312-49 : Computer Hacking Forensic Investigator : Part 25

  1. In which registry does the system store the Microsoft security IDs?

    • HKEY_CLASSES_ROOT (HKCR)
    • HKEY_CURRENT_CONFIG (HKCC)
    • HKEY_CURRENT_USER (HKCU)
    • HKEY_LOCAL_MACHINE (HKLM)
  2. An investigator has extracted the device descriptor for a 1GB thumb drive that looks like: Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15. What does the “Geek_Squad” part represent?

    • Product description
    • Manufacturer Details
    • Developer description
    • Software or OS used
  3. Which of the following Perl scripts will help an investigator to access the executable image of a process?

    • Lspd.pl
    • Lpsi.pl
    • Lspm.pl
    • Lspi.pl
  4. Which of the following attack uses HTML tags like <script></script>?

    • Phishing
    • XSS attack
    • SQL injection
    • Spam
  5. Examination of a computer by a technically unauthorized person will almost always result in:

    • Rendering any evidence found inadmissible in a court of law
    • Completely accurate results of the examination
    • The chain of custody being fully maintained
    • Rendering any evidence found admissible in a court of law
  6. Adam, a forensic analyst, is preparing VMs for analyzing a malware. Which of the following is NOT a best practice?

    • Isolating the host device
    • Installing malware analysis tools
    • Using network simulation tools
    • Enabling shared folders
  7. The Recycle Bin exists as a metaphor for throwing files away, but it also allows a user to retrieve and restore files. Once the file is moved to the recycle bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle Bin?

    • INFO2
    • INFO1
    • LOGINFO1
    • LOGINFO2
  8. During an investigation of an XSS attack, the investigator comes across the term “[a-zA-Z0-9\%]+” in analyzed evidence details. What is the expression used for?

    • Checks for upper and lower-case alphanumeric string inside the tag, or its hex representation
    • Checks for forward slash used in HTML closing tags, its hex or double-encoded hex equivalent
    • Checks for opening angle bracket, its hex or double-encoded hex equivalent
    • Checks for closing angle bracket, hex or double-encoded hex equivalent
  9. Which among the following search warrants allows the first responder to search and seize the victim’s computer components such as hardware, software, storage devices, and documentation?

    • John Doe Search Warrant
    • Citizen Informant Search Warrant
    • Electronic Storage Device Search Warrant
    • Service Provider Search Warrant
  10. Centralized binary logging is a process in which many websites write binary and unformatted log data to a single log file. What extension should the investigator look to find its log file?

    • .cbl
    • .log
    • .ibl
    • .txt
  11. Where should the investigator look for the Edge browser’s browsing records, including history, cache, and cookies?

    • ESE Database
    • Virtual Memory
    • Sparse files
    • Slack Space
  12. Which of the following setups should a tester choose to analyze malware behavior?

    • A virtual system with internet connection
    • A normal system without internet connect
    • A normal system with internet connection
    • A virtual system with network simulation for internet connection
  13. A Linux system is undergoing investigation. In which directory should the investigators look for its current state data if the system is in powered on state?

    • /auth
    • /proc
    • /var/log/debug
    • /var/spool/cron/
  14. What is the purpose of using Obfuscator in malware?

    • Execute malicious code in the system
    • Avoid encryption while passing through a VPN
    • Avoid detection by security mechanisms
    • Propagate malware to other connected devices
  15. Which of the following commands shows you the username and IP address used to access the system via a remote login session and the type of client from which they are accessing the system?

    • Net config
    • Net sessions
    • Net share
    • Net stat
  16. Which of the following is a federal law enacted in the US to control the ways that financial institutions deal with the private information of individuals?

    • SOX
    • HIPAA 1996
    • GLBA
    • PCI DSS
  17. UEFI is a specification that defines a software interface between an OS and platform firmware. Where does this interface store information about files present on a disk?

    • BIOS-MBR
    • GUID Partition Table (GPT)
    • Master Boot Record (MBR)
    • BIOS Parameter Block
  18. You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a “simple backup copy” of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a “simple backup copy” will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceeding?

    • Robust copy
    • Incremental backup copy
    • Bit-stream copy
    • Full backup copy
  19. Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted so as to cause a denial-of-service attack?

    • Email spamming
    • Phishing
    • Email spoofing
    • Mail bombing
  20. Gill is a computer forensics investigator who has been called upon to examine a seized computer. This computer, according to the police, was used by a hacker who gained access to numerous banking institutions to steal customer information. After preliminary investigations, Gill finds in the computer’s log files that the hacker was able to gain access to these banks through the use of Trojan horses. The hacker then used these Trojan horses to obtain remote access to the companies’ domain controllers. From this point, Gill found that the hacker pulled off the SAM files from the domain controllers to then attempt and crack network passwords. What is the most likely password cracking technique used by this hacker to break the user passwords from the SAM files?

    • Syllable attack
    • Hybrid attack
    • Brute force attack
    • Dictionary attack