EC0-349 : ECCouncil Computer Hacking Forensic Investigator : Part 07

  1. The police believe that Melvin Matthew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers and Educational Institutions. They also suspect that he has been stealing, copying and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspect's door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant?

    • The Fourth Amendment
    • The USA PATRIOT Act
    • The Good Samaritan Laws
    • The Federal Rules of Evidence
  2. When cataloging digital evidence, the primary goal is to

    • Make bit-stream images of all hard drives
    • Preserve evidence integrity
    • Not remove the evidence from the scene
    • Not allow the computer to be turned off
  3. You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents. Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer?

    • Stringsearch
    • grep
    • dir
    • vim
  4. As a CHFI professional, which of the following is the most important to your professional reputation?

    • Your Certifications
    • The correct, successful management of each and every case
    • The fee that you charge
    • The friendship of local law enforcement officers
  5. In conducting a computer abuse investigation you become aware that the suspect of the investigation is using ABC Company as his Internet Service Provider (ISP). You contact the ISP and request that they provide you assistance with your investigation. What assistance can the ISP provide?

    • The ISP can investigate anyone using their service and can provide you with assistance
    • The ISP can investigate computer abuse committed by their employees, but must preserve the privacy of their customers and therefore cannot assist you without a warrant
    • The ISP can’t conduct any type of investigations on anyone and therefore can’t assist you
    • ISPs never maintain log files so they would be of no use to your investigation
  6. You are assisting in the investigation of a possible Web Server Hack. The company who called you stated that customers reported to them that whenever they entered the web address of the company in their browser, what they received was a pornographic web site. The company checked the web server and nothing appears wrong. When you type in the IP address of the web site in your browser everything appears normal. What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those servers directing users to the wrong web site?

    • ARP Poisoning
    • DNS Poisoning
    • HTTP redirect attack
    • IP Spoofing
  7. You are working as an independent computer forensics investigator and receive a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a simple backup copy of the hard drive in the PC and put it on this drive and requests that you examine that drive for evidence of the suspected images. You inform him that a simple backup copy will not provide deleted files or recover file fragments.

    What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings?

    • Bit-stream Copy
    • Robust Copy
    • Full backup Copy
    • Incremental Backup Copy
  8. Law enforcement officers are conducting a legal search for which a valid warrant was obtained.

    While conducting the search, officers observe an item of evidence for an unrelated crime that was not included in the warrant. The item was clearly visible to the officers and immediately identified as evidence. What is the term used to describe how this evidence is admissible?

    • Plain view doctrine
    • Corpus delicti
    • Locard Exchange Principle
    • Ex Parte Order
  9. Microsoft Outlook maintains email messages in a proprietary format in what type of file?

    • .email
    • .mail
    • .pst
    • .doc
  10. The efforts to obtain information before a trial by demanding documents, depositions, questions and answers written under oath, written requests for admissions of fact and examination of the scene is a description of what legal term?

    • Detection
    • Hearsay
    • Spoliation
    • Discovery
  11. The rule of thumb when shutting down a system is to pull the power plug. However, it has certain drawbacks. Which of the following would that be?

    • Any data not yet flushed to the system will be lost
    • All running processes will be lost
    • The /tmp directory will be flushed
    • Power interruption will corrupt the pagefile
  12. You are a computer forensics investigator working with the local police department and you are called to assist in an investigation of threatening emails. The complainant has printed out 27 email messages from the suspect and gives the printouts to you. You inform her that you will need to examine her computer because you need access to the _________________________ in order to track the emails back to the suspect.

    • Routing Table
    • Firewall log
    • Configuration files
    • Email Header
  13. Hackers can gain access to Windows Registry and manipulate user passwords, DNS settings, access rights or other features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:

    • HKEY_LOCAL_MACHINE\hardware\windows\start
    • HKEY_LOCAL_USERS\Software\Microsoft\old\Version\Load
    • HKEY_CURRENT_USER\Microsoft\Default
    • HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run
  14. Which of the following file systems is used by Mac OS X?

    • EFS
    • HFS+
    • EXT2
    • NFS
  15. When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

    • Passive IDS
    • Active IDS
    • Progressive IDS
    • NIPS
  16. Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company’s network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?

    • Send DOS commands to crash the DNS servers
    • Perform DNS poisoning
    • Perform a zone transfer
    • Enumerate all the users in the domain
  17. What will the following command produce on a website login page? SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]'; DROP TABLE members; --'

    • Deletes the entire members table
    • Inserts the Error! Reference source not address into the members table
    • Retrieves the password for the first user in the members table
    • This command will not produce anything since the syntax is incorrect
  18. You set up SNMP in multiple offices of your company. Your SNMP software manager is not receiving data from other offices like it is for your main office. You suspect that firewall changes are to blame. What ports should you open for SNMP to work through Firewalls? (Choose two.)

    • 162
    • 161
    • 163
    • 160
  19. You are carrying out the last round of testing for your new website before it goes live. The website has many dynamic pages and connects to a SQL backend that accesses your product inventory in a database. You come across a web security site that recommends inputting the following code into a search field on web pages to check for vulnerabilities: When you type this and click on search, you receive a pop-up window that says: “This is a test.”

    What is the result of this test?

    • Your website is vulnerable to CSS
    • Your website is not vulnerable
    • Your website is vulnerable to SQL injection
    • Your website is vulnerable to web bugs
  20. If an attacker’s computer sends an IPID of 31400 to a zombie computer on an open port in IDLE scanning, what will be the response?

    • The zombie will not send a response
    • 31402
    • 31399
    • 31401