CHFI Online Study Notes

Question 1

What are the essential Windows system files?

Answer 1

Ntoskrnl.exe

Question 2

Which of the following is NOT a disk editor tool to help view file headers and important information about a file?

Win Edit
Hex Workshop
Disk Edit
WinHex

Answer 2

Win Edit

Question 3

Which LBA contains the GPT header?

Answer 3

LBA 1

Question 4

Which of the following items is used to describe the characteristics of the file system information present on a given CD-ROM?

POSIX attribute
Track header
Boot sector
Volume descriptor

Answer 4

Volume descriptor

Question 5

Which of the following is NOT an advantage of SSDs over HDDs?
Higher reliability
Non-volatile memory
Faster data access
Less power usage

Answer 5

Non-volatile memory

Question 6

Which field type refers to the volume descriptor as a supplementary?

Answer 6

Number 2

Question 7

What is a hard disk’s first sector that specifies the location of an operating system for the system to load into the main storage?

Answer 7

Master Boot Record

Question 8

Which field type refers to the volume descriptor as a set terminator?

Answer 8

Number 255

Question 9

Which of the following should be work area considerations for forensic labs?

Answer 9

Examiner station has an area of about 50–63 square feet.

Question 10

Which of the following is a computer-created source of potential evidence?

Answer 10

Swap File

Question 11

Forensic readiness refers to:

Answer 11

An organization’s ability to make optimal use of digital evidence in a limited period and with minimal investigation costs.

Question 12

Which of the following Windows operating systems powers on and starts up using only the traditional BIOS-MBR method?

Answer 12

Windows Vista

Question 13

Which of the following is a consideration of HDDs but not SSDs?

Answer 13

RPM Speed

Question 14

Which item describes the following UEFI boot process phase? (The phase of EFI consisting of interpreting the boot configuration data, selecting the Boot Policy for later implementation, working with the prior phase to check if the device drivers require signature verification, loading either MBR boot code into memory for Legacy BIOS Boot or the Bootloader program from the EFI partition for UEFI Boot, and providing an option for the user to choose EFI Shell or an UEFI application as the Boot Device from the Setup.)

Answer 14

BDS (Boot Device Selection) Phase

Question 15

Which of the following is NOT a common computer file system?
EXT2
NTFS
EFX3
FAT32

Answer 15

EFX3

Question 16

What is the role of an expert witness?

Answer 16

To educate the public and court

Question 17

Which of the following Federal Rules of Evidence ensures that the truth may be ascertained and the proceedings justly determined?

Answer 17

Rule 102

Question 18

Which of the following is one of the five UEFI boot process phases?

BSD Phase
RT Phase
PAI Phase
PIE Phase

Answer 18

RT Phase

Question 19

Which of the following describes when the user restarts the system via the operating system?

Answer 19

Warm Booting

Question 20

What do GPTs use instead of the addressing used in modern MBRs?

Answer 20

LBA

Question 21

Which of the following is a 128-bit unique number, generated by the Windows OS for identifying a specific device, document, database entry, or user?

Answer 21

Globally Unique Identifier (GUID)

Question 22

The UEFI assigns how many bytes for the Partition Entry Array?

Answer 22

16,384

Question 23

Which of the following is a user-created source of potential evidence?

Answer 23

Address Book

Question 24

Which of the following should be physical location and structural design considerations for forensics labs?

Answer 24

Lab exteriors should have no windows.

Question 25

Which item describes the following UEFI boot process phase? (The phase of EFI consisting of initializing the CPU, temporary memory, and boot firmware volume (BFV); locating and executing the chapters to initialize all the found hardware in the system; and creating a Hand-Off Block List with all found resources interface descriptors.)

Answer 25

PEI (Pre-EFI Initialization) Phase

Question 26

Which file system for Linux transfers all tracks and boot images on a CD as normal files?

Answer 26

CDFS

Question 27

On Macintosh computers, which architecture utilizes Open Firmware to initialize the hardware interfaces after the BootROM performs POST?

Answer 27

PowerPC

Question 28

What replaces legacy BIOS firmware interfaces and uses a partition interfacing system to overcome the limitations of the MBR partitioning scheme?

Answer 28

UEFI (Unified Extensible Firmware Interface)

Question 29

Which of the following is an advantage of the GPT disk layout?

Answer 29

GPT allows users to partition disks larger than 2 terabytes.

Question 30

Which of the following is NOT part of the Computer Forensics Investigation Methodology?

Answer 30

Testify as an expert defendant.

Question 31

Which of the following file systems are used for adding more descriptors to a CD-ROM’s file system sequence?

Answer 31

Joliet and UDF

Question 32

Which of the following is TRUE of cybercrimes?

Answer 32

Investigators, with a warrant, have the authority to forcibly seize the computing devices.

Question 33

Which commands help create MBR in Windows and DOS operating systems?

Answer 33

FDISK/MBR

Question 34

Which of the following is a small piece of instruction in computer language, which the system loads into the BIOS and executes to initiate the system’s boot process?

Answer 34

Master Boot Code

Question 35

Which logical drive holds the information regarding the data and files that are stored in the disk?

Answer 35

Extended Partition

Question 36

Which cmdlet can investigators use in Windows PowerShell to analyze the GUID Partition Table to find the exact type of boot sector and display the partition object?

Answer 36

Get-PartitionTable

Question 37

Which of the following basic partitioning tools displays details about GPT partition tables in Macintosh OS?

Answer 37

Disk Utility

Question 38

How many tracks are typically contained on a platter of a 3.5″ HDD?

Answer 38

1,000

Question 39

Under which of the following conditions will duplicate evidence NOT suffice?

Answer 39

When original evidence is in possession of the originator

Question 40

Which field type in a volume descriptor refers to a boot record?

Answer 40

Number 0

Question 41

Which of the following is NOT an objective of computer forensics?

Answer 41

Mitigate vulnerabilities to prevent further loss of intellectual property, finances, and reputation during an attack.

Question 42

How many bytes is each partition entry in GPT?

Answer 42

128 Bytes

Question 43

Which partition type designates the protective MBR from legacy MBR?

Answer 43

0xEE

Question 44

Which cmdlet can investigators use in Windows PowerShell to analyze the GUID Partition Table data structure of the hard disk?

Answer 44

Get-GPT

Question 45

How many bits are used by the MBR partition scheme for storing LBAs (Logical Block Addresses) and the size information on a 512-byte sector?

Answer 45

32

Question 46

Under which of the following circumstances has a court of law allowed investigators to perform searches without a warrant?

Answer 46

Delay in obtaining a warrant may lead to the destruction of evidence and hamper the investigation process.

Question 47

Which of the following Windows operating systems powers on and starts up using either the traditional BIOS-MBR method or the newer UEFI-GPT method?

Answer 47

Windows 8

Question 48

Which of the following Federal Rules of Evidence states that the court shall restrict the evidence to its proper scope and instruct the jury accordingly?

Answer 48

Rule 105

Question 49

What file format is used by Windows Vista and later versions to store event logs as simple text files in XML format?

Answer 49

EVTX

Question 50

Which is NOT a valid type of digital evidence?

Answer 50

DNA Sample

Question 51

What is a common technique used to distribute malware on the web by mimicking legitimate institutions in an attempt to steal passwords, credit cards, and bank account data?

Answer 51

Spear phishing sites

Question 52

What is the primary information required for starting an email investigation?

Answer 52

The unique IP address

Question 53

What is a common technique used to distribute malware on the web by injecting malware into legitimate-looking websites to trick users into selecting them?

Answer 53

Click-jacking

Question 54

What is NOT a command used to determine logged-on users?

Answer 54

LoggedSessions

Question 55

What is NOT one of the three tiers a log management infrastructure typically comprises?

Answer 55

Log Rotation

Question 56

Where are deleted items stored on Windows Vista and later versions of Windows?

Answer 56

Drive:$Recycle.Bin

Question 57

Which web application threat occurs when attackers bypass the client’s ID security mechanisms, gain access privileges, and inject malicious scripts into specific fields in web pages?

Answer 57

Cross-site scripting

Question 58

What is a common technique used to distribute malware on the web when an attacker exploits flaws in browser software to install malware just by visiting a website?

Answer 58

Drive-by downloads

Question 59

Which of the following stakeholders is responsible for making sure all the forensic activities are within the jurisdiction and not violating any regulations or agreements?

Answer 59

Law Advisors

Question 60

Which web application threat occurs when an authenticated user is forced to perform certain tasks on the web application chosen by an attacker?

Answer 60

Cross-site request forgery

Question 61

What prefetch does value 1 from the registry entry, EnablePrefetcher, tell the system to use?

Answer 61

Application prefetching is enabled.

Question 62

Which of the three different files storing data and logs in SQL servers is optional?

Answer 62

NDF

Question 63

What layer of web application architecture contains components that parse the request (HTTP Request Parser) coming in and forwards the response back?

Answer 63

Web server layer

Question 64

Which is a threat to web applications?

Answer 64

Cookie poisoning

Question 65

What layer of web application architecture is composed of cloud services which hold all commercial transactions and a server that supplies an organization’s production data in a structured form?

Answer 65

Database Layer

Question 66

What is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards?

Answer 66

PCI DSS

Question 67

Which is a violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act?

Answer 67

Retransmitting spam messages through a computer to mislead others about the origin of the message

Question 68

Where can congressional security standards and guidelines be found, with an emphasis for federal agencies, for the development, documentation, and implementation of organization-wide programs for information security?

Answer 68

FISMA

Question 69

Which is NOT an indication of a web attack?

Answer 69

Logs found to have no known anomalies

Question 70

What must an investigator do in order to offer a good report to a court of law and ease the prosecution?

Answer 70

Preserve the evidence

Question 71

Which of the following is NOT a digital data storage type?

Answer 71

Quantum storage devices

Question 72

Which of the following is an internal network vulnerability?

Answer 72

Bottleneck

Question 73

Which tool helps collect information about network connections operative in a Windows system?

Answer 73

NETSTAT

Question 74

What is NOT true of email crimes?

Answer 74

Email crime is not limited by the email organization.

Question 75

What cloud service offers application software to subscribers on demand or over the internet and is charged for by the provider on a pay-per-use basis, by subscription, by advertising, or by sharing among multiple users?

Answer 75

SaaS

Question 76

Which is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples?

Answer 76

Volatility Framework

Question 77

Which architectural layer of mobile device environments provides telephony services related to the mobile carrier operator such as making calls, receiving calls, and SMS?

Answer 77

Phone API

Question 78

Which web application threat is a method intended to terminate website or server operations by making resources unavailable to clients?

Answer 78

Denial-of-service

Question 79

Which is NOT a log management system function?

Answer 79

Log generation

Question 80

What operating system was Android based on?

Answer 80

Linux

Question 81

Which web application threat refers to a drawback in a web application where it unintentionally reveals sensitive data to an unauthorized user?

Answer 81

Information leakage

Question 82

What is NOT a command used to determine open files?

Answer 82

Open files

Not to be confused with Openfiles

Question 83

Which architectural layer of mobile device environments simplifies the process of interacting with web services and other applications such as email, the internet, and SMS?

Answer 83

Communication API

Question 84

What cloud service enables subscribers to use fundamental IT resources, such as computing power, virtualization, data storage, network, etc., on demand?

Answer 84

IaaS

Question 85

What is a cloud environment composed of two or more clouds that remain unique entities but are bound together to offer the benefits of multiple deployment models?

Answer 85

Hybrid cloud

Question 86

Which web application threat refers to the modification of a website’s remnant data for bypassing security measures or gaining unauthorized information?

Answer 86

Cookie poisoning

Question 87

What prefetch does value 3 from the registry entry, EnablePrefetcher, tell the system to use?

Answer 87

Both application and boot prefetching are enabled.

Question 88

Which of the following includes security standards for health information?

Answer 88

HIPAA

Question 89

What is NOT one of the three major concerns regarding log management?

Answer 89

Log viewing

Question 90

What tool enables you to retrieve information about event logs and publishers in Windows 10?

Answer 90

Wevutil

Question 91

Which cloud environment allows the provider to make services—such as applications, servers, and data storage—available to the public over the internet?

Answer 91

Public Cloud

Question 92

Which architectural layer of mobile device environments contains items that are responsible for mobile operations such as a display device, a keypad, RAM, flash, an embedded processor, and a media processor?

Answer 92

Hardware

Question 93

Which is a type of network-based attack?

Answer 93

Eavesdropping

Question 94

Which web application threat occurs when attackers insert commands via input data and are able to tamper with the data?

Answer 94

SQL injection

Question 95

Which of the following best describes flash memory?

Answer 95

Flash memory is a non-volatile, electronically erasable and reprogrammable storage medium.

Question 96

Which of the following stakeholders is responsible for conducting forensic examinations against allegations made regarding wrongdoings, found vulnerabilities, and attacks over the cloud?

Answer 96

Investigators

Question 97

Which web application threat refers to vulnerable management functions, including user updates, recovery of passwords, or resetting passwords?

Answer 97

Broken account management

Question 98

What type of analysis do investigators perform to detect something that has already occurred in a network/device and determine what it is?

Answer 98

Postmortem

Question 99

Smith, as a part of his forensic investigation assignment, seized a mobile device. He was asked to recover the Subscriber Identity Module (SIM card) data in the mobile device. Smith found that the SIM was protected by a Personal Identification Number (PIN) code, but he was also aware that people generally leave the PIN numbers to the defaults or use easily guessable numbers such as 1234. He made three unsuccessful attempts, which blocked the SIM card. What can Smith do in this scenario to reset the PIN and access SIM data?

Answer 99

He should ask the Network Operator for Personal Unlock Number (PUK) to gain access to the SIM

Question 100

Sectors are pie-shaped regions on a hard disk that store data. Which of the following parts of a hard disk do not contribute to determining the addresses of data?

Answer 100

Interface

Question 101

Which of the following standard represents a legal precedent set in 1993 by the Supreme Court of the United States regarding the admissibility of expert witnesses’ testimony during federal legal proceedings?

Answer 101

Daubert

Question 102

Which of the following examinations refers to the process of the witness being questioned by the attorney who called the latter to the stand?

Answer 102

Direct-Examination

Question 103

Who is responsible for the following tasks?
• Secure the scene
• Ensure that it is maintained in a secure state until the Forensic Team arrives
• Make notes about the scene that will eventually be handed over to the Forensic Team

Answer 103

Non-forensics staff

Question 104

Which of the following tool is used to locate IP addresses?

Answer 104

SmartWhois

Question 105

Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in Windows 7 is:

Answer 105

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList

Question 106

Which US law does the interstate or international transportation and receiving of child pornography fall under?

Answer 106

18 U.S. Code § 2252

Question 107

ata is striped at a byte level across multiple drives, and parity information is distributed among all member drives. What RAID level is represented here?

Answer 107

RAID Level 5