SEC+ Revision Questions Introduction to Computer Forensics Flashcards

1
Q

What must be determined by the first responder to an incident?
A. The severity of the event
B. Which other personnel must be called in
C. The dollar amount associated with the incident
D. Who is at fault

A

A. The severity of the event

2
Q

After seizing computer equipment alleged to have been involved in a crime, it is left in a corridor unattended for ten minutes while officers subdue a violent suspect. The seized equipment is no longer admissible as evidence because of what violation?
A. Order of volatility
B. Damage control
C. Chain of custody
D. Time offset

A

C. Chain of custody

3
Q

A warrant has been issued to investigate a server believed to be used to swap credit card information by organized crime. Following the order of volatility, which data should you collect first?
A. Electronic memory (RAM)
B. Hard disk
C. USB flash drive
D. CMOS

A

A. Electronic memory (RAM)

4
Q

A server configured with a RAID-5 array must be properly imaged to preserve the original state of the data. You decide against imaging each physical hard disk in the array. Which two tasks must you perform? (Choose two.)
A. Change the server CMOS boot order.
B. Image the array as a single logical disk.
C. Ensure your imaging solution supports RAID.
D. Update the firmware for the RAID controller.

A

B. Image the array as a single logical disk.
&
C. Ensure your imaging solution supports RAID.

5
Q

While capturing network traffic, you notice an abnormally excessive number of outbound SMTP packets. To determine whether this is an incident that requires escalation, what else should you consult?
A. The contents of your inbox
B. The mail server log
C. The mail server documentation
D. The web server log

A

B. The mail server log
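
Added example, not part of the original flashcard set: the kind of check that turns "a lot of outbound SMTP" into an escalation decision by reading the mail server log instead of guessing from the packet capture. It parses Postfix-style queue-manager lines (that log format is an assumption; adapt the regex to whatever MTA you run) and reports any sender whose recipient count inside a sliding five-minute window crosses a threshold. The log lines are constructed for the demo.

```python
"""Triage an outbound-SMTP spike by counting recipients per sender in a sliding window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Postfix queue-manager line shape:
# "YYYY-MM-DD HH:MM:SS postfix/qmgr: QUEUEID: from=<sender>, size=N, nrcpt=M (queue active)"
QMGR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) postfix/qmgr: \w+: "
    r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, sender, recipient_count), or None for lines that do not match."""
    m = QMGR_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("sender").lower(), int(m.group("nrcpt"))


def peak_recipients(lines, window=timedelta(minutes=5)):
    """For each sender, the largest number of recipients addressed within any `window`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, sender, n = parsed
            events[sender].append((ts, n))
    peaks = {}
    for sender, evs in events.items():
        evs.sort()
        total, start, best = 0, 0, 0
        for ts, n in evs:
            total += n
            while ts - evs[start][0] > window:  # slide the left edge of the window forward
                total -= evs[start][1]
                start += 1
            best = max(best, total)
        peaks[sender] = best
    return peaks


def flag_senders(lines, threshold=50, window=timedelta(minutes=5)):
    """Senders whose peak recipient count in one window meets the escalation threshold."""
    return {s: p for s, p in peak_recipients(lines, window).items() if p >= threshold}


def sample_log():
    """Constructed sample: two normal senders and one account blasting 30 messages
    to 5 recipients each within about a minute."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    for i, who in enumerate(["alice@example.com", "bob@example.com", "bob@example.com"]):
        t = base + timedelta(minutes=i * 7)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} postfix/qmgr: A{i:04X}: from=<{who}>, "
                     f"size=1204, nrcpt=1 (queue active)")
    for i in range(30):
        t = base + timedelta(seconds=30 + 2 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} postfix/qmgr: B{i:04X}: from=<carol@example.com>, "
                     f"size=2231, nrcpt=5 (queue active)")
    # A line from a different daemon; the parser must ignore it rather than crash.
    lines.append("2024-03-04 09:02:00 postfix/smtpd: connect from unknown[203.0.113.5]")
    return lines


if __name__ == "__main__":
    for sender, peak in flag_senders(sample_log()).items():
        print(f"escalate: {sender} addressed {peak} recipients inside 5 minutes")
```

The threshold and window are policy knobs; what matters for escalation is that the log ties the volume to an account and a time range, which the packet capture alone does not give you.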

6
Q

You decide to work late on a Saturday night to replace wiring in your server room. Upon arriving, you realize there has been a break-in and server backup tapes appear to be missing. What should you do as law enforcement officials arrive?
A. Clean up the server room.
B. Sketch a picture of the broken-into premises on a notepad.
C. Alert officials that the premises have surveillance video.
D. Check the surrounding area for the perpetrator.

A

C. Alert officials that the premises have surveillance video.

7
Q

Which of the following best visually illustrates the state of a computer at the time it was seized by law enforcement?
A. Digital photograph of the motherboard
B. Screenshot
C. Visio network diagram
D. Steganography

A

B. Screenshot

8
Q

Choose the correct order of volatility when collecting digital evidence:
A. Hard disk, DVD-R, RAM, swap file
B. Swap file, RAM, DVD-R, hard disk
C. RAM, DVD-R, swap file, hard disk
D. RAM, swap file, hard disk, DVD-R

A

D. RAM, swap file, hard disk, DVD-R

9
Q

What can a forensic analyst do to reduce the number of files that must be analyzed on a seized disk?
A. Write a Visual Basic script.
B. Delete files thought to be operating system files.
C. Ensure the original disk is pristine and use a hash table on a copy of the files.
D. Ensure the original disk is pristine and use a script to process a copy of the files.

A

C. Ensure the original disk is pristine and use a hash table on a copy of the files.

10
Q

A professional who is present at the time of evidence gathering can be summoned to appear in court or to prepare a report on their findings for use in court. What is this person referred to as?
A. Plaintiff
B. Defendant
C. Auditor
D. Forensic expert witness

A

D. Forensic expert witness

11
Q

Which of the following best describes chain of custody?
A. Delegating evidence collection to your superior
B. Preserving, protecting, and documenting evidence
C. Capturing a system image to another disk
D. Capturing memory contents before hard disk contents

A

B. Preserving, protecting, and documenting evidence

12
Q

In working on an insider trading case, you are asked to prove that an e-mail message is authentic and was sent to another employee. Which items should you consider? (Choose two.)
A. Was the message encrypted?
B. Was the message digitally signed?
C. Are user public keys properly protected?
D. Are user private keys properly protected?

A

B. Was the message digitally signed?
&
D. Are user private keys properly protected?

13
Q

What type of evidence would be the most difficult for a perpetrator to forge?
A. IP address
B. MAC address
C. Cell phone SIM card
D. Documents on a USB flash drive

A

C. Cell phone SIM card

14
Q

What is the purpose of disk forensic software? (Choose two.)
A. Using file encryption to ensure copied data mirrors original data
B. Using file hashes to ensure copied data mirrors original data
C. Protecting data on the original disks
D. Creating file hashes on the original disks

A

B. Using file hashes to ensure copied data mirrors original data
&
C. Protecting data on the original disks
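
Added example, not part of the original flashcard set, covering cards 9 and 14 together: a bit-for-bit copy of a source with a SHA-256 computed while reading, an independent re-hash of the written image to prove the copy mirrors the original, and a known-file hash set used to drop uninteresting files from the copy before analysis. The source here is a constructed file in a temporary directory; on a real acquisition it would be a block device behind a hardware write blocker, which this script cannot provide on its own, and the hash list would be something like the NSRL rather than the one-entry set built below.

```python
"""Bit-for-bit imaging with hash verification, then known-file filtering on the copy."""
import hashlib
import os
import tempfile

BLOCK = 1 << 16  # 64 KiB reads keep memory flat on multi-terabyte sources


def hash_stream(f):
    h = hashlib.sha256()
    for chunk in iter(lambda: f.read(BLOCK), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def image_source(src, dst):
    """Copy every byte of src to dst and return the SHA-256 of what was read.
    src is opened read-only; protecting it from writes is the write blocker's job."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            h.update(chunk)
            fout.write(chunk)
        fout.flush()
        os.fsync(fout.fileno())
    return h.hexdigest()


def verify_image(dst, expected):
    """Re-read the image from disk and compare; both hashes belong in the custody log."""
    return sha256_file(dst) == expected


def triage(root, known_hashes):
    """Relative paths under root whose hash is NOT in the known-good set."""
    unknown = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if sha256_file(p) not in known_hashes:
                unknown.append(os.path.relpath(p, root))
    return sorted(unknown)


def demo():
    """Constructed end-to-end run in a temp dir; returns the checks a report would cite."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.raw")  # stands in for the seized device
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # 1 MiB of deterministic filler
        img = os.path.join(d, "evidence.dd")
        acquired = image_source(src, img)
        verified = verify_image(img, acquired)

        # Flip one byte in the working copy: verification must now fail.
        with open(img, "r+b") as f:
            f.seek(12345)
            f.write(b"\x00")  # original byte there is 0x39, so this is a real change
        tampered_detected = not verify_image(img, acquired)

        # Known-file filtering on files extracted from a (good) copy.
        files = os.path.join(d, "extracted")
        os.makedirs(files)
        with open(os.path.join(files, "kernel32.dll"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 510)  # constructed stand-in for an OS binary
        with open(os.path.join(files, "notes.txt"), "wb") as f:
            f.write(b"move the card numbers before friday\n")
        known = {sha256_file(os.path.join(files, "kernel32.dll"))}
        return {"verified": verified, "tampered_detected": tampered_detected,
                "suspect": triage(files, known)}


if __name__ == "__main__":
    print(demo())
```

The hash that goes into the chain-of-custody record is the one computed from the source during acquisition; every later working copy is checked against it, never against another copy.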

15
Q

You are preparing to gather evidence from a cell phone. Which of the following is false?
A. CDMA mobile devices do not use SIM cards.
B. CDMA mobile devices store user data on the mobile device.
C. GSM mobile devices do not use SIM cards.
D. GSM mobile devices use SIM cards.

A

C. GSM mobile devices do not use SIM cards.

16
Q

You must analyze data on a digital camera’s internal memory. You plan to connect your forensic computer to the camera using a USB cable. What should you do to ensure you do not modify data on the camera?
A. Ensure the camera is turned off.
B. Flag all files on the camera as read-only.
C. Log in with a nonadministrative account on the forensic computer.
D. Use a USB write-blocking device.

A

D. Use a USB write-blocking device.

17
Q

What can be used to ensure seized mobile wireless devices do not communicate with other devices?
A. SIM card
B. Faraday bag
C. Antistatic bag
D. GPS jammer

A

B. Faraday bag

18
Q

Robin works as a network technician at a stock brokerage firm. To test network forensic capturing software, she plugs her laptop into an Ethernet switch and begins capturing network traffic. During later analysis, she notices some broadcast and multicast packets as well as only her own computer’s network traffic. Why was she unable to capture all network traffic on the switch?
A. She must enable promiscuous mode on her NIC.
B. She must disable promiscuous mode on her NIC.
C. Each switch port is an isolated collision domain.
D. Each switch port is an isolated broadcast domain.

A

C. Each switch port is an isolated collision domain.

19
Q

A network intrusion detection device captures network traffic during the commission of a crime on a network. You notice NTP and TCP packets from all network hosts in the capture. You must find a way to correlate captured packets to a date and time to ensure the packet captures will be considered admissible as evidence. What should you do? (Choose two.)
A. Nothing. NTP keeps time in sync on a network.
B. Nothing. Packet captures are time stamped.
C. Without digital signatures, date and time cannot be authenticated.
D. Without encryption, date and time cannot be authenticated.

A

A. Nothing. NTP keeps time in sync on a network.
&
B. Nothing. Packet captures are time stamped.

20
Q

You arrive at a scene where a computer must be seized as evidence. The computer is powered off and has an external USB hard drive plugged in. What should you do?
A. Turn on the computer.
B. Unplug the external USB hard drive.
C. Thoroughly document the state of the equipment.
D. Place the computer in a Faraday bag.

A

C. Thoroughly document the state of the equipment.

21
Q

You are asked to examine a hard disk for fragments of instant messaging conversations as well as deleted files. How should you do this?
A. Use bit stream copying tools.
B. Log in to the computer and copy the original hard drive contents to an external USB hard drive.
C. Map a drive across the network to the original hard drive and copy the contents to an external USB hard drive.
D. View log files.

A

A. Use bit stream copying tools.

22
Q

Which type of file is most likely to contain incriminating data?
A. Password-protected Microsoft Word file
B. Encrypted Microsoft Word file
C. Digitally signed Microsoft Word file
D. File hash of Microsoft Word file

A

B. Encrypted Microsoft Word file

23
Q

How can a forensic analyst benefit from analyzing metadata? (Choose three.)
A. JPEG metadata can reveal specific camera settings.
B. Microsoft Word metadata can reveal the author name.
C. Microsoft Excel metadata can reveal your MAC address.
D. PDF metadata can reveal the registered company name.

A

A. JPEG metadata can reveal specific camera settings.
&
B. Microsoft Word metadata can reveal the author name.
&
D. PDF metadata can reveal the registered company name.

24
Q

Which of the following rules must be followed when performing forensic analysis? (Choose two.)
A. Work only with the original authentic data.
B. Work only with a copy of data.
C. Seek legal permission to conduct an analysis.
D. Seek your manager’s permission to conduct an analysis.

A

B. Work only with a copy of data.
&
C. Seek legal permission to conduct an analysis.

25
Q

The IT director is creating the following year’s budget. You are asked to submit forensic dollar figures for your IT forensic team. Which one item should you not submit?
A. Travel expenses
B. Man hour expenses
C. Training expenses
D. ALE amounts

A

D. ALE amounts

26
Q

Users report at 9:30 A.M. severely degraded network performance since the workday began at 8 A.M. After network analysis and a quick discussion with your IT security team, you conclude a worm virus has infected your network. What should you do to control the damage? (Choose two.)
A. Determine the severity of the security breach.
B. Unplug SAN devices.
C. Shut down all servers.
D. Shut down Ethernet switches.

A

A. Determine the severity of the security breach.
&
D. Shut down Ethernet switches.

27
Q

A suspect deletes incriminating files and empties the Windows recycle bin. Which of the following statements are true regarding the deletion? (Choose two.)
A. The files cannot be recovered.
B. The files can be recovered.
C. Deleted files contain all of their original data until the hard disk is filled with other data.
D. Deleted files contain all of their original data until the hard disk is defragmented.

A

B. The files can be recovered.
&
C. Deleted files contain all of their original data until the hard disk is filled with other data.

28
Q

The local police suspect a woman is using her computer to commit online fraud, but she encrypts her hard disk with a strong passphrase. Law enforcement would like to access the data on the encrypted disk to obtain forensic evidence. What tasks should be done? (Choose two.)
A. Harness the processing power of thousands of Internet computers and attempt to crack the encryption passphrase.
B. Obtain a warrant.
C. Install a packet sniffer on the suspect’s network.
D. Install a keylogger to capture the passphrase.

A

B. Obtain a warrant.
&
D. Install a keylogger to capture the passphrase.

29
Q

A seized USB flash drive contains only natural scenic pictures. Law enforcement officers were convinced incriminating data was stored on the USB flash drive. What else should be done?
A. Decrypt the USB flash drive.
B. Format the USB flash drive.
C. Check for steganographic hidden data.
D. Analyze the USB flash drive log.

A

C. Check for steganographic hidden data.
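
Added example, not part of the original flashcard set: what "check for steganographic hidden data" can mean in practice for the simplest common scheme, least-significant-bit embedding in raw pixel data. The block embeds a length-prefixed payload in the LSBs of a pixel buffer, extracts it again, and applies the pairs-of-values chi-square test (Westfeld and Pfitzmann), which flags an image where the counts of pixel values 2k and 2k+1 have become suspiciously equal. The cover pixels and the payload are constructed; the payload is pseudo-random on purpose, because a careful suspect encrypts before hiding and that is exactly the case the statistical test is built for.

```python
"""LSB steganography: embed, extract, and a chi-square detector on a raw pixel buffer."""
import hashlib


def embed_lsb(pixels, payload):
    """Write a 4-byte length prefix plus payload, MSB first, into successive pixel LSBs."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels):
    """Reassemble bytes from LSBs; None when the length prefix cannot fit the buffer."""
    def read_bytes(start, n):
        val = bytearray()
        for k in range(n):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[start + k * 8 + i] & 1)
            val.append(byte)
        return bytes(val)
    n = int.from_bytes(read_bytes(0, 4), "big")
    if n > (len(pixels) - 32) // 8:
        return None  # implausible length: probably no payload in this buffer
    return read_bytes(32, n)


def chi_square_pairs(pixels):
    """Pairs-of-values test. LSB embedding of roughly random bits equalises the counts
    of values 2k and 2k+1, so a LOW statistic is the suspicious outcome."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2 = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return chi2


def make_cover(n):
    """Constructed cover: values 0..199 with a deliberate even/odd imbalance."""
    return bytes(2 * ((i * 31) % 100) + (1 if i % 7 == 0 else 0) for i in range(n))


def pseudo_random_bytes(n, seed=b"stego-demo"):
    """Deterministic stand-in for an encrypted payload (SHA-256 chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def demo():
    cover = make_cover(8000)
    secret = pseudo_random_bytes(900)
    stego = embed_lsb(cover, secret)
    return {
        "recovered": extract_lsb(stego) == secret,
        "cover_score": chi_square_pairs(cover),
        "stego_score": chi_square_pairs(stego),
    }


if __name__ == "__main__":
    r = demo()
    print(f"payload recovered: {r['recovered']}")
    print(f"chi-square cover={r['cover_score']:.1f} stego={r['stego_score']:.1f} (lower is suspicious)")
```

The detector gives a score, not a verdict: compare it against clean images from the same camera or source before calling a buffer suspicious, and remember that real tools embed in JPEG coefficients or use key-driven pixel selection rather than the first N pixels.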

30
Q

Richard, a meteorologist, is using specialized algorithms to develop climate projection models based on 30TB of weather data collected over the years. Which term best describes this scenario?
A. Climate analysis
B. Massive data analysis
C. Weather analysis
D. Big data analysis

A

D. Big data analysis

31
Q

One of the servers in your data center will no longer boot after being flooded with network traffic from a malicious user. What should you refer to so that the server returns to normal operation?
A. Reconstitution procedures
B. Operating system installation manual
C. Acceptable use policy
D. SLA

A

A. Reconstitution procedures

32
Q

A user complains that the performance on their workstation has degraded to the point that they cannot get any work done. After investigating the problem, you run a virus scan and receive an alert that the machine is infected with a worm virus. What should you do next?
A. Update the virus definition database.
B. Quarantine the workstation from the rest of the network.
C. Run a network scan on the workstation to identify vulnerabilities.
D. Ensure the workstation can connect to corporate servers using ping.

A

B. Quarantine the workstation from the rest of the network.

33
Q

You are the network administrator for ABC, Inc. Your IT security colleagues inform you that in the past users have lost USB flash drives containing sensitive company information. You decide to implement a solution that forces all USB flash drives used on company computers to be encrypted. Which security problem are you addressing?
A. Data breach
B. Confidentiality
C. Integrity
D. Incident containment

A

A. Data breach