IP Address Of A Remote Computer Trivia Quiz

316 Questions | Total Attempts: 84


Questions and Answers
  • 1. 
    Exchange server email header information is located here.
    • A. 

      PRIV.STM

    • B. 

      PRIV.EDB

    • C. 

      PUB.EDB

    • D. 

      PRIB.EDB

  • 2. 
    UTC stands for:
    • A. 

      Universal Coordinate Tasks

    • B. 

      Coordinated Universal Time

    • C. 

      Coordinated User Time

    • D. 

      Universal Computer Time

  • 3. 
    The forensic investigator uses this command to see what sessions are open.
    • A. 

      Net session

    • B. 

      Net open

    • C. 

      Net run

    • D. 

      Net sessioning


  • 4. 
    This is a type of anti-forensic technique with malware.
    • A. 

      Packing

    • B. 

      Vacationing

    • C. 

      $Rxyte provisioning

    • D. 

      Static analysis

  • 5. 
    This does not use OLE.
    • A. 

      Word

    • B. 

      Excel

    • C. 

      PDF

    • D. 

      MS Office

  • 6. 
    This verifies the file system integrity of a volume, fixes logical file system errors, and is similar to the fsck command in Unix.
    • A. 

      RegEdit

    • B. 

      CHKDSK

    • C. 

      Disk Integrity

    • D. 

      Lsck

  • 7. 
    The investigator is looking to detect something after the incident has ended.
    • A. 

      Real-time analysis

    • B. 

      Post-trial analysis

    • C. 

      Post-mortem analysis

    • D. 

      After-action analysis

  • 8. 
    A hacker commits a DDoS attack against a specific IP address of a company's Web server. This is considered what type of attack?
    • A. 

      APT attack

    • B. 

      Network attack

    • C. 

      Web application attack

    • D. 

      Ids attack

  • 9. 
    What file type is this? FF D8 FF E1
    • A. 

      BMP

    • B. 

      JPEG

    • C. 

      GIF

    • D. 

      PNG

  • 10. 
    This tasklist command specifies the name or IP address of a remote computer.
    • A. 

      /v

    • B. 

      /s

    • C. 

      /u

    • D. 

      /r

  • 11. 
    You can use this to see the last access time change on Windows 10.
    • A. 

      Devcon

    • B. 

      Fsutil

    • C. 

      Wmic service

    • D. 

      Reg.exe


  • 12. 
    This displays all commands stored in memory.
    • A. 

      Memory key command

    • B. 

      Doskey history

    • C. 

      -l display

    • D. 

      Regedit

  • 13. 
    GIF has how many bits per pixel?
    • A. 

      16

    • B. 

      24

    • C. 

      8

    • D. 

      32

  • 14. 
    The Jv16 tool is used for:
    • A. 

      Malware reversing

    • B. 

      Dynamic analysis

    • C. 

      Registry

    • D. 

      Bit-to-bit mapping

  • 15. 
    You can detect Trojans with which of the following?
    • A. 

      Tripwire

    • B. 

      Capsa

    • C. 

      Belkasoft RAM Cap

    • D. 

      Regshot

  • 16. 
    A web analytics solution for small and medium-sized websites.
    • A. 

      Clickfunnels

    • B. 

      Deep Log Analyzer

    • C. 

      XRY log

    • D. 

      LAN Who

  • 17. 
    This contains the manufacturer's information
    • A. 

      ICCID

    • B. 

      ESN

    • C. 

      EIR

    • D. 

      IMSI

  • 18. 
    You can view DBX files in:
    • A. 

      Adobe Acrobat Reader

    • B. 

      Thunderbird

    • C. 

      MS Outlook Express

    • D. 

      Thundercats

  • 19. 
    When a FAT file is deleted, what is placed at the front?
    • A. 

      ELH

    • B. 

      E5H

    • C. 

      EH5

    • D. 

      ESH

  • 20. 
    This can do data acquisition and duplication.
    • A. 

      Capsa

    • B. 

      Drivespy

    • C. 

      Wireshark

    • D. 

      Xplico

  • 21. 
    A deleted file in the Recycle Bin is named RIYH6VR.doc. This tells us:
    • A. 

      The file was deleted from the Y drive in the 6th order

    • B. 

      The deleted file is a document file

    • C. 

      The file was deleted with Recuva

    • D. 

      None of the above

  • 22. 
    This is an IDS:
    • A. 

      Kismet

    • B. 

      Snort

    • C. 

      Accountix Pro

    • D. 

      Nikto 1000

  • 23. 
    The $I file contains all of the following EXCEPT:
    • A. 

      The original file size

    • B. 

      The date the file was sent to the recycle bin

    • C. 

      The length of the files as 344 bytes long

    • D. 

      The original file path

  • 24. 
    This has journaling:
    • A. 

      Ext1

    • B. 

      NTFS

    • C. 

      FAT

    • D. 

      FAT32

  • 25. 
    A small law firm suspects an incident involving potential criminal action and wants to investigate it themselves. Why should they avoid doing so? (choose the best answer)
    • A. 

      Law firms should not perform digital forensic investigations

    • B. 

      They may alter the date or timestamp information of the evidence

    • C. 

      They can prosecute the attack

    • D. 

      They have a conflict of interest, since they are involved in real estate law

  • 26. 
    This is part of Metasploit that can be used to hide data in the slack space of FAT and NTFS
    • A. 

      RuneFS

    • B. 

      Slacker

    • C. 

      FragFS

    • D. 

      WaffenFS

  • 27. 
    The attorney who calls the witness to the stand is the one asking the questions.
    • A. 

      Cross-examination

    • B. 

      Direct examination

    • C. 

      Deposition

    • D. 

      Expert testimony

  • 28. 
    The first __ bits of the ESN are the manufacturer's code.
    • A. 

      32

    • B. 

      8

    • C. 

      16

    • D. 

      24

  • 29. 
    The Linux bootloader is active in this stage.
    • A. 

      Kernel stage

    • B. 

      Bootloader stage

    • C. 

      Bios stage

    • D. 

      Gluc stage

  • 30. 
    This tool is used to open registry hives
    • A. 

      MySQLlog Editor

    • B. 

      Registry Editor

    • C. 

      Reg_HIV OpenPS

    • D. 

      Hiveopener 3000

  • 31. 
    This is the default folder path used for syncing files in Dropbox
    • A. 

      C:\Users\$user\Dropbox

    • B. 

      C:\Users\Dropbox\sync.config

    • C. 

      C:\Dropbox\Client\sync

    • D. 

      C:\Users\Admin\sync\Dropbox\Client

  • 32. 
    These files are located within an instance (n) of the Dropbox folder in AppData of the user's profile.
    • A. 

      Executables

    • B. 

      Configuration

    • C. 

      User files

    • D. 

      N-instance files

  • 33. 
    This contains executables, libraries, Program Files, LNK files, links of user profiles, and application shortcuts in Dropbox.
    • A. 

      Google Client

    • B. 

      Dropbox.dbl

    • C. 

      Dropbox Client

    • D. 

      Program File

  • 34. 
    Dropbox Client path:
    • A. 

      C:\Program Files(x86)\Dropbox\Client

    • B. 

      C:\Program Files\Dropbox\Client

    • C. 

      C:\Dropbox\Client

    • D. 

      C:\Dropbox\Client\Config

  • 35. 
    These store information about files synced to the cloud using Dropbox.
    • A. 

      Store.db and dropbox.db

    • B. 

      Store.dbx and dropbox.dbx

    • C. 

      Filecache.dbx and config.dbx

    • D. 

      Config.dbx and Filesystem.dbx

  • 36. 
    The default Google Drive installation location on Windows 10:
    • A. 

      C:\Program Files (x86)\Google\Drive

    • B. 

      C:\Program Files(x64)\Google Driver

    • C. 

      C:\Progarm Files\System32\Google Drive

    • D. 

      C:\Program Files (x86)\Google\Drive\Config

  • 37. 
    These are saved in the installation folder in the user profile for Google Drive
    • A. 

      Backup files

    • B. 

      Configuration files

    • C. 

      Log files

    • D. 

      Image files

  • 38. 
    Google Drive Configuration files are stored at this path:
    • A. 

      C:\Google\Drive\User\Default

    • B. 

      C:\Google Drive\<user default>

    • C. 

      C:\Users\<username>\AppData\Local\Google\Drive\user_default

    • D. 

      C:\Users\AppData\Local\Google Drive\user

  • 39. 
    This contains the Google Drive version, the local sync root path, and user's email address
    • A. 

      Snapshot.db

    • B. 

      Sync_config.db

    • C. 

      Sync_config.db

    • D. 

      Config.db

  • 40. 
    The installation of Google Drive Client Version in Windows 10 creates this (choose the best answer):
    • A. 

      Problems

    • B. 

      Sync_log.log

    • C. 

      Config.exe

    • D. 

      Gd.exe

  • 41. 
    RAPID IMAGE 7020 X2 is designed to copy how many “Master” hard drives?
    • A. 

      Two

    • B. 

      One

    • C. 

      Three

    • D. 

      Unlimited


  • 42. 
    This rule covers limited admissibility
    • A. 

      Rule 401

    • B. 

      Rule 402

    • C. 

      Rule 105

    • D. 

      Rule 103

  • 43. 
    Max has arrived on scene and sees that the computer is turned on. His first step should be to (choose the best answer):
    • A. 

      Power off the computer to preserve evidence

    • B. 

      Leave the computer on, but look at task manager to see if any programs are running

    • C. 

      Photograph the current computer state

    • D. 

      Perform a bit by bit copy of the drive

  • 44. 
    Samuel has completed static analysis of a new malware strain.  He is now going to perform dynamic analysis.  Which tool can he use to monitor for installations, while performing dynamic analysis?
    • A. 

      Jv16

    • B. 

      Sysanalyzer

    • C. 

      Data recovery pro

    • D. 

      Stellar phoenix

  • 45. 
    This tool displays details about GPT partition tables in Mac OS
    • A. 

      VFS Rider

    • B. 

      DiskDrill

    • C. 

      File Salvage

    • D. 

      Disk Utility


  • 46. 
    Nasir needs to recover lost data from a RAID. He knows that this tool will be needed.
    • A. 

      Total Recall

    • B. 

      DiskDigger

    • C. 

      Advanced Disk Recovery

    • D. 

      Comodo Programs Manager

  • 47. 
    Jennifer is an investigator with the FBI. She is performing dynamic analysis on malware and wants to know the dependencies. What tool should she use?
    • A. 

      Jv16 power tools

    • B. 

      Xplico

    • C. 

      Dependency walker

    • D. 

      Dependency crawler

  • 48. 
    Which Windows version can use UEFI-GPT or BIOS-MBR?
    • A. 

      Xp

    • B. 

      10

    • C. 

      7

    • D. 

      95

  • 49. 
    This tool can recover deleted files emptied from the Recycle Bin, or lost because of the formatting/corruption of a hard drive, virus or Trojan infection, and unexpected system shutdowns.
    • A. 

      File Salvage

    • B. 

      DiskDigger

    • C. 

      Recover My Files

    • D. 

      Recuva

  • 50. 
    David is looking for a tool that contains an ISO image, so he can burn a bootable CD. What tool is he looking for?
    • A. 

      CD Boot

    • B. 

      Active@ File Recovery

    • C. 

      Pandora Recovery

    • D. 

      Data Rescue 4

  • 51. 
    This is an open source NFAT.
    • A. 

      Comodo Programs Manager

    • B. 

      Install Watch

    • C. 

      Xplico

    • D. 

      Snort

  • 52. 
    This extracts data contained from an internet traffic capture
    • A. 

      X data extract

    • B. 

      Xplico

    • C. 

      Sysanalyzer

    • D. 

      Web syssol

  • 53. 
    Jv16 can be used for:
    • A. 

      Static malware analysis

    • B. 

      Registry

    • C. 

      Efi

    • D. 

      Vfs


  • 54. 
    James enjoys this tool that offers thumbnail previews
    • A. 

      Revuca preview mode

    • B. 

      Diskdigger

    • C. 

      Stellar phoenix

    • D. 

      Xplico

  • 55. 
    This tool can be used for dynamic malware analysis
    • A. 

      Easeus

    • B. 

      Install watch

    • C. 

      Mbr

    • D. 

      R-studio

  • 56. 
    This can recover documents even if Windows is reinstalled.
    • A. 

      Undeleteplus

    • B. 

      Active@ file recovery

    • C. 

      Pandora recovery

    • D. 

      R-studio

  • 57. 
    Jamie needs a tool that can recover files with their original file name
    • A. 

      Diskdigger

    • B. 

      Stellar phoenix

    • C. 

      Total recall

    • D. 

      Sysanalyzer

  • 58. 
    The investigator has performed a bit-by-bit copy of a drive.  Now the investigator wants to look for unusual network services.  What command should be used?
    • A. 

      Net stat

    • B. 

      Net start

    • C. 

      Netstat

    • D. 

      Net session

  • 59. 
    This type of password attack uses a combination of dictionary and brute force techniques.
    • A. 

      Hybrid

    • B. 

      Rule-based

    • C. 

      Syllable

    • D. 

      Dictionary-brute

  • 60. 
    This tool recovers all file types from an HFS-formatted drive.
    • A. 

      Disk utility

    • B. 

      Data rescue 4

    • C. 

      Recuva

    • D. 

      Total recall

  • 61. 
    PUB.EDB:
    • A. 

      Streams internet content files, like video and audio

    • B. 

      Contains message headers and message text

    • C. 

      Stores public folder hierarchies and contents

    • D. 

      Publishes email message content

  • 62. 
    This tool restores deleted emails and email attachments
    • A. 

      Quick recovery

    • B. 

      Total recall

    • C. 

      Data recovery pro

    • D. 

      R-studio

  • 63. 
    CAN-SPAM requires senders to honor opt-out requests within:
    • A. 

      6 months

    • B. 

      3 months

    • C. 

      10 business days

    • D. 

      30 business days

  • 64. 
    Paco needs to open an Android phone. He should use:
    • A. 

      Pangu Jail Break

    • B. 

      GeekSn0w

    • C. 

      TowelRoot

    • D. 

      Redsn0w

  • 65. 
    This can recover files from newly formatted drives
    • A. 

      Recuva

    • B. 

      EaseUS

    • C. 

      Undelete Plus

    • D. 

      Pandora Recovery

  • 66. 
    This tool can be used to recover lost data from RAID and hard drives:
    • A. 

      EaseUS

    • B. 

      Total Recall

    • C. 

      DiskDigger

    • D. 

      File Salvage

  • 67. 
    You can check for the creation of new accounts in the administrator group with the ____ command.
    • A. 

      Check admin.exe

    • B. 

      Check lusmgr.msc

    • C. 

      Lusrmgr.msc

    • D. 

      Lusrmr.exe

  • 68. 
    Sally is an investigator working for Diamond Corp.  She needs to restore lost emails and their attachments.  Which tool should she use (choose the best answer)?
    • A. 

      File Salvage

    • B. 

      DiskDigger

    • C. 

      Data Recovery Pro

    • D. 

      Data Rescue 4

  • 69. 
    This tool can scan and recover encrypted and password-protected files.
    • A. 

      Diskdigger

    • B. 

      R-studio

    • C. 

      Quick recovery

    • D. 

      Pandora recovery

  • 70. 
    This tool offers the ability to “preview data on the fly” and allows you to recover data even if Windows has been reinstalled.
    • A. 

      Recuva

    • B. 

      Recover my files

    • C. 

      Easeus

    • D. 

      Ontrack easy recovery

  • 71. 
    Sally needs a tool that can support large hard disks.  What should she use?
  • 72. 
    This tool recovers data and also protects it
    • A. 

      Undelete plus

    • B. 

      Easeus

    • C. 

      Ontrack easy recovery

    • D. 

      Advanced disk recovery

  • 73. 
    Roberta is an investigator with DHS.  She is at the scene and needs to locate and recover files deleted from an NTFS-formatted volume.  What should she use?
    • A. 

      Active@ file recovery

    • B. 

      R-studio

    • C. 

      Stellar phoenix

    • D. 

      Pandora recovery

  • 74. 
    This tool can recover files from a scratched CD
    • A. 

      File salvage

    • B. 

      Diskdigger

    • C. 

      Total Recall

    • D. 

      Data Recovery Pro

  • 75. 
    Johnny wants to use the tool that offers thumbnail previews.  He should choose:
    • A. 

      File salvage

    • B. 

      Diskdigger

    • C. 

      R-studio

    • D. 

      Pandora recovery

  • 76. 
    David needs a tool that contains an ISO image.  He knows that ______ offers this.
  • 77. 
    This tool offers a secure overwrite feature that meets military standards.
    • A. 

      Easeus

    • B. 

      Recover my files

    • C. 

      Recuva

    • D. 

      Data rescue 4

  • 78. 
    Tanisha wants to recover files with their original file name.  She should use which of the following tools to accomplish this (choose the best answer)?
    • A. 

      Data rescue 4

    • B. 

      Stellar phoenix

    • C. 

      Total recall

    • D. 

      Quick recovery

  • 79. 
    The insider threat caused a lot of chaos.  Sally, the digital forensic investigator, needs a tool that can repair and recover disk bad sectors.  Which tool should she use?
    • A. 

      Quick recovery

    • B. 

      Sysanalyzer

    • C. 

      Jv16

    • D. 

      Total recall

  • 80. 
    This tool supports RAW recovery on lost volumes
    • A. 

      Capsa

    • B. 

      DiskDigger

    • C. 

      Stellar Phoenix

    • D. 

      Quick Recovery

  • 81. 
    This tool offers an “Advanced Deep Scan” mode, that scours a drive to find any traces of files that have been deleted.
    • A. 

      Active@ file recovery

    • B. 

      Recuva

    • C. 

      Easeus

    • D. 

      Ontrack easy recovery

  • 82. 
    William needs a tool that can allow him to specify a specific file type for precise search results.  What tool is this?
    • A. 

      Undelete plus

    • B. 

      Easeus

    • C. 

      R-studio

    • D. 

      File salvage

  • 83. 
    Sara is investigating an incident and needs to display information about all logged in sessions on a local Windows computer.  Which command should she use?
    • A. 

      Net view

    • B. 

      Net session

    • C. 

      Net use

    • D. 

      Net log

  • 84. 
    A network administrator, with over 10 years of experience in Cisco systems, is trying to see if any TCP or UDP ports have unusual listening.  What command is she using?
    • A. 

      Net tcp_udp

    • B. 

      Net tcp/udp_use

    • C. 

      Netstat -na

    • D. 

      Netstat -tu

  • 85. 
    When a file is deleted in FAT, the first letter of the deleted filename is changed to:
    • A. 

      H5H

    • B. 

      E5H

    • C. 

      ESH

    • D. 

      ESE

  • 86. 
    Jason needs to review file shares on the server.  He knows that he can use this command to review file shares and ensure their purpose.
    • A. 

      Msconfig fls

    • B. 

      Net view

    • C. 

      Net session

    • D. 

      Net use

  • 87. 
    The nbtstat command can be used for:
    • A. 

      Linux servers

    • B. 

      NBT servers

    • C. 

      NetBIOS

    • D. 

      Malware execution

  • 88. 
    Roberta suspects the company’s network has been compromised.  How can she look for unusual network services running?
    • A. 

      Net start

    • B. 

      Net service

    • C. 

      Net process

    • D. 

      Net run

  • 89. 
    How can you find scheduled and unscheduled tasks on the local host?
    • A. 

      Net local.host

    • B. 

      Schtasks.exe

    • C. 

      Find schtasks.exe

    • D. 

      Use schtasks.exe

  • 90. 
    Jose is an investigator with CyberNet, Inc and is investigating an incident.  How does he check to see if sessions have been opened with other systems?
    • A. 

      Net session

    • B. 

      Net view

    • C. 

      Net use

    • D. 

      Net analysis

  • 91. 
    This tool can be used to display details about GPT partition tables in Mac OS.
    • A. 

      Diskdigger

    • B. 

      Recover my files

    • C. 

      Windows super disk recovery

    • D. 

      Disk utility

  • 92. 
    Simple, sequential, flat files of a data set are called:
    • A. 

      Blank format

    • B. 

      Raw format

    • C. 

      MBR format

    • D. 

      First data format

  • 93. 
    Disk Editor tools for file headers include all of the following EXCEPT:
    • A. 

      Hex workshop

    • B. 

      Winhex

    • C. 

      Windows hex editor

    • D. 

      Diskedit

  • 94. 
    Jennifer needs to repair and recover bad disk sectors.  Which tool should she use?
    • A. 

      Quick recovery

    • B. 

      Windows super file recovery

    • C. 

      File salvage

    • D. 

      Total recall

  • 95. 
    This is a tool for Mac OS
    • A. 

      Recover my files

    • B. 

      Windows defender

    • C. 

      File ravage

    • D. 

      Disk utility

  • 96. 
    This tool can be used to restore emails
    • A. 

      Quick recovery

    • B. 

      File salvage

    • C. 

      Data recovery pro

    • D. 

      Total recall

  • 97. 
    Data rescue 4 is:
    • A. 

      A new movie coming out

    • B. 

      A file recovery tool only for windows

    • C. 

      A file recovery tool used for mac

    • D. 

      A new forensic tool used to sanitize digital media

  • 98. 
    Which of the following is known for providing quick and deep scanning?
    • A. 

      Easeuk

    • B. 

      Easeus

    • C. 

      Advanced disk recovery

    • D. 

      Recover my files

  • 99. 
    David needs to recover lost files from a USB flash drive.  Which tool will help him?
    • A. 

      Partition ranger

    • B. 

      Diskdigger

    • C. 

      Easeus

    • D. 

      Data recovery pro

  • 100. 
    In this stage of the Linux boot process, information is retrieved from the CMOS chip.
    • A. 

      Kernel

    • B. 

      Bec

    • C. 

      Bios

    • D. 

      Bootloader

  • 101. 
    In Windows 98 and earlier, deleted files are named in Dxy.ext format.  What does the x stand for?
    • A. 

      Sequence number

    • B. 

      Original extension

    • C. 

      File name

    • D. 

      Drive

  • 102. 
    Jason is an investigator with over 10 years of experience.  He needs to find a tool that will help him recover a RAID drive.  Which tool can help him?
    • A. 

      Quick recovery

    • B. 

      Quick RAID recovery

    • C. 

      Total recall

    • D. 

      Diskdigger

  • 103. 
    Sara wants to perform a deep scan that scans the entire system.  She should use:
    • A. 

      Recover my files

    • B. 

      Total recall

    • C. 

      Diskdigger

    • D. 

      Advanced disk recovery

  • 104. 
    For Windows 2000, deleted files are found in:
    • A. 

      C:/Recycler

    • B. 

      C:\Recycler

    • C. 

      C:\$Recycle.Bin

    • D. 

      C:\Recycle.Bin$

  • 105. 
    Which is not one of the three tiers of log management infrastructure?
    • A. 

      Log generation

    • B. 

      Log protection

    • C. 

      Log monitoring

    • D. 

      Log analysis/storage

  • 106. 
    In FAT, the first letter of the deleted file name is replaced with:
    • A. 

      X5h

    • B. 

      E5h

    • C. 

      Esh

    • D. 

      Exy

  • 107. 
    This can be used to dump password hashes from the SAM file.
    • A. 

      Winhex

    • B. 

      Pwdump7

    • C. 

      Mbr v6

    • D. 

      H_attack

  • 108. 
    This approach monitors a computer and user's behavior for anomalies.
    • A. 

      Bayesian correlation

    • B. 

      Access-control based

    • C. 

      Role-based

    • D. 

      Route-correlation

  • 109. 
    HFS+ uses:
    • A. 

      Windows OS

    • B. 

      B-tree structure to store data

    • C. 

      UEFI

    • D. 

      MBR partitions

  • 110. 
    In Windows Server 2012 (IIS), log files are stored at:
    • A. 

      SystemDrive%\inetpub\Logs\LogFiles

    • B. 

      %SystemDrive%\Logs\LogFiles

    • C. 

      %SystemDrive%\inetpub\Logs\LogFiles

    • D. 

      %SystemDrive\inetpub\Logs\LogFiles

  • 111. 
    Which command can be used to look for suspicious connections and the process ID
    • A. 

      Netstat -nan

    • B. 

      Netstat -ano

    • C. 

      Netgift -ano

    • D. 

      Netrenew -ano

  • 112. 
    POP3 runs on port:
    • A. 

      125

    • B. 

      25

    • C. 

      23

    • D. 

      110

  • 113. 
    This Microsoft Exchange archive data file contains message headers, message text, and standard attachments.
    • A. 

      PRIV.STM

    • B. 

      PUB.EDB

    • C. 

      PRIV.EDA

    • D. 

      PRIV.EDB

  • 114. 
    Lisa is investigating a phishing email attack at a company.  She knows the first step in the email investigation process is:
    • A. 

      Examining email messages

    • B. 

      Tracing the email origin

    • C. 

      Obtaining a search warrant

    • D. 

      Examining email logs

  • 115. 
    John wants to root an Apple phone.  Which tool should he use?
    • A. 

      OneClickRoot

    • B. 

      TowelRoot

    • C. 

      RescuRoot

    • D. 

      RedSn0w

  • 116. 
    18 USC §1030 covers:
    • A. 

      Child pornography

    • B. 

      Malicious mischief

    • C. 

      Misleading domain activity

    • D. 

      Fraud and related activity in connection with computers

  • 117. 
    This Federal statute covers child pornography
    • A. 

      18 USC 2252A

    • B. 

      18 USC 2252B

    • C. 

      Texas Penal Code 2281

    • D. 

      18 USC 20000AB

  • 118. 
    This rule involves rulings on evidence
    • A. 

      Rule 101

    • B. 

      Rule 107

    • C. 

      Rule 104

    • D. 

      Rule 103

  • 119. 
    Sara is an Assistant U.S. Attorney.  She knows that this rule covers the general admissibility of relevant evidence.
    • A. 

      Rule 402

    • B. 

      Rule 701

    • C. 

      Rule 804

    • D. 

      Rule 502

  • 120. 
    This person provides legal advice about the investigation and any potential legal issues in the forensic investigation process.
    • A. 

      Photographer

    • B. 

      Investigator

    • C. 

      Attorney

    • D. 

      Incident responder

  • 121. 
    Rule 1003 covers:
    • A. 

      Admissibility of original evidence

    • B. 

      Definitions

    • C. 

      Admissibility of other evidence

    • D. 

      Admissibility of duplicates

  • 122. 
    Phil is a digital forensic investigator that needs to obtain information from a suspect's service provider about billing records and subscriber information.  What type of warrant would Phil need to obtain in this case?
    • A. 

      Electronic storage device warrant

    • B. 

      Search warrant

    • C. 

      Service provider search warrant

    • D. 

      Felony warrant

  • 123. 
    The FBI is investigating Sally for hacking her school's network.  What type of warrant should they obtain in order to search and seize Sally's personal laptop?
    • A. 

      Felony warrant

    • B. 

      Federal warrant

    • C. 

      Electronic storage device warrant

    • D. 

      Powerless warrant

  • 124. 
    Johnny has been with the DEA for 17 years.  He shows up on the scene and notices the suspect's computer is turned on.  After securing the scene, Johnny should:
    • A. 

      Turn the computer off and unplug the power cords

    • B. 

      Leave the computer on and document the scene

    • C. 

      Turn the computer off and document the scene

    • D. 

      Pull the power cord and place the computer in an anti-static box

  • 125. 
    For a router, the investigator should:
    • A. 

      Cut the power cord with a 3b72 knife

    • B. 

      Unplug the network cable from the router

    • C. 

      Search the closest PC for the router password

    • D. 

      Leave the router at the site as it does not contain any evidence

  • 126. 
    All investigators keep track of the evidence path by using the:
    • A. 

      Exhibit numbering standard

    • B. 

      Chain of custody document

    • C. 

      Evidence progression document

    • D. 

      Evidence path document

  • 127. 
    The zz in exhibit numbering stands for:
    • A. 

      The investigator's initials

    • B. 

      The data of the evidence collection

    • C. 

      The date of evidence seizure

    • D. 

      The sequence number for parts of the same exhibit

  • 128. 
    In exhibit numbering, the aaa is:
    • A. 

      The sequential number of exhibits

    • B. 

      The sequence number for parts of the same exhibit

    • C. 

      The investigator's badge number

    • D. 

      The initials of the individual seizing the equipment

  • 129. 
    Tools involved in Hashing include all of the following EXCEPT:
    • A. 

      Hashcalc

    • B. 

      Md5 calculator

    • C. 

      Hashmyfiles

    • D. 

      Superhasher

  • 130. 
    In exhibit numbering, nnnn represents:
    • A. 

      The initials of the forensic analyst

    • B. 

      The sequential number of the exhibits seized by the investigator

    • C. 

      The sequence number for parts of the same exhibit

    • D. 

      The sequential level of investigative process

  • 131. 
    Circular, metal disks mounted into the drive enclosure are called:
    • A. 

      Plates

    • B. 

      Tracks

    • C. 

      Platters

    • D. 

      Clusters

  • 132. 
    Disk Density is calculated with:
    • A. 

      Bit, area, and cluster density

    • B. 

      Cluster, area, and track density

    • C. 

      Track, area, and bit density

    • D. 

      Cylinder circumference, area density, and cluster density

  • 133. 
    This is the smallest physical storage unit on the hard disk platter.
    • A. 

      Sector

    • B. 

      Cluster

    • C. 

      Track

    • D. 

      Platter

  • 134. 
    There are this many bits for storing Logical Block Addresses (LBAs) on the Master Boot Record (MBR).
    • A. 

      64

    • B. 

      90

    • C. 

      128

    • D. 

      32

  • 135. 
    Sectors are how many bytes long?
    • A. 

      256

    • B. 

      512

    • C. 

      128

    • D. 

      32

  • 136. 
    Jennifer is studying for her CHFI exam and knows that the MBR is:
    • A. 

      128

    • B. 

      64

    • C. 

      512

    • D. 

      256

  • 137. 
    These determine the sector addressing for individual sectors on a disk.
    • A. 

      Clusters, heads, and sectors (CHS)

    • B. 

      Heads, sectors, and tracks (HST)

    • C. 

      Cylinders, heads, and sectors (CHS)

    • D. 

      Clusters, cylinders, and tracks (CCT)

  • 138. 
    The Master Boot Record (MBR) starts at this sector.
    • A. 

      Sector 8

    • B. 

      Sector 1

    • C. 

      Sector 0

    • D. 

      Sector 32

  • 139. 
    The MBR signature is always:
    • A. 

      Hw66ax

    • B. 

      0x55aa

    • C. 

      Aa0xss

    • D. 

      0xssaa

  • 140. 
    The GUID has this number of hexadecimal digits, with groups separated by hyphens.
    • A. 

      64

    • B. 

      32

    • C. 

      128

    • D. 

      512

  • 141. 
    This command can be used to obtain details about partitions.
    • A. 

      Get-detailspartition

    • B. 

      Get-gpt

    • C. 

      Get-gpt-partition

    • D. 

      Get-partitiontable

  • 142. 
    In UEFI SEC, this is initialized.
    • A. 

      Mbr

    • B. 

      Sec_boot

    • C. 

      Code

    • D. 

      Hobl

  • 143. 
    This is the wasted area of a disk cluster, lying between the end of the file and the end of the cluster.
    • A. 

      Spare space

    • B. 

      Recycled space

    • C. 

      Slack space

    • D. 

      Stream space

  • 144. 
    Tasha is looking for the UEFI phase that involves clearing UEFI from memory.
    • A. 

      Dxe

    • B. 

      Sec

    • C. 

      Rt

    • D. 

      Bsd

  • 145. 
    The GUID is how many bits?
    • A. 

      256

    • B. 

      512

    • C. 

      64

    • D. 

      128

  • 146. 
    Which Windows version boots in either UEFI-GPT or BIOS-MBR?
    • A. 

      Xp

    • B. 

      Vista

    • C. 

      7

    • D. 

      10

  • 147. 
    This is a tool for Mac that can be used to recover files from crashed or virus corrupted hard drives.
    • A. 

      Recover my files

    • B. 

      Total recall

    • C. 

      File salvage

    • D. 

      Data recovery pro

  • 148. 
    Keira is an investigator with the FBI who needs to recover lost files from a USB flash drive.  Which tool can help her do this?
    • A. 

      R-studio

    • B. 

      Diskdigger

    • C. 

      Capsa

    • D. 

      Tripwire

  • 149. 
    Sandra needs to see details about GPT partition tables in Mac OS.  Which tool should she use?
    • A. 

      Vfs

    • B. 

      Disk utility

    • C. 

      Diskdigger

    • D. 

      Recover my files

  • 150. 
    UTC stands for: 
    • A. 

      Universal Computer Time

    • B. 

      Coordinated Universal Time

    • C. 

      Universal Time to Compute figures

    • D. 

      Coordinated Universe Timing

  • 151. 
    A Digital Forensic Investigator investigates this type of crime (choose the best answer).
    • A. 

      Gang violence

    • B. 

      Narcotics

    • C. 

      Digital crime

    • D. 

      Crime not involving computers

  • 152. 
    What does ETI stand for?
    • A. 

      Extra-Technology Investigator

    • B. 

      Enterprise Technology Investigator

    • C. 

      Enterprise Theory of Investigation

    • D. 

      Elite and Tactical Investigation Team

  • 153. 
    System time is an example of non-volatile data.
    • A. 

      True

    • B. 

      False

  • 154. 
    John is a forensic investigator working on a case for a WHC hospital.  John finds a USB drive sitting behind an access control door in the server room.  The hospital provides John access to retrieve the device.  John knows that the USB represents:
    • A. 

      Non-volatile data

    • B. 

      Volatile data

    • C. 

      A cluster

    • D. 

      A partition

  • 155. 
    The SWGDE 1.1 standard maintains that agencies seizing or examining digital evidence must do this.
    • A. 

      Maintain an appropriate SOP document

    • B. 

      Review the SOP every 6 months

    • C. 

      Maintain written copies of the technical procedures

    • D. 

      Evaluate damages of each security breach

  • 156. 
    Shamika is the VP of Technology at XYZ, Inc.  She suspects that her newest employee, David, may be using his work computer to look at child pornography.  What type of investigation(s) should be started?
    • A. 

      Civil

    • B. 

      Criminal and civil

    • C. 

      Administrative and civil

    • D. 

      Criminal and administrative

  • 157. 
    Randill, Inc. has initiated an informal evidence collection process.  Which type of investigation usually has an informal process for evidence collection?
    • A. 

      Criminal

    • B. 

      Civil

    • C. 

      Administrative

    • D. 

      Nv investigation

  • 158. 
    A warrantless seizure of digital evidence is used when:
    • A. 

      The destruction of evidence is non-imminent and there is no cause to believe that the item being seized constitutes evidence of criminal activity

    • B. 

      The destruction of evidence is non-imminent and there is cause to believe that the item being seized constitutes evidence of criminal activity

    • C. 

      The destruction of evidence is imminent and there is no cause to believe that the item being seized constitutes evidence of criminal activity

    • D. 

      The destruction of evidence is imminent and there is cause to believe that the item being seized constitutes evidence of criminal activity

  • 159. 
    An internal investigation, undertaken by an organization to determine whether employees are following rules and/or policies, is called:
    • A. 

      Criminal

    • B. 

      Frye

    • C. 

      Administrative

    • D. 

      Civil

  • 160. 
    All of these are a part of the Pre-investigation phase EXCEPT:
    • A. 

      Setting up the CFL

    • B. 

      Securing the perimeter

    • C. 

      Building the investigation team

    • D. 

      Acquiring the evidence

  • 161. 
    A computer forensics lab should have windows all around the perimeter.
    • A. 

      True

    • B. 

      False

  • 162. 
    Before acquiring evidence, the digital forensic investigator should always (choose the BEST answer):
    • A. 

      Call for backup

    • B. 

      Email the judge

    • C. 

      Obtain a search warrant that specifies exactly what evidence can be collected

    • D. 

      Obtain a warrant

  • 163. 
    This is a network sniffer that can support several hundred network protocols.
    • A. 

      Cain & Abel

    • B. 

      Recuva

    • C. 

      Capsa

    • D. 

      Snort

  • 164. 
    A deposition is different from a regular trial in that:
    • A. 

      Both attorneys are present

    • B. 

      A judge is present

    • C. 

      The jury is present

    • D. 

      Both the judge and jury are present

  • 165. 
    This rule governs proceedings in the courts of the United States.
    • A. 

      Rule 101

    • B. 

      Rule 103

    • C. 

      Rule 493

    • D. 

      Rule 622

  • 166. 
    Deleted files are found here in Windows 7 and later.
    • A. 

      C:\Recycler

    • B. 

      C:\Recycled

    • C. 

      C:\$Recycle.Bin

    • D. 

      C:\Recycle.Bin$

  • 167. 
    This tool can be used to restore emails.
    • A. 

      FSSTAT

    • B. 

      File Salvage

    • C. 

      Data Recovery Pro

    • D. 

      EaseUS

  • 168. 
    This tool can be used to recover from partition loss.
    • A. 

      EaseUS

    • B. 

      File Salvage

    • C. 

      Recover My Files

    • D. 

      DiskDigger

  • 169. 
    This Android library is used to render 2D (SGL) or 3D (OpenGL/ES) graphics to the screen.
    • A. 

      Webkit

    • B. 

      Freetype

    • C. 

      OpenGL/ES and SGL

    • D. 

      Libc

  • 170. 
    If the INFO2 file is deleted, it can be recovered by:
    • A. 

      Restarting Windows

    • B. 

      Using a digital forensic tool

    • C. 

      Un-deleting it

    • D. 

      Restoring from a boot CD

  • 171. 
    A 32-bit number placed on the chip by the manufacturer is called:
    • A. 

      IMSI

    • B. 

      IMEI

    • C. 

      ESN

    • D. 

      ICCID

  • 172. 
    A report presented orally to a board of directors, jury, or managers would be called:
    • A. 

      Formal verbal report

    • B. 

      Informal verbal report

    • C. 

      Formal written report

    • D. 

      Informal written report

  • 173. 
    All of the following are Android rooting tools EXCEPT
    • A. 

      OneClickRoot

    • B. 

      TowelRoot

    • C. 

      Redsn0w

    • D. 

      RescuRoot

  • 174. 
    Phil has been called to testify on the scientific techniques used in the investigation.  What standard would his testimony fall under?
    • A. 

      Frye

    • B. 

      Daubert

    • C. 

      SIM6

    • D. 

      Expert Witness

  • 175. 
    A lossless, patent-free image format designed to replace older formats.
    • A. 

      JPEG

    • B. 

      BMP

    • C. 

      GIF

    • D. 

      PNG

  • 176. 
    The TSK command used to display general details about a file system is:
    • A. 

      Flsstat

    • B. 

      Img_stat

    • C. 

      Fsstat

    • D. 

      Istat

  • 177. 
    The img_stat command:
    • A. 

      Displays details of an image file

    • B. 

      Lists file and directory names in an image

    • C. 

      Displays general details of a file system

    • D. 

      Displays metadata

  • 178. 
    This type of analysis is ongoing and returns results as events occur, so that attacks can be responded to immediately.
    • A. 

      Postmortem analysis

    • B. 

      Real-Time analysis

    • C. 

      Deceased analysis

    • D. 

      Disk Removal analysis

  • 179. 
    Which of the following is a starting hex value of an image file:
    • A. 

      99 xd 54

    • B. 

      Ff d8 ff

    • C. 

      Xx c9 53

    • D. 

      If d9 ff

  • 180. 
    How many bits per pixel does GIF contain?
    • A. 

      16

    • B. 

      32

    • C. 

      8

    • D. 

      64

  • 181. 
    This RAID level uses byte-level striping, with a dedicated parity disk and stores checksums.
    • A. 

      2

    • B. 

      10

    • C. 

      3

    • D. 

      5

  • 182. 
    UTC stands for which of the following:
    • A. 

      Universal Computing Time

    • B. 

      Universal Computer Time

    • C. 

      Coordinated Universal Time

    • D. 

      Computer Universal Time

  • 183. 
    This RAID level uses block-level data striping across multiple drives and distributes parity information among all member drives.
    • A. 

      6

    • B. 

      5

    • C. 

      1

    • D. 

      2

  • 184. 
    This contains the configuration information related to the user currently logged on (e.g. wallpaper, display settings).
    • A. 

      HKEY_LOCAL_MACHINE

    • B. 

      HKEY_VALID_USER

    • C. 

      HKEY_CURRENT_USER

    • D. 

      HKEY_LOCAL_PC

  • 185. 
    In FHS, essential user command binaries are in this.
    • A. 

      /bin

    • B. 

      \bin

    • C. 

      /shin

    • D. 

      \binary

  • 186. 
    Misuse of a work computer generally can lead to this type of investigation.
    • A. 

      Civil

    • B. 

      Administrative

    • C. 

      Criminal

    • D. 

      Criminal and Civil

  • 187. 
    The Scientific Working Group on Digital Evidence (SWGDE) standard that states SOPs must generally be accepted is:
    • A. 

      1.2

    • B. 

      1.1

    • C. 

      1.3

    • D. 

      1.5

  • 188. 
    A first responder secures the scene perimeter.  This is:
    • A. 

      Pre-investigation phase

    • B. 

      Post-investigation phase

    • C. 

      Investigation phase

    • D. 

      Securing the scene phase

  • 189. 
    This is the Amendment that protects against unlawful search and seizure.
    • A. 

      2nd

    • B. 

      1st

    • C. 

      13th

    • D. 

      4th

  • 190. 
    This type of event correlation stores sets of events in codes.
    • A. 

      Codebook-based

    • B. 

      Standards-based

    • C. 

      Bayesian correlation

    • D. 

      Open-Port based

  • 191. 
    All of the following are Registry tools EXCEPT:
    • A. 

      Jv16

    • B. 

      Jv22

    • C. 

      RegRipper

    • D. 

      ProDiscover

  • 192. 
    This law subsection covers child pornography.
    • A. 

      1030

    • B. 

      123

    • C. 

      2252A

    • D. 

      476

  • 193. 
    This type of warrant is used to get records from service providers.
    • A. 

      Super Warrant

    • B. 

      Felony Warrant

    • C. 

      Electronic storage device warrant

    • D. 

      Service provider search warrant

  • 194. 
    A warrantless seizure can be used when
    • A. 

      The instruction of evidence is imminent

    • B. 

      The destruction of evidence is imminent

    • C. 

      Evidence is already collected

    • D. 

      The item being seized is not evidence of criminal activity

  • 195. 
    Jonathan is an investigator, but he is not the first one on the scene.  He wants to show the path of evidence collected from the scene to the forensic lab.  What should he use?
    • A. 

      Criminal Report

    • B. 

      Daubert standard report

    • C. 

      Chain of custody

    • D. 

      Exhibit numbering

  • 196. 
    The dd command dd if=/dev/xxx of=mbr.backup bs=512 count=1 can be used to:
    • A. 

      Do double duty

    • B. 

      Complete the Dugle Davis Report

    • C. 

      Backup the MBR

    • D. 

      Backup the MBR

  • 197. 
    This event correlation approach monitors computer and user behavior for anomalies.
    • A. 

      Ronald-based approach

    • B. 

      Role-based approach

    • C. 

      Bayesian correlation

    • D. 

      Payload correlation approach

  • 198. 
    This type of attack is a combination of both a brute force attack and dictionary attack.
    • A. 

      Hybrid

    • B. 

      Syllable

    • C. 

      Rule-based

    • D. 

      Dictionary

  • 199. 
    Stacey needs to crack a Windows password.  She can use which tool to do this?
    • A. 

      MBR Crack

    • B. 

      EaseUS

    • C. 

      Cain & Abel

    • D. 

      CHS Crack

  • 200. 
    Bob arrives on the scene of a large corporation after an attack.  His analysis of the affected devices is considered:
    • A. 

      Pre-mortem analysis

    • B. 

      Live analysis

    • C. 

      Real-time analysis

    • D. 

      Post-mortem analysis

  • 201. 
    Rob wants to discover potential hidden information in an image file.  He would use this to see it.
    • A. 

      Stegasorous

    • B. 

      Steganography

    • C. 

      Steganalysis

    • D. 

      Stegographic

  • 202. 
    The collection of the system time is the ____ step in investigating an incident.
    • A. 

      2nd

    • B. 

      1st

    • C. 

      4th

    • D. 

      3rd

  • 203. 
    All of the following can be used to determine logged on users EXCEPT
    • A. 

      PsLoggedOn

    • B. 

      LogonSessions

    • C. 

      LogonUsers

    • D. 

      Net sessions

  • 204. 
    This command can be used to see the names of all open shared files and the number of file locks.
    • A. 

      PsFile

    • B. 

      Net stat

    • C. 

      Net file

    • D. 

      Ls

  • 205. 
    This contains information about all the currently active user profiles on the computer.
    • A. 

      HKEY_Current_User

    • B. 

      HKEY_Local_Machine

    • C. 

      HKEY_Users

    • D. 

      HKEY_R_RM

  • 206. 
    This file's configuration is found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.
    • A. 

      Passware file

    • B. 

      Handle file

    • C. 

      Slack file

    • D. 

      Page file

  • 207. 
    In exhibit numbering, the zz is for:
    • A. 

      Investigator initials

    • B. 

      Year of collection

    • C. 

      Number of exhibits in sequence

    • D. 

      Sequence number of parts of the same exhibit

  • 208. 
    This is a library and collection of command line tools for investigating disk images.
    • A. 

      TPF

    • B. 

      TPS

    • C. 

      TSK

    • D. 

      TKS

  • 209. 
    Internal server error is error code:
    • A. 

      648

    • B. 

      502

    • C. 

      500

    • D. 

      503

  • 210. 
    This stores information about the current hardware profile of the system.
    • A. 

      HKEY_CURRENT_USER

    • B. 

      HKEY_CURRENT_CONFIG

    • C. 

      HKEY_CURRENT_HARDWARE

    • D. 

      HKEY_LOCAL_MACHINE

  • 211. 
    This is a tool used for monitoring log files produced by the UNIX syslog facility.
    • A. 

      Logcheck

    • B. 

      RegEdit

    • C. 

      Swatch

    • D. 

      Watch

  • 212. 
    Google Drive logs are:
    • A. 

      Google_drive.log

    • B. 

      Vmos.log

    • C. 

      Sync_log.log

    • D. 

      Syn_log

  • 213. 
    What determines the sector addressing for individual sectors on a disk?
    • A. 

      HCS

    • B. 

      CEH

    • C. 

      CHS

    • D. 

      DPC

  • 214. 
    Intel is to EFI as PowerPC is to:
    • A. 

      VFS

    • B. 

      Open Firmware

    • C. 

      CSH

    • D. 

      CDD

  • 215. 
    This type of event correlation extracts the attack route information to single out other attack data.
    • A. 

      Bayesian

    • B. 

      Role-based

    • C. 

      Time-based

    • D. 

      Route

  • 216. 
    A file system used by Sun Microsystems is:
    • A. 

      UFS

    • B. 

      SMFS

    • C. 

      EXT

    • D. 

      ZFS

  • 217. 
    An investigator needs to jailbreak an iOS phone.  Which tool can be used?
    • A. 

      Yellow_Root

    • B. 

      RedSn0w

    • C. 

      Winter_Time 3000

    • D. 

      King_Root

  • 218. 
    UNIX uses this file system:
    • A. 

      HFS

    • B. 

      UFS

    • C. 

      HFS+

    • D. 

      EXT2

  • 219. 
    Which is not a file system?
    • A. 

      HFS

    • B. 

      EXT

    • C. 

      EVT4

    • D. 

      UFS

  • 220. 
    This saves data about programs, so programs load faster at boot:
    • A. 

      PasswareKit 47

    • B. 

      Prefetch folder

    • C. 

      Recuva

    • D. 

      RegEdit

  • 221. 
    David has been called to the stand to offer scientific testimony.  This is an example of:
    • A. 

      Daubert

    • B. 

      Robert

    • C. 

      Frye

    • D. 

      Pierre

  • 222. 
    This file system uses journaling.
    • A. 

      HXS

    • B. 

      FAT

    • C. 

      UFS

    • D. 

      NTFS

  • 223. 
    This standard defines the file system used on CD-ROM and DVD media.
    • A. 

      ISO/IEC 9960

    • B. 

      ISO 9660

    • C. 

      ISO 3287

    • D. 

      NIST 800-9934

  • 224. 
    18 USC § 2252A covers
    • A. 

      Small Business Loans

    • B. 

      Fraud

    • C. 

      Abuse

    • D. 

      Child Porn

  • 225. 
    The Superblock in UFS has:
    • A. 

      Seven triangles

    • B. 

      Non-magic number

    • C. 

      Magic number

    • D. 

      Size and shape of EXT2

  • 226. 
    This is a sequence of bytes, organized into blocks understandable by the system's linker.
    • A. 

      HDTV

    • B. 

      Object file

    • C. 

      Object oriented database

    • D. 

      Snort

  • 227. 
    Julie wants to use an open-source disk image format.  What should she choose?
    • A. 

      EnCase

    • B. 

      AFF

    • C. 

      TFF

    • D. 

      AutoBahn 2.9

  • 228. 
    These commands can be used in Linux to acquire a disk image.
    • A. 

      Dd and lfox

    • B. 

      Dd and dcfldd

    • C. 

      Dcfldd and hash -l

    • D. 

      Hfs and hfs -list

  • 229. 
    In Windows 7, deleted files are named $Ry.ext, where the y stands for the:
    • A. 

      Drive number

    • B. 

      Sequence number

    • C. 

      File abbreviation

    • D. 

      File type

  • 230. 
    A Cisco device logs %SEC-6-IPACCESSLOGP.  This message means:
    • A. 

      IP invalid

    • B. 

      File Corrupt

    • C. 

      Packet matching log criteria for the given access list has been detected (TCP or UDP)

    • D. 

      IP Access log is alerting on the stored P drive
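
Worked example, added here as an editor's illustration and not part of the quiz: the IPACCESSLOGP mnemonic is produced by IOS access-list entries that carry the "log" keyword, one line per TCP or UDP flow. The Python below parses that line format, ignores the ICMP (IPACCESSLOGDP) and other-protocol (IPACCESSLOGNP) variants, and runs two simple detections over constructed sample lines: total denied packets per source, and sources whose denied flows touched several distinct destination ports. The sample log lines and the RFC 5737 test addresses in them are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional

# IOS logs one IPACCESSLOGP line per flow for ACL entries with the "log" keyword:
#   %SEC-6-IPACCESSLOGP: list <acl> <permitted|denied> <tcp|udp> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
# A syslog timestamp may precede the "%", so the pattern is searched for, not anchored.
# ICMP (IPACCESSLOGDP) and other-protocol (IPACCESSLOGNP) variants are deliberately not matched.
IPACCESSLOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line: str) -> Optional[dict]:
    """Return the fields of an IPACCESSLOGP line, or None for any other message."""
    match = IPACCESSLOGP.search(line)
    if match is None:
        return None
    rec = match.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def denied_packets_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Sum the reported packet counts of denied flows per source address."""
    totals: Counter = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            totals[rec["src"]] += rec["count"]
    return dict(totals)


def probable_scanners(lines: Iterable[str], min_ports: int = 3) -> List[str]:
    """Sources whose denied flows hit at least min_ports distinct destination ports."""
    ports: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            ports[rec["src"]].add(rec["dport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


# Constructed sample log lines (RFC 5737 test addresses), not captured from a real device.
SAMPLE_LINES = [
    "Mar  3 10:15:01.201: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51234) -> 10.0.0.5(22), 1 packet",
    "Mar  3 10:15:31.442: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51235) -> 10.0.0.5(23), 4 packets",
    "Mar  3 10:15:44.019: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51236) -> 10.0.0.5(3389), 2 packets",
    "Mar  3 10:16:02.010: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.0.0.9(53012) -> 10.0.0.2(53), 1 packet",
    "Mar  3 10:16:05.777: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.7 -> 10.0.0.5 (8/0), 3 packets",
]

if __name__ == "__main__":
    print(denied_packets_by_source(SAMPLE_LINES))   # {'203.0.113.7': 7}
    print(probable_scanners(SAMPLE_LINES))          # ['203.0.113.7']
```

The packet counts are the router's own rate-limited summaries (the first hit is logged immediately, later hits are aggregated into "N packets" lines), so treat them as lower bounds rather than exact per-packet evidence.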

  • 231. 
    This tasklist switch runs the command with the account permissions of the specified user.
    • A. 

      /user_special

    • B. 

      /v

    • C. 

      /s

    • D. 

      /u

  • 232. 
    This can be used to detect Trojans.
    • A. 

      Capsa

    • B. 

      Trojan_Detect 3000

    • C. 

      Recuva

    • D. 

      MESN

  • 233. 
    Comodo Programs Manager is used for:
    • A. 

      Active Directory advanced security administration

    • B. 

      SQL Logs

    • C. 

      To see all running programs

    • D. 

      Malware analysis

  • 234. 
    Jenny is a software developer who took shortcuts.  As such, the application does not perform proper bounds checking.  What type of vulnerability is the application she wrote most susceptible to?
    • A. 

      Cookie poisoning

    • B. 

      Buffer overflow

    • C. 

      Information leakage

    • D. 

      SQL injection

  • 235. 
    The attacker uses exploits to access other directories.  This is known as:
    • A. 

      SQL injection attack 

    • B. 

      Directory traversal attack

    • C. 

      Insecure storage

    • D. 

      Cookie poisoning

  • 236. 
    Lenny needs to reset an Administrator password in order to access a device during an investigation.  He knows that this tool can be used (choose the BEST answer).
  • 237. 
    Show active network connections with this:
    • A. 

      Tripwire

    • B. 

      503 connector

    • C. 

      Netstat

    • D. 

      Nbtstat

  • 238. 
    MySQL server start and stop can be found in which log file?
    • A. 

      Mysqldump.log

    • B. 

      Query6.log

    • C. 

      Advanced log file

    • D. 

      General query log file

  • 239. 
    This requires Federal agencies to develop, document, and implement information security programs.
    • A. 

      HIPAA

    • B. 

      GLBA

    • C. 

      SOX

    • D. 

      FISMA

  • 240. 
    This requires financial institutions to protect their customers' information against security threats.
    • A. 

      SOX

    • B. 

      NIST

    • C. 

      GLBA

    • D. 

      HIPAA

  • 241. 
    The MIME stream is found in:
    • A. 

      PRIV.EDB

    • B. 

      PRIV.STM

    • C. 

      PUB.EDB

    • D. 

      PRIB.STM

  • 242. 
    This tool is used for Registry analysis, not for malware installation file analysis.
    • A. 

      GIF

    • B. 

      SysAnalyzer

    • C. 

      JPEG

    • D. 

      Jv16

  • 243. 
    This command can be used to analyze NetBIOS over TCP/IP activity.
    • A. 

      Nbtstat -S

    • B. 

      Nbtstat -w

    • C. 

      Netstat -na

    • D. 

      Net session

  • 244. 
    This command can be used to check if sessions have been opened with other systems.
    • A. 

      Net view

    • B. 

      Net use

    • C. 

      Net session

    • D. 

      Net start

  • 245. 
    Richard wants to look for unusual network services.  What command should he use?
    • A. 

      Net stat

    • B. 

      Net start

    • C. 

      Nbtstat

    • D. 

      Net view

  • 246. 
    BigCHFIDog.com is an e-Commerce business with $500,000 in annual revenue.  Last night, for about 4 hours, their customers were unable to access the website for shopping.  What type of attack did they most likely experience?
    • A. 

      DTC

    • B. 

      DDoS

    • C. 

      SQL

    • D. 

      XSS

  • 247. 
    The MBR partition table structure is ____ bytes.
    • A. 

      32

    • B. 

      128

    • C. 

      512

    • D. 

      64
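
Worked example, added here as an editor's illustration and not part of the quiz: questions 134 through 139, 196 and 247 all describe one 512-byte structure, and the Python below ties the numbers together. It constructs a sample sector 0 (446 bytes of boot code, the 64-byte table of four 16-byte partition entries at offset 446, the 55 AA signature at offset 510), refuses to parse anything whose signature is wrong, unpacks each entry's 32-bit starting LBA and sector count, and decodes the packed CHS fields. The partition layout is invented, and read_sector0() is simply the Python equivalent of dd if=/dev/xxx of=mbr.backup bs=512 count=1.

```python
import struct
from typing import Tuple

MBR_SIZE = 512
BOOT_CODE_SIZE = 446                               # partition table starts at offset 446
PARTITION_ENTRY_SIZE = 16
PARTITION_TABLE_SIZE = 4 * PARTITION_ENTRY_SIZE    # 64 bytes
SIGNATURE_OFFSET = 510                             # bytes 55 AA live at offsets 510-511
SECTOR_BYTES = 512
LBA_BITS = 32                                      # an MBR entry addresses at most 2**32 sectors
MBR_MAX_BYTES = (2 ** LBA_BITS) * SECTOR_BYTES     # 2 TiB with 512-byte sectors


def read_sector0(path: str) -> bytes:
    """Read the first 512 bytes of a device or image file.

    Equivalent to: dd if=<path> of=mbr.backup bs=512 count=1
    """
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def decode_chs(raw: bytes) -> Tuple[int, int, int]:
    """Unpack a 3-byte packed CHS field into (cylinder, head, sector).

    Byte 0 is the head; byte 1 holds the 6-bit sector in its low bits and the
    two high bits of the 10-bit cylinder; byte 2 is the low cylinder byte.
    """
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(sector0: bytes) -> dict:
    """Validate the 0x55AA signature and decode the four partition entries."""
    if len(sector0) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector0)}")
    # On disk the bytes are 55 AA; read as a little-endian word that is 0xAA55.
    (signature,) = struct.unpack_from("<H", sector0, SIGNATURE_OFFSET)
    if signature != 0xAA55:
        raise ValueError(f"bad MBR signature 0x{signature:04X} (want 0xAA55)")

    partitions = []
    for index in range(4):
        offset = BOOT_CODE_SIZE + index * PARTITION_ENTRY_SIZE
        entry = sector0[offset:offset + PARTITION_ENTRY_SIZE]
        status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", entry)
        if ptype == 0:                 # empty slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * SECTOR_BYTES,
            # True when the partition's end would not fit in a 32-bit LBA
            "exceeds_lba32": lba_start + sectors > 2 ** LBA_BITS,
        })
    return {"signature": "0x55AA", "partitions": partitions}


def build_sample_mbr() -> bytes:
    """Constructed sector 0: one bootable NTFS (type 0x07) partition at LBA 2048."""
    entry = struct.pack(
        "<B3sB3sII",
        0x80,                          # status: active/bootable
        bytes([0x01, 0x01, 0x00]),     # CHS start: cylinder 0, head 1, sector 1
        0x07,                          # partition type: NTFS/exFAT/HPFS
        bytes([0xFE, 0xFF, 0xFF]),     # CHS end: cylinder 1023, head 254, sector 63
        2048,                          # starting LBA (32-bit field)
        204800,                        # sector count (100 MiB)
    )
    table = entry + b"\x00" * (PARTITION_TABLE_SIZE - PARTITION_ENTRY_SIZE)
    return b"\x00" * BOOT_CODE_SIZE + table + b"\x55\xAA"


if __name__ == "__main__":
    for part in parse_mbr(build_sample_mbr())["partitions"]:
        print(part)
```

Because the LBA fields are 32 bits wide, an MBR disk with 512-byte sectors cannot address more than 2 TiB (MBR_MAX_BYTES); larger disks need GPT, which is why the exceeds_lba32 flag is worth checking on a suspect image.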

  • 248. 
    The General Query Log file is for:
    • A. 

      BIOS

    • B. 

      MySQL

    • C. 

      Kernel

    • D. 

      VFS

  • 249. 
    The maximum single file size in EXT3 is:
    • A. 

      2GB

    • B. 

      20TB

    • C. 

      2TB

    • D. 

      1EiB

  • 250. 
    The first file system developed for Linux in 1992 was:
    • A. 

      EXT3

    • B. 

      HFS

    • C. 

      NTFS

    • D. 

      EXT

  • 251. 
    The file system that ships with many Linux distributions is:
    • A. 

      EXT3

    • B. 

      EXT2

    • C. 

      EXT

    • D. 

      EXT44

  • 252. 
    This level of RAID does not implement even one of the standard techniques of parity, mirroring, or striping.
    • A. 

      3

    • B. 

      0

    • C. 

      2

    • D. 

      10

  • 253. 
    This was designed to replace ISO 9660 on optical media.
    • A. 

      CDFS

    • B. 

      ISO 13491

    • C. 

      UDF

    • D. 

      ISO/IEC27001

  • 254. 
    This file type is device independent.
    • A. 

      DOC

    • B. 

      PDF

    • C. 

      XLS

    • D. 

      HVX

  • 255. 
    The hex value of GIF starts with:
    • A. 

      47 49 46

    • B. 

      89 50 e4

    • C. 

      Ff d8 ff

    • D. 

      46 5f hk

  • 256. 
    This is one of the Disk Editor tools for file headers:
    • A. 

      Windows Hex Editor

    • B. 

      DiskEdit

    • C. 

      Disk Editor

    • D. 

      DFF File Retriever

  • 257. 
    All of the following are Windows file recovery tools EXCEPT:
    • A. 

      Total Recall

    • B. 

      Stellar Phoenix

    • C. 

      File Salvage

    • D. 

      Glary Undelete

  • 258. 
    Scientific testimony falls under this standard:
    • A. 

      Daubert

    • B. 

      Frye

    • C. 

      Willie

    • D. 

      00AB Standard

  • 259. 
    SMTP normally runs on this port:
    • A. 

      23

    • B. 

      110

    • C. 

      143

    • D. 

      25

  • 260. 
    POP3 is used for:
    • A. 

      Sending emails

    • B. 

      Retrieving emails

    • C. 

      Deleting emails

    • D. 

      IMAP emails only

  • 261. 
    Tools designated as software tools include all of the following EXCEPT:
    • A. 

      TULP2G

    • B. 

      Phone Image Carver

    • C. 

      Paraben's Phone Recovery Stick

    • D. 

      Scalpel

  • 262. 
    The ICCID is 89254245252001451548.  What does the 254 represent?
    • A. 

      The industry identifier

    • B. 

      The Issuer ID number

    • C. 

      The country code

    • D. 

      The account ID
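
Worked example, added here as an editor's illustration and not part of the quiz: under ITU-T E.118 an ICCID starts with the major industry identifier 89 (telecommunications), then the country code, then the issuer identifier; those three together form the issuer identification number (IIN) of at most seven digits. The remaining digits are the individual account number and the final digit is a Luhn check digit. The Python below splits the quiz's value the way the question does (89, then 254 as a three-digit country code; the country-code length is a parameter because E.164 codes are one to three digits long) and validates the check digit. The quiz's sample number does not pass the Luhn check, so a tool that validates ICCIDs would flag it as mistyped or fabricated; the constructed value ending in 0 shows what a valid check digit looks like.

```python
from typing import Dict

IIN_MAX_LEN = 7        # "89" + country code + issuer identifier, per ITU-T E.118


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check over a string of decimal digits."""
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the check digit that makes payload + digit Luhn-valid."""
    for candidate in "0123456789":
        if luhn_valid(payload + candidate):
            return candidate
    raise AssertionError("unreachable: exactly one digit always validates")


def parse_iccid(iccid: str, country_code_len: int = 3) -> Dict[str, object]:
    """Split an ICCID into its E.118 fields and report whether its check digit holds.

    country_code_len is an assumption supplied by the caller (the quiz treats 254,
    three digits, as the country code); E.164 country codes are 1 to 3 digits.
    """
    digits = iccid.replace(" ", "")
    if not digits.isdigit() or not 19 <= len(digits) <= 20:
        raise ValueError("ICCID must be 19 or 20 decimal digits")
    if digits[:2] != "89":
        raise ValueError("not a telecom ICCID: major industry identifier must be 89")
    if not 1 <= country_code_len <= 3:
        raise ValueError("country code is 1 to 3 digits")
    cc_end = 2 + country_code_len
    return {
        "mii": digits[:2],
        "country_code": digits[2:cc_end],
        "issuer_id": digits[cc_end:IIN_MAX_LEN],
        "account_id": digits[IIN_MAX_LEN:-1],
        "check_digit": digits[-1],
        "luhn_valid": luhn_valid(digits),
    }


if __name__ == "__main__":
    print(parse_iccid("89254245252001451548"))          # the quiz's value: luhn_valid False
    print(luhn_check_digit("8925424525200145154"))      # '0'
    print(parse_iccid("89254245252001451540"))          # constructed valid value
```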

  • 263. 
    The Daubert standard pertains to:
    • A. 

      Scientific testimony

    • B. 

      Expert witness testimony

    • C. 

      Admissibility of evidence

    • D. 

      Legal proceedings

  • 264. 
    When the attorney who called the witness to the stand asks the questions, this is called:
    • A. 

      Cross examination

    • B. 

      Direct examination

    • C. 

      Contempt of court

    • D. 

      E Pluribus Unum

  • 265. 
    This is the person initiating a lawsuit.
    • A. 

      Defendant

    • B. 

      Plaintiff

    • C. 

      Judge

    • D. 

      Respondent

  • 266. 
    In a deposition, the following is true:
    • A. 

      A judge is present 

    • B. 

      A jury may be present

    • C. 

      Both attorneys are present

    • D. 

      Opposing counsel is not allowed to ask questions

  • 267. 
    In Ubuntu Linux, Apache error logs are stored at:
    • A. 

      /var/log/httpd/access_log

    • B. 

      /var/log/apache2/error.log

    • C. 

      /var/log/httpd-error.log

    • D. 

      /var/log/http/apache/error_log

  • 268. 
    This SQL Server file is the primary data file, the starting point of a database.
    • A. 

      MDF

    • B. 

      LDF

    • C. 

      NDF

    • D. 

      ADF

  • 269. 
    This command can be used to take a backup of the database.
    • A. 

      Mysqldump

    • B. 

      Myisamlog

    • C. 

      Mysqlbackup

    • D. 

      Mysqlexport

  • 270. 
    This transaction log file holds the entire log information for the database.
    • A. 

      MDF

    • B. 

      LDF

    • C. 

      TDF

    • D. 

      NDF

  • 271. 
    The Windows Event Log file format (Vista and later) is:
    • A. 

      XVTX

    • B. 

      EVTX

    • C. 

      A.TXT

    • D. 

      .DOC

  • 272. 
    This is used to perform a Quick Analysis of a crash dump file.
    • A. 

      RegEdit

    • B. 

      DumpChk

    • C. 

      MBR

    • D. 

      NBC 3000

  • 273. 
    Which of the following is not a benefit of cloud computing?
    • A. 

      Scalability

    • B. 

      Elasticity

    • C. 

      Less security risk

    • D. 

      Availability

  • 274. 
    This utility can be used to change the last-access-time update setting in Windows 10.
    • A. 

      Win_10.exe

    • B. 

      Fsutil

    • C. 

      T_change

    • D. 

      Latc

  • 275. 
    An attacker has used the cloud to commit a DDoS attack against the CSP.  This is:
    • A. 

      Cloud as a subject

    • B. 

      Cloud as an object

    • C. 

      Cloud as a tool

    • D. 

      Cloud DDoS use

  • 276. 
    Jamie is analyzing malware, but not executing it on his computer.  What best describes the type of analysis he is doing?
    • A. 

      Dynamic analysis

    • B. 

      Reversal analysis

    • C. 

      Static analysis

    • D. 

      BEC analysis

  • 277. 
    The Microsoft Exchange archive data file that stores public folder hierarchies and contents is:
    • A. 

      PUB.EVTM

    • B. 

      PUB.EDB

    • C. 

      PUB.STM

    • D. 

      PRIV.EDB

  • 278. 
    What is not one of the MS Exchange archive data files?
    • A. 

      PRIV.STM

    • B. 

      PUB.EDB

    • C. 

      PRIV.EDB

    • D. 

      PUB.STM

  • 279. 
    Which is not a requirement under the CAN-SPAM act?
    • A. 

      Not using deceptive subject lines

    • B. 

      Identifying the commercial email as an ad

    • C. 

      Honoring opt-out requests within 30 days

    • D. 

      Including a valid physical postal mailing address in the email

  • 280. 
    This mobile API provides telephony services, like making calls, receiving calls, and SMS.
    • A. 

      Phone

    • B. 

      GUI

    • C. 

      OS

    • D. 

      Kernel

  • 281. 
    This Android library is used to render 2D (SGL) or 3D (OpenGL/ES) graphics to the screen.
    • A. 

      DVM

    • B. 

      FreeType

    • C. 

      Libc

    • D. 

      Open GL/ES and SGL

  • 282. 
    The IMEI is obtained with:
    • A. 

      *#06#

    • B. 

      *#06#*

    • C. 

      #06*#

    • D. 

      #06#x

  • 283. 
    A hacker sets up an AP to mimic the local Starbucks AP.  What is this?
    • A. 

      Honeypot

    • B. 

      Honeycomb

    • C. 

      Honeyspot

    • D. 

      Starbucks spot

  • 284. 
    What is not a challenge of log management?
    • A. 

      Log creation and storage

    • B. 

      Log analysis

    • C. 

      Log generation

    • D. 

      Log protection

  • 285. 
    This two- or three-digit network ID number, used together with the MCC (Mobile Country Code) printed on the SIM, identifies the SIM user's network on a mobile network.
    • A. 

      MCC2

    • B. 

      MSC

    • C. 

      MNC

    • D. 

      BTS

  • 286. 
    An investigator should use ______ imaging for copying data.
    • A. 

      MBR

    • B. 

      Bit Stream

    • C. 

      Crest Stream

    • D. 

      RegEdit

  • 287. 
    Mila wants to boot with either BIOS-MBR or UEFI-GPT.  Which Windows OS should she use?
    • A. 

      7

    • B. 

      Vista

    • C. 

      10

    • D. 

      XP

  • 288. 
    This is an abstraction layer that resides on top of a concrete file system and allows client applications to access various file systems in a uniform way.
    • A. 

      MBR

    • B. 

      VFS

    • C. 

      EXT

    • D. 

      EXT2

  • 289. 
    These are bootloaders for Linux.
    • A. 

      LILO and STITCH

    • B. 

      GRUB and HUBB

    • C. 

      LILI and GRUB

    • D. 

      LILO and GRUB

  • 290. 
    The opposing attorney, who did not call the witness to the stand, is doing this when questioning the witness:
    • A. 

      Cross-Examination

    • B. 

      Direct-Examination

    • C. 

      Daubert

    • D. 

      Frye

  • 291. 
    The CD-ROM/DVD file system standard is:
    • A. 

      NIST 99.01A

    • B. 

      NIST 99.01B

    • C. 

      ISO 9660

    • D. 

      NIST 99.001B

  • 292. 
    $Bitmap is in:
    • A. 

      LILO

    • B. 

      EXT2

    • C. 

      NTFS

    • D. 

      FAT

  • 293. 
    RAID 10 requires this number of drives to implement.
    • A. 

      5

    • B. 

      10

    • C. 

      9

    • D. 

      4

  • 294. 
    Which is a file system for Linux OS?
    • A. 

      FAT

    • B. 

      FAT32

    • C. 

      HFS

    • D. 

      CDFS

  • 295. 
    In ISO 9660, what two file systems add more descriptors to the sequence?
    • A. 

      Roneo and Juliet

    • B. 

      Joliet and UDF

    • C. 

      Joliet and Rumero

    • D. 

      UDF and TDF

  • 296. 
    PNG files start with a hex value of:
    • A. 

      89 50 4e

    • B. 

      89 50 4d

    • C. 

      54 dd 4f

    • D. 

      Df 88 df

  • 297. 
    This TSK command lists file and directory names in a disk image.
    • A. 

      Fsstat

    • B. 

      Istat

    • C. 

      Fls

    • D. 

      Img_list

  • 298. 
    Tasha arrives on the scene and notices the suspect's computer is still on. She begins the data acquisition. What best describes the type of data acquisition she is doing?
    • A. 

      Volatile memory collection

    • B. 

      Static data acquisition

    • C. 

      Live data acquisition

    • D. 

      Warrantless data acquisition

  • 299. 
    A boot performed by restarting the OS is considered:
    • A. 

      Cold boot

    • B. 

      Complete boot

    • C. 

      Warm boot

    • D. 

      Digital forensics boot process

  • 300. 
    Object Linking and Embedding is not used by:
    • A. 

      Word

    • B. 

      Excel

    • C. 

      Office products

    • D. 

      PDF

  • 301. 
    Fred needs to recover a RAID drive.  Which tool can he use?
    • A. 

      RAID23

    • B. 

      RAID64

    • C. 

      EaseUS

    • D. 

      TotalRecall

  • 302. 
    An attacker is using every possible combination of characters to crack a password.  This method is known as:
    • A. 

      Hybrid attack

    • B. 

      Abley cain attack

    • C. 

      Brute force

    • D. 

      Rainbow attack

  • 303. 
    Registry Editor
    • A. 

      Reg_1

    • B. 

      Reg 3000

    • C. 

      Registry 3000

    • D. 

      RegEdit

  • 304. 
    What is not a recovery tool for Windows?
    • A. 

      EaseUS

    • B. 

      Recover My Files

    • C. 

      File Salvage

    • D. 

      File Scavenger

  • 305. 
    Tracked user activities can be found in this file:
    • A. 

      SAM

    • B. 

      NTUSER.DAT

    • C. 

      NTUSER.ACT

    • D. 

      LoggedUsers.dll

  • 306. 
    Johnny has been caught with child porn.  This investigation would be:
    • A. 

      Criminal AND Administrative

    • B. 

      Civil

    • C. 

      Criminal

    • D. 

      Administrative

  • 307. 
    Network sniffing tools include all of the following EXCEPT:
    • A. 

      Wireshark

    • B. 

      Capsa

    • C. 

      EaseUS

    • D. 

      Windump

  • 308. 
    Poor controls around passwords and accounts in general would be considered this type of Web application threat.
    • A. 

      SQL injection

    • B. 

      Broken account management

    • C. 

      XSS

    • D. 

      CSRF

  • 309. 
    This carries out data duplication AND acquisition:
    • A. 

      File Salvage

    • B. 

      EaseUS

    • C. 

      Recuva

    • D. 

      Drivespy

  • 310. 
    ETI allows the investigator to:
    • A. 

      Take down an entire criminal organization

    • B. 

      Drop criminal charges

    • C. 

      Investigate petty criminals

    • D. 

      Treat all crime as a single criminal act

  • 311. 
    ____ launched the CFTT.
    • A. 

      ISO/IEC

    • B. 

      NIST

    • C. 

      ECC

    • D. 

      GLBA

  • 312. 
    This rule covers evidence of character and the conduct of the witness.
    • A. 

      Rule 1018

    • B. 

      Rule 608

    • C. 

      Rule 699

    • D. 

      Rule 184

  • 313. 
    Stacey wants to obtain data from social media websites.  Which tool can she NOT use for this?
    • A. 

      Netvizz

    • B. 

      Twecoll

    • C. 

      Geo360

    • D. 

      DiskDigger

  • 314. 
    Which of the following is true regarding digital evidence?
    • A. 

      Investigators should only use the original for the investigation

    • B. 

      Investigators should not worry about the integrity of evidence

    • C. 

      A duplicate copy should be made for analysis

    • D. 

      The investigator does not need a search warrant if they deem the investigation necessary

  • 315. 
    This tool can recover all types of lost files from disk or removable media.
    • A. 

      Netlytic

    • B. 

      Recuva

    • C. 

      Recova

    • D. 

      Capsa
