PT Flashcards
A software company suspects that employees have set up automatic corporate email forwarding to their personal inboxes against company policy. The company hires forensic investigators to identify the employees violating policy, with the intention of issuing warnings to them.
Which type of cybercrime investigation approach is this company taking?
Civil
Criminal
Administrative
Punitive
Administrative
Which model or legislation applies a holistic approach toward any criminal activity as a criminal operation?
Enterprise Theory of Investigation
Racketeer Influenced and Corrupt Organizations Act
Evidence Examination
Law Enforcement Cyber Incident Reporting
Enterprise Theory of Investigation
What does a forensic investigator need to obtain before seizing a computing device in a criminal case?
Court warrant
Completed crime report
Chain of custody document
Plaintiff’s permission
Court warrant
Which activity should be used to check whether an application has ever been installed on a computer?
Penetration test
Risk analysis
Log review
Security review
Log review
Which characteristic describes an organization’s forensic readiness in the context of cybercrimes?
It includes moral considerations.
It includes cost considerations.
It excludes nontechnical actions.
It excludes technical actions.
It includes cost considerations.
A cybercrime investigator identifies a Universal Serial Bus (USB) memory stick containing emails as a primary piece of evidence.
Who must sign the chain of custody document once the USB stick is in evidence?
Those who obtain access to the device
Anyone who has ever used the device
Recipients of emails on the device
Authors of emails on the device
Those who obtain access to the device
Which type of attack is a denial-of-service technique that sends a large amount of data to overwhelm system resources?
Phishing
Spamming
Mail bombing
Bluejacking
Mail bombing
Which computer crime forensics step requires an investigator to duplicate and image the collected digital information?
Securing evidence
Acquiring data
Analyzing data
Assessing evidence
Acquiring data
What is the last step of a criminal investigation that requires the involvement of a computer forensic investigator?
Analyzing the data collected
Testifying in court
Assessing the evidence
Performing search and seizure
Testifying in court
How can a forensic investigator verify an Android mobile device is on, without potentially changing the original evidence or interacting with the operating system?
Check to see if it is plugged into a computer
Tap the screen multiple times
Look for flashing lights
Hold down the power button
Look for flashing lights
What should a forensic investigator use to protect a mobile device if a Faraday bag is not available?
Aluminum foil
Sturdy container
Cardboard box
Bubble wrap
Aluminum foil
Which criterion determines whether a technology used by government to obtain information in a computer search is considered innovative and requires a search warrant?
Availability to the general public
Dependency on third-party software
Implementation based on open source software
Use of cloud-based machine learning
Availability to the general public
Which situation allows a law enforcement officer to seize a hard drive from a residence without obtaining a search warrant?
The computer is left unattended.
The front door is wide open.
The occupant is acting suspicious.
The evidence is in imminent danger.
The evidence is in imminent danger.
Which legal document contains a summary of findings and is used to prosecute?
Investigation report
Search warrant
Search and seizure
Chain of custody
Investigation report
What should an investigator use to prevent any signals from reaching a mobile phone?
Faraday bag
Dry bag
Anti-static container
Lock box
Faraday bag
A forensic investigator is called to the stand as a technical witness in an internet payment fraud case.
Which behavior is considered ethical by this investigator while testifying?
Providing and explaining facts found during the investigation
Interpreting the findings and offering a clear opinion to the jury
Helping the jury arrive at a conclusion based on the facts
Assisting the attorney in compiling a list of essential questions
Providing and explaining facts found during the investigation
A government agent is testifying in a case involving malware on a system.
What should this agent have complied with during search and seizure?
Fourth Amendment
Stored Communications Act
Net Neutrality Bill
Federal Rules of Evidence
Fourth Amendment
Which method is used when an investigator has access to the plaintext and an image file with the hidden information?
Stego-only
Known-stego
Known-message
Chosen-message
Known-message
Which method is used when an investigator takes a plaintext message, uses various tools against it, and finds the algorithm used to hide information?
Stego-only
Known-stego
Known-message
Chosen-message
Chosen-message
Which operating system is targeted by the DaveGrohl password cracker?
Linux
OS X
UNIX
Windows
OS X
Which password cracker is used to recover passwords on an OS X operating system?
Cain and Abel
DaveGrohl
L0phtCrack
Ophcrack
DaveGrohl
Which tool allows a forensic investigator to process Transmission Control Protocol (TCP) streams for analysis of malicious traffic?
Kibana
OSSEC
Syslog-ng
Wireshark
Wireshark
Which tool allows an investigator to review or process information in a Windows environment but does not rely on the Windows API?
EnCase
netstat
dd
LogMeister
EnCase
A computer forensic investigator finds an unauthorized wireless access point connected to an organization’s network switch. This access point’s wireless network has a random name with a hidden service set identifier (SSID).
What is this set-up designed to do?
Create a backdoor that a perpetrator can use by connecting wirelessly to the network
Jam the wireless signals to stop all legitimate traffic from using the wireless network
Activate the wireless cards in the laptops of victims to gain access to their data and network
Transmit high-power signals that force users to connect to the rogue wireless network
Create a backdoor that a perpetrator can use by connecting wirelessly to the network
Which web-based application attack corrupts the execution stack of a web application?
Buffer overflow
Cookie poisoning
SQL injection
Denial-of-service
Buffer overflow
An employee is accused of sending a threatening email through Microsoft Exchange.
Which file extension should the investigator search for to find the archived message on the server?
.DB
.NSF
.PST
.EDB
.EDB
Investigators do not have physical access to the computer of the victim of an email crime.
Which task should these investigators instruct the victim to perform in order to identify the sending email server?
Provide the email body
Provide the email header
Run Aid4Mail Email Forensics
Run Email Address Verifier
Provide the email header
Which tool should a forensic investigator use on a Windows computer to locate all the data on a computer disk, protect evidence, and create evidentiary reports for use in legal proceedings?
Wireshark
OmniPeek
ProDiscover
Capsa
ProDiscover
What is the purpose of hashing tools during data acquisition?
Dumping the original RAM contents to a forensically sterile removable device
Enabling write protection on the original media to preserve the original evidence
Validating the collected digital evidence by comparing the original and copied file message digests
Creating a replica of the original source to prevent the inadvertent alteration of the original
Validating the collected digital evidence by comparing the original and copied file message digests
Which software-based tool is used to prevent writes to storage devices on a computer?
CRU WiebeTech
ILook Investigator
SAFE Block
USB WriteBlocker
SAFE Block
Which tool should a forensic team use to research unauthorized changes in a database?
ApexSQL DBA
Gargoyle Investigator Forensic Pro
LSASecretsView
RSA NetWitness Investigator
ApexSQL DBA
Which graphical tool should investigators use to identify publicly available information about a public IP address?
AWStats
GoAccess
SmartWhois
NsLookup
SmartWhois
Which tool is used to search and analyze PC messaging logs?
Chat Stick
File Viewer
SnowBatch
Zamzar
Chat Stick
Which forensic tool allows an investigator to acquire database files for analysis from a mobile device?
Andriller
Volatility
WinDump
Tripwire
Andriller
Which anti-forensic defense technique allows a forensic investigator to determine if the system’s kernel is compromised?
Performing a brute-force attack
Conducting steganalysis
Performing BIOS bypass
Conducting rootkit detection
Conducting rootkit detection
Which anti-forensic defense technique allows a forensic investigator to gain access to files protected with Encrypting File System (EFS)?
Installing a recovery certificate
Detecting hosts in promiscuous mode
Performing BIOS bypass
Conducting rootkit detection
Installing a recovery certificate
Which anti-forensic defense technique allows a forensic investigator to reset the firmware in order to access the operating system?
Install a recovery certificate
Detect hosts in promiscuous mode
Perform BIOS password bypass
Conduct rootkit detection
Perform BIOS password bypass
A software company has a data breach and hires a forensic expert to examine event and intrusion detection logs on its Linux servers. The investigator finds a suspicious user ID and wants to track all events of that user.
Which command should this forensic expert use?
ausearch
dd
readelf
cron
ausearch
A forensic investigator receives dozens of log-in failure events within a few minutes. A security attack event is generated.
What is the goal when performing event correlation?
Data aggregation
Content reduction
Explorative data analysis
Root cause identification
Root cause identification
A computer forensic investigator is preparing an affidavit statement.
Which type of report should this investigator prepare?
Formal verbal
Informal verbal
Formal written
Informal written
Formal written
A forensic investigator is preparing a report in response to a security breach. The report is augmented by documentation provided by a third party.
Which optional section in the report serves as a gesture of thanks for the third-party support?
Acknowledgments
References
Conclusions
Appendices
Acknowledgments
A network log from a remote system is entered into evidence, and the proper steps are taken to protect the integrity of the data. The log contains network intrusion data but does not contain any information about the log.
What must an investigator document about this log in the forensic report?
Name of the server
Number of records in the file
Name of the server administrator
Number of bytes in the file
Name of the server
What is the minimum number of workstations a forensics lab needs?
One
Two
Three
Four
Two
Which function does the BIOS parameter block (BPB) handle for the hard disk?
Describes the physical layout and volume partitions
Specifies the location of the operating system
Initializes code that executes after powering the firmware interface
Interprets the boot configuration data and selects boot policy
Describes the physical layout and volume partitions
How does RAID 3 store information?
Information is written on a minimum of two drives for quick reading and writing of data.
Data is mirrored on two drives to improve the speed of retrieving information and resilience.
Information is written at byte level across multiple drives, but only one is dedicated for parity.
Information is stored on multiple drives, with floating parity for improved performance and resilience.
Information is written at byte level across multiple drives, but only one is dedicated for parity.
Which file system is on a system with MacOS installed?
New Technology File System (NTFS)
Hierarchical File System Plus (HFS+)
Extended file system (EXT)
Z File System (ZFS)
Hierarchical File System Plus (HFS+)
Where should an investigator search for details of activities that have taken place in an SQL database?
Primary data files (MDF)
Secondary data files (NDF)
Data definition language (DDL) files
Transaction log data files (LDF)
Transaction log data files (LDF)
Which command line utility enables an investigator to analyze privileges assigned to database files?
DBINFO
SHOWFILESTATS
mysqldump
mysqlaccess
mysqlaccess
The following is the header from a threatening email:
Received: from Mailhost.big-isp.com (mailhost.big-isp.com [124.53.112.16]) by Mailhost.gigantic-isp.com (8.8.5/8.7.2) Received: from mail.biedburz.usa (mail.biedburz.usa [124.211.3.88]) by Mailhost.big-isp.com (10.5.2/10.4.1) With ESMTP id LAA20869 for timmy@gigantic-isp.com; Tue, Jan 26 2016 14:39:24 -0800 (PST)
What is the name of the server that sent the message?
Mail.biedburz.usa
Mailhost.big-isp.com
Mailhost.gigantic-isp.com
Timmy@gigantic-isp.com
Mail.biedburz.usa
Which header allows an investigator to determine if a message was sent to many recipients?
In-Reply-To
Content-Type
X-Distribution
X-Mailer
X-Distribution
Which operating system contains PLIST files for forensic analysis?
Android
Windows
Linux
MacOS
MacOS
Which operating system contains the authentication log at /var/log/auth.log?
Android
Linux
iOS
MacOS
Linux
Which path should a forensic investigator use to look for system logs in a Mac?
/var/log/cups/access_log
/var/log/
/var/audit/
/var/log/install.log
/var/log/
Which tool should a forensic investigator use to view information from Linux kernel ring buffers?
arp
dmesg
fsck
grep
dmesg
A forensic investigator makes a bit-stream copy of a Windows hard drive that has been reformatted. The investigator needs to locate only the Adobe PDF files on the hard drive.
Which tool should this investigator use?
Quick Recovery
Handy Recovery
EaseUS Data Recovery
Stellar Data Recovery
EaseUS Data Recovery
Which hexadecimal value should an investigator search for to find JPEG images on a device?
0x424D
0xD0CF11E0A1B11AE1
0x504B030414000600
0xFFD8
0xFFD8
Which type of steganography allows the user to physically move a file but keep the associated files in their original location for recovery?
Whitespace
Folder
Image
Web
Folder
An employee steals a sensitive text file by embedding it into a PNG file. The employee then sends this file via an instant chat message to an accomplice.
Which type of steganography did this employee use?
Document
Image
Text
Web
Image
A first responder arrives at an active crime scene that has several mobile devices.
What should this first responder do while securing the crime scene?
Leave the devices in the state they are in and put them in anti-static bags
Turn on the devices and review recently accessed data
Turn off the devices to preserve the volatile memory
Leave the devices as found and fill out chain of custody paperwork
Leave the devices as found and fill out chain of custody paperwork
What is a responsibility of the first responder at a crime scene?
Package and transport the evidence
Identify the presence of rootkits on the evidence
Decrypt the evidence by cracking passwords
Detect malware present on the evidence
Package and transport the evidence
Which step preserves the forensic integrity of volatile evidence when a device is discovered in the powered-on state?
Documenting the procedures for shutting down the system
Collecting information with a secure command shell
Using the built-in backup utility to gather information
Copying the file with the keyboard shortcut Ctrl+C
Collecting information with a secure command shell
Which action maintains the integrity of evidence when a forensic laptop is used to acquire data from a compromised computer?
Connecting the machines with a straight through cable
Connecting the machines with a crossover cable
Enabling a hardware write blocker
Enabling administrative control
Enabling a hardware write blocker
What should an investigator do while collecting evidence from a device?
Turn off the computer to protect the data
Install antivirus software to protect information
Begin documenting the chain of custody
Close any open documents and applications
Begin documenting the chain of custody
Why should investigators use the bit-stream disk-to-disk data acquisition method rather than the disk-to-image method?
Ensures that integrity is not compromised
Preserves the required chain of custody
Addresses potential errors and incompatibilities
Avoids the possibility of running out of space
Addresses potential errors and incompatibilities
What should an investigator do to ensure that creating a forensic hard drive image does not alter the drive?
Make a duplicate using the dd command
Make a duplicate using the cp command
Copy each file to a new disk using copy and paste
Copy each file to a new disk using File Explorer
Make a duplicate using the dd command
A Mac computer that does not have removeable batteries is powered on.
Which action must a first responder take to preserve digital evidence from the computer once volatile information is collected?
Place the computer in an anti-static bag
Obtain the IP address of the computer
Maintain the power with a portable charger
Press the power switch for 30 seconds
Press the power switch for 30 seconds
What should an investigator do to ensure that a phone serving as evidence at a crime scene is properly isolated?
Contact the service provider
Turn the device off
Remove the battery
Use a Faraday bag
Use a Faraday bag
First responders arrive at a company and determine that a non-company Windows 7 computer was used to breach information systems. The computer is still powered on.
What is the correct procedure for powering off this computer once the volatile information has been collected?
Shut down the device by clicking Special Shutdown
Unplug the electrical cord from the wall socket
Type Get-Service | Where {$_.status –eq ‘running’}
Press down the Ctrl and L keys simultaneously
Unplug the electrical cord from the wall socket