Last Updated on July 21, 2021 by InfraExam

312-49 : Computer Hacking Forensic Investigator : Part 11

  1. Your company’s network just finished going through a SAS 70 audit. This audit reported that overall, your network is secure, but there are some areas that need improvement. The major area was SNMP security. The audit company recommended turning off SNMP, but that is not an option since you have so many remote nodes to keep track of. What step could you take to help secure SNMP on your network?

    • Block all internal MAC address from using SNMP
    • Block access to UDP port 171
    • Block access to TCP port 171
    • Change the default community string names
  2. After attending a CEH security seminar, you make a list of changes you would like to perform on your network to increase its security. One of the first things you change is to switch the Restrict Anonymous setting from 0 to 1 on your servers. This, as you were told, would prevent anonymous users from establishing a null session on the server. Using the User info tool mentioned at the seminar, you succeed in establishing a null session with one of the servers. Why is that?

    • Restrict Anonymous must be set to “10” for complete security
    • Restrict Anonymous must be set to “3” for complete security
    • Restrict Anonymous must be set to “2” for complete security
    • There is no way to always prevent an anonymous null session from establishing
  3. In a virtual test environment, Michael is testing the strength and security of BGP using multiple routers to mimic the backbone of the Internet. This project will help him write his doctoral thesis on “bringing down the Internet”. Without sniffing the traffic between the routers, Michael sends millions of RESET packets to the routers in an attempt to shut one or all of them down. After a few hours, one of the routers finally shuts itself down. What will the other routers communicate between themselves?

    • The change in the routing fabric to bypass the affected router
    • More RESET packets to the affected router to get it to power back up
    • RESTART packets to the affected router to get it to power back up
    • STOP packets to all other routers warning of where the attack originated
  4. How many possible sequence number combinations are there in TCP/IP protocol?

    • 1 billion
    • 320 billion
    • 4 billion
    • 32 million
  5. Tyler is setting up a wireless network for his business that he runs out of his home. He has followed all the directions from the ISP as well as the wireless router manual. He does not have any encryption set and the SSID is being broadcast. On his laptop, he can pick up the wireless signal for short periods of time, but then the connection drops and the signal goes away.

    Eventually the wireless signal shows back up, but drops intermittently. What could be Tyler’s issue with his home wireless network?

    • Computers on his wired network
    • Satellite television
    • 2.4 GHz cordless phones
    • CB radio
  6. If a PDA is seized in an investigation while the device is turned on, what would be the proper procedure?

    • Keep the device powered on
    • Turn off the device immediately
    • Remove the battery immediately
    • Remove any memory cards immediately
  7. What hashing method is used to password protect Blackberry devices?

    • AES
    • RC5
    • MD5
    • SHA-1
  8. What layer of the OSI model do TCP and UDP utilize?

    • Data Link
    • Network
    • Transport
    • Session
  9. When making the preliminary investigations in a sexual harassment case, how many investigators are you recommended to have?

    • One
    • Two
    • Three
    • Four
  10. What type of equipment would a forensics investigator store in a StrongHold bag?

    • PDA
    • Backup tapes
    • Hard drives
    • Wireless cards
  11. If you are concerned about a high level of compression but not concerned about any possible data loss, what type of compression would you use?

    • Lossful compression
    • Lossy compression
    • Lossless compression
    • Time-loss compression
  12. When marking evidence that has been collected with the aa/ddmmyy/nnnn/zz format, what does the nnnn denote?

    • The year the evidence was taken
    • The sequence number for the parts of the same exhibit
    • The initials of the forensics analyst
    • The sequential number of the exhibits seized
  13. An investigator is searching through the firewall logs of a company and notices ICMP packets that are larger than 65,536 bytes. What type of activity is the investigator seeing?

    • Smurf
    • Ping of death
    • Fraggle
    • Nmap scan
  14. When carrying out a forensics investigation, why should you never delete a partition on a dynamic disk?

    • All virtual memory will be deleted
    • The wrong partition may be set to active
    • This action can corrupt the disk
    • The computer will be set in a constant reboot state
  15. When using an iPod and the host computer is running Windows, what file system will be used?

    • iPod+
    • HFS
    • FAT16
    • FAT32
  16. What is one method of bypassing a system BIOS password?

    • Removing the processor
    • Removing the CMOS battery
    • Remove all the system memory
    • Login to Windows and disable the BIOS password
  17. What technique used by Encase makes it virtually impossible to tamper with evidence once it has been acquired?

    • Every byte of the file(s) is given an MD5 hash to match against a master file
    • Every byte of the file(s) is verified using 32-bit CRC
    • Every byte of the file(s) is copied to three different hard drives
    • Every byte of the file(s) is encrypted using three different methods
  18. What must an investigator do before disconnecting an iPod from any type of computer?

    • Unmount the iPod
    • Mount the iPod
    • Disjoin the iPod
    • Join the iPod
  19. The following is a log file screenshot from a default installation of IIS 6.0.

    312-49 Part 11 Q19 001

    What time standard is used by IIS as seen in the screenshot?

    • UTC
    • GMT
    • TAI
    • UT
  20. A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?

    • Searching for evidence themselves would not have any ill effects
    • Searching could possibly crash the machine or device
    • Searching creates cache files, which would hinder the investigation
    • Searching can change date/time stamps