
312-49 Dump Free


312-49 Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.

Looking for a reliable way to prepare for your 312-49 certification? Our 312-49 Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.

Using a 312-49 Dump Free set of questions can give you an edge in your exam prep by helping you:

  • Understand the format and types of questions you’ll face
  • Pinpoint weak areas and focus your study efforts
  • Boost your confidence with realistic question practice

Below, you will find 50 free questions from our 312-49 Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.

Question 1

An attacker has compromised a cloud environment of a company and used the employee information to perform an identity theft attack. Which type of attack is this?

A. Cloud as a subject

B. Cloud as a tool

C. Cloud as an object

D. Cloud as a service

 


Suggested Answer: A

Community Answer: A

 

Question 2

While looking through the IIS log file of a web server, you find the following entries:
 Image
What is evident from this log file?

A. Web bugs

B. Cross site scripting

C. Hidden fields

D. SQL injection is possible

 


Suggested Answer: D

 

Question 3

Which password cracking technique uses details such as length of password, character sets used to construct the password, etc.?

A. Dictionary attack

B. Brute force attack

C. Rule-based attack

D. Man in the middle attack

 


Suggested Answer: A

 

Question 4

Which of the following files contains the traces of the applications installed, run, or uninstalled from a system?

A. Shortcut Files

B. Virtual files

C. Prefetch Files

D. Image Files

 


Suggested Answer: A

 

Question 5

Centralized binary logging is a process in which many websites write binary and unformatted log data to a single log file. What extension should the investigator look to find its log file?

A. .cbl

B. .log

C. .ibl

D. .txt

 


Suggested Answer: C

Community Answer: C

 

Question 6

John and Hillary work in the same department in the company. John wants to find out Hillary's network password so he can take a look at her documents on the file server. He sets the L0phtCrack program to sniffing mode. John sends Hillary an email with a link to Error! Reference source not found. What information will he be able to gather from this?

A. Hillary network username and password hash

B. The SID of Hillary network account

C. The SAM file from Hillary computer

D. The network shares that Hillary has permissions

 


Suggested Answer: A

 

Question 7

When investigating a computer forensics case where Microsoft Exchange and Blackberry Enterprise Server are used, where would the investigator need to search to find email sent from a Blackberry device?

A. RIM Messaging center

B. Blackberry Enterprise server

C. Microsoft Exchange server

D. Blackberry desktop redirector

 


Suggested Answer: C

 

Question 8

What will the following command accomplish?

A. Test ability of a router to handle over-sized packets

B. Test the ability of a router to handle under-sized packets

C. Test the ability of a WLAN to handle fragmented packets

D. Test the ability of a router to handle fragmented packets

 


Suggested Answer: A

 

Question 9

Company ABC has employed a firewall, IDS, Antivirus, Domain Controller, and SIEM. The company's domain controller goes down. From which system would you begin your investigation?

A. Domain Controller

B. Firewall

C. SIEM

D. IDS

 


Suggested Answer: C

 

Question 10

When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

A. Passive IDS

B. Active IDS

C. Progressive IDS

D. NIPS

 


Suggested Answer: B

Community Answer: B

 

Question 11

The newer Macintosh Operating System is based on:

A. OS/2

B. BSD Unix

C. Linux

D. Microsoft Windows

 


Suggested Answer: B

 

Question 12

As a part of the investigation, Caroline, a forensic expert, was assigned the task to examine the transaction logs pertaining to a database named Transfers. She used SQL Server Management Studio to collect the active transaction log files of the database. Caroline wants to extract detailed information on the logs, including AllocUnitId, page id, slot id, etc. Which of the following commands does she need to execute in order to extract the desired information?

A. DBCC LOG(Transfers, 1)

B. DBCC LOG(Transfers, 3)

C. DBCC LOG(Transfers, 0)

D. DBCC LOG(Transfers, 2)

 


Suggested Answer: D

 

Question 13

When examining the log files from a Windows IIS Web Server, how often is a new log file created?

A. the same log is used at all times

B. a new log file is created every day

C. a new log file is created each week

D. a new log is created each time the Web Server is started

 


Suggested Answer: B

Community Answer: B

 

Question 14

Why should you note all cable connections for a computer you want to seize as evidence?

A. to know what outside connections existed

B. in case other devices were connected

C. to know what peripheral devices exist

D. to know what hardware existed

 


Suggested Answer: A

 

Question 15

Smith, a forensic examiner, was analyzing a hard disk image to find and acquire deleted sensitive files. He stumbled upon a $Recycle.Bin folder in the root directory of the disk. Identify the operating system in use.

A. Windows 98

B. Linux

C. Windows 8.1

D. Windows XP

 


Suggested Answer: D

Community Answer: C

 

Question 16

You have used a newly released forensic investigation tool, which doesn't meet the Daubert Test, during a case. The case has ended up in court. What argument could the defense make to weaken your case?

A. The tool hasn’t been tested by the International Standards Organization (ISO)

B. Only the local law enforcement should use the tool

C. The tool has not been reviewed and accepted by your peers

D. You are not certified for using the tool

 


Suggested Answer: C

 

Question 17

You are working as a computer forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm's employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do?

A. Inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned

B. Inform the owner that conducting an investigation without a policy is a violation of the 4th amendment

C. Inform the owner that conducting an investigation without a policy is a violation of the employee’s expectation of privacy

D. Inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies

 


Suggested Answer: C

 

Question 18

How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?

A. 128

B. 64

C. 32

D. 16

 


Suggested Answer: D

Community Answer: D

 

Question 19

When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the:

A. Recycle Bin

B. MSDOS.sys

C. BIOS

D. Case files

 


Suggested Answer: A

Community Answer: D

 

Question 20

Netstat is a tool for collecting information regarding network connections. It provides a simple view of TCP and UDP connections, and their state and network traffic statistics. Which of the following commands shows you the TCP and UDP network connections, listening ports, and the identifiers?

A. netstat -r

B. netstat -ano

C. netstat -b

D. netstat -s

 


Suggested Answer: B

Community Answer: B

 

Question 21

Volatile memory is one of the leading problems for forensics. Worms such as Code Red are memory resident and do write themselves to the hard drive; if you turn the system off, they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?

A. Use VMware to be able to capture the data in memory and examine it

B. Give the Operating System a minimal amount of memory, forcing it to use a swap file

C. Create a Separate partition of several hundred megabytes and place the swap file there

D. Use intrusion forensic techniques to study memory resident infections

 


Suggested Answer: A

Community Answer: A

 

Question 22

As a security analyst, you set up a false survey website that will require users to create a username and a strong password. You send the link to all the employees of the company. What information will you be able to gather?

A. The IP address of the employees’ computers

B. Bank account numbers and the corresponding routing numbers

C. The employees' network usernames and passwords

D. The MAC address of the employees’ computers

 


Suggested Answer: C

 

Question 23

While searching through a computer under investigation, you discover numerous files that appear to have had the first letter of the file name replaced by the hex code byte 5h. What does this indicate on the computer?

A. The files have been marked as hidden

B. The files have been marked for deletion

C. The files are corrupt and cannot be recovered

D. The files have been marked as read-only

 


Suggested Answer: B

 

Question 24

Which of the following is NOT a graphics file?

A. Picture1.tga

B. Picture2.bmp

C. Picture3.nfo

D. Picture4.psd

 


Suggested Answer: C

 

Question 25

Which layer of iOS architecture should a forensics investigator evaluate to analyze services such as Threading, File Access, Preferences, Networking and high-level features?

A. Core Services

B. Media services

C. Cocoa Touch

D. Core OS

 


Suggested Answer: D

Community Answer: A

 

Question 26

What should you do when approached by a reporter about a case that you are working on or have worked on?

A. Refer the reporter to the attorney that retained you

B. Say, “no comment”

C. Answer all the reporter’s questions as completely as possible

D. Answer only the questions that help your case

 


Suggested Answer: A

 

Question 27

Which is a standard procedure to perform during all computer forensics investigations?

A. with the hard drive removed from the suspect PC, check the date and time in the system’s CMOS

B. with the hard drive in the suspect PC, check the date and time in the File Allocation Table

C. with the hard drive removed from the suspect PC, check the date and time in the system’s RAM

D. with the hard drive in the suspect PC, check the date and time in the system’s CMOS

 


Suggested Answer: A

 

Question 28

Gary, a computer technician, is facing allegations of abusing children online by befriending them and sending them illicit adult images from his office computer.
What type of investigation does this case require?

A. Administrative Investigation

B. Criminal Investigation

C. Both Criminal and Administrative Investigation

D. Civil Investigation

 


Suggested Answer: B

 

Question 29

In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?

A. one who has NTFS 4 or 5 partitions

B. one who uses dynamic swap file capability

C. one who uses hard disk writes on IRQ 13 and 21

D. one who has lots of allocation units per block or cluster

 


Suggested Answer: D

 

Question 30

One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example,
[1]
extension?

A. the File Allocation Table

B. the file header

C. the file footer

D. the sector map

 


Suggested Answer: B

 

Question 31

When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.

A. A Capital X

B. A Blank Space

C. The Underscore Symbol

D. The lowercase Greek Letter Sigma (σ)

 


Suggested Answer: D

 

Question 32

The following excerpt is taken from a honeypot log. The log captures activities across three days.
There are several intrusion attempts; however, a few are successful.
(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
From the options given below choose the one which best interprets the following entry:
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

A. An IDS evasion technique

B. A buffer overflow attempt

C. A DNS zone transfer

D. Data being retrieved from 63.226.81.13

 


Suggested Answer: A

 

Question 33

You have completed a forensic investigation case. You would like to destroy the data contained in various disks at the forensics lab due to sensitivity of the case.
How would you permanently erase the data on the hard disk?

A. Throw the hard disk into the fire

B. Run the powerful magnets over the hard disk

C. Format the hard disk multiple times using a low level disk utility

D. Overwrite the contents of the hard disk with Junk data

 


Suggested Answer: A

 

Question 34

This type of testimony is presented by someone who does the actual fieldwork and does not offer a view in court.

A. Civil litigation testimony

B. Expert testimony

C. Victim advocate testimony

D. Technical testimony

 


Suggested Answer: D

 

Question 35

One technique for hiding information is to change the file extension from the correct one to the one that might not be noticed by an investigator. For example,
[1]
extension?

A. The file header

B. The File Allocation Table

C. The file footer

D. The sector map

 


Suggested Answer: A

 

Question 36

What is the name of the first reserved sector in File allocation table?

A. Volume Boot Record

B. Partition Boot Sector

C. Master Boot Record

D. BIOS Parameter Block

 


Suggested Answer: C

 

Question 37

When examining a file with a Hex Editor, what space does the file header occupy?

A. the last several bytes of the file

B. the first several bytes of the file

C. none, file headers are contained in the FAT

D. one byte at the beginning of the file

 


Suggested Answer: B

Community Answer: B

 

Question 38

What is kept in the following directory? HKLM\SECURITY\Policy\Secrets

A. Cached password hashes for the past 20 users

B. Service account passwords in plain text

C. IAS account names and passwords

D. Local store PKI Kerberos certificates

 


Suggested Answer: B

 

Question 39

Why should you never power on a computer that you need to acquire digital evidence from?

A. When the computer boots up, files are written to the computer rendering the data unclean

B. When the computer boots up, the system cache is cleared which could destroy evidence

C. When the computer boots up, data in the memory buffer is cleared which could destroy evidence

D. Powering on a computer has no effect when needing to acquire digital evidence from it

 


Suggested Answer: A

 

Question 40

Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area, records the scene using visual media. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events?

A. Connect the target media; prepare the system for acquisition; Secure the evidence; Copy the media

B. Prepare the system for acquisition; Connect the target media; copy the media; Secure the evidence

C. Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media

D. Secure the evidence; prepare the system for acquisition; Connect the target media; copy the media

 


Suggested Answer: B

 

Question 41

Watson, a forensic investigator, is examining a copy of an ISO file stored in CDFS format. What type of evidence is this?

A. Data from a CD copied using Windows

B. Data from a CD copied using Mac-based system

C. Data from a DVD copied using Windows system

D. Data from a CD copied using Linux system

 


Suggested Answer: A

 

Question 42

A law enforcement officer may only search for and seize criminal evidence with _______________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists and the evidence of the specific crime exists at the place to be searched.

A. Mere Suspicion

B. A preponderance of the evidence

C. Probable cause

D. Beyond a reasonable doubt

 


Suggested Answer: C

 

Question 43

After passing her CEH exam, Carol wants to ensure that her network is completely secure. She implements a DMZ, stateful firewall, NAT, IPSEC, and a packet filtering firewall. Since all security measures were taken, none of the hosts on her network can reach the Internet. Why is that?

A. Stateful firewalls do not work with packet filtering firewalls

B. NAT does not work with stateful firewalls

C. IPSEC does not work with packet filtering firewalls

D. NAT does not work with IPSEC

 


Suggested Answer: D

 

Question 44

An executive has leaked the company trade secrets through an external drive. What process should the investigation team take if they could retrieve his system?

A. Postmortem Analysis

B. Real-Time Analysis

C. Packet Analysis

D. Malware Analysis

 


Suggested Answer: A

 

Question 45

Bob has encountered a system crash and has lost vital data stored on the hard drive of his Windows computer. He has no cloud storage or backup hard drives. He wants to recover all of that data, which includes his personal photos, music, documents, videos, official email, etc. Which of the following tools shall resolve Bob's purpose?

A. Colasoft’s Capsa

B. Recuva

C. Cain & Abel

D. Xplico

 


Suggested Answer: D

Community Answer: B

 

Question 46

Smith, as a part of his forensic investigation assignment, seized a mobile device. He was asked to recover the Subscriber Identity Module (SIM card) data in the mobile device. Smith found that the SIM was protected by a Personal Identification Number (PIN) code, but he was also aware that people generally leave the PIN numbers to the defaults or use easily guessable numbers such as 1234. He made three unsuccessful attempts, which blocked the SIM card. What can Jason do in this scenario to reset the PIN and access SIM data?

A. He should contact the network operator for a Temporary Unlock Code (TUK)

B. Use system and hardware tools to gain access

C. He can attempt PIN guesses after 24 hours

D. He should contact the network operator for Personal Unlock Number (PUK)

 


Suggested Answer: D

 

Question 47

You are called by an author who is writing a book and he wants to know how long the copyright for his book will last after he has the book published?

A. 70 years

B. the life of the author

C. the life of the author plus 70 years

D. copyrights last forever

 


Suggested Answer: C

 

Question 48

You are working as a Computer forensics investigator for a corporation on a computer abuse case. You discover evidence that shows the subject of your investigation is also embezzling money from the company. The company CEO and the corporate legal counsel advise you to contact law enforcement and provide them with the evidence that you have found. The law enforcement officer that responds requests that you put a network sniffer on your network and monitor all traffic to the subject's computer. You inform the officer that you will not be able to comply with that request because doing so would:

A. Violate your contract

B. Cause network congestion

C. Make you an agent of law enforcement

D. Write information to the subject’s hard drive

 


Suggested Answer: C

 

Question 49

What method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 server over the course of its lifetime?

A. forensic duplication of hard drive

B. analysis of volatile data

C. comparison of MD5 checksums

D. review of SIDs in the Registry

 


Suggested Answer: D

Community Answer: D

 

Question 50

Software firewalls work at which layer of the OSI model?

A. Application

B. Network

C. Transport

D. Data Link

 


Suggested Answer: D

 

Access Full 312-49 Dump Free

Looking for even more practice questions? Click here to access the complete 312-49 Dump Free collection, offering hundreds of questions across all exam objectives.

We regularly update our content to ensure accuracy and relevance—so be sure to check back for new material.

Begin your certification journey today with our 312-49 dump free questions — and get one step closer to exam success!

PracticeTestFree.com materials do not contain actual questions and answers from Cisco's Certification Exams. PracticeTestFree.com doesn't offer Real Microsoft Exam Questions. PracticeTestFree.com doesn't offer Real Amazon Exam Questions.
