EC0-349 - ECCouncil Computer Hacking Forensic Investigator
Go back to ECCouncil
You have used a newly released forensic investigation tool, which doesnt meet the Daubert Test, during a case. The case has ended-up in court. What argument could the defense make to weaken your case?
The tool has not been reviewed and accepted by your peers
What operating system would respond to the following command?
If a suspect's computer is located in an area that may have toxic chemicals, you must
coordinate with the HAZMAT team
You work as a penetration tester for Hammond Security Consultants. You are currently working on a contract for the state government of California. Your next step is to initiate a DoS attack on their network. Why would you want to initiate a DoS attack on a system you are testing?
List weak points on their network
Which part of the Windows Registry contains the user's password file?
When examining a file with a Hex Editor, what space does the file header occupy?
the first several bytes of the file
A law enforcement officer may only search for and seize criminal evidence with ____________________, which are facts or circumstances that would lead a reasonable person to believe a crime has been committed or is about to be committed, evidence of the specific crime exists, and the evidence of the specific crime exists at the place to be searched.
Lance wants to place a honeypot on his network. Which of the following would be your recommendations?
Use it on a system in an external DMZ in front of the firewall
What happens when a file is deleted by a Microsoft operating system using the FAT file system?
only the reference to the file is removed from the FAT
When a file is deleted by Windows Explorer or through the MS-DOS Delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.
the lowercase Greek letter sigma (s)
In conducting a computer abuse investigation you become aware that the suspect of the investigation is using ABC Company as his Internet Service Provider (ISP). You contact the ISP and request that they provide you assistance with your investigation. What assistance can the ISP provide?
the ISP can investigate computer abuse committed by their employees, but must preserve the privacy of their customers and therefore cannot assist you without a warrant
Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?
If you discover a criminal act while investigating a corporate policy abuse, it becomes a public- sector investigation and should be referred to law enforcement?
The __________________________ refers to handing over the results of private investigations to the authorities because of indications of criminal activity.
The efforts to obtain information before a trial by demanding documents, depositions, questions and answers written under oath, written requests for admissions of fact, and examination of the scene is a description of what legal term?
Your company uses Cisco routers exclusively throughout the network. After securing the routers to the best of your knowledge, an outside security firm is brought in to assess the network security. Although they found very few issues, they were able to enumerate the model, OS version, and capabilities for all your Cisco routers with very little effort. Which feature will you disable to eliminate the ability to enumerate this information on your Cisco routers?
Cisco Discovery Protocol
George is performing security analysis for Hammond and Sons LLC. He is testing security vulnerabilities of their wireless network. He plans on remaining as "stealthy" as possible during the scan. Why would a scanner like Nessus is not recommended in this situation?
Nessus is too loud
When conducting computer forensic analysis, you must guard against _________ so that you remain focused on the primary job and insure that the level of work does not increase beyond what was originally expected.
Law enforcement officers are conducting a legal search for which a valid warrant was obtained. While conducting the search, officers observe an item of evidence for an unrelated crime that was not included in the warrant. The item was clearly visible to the officers and immediately identified as evidence. What is the term used to describe how this evidence is admissible?
plain view doctrine
You are called in to assist the police in an investigation involving a suspected drug dealer. The suspects house was searched by the police after a warrant was obtained and they located a floppy disk in the suspects bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you can use to obtain the password?
brute force and dictionary attack
Harold is a web designer who has completed a website for ghttech.net. As part of the maintenance agreement he signed with the client, Harold is performing research online and seeing how much exposure the site has received so far. Harold navigates to google.com and types in the following search. link:www.ghttech.net What will this search produce?
All sites that link to ghttech.net
In general, _________________ involves the investigation of data that can be retrieved from the hard disk or other disks of a computer by applying scientific methods to retrieve the data.
To test your website for vulnerabilities, you type in a Quotation mark (? for the username field. After you click Ok, you receive the following error message window: What can you infer from this error window?
SQL injection is possible
You are running known exploits against your network to test for possible vulnerabilities. To test the strength of your virus software, you load a test network to mimic your production network. Your software successfully blocks some simple macro and encrypted viruses. You decide to really test the software by using virus code where the code rewrites itself entirely and the signatures change from child to child, but the functionality stays the same. What type of virus is this that you are testing?
Which of the following filesystem is used by Mac OS X?
You setup SNMP in multiple offices of your company. Your SNMP software manager is not receiving data from other offices like it is for your main office. You suspect that firewall changes are to blame. What ports should you open for SNMP to work through Firewalls (Select 2)
One way to identify the presence of hidden partitions on a suspects hard drive is to:
add up the total size of all known partitions and compare it to the total size of the hard drive
What file structure database would you expect to find on floppy disks?
When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?
If you plan to startup a suspect's computer, you must modify the ___________ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive.
Which of the following should a computer forensics investigations lab have?
An expert witness may give an opinion if:
the opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the ordinary experience of lay jurors
How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?
When investigating a potential e-mail crime, what is your first step in the investigation?
Trace the IP address to its origin
Corporate investigations are typically easier than public investigations because
the investigator does not have to get a warrant
You are a security analyst performing reconnaissance on a company you will be carrying out a penetration test for. You conduct a search for IT jobs on Dice.com and find the following information for an open position: 7+ years experience in Windows Server environment 5+ years experience in Exchange 2000/2003 environment Experience with Cisco Pix Firewall, Linksys 1376 router, Oracle 11i and MYOB v3.4 Accounting software are reQuired MCSA desired, MCSE, CEH preferred No Unix/Linux Experience needed What is this information posted on the job website considered?
You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?
The MD5 program is used to:
verify that a disk is not altered when you examine it
What does the superblock in Linux define?
location of the firstinode
Harold wants to set up a firewall on his network but is not sure which one would be the most appropriate. He knows he needs to allow FTP traffic to one of the servers on his network, but he wants to only allow FTP-PUT. Which firewall would be most appropriate for Harold? needs?
Application-level proxy firewall
How many sectors will a 125 KB file use in a FAT32 file system?
Paulette works for an IT security consulting company that is currently performing an audit for the firm ACE Unlimited. Paulette's duties include logging on to all the company's network equipment to ensure IOS versions are up-to-date and all the other security settings are as stringent as possible. Paulette presents the following screenshot to her boss so he can inform the client about necessary changes need to be made. From the screenshot, what changes should the client company make?
Remove any identifying numbers, names, or version information
Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool?
A simple DOS copy will not include deleted files, file slack and other information
Frank is working on a vulnerability assessment for a company on the West coast. The company hired Frank to assess its network security through scanning, pen tests, and vulnerability assessments. After discovering numerous known vulnerabilities detected by a temporary IDS he set up, he notices a number of items that show up as unknown but Questionable in the logs. He looks up the behavior on the Internet, but cannot find anything related. What organization should Frank submit the log to find out if it is a new vulnerability or not?
In a virtual test environment, Michael is testing the strength and security of BGP using multiple routers to mimic the backbone of the Internet. This project will help him write his doctoral thesis on "bringing down the Internet". Without sniffing the traffic between the routers, Michael sends millions of RESET packets to the routers in an attempt to shut one or all of them down. After a few hours, one of the routers finally shuts itself down. What will the other routers communicate between themselves?
The change in the routing fabric to bypass the affected router
A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation? Choose the most feasible option.
Image the disk and try to recover deleted files
When you carve an image, recovering the image depends on which of the following skills?
recognizing the pattern of the header content
An "idle" system is also referred to as what?
An employee is suspected of stealing proprietary information belonging to your company that he had no rights to possess. The information was stored on the employees computer that was protected with the NTFS Encrypted File System (EFS) and you had observed him copy the files to a floppy disk just before leaving work for the weekend. You detain the employee before he leaves the building and recover the floppy disk and secure his computer. Will you be able to break the encryption so that you can verify that the employee was in possession of the proprietary information?
When the encrypted file was copied to the floppy disk, it was automatically unencrypted, so you can recover the information.
In the context of file deletion process, which of the following statement holds true?
While booting, the machine may create temporary files that can delete evidence