Last Updated on July 20, 2021 by InfraExam
312-49 : Computer Hacking Forensic Investigator : Part 05
When you carve an image, recovering the image depends on which of the following skills?
- Recognizing the pattern of the header content
- Recovering the image from a tape backup
- Recognizing the pattern of a corrupt file
- Recovering the image from the tape backup
When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.
- A Capital X
- A Blank Space
- The Underscore Symbol
- The lowercase Greek Letter Sigma (s)
While working for a prosecutor, what do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense?
- Keep the information of file for later review
- Destroy the evidence
- Bring the information to the attention of the prosecutor, his or her supervisor or finally to the judge
- Present the evidence to the defense attorney
In Microsoft file structures, sectors are grouped together to form:
What type of file is represented by a colon (:) with a name following it in the Master File Table of NTFS disk?
- A compressed file
- A Data stream file
- An encrypted file
- A reserved file
An Employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the Employees Computer that was protected with the NTFS Encrypted File System (EFS) and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the Employee before he leaves the building and recover the floppy disks and secure his computer. Will you be able to break the encryption so that you can verify that that the employee was in possession of the proprietary information?
- EFS uses a 128-bit key that can’t be cracked, so you will not be able to recover the information
- When the encrypted file was copied to the floppy disk, it was automatically unencrypted, so you can recover the information.
- The EFS Revoked Key Agent can be used on the Computer to recover the information
- When the Encrypted file was copied to the floppy disk, the EFS private key was also copied to the floppy disk, so you can recover the information.
When examining a hard disk without a write-blocker, you should not start windows because Windows will write data to the:
- Recycle Bin
- Case files
You are called in to assist the police in an investigation involving a suspected drug dealer. The suspects house was searched by the police after a warrant was obtained and they located a floppy disk in the suspects bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you can use to obtain the password?
- Limited force and library attack
- Brute Force and dictionary Attack
- Maximum force and thesaurus Attack
- Minimum force and appendix Attack
When reviewing web logs, you see an entry for resource not found in the HTTP status code filed.
What is the actual error code that you would see in the log for resource not found?
Volatile Memory is one of the leading problems for forensics. Worms such as code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?
- Use VMware to be able to capture the data in memory and examine it
- Give the Operating System a minimal amount of memory, forcing it to use a swap file
- Create a Separate partition of several hundred megabytes and place the swap file there
- Use intrusion forensic techniques to study memory resident infections
You are working in the security Department of law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken and that fake email is possibility and that you can prove it. You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the company SMTP server?
This is original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.
- Master Boot Record (MBR)
- Master File Table (MFT)
- File Allocation Table (FAT)
- Disk Operating System (DOS)
What should you do when approached by a reporter about a case that you are working on or have worked on?
- Refer the reporter to the attorney that retained you
- Say, “no comment”
- Answer all the reporter’s questions as completely as possible
- Answer only the questions that help your case
Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file?
- Slack Space
A state department site was recently attacked and all the servers had their disks erased. The incident response team sealed the area and commenced investigation. During evidence collection they came across a zip disks that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they short listed possible suspects including three summer interns. Where did the incident team go wrong?
- They examined the actual evidence on an unrelated system
- They attempted to implicate personnel without proof
- They tampered with evidence by using it
- They called in the FBI without correlating with the fingerprint data
When investigating a Windows System, it is important to view the contents of the page or swap file because:
- Windows stores all of the systems configuration information in this file
- This is file that windows use to communicate directly with Registry
- A Large volume of data can exist within the swap file of which the computer user has no knowledge
- This is the file that windows use to store the history of the last 100 commands that were run from the command line
Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area, records the scene using visual media. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events?
- Connect the target media; prepare the system for acquisition; Secure the evidence; Copy the media
- Prepare the system for acquisition; Connect the target media; copy the media; Secure the evidence
- Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media
- Secure the evidence; prepare the system for acquisition; Connect the target media; copy the media
The use of warning banners helps a company avoid litigation by overcoming an employee assumed __________________________. When connecting to the company’s intranet, network or Virtual Private Network(VPN) and will allow the company’s investigators to monitor, search and retrieve information stored within the network.
- Right to work
- Right of free speech
- Right to Internet Access
- Right of Privacy
What does mactime, an essential part of the coroner’s toolkit do?
- It traverses the file system and produces a listing of all files based on the modification, access and change timestamps
- It can recover deleted file space and search it for data. However, it does not allow the investigator to preview them
- The tools scans for i-node information, which is used by other tools in the tool kit
- It is too specific to the MAC OS and forms a core component of the toolkit
One way to identify the presence of hidden partitions on a suspect’s hard drive is to:
- Add up the total size of all known partitions and compare it to the total size of the hard drive
- Examine the FAT and identify hidden partitions by noting an H in the partition Type field
- Examine the LILO and note an H in the partition Type field
- It is not possible to have hidden partitions on a hard drive