312-49 - Computer Hacking Forensic Investigator
Go back to
ECCouncil
Example Questions
Sectors in hard disks typically contain how many bytes?
512
In Windows 7 system files, which file reads the Boot.ini file and loads Ntoskrnl.exe. Bootvid.dll. Hal.dll, and boot-start device drivers?
Ntldr
What does the superblock in Linux define?
location of the firstinode
John is using Firewalk to test the security of his Cisco PIX firewall. He is also utilizing a sniffer located on a subnet that resides deep inside his network. After analyzing the sniffer log files, he does not see any of the traffic produced by Firewalk. Why is that?
Firewalk sets all packets with a TTL of one
Windows Security Accounts Manager (SAM) is a registry file which stores passwords in a hashed format. SAM file in Windows is located at:
C:\windows\system32\config\SAM
Data acquisition system is a combination of tools or processes used to gather, analyze and record Information about some phenomenon. Different data acquisition system are used depends on the location, speed, cost. etc. Serial communication data acquisition system is used when the actual location of the data is at some distance from the computer. Which of the following communication standard is used in serial communication data acquisition system?
RS232
The police believe that Mevin Matthew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers, and educational institutions. They also suspect that he has been stealing, copying, and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspect door and searching his home and seizing all of his computer equipment if they haveis preventing the police from breaking down the suspect? door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant?
The Fourth Amendment
You have been given the task to investigate web attacks on a Windows-based server. Which of the following commands will you use to look at which sessions the machine has opened with other systems?
Net use
Attacker uses vulnerabilities in the authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me. secret question, account update etc. to impersonate users, if a user simply closes the browser without logging out from sites accessed through a public computer, attacker can use the same browser later and exploit the user's privileges. Which of the following vulnerability/exploitation is referred above?
Timeout Exploitation
When NTFS Is formatted, the format program assigns the __________ sectors to the boot sectors and to the bootstrap code
First 16
Terri works for a security consulting firm that is currently performing a penetration test on First National Bank in Tokyo. Terri's duties include bypassing firewalls and switches to gain access to the network. Terri sends an IP packet to one of the company's switches with ACK bit and the source address of her machine set. What is Terri trying to accomplish by sending this IP packet?
Trick the switch into thinking it already has a session with Terri's computer
Which of the following Wi-Fi chalking methods refers to drawing symbols in public places to advertise open Wi-Fi networks?
WarChalking
Which is not a part of environmental conditions of a forensics lab?
Open windows facing the public road
Computer forensics report provides detailed information on complete computer forensics investigation process. It should explain how the incident occurred, provide technical details of the incident and should be clear to understand. Which of the following attributes of a forensics report can render it inadmissible in a court of law?
It is based on logical assumptions about the incident timeline
Area density refers to:
the amount of data per disk
What operating system would respond to the following command?
FreeBSD
Which of the following statements is incorrect related to acquiring electronic evidence at crime scene?
At the time of seizing process, you need to shut down the computer immediately
You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation. Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?
The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.
Which of the following email headers specifies an address for mailer-generated errors, like "no such user" bounce messages, to go to (instead of the sender's address)?
Errors-To header
Which is a standard procedure to perform during all computer forensics investigations?
With the hard drive removed from the suspect PC, check the date and time in the system CMOSWith the hard drive removed from the suspect PC, check the date and time in the system? CMOS
You are the network administrator for a small bank in Dallas, Texas. To ensure network security, you enact a security policy that reQuires all users to have 14 character passwords. After giving your users 2 weeks notice, you change the Group Policy to force 14 character passwords. A week later you dump the SAM database from the standalone server and run a password-cracking tool against it. Over 99% of the passwords are broken within an hour. Why were these passwords cracked so Quickly?
Passwords of 14 characters or less are broken up into two 7-character hashes
What is static executable file analysis?
It is a process that consists of collecting information about and from an executable file without actually launching the file under any circumstances
Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox, or overwhelm the server where the email address is hosted, to cause a denial-of-service attack?
Mail bombing
What must be obtained before an investigation is carried out at a location?
Search warrant
If you discover a criminal act while investigating a corporate policy abuse, it becomes a public- sector investigation and should be referred to law enforcement?
true
International Mobile Equipment Identifier (IMEI) is a 15-dlgit number that indicates the manufacturer, model type, and country of approval for GSM devices. The first eight digits of an IMEI number that provide information about the model and origin of the mobile device is also known as:
Type Allocation Code (TAC)
To preserve digital evidence, an investigator should ____________________
Make two copies of each evidence item using different imaging tools
Which of the following password cracking techniques works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password?
Hybrid attack
In what circumstances would you conduct searches without a warrant?
When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity
In the context of file deletion process, which of the following statement holds true?
While booting, the machine may create temporary files that can delete evidence
Wi-Fi Protected Access (WPA) is a data encryption method for WLANs based on 802.11 standards. Temporal Key Integrity Protocol (TKIP) enhances WEP by adding a rekeying mechanism to provide fresh encryption and integrity keys. Temporal keys are changed for every____________.
10.000 packets
The efforts to obtain information before a trial by demanding documents, depositions, questions and answers written under oath, written requests for admissions of fact, and examination of the scene is a description of what legal term?
Discovery
Damaged portions of a disk on which no read/Write operation can be performed is known as ______________.
Bad sector
E-mail logs contain which of the following information to help you in your investigation? (Select up to 4)
user account that was used to send the account
unique message identifier
contents of the e-mail message
date and time the message was sent
An "idle" system is also referred to as what?
Zombie
The status of the network interface cards (NICs) connected to a system gives information about whether the system is connected to a wireless access point and what IP address is being used. Which command displays the network configuration of the NICs on the system?
ipconfig /all
When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.
The lowercase Greek Letter Sigma (s)
You are working on a thesis for your doctorate degree in Computer Science. Your thesis is based on HTML, DHTML, and other web-based languages and how they have evolved over the years. You navigate to archive. org and view the HTML code of news.com. You then navigate to the current news.com website and copy over the source code. While searching through the code, you come across something abnormal: What have you found?
Web bug
Jim performed a vulnerability analysis on his network and found no potential problems. He runs another utility that executes exploits against his system to verify the results of the vulnerability test. The second utility executes five known exploits against his network in which the vulnerability analysis said were not exploitable. What kind of results did Jim receive from his vulnerability analysis?
False negatives
Data Acquisition is the process of imaging or otherwise obtaining information from a digital device and its peripheral equipment and media
True
Which table is used to convert huge word lists (i .e. dictionary files and brute-force lists) into password hashes?
Rainbow tables
What is the first step that needs to be carried out to investigate wireless attacks?
Obtain a search warrant
What is a good security method to prevent unauthorized users from "tailgating"?
Man trap
You have used a newly released forensic investigation tool, which doesn't meet the Daubert Test, during a case. The case has ended-up in court. What argument could the defense make to weaken your case?
The total has not been reviewed and accepted by your peers
Which of the following steganography types hides the secret message in a specifically designed pattern on the document that is unclear to the average reader?
Open code steganography
With Regard to using an Antivirus scanner during a computer forensics investigation, You should:
Scan your Forensics workstation before beginning an investigation
It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner?
only one
Billy, a computer forensics expert, has recovered a large number of DBX files during forensic investigation of a laptop. Which of the following email clients he can use to analyze the DBX files?
Microsoft Outlook Express
Which of the following commands shows you the username and IP address used to access the system via a remote login session and the Type of client from which they are accessing the system?
Net sessions
Depending upon the Jurisdictional areas, different laws apply to different incidents. Which of the following law is related to fraud and related activity in connection with computers?
18 USC 7030
Study Guides