312-49V10 Practice Exam Free

312-49V10 Practice Exam Free – 50 Questions to Simulate the Real Exam

Are you getting ready for the 312-49V10 certification? Take your preparation to the next level with our 312-49V10 Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.

Using a 312-49V10 practice exam free is one of the best ways to:

  • Experience the format and difficulty of the real exam
  • Identify your strengths and focus on weak areas
  • Improve your test-taking speed and accuracy

Below, you will find 50 realistic 312-49V10 practice exam free questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.

Question 1

An investigator has extracted the device descriptor for a 1GB thumb drive that looks like: `Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15`. What does the `Geek_Squad` part represent?

A. Product description

B. Manufacturer Details

C. Developer description

D. Software or OS used

 


Suggested Answer: A

 

Question 2

Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted so as to cause a denial-of-service attack?

A. Email spamming

B. Phishing

C. Email spoofing

D. Mail bombing

 


Suggested Answer: D

 

Question 3

Which US law does the interstate or international transportation and receiving of child pornography fall under?

A. §18. U.S.C. 1466A

B. §18. U.S.C 252

C. §18. U.S.C 146A

D. §18. U.S.C 2252

 


Suggested Answer: D

 

Question 4

In an ongoing investigation, a computer forensics investigator encounters a suspicious file believed to be packed using a password-protected program packer. The investigator possesses both the knowledge of the packing tool used and the necessary unpacking tool. What critical step should the investigator consider before analyzing the packed file?

A. Conduct static analysis on the packed file immediately

B. Reverse engineer the packed file to understand the hidden attack tools

C. Attempt to decrypt the password prior to unpacking the file

D. Run the packed file in a controlled environment for dynamic analysis

 


Suggested Answer: C

Community Answer: C

 

Question 5

A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?

A. Searching for evidence themselves would not have any ill effects

B. Searching could possibly crash the machine or device

C. Searching creates cache files, which would hinder the investigation

D. Searching can change date/time stamps

 


Suggested Answer: D

 

Question 6

This organization maintains a database of hash signatures for known software.

A. International Standards Organization

B. Institute of Electrical and Electronics Engineers

C. National Software Reference Library

D. American National Standards Institute

 


Suggested Answer: C

Community Answer: C

 

Question 7

If a suspect computer is located in an area that may have toxic chemicals, you must:

A. coordinate with the HAZMAT team

B. determine a way to obtain the suspect computer

C. assume the suspect machine is contaminated

D. do not enter alone

 


Suggested Answer: A

Community Answer: C

 

Question 8

What method of copying should always be performed first before carrying out an investigation?

A. Parity-bit copy

B. Bit-stream copy

C. MS-DOS disc copy

D. System level copy

 


Suggested Answer: B

 

Question 9

What type of analysis helps to identify the time and sequence of events in an investigation?

A. Time-based

B. Functional

C. Relational

D. Temporal

 


Suggested Answer: D

 

Question 10

_____________ allows a forensic investigator to identify the missing links during investigation.

A. Chain of custody

B. Exhibit numbering

C. Evidence preservation

D. Evidence reconstruction

 


Suggested Answer: D

Community Answer: D

 

Question 11

John is working on his company policies and guidelines. The section he is currently working on covers company documents; how they should be handled, stored, and eventually destroyed. John is concerned about the process whereby outdated documents are destroyed. What type of shredder should John write in the guidelines to be used when destroying documents?

A. Strip-cut shredder

B. Cross-cut shredder

C. Cross-hatch shredder

D. Cris-cross shredder

 


Suggested Answer: B

 

Question 12

Which of the following is a federal law enacted in the US to control the ways that financial institutions deal with the private information of individuals?

A. SOX

B. HIPAA 1996

C. GLBA

D. PCI DSS

 


Suggested Answer: C

 

Question 13

During an international cybercrime investigation, your team discovers an intercepted email with a sequence of special characters. Believing that the Unicode standard might have been used in encoding the message, which of the following elements could serve as the strongest indicator of this suspicion?

A. The presence of characters from multiple modern and historic scripts

B. The presence of over 128.000 different characters in the intercepted email

C. The presence of a unique number for each character, irrespective of the platform, program, and language

D. The presence of characters from a single non-English script

 


Suggested Answer: C

Community Answer: C

 

Question 14

The Linux operating system has two typical bootloaders, namely LILO (Linux Loader) and GRUB (Grand Unified Bootloader). In which stage of the booting process do the bootloaders become active?

A. Bootloader Stage

B. Kernel Stage

C. BootROM Stage

D. BIOS Stage

 


Suggested Answer: A

Community Answer: A

 

Question 15

In a situation where an investigator needs to acquire volatile data from a live Linux system, the physical access to the suspect machine is either restricted or unavailable. Which of the following steps will be the most suitable approach to perform this task?

A. The investigator should use the Belkasoft Live RAM Capturer on the forensic workstation, then remotely execute the tool on the suspect machine to acquire the RAM image

B. The investigator should initiate a listening session on the forensic workstation using ‘netcat’, then execute a ‘dd’ command on the suspect machine and pipe the output using ‘netcat’

C. The investigator should leverage OSXPMem to remotely parse the physical memory in the Linux machine and create AFF4 format images for analysis

D. The investigator should employ the LiME tool and ‘netcat’, starting a listening session using tcp:port on the suspect machine and then establishing a connection from the forensic workstation using ‘netcat’

 


Suggested Answer: D

Community Answer: D

 

Question 16

Before you are called to testify as an expert, what must an attorney do first?

A. engage in damage control

B. prove that the tools you used to conduct your examination are perfect

C. read your curriculum vitae to the jury

D. qualify you as an expert witness

 


Suggested Answer: D

Community Answer: D

 

Question 17

A law enforcement officer may only search for and seize criminal evidence with _______________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists and the evidence of the specific crime exists at the place to be searched.

A. Mere Suspicion

B. A preponderance of the evidence

C. Probable cause

D. Beyond a reasonable doubt

 


Suggested Answer: C

 

Question 18

Which of the following Android libraries are used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen?

A. OpenGL/ES and SGL

B. Surface Manager

C. Media framework

D. WebKit

 


Suggested Answer: A

 

Question 19

Which of the following is NOT a graphics file?

A. Picture1.tga

B. Picture2.bmp

C. Picture3.nfo

D. Picture4.psd

 


Suggested Answer: C

Community Answer: C

 

Question 20

What does 63.78.199.4(161) denote in the following Cisco router log?
`Mar 14 22:57:53.425 EST: %SEC-6-IPACCESSLOGP: list internet-inbound denied udp 66.56.16.77(1029) -> 63.78.199.4(161), 1 packet`

A. Destination IP address

B. Source IP address

C. Login IP address

D. None of the above

 


Suggested Answer: A

 

Question 21

What binary coding is used most often for e-mail purposes?

A. MIME

B. Uuencode

C. IMAP

D. SMTP

 


Suggested Answer: A

Community Answer: A

 

Question 22

What advantage does the tool Evidor have over the built-in Windows search?

A. It can find deleted files even after they have been physically removed

B. It can find bad sectors on the hard drive

C. It can search slack space

D. It can find files hidden within ADS

 


Suggested Answer: C

Community Answer: C

 

Question 23

An investigator is searching through the firewall logs of a company and notices ICMP packets that are larger than 65,536 bytes. What type of activity is the investigator seeing?

A. Smurf

B. Ping of death

C. Fraggle

D. Nmap scan

 


Suggested Answer: B

Community Answer: B

 

Question 24

You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data. What method would be most efficient for you to acquire digital evidence from this network?

A. create a compressed copy of the file with DoubleSpace

B. create a sparse data copy of a folder or file

C. make a bit-stream disk-to-image file

D. make a bit-stream disk-to-disk file

 


Suggested Answer: C

Community Answer: C

 

Question 25

A forensic investigator is analyzing a smartphone to gather crucial evidence. To fully understand the device's working and data flow, he needs to comprehend the various mobile architectural layers. While examining the device's frequency conversion, the investigator focuses on which of the following hardware components?

A. Baseband part

B. DAC/ADC

C. Antenna

D. RF part

 


Suggested Answer: D

Community Answer: D

 

Question 26

Malware analysis can be conducted in various ways. An investigator gathers a suspicious executable file and uploads it to VirusTotal in order to confirm whether the file is malicious, obtain information about its functionality, and obtain information that will allow simple network signatures to be produced. What type of malware analysis was performed here?

A. Hybrid

B. Static

C. Volatile

D. Dynamic

 


Suggested Answer: B

 

Question 27

A CHFI expert creates a forensics image of a pen drive using AccessData FTK Imager during a computer forensics investigation. The investigator uses The Sleuth Kit (TSK) to examine an ext4 file system on a Linux disk image and suspects data tampering. The expert decides to verify inode metadata for a critical file. However, he notes an unexpected block allocation in the inode details. Which TSK command-line tool and argument should the investigator utilize to examine the addresses of all allocated disk units for the suspicious inode?

A. fsstat -f ext4

B. img_stat -i raw

C. fls -o imgoffset

D. istat -B num

 


Suggested Answer: D

Community Answer: D

 

Question 28

A major corporation has faced multiple SQL injection attacks on its web application. They have a ModSecurity WAF in place with default settings. However, attacks are still getting through. The forensic investigator recommends a measure to enhance security. What is the most likely recommendation?

A. Customize ModSecurity rules according to their environment

B. Replace ModSecurity with a next-generation firewall (NGFW)

C. Install an additional conventional firewall for protection

D. Implement real-time alerting and extensive logging capabilities

 


Suggested Answer: A

Community Answer: A

 

Question 29

What technique used by EnCase makes it virtually impossible to tamper with evidence once it has been acquired?

A. Every byte of the file(s) is given an MD5 hash to match against a master file

B. Every byte of the file(s) is verified using 32-bit CRC

C. Every byte of the file(s) is copied to three different hard drives

D. Every byte of the file(s) is encrypted using three different methods

 


Suggested Answer: B

Community Answer: A

 

Question 30

Recently, an internal web app that a government agency utilizes has become unresponsive. Betty, a network engineer for the government agency, has been tasked to determine the cause of the web application's unresponsiveness. Betty launches Wireshark and begins capturing the traffic on the local network. While analyzing the results, Betty noticed that a syn flood attack was underway. How did Betty know a syn flood attack was occurring?

A. Wireshark capture does not show anything unusual and the issue is related to the web application

B. Wireshark capture shows multiple ACK requests and SYN responses from single/multiple IP address(es)

C. Wireshark capture shows multiple SYN requests and RST responses from single/multiple IP address(es)

D. Wireshark capture shows multiple SYN requests and ACK responses from single/multiple IP address(es)

 


Suggested Answer: D

Community Answer: C

 

Question 31

Data Files contain Multiple Data Pages, which are further divided into Page Header, Data Rows, and Offset Table. Which of the following is true for Data Rows?

A. Data Rows store the actual data

B. Data Rows present Page type, Page ID, and so on

C. Data Rows point to the location of actual data

D. Data Rows spread data across multiple databases

 


Suggested Answer: B

Community Answer: A

 

Question 32

An executive has leaked the company trade secrets through an external drive. What process should the investigation team take if they could retrieve his system?

A. Postmortem Analysis

B. Real-Time Analysis

C. Packet Analysis

D. Malware Analysis

 


Suggested Answer: A

 

Question 33

Files stored in the Recycle Bin in its physical location are renamed as Dxy.ext, where `x` represents the ___________________.

A. Drive name

B. Original file name’s extension

C. Sequential number

D. Original file name

 


Suggested Answer: A

 

Question 34

A large multinational corporation suspects an internal breach of its data center and hires a forensic investigator. The investigator is required to conduct a search on the emails of an employee who is a US citizen, believed to be communicating classified information with a foreign entity. The forensic investigator, while respecting international laws and US privacy laws, should:

A. Utilize the Privacy Act of 1974 to access the individual’s personal records without their written consent

B. Use the Foreign Intelligence Surveillance Act of 1978 (FISA) to get judicial authorization for electronic surveillance

C. Refer to the Protect America Act of 2007 to conduct surveillance without a specific warrant on the employee’s electronic communication

D. Apply the provisions under the Cybercrime Act 2001 of Australia to initiate electronic surveillance

 


Suggested Answer: B

Community Answer: B

 

Question 35

You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics lab. How many law-enforcement computer investigators should you request to staff the lab?

A. 8

B. 1

C. 4

D. 2

 


Suggested Answer: C

 

Question 36

Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their various activities. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident?

A. The manufacturer of the system compromised

B. The logic, formatting and elegance of the code used in the attack

C. The nature of the attack

D. The vulnerability exploited in the incident

 


Suggested Answer: B

Community Answer: C

 

Question 37

To which phase of the Computer Forensics Investigation Process does the Planning and Budgeting of a Forensics Lab belong?

A. Post-investigation Phase

B. Reporting Phase

C. Pre-investigation Phase

D. Investigation Phase

 


Suggested Answer: C

 

Question 38

Buffer overflow vulnerability of a web application occurs when it fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites the_________. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack.

A. Adjacent memory locations

B. Adjacent bit blocks

C. Adjacent buffer locations

D. Adjacent string locations

 


Suggested Answer: A

 

Question 39

A mid-sized enterprise recently suffered a security breach in their AWS-hosted application. The responsibility for identifying the source and cause of this breach falls under the purview of the internal security team. Based on the AWS shared responsibility model, which of the following would be the appropriate action for the team?

A. Investigate AWS’s underlying infrastructure including hardware and databases for security flaws

B. Audit the application security and IAM configurations within the enterprise’s AWS services

C. Conduct a full review of AWS’s global infrastructure including regions, availability zones, and edge locations

D. Check for security vulnerabilities in AWS container services’ OS and application platform

 


Suggested Answer: B

 

Question 40

Which of the following file systems is used by Mac OS X?

A. EFS

B. HFS+

C. EXT2

D. NFS

 


Suggested Answer: B

Community Answer: B

 

Question 41

Which among the following files provides email header information in the Microsoft Exchange server?

A. gwcheck.db

B. PRIV.EDB

C. PUB.EDB

D. PRIV.STM

 


Suggested Answer: B

 

Question 42

Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?

A. bench warrant

B. wire tap

C. subpoena

D. search warrant

 


Suggested Answer: D

 

Question 43

How many bits long is the Source Port Number in a TCP header?

A. 16

B. 32

C. 48

D. 64

 


Suggested Answer: A

 

Question 44

In a FAT32 system, a 123 KB file will use how many sectors?

A. 34

B. 25

C. 11

D. 56

 


Suggested Answer: B

 

Question 45

James, a hacker, identifies a vulnerability in a website. To exploit the vulnerability, he visits the login page and notes down the session ID that is created. He appends this session ID to the login URL and shares the link with a victim. Once the victim logs into the website using the shared URL, James reloads the webpage (containing the URL with the session ID appended) and now, he can browse the active session of the victim. Which attack did James successfully execute?

A. Cross Site Request Forgery

B. Cookie Tampering

C. Parameter Tampering

D. Session Fixation Attack

 


Suggested Answer: D

Community Answer: D

Reference:
https://owasp.org/www-community/attacks/Session_fixation#:~:text=Session%20Fixation%20is%20an%20attack,specifically%20the%20vulnerable%20web%20application

Question 46

An investigator enters the command `sqlcmd -S WIN-CQQMK62867E -e -s"," -E` as part of collecting the primary data file and logs from a database. What does the `WIN-CQQMK62867E` represent?

A. Name of the Database

B. Name of SQL Server

C. Operating system of the system

D. Network credentials of the database

 


Suggested Answer: B

 

Question 47

A clothing company has recently deployed a website for its latest product line to increase its conversion rate and customer base. Andrew, the network administrator recently appointed by the company, has been assigned the task of protecting the website from intrusion and vulnerabilities. Which of the following tools should Andrew consider deploying in this scenario?

A. Kon-Boot

B. Recuva

C. CryptaPix

D. ModSecurity

 


Suggested Answer: D

Community Answer: D

 

Question 48

Which of the following Registry components include offsets to other cells as well as the LastWrite time for the key?

A. Value list cell

B. Value cell

C. Key cell

D. Security descriptor cell

 


Suggested Answer: C

Community Answer: C

 

Question 49

A Computer Hacking Forensic Investigator (CHFI) arrives at the crime scene in an incident involving cybercrime. While performing the initial search of the scene, the investigator spots a GPS device, a keyboard, and a telephone line connected to a caller ID box. Considering the steps involved in searching for evidence, which of the following actions should the investigator perform first?

A. Secure the keyboard to protect any potential fingerprints

B. Initiate the search and seizure evidence log to document details of the identified devices

C. Record observations about the current situation at the scene

D. Survey the GPS device to explore potential sources of digital information

 


Suggested Answer: B

Community Answer: A

 

Question 50

As a part of the investigation, Caroline, a forensic expert, was assigned the task to examine the transaction logs pertaining to a database named Transfers. She used SQL Server Management Studio to collect the active transaction log files of the database. Caroline wants to extract detailed information on the logs, including AllocUnitId, page id, slot id, etc. Which of the following commands does she need to execute in order to extract the desired information?

A. DBCC LOG(Transfers, 1)

B. DBCC LOG(Transfers, 3)

C. DBCC LOG(Transfers, 0)

D. DBCC LOG(Transfers, 2)

 


Suggested Answer: D

 

Free Access Full 312-49V10 Practice Exam Free

Looking for additional practice? Click here to access a full set of 312-49V10 practice exam free questions and continue building your skills across all exam domains.

Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!

Good luck with your 312-49V10 certification journey!
