312-49 : Computer Hacking Forensic Investigator : Part 22

312-49 : Computer Hacking Forensic Investigator : Part 22

1. Which of the following statements is incorrect when preserving digital evidence?

   • Verify if the monitor is in on, off, or in sleep mode
   • Turn on the computer and extract Windows event viewer log files
   • Remove the plug from the power router or modem
   • Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals

2. Which of the following ISO standard defines file systems and protocol for exchanging data between optical disks?

   • ISO 9660
   • ISO/IEC 13940
   • ISO 9060
   • IEC 3490

3. Lynne receives the following email:

   Dear [email protected]! We are sorry to inform you that your ID has been temporarily frozen due to incorrect or missing information saved at 2016/11/10 20:40:24

   You have 24 hours to fix this problem or risk to be closed permanently!

   To proceed Please Connect >> My Apple ID

   Thank You The link to My Apple ID shows http://byggarbetsplatsen.se/backup/signon/

   What type of attack is this?

   • Mail Bombing
   • Phishing
   • Email Spamming
   • Email Spoofing

4. What value of the “Boot Record Signature” is used to indicate that the boot-loader exists?

   • AA55
   • 00AA
   • AA00
   • A100

5. Which of the following is a MAC-based File Recovery Tool?

   • VirtualLab
   • GetDataBack
   • Cisdem DataRecovery 3
   • Smart Undeleter

6. Smith, an employee of a reputed forensic investigation firm, has been hired by a private organization to investigate a laptop that is suspected to be involved in the hacking of the organization’s DC server. Smith wants to find all the values typed into the Run box in the Start menu. Which of the following registry keys will Smith check to find the above information?

   • TypedURLs key
   • MountedDevices key
   • UserAssist Key
   • RunMRU key

7. When analyzing logs, it is important that the clocks of all the network devices are synchronized. Which protocol will help in synchronizing these clocks?

   • UTC
   • PTP
   • Time Protocol
   • NTP

8. An International Mobile Equipment Identifier (IMEI) is a 15-digit number that indicates the manufacturer, model type, and country of approval for GSM devices. The first eight digits of an IMEI number that provide information about the model and origin of the mobile device is also known as:

   • Type Allocation Code (TAC)
   • Integrated Circuit Code (ICC)
   • Manufacturer Identification Code (MIC)
   • Device Origin Code (DOC)

9. Which of the following is NOT an anti-forensics technique?

   • Data Deduplication
   • Steganography
   • Encryption
   • Password Protection

10. Rusty, a computer forensics apprentice, uses the command nbtstat –c while analyzing the network information in a suspect system. What information is he looking for?

    • Contents of the network routing table
    • Status of the network carrier
    • Contents of the NetBIOS name cache
    • Network connections

11. Gary, a computer technician, is facing allegations of abusing children online by befriending them and sending them illicit adult images from his office computer. What type of investigation does this case require?

    • Administrative Investigation
    • Criminal Investigation
    • Both Criminal and Administrative Investigation
    • Civil Investigation

12. The Apache server saves diagnostic information and error messages that it encounters while processing requests. The default path of this file is usr/local/apache/logs/error.log in Linux. Identify the Apache error log from the following logs.

    • http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..% c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1
    • [Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /export/home/live/ap/htdocs/test
    • 127.0.0.1 – frank [10/Oct/2000:13:55:36 -0700]”GET /apache_pb.gif HTTP/1.0″ 200 2326
    • 127.0.0.1 – – [10/Apr/2007:10:39:11 +0300] ] [error] “GET /apache_pb.gif HTTP/1.0” 200 2326

13. Tasklist command displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer. Which of the following tasklist commands provides information about the listed processes, including the image name, PID, name, and number of the session for the process?

    • tasklist /p
    • tasklist /v
    • tasklist /u
    • tasklist /s

14. Which part of Metasploit framework helps users to hide the data related to a previously deleted file or currently unused by the allocated file.

    • Waffen FS
    • RuneFS
    • FragFS
    • Slacker

15. Which one of the following is not a first response procedure?

    • Preserve volatile data
    • Fill forms
    • Crack passwords
    • Take photos

16. Graphics Interchange Format (GIF) is a ____ RGB bitmap image format for images with up to 256 distinct colors per frame.

    • 8-bit
    • 32-bit
    • 16-bit
    • 24-bit

17. Hard disk data addressing is a method of allotting addresses to each _______ of data on a hard disk.

    • Physical block
    • Operating system block
    • Hard disk block
    • Logical block

18. Which of the following standard represents a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases?

    • SWGDE & SWGIT
    • Daubert
    • Frye
    • IOCE

19. Event correlation is the process of finding relevance between the events that produce a final result. What type of correlation will help an organization to correlate events across a set of servers, systems, routers and network?

    • Same-platform correlation
    • Network-platform correlation
    • Cross-platform correlation
    • Multiple-platform correlation

20. What malware analysis operation can the investigator perform using the jv16 tool?

    • Files and Folder Monitor
    • Installation Monitor
    • Network Traffic Monitoring/Analysis
    • Registry Analysis/Monitoring