CHFI Assessment Flashcards

1
Q

The Scientific Working Group on Digital Evidence (SWGDE) has defined standards and criteria for the exchange of digital evidence. Which of these SWGDE standards and criteria states that “Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner”?

A

Standards and Criteria 1.3

2
Q

Analysis is the process of interpreting the extracted data to determine their significance to the case. The result of which analysis may indicate the additional steps that need to be taken in the extraction and analysis processes?

A

Application and File Analysis

3
Q

What is the smallest allocation unit of a hard disk, which contains a set of tracks and sectors ranging from 2 to 32, or more, depending on the formatting scheme?

A

Cluster

4
Q

A file system is a set of data types employed for the storage, hierarchical categorization, management, navigation, access, and recovery of data. What type of file system is one in which a number of systems (servers) have access to the same external disk subsystem?

A

Shared Disk File Systems

5
Q

Major file systems include FAT, NTFS, HFS, Ext2, Ext3, etc. Identify the correct statement for the FAT file system:

A

Does not support file system recovery

6
Q

Redundant Array of Inexpensive Disks (RAID) is a technology that uses multiple smaller disks simultaneously so that they function as a single large volume. In what RAID level is disk mirroring done?

A

RAID Level 1

7
Q

During live response, you can retrieve and analyze much of the information in the Registry, and the complete data during post-mortem investigation. Which registry Hive contains configuration information relating to which application is used to open various files on the system?

A

HKEY_CLASSES_ROOT

8
Q

Registry keys that track a user’s activities can be found in the NTUSER.DAT file. When a user performs a particular action, the registry key's LastWrite time is updated. These registry keys track the user’s activity and add or modify timestamp information associated with the Registry values; this timestamp information is maintained in the value data. Important dates are available in the contents of the binary data for the F value, such as time/date stamps represented as 64-bit FILETIME objects. What do bytes 24-31 represent?

A

Represents the date that the password was last reset

9
Q

FTP stands for File Transfer Protocol, and an FTP server sends and receives files using FTP. What description does the FTP sc-status error code 1xx give?

A

Positive Preliminary Replies

10
Q

Data acquisition is the process of imaging or otherwise obtaining information from a digital device and its peripheral equipment and media. The type of data acquisition defined as acquiring data that remains unaltered when the system is powered off or shut down is known as:

A

Static Acquisition

11
Q

Forensic investigators use the built-in Linux command dd to copy data from a disk drive. The “dd” command can copy the data from any disk that Linux can mount and access. What is the syntax for copying one hard disk partition to another hard disk?

A

dd if=/dev/sda2 of=/dev/sdb2 bs=4096 conv=notrunc,noerror

12
Q

EnCase Forensic provides a variety of software modules that put powerful investigative tools at the disposal of forensic investigators. What EnCase Forensic software module allows investigators to mount computer evidence as a local drive for examination through Windows Explorer?

A

Physical Disk Emulator (PDE)

13
Q

An evidence case has a tripartite structure consisting of an evidence file, a case file, and EnCase configuration files. By default, a backup copy of the case file is saved every 10 minutes. What option can be used to disable the autosave function?

A

0

14
Q

“EnCase has built-in capabilities to view all file types”. True/False

A

False

15
Q

The file content of evidence files can be viewed using the View Pane. The View Pane provides several tabs to view file content. What tab provides native views of formats supported by Oracle Outside In technology?

A

Doc tab

16
Q

EnCase allows you to bookmark any content displayed in the View pane. Bookmarks are stored in their associated case file and can be viewed by selecting the Bookmarks tab. When does a file group bookmark get created?

A

If more than one file is selected in the Entries table.

17
Q

What attack technique is the combination of both a brute-force attack and a dictionary attack to crack a password?

A

Syllable Attack

18
Q

Wireless communication is the transfer of information between two or more points that are not physically connected. What wireless standard has a bandwidth of up to 54 Mbps and signals in a regulated frequency spectrum around 5 GHz?

A

802.11a

19
Q

It is essential to understand the laws that apply to the investigation, including internal organizational policies, before starting the investigation process. Identify Rule 901 of forensic laws:

A

Requirement of authentication or identification.

20
Q

ETI investigation can be used to show that individuals commit crimes in furtherance of the criminal enterprise. What does ETI stand for?

A

Enterprise Theory of Investigation

21
Q

A methodical series of techniques and procedures for gathering evidence from computing equipment and various storage devices and digital media is referred to as computer forensics. The person who is responsible for authorizing a policy or procedure for the investigation process is referred to as what?

A

Decision Maker

22
Q

What is a legal document that demonstrates the progression of evidence as it travels from original evidence location to the forensic laboratory?

A

Chain of Custody

23
Q

John is a Forensic Investigator working for Rodridge Corp. He started investigating a forensic case and has collected some evidence. Now John wants to use this evidence for further analysis. What should John do?

A

He should not use the original evidence he has collected.

24
Q

Digital evidence must have certain characteristics to be admitted in a court of law. The statement “Evidence must be related to the fact being proved” defines what characteristic?

A

Admissible

25
Q

Digital evidence is circumstantial, which makes it difficult for a forensics investigator to trace the system’s activity. Identify the nature of digital evidence:

A

Fragile

26
Q

Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form”. What type of digital data contains system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, and command history?

A

Volatile data

27
Q

What type of digital data is used for secondary storage and persists long-term?

A

Non-volatile Data

28
Q

What type of digital data stores a document file on a computer when it is deleted and helps in the process of retrieving the file until that file space is reused?

A

Residual Data

29
Q

Rules of evidence govern whether, when, how, and for what purpose proof of a case may be placed before a trier of fact for consideration. In the Federal Rules of Evidence, which rule covers the admissibility of duplicates?

A

Rule 1003

30
Q

Different types of electronic devices are used for collecting potential evidence to investigate a forensic case. In which electronic device is evidence found in the address book, notes, appointment calendar, phone numbers, and email?

A

Digital Watches

31
Q

“Under no circumstances should anyone, with the exception of qualified computer forensic personnel, make any attempts to restore or recover information from a computer system or device that holds electronic information.” This statement is valid for what rule?

A

First response rule

32
Q

When collecting evidence, the collection should proceed from the most volatile to the least volatile. From the given list, identify which one of the following is the least volatile.

A

Archival media.

33
Q

Mike is a Computer Forensic Investigator. He was tasked by an organization to investigate a forensic case. When Mike arrived at the organization to investigate the scene, he found that the computer at the crime scene was switched off. In this scenario, what should Mike do?

A

He should leave the computer off.

34
Q

In a forensic investigation, all evidence collected should be marked as exhibits using the exhibit numbering format. The format of exhibit numbering is aaa/ddmmyy/nnnn/zz. What is the zz in the exhibit number format?

A

The sequence number for part of the same exhibit

35
Q

A Computer Forensic Lab (CFL) is a designated location for conducting computer-based investigation on collected evidence. Identify which one of the following is not a good consideration for the structural design of a forensic lab.

A

It must have windows in the exterior

36
Q

The study of equipment designed to meet human requirements of comfort without affecting efficiency is defined as:

A

Ergonomics

37
Q

Platters are the round flat magnetic metal or ceramic disks in the hard disk that hold the actual data. A concentric circular ring on both sides of each platter is known as a track. Track numbering starts from which number?

A

0

38
Q

Booting refers to the process of starting or resetting the operating system when the user turns on a computer system. A cold boot is a type of booting, defined as the process of starting a computer from a powered-down or off state. What is another name for a cold boot?

A

Hard Boot

39
Q

What information can be easily modified or lost when the system is shut down or rebooted?

A

Volatile information

40
Q

You can use the Windows built-in command line utility nbtstat to view the NetBIOS name table cache. Which nbtstat switch shows the NetBIOS name table?

A

Nbtstat -c

41
Q

A system’s audit policy is maintained in the Security hive, below the Policy\PolAdtEv key. Its default value is of the REG_NONE data type and contains binary information into which the audit policy is encoded. The first 4 bytes (DWORD) of the binary data indicate whether auditing was enabled. The value of the DWORD explains the status of the audit policy. What does the value 02 mean?

A

Failure events are audited

42
Q

Among Linux validation methods, dcfldd is designed for forensic data acquisition and has validation options integrated, i.e., hash and hashlog. What is the command used at the shell prompt to create an MD5 hash output file during dcfldd data acquisition?

A

dcfldd if=/dev/sda split=2M of=usbimg hash=md5 hashlog=usbhash.log

43
Q

File deletion is a way of removing a file from a computer's file system. Below is the series of events that occur when a file is deleted in Windows. Which event does not occur when the file is deleted?

A

Clusters in FAT are marked as used

44
Q

The process of examining acquired evidence is cyclical in nature and reflected in the relationship among the four panes of the EnCase interface. What pane represents a structured view of all gathered evidence in a Windows-like folder hierarchy?

A

Tree Pane

45
Q

A case is associated with a specific role, which is established by the administrator. The New Case wizard captures role and case settings. The New Case wizard displays the Role dialog box and the Case Options dialog box. “Once you select a role, you can change the role if needed.” True/False

A

False

46
Q

Entries include evidence and other file types containing digital evidence that are added to a case. EnCase applications support four classes of evidence-containing files. What file contains a collection of files but lacks the integration of metadata, compression, and hash values that the EnCase evidence file provides?

A

Raw Image Files

47
Q

Source Processor automates and streamlines common investigative tasks that collect, analyze, and report on evidence. What is the Source Processor module that obtains drives and memory from a target machine?

A

Acquisition Module

48
Q

What technique is used to hide a secret message within an ordinary message and extract it at the destination to maintain confidentiality of data?

A

Steganography

49
Q

What program tries every combination of characters until the password is cracked?

A

Brute Forcing Attacks

50
Q

David needs to recover lost files from a USB flash drive. What tool will help him?

A

DiskDigger - It can help recover files from hard drives, memory cards, and USB flash drives.

51
Q

Disk Editor tools for file headers include?

A

DiskEdit, Hex Workshop, and WinHex

52
Q

What tool can be used to restore emails?

A

Data Recovery Pro

53
Q

What tool can be used to dump password hashes from the SAM file?

A

PWdump7

54
Q

POP3 runs on what port?

A

110

55
Q

What are the three tiers of log management infrastructure?

A

Log monitoring, Log analysis/storage, and Log generation

56
Q

Sara wants to perform a deep scan that scans the entire system. What tool should she use?

A

Advanced Disk Recovery

57
Q

What Microsoft Exchange archive data file contains message headers, message text, and standard attachments?

A

PRIV.EDB

58
Q

What approach monitors a computer and user’s behavior for anomalies?

A

role-based

59
Q

What tool can be used to display details about GPT partition tables in Mac OS?

A

Disk Utility

60
Q

HFS+ uses?

A

b-tree structure to store data

61
Q

What are simple, sequential, flat files of a data set called?

A

Raw format

62
Q

In what stage of the Linux boot process is information retrieved from the CMOS chip?

A

BIOS

63
Q

What is a tool for Mac OS?

A

Disk Utility - Used to get details about GPT partition tables.

64
Q

Data Rescue 4 is what kind of tool?

A

A file recovery tool used for Mac.

65
Q

Lisa is investigating a phishing email attack at a company. She knows the first step in the email investigation process is what?

A

Obtaining a search warrant.

66
Q

Jason is an investigator with over 10 years of experience. He needs to find a tool that will help him recover a RAID drive. What tool can help him?

A

Total Recall

67
Q

John wants to root an Apple phone. What tool should he use?

A

RedSn0w

68
Q

In FAT, the first letter of the deleted file name is replaced with what?

A

E5H

69
Q

Jennifer needs to repair and recover bad disk sectors. What tool should she use?

A

Quick Recovery - Also works for files that are lost, deleted, corrupted, or deteriorated.

70
Q

In Windows 98 and earlier, deleted files are named in Dxy.ext format. What does the x stand for?

A

drive

71
Q

What command can be used to look for suspicious connections and the process ID?

A

netstat -anop

72
Q

What tool is known for providing quick and deep scanning?

A

Advanced Disk Recovery

73
Q

For Windows 2000, where are deleted files found?

A

C:\Recycler

74
Q

In Windows Server 2012 (IIS), log files are stored where?

A

%SystemDrive%\inetpub\Logs\LogFiles

75
Q

What tool recovers data and also protects it?

A

OnTrack Easy Recovery

76
Q

Sara is investigating an incident and needs to display information about all logged in sessions on a local Windows computer. What command should she use?

A

net session

77
Q

David needs a tool that contains an ISO image. He knows that _________ offers this.

A

Active@ File Recovery

78
Q

What tool offers an “Advanced Deep Scan” mode, that scours a drive to find any traces of files that have been deleted?

A

Recuva

79
Q

Roberta suspects the company’s network has been compromised. How can she look for unusual network services running?

A

net start

80
Q

You can check for the creation of new accounts in the administrator group with the ______ command.

A

lusrmgr.msc

81
Q

Tanisha wants to recover files with their original file name. She should use what tool to accomplish this?

A

Stellar Phoenix

82
Q

The nbtstat command can be used for what?

A

NetBIOS

83
Q

William needs a tool that can allow him to specify a specific file type for precise search results. What tool is this?

A

EaseUS

84
Q

Sally needs a tool that can support large hard disks. What should she use?

A

EaseUS

85
Q

Jose is an investigator with CyberNet, Inc and is investigating an incident. How does he check to see if sessions have been opened with other systems?

A

net use

86
Q

What tool can scan and recover encrypted and password-protected files?

A

Quick Recovery

87
Q

What tool offers a secure overwrite feature that meets military standards?

A

Recuva

88
Q

What tool supports RAW recovery on lost volumes?

A

Stellar Phoenix

89
Q

What tool can be used to recover lost data from RAID and hard drives?

A

Total Recall

90
Q

The insider threat caused a lot of chaos. Sally, the digital forensic investigator, needs a tool that can repair and recover disk bad sectors. What tool should she use?

A

Quick Recovery

91
Q

How can you find scheduled and unscheduled tasks on the local host?

A

schtasks.exe

92
Q

Sally is an investigator working for Diamond Corp. She needs to restore lost emails and their attachments. What tool should she use?

A

Data Recovery Pro

93
Q

Roberta is an investigator with DHS. She is at the scene and needs to locate and recover files deleted from an NTFS-formatted volume. What should she use?

A

Pandora Recovery

94
Q

What tool offers the ability to “preview data on the fly” and allows you to recover data even if Windows has been reinstalled?

A

Recover My Files

95
Q

What tool can recover files from a scratched CD?

A

File Salvage

96
Q

Jason needs to review file shares on the server. He knows that he can use what command to review file shares and ensure their purpose?

A

net view

97
Q

Johnny wants to use the tool that offers thumbnail previews. What tool should he choose?

A

DiskDigger

98
Q

A network administrator, with over 10 years of experience with Cisco systems, is trying to see if any TCP or UDP ports are listening unexpectedly. What command is she using?

A

netstat -na

99
Q

When a file is deleted in FAT, the first letter of the deleted filename is changed to what?

A

E5H