Targeted

Question 1

What allows for a lawful search to be conducted without a warrant or probable cause?

Answer 1

Consent of person with authority

Question 2

When is warrantless seizure of evidence justified?

Answer 2

When destruction of evidence is imminent and there is probable cause that the seized item is evidence of criminal activity.

Question 3

When can an investigator collect evidence without formal consent?

Answer 3

When properly worded banners are displayed on a computer screen.

Question 4

What is a web app threat in which the application unintentionally reveals sensitive information to an unauthorized user?

Answer 4

Information Leakage

Question 5

What type of information can be found in a common metadata field for a file?

Answer 5

Network name

Question 6

Which registry key can be analyzed to retrieve folder information?

Answer 6

BagMRU

Question 7

Which registry key tracks files that have been opened or saved within a Windows shell dialog box?

Answer 7

OpenSaveMRU

Question 8

Which registry key may shed light on a user’s activity in a system and can indicate execution of a program or script on a device?

Answer 8

RunMRU

Question 9

Which file format is being viewed if the first hex characters are 42 4D?

Answer 9

BMP

Question 10

Which file format is being viewed if the first hex characters are 47 49 46 38?

Answer 10

GIF

Question 11

Which file format is being viewed if the first hex characters are 89 50 4e 47?

Answer 11

PNG

Question 12

Which file format is being viewed if the first hex characters are ff d8 ff?

Answer 12

JPEG

Question 13

Which file format is being viewed if the first hex characters are 25 50 44 46?

Answer 13

PDF

Question 14

Which file format is being viewed if the first hex characters are d0 cf 11 e0 a1 b1 1a e1?

Answer 14

XLS, DOC, or PPT

Question 15

Which file format is being viewed if the first hex characters are 50 4b 03 04 14 00 06 00?

Answer 15

XLSX, DOCX, or PPTX

Question 16

Which file format is being viewed if the first hex characters are 4e 42 2a 00?

Answer 16

JNT

Question 17

Which file format is being viewed if the first hex characters are 50 4b 03 04?

Answer 17

ZIP

Question 18

Which file format is being viewed if the first hex characters are 52 61 72 21 1a 07?

Answer 18

RAR

Question 19

Which file format is being viewed if the first hex characters are 30 26 b2 75 8e 66 cf 11?

Answer 19

WMV

Question 20

Which file format is being viewed if the first hex characters are 52 49 46 46?

Answer 20

AVI

Question 21

Which file format is being viewed if the first hex characters are 49 44 33 03?

Answer 21

MP3

Question 22

Which file format is being viewed if the first hex characters are 49 20 49?

Answer 22

TIF

Question 23

Which software tool is designed strictly for maintaining the integrity of evidence during data acquisition?

Answer 23

SAFE Block

Question 24

What is the difference between the NIST SP 800-88 recommended types of sanitization, clear, purge, and destroy?

Answer 24

clear: sanitizes media but does not guarantee infeasible recover. allows media reuse.
purge: sanitizes media and guarantees infeasible recovery. allows media reuse.
destroy: destroys media and guarantees infeasible recovery. media not reusable.

Question 25

What are the 3 types of data files MSSQL server stores data and logs in?

Answer 25

Primary data files (MDF)
secondary data files (NDF)
transaction log data files (LDF)

Question 26

Which MySQL utility program is used to dump single or multiple databases for backup purposes?

Answer 26

Mysqldump

Question 27

Which MySQL utility program is used to check the access privileges defined for a hostname or username?

Answer 27

Mysqlaccess

Question 28

Which MySQL utility program is used to process the MyISAM log file and perform recovery operation, display version information, etc?

Answer 28

myisamlog

Question 29

Which MySQL utility program is used to obtain the status of the MyISAM table, identify the corrupted tables, repair the corrupted tables, etc.?

Answer 29

Myisamchk

Question 30

Which MySQL utility program is used to display the content of bin logs (mysql-bin.nnnnnn) in text format?

Answer 30

Mysqlbinlog

Question 31

Which MySQL utility program is used to export metadata, data, or both from one or more databases?

Answer 31

mysqldbexport

Question 32

What python-based tool can be used to analyze suspect MS Office Documents?

Answer 32

oleid

Question 33

What are the different types of logon events?

Answer 33

2: Interactive (user logged on)
3: Network (logged on from network)
4: Batch
5: Service (service started by service control manager)
7: Unlock
8: NetworkCleartext (logged on from network, PW passed unhashed)
9: NewCredentials (cloned current token and specified new credentials for outbound connections
10: RemoteInteractive (User logged on remotely)
11: CachedInteractive (user logged on with cached network credentials

Question 34

What are the two components of an Apache Web Server?

Answer 34

Apache Core: basic functionalities such as allocation of requests and connection maintenance
Apache Modules: Add-ons used for extending core functionality

Question 35

What are the elements of the Apache core component?

Answer 35

http_protocol: responsible for managing routines
http_main: handles server startup and timeouts as well as main server loop
http_request: controls stepwise procedure followed among modules to complete client request as well as error handling
http_core: Includes a header file thaht is not required by the app module
Alloc.c: handles allocation of resource pools
http_config: reads and handles configuration files and arranges the modules

Question 36

What are the two types of Apache Web Server logs?

Answer 36

Access log: records all requests processed by server

error log: diagnostic information and errors the server faced during requests

Question 37

Which program may be used to convert a dd image into a bootable VM?

Answer 37

QEMU disk image utility

Question 38

What TSK command is used to odisplay general details of a file system?

Answer 38

fsstat

Question 39

What TSK command is used to display the details of a metadata structure?

Answer 39

istat

Question 40

What TSK command is used to display the file and directory names in a disk?

Answer 40

fls

Question 41

What TSK command is used to display the details of an image file?

Answer 41

img_stat

Question 42

What is Windows Event ID 4688?

Answer 42

A new process has been created

Question 43

What is Windows Event ID 5156?

Answer 43

Windows Filtering Platform has allowed connection (outbound network connection)

Question 44

What is Windows Event ID 7045?

Answer 44

Service was installed in the system

Question 45

What is Windows Event ID 4657?

Answer 45

Registry value was modified

Question 46

What is Windows Event ID 4660?

Answer 46

Object was deleted (such as account name, domain, process ID, etc.)

Question 47

What is Windows Event ID 4663?

Answer 47

An attempt was made to access an object

Question 48

What is Windows Event ID 7036?

Answer 48

Windows Protection Service has entered the stopped state

Question 49

What is Windows Event ID 7040?

Answer 49

The start of Windows Protection Service was changed from autostart to demand start/auto start disabled

Question 50

Which utility may be used to acquire Mozilla Thunderbird data?

Answer 50

SysTools MailPro+

Question 51

What is the minimum Linux kernel version to support ext4?

Answer 51

2.6.19

Question 52

What is file carving?

Answer 52

technique to recover files and fragments of files from a hard disk in the absence of file system metadata

Question 53

What application should be used for file carving in Windows?

Answer 53

R-Studio, Autopsy, Recover My Files, Ease US Data Recovery Wizard, WinUndelete, R-Undelete

Question 54

What application should be used for file carving in Linux?

Answer 54

R-Studio, Mondo Rescue, Scalpel, Autopsy, Foremost, PhotoRec

Question 55

What application should be used for file carving in macOS?

Answer 55

AppleXsoft File Recovery, 321Soft Data Recovery, Disk Doctors, Disk Drill, R-Studio, Data Rescue 4, Mac Data Recovery Guru

Question 56

What is RAID 0?

Answer 56

Striping only, no redundancy. Min 2 drives

Question 57

What is RAID 1?

Answer 57

Mirroring only. Requires even number of drives

Question 58

What is RAID 2?

Answer 58

Bit-level striping. Better data-integrity, but slower than RAID 0

Question 59

What is RAID 3?

Answer 59

Byte-level striping and dedicated parity disk. Requires at least 3 drives

Question 60

What is RAID 5?

Answer 60

Byte-level striping and distributed parity among drives. Data writing is slow. Min 3 drives

Question 61

What is RAID 6?

Answer 61

Double parity RAID. Data striped across multiple drives and uses dual parity for better redundancy than RAID 5. Min 4 drives.

Question 62

What is RAID 10?

Answer 62

Combo of 0 and 1. Min 4 drives. Includes fault tolerance of RAID 1 and includes redundancy through mirroring