile subscriber identity (IMSI)
D. Equipment Identity Register (EIR)

Question 28

Report writing is a crucial stage in the outcome of an investigation. Which information should not be included in the report section?

Options:

A. Speculation or opinion as to the cause of the incident
B. Purpose of the report
C. Author of the report
D. Incident summary

Question 29

What does Locard's Exchange Principle state?

Options:

A. Any information of probative value that is either stored or transmitted in a digital form
B. Digital evidence must have some characteristics to be disclosed in the court of law
C. Anyone or anything entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave
D. Forensic investigators face many challenges during the forensic investigation of a digital crime, such as extracting, preserving, and analyzing the digital evidence

Question 30

Chong-lee, a forensics executive, suspects that malware is continuously making copies of files and folders on a victim system to consume the available disk space. What type of test would confirm his claim?

Options:

A. File fingerprinting
B. Identifying file obfuscation
C. Static analysis
D. Dynamic analysis

Question 31

What system details can an investigator obtain from the NetBIOS name table cache?

Options:

A. List of files opened on other systems
B. List of the systems present on a router
C. List of connections made to other systems
D. List of files shared between the connected systems

Question 32

What does 254 represent in ICCID 89254021520014515744?

Options:

A. Industry Identifier Prefix
B. Country Code
C. Individual Account Identification Number
D. Issuer Identifier Number

Question 33

How often must a company keep log files for them to be admissible in a court of law?

Options:

A. All log files are admissible in court no matter their frequency
B. Weekly
C. Monthly
D. Continuously

Question 34

Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?

Options:

A. Network
B. Transport
C. Physical
D. Data Link

Question 35

A computer forensics investigator is inspecting the firewall logs for a large financial institution that has employees working 24 hours a day, 7 days a week.

What can the investigator infer from the screenshot seen below?

Options:

A. A smurf attack has been attempted
B. A denial of service has been attempted
C. Network intrusion has occurred
D. Buffer overflow attempt on the firewall

Question 36

Which network attack is described by the following statement? "At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries."

Options:

A. Man-in-the-Middle Attack
B. Sniffer Attack
C. Buffer Overflow
D. DDoS

Question 37

In steganalysis, which of the following describes a known-stego attack?

Options:

A. The hidden message and the corresponding stego-image are known
B. During the communication process, active attackers can change the cover
C. Original and stego-object are available and the steganography algorithm is known
D. Only the steganography medium is available for analysis

Question 38

A forensics investigator needs to copy data from a computer to some type of removable media so he can examine the information at another location. The problem is that the data is around 42GB in size. What type of removable media could the investigator use?

Options:

A. Blu-Ray single-layer
B. HD-DVD
C. Blu-Ray dual-layer
D. DVD-18

Question 39

A picture file is recovered from a computer under investigation. During the investigation process, the file is enlarged 500% to get a better view of its contents. The picture quality is not degraded at all by this process. What kind of picture is this file?

Options:

A. Raster image
B. Vector image
C. Metafile image
D. Catalog image

Question 40

Which of the following is a database in which information about every file and directory on an NT File System (NTFS) volume is stored?

Options:

A. Volume Boot Record
B. Master Boot Record
C. GUID Partition Table
D. Master File Table

Question 41

Steven has been given the task of designing a computer forensics lab for the company he works for. He has found documentation on all aspects of how to design a lab except the number of exits needed. How many exits should Steven include in his design for the computer forensics lab?

Options:

A. Three
B. One
C. Two
D. Four

Question 42

Which password cracking technique uses details such as the length of the password, the character sets used to construct the password, etc.?

Options:

A. Dictionary attack
B. Brute force attack
C. Rule-based attack
D. Man in the middle attack

Question 43

What encryption technology is used by Password Keeper on BlackBerry devices?

Options:

A. 3DES
B. AES
C. Blowfish
D. RC5

Question 44

Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in Windows 7 is:

Options:

A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList
C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegList
D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Regedit

Question 45

When a user deletes a file or folder, the system stores the complete path, including the original filename, in a special hidden file called "INFO2" in the Recycled folder. If the INFO2 file is deleted, it is recovered when you ______________________.

Options:

A. Undo the last action performed on the system
B. Reboot Windows
C. Use a recovery tool to undelete the file
D. Download the file from the Microsoft website

Question 46

Stephen is checking an image using Compare Files by The Wizard, and he sees the file signature is shown as FF D8 FF E1. What is the file type of the image?

Options:

A. gif
B. bmp
C. jpeg
D. png

Question 47

Under confession, an accused criminal admitted to encrypting child pornography pictures and then hiding them within other pictures. What technique did the accused criminal employ?

Options:

A. Typography
B. Steganalysis
C. Picture encoding
D. Steganography

Question 48

How will you categorize a cybercrime that took place within a CSP's cloud environment?

Options:

A. Cloud as a Subject
B. Cloud as a Tool
C. Cloud as an Audit
D. Cloud as an Object

Question 49

What type of analysis helps to identify the time and sequence of events in an investigation?

Options:

A. Time-based
B. Functional
C. Relational
D. Temporal

Question 50

Malware analysis can be conducted in various manners. An investigator gathers a suspicious executable file and uploads it to VirusTotal in order to confirm whether the file is malicious, obtain information about its functionality, and obtain information that will allow simple network signatures to be produced. What type of malware analysis was performed here?

Options:

A. Static
B. Volatile
C. Dynamic
D. Hybrid

Question 51

A forensic examiner encounters a computer with a failed OS installation and the master boot record (MBR) or partition sector damaged. Which of the following tools can find and restore files and information on the disk?

Options:

A. Helix
B. R-Studio
C. NetCat
D. Wireshark

Question 52

Recently, an internal web app that a government agency utilizes has become unresponsive. Betty, a network engineer for the government agency, has been tasked to determine the cause of the web application's unresponsiveness. Betty launches Wireshark and begins capturing the traffic on the local network. While analyzing the results, Betty noticed that a SYN flood attack was underway. How did Betty know a SYN flood attack was occurring?

Options:

A. Wireshark capture shows multiple ACK requests and SYN responses from single/multiple IP address(es)
B. Wireshark capture does not show anything unusual and the issue is related to the web application
C. Wireshark capture shows multiple SYN requests and RST responses from single/multiple IP address(es)
D. Wireshark capture shows multiple SYN requests and ACK responses from single/multiple IP address(es)

Question 53

Derrick, a forensic specialist, was investigating an active computer that was executing various processes. Derrick wanted to check whether this system was used in an incident that occurred earlier. He started inspecting and gathering the contents of RAM, cache, and DLLs to identify incident signatures. Identify the data acquisition method employed by Derrick in the above scenario.

Options:

A. Dead data acquisition
B. Static data acquisition
C. Non-volatile data acquisition
D. Live data acquisition

Question 54

Which of the following malware targets Android mobile devices and installs a backdoor that remotely installs applications from an attacker-controlled server?

Options:

A. Felix
B. XcodeGhost
C. xHelper
D. Unflod

Question 55

Sally accessed the computer system that holds trade secrets of the company where she is employed. She knows she accessed it without authorization and that all access (authorized and unauthorized) to this computer is monitored. To cover her tracks, Sally deleted the log entries on this computer. Which of the following best describes her action?

Options:

A. Password sniffing
B. Anti-forensics
C. Brute-force attack
D. Network intrusion

Question 56

A cybercriminal is attempting to remove evidence from a Windows computer. He deletes the file evidence1.doc, sending it to the Windows Recycle Bin. The cybercriminal then empties the Recycle Bin. After having been removed from the Recycle Bin, what will happen to the data?

Options:

A. The data will remain in its original clusters until it is overwritten
B. The data will be moved to new clusters in unallocated space
C. The data will become corrupted, making it unrecoverable
D. The data will be overwritten with zeroes

Question 57

Which of the following is the most effective tool for acquiring volatile data from a Windows-based system?

Options:

A. Coreography
B. Datagrab
C. Ethereal
D. Helix

Question 58

You are the incident response manager at a regional bank. While performing routine auditing of web application logs, you find several attempted login submissions that contain the following strings:

What kind of attack has occurred?

Options:

A. SQL injection
B. Buffer overflow
C. Cross-site scripting
D. Cross-site request forgery

Question 59

Which OWASP IoT vulnerability talks about security flaws such as lack of firmware validation, lack of secure delivery, and lack of anti-rollback mechanisms on IoT devices?

Options:

A. Lack of secure update mechanism
B. Use of insecure or outdated components
C. Insecure default settings
D. Insecure data transfer and storage

Question 60

Rule 1002 of the Federal Rules of Evidence (US) talks about _____

Options:

A. Admissibility of original
B. Admissibility of duplicates
C. Requirement of original
D. Admissibility of other evidence of contents

Question 61

Steve received a mail that seemed to have come from her bank. The mail has instructions for Steve to click on a link and provide information to avoid the suspension of her account. The link in the mail redirected her to a form asking for details such as name, phone number, date of birth, credit card number or PIN, CVV code, SSNs, and email address. On a closer look, Steve realized that the URL of the form is not the same as that of her bank's. Identify the type of external attack performed by the attacker in the above scenario.

Options:

A. Phishing
B. Espionage
C. Tailgating
D. Brute-force

Question 62

Graphics Interchange Format (GIF) is a ____ RGB bitmap image format for images with up to 256 distinct colors per frame.

Options:

A. 8-bit
B. 32-bit
C. 16-bit
D. 24-bit

Question 63

What malware analysis operation can the investigator perform using the jv16 tool?

Options:

A. Files and Folder Monitor
B. Installation Monitor
C. Network Traffic Monitoring/Analysis
D. Registry Analysis/Monitoring

Question 64

Which of the following ISO standards defines file systems and a protocol for exchanging data between optical disks?

Options:

A. ISO 9660
B. ISO/IEC 13940
C. ISO 9060
D. IEC 3490

Question 65

Maria has executed a suspicious executable file in a controlled environment and wants to see, via Windows Event Viewer, whether the file adds/modifies any registry value after execution. Which of the following event IDs should she look for in this scenario?

Options:

A. Event ID 4657
B. Event ID 4624
C. Event ID 4688
D. Event ID 7040

Question 66

When installed on a Windows machine, which port does the Tor browser use to establish a network connection via Tor nodes?

Options:

A. 7680
B. 49667/49668
C. 9150/9151
D. 49664/49665

Question 67

A breach resulted from a malware attack that evaded detection and compromised the machine memory without installing any software or accessing the hard drive. What technique did the adversaries use to deliver the attack?

Options:

A. Fileless
B. Trojan
C. JavaScript
D. Spyware

Question 68

Which of the following Perl scripts will help an investigator to access the executable image of a process?

Options:

A. Lspd.pl
B. Lpsi.pl
C. Lspm.pl
D. Lspi.pl

Question 69

Which of the following is a federal law enacted in the US to control the ways that financial institutions deal with the private information of individuals?

Options:

A. SOX
B. HIPAA 1996
C. GLBA
D. PCI DSS

Question 70

During forensic investigations, investigators tend to collect the system time first and compare it with UTC. What does the abbreviation UTC stand for?

Options:

A. Coordinated Universal Time
B. Universal Computer Time
C. Universal Time for Computers
D. Correlated Universal Time

Question 71

Buffer overflow vulnerabilities in web applications occur when the application fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites the _________. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack.

Options:

A. Adjacent buffer locations
B. Adjacent string locations
C. Adjacent bit blocks
D. Adjacent memory locations

Question 72

Amber, a black hat hacker, has embedded malware into a small enticing advertisement and posted it on a popular ad network that displays across various websites. What is she doing?

Options:

A. Malvertising
B. Compromising a legitimate site
C. Click-jacking
D. Spearphishing

Question 73

What is the framework used for application development for iOS-based mobile devices?

Options:

A. Cocoa Touch
B. Dalvik
C. Zygote
D. AirPlay

Question 74

Which of the following protocols allows non-ASCII files, such as video, graphics, and audio, to be sent through email messages?

Options:

A. MIME
B. BINHEX
C. UT-16
D. UUCODE

Question 75

A forensic examiner is examining a Windows system seized from a crime scene. During the examination of a suspect file, he discovered that the file is password protected. He tried guessing the password using the suspect's available information but without any success. Which of the following tools can help the investigator to solve this issue?

Options:

A. Cain & Abel
B. Xplico
C. Recuva
D. Colasoft's Capsa

Question 76

An investigator has acquired packed software and needs to analyze it for the presence of malicious code. Which of the following tools can help in finding the packing software used?

Options:

A. SysAnalyzer
B. PEiD
C. Comodo Programs Manager
D. Dependency Walker

Question 77

Ron, a computer forensics expert, is investigating a case involving corporate espionage. He has recovered several mobile computing devices from the crime scene. One piece of evidence that Ron possesses is a mobile phone from Nokia that was left powered on. Ron needs to recover the IMEI number of the device to establish the identity of the device owner. Which of the following key combinations can he use to recover the IMEI number?

Options:

A. #*06*#
B. *#06#
C. #06#*
D. *IMEI#

Question 78

Which component in the hard disk moves over the platter to read and write information?

Options:

A. Actuator
B. Spindle
C. Actuator Axis
D. Head

Question 79

A section of your forensics lab houses several pieces of electrical and electronic equipment. Which type of fire extinguisher must you install in this area to contain any fire incident?

Options:

A. Class B
B. Class D
C. Class C
D. Class A

Question 80

Randy has extracted data from an old version of a Windows-based system and discovered the info file Dc5.txt in the system recycle bin. What does the file name denote?

Options:

A. A text file deleted from C drive in sixth sequential order
B. A text file deleted from C drive in fifth sequential order
C. A text file copied from D drive to C drive in fifth sequential order
D. A text file copied from C drive to D drive in fifth sequential order

Question 81

A buffer overflow vulnerability in a web application occurs when it fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites the _________. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack.

Options:

A. Adjacent memory locations
B. Adjacent bit blocks
C. Adjacent buffer locations
D. Adjacent string locations

Question 82

A honeypot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you are required to infer only what is explicit in the excerpt.

(Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)

03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111
TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23678634 2878772
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111
UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84
Len: 64
01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ................
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................
00 00 00 11 00 00 00 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773
UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104
Len: 1084
47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8

Options:

A. The attacker has conducted a network sweep on port 111
B. The attacker has scanned and exploited the system using Buffer Overflow
C. The attacker has used a Trojan on port 32773
D. The attacker has installed a backdoor

Question 83

Paul's company is in the process of undergoing a complete security audit including logical and physical security testing. After all logical tests were performed, it is now time for the physical round to begin. None of the employees are made aware of this round of testing. The security-auditing firm sends in a technician dressed as an electrician. He waits outside in the lobby for some employees to get to work and follows behind them when they access the restricted areas. After entering the main office, he is able to get into the server room by telling the IT manager that there is a problem with the outlets in that room. What type of attack has the technician performed?

Options:

A. Tailgating
B. Backtrapping
C. Man trap attack
D. Fuzzing

Question 84

If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

Options:

A. The system files have been copied by a remote attacker
B. The system administrator has created an incremental backup
C. The system has been compromised using a t0rnrootkit
D. Nothing in particular, as these can be operational files

Questions 85

What is the investigator trying to view by issuing the command displayed in the following screenshot?

Options:

A. List of services stopped
B. List of services closed recently
C. List of services recently started
D. List of services installed

Questions 86

Hard disk data addressing is a method of allotting addresses to each _______ of data on a hard disk.

Options:

A. Physical block
B. Operating system block
C. Hard disk block
D. Logical block

Questions 87

Robert is a regional manager working in a reputed organization. One day, he suspected a malware attack after unwanted programs started to pop up after logging into his computer. The network administrator was called upon to trace any intrusion on the computer and found that suspicious activity had taken place within Autostart locations. In this situation, which of the following tools is used by the network administrator to detect any intrusion on a system?

Options:

A. Hex Editor
B. Internet Evidence Finder
C. Process Monitor
D. Report Viewer

Questions 88

What does the 56.58.152.114(445) denote in a Cisco router log?

Jun 19 23:25:46.125 EST: %SEC-4-IPACCESSLOGP: list internet-inbound denied udp 67.124.115.35(8084) -> 56.58.152.114(445), 1 packet

Options:

A. Source IP address
B. None of the above
C. Login IP address
D. Destination IP address

Questions 89

The CAN-SPAM Act requires that you:

Options:

A. Don't use deceptive subject lines
B. Don't tell the recipients where you are located
C. Don't identify the message as an ad
D. Don't use true header information

Questions 90

During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding process. Therefore, you report this evidence. This type of evidence is known as:

Options:

A. Inculpatory evidence
B. Mandatory evidence
C. Exculpatory evidence
D. Terrible evidence

Questions 91

With regard to using an antivirus scanner during a computer forensics investigation, you should:

Options:

A. Scan the suspect hard drive before beginning an investigation
B. Never run a scan on your forensics workstation because it could change your system's configuration
C. Scan your forensics workstation at intervals of no more than once every five minutes during an investigation
D. Scan your forensics workstation before beginning an investigation

Questions 92

Before you are called to testify as an expert, what must an attorney do first?

Options:

A. engage in damage control
B. prove that the tools you used to conduct your examination are perfect
C. read your curriculum vitae to the jury
D. qualify you as an expert witness

Questions 93

You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message?

Options:

A. The X509 Address
B. The SMTP reply Address
C. The E-mail Header
D. The Host Domain Name

Questions 94

When you carve an image, recovering the image depends on which of the following skills?

Options:

A. Recognizing the pattern of the header content
B. Recovering the image from a tape backup
C. Recognizing the pattern of a corrupt file
D. Recovering the image from the tape backup

Questions 95

Jason has set up a honeypot environment by creating a DMZ that has no physical or logical access to his production network. In this honeypot, he has placed a server running Windows Active Directory. He has also placed a Web server in the DMZ that services a number of web pages that offer visitors a chance to download sensitive information by clicking on a button. A week later, Jason finds in his network logs how an intruder accessed the honeypot and downloaded sensitive information. Jason uses the logs to try and prosecute the intruder for stealing sensitive corporate information. Why will this not be viable?

Options:

A. Entrapment
B. Enticement
C. Intruding into a honeypot is not illegal
D. Intruding into a DMZ is not illegal

Questions 96

The following excerpt is taken from a honeypot log. The log captures activities across three days.

There are several intrusion attempts; however, a few are successful.

(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of the attack.)

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169

Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482

Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53

Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21

Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53

Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53

Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111

Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80

Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)

Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)

Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080

Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

From the options given below choose the one which best interprets the following entry:

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

Options:

A. An IDS evasion technique
B. A buffer overflow attempt
C. A DNS zone transfer
D. Data being retrieved from 63.226.81.13

Questions 97

An "idle" system is also referred to as what?

Options:

A. PC not connected to the Internet
B. Zombie
C. PC not being used
D. Bot

Questions 98

You are working for a large clothing manufacturer as a computer forensics investigator and are called in to investigate an unusual case of an employee possibly stealing clothing designs from the company and selling them under a different brand name for a different company. What you discover during the course of the investigation is that the clothing designs are actually original products of the employee and the company has no policy against an employee selling his own designs on his own time. The only thing that you can find that the employee is doing wrong is that his clothing design incorporates the same graphic symbol as that of the company with only the wording in the graphic being different. What area of the law is the employee violating?

Options:

A. trademark law
B. copyright law
C. printright law
D. brandmark law

Questions 99

One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example, changing a .jpg extension to a .doc extension so that a picture file appears to be a document. What can an investigator examine to verify that a file has the correct extension?

Options:

A. the File Allocation Table
B. the file header
C. the file footer
D. the sector map

Questions 100

John is using Firewalk to test the security of his Cisco PIX firewall. He is also utilizing a sniffer located on a subnet that resides deep inside his network. After analyzing the sniffer log files, he does not see any of the traffic produced by Firewalk. Why is that?

Options:

A. Firewalk cannot pass through Cisco firewalls
B. Firewalk sets all packets with a TTL of zero
C. Firewalk cannot be detected by network sniffers
D. Firewalk sets all packets with a TTL of one

Questions 101

If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector investigation and should be referred to law enforcement?

Options:

A. true
B. false

Questions 102

When obtaining a warrant, it is important to:

Options:

A. particularly describe the place to be searched and particularly describe the items to be seized
B. generally describe the place to be searched and particularly describe the items to be seized
C. generally describe the place to be searched and generally describe the items to be seized
D. particularly describe the place to be searched and generally describe the items to be seized

Questions 103

What does the superblock in Linux define?

Options:

A. file system names
B. disk geometry
C. location of the first inode
D. available space

Questions 104

What file structure database would you expect to find on floppy disks?

Options:

A. NTFS
B. FAT32
C. FAT16
D. FAT12

Questions 105

Which of the following is NOT a graphics file?

Options:

A. Picture1.tga
B. Picture2.bmp
C. Picture3.nfo
D. Picture4.psd

Exam Code: 312-49v10
Exam Name: Computer Hacking Forensic Investigator (CHFI-v10)
Last Update: Nov 4, 2024
Questions: 704