EMT Practice Test

1. Question Content...


Question List

Question1: Brian has the job of analyzing malware for a software security company. Brian has setup a virtual environment that includes virtual machines running various versions of OSes. Additionally, Brian has setup separated virtual networks within this environment The virtual environment does not connect to the company's intranet nor does it connect to the external Internet. With everything setup, Brian now received an executable file from client that has undergone a cyberattack. Brian ran the executable file In the virtual environment to see what it would do. What type of analysis did Brian perform?

Question2: You are working as Computer Forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm's employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do?

Question3: Why is it still possible to recover files that have been emptied from the Recycle Bin on a Windows computer?

Question4: Shane, a forensic specialist, is investigating an ongoing attack on a MySQL database server hosted on a Windows machine with SID "WIN-ABCDE12345F." Which of the following log file will help Shane in tracking all the client connections and activities performed on the database server?

Question5: Which of the following is a MAC-based File Recovery Tool?

Question6: Which of the following tool enables a user to reset his/her lost admin password in a Windows system?

Question7: Data density of a disk drive is calculated by using_______

Question8: Law enforcement officers are conducting a legal search for which a valid warrant was obtained.
While conducting the search, officers observe an item of evidence for an unrelated crime that was not included in the warrant. The item was clearly visible to the officers and immediately identified as evidence. What is the term used to describe how this evidence is admissible?

Question9: Which type of attack is possible when attackers know some credible information about the victim's password, such as the password length, algorithms involved, or the strings and characters used in its creation?

Question10: An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet.

Question11: You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message?

Question12: How many times can data be written to a DVD+R disk?

Question13: What stage of the incident handling process involves reporting events?

Question14: Which OWASP loT vulnerability talks about security flaws such as lack of firmware validation, lack of secure delivery, and lack of anti-rollback mechanisms on loT devices?

Question15: The rule of thumb when shutting down a system is to pull the power plug. However, it has certain drawbacks. Which of the following would that be?

Question16: In the context of file deletion process, which of the following statement holds true?

Question17: Robert needs to copy an OS disk snapshot of a compromised VM to a storage account in different region for further investigation. Which of the following should he use in this scenario?

Question18: What do you call the process in which an attacker uses magnetic field over the digital media device to delete any previously stored data?

Question19: Madison is on trial for allegedly breaking into her university's internal network. The police raided her dorm room and seized all of her computer equipment. Madison's lawyer is trying to convince the judge that the seizure was unfounded and baseless. Under which US Amendment is Madison's lawyer trying to prove the police violated?

Question20: It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner?

Question21: What does the command "C:\>wevtutil gl <log name>" display?

Question22: How many bits is Source Port Number in TCP Header packet?

Question23: What must an attorney do first before you are called to testify as an expert?

Question24: Your company's network just finished going through a SAS 70 audit. This audit reported that overall, your network is secure, but there are some areas that needs improvement. The major area was SNMP security. The audit company recommended turning off SNMP, but that is not an option since you have so many remote nodes to keep track of. What step could you take to help secure SNMP on your network?

Question25: A state department site was recently attacked and all the servers had their disks erased. The incident response team sealed the area and commenced investigation. During evidence collection they came across a zip disks that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they short listed possible suspects including three summer interns. Where did the incident team go wrong?

Question26: What should you do when approached by a reporter about a case that you are working on or have worked on?

Question27: Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted so as to cause a denial-of-service attack?

Question28: In which of these attacks will a steganalyst use a random message to generate a stego-object by using some steganography tool, to find the steganography algorithm used to hide the information?

Question29: When setting up a wireless network with multiple access points, why is it important to set each access point on a different channel?

Question30: When you carve an image, recovering the image depends on which of the following skills?

Question31: To which phase of the computer forensics investigation process does "planning and budgeting of a forensics lab" belong?

Question32: You are called by an author who is writing a book and he wants to know how long the copyright for his book will last after he has the book published?

Question33: When a user deletes a file or folder, the system stores complete path including the original filename is a special hidden file called "INFO2" in the Recycled folder. If the INFO2 file is deleted, it is recovered when you ______________________.

Question34: What command-line tool enables forensic Investigator to establish communication between an Android device and a forensic workstation in order to perform data acquisition from the device?

Question35: ____________________ is simply the application of Computer Investigation and analysis techniques in the interests of determining potential legal evidence.

Question36: Which of the following is a device monitoring tool?

Question37: Which of the following files gives information about the client sync sessions in Google Drive on Windows?

Question38: Donald made an OS disk snapshot of a compromised Azure VM under a resource group being used by the affected company as a part of forensic analysis process. He then created a vhd file out of the snapshot and stored it in a file share and as a page blob as backup in a storage account under different region. What Is the next thing he should do as a security measure?

Question39: Amber, a black hat hacker, has embedded malware into a small enticing advertisement and posted it on a popular ad-network that displays across various websites. What is she doing?

Question40: All Blackberry email is eventually sent and received through what proprietary RIM-operated mechanism?

Question41: An investigator seized a notebook device installed with a Microsoft Windows OS. Which type of files would support an investigation of the data size and structure in the device?

Question42: Item 2If you come across a sheepdip machine at your client site, what would you infer?

Question43: Jim performed a vulnerability analysis on his network and found no potential problems. He runs another utility that executes exploits against his system to verify the results of the vulnerability test.
The second utility executes five known exploits against his network in which the vulnerability analysis said were not exploitable. What kind of results did Jim receive from his vulnerability analysis?

Question44: Meyer Electronics Systems just recently had a number of laptops stolen out of their office. On these laptops contained sensitive corporate information regarding patents and company strategies. A month after the laptops were stolen, a competing company was found to have just developed products that almost exactly duplicated products that Meyer produces. What could have prevented this information from being stolen from the laptops?

Question45: The Apache server saves diagnostic information and error messages that it encounters while processing requests. The default path of this file is usr/local/apache/logs/error.log in Linux. Identify the Apache error log from the following logs.

Question46: What does mactime, an essential part of the coroner's toolkit do?

Question47: A call detail record (CDR) provides metadata about calls made over a phone service. From the following data fields, which one Is not contained in a CDR.

Question48: What information do you need to recover when searching a victim's computer for a crime committed with specific e-mail message?

Question49: A master boot record (MBR) is the first sector ("sector zero") of a data storage device. What is the size of MBR?

Question50: Diskcopy is:

Question51: In General, __________________ Involves the investigation of data that can be retrieved from the hard disk or other disks of a computer by applying scientific methods to retrieve the data.

Question52: Jason discovered a file named $RIYG6VR.doc in the C:\$Recycle.Bin\<USER SID>\ while analyzing a hard disk image for the deleted dat a. What inferences can he make from the file name?

Question53: Which among the following U.S. laws requires financial institutions-companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance-to protect their customers' information against security threats?

Question54: You are running through a series of tests on your network to check for any security vulnerabilities.
After normal working hours, you initiate a DoS attack against your external firewall. The firewall Quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have FTP blocked at the external firewall. What has happened?

Question55: You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?

Question56: Heather, a computer forensics investigator, is assisting a group of investigators working on a large computer fraud case involving over 20 people. These 20 people, working in different offices, allegedly siphoned off money from many different client accounts. Heather responsibility is to find out how the accused people communicated between each other. She has searched their email and their computers and has not found any useful evidence. Heather then finds some possibly useful evidence under the desk of one of the accused.
In an envelope she finds a piece of plastic with numerous holes cut out of it. Heather then finds the same exact piece of plastic with holes at many of the other accused peoples desks. Heather believes that the 20 people involved in the case were using a cipher to send secret messages in between each other. What type of cipher was used by the accused in this case?

Question57: What does the part of the log, "% SEC-6-IPACCESSLOGP", extracted from a Cisco router represent?

Question58: What type of analysis helps to identify the time and sequence of events in an investigation?

Question59: Which of these ISO standards define the file system for optical storage media, such as CD-ROM and DVD-ROM?

Question60: An Investigator Is checking a Cisco firewall log that reads as follows:
Aug 21 2019 09:16:44: %ASA-1-106021: Deny ICMP reverse path check from 10.0.0.44 to 10.0.0.33 on Interface outside What does %ASA-1-106021 denote?

Question61: What is the name of the first reserved sector in File allocation table?

Question62: In a Linux-based system, what does the command "Last -F" display?

Question63: Why are Linux/Unix based computers better to use than Windows computers for idle scanning?

Question64: During a forensic investigation, a large number of files were collected. The investigator needs to evaluate ownership and accountability of those files. Therefore, he begins to Identify attributes such as "author name," "organization name." "network name," or any additional supporting data that is meant for the owner's Identification purpose. Which term describes these attributes?

Question65: When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.

Question66: Which among the following is an act passed by the U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations?

Question67: Which of the following is a federal law enacted in the US to control the ways that financial institutions deal with the private information of individuals?

Question68: You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents. Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer?

Question69: When installed on a Windows machine, which port does the Tor browser use to establish a network connection via Tor nodes?

Question70: This type of testimony is presented by someone who does the actual fieldwork and does not offer a view in court.

Question71: Which tool does the investigator use to extract artifacts left by Google Drive on the system?

Question72: Jack Smith is a forensics investigator who works for Mason Computer Investigation Services. He is investigating a computer that was infected by Ramen Virus.

He runs the netstat command on the machine to see its current connections. In the following screenshot, what do the 0.0.0.0 IP addresses signify?

Question73: Which of the following commands shows you the username and IP address used to access the system via a remote login session and the type of client from which they are accessing the system?

Question74: Which of the following file contains the traces of the applications installed, run, or uninstalled from a system?

Question75: Which of the following Perl scripts will help an investigator to access the executable image of a process?

Question76: Which of the following web browser uses the Extensible Storage Engine (ESE) database format to store browsing records, including history, cache, and cookies?

Question77: What method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 sever the course of its lifetime?

Question78: You are assigned a task to examine the log files pertaining to MyISAM storage engine. While examining, you are asked to perform a recovery operation on a MyISAM log file. Which among the following MySQL Utilities allow you to do so?

Question79: James is testing the ability of his routers to withstand DoS attacks. James sends ICMP ECHO requests to the broadcast address of his network. What type of DoS attack is James testing against his network?

Question80: After undergoing an external IT audit, George realizes his network is vulnerable to DDoS attacks.
What countermeasures could he take to prevent DDoS attacks?

Question81: Sectors in hard disks typically contain how many bytes?

Question82: Which of the following commands shows you the names of all open shared files on a server and the number of file locks on each file?

Question83: Adam Is thinking of establishing a hospital In the US and approaches John, a software developer to build a site and host it for him on one of the servers, which would be used to store patient health records. He has learned from his legal advisors that he needs to have the server's log data reviewed and managed according to certain standards and regulations. Which of the following regulations are the legal advisors referring to?

Question84: Buffer overflow vulnerability of a web application occurs when it fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites the_________. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack.

Question85: What does the superblock in Linux define?

Question86: What type of file is represented by a colon (:) with a name following it in the Master File Table of NTFS disk?

Question87: Investigators can use the Type Allocation Code (TAC) to find the model and origin of a mobile device. Where is TAC located in mobile devices?

Question88: What type of equipment would a forensics investigator store in a StrongHold bag?

Question89: In forensics.______are used lo view stored or deleted data from both files and disk sectors.

Question90: UEFI is a specification that defines a software interface between an OS and platform firmware. Where does this interface store information about files present on a disk?

Question91: Which of the following tools will allow a forensic Investigator to acquire the memory dump of a suspect machine so that It may be Investigated on a forensic workstation to collect evidentiary data like processes and Tor browser artifacts?

Question92: In Linux OS, different log files hold different information, which help the investigators to analyze various issues during a security incident. What information can the investigators obtain from the log file var/log/dmesg?

Question93: Which of the following directory contains the binary files or executables required for system maintenance and administrative tasks on a Linux system?

Question94: Harold is a computer forensics investigator working for a consulting firm out of Atlanta Georgi a. Harold is called upon to help with a corporate espionage case in Miami Florida. Harold assists in the investigation by pulling all the data from the computers allegedly used in the illegal activities. He finds that two suspects in the company where stealing sensitive corporate information and selling it to competing companies. From the email and instant messenger logs recovered, Harold has discovered that the two employees notified the buyers by writing symbols on the back of specific stop signs. This way, the buyers knew when and where to meet with the alleged suspects to buy the stolen material. What type of steganography did these two suspects use?

Question95: Simona has written a regular expression for the detection of web application-specific attack attempt that reads as /((\%3C)|<K(\%2F)|V)*[a-zO-9\%I*((\%3E)|>)/lx. Which of the following does the part (|\%3E)|>) look for?

Question96: Which of the following malware targets Android mobile devices and installs a backdoor that remotely installs applications from an attacker-controlled server?

Question97: Volatile Memory is one of the leading problems for forensics. Worms such as code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?

Question98: Smith is an IT technician that has been appointed to his company's network vulnerability assessment team. He is the only IT employee on the team. The other team members include employees from Accounting, Management, Shipping, and Marketing. Smith and the team members are having their first meeting to discuss how they will proceed. What is the first step they should do to create the network vulnerability assessment plan?

Question99: An executive has leaked the company trade secrets through an external drive. What process should the investigation team take if they could retrieve his system?

Question100: The working of the Tor browser is based on which of the following concepts?

Question101: To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can only reach the bank web site 10.20.20.1 using https. Which of the following firewall rules meets this requirement?

Question102: Bill is the accounting manager for Grummon and Sons LLC in Chicago. On a regular basis, he needs to send PDF documents containing sensitive information through E-mail to his customers.
Bill protects the PDF documents with a password and sends them to their intended recipients.
Why PDF passwords do not offer maximum protection?

Question103: Which forensic investigating concept trails the whole incident from how the attack began to how the victim was affected?

Question104: Where does Encase search to recover NTFS files and folders?

Question105: If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

Question106: Web browsers can store relevant information from user activities. Forensic investigators may retrieve files, lists, access history, cookies, among other digital footprints. Which tool can contribute to this task?

Question107: The process of restarting a computer that is already turned on through the operating system is called?

Question108: "No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court" - this principle Is advocated by which of the following?

Question109: In Microsoft file structures, sectors are grouped together to form:

Question110: Company ABC has employed a firewall, IDS, Antivirus, Domain Controller, and SIEM. The company's domain controller goes down. From which system would you begin your investigation?

Question111: The given image displays information about date and time of installation of the OS along with service packs, patches, and sub-directories. What command or tool did the investigator use to view this output?

Question112: Why is it a good idea to perform a penetration test from the inside?

Question113: What type of flash memory card comes in either Type I or Type II and consumes only five percent of the power required by small hard drives?

Question114: NTFS sets a flag for the file once you encrypt it and creates an EFS attribute where it stores Data Decryption Field (DDF) and Data Recovery Field (DDR). Which of the following is not a part of DDF?

Question115: Which of the following protocols allows non-ASCII files, such as video, graphics, and audio, to be sent through the email messages?

Question116: What does 254 represent in ICCID 89254021520014515744?

Question117: Which of the following setups should a tester choose to analyze malware behavior?

Question118: While presenting his case to the court, Simon calls many witnesses to the stand to testify. Simon decides to call Hillary Taft, a lay witness, to the stand. Since Hillary is a lay witness, what field would she be considered an expert in?

Question119: Identify the term that refers to individuals who, by virtue of their knowledge and expertise, express an independent opinion on a matter related to a case based on the information that is provided.

Question120: While searching through a computer under investigation, you discover numerous files that appear to have had the first letter of the file name replaced by the hex code byte 5h. What does this indicate on the computer?

Question121: This law sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.

Question122: Which of the following Ii considered as the starting point of a database and stores user data and database objects in an MS SQL server?

Question123: Which of the following tool is used to locate IP addresses?

Question124: When carrying out a forensics investigation, why should you never delete a partition on a dynamic disk?

Question125: Which of the following acts as a network intrusion detection system as well as network intrusion prevention system?

Question126: Which of the following tool captures and allows you to interactively browse the traffic on a network?

Question127: Given the drive dimensions as follows and assuming a sector has 512 bytes, what is the capacity of the described hard drive?
22,164 cylinders/disk
80 heads/cylinder
63 sectors/track

Question128: When obtaining a warrant, it is important to:

Question129: A computer forensics Investigator or forensic analyst Is a specially trained professional who works with law enforcement as well as private businesses to retrieve Information from computers and other types of data storage devices. For this, the analyst should have an excellent working knowledge of all aspects of the computer. Which of the following is not a duty of the analyst during a criminal investigation?

Question130: When reviewing web logs, you see an entry for resource not found in the HTTP status code filed.
What is the actual error code that you would see in the log for resource not found?

Question131: You are a Penetration Tester and are assigned to scan a server. You need to use a scanning technique wherein the TCP Header is split into many packets so that it becomes difficult to detect what the packets are meant for. Which of the below scanning technique will you use?

Question132: Which of the following file system is used by Mac OS X?

Question133: Which of the following file formats allows the user to compress the acquired data as well as keep it randomly accessible?

Question134: What encryption technology is used on Blackberry devices Password Keeper?

Question135: Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their various activity. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident?

Question136: Tasklist command displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer. Which of the following tasklist commands provides information about the listed processes, including the image name, PID, name, and number of the session for the process?

Question137: Annie is searching for certain deleted files on a system running Windows XP OS. Where will she find the files if they were not completely deleted from the system?

Question138: Which of the following standard represents a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases?

Question139: Harold wants to set up a firewall on his network but is not sure which one would be the most appropriate. He knows he needs to allow FTP traffic to one of the servers on his network, but he wants to only allow FTP-PUT. Which firewall would be most appropriate for Harold? needs?

Question140: During an investigation, an employee was found to have deleted harassing emails that were sent to someone else. The company was using Microsoft Exchange and had message tracking enabled. Where could the investigator search to find the message tracking log file on the Exchange server?

Question141: John is working as a computer forensics investigator for a consulting firm in Canad a. He is called to seize a computer at a local web caf purportedly used as a botnet server. John thoroughly scans the computer and finds nothing that would lead him to think the computer was a botnet server. John decides to scan the virtual memory of the computer to possibly find something he had missed. What information will the virtual memory scan produce?

Question142: Maria has executed a suspicious executable file In a controlled environment and wants to see if the file adds/modifies any registry value after execution via Windows Event Viewer. Which of the following event ID should she look for In this scenario?

Question143: A Linux system is undergoing investigation. In which directory should the investigators look for its current state data if the system is in powered on state?

Question144: In conducting a computer abuse investigation you become aware that the suspect of the investigation is using ABC Company as his Internet Service Provider (ISP). You contact ISP and request that they provide you assistance with your investigation. What assistance can the ISP provide?

Question145: What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer?

Question146: Which ISO Standard enables laboratories to demonstrate that they comply with quality assurance and provide valid results?

Question147: After suspecting a change in MS-Exchange Server storage archive, the investigator has analyzed it. Which of the following components is not an actual part of the archive?

Question148: What feature of Windows is the following command trying to utilize?

Question149: E-mail logs contain which of the following information to help you in your investigation? (Choose four.)

Question150: Which of the following tools is used to dump the memory of a running process, either immediately or when an error condition occurs?

Question151: What advantage does the tool Evidor have over the built-in Windows search?

Question152: Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company's network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?

Question153: Charles has accidentally deleted an important file while working on his Mac computer. He wants to recover the deleted file as it contains some of his crucial business secrets. Which of the following tool will help Charles?

Question154: ______allows a forensic investigator to identify the missing links during investigation.

Question155: Which of the following statements is true with respect to SSDs (solid-state drives)?

Question156: What is the primary function of the tool CHKDSK in Windows that authenticates the file system reliability of a volume?

Question157: What operating system would respond to the following command?

Question158: Which of the following techniques can be used to beat steganography?

Question159: Which code does the FAT file system use to mark the file as deleted?

Question160: Richard is extracting volatile data from a system and uses the command doskey/history. What is he trying to extract?

Question161: Raw data acquisition format creates _________ of a data set or suspect drive.

Question162: You are a security analyst performing a penetration tests for a company in the Midwest. After some initial reconnaissance, you discover the IP addresses of some Cisco routers used by the company. You type in the following URL that includes the IP address of one of the routers:
http://172.168.4.131/level/99/exec/show/config
After typing in this URL, you are presented with the entire configuration file for that router. What have you discovered?

Question163: What type of attack sends SYN requests to a target system with spoofed IP addresses?

Question164: Edgar is part of the FBI's forensic media and malware analysis team; he Is analyzing a current malware and Is conducting a thorough examination of the suspect system, network, and other connected devices. Edgar's approach Is to execute the malware code to know how It Interacts with the host system and Its Impacts on It. He is also using a virtual machine and a sandbox environment.
What type of malware analysis is Edgar performing?

Question165: James is dealing with a case regarding a cybercrime that has taken place in Arizona, USA.
James needs to lawfully seize the evidence from an electronic device without affecting the user's anonymity. Which of the following law should he comply with, before retrieving the evidence?

Question166: In which loT attack does the attacker use multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks?

Question167: According to RFC 3227, which of the following is considered as the most volatile item on a typical system?

Question168: When examining the log files from a Windows IIS Web Server, how often is a new log file created?

Question169: Which of these Windows utility help you to repair logical file system errors?

Question170: What method would be most efficient for you to acquire digital evidence from this network?

Question171: Which of the following is a tool to reset Windows admin password?

Question172: On NTFS file system, which of the following tools can a forensic Investigator use In order to identify timestomping of evidence files?

Question173: Debbie has obtained a warrant to search a known pedophiles house. Debbie went to the house and executed the search warrant to seize digital devices that have been recorded as being used for downloading Illicit Images. She seized all digital devices except a digital camer a. Why did she not collect the digital camera?

Question174: When Investigating a system, the forensics analyst discovers that malicious scripts were Injected Into benign and trusted websites. The attacker used a web application to send malicious code. In the form of a browser side script, to a different end-user. What attack was performed here?

Question175: Buffer overflow vulnerabilities, of web applications, occurs when the application fails to guard its buffer properly and allows writing beyond its maximum size. Thus, it overwrites the _________. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack.

Question176: Select the data that a virtual memory would store in a Windows-based system.

Question177: Wireless access control attacks aim to penetrate a network by evading WLAN access control measures such as AP MAC filters and Wi-Fi port access controls. Which of the following wireless access control attacks allow the attacker to set up a rogue access point outside the corporate perimeter and then lure the employees of the organization to connect to it?

Question178: Depending upon the jurisdictional areas, different laws apply to different incidents. Which of the following law is related to fraud and related activity in connection with computers?

Question179: Adam, a forensic investigator, is investigating an attack on Microsoft Exchange Server of a large organization. As the first step of the investigation, he examined the PRIV.EDB file and found the source from where the mail originated and the name of the file that disappeared upon execution. Now, he wants to examine the MIME stream content. Which of the following files is he going to examine?

Question180: When investigating a potential e-mail crime, what is your first step in the investigation?

Question181: Which part of the Windows Registry contains the user's password file?

Question182: A picture file is recovered from a computer under investigation. During the investigation process, the file is enlarged 500% to get a better view of its contents. The picture quality is not degraded at all from this process. What kind of picture is this file. What kind of picture is this file?

Question183: Brian needs to acquire data from RAID storage. Which of the following acquisition methods is recommended to retrieve only the data relevant to the investigation?

Question184: In the following directory listing,

Which file should be used to restore archived email messages for someone using Microsoft Outlook?

Question185: CAN-SPAM act requires that you:

Question186: An Employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the Employees Computer that was protected with the NTFS Encrypted File System (EFS) and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the Employee before he leaves the building and recover the floppy disks and secure his computer. Will you be able to break the encryption so that you can verify that that the employee was in possession of the proprietary information?

Question187: You have been called in to help with an investigation of an alleged network intrusion. After questioning the members of the company IT department, you search through the server log files to find any trace of the intrusion. After that you decide to telnet into one of the company routers to see if there is any evidence to be found. While connected to the router, you see some unusual activity and believe that the attackers are currently connected to that router. You start up an ethereal session to begin capturing traffic on the router that could be used in the investigation. At what layer of the OSI model are you monitoring while watching traffic to and from the router?

Question188: Data is striped at a byte level across multiple drives, and parity information is distributed among all member drives.

What RAID level is represented here?

Question189: In which implementation of RAID will the image of a Hardware RAID volume be different from the image taken separately from the disks?

Question190: Consider that you are investigating a machine running an Windows OS released prior to Windows Vist a. You are trying to gather information about the deleted files by examining the master database file named INFO2 located at C:\Recycler\<USER SID>\. You read an entry named "Dd5.exe". What does Dd5.exe mean?

Question191: Using Internet logging software to investigate a case of malicious use of computers, the investigator comes across some entries that appear odd.

From the log, the investigator can see where the person in question went on the Internet. From the log, it appears that the user was manually typing in different user ID numbers. What technique this user was trying?

Question192: Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?

Question193: What TCP/UDP port does the toolkit program netstat use?

Question194: Joshua is analyzing an MSSQL database for finding the attack evidence and other details, where should he look for the database logs?

Question195: Email archiving is a systematic approach to save and protect the data contained in emails so that it can be accessed fast at a later date. There are two main archive types, namely Local Archive and Server Storage Archive. Which of the following statements is correct while dealing with local archives?

Question196: Which of the following information is displayed when Netstat is used with -ano switch?

Question197: Which of the following is a precomputed table containing word lists like dictionary files and brute force lists and their hash values?

Question198: When investigating a Windows System, it is important to view the contents of the page or swap file because:

Question199: Under confession, an accused criminal admitted to encrypting child pornography pictures and then hiding them within other pictures. What technique did the accused criminal employ?

Question200: Which of the following should a computer forensics lab used for investigations have?

Question201: Which of the following statements is TRUE with respect to the Registry settings in the user start-up folder HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\.

Question202: During forensics investigations, investigators tend to collect the system time at first and compare it with UTC. What does the abbreviation UTC stand for?

Question203: Which of the following is NOT a part of pre-investigation phase?

Question204: Which of the following files store the MySQL database data permanently, including the data that had been deleted, helping the forensic investigator in examining the case and finding the culprit?

Question205: Which of the following is found within the unique instance ID key and helps investigators to map the entry from USBSTOR key to the MountedDevices key?

Question206: Stephen is checking an image using Compare Files by The Wizard, and he sees the file signature is shown as FF D8 FF E1. What is the file type of the image?

Question207: A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you are required to infer only what is explicit in the excerpt.
(Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)
03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111
TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23678634 2878772
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111
UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84
Len: 64
01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ................
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................
00 00 00 11 00 00 00 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773
UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104
Len: 1084
47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8

Question208: Which is a standard procedure to perform during all computer forensics investigations?

Question209: How often must a company keep log files for them to be admissible in a court of law?

Question210: Steve received a mail that seemed to have come from her bank. The mail has instructions for Steve to click on a link and provide information to avoid the suspension of her account. The link in the mail redirected her to a form asking for details such as name, phone number, date of birth, credit card number or PIN, CW code, SNNs, and email address. On a closer look, Steve realized that the URL of the form in not the same as that of her bank's. Identify the type of external attack performed by the attacker In the above scenario?

Question211: A company's policy requires employees to perform file transfers using protocols which encrypt traffic. You suspect some employees are still performing file transfers using unencrypted protocols because the employees don't like changes. You have positioned a network sniffer to capture traffic from the laptops used by employees in the data ingest department. Using Wireshark to examine the captured traffic, which command can be used as a display filter to find unencrypted file transfers?

Question212: When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

Question213: Hackers can gain access to Windows Registry and manipulate user passwords, DNS settings, access rights or others features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:

Question214: Which Federal Rule of Evidence speaks about the Hearsay exception where the availability of the declarant Is immaterial and certain characteristics of the declarant such as present sense Impression, excited utterance, and recorded recollection are also observed while giving their testimony?

Question215: In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

Question216: One way to identify the presence of hidden partitions on a suspect's hard drive is to:

Question217: Which "Standards and Criteria" under SWDGE states that "the agency must use hardware and software that are appropriate and effective for the seizure or examination procedure"?

Question218: Analyze the hex representation of mysql-bin.000013 file in the screenshot below. Which of the following will be an inference from this analysis?