EC0-349 : ECCouncil Computer Hacking Forensic Investigator : Part 03

  1. What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer?

    • rootkit
    • key escrow
    • steganography
    • Offset
  2. During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding process. Therefore, you report this evidence. This type of evidence is known as:

    • Inculpatory evidence
    • Mandatory evidence
    • Exculpatory evidence
    • Terrible evidence
  3. If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector investigation and should be referred to law enforcement?

    • true
    • false
  4. What binary coding is used most often for e-mail purposes?

    • MIME
    • Uuencode
    • IMAP
    • SMTP
  5. If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

    • The system files have been copied by a remote attacker
    • The system administrator has created an incremental backup
    • The system has been compromised using a t0rnrootkit
    • Nothing in particular as these can be operational files
  6. From the following spam mail header, identify the host IP that sent this spam.

    From Tue Nov 27 17:27:11 2001
    Received: from (viruswall []) by
    (8.11.6/8.11.6) with ESMTP id
    fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT)
    Received: from ( []) by (8.12.1/8.12.1)
    with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT)
    Message-Id: >
    From: "china hotel web"
    To: "Shlam"
    Date: Tue, 27 Nov 2001 17:25:58 +0800
    MIME-Version: 1.0
    X-Priority: 3
    X-MSMail-Priority: Normal
    Reply-To: "china hotel web"

  7. If you plan to start up a suspect’s computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect’s hard drive by booting to the hard drive.

    • deltree command
    • CMOS
    • Boot.sys
    • Scandisk utility
  8. You are working for a local police department that services a population of 1,000,000 people and you have been given the task of building a computer forensics lab. How many law-enforcement computer investigators should you request to staff the lab?

    • 8
    • 1
    • 4
    • 2
  9. When obtaining a warrant, it is important to:

    • particularly describe the place to be searched and particularly describe the items to be seized
    • generally describe the place to be searched and particularly describe the items to be seized
    • generally describe the place to be searched and generally describe the items to be seized
    • particularly describe the place to be searched and generally describe the items to be seized
  10. What does the superblock in Linux define?

    • file system names
    • disk geometry
    • location of the first inode
    • available space
  11. Diskcopy is:

    • a utility by AccessData
    • a standard MS-DOS command
    • Digital Intelligence utility
    • dd copying tool

    diskcopy is a STANDARD DOS utility:

    C:\WINDOWS>diskcopy /?
    Copies the contents of one floppy disk to another.

  12. Sectors in hard disks typically contain how many bytes?

    • 256
    • 512
    • 1024
    • 2048
  13. Area density refers to:

    • the amount of data per disk
    • the amount of data per partition
    • the amount of data per square inch
    • the amount of data per platter
  14. Corporate investigations are typically easier than public investigations because:

    • the users have standard corporate equipment and software
    • the investigator does not have to get a warrant
    • the investigator has to get a warrant
    • the users can load whatever they want on their machines
  15. Which of the following should a computer forensics lab used for investigations have?

    • isolation
    • restricted access
    • open access
    • an entry log
  16. Jason is the security administrator of ACMA metal Corporation. One day he notices the company’s Oracle database server has been compromised and the customer information along with financial data has been stolen. The financial loss will be in millions of dollars if the database gets into the hands of the competitors. Jason wants to report this crime to the law enforcement agencies immediately.

    Which organization coordinates computer crimes investigations throughout the United States?

    • Internet Fraud Complaint Center
    • Local or national office of the U.S. Secret Service
    • Local or national office of the U.S. Secret Service
    • CERT Coordination Center
  17. Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks?

    • network-based IDS systems (NIDS)
    • host-based IDS systems (HIDS)
    • anomaly detection
    • signature recognition
  18. You should make at least how many bit-stream copies of a suspect drive?

    • 1
    • 2
    • 3
    • 4
  19. Why should you note all cable connections for a computer you want to seize as evidence?

    • to know what outside connections existed
    • in case other devices were connected
    • to know what peripheral devices exist
    • to know what hardware existed
  20. What header field in the TCP/IP protocol stack involves the hacker exploit known as the Ping of Death?

    • ICMP header field
    • TCP header field
    • IP header field
    • UDP header field