Preassessment attempt 1

Question 1

Which law requires both parties to consent to the recording of a conversation?

Electronic Communications Privacy Act (ECPA)

Communications Assistance to Law Enforcement Act (CALEA)

USA Patriot Act

Health Insurance Portability and Accountability Act (HIPAA)

Answer 1

Electronic Communications Privacy Act (ECPA)

Question 2

Which law is related to the disclosure of personally identifiable protected health information (PHI)?

Federal Privacy Act of 1974

Electronic Communications Privacy Act

Health Insurance Portability and Accountability Act (HIPAA)

CAN-SPAM Act

Answer 2

Health Insurance Portability and Accountability Act (HIPAA)

Question 3

Which U.S. law criminalizes the act of knowingly using a misleading domain name with the intent to deceive a minor into viewing harmful material?

18 U.S.C. 2252B

CAN-SPAM Act

Children’s Online Privacy Protection Act (COPPA)

Communications Decency Act

Answer 3

18 U.S.C. 2252B

Question 4

Which U.S. law protects journalists from turning over their work or sources to law enforcement before the information is shared with the public?

The Privacy Protection Act (PPA)

The Federal Privacy Act

The Communications Assistance to Law Enforcement Act (CALEA)

The Electronic Communications Privacy Act (ECPA)

Answer 4

The Privacy Protection Act (PPA)

Question 5

Which law or guideline lists the four states a mobile device can be in when data is extracted from it?

NIST SP 800-72 Guidelines

The USA Patriot Act

NIST SP 101r1 Guidelines

The Electronic Communications Privacy Act (ECPA)

Answer 5

NIST SP 800-72 Guidelines

Question 6

Which law includes a provision permitting the wiretapping of VoIP calls?

Communications Assistance to Law Enforcement Act (CALEA)

USA Patriot Act

Electronic Communications Privacy Act (ECPA)

Sarbanes-Oxley Act (SOX)

Answer 6

Communications Assistance to Law Enforcement Act (CALEA)

Question 7

Which policy is included in the CAN-SPAM Act?

The email sender must provide some mechanism whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out.

Whoever knowingly uses a misleading domain name on the Internet with the intent to deceive a person into viewing material constituting obscenity shall be fined or imprisoned not more than 2 years, or both.

Law enforcement officers may now intercept communications to and from the computer trespasser if they have reasonable grounds to believe that the trespasser’s communications will be relevant to the investigation.

A business can claim the business extension exemption only for monitoring by certain types of equipment; the recording must occur in the ordinary course of business.

Answer 7

The email sender must provide some mechanism whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out.

Question 8

Which United States law requires telecommunications equipment manufacturers to provide built-in surveillance capabilities for federal agencies?

Electronic Communication Privacy Act (ECPA)

Communication Assistance to Law Enforcement Act (CALEA)

Foreign Intelligence Surveillance Act (FISA)

USA Patriot Act

Answer 8

Communication Assistance to Law Enforcement Act (CALEA)

Question 9

Which law requires a search warrant or one of the recognized exceptions to the search warrant requirements for searching email messages on a computer?

The CAN-SPAM Act

The Fourth Amendment to the U.S. Constitution

USC 2252B

The Communication Assistance to Law Enforcement Act

Answer 9

The Fourth Amendment to the U.S. Constitution

Question 10

Where are local passwords stored for the Windows operating system?

SAM file in \Windows\System32\

SAM file in \Windows\Security\

In the registry key HKEY_LOCAL_MACHINE\SYSTEM

In the registry key HKEY_LOCAL_MAHCINE\SECURITY

Answer 10

SAM file in \Windows\System32\

Question 11

Where on a Windows system is the config folder located that contains the SAM file?

C:\Windows\System32

C:\Windows\SystemResources

C:\Program Files

C:\Users

Answer 11

C:\Windows\System32

Question 12

A forensic examiner wants to try to extract passwords for wireless networks to which a system was connected.

Where should passwords for wireless networks be stored on a Windows XP system?

BIOS

Registry

Program Files

Bash

Answer 12

Registry

Question 13

Which Windows password cracking tool uses rainbow tables?

Ophcrack

ComputerCOP

Sleuth Kit

Digital Intelligence

Answer 13

Ophcrack

Question 14

How does a rainbow table work to crack a password?

It uses a table of all possible keyboard combinations and their hash values, then searches for a match.

It uses a table to store hash value for every character in the alphabet, then assembles them to create a match.

It starts with a hashed password and then decrypts each individual character.

It searches for passwords stored in RAM and startup files and then matches them to the predefined table.

Answer 14

It uses a table of all possible keyboard combinations and their hash values, then searches for a match.

Question 15

What should a forensic investigator use to gather the most reliable routing information for tracking an email message?

Email header

Email address

Tracert

Netstat

Answer 15

Email header

Question 16

Which activity involves email tracing?

Determining the ownership of the source email server

Making bit-by-bit copies of each of the email servers involved

Performing nslookup on the recipient of the message

Removing email header information

Answer 16

Determining the ownership of the source email server

Question 17

A forensic examiner reviews a laptop running OS X which has been compromised. The examiner wants to know if there were any mounted volumes created from USB drives.

Which digital evidence should be reviewed?

/var/log

/var/vm

/Users/<user>/.bash_history</user>

/Users/<user>/Library/Preferences</user>

Answer 17

/var/log

Question 18

Which log or folder contains information about printed documents on a computer running Mac OS X?

/var/spool/cups

/var/log

/var/vm

/var/log/lpr.log

Answer 18

/var/spool/cups

Question 19

Which Windows event log should be checked for evidence of invalid logon attempts?

Security

System

Application

ForwardedEvents

Answer 19

Security

Question 20

A cyber security organization has issued a warning about a cybercriminal who is using a known vulnerability to attack unpatched corporate Macintosh systems. A network administrator decides to examine the software updates logs on a Macintosh system to ensure the system has been patched.

Which folder contains the software updates logs?

/Library/Receipts

/var/spool/cups

/proc

/var/log

Answer 20

/Library/Receipts

Question 21

A forensic investigator wants to image an older BlackBerry smartphone running OS 7.0.

Which tool should the investigator use?

BlackBerry Desktop Manager

BlackBerry Extractor

CopyQM Plus

The Sleuth Kit

Answer 21

BlackBerry Desktop Manager

Question 22

An investigator wants to extract information from a mobile device by connecting it to a computer.

What should the investigator take great care to ensure?

That the mobile device does not synchronize with the computer

That the mobile device is updated with the latest operating system

That proper step information is written to the mobile device

That current time stamps of forensics activities are written to the device

Answer 22

That the mobile device does not synchronize with the computer

Question 23

Which state is a device in if it is powered on, performing tasks, and able to be manipulated by the user?

Active

Nascent

Quiescent

Guest-mode

Answer 23

Active

Question 24

The chief information officer of an accounting firm believes sensitive data is being exposed on the local network.

Which tool should the IT staff use to gather digital evidence about this security vulnerability?

Sniffer

Tracer

Disk analyzer

Virus scanner

Answer 24

Sniffer

Question 25

A police detective investigating a threat traces the source to a house. The couple at the house shows the detective the only computer the family owns, which is in their son’s bedroom. The couple states that their son is presently in class at a local middle school.

How should the detective legally gain access to the computer?

Obtain consent to search from the parents

Seize the computer under the USA Patriot Act

Seize the computer under the Computer Security Act

Obtain a search warrant from the police

Answer 25

Obtain consent to search from the parents

Question 26

How should a forensic scientist obtain the network configuration from a Windows PC before seizing it from a crime scene?

By using the ipconfig command from a command prompt on the computer

By using the tracert command from a command prompt on the computer

By installing a network packet sniffer on the computer

By logging into the router to which the PC is connected

Answer 26

By using the ipconfig command from a command prompt on the computer

Question 27

The human resources manager of a small accounting firm believes he may have been a victim of a phishing scam. The manager clicked on a link in an email message that asked him to verify the logon credentials for the firm’s online bank account.

Which digital evidence should a forensic investigator collect to investigate this incident?

Browser cache

Security log

System log

Disk cache

Answer 27

Browser cache

Question 28

After a company’s single-purpose, dedicated messaging server is hacked by a cybercriminal, a forensics expert is hired to investigate the crime and collect evidence.

Which digital evidence should be collected?

Firewall logs

Workstation logs

Phishing emails

Spam messages

Answer 28

Firewall logs

Question 29

Thomas received an email stating that he needed to follow a link and verify his bank account information to ensure it was secure. Shortly after following the instructions, Thomas noticed money was missing from his account.

Which digital evidence should be considered to determine how Thomas’ account information was compromised?

Flash drive contents

Social media accounts

Email messages

Router logs

Answer 29

Email messages

Question 30

The chief executive officer (CEO) of a small computer company has identified a potential hacking attack from an outside competitor.

Which type of evidence should a forensics investigator use to identify the source of the hack?

Browser history

Email headers

Network transaction logs

Disk drive backups

Answer 30

Network transaction logs

Question 31

A forensic scientist arrives at a crime scene to begin collecting evidence.

What is the first thing the forensic scientist should do?

Photograph all evidence in its original place

Unplug all network connections so data cannot be deleted remotely

Turn off the power to the entire area being examined

Gather up all physical evidence and move it out as quickly as possible

Answer 31

Photograph all evidence in its original place

Question 32

Which method of copying digital evidence ensures proper evidence collection?

Make the copy at the bit-level

Copy files using drag and drop

Make the copy using file transfer

Copy the logical partitions

Answer 32

Make the copy at the bit-level

Question 33

A computer involved in a crime is infected with malware. The computer is on and connected to the company’s network. The forensic investigator arrives at the scene.

Which action should be the investigator’s first step?

Unplug the computer’s Ethernet cable.

Unplug the computer’s power cord.

Remove the malware and secure the computer.

Label all the attachments and secure the computer.

Answer 33

Unplug the computer’s Ethernet cable.

Question 34

What are the three basic tasks that a systems forensic specialist must keep in mind when handling evidence during a cybercrime investigation?

Answer options may be used more than once or not at all. Select your answers from the pull-down list.

Find evidence

Catalog evidence

Disseminate evidence

Preserve evidence

Prepare evidence

Prepare evidence report

Make multiple copies of evidence

Answer 34

Find evidence
Preserve evidence
Prepare evidence

Question 35

How do forensic specialists show that digital evidence was handled in a protected, secure manner during the process of collecting and analyzing the evidence?

Forensic lab logbooks

Chain of custody

Forensic software logs

Chain of email messages

Answer 35

Chain of custody

Question 36

Which characteristic applies to magnetic drives compared to solid-state drives (SSDs)?

Lower cost

Lower capacity

Lower power consumption

Better durability

Answer 36

Lower cost

Question 37

Which characteristic applies to solid-state drives (SSDs) compared to magnetic drives?

They are less susceptible to damage.

They cost less.

They have slower start-up times.

They use more power.

Answer 37

They are less susceptible to damage.

Question 38

Which type of storage format should be transported in a special bag to reduce electrostatic interference?

Solid-state drives

Optical media

Digital audio tapes

Magnetic media

Answer 38

Magnetic media

Question 39

Which Windows component is responsible for reading the boot.ini file and displaying the boot loader menu on Windows XP during the boot process?

NTLDR

NTOSKRNL

Windows Registry

Win32 subsystem

Answer 39

NTLDR

Question 40

The following line of code is an example of how to make a forensic copy of a suspect drive:

dd if=/dev/mem of=/evidence/image.memory1

Which operating system should be used to run this command?

Windows

Chrome

BlackBerry

Linux

Answer 40

Linux

Question 41

Which file system is supported by Mac?

Berkeley Fast File System (FFS)

Extended File System (Ext)

Reiser File System (ReiserFS)

Hierarchical File System Plus (HFS+)

Answer 41

Hierarchical File System Plus (HFS+)

Question 42

What is one purpose of steganography?

To deliver information secretly

To alter the color of a photo

To decipher encrypted messages

To prevent images from being edited

Answer 42

To deliver information secretly

Question 43

Which method is used to implement steganography through pictures?

LSB

MD5

3DES

ROT13

Answer 43

LSB

Question 44

The chief information security officer of a company believes that an attacker has infiltrated the company’s network and is using steganography to communicate with external sources. A security team is investigating the incident. They are told to start by focusing on the core elements of steganography.

What are the core elements of steganography?

Process, intelligence, mobility

Telemetry, cryptography, multiplexing

Payload, carrier, channel

Transport, network, data link

Answer 44

Payload, carrier, channel

Question 45

A system administrator believes data are being leaked from the organization. The administrator decides to use steganography to hide tracking information in the types of files he thinks are being leaked.

Which steganographic term describes this tracking information?

Payload

Carrier

Channel

Audit

Answer 45

Payload

Question 46

A criminal organization has compromised a third-party web server and is using it to control a botnet. The botnet server hides command and control messages through the DNS protocol.

Which steganographic component are the command and control messages?

Payload

Carrier

Channel

Dead drop

Answer 46

Payload

Question 47

Which method is commonly used to hide data via steganography?

LSB

AES

DES

RSA

Answer 47

LSB

Question 48

A system administrator believes an employee is leaking information to a competitor by hiding confidential data in images being attached to outgoing emails. The administrator has captured the outgoing emails.

Which tool should the forensic investigator use to search for the hidden data in the images?

Forensic Toolkit (FTK)

Snow

Data Doctor

Wolf

Answer 48

Forensic Toolkit (FTK)

Question 49

A foreign government is communicating with its agents in the U.S. by hiding text messages in popular American songs, which are uploaded to the web.

Which steganographic tool can be used to do this?

MP3Stego

QuickStego

Steganophony

Snow

Answer 49

MP3Stego

Question 50

During a cyber-forensics investigation, a USB drive was found that contained multiple pictures of the same flower.

How should an investigator use properties of a file to detect steganography?

Compare the file extensions using a tool such as Windows Explorer

Process the file using SHA-1 to generate a new hash value to compare using a tool such as FTK

Review the properties log looking for changes compared to the original file using a tool such as EnCase

Review the hexadecimal code looking for anomalies in the file headers and endings using a tool such as EnCase

Answer 50

Review the hexadecimal code looking for anomalies in the file headers and endings using a tool such as EnCase