CHFI Online Study Notes Flashcards
What are the essential Windows system files?
Ntoskrnl.exe
Which of the following is NOT a disk editor tool to help view file headers and important information about a file?
Win Edit
Hex Workshop
Disk Edit
WinHex
Win Edit
Which LBA contains the GPT header?
LBA 1
Which of the following items is used to describe the characteristics of the file system information present on a given CD-ROM?
POSIX attribute
Track header
Boot sector
Volume descriptor
Volume descriptor
Which of the following is NOT an advantage of SSDs over HDDs? Higher reliability Non-volatile memory Faster data access Less power usage
Non-volatile memory
Which field type refers to the volume descriptor as a supplementary?
Number 2
What is a hard disk’s first sector that specifies the location of an operating system for the system to load into the main storage?
Master Boot Record
Which field type refers to the volume descriptor as a set terminator?
Number 255
Which of the following should be work area considerations for forensic labs?
Examiner station has an area of about 50–63 square feet.
Which of the following is a computer-created source of potential evidence?
Swap File
Forensic readiness refers to:
An organization’s ability to make optimal use of digital evidence in a limited period and with minimal investigation costs.
Which of the following Windows operating systems powers on and starts up using only the traditional BIOS-MBR method?
Windows Vista
Which of the following is a consideration of HDDs but not SSDs?
RPM Speed
Which item describes the following UEFI boot process phase? (The phase of EFI consisting of interpreting the boot configuration data, selecting the Boot Policy for later implementation, working with the prior phase to check if the device drivers require signature verification, loading either MBR boot code into memory for Legacy BIOS Boot or the Bootloader program from the EFI partition for UEFI Boot, and providing an option for the user to choose EFI Shell or an UEFI application as the Boot Device from the Setup.)
BDS (Boot Device Selection) Phase
Which of the following is NOT a common computer file system? EXT2 NTFS EFX3 FAT32
EFX3
What is the role of an expert witness?
To educate the public and court
Which of the following Federal Rules of Evidence ensures that the truth may be ascertained and the proceedings justly determined?
Rule 102
Which of the following is one of the five UEFI boot process phases?
BSD Phase
RT Phase
PAI Phase
PIE Phase
RT Phase
Which of the following describes when the user restarts the system via the operating system?
Warm Booting
What do GPTs use instead of the addressing used in modern MBRs?
LBA
Which of the following is a 128-bit unique number, generated by the Windows OS for identifying a specific device, document, database entry, or user?
Globally Unique Identifier (GUID)
The UEFI assigns how many bytes for the Partition Entry Array?
16,384
Which of the following is a user-created source of potential evidence?
Address Book
Which of the following should be physical location and structural design considerations for forensics labs?
Lab exteriors should have no windows.
Which item describes the following UEFI boot process phase? (The phase of EFI consisting of initializing the CPU, temporary memory, and boot firmware volume (BFV); locating and executing the chapters to initialize all the found hardware in the system; and creating a Hand-Off Block List with all found resources interface descriptors.)
PEI (Pre-EFI Initialization) Phase
Which file system for Linux transfers all tracks and boot images on a CD as normal files?
CDFS
On Macintosh computers, which architecture utilizes Open Firmware to initialize the hardware interfaces after the BootROM performs POST?
PowerPC
What replaces legacy BIOS firmware interfaces and uses a partition interfacing system to overcome the limitations of the MBR partitioning scheme?
UEFI (Unified Extensible Firmware Interface)
Which of the following is an advantage of the GPT disk layout?
GPT allows users to partition disks larger than 2 terabytes.
Which of the following is NOT part of the Computer Forensics Investigation Methodology?
Testify as an expert defendant.
Which of the following file systems are used for adding more descriptors to a CD-ROM’s file system sequence?
Joliet and UDF
Which of the following is TRUE of cybercrimes?
Investigators, with a warrant, have the authority to forcibly seize the computing devices.
Which commands help create MBR in Windows and DOS operating systems?
FDISK/MBR
Which of the following is a small piece of instruction in computer language, which the system loads into the BIOS and executes to initiate the system’s boot process?
Master Boot Code
Which logical drive holds the information regarding the data and files that are stored in the disk?
Extended Partition
Which cmdlet can investigators use in Windows PowerShell to analyze the GUID Partition Table to find the exact type of boot sector and display the partition object?
Get-PartitionTable
Which of the following basic partitioning tools displays details about GPT partition tables in Macintosh OS?
Disk Utility
How many tracks are typically contained on a platter of a 3.5″ HDD?
1,000
Under which of the following conditions will duplicate evidence NOT suffice?
When original evidence is in possession of the originator
Which field type in a volume descriptor refers to a boot record?
Number 0
Which of the following is NOT an objective of computer forensics?
Mitigate vulnerabilities to prevent further loss of intellectual property, finances, and reputation during an attack.
How many bytes is each partition entry in GPT?
128 Bytes
Which partition type designates the protective MBR from legacy MBR?
0xEE
Which cmdlet can investigators use in Windows PowerShell to analyze the GUID Partition Table data structure of the hard disk?
Get-GPT
How many bits are used by the MBR partition scheme for storing LBAs (Logical Block Addresses) and the size information on a 512-byte sector?
32
Under which of the following circumstances has a court of law allowed investigators to perform searches without a warrant?
Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process.
Which of the following Windows operating systems powers on and starts up using either the traditional BIOS-MBR method or the newer UEFI-GPT method?
Windows 8
Which of the following Federal Rules of Evidence states that the court shall restrict the evidence to its proper scope and instruct the jury accordingly?
Rule 105
What file format is used by Windows Vista and later versions to store event logs as simple text files in XML format?
EVTX
Which is NOT a valid type of digital evidence?
DNA Sample
What is a common technique used to distribute malware on the web by mimicking legitimate institutions in an attempt to steal passwords, credit cards, and bank account data?
Spear phishing sites
What is the primary information required for starting an email investigation?
The unique IP address
What is a common technique used to distribute malware on the web by injecting malware into legitimate-looking websites to trick users into selecting them?
Click-jacking
What is NOT a command used to determine logged-on users?
LoggedSessions
What is NOT one of the three tiers a log management infrastructure typically comprises?
Log Rotation
Where are deleted items stored on Windows Vista and later versions of Windows?
Drive:$Recycle.Bin
Which web application threat occurs when attackers bypass the client’s ID security mechanisms, gain access privileges, and inject malicious scripts into specific fields in web pages?
Cross-site scripting
What is a common technique used to distribute malware on the web when an attacker exploits flaws in browser software to install malware just by visiting a website?
Drive-by downloads
Which of the following stakeholders is responsible for making sure all the forensic activities are within the jurisdiction and not violating any regulations or agreements?
Law Advisors
Which web application threat occurs when an authenticated user is forced to perform certain tasks on the web application chosen by an attacker?
Cross-site request forgery
What prefetch does value 1 from the registry entry, EnablePrefetcher, tell the system to use?
Application prefetching is enabled.
Which of the three different files storing data and logs in SQL servers is optional?
NDF
What layer of web application architecture contains components that parse the request (HTTP Request Parser) coming in and forwards the response back?
Web server layer
Which is a threat to web applications?
Cookie poisoning
What layer of web application architecture is composed of cloud services which hold all commercial transactions and a server that supplies an organization’s production data in a structured form?
Database Layer
What is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards?
PCI DSS
Which is a violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act?
Retransmitting spam messages through a computer to mislead others about the origin of the message
Where can congressional security standards and guidelines be found, with an emphasis for federal agencies, for the development, documentation, and implementation of organization-wide programs for information security?
FISMA
Which is NOT an indication of a web attack?
Logs found to have no known anomalies
What must an investigator do in order to offer a good report to a court of law and ease the prosecution?
Preserve the evidence
Which of the following is NOT a digital data storage type?
Quantum storage devices
Which of the following is an internal network vulnerability?
Bottleneck
Which tool helps collect information about network connections operative in a Windows system?
NETSTAT
What is NOT true of email crimes?
Email crime is not limited by the email organization.
What cloud service offers application software to subscribers on demand or over the internet and is charged for by the provider on a pay-per-use basis, by subscription, by advertising, or by sharing among multiple users?
SaaS
Which is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples?
Volatility Framework
Which architectural layer of mobile device environments provides telephony services related to the mobile carrier operator such as making calls, receiving calls, and SMS?
Phone API
Which web application threat is a method intended to terminate website or server operations by making resources unavailable to clients?
Denial-of-service
Which is NOT a log management system function?
Log generation
What operating system was Android based on?
Linux
Which web application threat refers to a drawback in a web application where it unintentionally reveals sensitive data to an unauthorized user?
Information leakage
What is NOT a command used to determine open files?
Open files
Not to be confused with Openfiles
Which architectural layer of mobile device environments simplifies the process of interacting with web services and other applications such as email, the internet, and SMS?
Communication API
What cloud service enables subscribers to use fundamental IT resources, such as computing power, virtualization, data storage, network, etc., on demand?
IaaS
What is a cloud environment composed of two or more clouds that remain unique entities but are bound together to offer the benefits of multiple deployment models?
Hybrid cloud
Which web application threat refers to the modification of a website’s remnant data for bypassing security measures or gaining unauthorized information?
Cookie poisoning
What prefetch does value 3 from the registry entry, EnablePrefetcher, tell the system to use?
Both application and boot prefetching are enabled.
Which of the following includes security standards for health information?
HIPAA
What is NOT one of the three major concerns regarding log management?
Log viewing
What tool enables you to retrieve information about event logs and publishers in Windows 10?
Wevutil
Which cloud environment allows the provider to make services—such as applications, servers, and data storage—available to the public over the internet?
Public Cloud
Which architectural layer of mobile device environments contains items that are responsible for mobile operations such as a display device, a keypad, RAM, flash, an embedded processor, and a media processor?
Hardware
Which is a type of network-based attack?
Eavesdropping
Which web application threat occurs when attackers insert commands via input data and are able to tamper with the data?
SQL injection
Which of the following best describes flash memory?
Flash memory is a non-volatile, electronically erasable and reprogrammable storage medium.
Which of the following stakeholders is responsible for conducting forensic examinations against allegations made regarding wrongdoings, found vulnerabilities, and attacks over the cloud?
Investigators
Which web application threat refers to vulnerable management functions, including user updates, recovery of passwords, or resetting passwords?
Broken account management
What type of analysis do investigators perform to detect something that has already occurred in a network/device and determine what it is?
Postmortem
Smith, as a part of his forensic investigation assignment, seized a mobile device. He was asked to recover the Subscriber Identity Module (SIM card) data in the mobile device. Smith found that the SIM was protected by a Personal Identification Number (PIN) code, but he was also aware that people generally leave the PIN numbers to the defaults or use easily guessable numbers such as 1234. He made three unsuccessful attempts, which blocked the SIM card. What can Smith do in this scenario to reset the PIN and access SIM data?
He should ask the Network Operator for Personal Unlock Number (PUK) to gain access to the SIM
Sectors are pie-shaped regions on a hard disk that store data. Which of the following parts of a hard disk do not contribute to determining the addresses of data?
Interface
Which of the following standard represents a legal precedent set in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses’ testimony during federal legal proceedings?
Daubert
Which of the following examinations refers to the process of the witness being questioned by the attorney who called the latter to the stand?
Direct-Examination
Who is responsible for the following tasks?
• Secure the scene
• Ensure that it is maintained in a secure state until the Forensic Team arrives
• Make notes about the scene that will eventually be handed over to the Forensic Team
Non-forensics staff
Which of the following tool is used to locate IP addresses?
SmartWhois
Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in Windows 7 is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList
Which US law does the interstate or international transportation and receiving of child pornography fall under?
18 U.S. Code § 2252
ata is striped at a byte level across multiple drives, and parity information is distributed among all member drives. What RAID level is represented here?
RAID Level 5
