IP Address Of A Remote Computer Trivia Quiz

(Chapter 14): Both attorneys are present in a deposition. The other answers are incorrect because a judge and/or jury are also present at the trial. This is found in Chapter 14 of the official EC-Council material.

(Chapter 3): GIF contains 8 bits per pixel. The other answers are made up and are incorrect.

(Chapter 10 p858): sync_log.log is the correct answer. google_drive.log, vmos.log, and syn_log are all made up answers.

(Chapter 7): packet matching log criteria for the given access list has been detected (TCP or UDP) is correct. The other answers here are incorrect. For your exam, memorize this Cisco log output.

(Chapter 12): PRIV.STM is correct. PRIV.EDB contains the message headers. PUB.EDB stores public folder hierarchies. PRIB.STM is made up.

(Chapter 3): EXT is correct. HFS is for Mac OS. NTFS is for Windows. EXT3 came after EXT.

(Chapter 12): POP3 is used for retrieving emails form the email server. SMTP is used for sending emails. The other answers are not applicable.

(Chapter 10): Cloud storage has a greater security risk, in most cases, since you are reliant upon the CSP (cloud service provider) to protect your data. Cloud computing DOES offer scalability, elasticity, and generally, greater availability.

(Chapter 13): Open GL/ES and SGL is correct. DVM (Dalvik Virtual Machine) is a type of JAVA virtual machine responsible for power and memory management. FreeType renders bitmap and vector fonts. Libc is a C system library tuned for embedded Linux-based devices. You will likely see Open GL/ES and SGL on the real exam.

(Chapters 3 and 4): Bit stream is correct. MBR is the Master Boot Record. RegEdit is the registry editor. Crest stream is a made up answer.

(Chapter 8): Broken account management would involve poor controls around passwords and accounts in general. The other attacks do not involve poor control around passwords and accounts.

(Chapter 3): CHKDSK verifies the file system integrity of a volume, fixes logical file system errors, and is similar to the fsck command in Unix. RegEdit (Registry Editor) is used to load registry hives. lsck is made up as is Disk Integrity.

(Chapter 13): The ESN (Electronic Serial Number) has the manufacturer’s code. ICCID (Integrated Circuit Card Identifier) is printed on the SIM to identify the SIM internationally. EIR is made up. IMSI (International Mobile Subscriber Identity) defines the subscriber in the wireless world, including the country and mobile network that the subscriber belongs to.

Chapter 10: Configuration files is correct. The other files are not saved in the installation folder.

(Chapter 5): Data Recovery Pro specifically mentions email recovery in its use. TotalRecall can be used to recover RAID drives. R-Studio and Quick recovery are for file recovery.

(Chapter 13): Any jailbreak tool with "Root" in it should mean Android on your exam. The other choices are all used for iOS.

(Chapter 5): Data Recovery Pro can be used to restore deleted emails and email attachments. Quick Recovery can be used to recover encrypted files and restore them. File Salvage recovers lost files in Mac OS. Total Recall can be used for RAID.

(Chapter 12): POP3 (Post Office Protocol) runs on port 110. SMTP is port 25. Telnet is port 23. Port is 125 is also incorrect.

(Chapter 2): The investigator should unplug the network cable from the router to prevent additional attacks. Routers do contain potential evidence, so it should not be left at the scene. Cutting the power cord with a knife is just silly and dangerous. The router password should not be on the local PC and the investigator's focus should be to preserve evidence. The best answer (and the one ECC uses) is to unplug the network cable form the router.

(Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR. Windows XP, Vista, and 7 boot with BIOS-MBR.

(Chapter 5): Disk Digger can help recover lost files from hard drives, memory cards, and USB flash drives. R-Studio recovers data from disks. Capsa is a network analyzer that can be used to detect Trojans. Tripwire can be used for file integrity.

(Chapter 1): ETI stands for Enterprise Theory of Investigation. ETI is a powerful methodology that adopts a holistic approach to criminal activity as a criminal operation and not just as a single criminal act.

(Chapter 14): A formal verbal report is given orally to the board, a jury, or managers.

(Chapter 12): Child porn is correct. § 1030 covers Fraud and related activity in connection with computers. The other two answers are made up.

(Note: not seen in the official EC-Council material, but it was reported being seen on the exam): Object file is correct. Snort is an IDS. HDTV and Object oriented database are made up.

(Chapter 8): From the description, this is most likely a denial of service type attack. Since DDoS is the only denial of service attack listed, this is the correct answer.

(Chapter 12): SMTP (Simple Mail Transfer Protocol) normally runs on port 25. Telnet is 23. POP3 is 110. Know your most common ports for the exam. You will probably only see one or two on there.

(Chapter 9): The MDF (primary data file) is the starting point of a database and points to all other files in the database.

(Chapter 1): There is no indication that Johnny inappropriately used a work computer for this crime, so it would just be a criminal investigation. Child porn is a crime, so Civil and Administrative would not be the best choice here.

(Chapter 1): An investigator should always have a duplicate copy of the digital evidence and should use the duplicate for analysis.

(Chapters 2 and 5): Recuva can be used to recover all types of lost files from disk or removable media.​ Capsa is a network analyzer. Netlytic and Recova are made up.

(Chapter 5): E5H is put at the front of a deleted FAT file. The other answers are incorrect because they do not contain the correct sequence.

(Chapter 5): We can infer that this is a document file, based on the extension of .doc. Recuva does not leave a particular file name when performing recovery. The other answers do not make sense, since we do not see Dy5, which indicate a file deleted form the Y drive in the 6th order, and since we know this is a document file.

Chapter 10: The other paths are made up.

(chapter 3): Disk Utility is the only selection that displays details about partition tables in Mac. VFS Rider is a made up tool. DiskDrill can recover from corrupted memory cards. File Salvage is also a Mac tool, but is used for file recovery.

(Chapter 5): Disk Digger can help recover lost files from hard drives, memory cards, and USB flash drives. Data Recovery Pro recovers deleted emails/email attachments. EaseUS allows for precise searching. Partition Ranger is made up and is incorrect as well.

(Chapter 8): Windows Server 2012 log files are stored at %SystemDrive%\inetpub\Logs\LogFiles. You should memorize this path for the CHFI exam. Two of the other answers are missing a percentage (%) sign in the path. The other path is missing the inetpub, which it incorrect.

(Chapter 3): Platters are circular, metal disks that are mounted into a drive enclosure. Tracks are concentric rings on the platters. Clusters are the smallest accessible logical storage units on the hard disk. Plates is a made up answer and is incorrect.

(Chapter 3): Slack space is the wasted area of the disk cluster that lies between the end of the file and end of the cluster, when the file system allocates a full cluster to a file, which is smaller than the cluster size. The other answers here are made up.

(Chapter 1): A digital forensic investigator investigates digital crimes.

(Chapter 3): RAID 5 uses byte-level data striping across multiple drives and distributes parity information among all member drives. RAID 1 offers mirroring. RAID 2 does not implement parity, mirroring, or striping. RAID 6 is made up.

(Chapter 2): According to the United States v. David, a warrantless seizure is used when the destruction of evidence is imminent and there is cause to believe that the item being seized constitutes evidence of criminal activity. If evidence is already collected, a warrant will generally not do any good and the evidence will likely be inadmissible. If no criminal activity has occurred then there is no justification to seize evidence. Instruction of evidence is a silly answer, since you are not instructing the evidence to do anything.

(Chapter 7): Role-based approach is correct. Bayesian correlation uses statistics. Payload correlation compares packets with signatures (i.e.- IPS/IDS). Ronald-based is made up.

(Chapter 5): Cain & Abel is the only password cracking tool in this list. CHS and MBR crack are made up. EaseUS is used for recovery, not passwords.

(Chapter 3): Magic number is correct. The Superblock in Linux EXT2 stores information about the size and shape of EXT2. seven triangles and non-magic number are made up.

(Chapter 8): Look for the keyword of the question, like directory in this one, on the actual exam. It will help you answer correctly. SQL injection involves injecting SQL commands via input data. Insecure storage involves a lack of control around stored data (credit card numbers). Cookie poisoning involves modifying information in cookies.

(Chapter 7): The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect their customers' information against security threats. HIPAA is for healthcare. SOX is to protect investors from account fraud. NIST is a set of standards for security policies, standards, and best practices.

(Chapter 14): Frye is the standard for scientific testimony. Daubert covers Expert Witness testimony. Know these for your exam. The other answers are made up.

(Chapter 13): ​Paraben's Phone Recovery Stick is considered a hardware tool.

(Chapter 14): Daubert pertains to expert witness and Frye pertains to scientific evidence. The other answers are not applicable to testimony of witnesses.

(Chapter 6): The Registry Editor is also known by RegEdit. The other answers are made up and are incorrect.

(Chapter 5): Total Recall is used for RAID. Comodo Programs Manager is used for dynamic malware analysis. DiskDigger offers thumbnail previews of recovered files. Advanced Disk Recovery offers the Quick and Deep scans.

(Chapter 13): RedSn0w is used to root iOS devices. One trick for your exam is anything with "root" in the name is usually for Android.

(Chapter 7): This would be considered post-mortem analysis, since it is after the attack. Real-time analysis is when the incident is occurring and data is being obtained in real-time, so action can be taken. Live analysis would be similar to static analysis. Pre-mortem analysis is made up.

(Chapter 6): NTUSER.DAT is the correct answer. The SAM file contains user credential information. The other answers are made up.

(Chapter 12): The CAN-SPAM act requires opt-out requests be honored within 10 business days. The other choices are incorrect because they do not meet this criteria.

(Chapter 1): A USB is a secondary storage device that represents non-volatile data. Other forms of non-volatile data include hidden files, slack space, swap file, event logs, registry settings, and unused partitions.

(Chapter 13): All of these are Android libraries. OpenGL/ES and SGL is the correct answer. WebKit is the browser engine used to display web pages. FreeType renders bitmap and vector fonts. Libc is a C system library tuned for embedded Linux-based devices.

(Chapter 4): Drivespy can do data acquisition and duplication. Wireshark is for network sniffing. Capsa is a network analyzer and can detect Trojans. Xplico is a network forensics analysis tool.

(Chapter 2): The law firm may alter the data, so it will then be inadmissible in a criminal case.

(Chapter 1 and Chapter 2): The chain of custody document is used to demonstrate the progression of evidence from the original evidence location to the forensic lab. The evidence progression and evidence path documents do not exist. Exhibit numbering is part of collecting the evidence and labeling it for use in court.

(Chapter 13): RedSn0w is used to root iOS devices. One trick for your exam is anything with "root" in the name is usually for Android.

(Chapter 2): In the pre-investigation phase, the scene perimeter is secured. The Investigation phase is when the evidence is being collected and analyzed. There is not a phase named Securing the scene.

(Note: the only Metasploit tool mentioned in the ECC official material is Timestomp-- used to change the timestamp, mentioned in Chapter 5, but you will likely see Slacker mentioned on the exam. Welcome to ECC exams): Slacker is the tool in Metasploit that will hide data in the slack space of FAT or NTFS file systems, WaffenFS stores data in the EXT3 journal file, FragFS hides data within the NTFS Master file table, RuneFS stores data in bad blocks.

(Chapter 5): Active@ File Recovery is the only answer here that contains a CD/DVD ISO image that allows you to burn a bootable CD.

(Chapter 5): PWdump7 can be used to dump password hashes from the SAM file. WinHex is a disk editor tool for file headers. MBRv6 and H_attack are made up answers and are incorrect.

(Chapter 6): netstat -ano is the command used to look for suspicious connections and the process ID. netgift and netrenew are made up commands and are incorrect. netstat -nan is not a valid syntax for the netstat command.

(Chapter 6) UTC stands for Coordinated Universal Time.

(Chapter 1): System time is actually a form of volatile data that can be lost, when the system is turned off. Other volatile data includes open files, network information, logged on users, process information, process memory, clipboard contents, command history, and more.

(Chapter 6): /u is correct. /s is used to specify the name or IP address of a remote computer. /v specifies that verbose task information be displayed in the output. /user_special is made up.

(Chapter 13): The Phone API provides telephony services, like making calls, receiving calls, and SMS. The GUI API is responsible for creating menus and submenus in designing applications. The OS API schedules multiple tasks, offers synchronization, and priority allocation. Kernel API is a made up answer.

(Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR.

(Chapter 2 and Chapter 4-- both have the same information): RAPID IMAGE 7020 X2 is designed to copy 1 Master hard drive and up to 19 Target hard drives. The other answers are incorrect, based on Chapter 2 of the EC-Council material.

(Chapter 11): jv16 is a registry tool. Memorize this for your exam. Virtual file system and EFI are not valid choices. jv16 is not used for malware analysis--again, remember that for your exam.

(Chapter 5): DiskDigger offers thumbnail previews of recovered files. None of the other options offer thumbnail previews, so they are incorrect.

(Chapter 2): Rule 1003 covers the Admissibility of Duplicate evidence. The admissibility of original evidence is covered in 1002. Other evidence admissibility is covered under 1004. Definitions are covered under 1001.

(Chapter 2): The service provider search warrant allows the investigator to obtain records from the service provider, including things like billing records and subscriber information. An electronic storage device warrant is for the suspect's hardware. A felony warrant is too broad and would cover non-digital crimes as well. Likewise, a search warrant is too broad. The best answer is the Service Provider search warrant.

(Chapter 2): The electronic storage device warrant is used to search and seize hardware. Felony warrant is too broad and also covers non-Digital crime. A Federal warrant is not relevant, since there can be many kinds issued. Powerless warrant is a made up answer and not correct.

(Chapter 3): Sectors are the smallest physical storage units located on the hard disk platter. Clusters are the smallest logical storage unit. Tracks contain sectors. Platters are circular metal disks mounted into a drive enclosure.

(Chapter 1): The 4th Amendment protects against unlawful search and seizure by government officials. The 1st Amendment covers free speech. The 2nd Amendment covers the right to bear arms. The 13th Amendment abolished slavery.

(Chapter 5): Steganalysis is the process of discovering the existence of hidden information within a covered medium (i.e.- an image file). Steganography is the practice of hiding information. The other answers are not applicable to forensics.

(Chapter 6): The net file command displays the names of all open shared files and the number of file locks. netstat is a command to look for suspicious connections, but this answer shows "net stat," which is not a valid command. ls is used to list files in Linux. PsFile shows files opened remotely.

(Chapter 6): The page file is found at this location. There is not a "slack file," but rather it is the slack space (wasted area between the end of a file and cluster). Passware and handle files are made up.

(Chapter 2): The "zz" refers to the sequence number for parts of the same exhibit. aaa is for the investigator's initials. The date of the seizure is in day, month, year (dd/mm/yy) format. The number of exhibits is nnnn.

(Chapter 3): There is not an EVT4 file system. There is an EXT4 file system. UFS is Unix File System. HFS is for Mac OS. EXT is a Linux file system.

(Chapter 3): ISO 9660 is a standard that defines the use for file systems of CD-ROM and DVD media. The other answers are made up.

(Chapter 6): fsutil is the correct answer. The other provided answers are made up.

(Chapter 11): Jamie is not actually running the malware, so the best choice would be static analysis. Dynamic analysis would involve executing the malware to see its behavior. Reversal analysis and BEC analysis are made up answers.

(Chapter 3): ISO 9660 is correct. The other answer choices are made up.

(Chapter 5): This is known as a brute force attack. Hybrid is a combination of brute force and dictionary attacks. Abley cain is not a real tool. Rainbow attacks use rainbow tables.

(Chapter 1): By using ETI, the investigator has a better chance of dismantling an entire criminal organization.