Last Updated on July 20, 2021 by InfraExam
312-49 : Computer Hacking Forensic Investigator : Part 06
What information do you need to recover when searching a victim’s computer for a crime committed with specific e-mail message?
- Internet service provider information
- E-mail header
- Username and password
- Firewall log
Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool?
- A disk imaging tool would check for CRC32s for internal self-checking and validation and have MD5 checksum
- Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file
- A simple DOS copy will not include deleted files, file slack and other information
- There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector
You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacture. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO?
- the attorney-work-product rule
- Good manners
- Trade secrets
- ISO 17799
One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example, changing a .jpg extension to a .doc extension so that a picture file appears to be a document. What can an investigator examine to verify that a file has the correct extension?
- the File Allocation Table
- the file header
- the file footer
- the sector map
This organization maintains a database of hash signatures for known software.
- International Standards Organization
- Institute of Electrical and Electronics Engineers
- National Software Reference Library
- American National standards Institute
The ____________________ refers to handing over the results of private investigations to the authorities because of indications of criminal activity.
- Locard Exchange Principle
- Clark Standard
- Kelly Policy
- Silver-Platter Doctrine
You are working as Computer Forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm’s employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do?
- Inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned
- Inform the owner that conducting an investigation without a policy is a violation of the 4th amendment
- Inform the owner that conducting an investigation without a policy is a violation of the employee’s expectation of privacy
- Inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies
During the course of a corporate investigation, you find that an Employee is committing a crime.
Can the Employer file a criminal complaint with Police?
- Yes, and all evidence can be turned over to the police
- Yes, but only if you turn the evidence over to a federal law enforcement agency
- No, because the investigation was conducted without following standard police procedures
- No, because the investigation was conducted without warrant
____________________ is simply the application of Computer Investigation and analysis techniques in the interests of determining potential legal evidence.
- Network Forensics
- Computer Forensics
- Incident Response
- Event Reaction
What is the name of the Standard Linux Command that is also available as windows application that can be used to create bit-stream images?
To preserve digital evidence, an investigator should ____________________.
- Make two copies of each evidence item using a single imaging tool
- Make a single copy of each evidence item using an approved imaging tool
- Make two copies of each evidence item using different imaging tools
- Only store the original evidence item
Profiling is a forensics technique for analyzing evidence with the goal of identifying the perpetrator from their various activity. After a computer has been compromised by a hacker, which of the following would be most important in forming a profile of the incident?
- The manufacturer of the system compromised
- The logic, formatting and elegance of the code used in the attack
- The nature of the attack
- The vulnerability exploited in the incident
Printing under a Windows Computer normally requires which one of the following files types to be created?
An Expert witness give an opinion if:
- The Opinion, inferences or conclusions depend on special knowledge, skill or training not within the ordinary experience of lay jurors
- To define the issues of the case for determination by the finder of fact
- To stimulate discussion between the consulting expert and the expert witness
- To deter the witness form expanding the scope of his or her investigation beyond the requirements of the case
When using Windows acquisitions tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to:
- Automate Collection from image files
- Avoiding copying data from the boot partition
- Acquire data from host-protected area on a disk
- Prevent Contamination to the evidence drive
Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?
- Globally unique ID
- Microsoft Virtual Machine Identifier
- Personal Application Protocol
- Individual ASCII string
You have completed a forensic investigation case. You would like to destroy the data contained in various disks at the forensics lab due to sensitivity of the case. How would you permanently erase the data on the hard disk?
- Throw the hard disk into the fire
- Run the powerful magnets over the hard disk
- Format the hard disk multiple times using a low level disk utility
- Overwrite the contents of the hard disk with Junk data
You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message?
- The X509 Address
- The SMTP reply Address
- The E-mail Header
- The Host Domain Name
You are working as a Computer forensics investigator for a corporation on a computer abuse case. You discover evidence that shows the subject of your investigation is also embezzling money from the company. The company CEO and the corporate legal counsel advise you to contact law enforcement and provide them with the evidence that you have found. The law enforcement officer that responds requests that you put a network sniffer on your network and monitor all traffic to the subject’s computer. You inform the officer that you will not be able to comply with that request because doing so would:
- Violate your contract
- Cause network congestion
- Make you an agent of law enforcement
- Write information to the subject’s hard drive
A law enforcement officer may only search for and seize criminal evidence with _______________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists and the evidence of the specific crime exists at the place to be searched.
- Mere Suspicion
- A preponderance of the evidence
- Probable cause
- Beyond a reasonable doubt