IP Address Of A Remote Computer Trivia Quiz

By Catherine Halcomb
1. The investigator is looking to detect something after the incident has ended.

Explanation

(Chapter 7): Investigators perform post-mortem analysis after an incident has already occurred. Real-Time analysis is used while an incident is taking place, so there can be an immediate response. Post-trial and After-action are not mentioned in the ECC text.

About This Quiz
Explore the IP address of a remote computer through this trivia quiz, focusing on digital forensics. Assess your knowledge on server email headers, UTC, anti-forensic techniques, and system integrity commands. Ideal for learners interested in cybersecurity and forensic investigation.

2. This is used to perform a Quick Analysis of a crash dump file.

Explanation

(Chapter 6): DumpChk is correct. RegEdit is the registry editor. MBR is the Master Boot Record and this is not a tool. NBC 3000 is made up.

3. Shamika is the VP of Technology at XYZ, Inc.  She suspects that her newest employee, David, may be using his work computer to look at child pornography.  What type of investigation(s) should be started?

Explanation

(Chapter 1): David is using his work computer inappropriately, which would mean an Administrative investigation should be undertaken. David is also looking at child pornography, which is a crime and requires a criminal investigation.

4. This law subsection covers child pornography.

Explanation

(Chapter 12): 18 USC §2252A covers child pornography. 1030 covers fraud and abuse using computers. 123 is made up as is 476.

5. This displays all commands stored in memory.

Explanation

(Chapter 6): The doskey history displays all commands stored in memory. Regedit is used to edit the System Registry. The memory key command and -l display are made up.

6. An internal investigation, undertaken by an organization, to determine if employees are following rules and/or policies is called:

Explanation

(Chapter 1): Administrative investigations involve an internal investigation, where the organization attempts to discover if employees are following rules/policies. Frye is the standard for scientific testimony. Criminal investigations are undertaken by law enforcement and Civil investigations are usually the result of some kind of IP theft or other non-employee related matter (though they can involve employees). The best answer here is Administrative.

7. This type of warrant is used to get records from service providers.

Explanation

(Chapter 2): The service provider search warrant allows the investigator to obtain records from the service provider, including things like billing records and subscriber information. Electronic storage device warrant is used for the actual hardware. Felony and Super warrants do not apply to service providers, with Super warrant being made up.

8. This type of attack is a combination of both a brute force attack and dictionary attack.

Explanation

(Chapter 5): A syllable attack is a combination of the brute force and dictionary attacks. The hybrid attack is based on the dictionary and brute force attacks. Rule-based is based on knowing something, like a birthday. Dictionary would not be a combination of itself and a brute force attack.

9. The $l file contains all of the following EXCEPT:

Explanation

(Chapter 5): The $I file is 544 bytes long. In Windows 7 and Vista, when a file is deleted, it is renamed $R, followed by random characters, then the file extension. At the same time, a $I file is created that contains the same random characters and the same file extension.

10. Simple, sequential, flat files of a data set are called:

Explanation

(Chapter 4): Raw format creates simple, sequential, flat files of a data set. The other formats stated are made up. MBR stands for Master Boot record, but it is not a flat file data set.

11. Johnny has been with the DEA for 17 years.  He shows up on the scene and notices the suspect's computer is turned on.  After securing the scene, Johnny should:

Explanation

(Chapter 2): An investigator should not turn off a suspect's computer. The current state of the device should be documented. EC-Council hammers this hard in its official material. If a device is on leave it on. Turning off the device can destroy volatile evidence, which is why the other answers are wrong.

12. This file system uses journaling.

Explanation

(Chapter 3): NTFS (New Technology File System) uses journaling. FAT and UFS (Unix File System) do not offer this. HXS is made up and is incorrect.

13. The zz in exhibit numbering stands for:

Explanation

(Chapter 2): The "zz" refers to the sequence number for parts of the same exhibit. The investigator's initials are shown with aaa and dd/mm/yy is the date of evidence seizure/collection.

14. The attorney that calls the witness to the stand is asking the questions. This is called:

Explanation

(Chapter 14): Direct examination occurs when the attorney that calls the witness to the stand is asking the questions. Cross-examination is when the attorney that did not call the witness to the stand is asking the questions. Deposition is not a form of asking questions of a witness. Expert testimony involves direct and cross-examination, but is not the definition described in the question.

15. In this stage of the Linux boot process, information is retrieved from the CMOS chip.

Explanation

(Chapter 3): In the BIOS stage, the BIOS retrieves information stored in the CMOS chip and performs a POST test. There is not a BEC stage. In the Bootloader stage, the kernel is loaded. In the Kernel stage, the kernel mounts the actual root file system.

16. This approach monitors a computer and user's behavior for anomalies.

Explanation

(Chapter 7): A role-based approach monitors computer and user behavior for anomalies. Route correlation extracts the attack route information to single out other attack data. Bayesian correlation uses statistics and probability to predict the next steps of an attack. Access-control based is not a real option for event correlation and is incorrect.

17. The Master Boot Record (MBR) starts at this sector.

Explanation

(Chapter 3): The MBR refers to a hard disk's first sector, also called sector zero. This specifies the location of an operating system for the system to load into the main storage. Sector 1 is incorrect, since it is not the first sector of a hard disk and the other answers are made up.

18. The attorney that called the witness to the stand is asking the questions. This would be called:

Explanation

(Chapter 14): This would be considered direct examination. Cross-Examination is when the witness is questioned by the attorney that DID NOT call them to the stand. The other answers are made up.

19. This is the person initiating a lawsuit.

Explanation

(Chapter 1): Plaintiff is correct. The defendant, as the name implies, is defending themselves from the lawsuit. They are also called the respondent. A judge could be a plaintiff in a lawsuit, but would not be known as the judge in that lawsuit, but rather as the plaintiff.

20. In a deposition, the following is true:

Explanation

(Chapter 14): A deposition differs from a trial in that both attorneys are present.

21. These are bootloaders for Linux.

Explanation

(Chapter 3): Linux Loader (LILO) and Grand Unified Bootloader (GRUB) are correct. The other answers do not contain both of the bootloaders and are therefore incorrect.

22. An investigator needs to jailbreak an iOS phone.

Explanation

(Chapter 13): RedSn0w is used to root iOS devices. One trick for your exam is anything with "root" in the name is usually for Android. That being said, the other answers in the question are made up.

23. This type of analysis is ongoing and returns simultaneously, so that attacks can be responded to immediately. 

Explanation

(Chapter 7): Real-Time analysis is correct. Postmortem analysis occurs after the incident has taken place. The other two answers are made up and are incorrect.

24. UTC stands for which of the following:

Explanation

(Chapter 6): UTC stands for Coordinated Universal Time. The other answer choices are made up.

25. Tanisha wants to recover files with their original file name.  She should use which of the following tools to accomplish this (choose the best answer)?

Explanation

(Chapter 5): Stellar Phoenix recovers files with their original file name and supports RAW recovery on lost volumes. Total Recall is used for RAID. Data Rescue 4 recovers files from accidentally re-formatted drives. Quick Recovery can recover encrypted files.

26. Misuse of a work computer generally can lead to this type of investigation.

Explanation

(Chapter 1): An employee misusing a work computer (e.g., checking Facebook when it is against company policy) generally leads to an Administrative investigation. It could also lead to Civil and Criminal investigations, but the best answer, according to the ECC text, is Administrative.

27. Object Linking and Embedding is not used by:

Explanation

(Chapter 3): OLE (Object Linking and Embedding) is not used in PDF, but is used in Microsoft Office applications, specifically Word and Excel.

28. The forensic investigator uses this command to see what sessions are open.

Explanation

(Chapter 8): The net session command can be used to verify users with open sessions and to see all open sessions.

29. This tool can be used to display details about GPT partition tables in Mac OS.

Explanation

(Chapter 3): Disk Utility displays details about GPT partition tables in Mac OS. Recover My Files is used for file recovery, not GPT partition table data. DiskDigger offers file recovery and also offers thumbnail previews. Windows Super Disk Recovery is made up and the question asks about Mac OS, so this answer is incorrect.

30. This Federal statute covers child pornography:

Explanation

(Chapter 12): 18 USC §2252A covers child pornography. §2252B covers misleading domains. The Texas Penal Code answer and §20000AB are made up answers and are incorrect.

31. This person provides legal advice about the investigation and any potential legal issues in the forensic investigation process.

Explanation

(Chapter 2): An attorney or legal adviser provides legal advice about the investigation and any potential legal issues. A photographer is helping to document evidence, the investigator is performing the actual investigation, and the Incident Responder is responding to the incident itself. With the statement of "legal advice," your focus should be on attorney.

32. How can you find scheduled and unscheduled tasks on the local host?

Explanation

(Chapter 8): schtasks.exe allows you to find scheduled and unscheduled tasks on the local host. The other commands are using made up syntax.

33. GIF has how many bits per pixel?

Explanation

(Chapter 3): GIF has 8 bits per pixel and 256 colors per frame.

34. A computer forensics lab should have windows all around the perimeter.

Explanation

(Chapter 2): A CFL should not have any windows around the perimeter. Lab work areas should also contain 50-63 square feet per workstation. This is found in Chapter 2 of the official EC-Council material.

35. This rule governs proceedings in the courts of the United States.

Explanation

(Chapter 1): Rule 101 governs proceedings in the courts of the United States. Rule 103 covers the Rulings on Evidence. Rule 493 and Rule 622 are just made up answers and are incorrect.

36. In FAT, the first letter of the deleted file name is replaced with:

Explanation

(Chapter 5): In FAT, the OS replaces the first letter of the deleted file name with E5H. The other answer choices are all made up and are incorrect.

37. Tasha is looking for the UEFI phase that involves clearing UEFI from memory.

Explanation

(Chapter 3): The runtime (RT) phase is where UEFI is cleared from memory. The SEC (security) phase is where code is initialized. BSD is not a UEFI phase, but BDS is, so this answer is incorrect. DXE (Driver Execution Environment) contains HOBL and does not involve clearing the UEFI from memory.

38. This does not use OLE.

Explanation

(Chapter 3): OLE (Object Linking and Embedding) is not used in PDF, but is used in Microsoft Office applications, specifically Word and Excel.

39. Which of the following is not a benefit of cloud computing?

Explanation

(Chapter 10): Cloud storage has a greater security risk, in most cases, since you are reliant upon the CSP (cloud service provider) to protect your data. Cloud computing DOES offer scalability, elasticity, and generally, greater availability.

40. A warrantless seizure of digital evidence is used when:

Explanation

(Chapter 2): According to the United States v. David, a warrantless seizure is used when the destruction of evidence is imminent and there is cause to believe that the item being seized constitutes evidence of criminal activity.

41. You can detect Trojans with which of the following?

Explanation

(Chapter 11): Capsa can be used to detect Trojans. Tripwire is for file integrity, Belkasoft RAM Capturer is self-explanatory, and Regshot monitors registry changes.

42. A deposition is different from a regular trial in that:

Explanation

(Chapter 14): Both attorneys are present in a deposition. The other answers are incorrect because a judge and/or jury are also present at the trial. This is found in Chapter 14 of the official EC-Council material.

43. This is an IDS:

Explanation

(Chapter 8): Snort is a popular IDS. Kismet is for wireless sniffing. Accountix Pro and Nikto 1000 are made up and are incorrect.

44. The MIME stream is found in:

Explanation

(Chapter 12): PRIV.STM is correct. PRIV.EDB contains the message headers. PUB.EDB stores public folder hierarchies. PRIB.STM is made up.

45. This extracts the data contained in an internet traffic capture:

Explanation

(Chapter 2): Xplico is a network forensics analysis tool that extracts this type of data. SysAnalyzer is for malware analysis. The other two answers are made up tools and are incorrect.

46. The first file system developed for Linux in 1992 was:

Explanation

(Chapter 3): EXT is correct. HFS is for Mac OS. NTFS is for Windows. EXT3 came after EXT.

47. Google Drive Configuration files are stored at this path:

Explanation

(Chapter 10): The other answers are made up.

48. Cisco shows this: %SEC-6-IPACCESSLOGP

Explanation

(Chapter 7): "Packet matching log criteria for the given access list has been detected (TCP or UDP)" is correct. The other answers here are incorrect. For your exam, memorize this Cisco log output.

49. This Android library is used to render 2D (SGL) or 3D (OpenGL/ES) graphics to the screen.

Explanation

(Chapter 13): OpenGL/ES and SGL is correct. DVM (Dalvik Virtual Machine) is a type of Java virtual machine responsible for power and memory management. FreeType renders bitmap and vector fonts. Libc is a C system library tuned for embedded Linux-based devices. You will likely see OpenGL/ES and SGL on the real exam.

50. Sectors are how many bytes long?

Explanation

(Chapter 3): Sectors are the smallest physical storage units on a hard disk platter and are 512 bytes long. Newer-format sectors combine 8 of the 512-byte sectors into one 4 KB sector, which is more efficient. This is in Chapter 3 of the official EC-Council material.

51. The installation of Google Drive Client Version in Windows 10 creates this (choose the best answer):

Explanation

(Chapter 10): The Sync_log.log file is created. This file contains information about the client sync session. "Problems" is wrong for obvious reasons. The other two answers are made up.

52. POP3 is used for:

Explanation

(Chapter 12): POP3 is used for retrieving emails from the email server. SMTP is used for sending emails. The other answers are not applicable.

53. An investigator should use ______ imaging for copying data.

Explanation

(Chapters 3 and 4): Bit stream is correct. MBR is the Master Boot Record. RegEdit is the registry editor. Crest stream is a made up answer.

54. Google Drive logs are:

Explanation

(Chapter 10 p858): sync_log.log is the correct answer. google_drive.log, vmos.log, and syn_log are all made up answers.

55. 18 USC p1030 covers:

Explanation

(Chapter 2): 18 USC §1030 covers fraud and related activity in connection with computers. §2252A is child pornography. Malicious mischief is covered in §1361-1362. Misleading domains are covered under §2252B.

56. How many bits per pixel does GIF contain?

Explanation

(Chapter 3): GIF contains 8 bits per pixel. The other answers are made up and are incorrect.

57. David needs a tool that contains an ISO image.  He knows that ______ offers this.

Explanation

(Chapter 5): Of the choices listed, only Active@ File Recovery offers the CD/DVD ISO image. DiskDigger offers the thumbnail previews. Recuva offers secure file deletion. EaseUS supports large hard disks.

58. UTC stands for:

Explanation

(Chapter 6): UTC stands for Coordinated Universal Time. The other choices are made up answers.

59. When a file is deleted in FAT, the first letter of the deleted filename is changed to:

Explanation

(Chapter 5): E5H is put at the front of a deleted FAT file. Memorize this as you will likely see it on your exam. The other answers are made up and are incorrect.

60. The nbtstat command can be used for:

Explanation

(Chapter 6 and Chapter 8): The best answer here is NetBIOS. NBT servers is made up. You could technically give a Linux machine a NetBIOS name by installing Samba, but this is not what the nbtstat command can be used for. Malware execution is not relevant to the nbtstat command and is also incorrect.

61. Poor controls around passwords and accounts in general would be considered this type of Web application threat.

Explanation

(Chapter 8): Broken account management would involve poor controls around passwords and accounts in general. The other attacks do not involve poor control around passwords and accounts.

62. This verifies the file system integrity of a volume, fixes logical file system errors, and is similar to the fsck command in Unix.

Explanation

(Chapter 3): CHKDSK verifies the file system integrity of a volume, fixes logical file system errors, and is similar to the fsck command in Unix. RegEdit (Registry Editor) is used to load registry hives. lsck is made up as is Disk Integrity.

63. Which of the following is true regarding digital evidence?

Explanation

(Chapter 1): An investigator should always have a duplicate copy of the digital evidence and should use the duplicate for analysis.

64. This contains the manufacturer's information:

Explanation

(Chapter 13): The ESN (Electronic Serial Number) has the manufacturer’s code. ICCID (Integrated Circuit Card Identifier) is printed on the SIM to identify the SIM internationally. EIR is made up. IMSI (International Mobile Subscriber Identity) defines the subscriber in the wireless world, including the country and mobile network that the subscriber belongs to.

65. This tool can recover all types of lost files from disk or removable media.

Explanation

(Chapters 2 and 5): Recuva can be used to recover all types of lost files from disk or removable media. Capsa is a network analyzer. Netlytic and Recova are made up.

66. For a router, the investigator should:

Explanation

(Chapter 2): The investigator should unplug the network cable from the router to prevent additional attacks. Routers do contain potential evidence, so they should not be left at the scene. Cutting the power cord with a knife is just silly and dangerous. The router password should not be on the local PC, and the investigator's focus should be to preserve evidence. The best answer (and the one ECC uses) is to unplug the network cable from the router.

67. 18 USC p 2252A covers:

Explanation

(Chapter 12): Child porn is correct. § 1030 covers Fraud and related activity in connection with computers. The other two answers are made up.

68. BigCHFIDog.com is an e-Commerce business with $500,000 in annual revenue.  Last night, for about 4 hours, their customers were unable to access the website for shopping.  What type of attack did they most likely experience?

Explanation

(Chapter 8): From the description, this is most likely a denial of service type attack. Since DDoS is the only denial of service attack listed, this is the correct answer.

69. This tool can be used to restore emails:

Explanation

(Chapter 5): Data Recovery Pro can be used to restore deleted emails and email attachments. Quick Recovery can be used to recover encrypted files and restore them. File Salvage recovers lost files in Mac OS. Total Recall can be used for RAID.

70. A report, presented orally, to a board of directors, jury, or managers would be called:

Explanation

(Chapter 14): A formal verbal report is given orally to the board, a jury, or managers.

71. These are saved in the installation folder in the user profile for Google Drive:

Explanation

(Chapter 10): Configuration files is correct. The other files are not saved in the installation folder.

72. This is a sequence of bytes, organized into blocks understandable by the system's Linker.

Explanation

(Note: not seen in the official EC-Council material, but it was reported being seen on the exam): Object file is correct. Snort is an IDS. HDTV and Object oriented database are made up.

73. POP3 runs on port:

Explanation

(Chapter 12): POP3 (Post Office Protocol) runs on port 110. SMTP is port 25. Telnet is port 23. Port 125 is also incorrect.

74. This tool restores deleted emails and email attachments:

Explanation

(Chapter 5): Data Recovery Pro specifically mentions email recovery in its use. Total Recall can be used to recover RAID drives. R-Studio and Quick Recovery are for file recovery.

75. Paco needs to open an Android phone. He should use:

Explanation

(Chapter 13): Any jailbreak tool with "Root" in it should mean Android on your exam. The other choices are all used for iOS.

76. SMTP normally runs on this port:

Explanation

(Chapter 12): SMTP (Simple Mail Transfer Protocol) normally runs on port 25. Telnet is 23. POP3 is 110. Know your most common ports for the exam. You will probably only see one or two on there.

77. Which Windows version boots in either UEFI-GPT or BIOS-MBR?

Explanation

(Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR. Windows XP, Vista, and 7 boot with BIOS-MBR.

78. Keira is an investigator with the FBI that needs to recover lost files from a USB flash drive.  Which tool can help her do this?

Explanation

(Chapter 5): Disk Digger can help recover lost files from hard drives, memory cards, and USB flash drives. R-Studio recovers data from disks. Capsa is a network analyzer that can be used to detect Trojans. Tripwire can be used for file integrity.

79. This is the starting point of a database.

Explanation

(Chapter 9): The MDF (primary data file) is the starting point of a database and points to all other files in the database.

80. Johnny has been caught with child porn.  This investigation would be:

Explanation

(Chapter 1): There is no indication that Johnny inappropriately used a work computer for this crime, so it would just be a criminal investigation. Child porn is a crime, so Civil and Administrative would not be the best choice here.

81. What does ETI stand for?

Explanation

(Chapter 1): ETI stands for Enterprise Theory of Investigation. ETI is a powerful methodology that adopts a holistic approach to criminal activity as a criminal operation and not just as a single criminal act.

82. A warrantless seizure can be used when:

Explanation

(Chapter 2): According to the United States v. David, a warrantless seizure is used when the destruction of evidence is imminent and there is cause to believe that the item being seized constitutes evidence of criminal activity. If evidence is already collected, a warrant will generally not do any good and the evidence will likely be inadmissible. If no criminal activity has occurred then there is no justification to seize evidence. Instruction of evidence is a silly answer, since you are not instructing the evidence to do anything.

83. When a FAT file is deleted, what is placed at the front?

Explanation

(Chapter 5): E5H is put at the front of a deleted FAT file. The other answers are incorrect because they do not contain the correct sequence.

84. A deleted file in the Recycle Bin is named RIYH6VR.doc. This tells us:

Explanation

(Chapter 5): We can infer that this is a document file, based on the extension of .doc. Recuva does not leave a particular file name when performing recovery. The other answers do not make sense, since we do not see Dy5, which would indicate a file deleted from the Y drive in the 6th order, and since we know this is a document file.

85. This event correlation approach monitors computer and user behavior for anomalies.

Explanation

(Chapter 7): Role-based approach is correct. Bayesian correlation uses statistics. Payload correlation compares packets with signatures (i.e., IPS/IDS). Ronald-based is made up.

86. Stacey needs to crack a Windows password.  She can use which tool to do this?

Explanation

(Chapter 5): Cain & Abel is the only password cracking tool in this list. CHS and MBR crack are made up. EaseUS is used for recovery, not passwords.

87. This requires financial institutions to protect their customers' information against security threats.

Explanation

(Chapter 7): The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect their customers' information against security threats. HIPAA is for healthcare. SOX is to protect investors from account fraud. NIST is a set of standards for security policies, standards, and best practices.

88. The Superblock in UFS has:

Explanation

(Chapter 3): Magic number is correct. The Superblock in Linux EXT2 stores information about the size and shape of EXT2. Seven triangles and non-magic number are made up.

89. Dropbox Client path:

Explanation

(Chapter 10): The other paths are made up.

90. David needs to recover lost files from a USB flash drive.  Which tool will help him?

Explanation

(Chapter 5): Disk Digger can help recover lost files from hard drives, memory cards, and USB flash drives. Data Recovery Pro recovers deleted emails/email attachments. EaseUS allows for precise searching. Partition Ranger is made up and is incorrect as well.

91. Circular, metal disks mounted into the drive enclosure are called:

Explanation

(Chapter 3): Platters are circular, metal disks that are mounted into a drive enclosure. Tracks are concentric rings on the platters. Clusters are the smallest accessible logical storage units on the hard disk. Plates is a made up answer and is incorrect.

92. In Windows Server 2012 (IIS), log files are stored at:

Explanation

(Chapter 8): Windows Server 2012 log files are stored at %SystemDrive%\inetpub\Logs\LogFiles. You should memorize this path for the CHFI exam. Two of the other answers are missing a percentage (%) sign in the path. The other path is missing inetpub, which makes it incorrect.

93. This is the standard for scientific testimony:

Explanation

(Chapter 14): Frye is the standard for scientific testimony. Daubert covers Expert Witness testimony. Know these for your exam. The other answers are made up.

94. Tools designated as software tools include all of the following EXCEPT:

Explanation

(Chapter 13): Paraben's Phone Recovery Stick is considered a hardware tool.

95. The Daubert standard pertains to:

Explanation

(Chapter 14): Daubert pertains to expert witness and Frye pertains to scientific evidence. The other answers are not applicable to testimony of witnesses.

96. This tool displays details about GPT partition tables in Mac OS:

Explanation

(Chapter 3): Disk Utility is the only selection that displays details about partition tables in Mac. VFS Rider is a made up tool. DiskDrill can recover from corrupted memory cards. File Salvage is also a Mac tool, but is used for file recovery.

97. This is the wasted area of the disk cluster, lying between the end of the file and the end of the cluster.

Explanation

(Chapter 3): Slack space is the wasted area of the disk cluster that lies between the end of the file and the end of the cluster, created when the file system allocates a full cluster to a file that is smaller than the cluster size. The other answers here are made up.

98. The attacker uses exploits to access other directories.  This is known as:

Explanation

(Chapter 8): Look for the keyword of the question, like directory in this one, on the actual exam. It will help you answer correctly. SQL injection involves injecting SQL commands via input data. Insecure storage involves a lack of control around stored data (credit card numbers). Cookie poisoning involves modifying information in cookies.

99. This RAID level uses byte-level data striping across multiple drives and distributes parity information among all member drives.

Explanation

(Chapter 3): RAID 5 uses byte-level data striping across multiple drives and distributes parity information among all member drives. RAID 1 offers mirroring. RAID 2 does not implement parity, mirroring, or striping. RAID 6 is made up.

100. The Registry Editor is also known as:

Explanation

(Chapter 6): The Registry Editor is also known as RegEdit. The other answers are made up and are incorrect.

101. A Digital Forensic Investigator investigates this type of crime (choose the best answer).

Explanation

(Chapter 1): A digital forensic investigator investigates digital crimes.

102. Nasir needs to recover lost data from a RAID. He knows that this tool will be needed:

Explanation

(Chapter 5): Total Recall is used for RAID. Comodo Programs Manager is used for dynamic malware analysis. DiskDigger offers thumbnail previews of recovered files. Advanced Disk Recovery offers the Quick and Deep scans.

103. Bob arrives on the scene of a large corporation after an attack.  His analysis of the affected devices is considered:

Explanation

(Chapter 7): This would be considered post-mortem analysis, since it is after the attack. Real-time analysis is when the incident is occurring and data is being obtained in real-time, so action can be taken. Live analysis would be similar to static analysis. Pre-mortem analysis is made up.

104. John wants to root an Apple phone.  Which tool should he use?

Explanation

(Chapter 13): RedSn0w is used to root iOS devices. One trick for your exam is anything with "root" in the name is usually for Android.

Submit
105. Tracked user activities can be found in this file:

Explanation

(Chapter 6): NTUSER.DAT is the correct answer. The SAM file contains user credential information. The other answers are made up.

Submit
106. John is a forensic investigator working on a case for a WHC hospital.  John finds a USB drive sitting behind an access control door in the server room.  The hospital provides John access to retrieve the device.  John knows that the USB represents:

Explanation

(Chapter 1): A USB is a secondary storage device that represents non-volatile data. Other forms of non-volatile data include hidden files, slack space, swap file, event logs, registry settings, and unused partitions.

Submit
107. This is used to render 2D (SGL) or 3D graphics to the screen.

Explanation

(Chapter 13): All of these are Android libraries. OpenGL/ES and SGL is the correct answer. WebKit is the browser engine used to display web pages. FreeType renders bitmap and vector fonts. Libc is a C system library tuned for embedded Linux-based devices.

Submit
108. CAN-SPAM requires senders to honor opt-out requests within:

Explanation

(Chapter 12): The CAN-SPAM act requires opt-out requests be honored within 10 business days. The other choices are incorrect because they do not meet this criteria.

Submit
109. This can do data acquisition and duplication.

Explanation

(Chapter 4): Drivespy can do data acquisition and duplication. Wireshark is for network sniffing. Capsa is a network analyzer and can detect Trojans. Xplico is a network forensics analysis tool.

Submit
110. All investigators keep track of the evidence path by using the:

Explanation

(Chapter 1 and Chapter 2): The chain of custody document is used to demonstrate the progression of evidence from the original evidence location to the forensic lab. The evidence progression and evidence path documents do not exist. Exhibit numbering is part of collecting the evidence and labeling it for use in court.

Submit
111. A small law firm suspects an incident, where there was potential criminal action, and wants to investigate themselves.  Why should they avoid doing so? (choose the best answer)

Explanation

(Chapter 2): The law firm may alter the data, so it will then be inadmissible in a criminal case.

Submit
112. All of the following are Android rooting tools EXCEPT

Explanation

(Chapter 13): RedSn0w is the exception: it is an iOS jailbreak tool, not an Android rooting tool. One trick for your exam: anything with "root" in the name is usually for Android.

Submit
113. A first responder secures the scene perimeter.  This is:

Explanation

(Chapter 2): In the pre-investigation phase, the scene perimeter is secured. The Investigation phase is when the evidence is being collected and analyzed. There is not a phase named Securing the scene.

Submit
114. David is looking for a tool that contains an ISO image, so he can burn a bootable CD. What tool is he looking for?

Explanation

(Chapter 5): Active@ File Recovery is the only answer here that contains a CD/DVD ISO image that allows you to burn a bootable CD.

Submit
115. This is part of Metasploit that can be used to hide data in the slack space of FAT and NTFS

Explanation

(Note: the only Metasploit tool mentioned in the ECC official material is Timestomp-- used to change the timestamp, mentioned in Chapter 5, but you will likely see Slacker mentioned on the exam. Welcome to ECC exams): Slacker is the tool in Metasploit that will hide data in the slack space of FAT or NTFS file systems, WaffenFS stores data in the EXT3 journal file, FragFS hides data within the NTFS Master file table, RuneFS stores data in bad blocks.

Submit
116. This mobile API provides telephony services, like making calls, receiving calls, and SMS.

Explanation

(Chapter 13): The Phone API provides telephony services, like making calls, receiving calls, and SMS. The GUI API is responsible for creating menus and submenus in designing applications. The OS API schedules multiple tasks, offers synchronization, and priority allocation. Kernel API is a made up answer.

Submit
117. This can be used to dump password hashes from the SAM file.

Explanation

(Chapter 5): PWdump7 can be used to dump password hashes from the SAM file. WinHex is a disk editor tool for file headers. MBRv6 and H_attack are made up answers and are incorrect.

Submit
118. Which command can be used to look for suspicious connections and the process ID

Explanation

(Chapter 6): netstat -ano is the command used to look for suspicious connections along with the owning process ID: -a lists all connections and listening ports, -n shows addresses and ports numerically (no reverse DNS lookups, which would slow the command and generate extra network traffic from a system under investigation), and -o adds the PID column so each connection can be matched to a process with tasklist. netgift and netrenew are made up commands and are incorrect. netstat -nan is not valid syntax for this purpose: it repeats -n and omits -o, so no process ID is shown.

Submit
119. This Tasklist command is used to run the command with the account permissions of the user specified.

Explanation

(Chapter 6): /u is correct. /s is used to specify the name or IP address of a remote computer. /v specifies that verbose task information be displayed in the output. /user_special is made up.

Submit
120. Mila wants to boot with either BIOS-MBR or UEFI-GPT.  Which Windows OS should she use?

Explanation

(Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR. (In practice the 64-bit editions of Windows Vista SP1 and Windows 7 can also boot UEFI from a GPT disk, but the ECC text, and therefore the exam, give Windows 8 and later as the answer.)

Submit
121. UTC stands for: 

Explanation

(Chapter 6) UTC stands for Coordinated Universal Time.

Submit
122. System time is an example of non-volatile data.

Explanation

(Chapter 1): System time is actually a form of volatile data that can be lost, when the system is turned off. Other volatile data includes open files, network information, logged on users, process information, process memory, clipboard contents, command history, and more.

Submit
123. ETI allows the investigator to:

Explanation

(Chapter 1): By using ETI, the investigator has a better chance of dismantling an entire criminal organization.

Submit
124. Jamie is analyzing malware, but not executing it on his computer.  What best describes the type of analysis he is doing?

Explanation

(Chapter 11): Jamie is not actually running the malware, so the best choice would be static analysis. Dynamic analysis would involve executing the malware to see its behavior. Reversal analysis and BEC analysis are made up answers.

Submit
125. This standard defines the use for file systems of CD-ROM and DVD media.

Explanation

(Chapter 3): ISO 9660 is a standard that defines the use for file systems of CD-ROM and DVD media. The other answers are made up.

Submit
126. Jv16 can be used for 

Explanation

(Chapter 11): jv16 is a registry tool. Memorize this for your exam. Virtual file system and EFI are not valid choices. jv16 is not used for malware analysis--again, remember that for your exam.

Submit
127. Rob wants to discover potential hidden information in an image file.  He would use this to see it.

Explanation

(Chapter 5): Steganalysis is the process of discovering the existence of hidden information within a covered medium (i.e.- an image file). Steganography is the practice of hiding information. The other answers are not applicable to forensics.

Submit
128. This command can be used to see the names of all open shared files and the number of file locks.

Explanation

(Chapter 6): The net file command displays the names of all open shared files and the number of file locks. netstat is a command to look for suspicious connections, but this answer shows "net stat," which is not a valid command. ls is used to list files in Linux. PsFile shows files opened remotely.

Submit
129. James enjoys this tool that offers thumbnail previews

Explanation

(Chapter 5): DiskDigger offers thumbnail previews of recovered files. None of the other options offer thumbnail previews, so they are incorrect.

Submit
130. This is the smallest physical storage unit on the hard disk platter.

Explanation

(Chapter 3): Sectors are the smallest physical storage units located on the hard disk platter. Clusters are the smallest logical storage unit. Tracks contain sectors. Platters are circular metal disks mounted into a drive enclosure.

Submit
131. RAPID IMAGE 7020 X2 is designed to copy how many "Master" hard drives?

Explanation

(Chapter 2 and Chapter 4-- both have the same information): RAPID IMAGE 7020 X2 is designed to copy 1 Master hard drive and up to 19 Target hard drives. The other answers are incorrect, based on Chapter 2 of the EC-Council material.

Submit
132. This file is found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.

Explanation

(Chapter 6): The page file is found at this location. There is not a "slack file," but rather it is the slack space (wasted area between the end of a file and cluster). Passware and handle files are made up.

Submit
133. In exhibit numbering, the zz is for:

Explanation

(Chapter 2): The "zz" refers to the sequence number for parts of the same exhibit. aaa is for the investigator's initials. The date of the seizure is in day, month, year (dd/mm/yy) format. The number of exhibits is nnnn.

Submit
134. CD-ROM/DVD standard.

Explanation

(Chapter 3): ISO 9660 is correct. The other answer choices are made up.

Submit
135. Which is not a file system?

Explanation

(Chapter 3): There is not an EVT4 file system. There is an EXT4 file system. UFS is Unix File System. HFS is for Mac OS. EXT is a Linux file system.

Submit
136. Rule 1003 covers:

Explanation

(Chapter 2): Rule 1003 covers the Admissibility of Duplicate evidence. The admissibility of original evidence is covered in 1002. Other evidence admissibility is covered under 1004. Definitions are covered under 1001.

Submit
137. An attacker is using every possible combination of characters to crack a password.  This method is known as:

Explanation

(Chapter 5): This is known as a brute force attack. Hybrid is a combination of brute force and dictionary attacks. Abley cain is not a real tool. Rainbow attacks use rainbow tables.

Submit
138. This is the Amendment that protects again unlawful search and seizure.

Explanation

(Chapter 1): The 4th Amendment protects against unlawful search and seizure by government officials. The 1st Amendment covers free speech. The 2nd Amendment covers the right to bear arms. The 13th Amendment abolished slavery.

Submit
139. This can be used for Last access time change in Windows 10.

Explanation

(Chapter 6): fsutil is the correct answer. The other provided answers are made up.

Submit
140. Phil is a digital forensic investigator that needs to obtain information from a suspect's service provider about billing records and subscriber information.  What type of warrant would Phil need to obtain in this case?

Explanation

(Chapter 2): The service provider search warrant allows the investigator to obtain records from the service provider, including things like billing records and subscriber information. An electronic storage device warrant is for the suspect's hardware. A felony warrant is too broad and would cover non-digital crimes as well. Likewise, a search warrant is too broad. The best answer is the Service Provider search warrant.

Submit
141. The FBI is investigating Sally for hacking her school's network.  What type of warrant should they obtain in order to search and seize Sally's personal laptop?

Explanation

(Chapter 2): The electronic storage device warrant is used to search and seize hardware. Felony warrant is too broad and also covers non-Digital crime. A Federal warrant is not relevant, since there can be many kinds issued. Powerless warrant is a made up answer and not correct.

Submit
142. Stacey wants to obtain data from social media websites.  Which tool can she NOT use for this?

Explanation

(Chapter 2): Disk Digger is not a tool used for obtaining data from social media websites.

Submit
143. Jv16 tool is used for

Explanation

(Chapter 11): jv16 is a registry tool. It is not used for malware analysis or reversing, and also is not used to make bit copies. Remember that it is not used for malware for your CHFI exam.

Submit
144. What is not one of the MS Exchange archive data files?

Explanation

(Chapter 12): PUB.STM is incorrect. The other three choices ARE the MS Exchange archive data files.

Submit
145. Jonathan is an investigator, but he is not the first one on the scene.  He wants to show the path of evidence collected from the scene to the forensic lab.  What should he use?

Explanation

(Chapter 1 and Chapter 2): The chain of custody document is used to demonstrate the progression of evidence from the original evidence location to the forensic lab. Exhibit numbering is for marking evidence. Criminal report and Daubert standard report are made up answers.

Submit
146. Intel is to EFI as PowerPC is to:

Explanation

(Chapter 3): On PowerPC-based Mac computers, Open Firmware initializes the rest of the hardware interfaces. On Intel-based Mac computers, EFI performs this same function. VFS is for virtual file system. CSH and CDD are made up.

Submit
147. Used for registry and not malware installation file analysis.

Explanation

(Chapter 11): jv16 is correct. SysAnalyzer IS USED for malware analysis and looks at the installation files. The other two answers are image file types.

Submit
148. This tool is used to open registry hives

Explanation

(Chapter 5): Registry Editor is used to open registry hives (hives start with HKEY..). The other answers are made up and are incorrect.

Submit
149. This tool can be used to restore emails.

Explanation

(Chapter 5): Data Recovery Pro can be used to restore emails. EaseUS offers precise searching. File Salvage is used to recover file in Mac. FSSTAT is made up.

Submit
150. These determine the sector addressing for individual sectors on a disk.

Explanation

(Chapter 3): Cylinders, Heads, and Sectors (CHS) determine the sector addressing for individual sectors on a disk. The other answers are incorrect, since they do not contain all three of these. This is covered in Chapter 3 of the official EC-Council material.
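Added example, not part of the quiz or the ECC material: Python that converts between CHS tuples and LBA sector numbers and decodes the packed 3-byte CHS fields found in an MBR partition entry. It assumes the conventional 255 heads per cylinder and 63 sectors per track used for LBA-assisted translation, and 512-byte sectors; the sample partition entry bytes are constructed.

```python
"""Cylinder/Head/Sector (CHS) addressing <-> Logical Block Address (LBA)."""

HEADS_PER_CYL = 255     # assumed geometry: classic LBA-assisted translation values
SECTORS_PER_TRACK = 63
SECTOR_SIZE = 512


def chs_to_lba(cyl, head, sector, hpc=HEADS_PER_CYL, spt=SECTORS_PER_TRACK):
    """Sectors are numbered from 1, cylinders and heads from 0."""
    if not 0 <= head < hpc or not 1 <= sector <= spt:
        raise ValueError("head or sector outside the assumed geometry")
    return (cyl * hpc + head) * spt + (sector - 1)


def lba_to_chs(lba, hpc=HEADS_PER_CYL, spt=SECTORS_PER_TRACK):
    """Inverse of chs_to_lba for the same geometry."""
    cyl, rem = divmod(lba, hpc * spt)
    head, sec0 = divmod(rem, spt)
    return cyl, head, sec0 + 1


def lba_to_offset(lba, sector_size=SECTOR_SIZE):
    """Byte offset in a raw image where a sector starts (for dd or a hex editor)."""
    return lba * sector_size


def decode_mbr_chs(field):
    """Unpack the 3-byte CHS field of an MBR partition entry.

    byte 0: head; byte 1: sector in bits 0-5 and cylinder bits 8-9 in bits 6-7;
    byte 2: cylinder bits 0-7.
    """
    if len(field) != 3:
        raise ValueError("MBR CHS field is exactly 3 bytes")
    head = field[0]
    sector = field[1] & 0x3F
    cyl = ((field[1] & 0xC0) << 2) | field[2]
    return cyl, head, sector


def encode_mbr_chs(cyl, head, sector):
    """Inverse of decode_mbr_chs; values beyond the 10/8/6-bit fields are
    clamped to 1023/254/63, which is what BIOSes and partitioning tools write."""
    cyl, head, sector = min(cyl, 1023), min(head, 254), min(sector, 63)
    return bytes([head, (sector & 0x3F) | ((cyl >> 2) & 0xC0), cyl & 0xFF])


if __name__ == "__main__":
    # Constructed example: the CHS start field of a typical first partition.
    start = decode_mbr_chs(bytes([0x20, 0x21, 0x00]))
    print("CHS", start, "-> LBA", chs_to_lba(*start))          # LBA 2048
    print("byte offset:", lba_to_offset(chs_to_lba(*start)))   # 1048576
    print("last CHS-addressable sector -> LBA", chs_to_lba(1023, 254, 63))
```

The last line shows why CHS matters forensically: 1023/254/63 maps to LBA 16450559, so a CHS field can only describe the first 8 GB of a disk, and partition entries beyond that carry the clamped FE FF FF value and must be read from the 32-bit LBA fields instead.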

Submit
151. Opposing attorney, that did not call the witness to the stand, is doing this:

Explanation

(Chapter 14): Cross-Examination is correct. Direct-Examination is when the attorney that called the witness to the stand is doing the questioning. Daubert is the standard on Expert Witness testimony and Frye is the standard on Scientific testimony.

Submit
152. This is a tool used for monitoring log files, produced by UNIX syslog facility.

Explanation

(Chapter 7): Swatch is correct. Logcheck allows system Admins to view log files, which are produced by hosts under their control. RegEdit is the registry editor for Windows. Watch is a made up answer.

Submit
153. The img_stat command:

Explanation

(Chapter 3): The img_stat of TSK (The Sleuth Kit) displays details of an image file. General details of a file system are displayed with the fsstat command. istat displays metadata. fls lists file and directory names in a disk image.

Submit
154. This can be used to detect Trojans.

Explanation

(Chapter 11): Capsa is correct. Recuva is for data/file recovery. The other two answers are made up.

Submit
155. Which of the following is a starting hex value of an image file:

Explanation

(Chapter 3): ff d8 ff is the starting hex value of JPEG files. The other choices are made up answers.

Submit
156. This contains the configuration information related to the user currently logged on (i.e.- wallpaper, display settings, etc...)

Explanation

(Chapter 6): HKEY_CURRENT_USER is correct. HKEY_LOCAL_MACHINE contains most of the configuration information for installed software, which includes type, installed cards, memory type, startup control parameters, and device drivers. The other answers are made up.

Submit
157. The insider threat caused a lot of chaos.  Sally, the digital forensic investigator, needs a tool that can repair and recover disk bad sectors.  Which tool should she use?

Explanation

(Chapter 5): Quick Recovery can recover and repair disk bad sectors. jv16 is a registry tool. SysAnalyzer is a malware analysis tool. Total recall is used for RAID.

Submit
158. In FHS, essential user command binaries are in this.

Explanation

(Chapter 3): /bin is correct. The other answers are all incorrect, since they contain a backwards slash and not a forward slash.

Submit
159. Sara is investigating an incident and needs to display information about all logged in sessions on a local Windows computer.  Which command should she use?

Explanation

(Chapter 8): net session is used to display information about logged in sessions. net view is used to review file shares and ensure their purpose. net use is used to see if sessions have been opened with other systems. net log is a made up command.

Submit
160. You can use this to see the last access time change for win10

Explanation

(Chapter 6): fsutil can be used to see the last access time change for Windows 10. reg.exe is the Windows console registry tool. WMIC stands for Windows Management Instrumentation Command-line; "wmic service" is not valid. devcon (devcon.exe) is a command used in Windows to see details about connected devices.

Submit
161. You can view DBX files in:

Explanation

(Chapter 12): DBX files are viewed with Microsoft Outlook Express. Adobe Acrobat Reader is PDF. Thundercats was a cartoon in the 1980's. Thunderbird does not open DBX files.

Submit
162. Lenny needs to reset an Administrator password in order to access a device during an investigation.  He knows that this tool can be used (choose the BEST answer).

Explanation

(Chapter 5): While Cain & Abel can be used to crack passwords, the best option here is to use Active@ Password changer. DiskDrill is used for file recovery. Stego77 is made up.

Submit
163. Show active network connections with this:

Explanation

(Chapter 6): netstat is correct. nbtstat is for NetBIOS. Tripwire is for file integrity. 503 connector is made up.

Submit
164. This requires Federal agencies to develop, document, and implement information security programs.

Explanation

(Chapter 7): The Federal Information Security Management Act (FISMA) requires Federal agencies to develop, document, and implement information security programs. HIPAA is for healthcare. GLBA requires financial institutions to protect their customers' information against security threats. SOX is to protect investors from fraudulent accounting.

Submit
165. This has journaling:

Explanation

(Chapter 3): NTFS is the only answer here that offers journaling. EXT3 (and EXT4) offer journaling; the original EXT does not. FAT and FAT32 also do not offer journaling.

Submit
166. Julie wants to use an open-source format.  What should she choose?

Explanation

(Chapter 4): AFF (Advanced Forensics Format) is an open source format. Encase is a forensics tool. AutoBahn 2.9 sounds cool, but it is made up. Likewise, TFF is made up.

Submit
167. Sally is an investigator working for Diamond Corp.  She needs to restore lost emails and their attachments.  Which tool should she use (choose the best answer)?

Explanation

(Chapter 5): Data Recovery Pro can be used to restore emails and email attachments. File Salvage recovers lost files in Mac OS. DiskDigger recovers lost files and offers thumbnail previews. Data Rescue 4 is for file recovery in Mac and Windows.

Submit
168. In Windows 7, deleted files are named $Ry.ext, where the y stands for the:

Explanation

(Chapter 5): The "y" stands for the sequence number. The driver number is in Windows 98 and earlier (Dxy.ext). The other two answers are made up.

Submit
169. Internal server error is error code:

Explanation

(Chapter 8): Code 500 is the answer. 502 is Bad Gateway. 503 is Service Unavailable. 648 is made up.

Submit
170. Sara is an Assistant U.S. Attorney.  She knows that this rule covers the general admissibility of relevant evidence.

Explanation

(Chapter 2): Rule 402 covers the general admissibility of relevant evidence. Rule 701 covers opinion testimony by a lay witness. Rule 804 is related to hearsay. Rule 502 covers attorney-client privilege.

Submit
171. A boot from restarting the OS is considered:

Explanation

(Chapter 3): A warm boot is the restart of the computer. You will likely see an exam question about this.

Submit
172. All of the following are Registry tools EXCEPT:

Explanation

(Chapter 11): jv16 is a registry tool, not jv22. RegRipper and ProDiscover are also registry tools. Others include Process Monitor, RegScanner, RegEdit, and Registry Viewer.

Submit
173. This saves data about programs, so programs load faster at boot:

Explanation

(Chapter 6 and Chapter 10): The Prefetch folder is correct. Recuva is for data recovery. regEdit is the registry editor. PasswareKit 47 is made up. There is a Passware Kit 4, which is used for password cracking.

Submit
174. Roberta suspects the company's network has been compromised.  How can she look for unusual network services running?

Explanation

(chapter 8): net start allows you to look for unusual network services that are running. The other answers are made up commands and are incorrect.

Submit
175. David has been called to the stand to offer scientific testimony.  This is an example of:

Explanation

(Chapter 14): This is an example of the Frye standard, which covers scientific testimony. Daubert is for Expert Witness testimony. Robert and Pierre are made up.

Submit
176. Tools involved in Hashing include all of the following EXCEPT:

Explanation

(Chapter 2): SuperHasher is made up and is not a tool involved in hashing. HashCalc, MD5 Calculator, and HashMyFiles are all used for hashing and are mentioned in Chapter 2 of the official ECC material.
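Added example, not part of the quiz or the ECC material: what those tools do under the hood, in Python with only the standard library. It computes MD5, SHA-1 and SHA-256 for a file in a single pass, records them as the values that go on the chain-of-custody form, and re-verifies them after the file is touched; the evidence file is constructed in a temporary directory so the script runs anywhere.

```python
"""Hash an evidence file for the chain of custody and verify it later."""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digests of an in-memory blob (handy for small artifacts and test vectors)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Read the file once and feed every chunk to all requested digests."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify(path, recorded):
    """Compare current digests with the recorded ones, per algorithm."""
    current = hash_file(path, tuple(recorded))
    return {name: current[name] == value for name, value in recorded.items()}


def custody_demo():
    """Constructed scenario: record hashes, then show a one-byte change is caught."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "evidence.bin")
        with open(evidence, "wb") as fh:
            fh.write(b"constructed evidence content\n" * 1000)
        recorded = hash_file(evidence)          # values written to the custody form
        intact = all(verify(evidence, recorded).values())
        with open(evidence, "r+b") as fh:       # flip one byte: tamper or accident
            fh.seek(5)
            fh.write(b"X")
        still_intact = all(verify(evidence, recorded).values())
        return intact, still_intact


if __name__ == "__main__":
    print("before/after tamper:", custody_demo())   # (True, False)
```

Recording more than one algorithm is deliberate: MD5 is still what many older tools and court records use, while SHA-256 is what a collision-aware opposing expert will ask for, and computing both in one pass costs nothing extra in disk reads.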

Submit
177. Data rescue 4 is:

Explanation

(Chapter 5): Data Rescue 4 is a file recovery tool used in Mac OS. The Windows answer is incorrect, since it is a Mac tool. A tool to sanitize digital media is incorrect, since this tool is used for recovery. The answer about a new movie coming out is incorrect and silly.

Submit
178. Windows Event Log text file output format is:

Explanation

(Chapter 9): EVTX is the correct format: it is the Windows Event Log file format since Windows Vista (the older format used the .evt extension). Despite the question's wording, EVTX files are a binary XML format rather than plain text, and are read with Event Viewer, wevtutil or a dedicated parser, not a text editor. .DOC is a document file format. The other options are made up answers.

Submit
179. Which one do you like?

Explanation

The explanation for the given correct answer, Option 1, is not available as the question does not provide any context or criteria for selecting a preference.

Submit
180. Which wondows version can use uefi-gpt or bios-mbr

Explanation

(Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR. Windows XP, Vista, and 7 boot with BIOS-MBR according to the ECC text (in practice the 64-bit editions of Vista SP1 and 7 can also boot UEFI from a GPT disk, but Windows 8 and later is the exam answer).

Submit
181. Richard wants to look for unusual network services.  What command should he use?

Explanation

(Chapter 8): The net start command can be used to look for unusual network services. nbtstat is for NetBIOS. net view is to review file shares and ensure their purpose. "netstat" would be used in combination with -na to see if TCP/UDP ports have unusual listening; however, the answer here is listed as "net stat," which is not proper syntax for this command.

Submit
182. The max single file size in EXT3 is 

Explanation

(Chapter 3): The question asks for the max single file size, not the max file system size. Pay attention to the verbiage in questions on the actual exam. Both limits depend on the block size chosen when the file system was created: with the default 4 KiB blocks, ext3 allows a single file of up to 2 TiB and a file system of up to 16 TiB; with 1 KiB blocks the figures drop to 16 GiB and 2 TiB respectively.

Submit
183. Which of the following is known for providing quick and deep scanning?

Explanation

(Chapter 2 and Chapter 5): Advanced Disk recovery offers two scans; quick and deep scanning. Recover My Files offers the ability to preview data-on-the-fly. EaseUS supports large hard disks. EaseUK is made up and is incorrect.

Submit
184. Jamie needs a tool that can recover files with their original file name

Explanation

(Chapter 5): The correct answer is Stellar Phoenix. SysAnalyzer is used for malware analysis. Total Recall is used for RAID. DiskDigger offers the thumbnail previews.

Submit
185. The IMEI is obtained with:

Explanation

(Chapter 13): The correct command is *#06# . The other answer choices are made up.

Submit
186. This command can be used to obtain details about partitions.

Explanation

(Chapter 3): Get-PartitionTable provides details about partitions. Get-GPT parses the GUID Partition Table itself rather than being "used for partitioning"; both cmdlets come from the PowerForensics PowerShell module (newer releases rename them Get-ForensicPartitionTable and Get-ForensicGuidPartitionTable). The other two commands are made up and are incorrect.

Submit
187. This tool can be used to recover lost data from RAID and hard drives:

Explanation

(Chapter 5): Total Recall can be used for RAID. Memorize this for your exam. File Salvage is a Mac OS file recovery tool. DiskDigger offers thumbnail previews of recovered files. EaseUS supports large hard drives.

Submit
188. $Bitmap is in:

Explanation

(Chapter 3): NTFS is correct. LILO is one of the Linux bootloaders. EXT2 is a Linux file system. FAT and also FAT32 would not be correct, since NTFS contains $Bitmap, which is used to keep track of used and unused clusters.

Submit
189. In ISO 9660, what two file systems add more descriptors to the sequence?

Explanation

(Chapter 3): Joliet and UDF are the correct answers. None of the other answers contain both of these. You will likely see a question about this on the real exam.

Submit
190. William needs a tool that can allow him to specify a specific file type for precise search results.  What tool is this?

Explanation

(Chapter 2 and Chapter 5): EaseUS offers the ability to obtain precise search results on files. Undelete Plus recovers files emptied from the Recycle Bin. R-Studio can be used for heavily damaged file systems. File Salvage is a Mac OS tool to recover files.

Submit
191. A hacker commits a DDoS attack against a specific IP address of a company's Web server. This is considered what type of attack?

Explanation

(Chapter 7 and 8): The attack is against a specific IP address and is not exploiting an application vulnerability (notice it shows Web application attack in the other answer), so it would fall under the realm of a network attack. The DDoS attack may also be affecting an IDS, but that is not the true target of the attack described. It could be an APT (Advanced Persistent Threat) group performing the attack, but it could also just be a simple teenager.

Submit
192. What file type is this? FF D8 FF E1

Explanation

(Chapter 3): The FF D8 FF is the hex format for JPEG files. BMP starts with 42 4d. GIF starts with 47 49 46. PNG starts with 89 50 4e.
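Added example, not part of the quiz or the ECC material: a small Python signature checker built on these headers. It identifies a file's real type from its first bytes, flags a name whose extension disagrees with the content (a cheap and common anti-forensic trick), and, for JPEGs, reads the fourth byte to tell a JFIF file (FF D8 FF E0, APP0 marker) from an Exif file (FF D8 FF E1, APP1 marker). The sample byte strings are constructed headers, not real files.

```python
"""Identify files by magic bytes instead of trusting their extensions."""

# (signature, type); longer signatures are listed before shorter prefixes.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),   # 89 50 4E 47 0D 0A 1A 0A
    (b"GIF87a", "gif"),              # 47 49 46 38 37 61
    (b"GIF89a", "gif"),              # 47 49 46 38 39 61
    (b"%PDF-", "pdf"),               # 25 50 44 46 2D
    (b"PK\x03\x04", "zip"),          # also docx/xlsx/apk containers
    (b"\xff\xd8\xff", "jpg"),        # FF D8 FF
    (b"BM", "bmp"),                  # 42 4D
]

# Extensions considered consistent with each detected type.
EXTENSIONS = {
    "png": {"png"}, "gif": {"gif"}, "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "apk", "jar"},
    "jpg": {"jpg", "jpeg"}, "bmp": {"bmp"},
}

# Marker that follows the JPEG SOI (FF D8); the 4th byte of the file.
JPEG_MARKERS = {0xE0: "APP0 (JFIF)", 0xE1: "APP1 (Exif)", 0xE2: "APP2", 0xDB: "DQT"}


def identify(data):
    """Return the type name for the header bytes, or None if unknown."""
    for sig, kind in SIGNATURES:
        if data.startswith(sig):
            return kind
    return None


def jpeg_first_segment(data):
    """Name of the first marker segment in a JPEG, e.g. 'APP1 (Exif)'."""
    if identify(data) != "jpg" or len(data) < 4:
        return None
    return JPEG_MARKERS.get(data[3], f"marker 0x{data[3]:02X}")


def extension_mismatch(filename, data):
    """True when the content type is known and the extension does not fit it."""
    kind = identify(data)
    if kind is None:
        return False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXTENSIONS[kind]


def triage_files(files):
    """files: {name: header bytes}. Returns (name, detected_type) for mismatches."""
    return [(name, identify(data)) for name, data in files.items()
            if extension_mismatch(name, data)]


# Constructed sample headers (first bytes only).
SAMPLE_FILES = {
    "photo.jpg":   b"\xff\xd8\xff\xe1\x00\x18Exif\x00\x00",
    "scan.jpeg":   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "notes.txt":   b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",   # image hidden as text
    "report.docx": b"PK\x03\x04\x14\x00",
    "budget.xls":  b"%PDF-1.7\n",                             # PDF renamed to .xls
    "readme.md":   b"# plain text",                           # unknown type: ignored
}

if __name__ == "__main__":
    for name, kind in triage_files(SAMPLE_FILES):
        print(f"{name}: extension does not match content ({kind})")
    print(jpeg_first_segment(SAMPLE_FILES["photo.jpg"]))     # APP1 (Exif)
```

Order matters in the signature table: "BM" is only two bytes, so it is checked last to avoid claiming files that merely begin with those letters; a production checker would also confirm the BMP header's size field.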

Submit
193. ____ launched the CFTT.

Explanation

(Chapter 2): NIST launched the Computer Forensic Tool Testing Project (CFTT). ISO/IEC is a separate standards body. GLBA is the Gramm-Leach Bliley Act. ECC stands for EC-Council.

Submit
194. This is a network sniffer that can support several hundred network protocols.

Explanation

(Chapter 7): Capsa is a network sniffer that supports over 300 network protocols, which can also be used to detect Trojans. Cain & Abel is a password cracker. Snort is an IDS. Recuva is for recovering lost files.

Submit
195. The first __ bits of the ESN is the manufacturer's code

Explanation

(Chapter 13): The first 8 bits of the ESN is the manufacturer’s code. The other answers are made up and are incorrect.
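Added example, not part of the quiz or the ECC material: Python that splits a 32-bit ESN into its 8-bit manufacturer code and 24-bit serial, and splits a 15-digit IMEI into its 8-digit TAC (Type Allocation Code), 6-digit serial and Luhn check digit, validating the check digit so a mistyped or fabricated identifier is caught before it goes into a report. The identifiers used are constructed test values, not real devices.

```python
"""Decode and sanity-check mobile device identifiers (ESN, IMEI)."""


def parse_esn(esn_hex):
    """32-bit ESN: high 8 bits = manufacturer code, low 24 bits = serial number."""
    value = int(esn_hex, 16)
    if value < 0 or value > 0xFFFFFFFF:
        raise ValueError("ESN must fit in 32 bits")
    manufacturer, serial = value >> 24, value & 0xFFFFFF
    return {
        "manufacturer_code": manufacturer,
        "serial": serial,
        "hex": f"{value:08X}",
        # 11-digit decimal form: 3-digit manufacturer code + 8-digit serial
        "decimal": f"{manufacturer:03d}{serial:08d}",
    }


def luhn_valid(digits):
    """Luhn checksum over a digit string (the IMEI check digit uses it)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_imei(imei):
    """15-digit IMEI: 8-digit TAC, 6-digit serial, 1 Luhn check digit."""
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        raise ValueError("IMEI must have 15 digits")
    return {
        "tac": digits[:8],
        "serial": digits[8:14],
        "check_digit": digits[14],
        "check_ok": luhn_valid(digits),
    }


if __name__ == "__main__":
    print(parse_esn("8A123456"))                       # manufacturer 138, serial 1193046
    print(parse_imei("49-015420-323751-8"))            # check_ok True
    print(parse_imei("490154203237519")["check_ok"])   # False: last digit changed
```

The TAC is what ties the IMEI back to a make and model, so a check-digit failure usually means a transcription error in the notes rather than a tampered device, but either way it should be resolved against the value shown by *#06# or printed under the battery before the identifier is relied on.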

Submit
196. This is a tool for Mac OS

Explanation

(Chapter 3): Disk Utility is a tool used in Mac OS to get details about GPT partition tables. Recover My Files is for Windows. Windows Defender is an anti-malware program. File Ravage is made up and is incorrect.

Submit
197. In Windows 98 and earlier, deleted files are named in Dxy.ext format.  What does the x stand for?

Explanation

(Chapter 5): In the Dxy.ext format, the x stands for the drive. For example, the first document file deleted from the C: drive would be Dc0.doc . The sequence number is "y" and the original extension is the "ext" option, both being incorrect for the question asked. The original file name is not included in Dxy.ext, so this answer is also incorrect.
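Added example, not part of the quiz or the ECC material: Python that decodes both naming schemes (Dxy.ext from Windows 98 and earlier, $Ry.ext and $Iy.ext from Vista onward) and parses the $I metadata record that Vista and later keep beside each $R file, which holds the original path, the size and the deletion time as a 64-bit FILETIME. The $I layout used is the documented one (version 1 on Vista/7 with a fixed 520-byte path field, version 2 on Windows 10 with a length-prefixed path); the records are built in the script from constructed values, not taken from a real Recycle Bin.

```python
"""Decode Recycle Bin file names and $I metadata records."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample values used by the demo and the tests.
SAMPLE_PATH = r"C:\Users\sally\Documents\report.doc"
SAMPLE_DELETED_AT = datetime(2024, 10, 25, 12, 0, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; result is a UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_recycle_name(name):
    """Windows 98: D<x><y>.ext (x = drive letter, y = sequence number).
    Vista and later: $R<y>.ext holds the content, $I<y>.ext the metadata."""
    stem, _, ext = name.rpartition(".") if "." in name else (name, "", "")
    if name[:2] in ("$R", "$I") and len(stem) > 2:
        return {"format": "vista+", "role": "content" if name[1] == "R" else "metadata",
                "id": stem[2:], "ext": ext}
    if len(stem) > 2 and name[0] == "D" and name[1].isalpha() and stem[2:].isdigit():
        return {"format": "win98", "drive": name[1].upper(),
                "sequence": int(stem[2:]), "ext": ext}
    raise ValueError(f"not a Recycle Bin name: {name}")


def build_i_record(original_path, size, deleted_at, version=2):
    """Create a $I record (used here only to produce constructed test data)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:                       # Vista/7: fixed 260 UTF-16 characters
        return header + original_path.encode("utf-16-le").ljust(520, b"\x00")
    if version == 2:                       # Windows 10: length-prefixed path
        path = (original_path + "\x00").encode("utf-16-le")
        return header + struct.pack("<I", len(original_path) + 1) + path
    raise ValueError("unknown $I version")


def parse_i_record(data):
    """Read version, original size, deletion time (UTC) and original path."""
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(filetime),
            "original_path": raw.decode("utf-16-le").rstrip("\x00")}


if __name__ == "__main__":
    print(parse_recycle_name("$RIYH6VR.doc"))   # vista+, content, id IYH6VR
    print(parse_recycle_name("Dc0.doc"))        # win98, drive C, sequence 0
    record = build_i_record(SAMPLE_PATH, 12345, SAMPLE_DELETED_AT)
    print(parse_i_record(record))
```

The deletion timestamp comes out in UTC because that is how FILETIME is stored; convert to the suspect machine's local zone only when writing the timeline, and say which zone you used.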

Submit
198. Jason is an investigator with over 10 years of experience.  He needs to find a tool that will help him recover a RAID drive.  Which tool can help him?

Explanation

(Chapter 5): Total Recall can be used to recover RAID drives. DiskDigger is used to recover files and offers thumbnail previews. Quick Recovery can recover password-protected files. The other answer is made up and is incorrect.

Submit
199. Sara wants to perform a deep scan that scans the entire system.  She should use:

Explanation

(Chapter 2 and Chapter 5): Advanced Disk Recovery can be used to perform a deep scan of the entire system. Total Recall is used for RAID. DiskDigger is used for recovery and offers thumbnail previews. Recover My Files does not offer a quick and deep scan.

Submit
200. HFS+ uses:

Explanation

(Chapter 3): HFS+ (Mac OS) uses a b-tree structure to store data. Windows OS is wrong, since HFS+ is for Mac OS. UEFI and MBR partitions are also incorrect.

Submit
Quiz Review Timeline (Updated): Oct 25, 2024 +

  • Oct 25, 2024: quiz edited by ProProfs Editorial Team (current version)
  • Feb 20, 2019: quiz created by Catherine Halcomb
Cancel
  • All
    All (200)
  • Unanswered
    Unanswered ()
  • Answered
    Answered ()
The investigator is looking to detect something after the incident has...
This is used to perform a Quick Analysis of a crash dump file.
Shamika is the VP of Technology at XYZ, Inc.  She suspects that...
This law subsection covers child pornography.
This displays all commands stored in memory.
An internal investigation, undertaken by an organization,  to...
This type of warrant is used to get records from service providers.
This type of attack is a combination of both a brute force attack and...
The $l file contains all of the following EXCEPT:
Simple, sequential, flat files of a data set is called:
Johnny has been with the DEA for 17 years.  He shows up on the...
This file system uses journaling.
The zz in exhibit numbering stands for:
The attorney that calls the witness to the stand is asking the...
In this stage of the Linux boot process, information is retrieved from...
This approach monitors a computer and user's behavior for...
The Master Boot Record (MBR) starts at this sector.
The attorney that called the witness to the stand is asking the...
This is the person initiating a lawsuit.
In a deposition, the following is true:
These are bootloaders for Linux.
An investigator needs to jailbreak an iOS phone.
This type of analysis is ongoing and returns simultaneously, so that...
UTC stands for which of the following:
Tanisha wants to recover files with their original file name....
Misuse of a work computer generally can lead to this type of...
Object Linking and Embedding is not used by:
The forensic investigator uses this command to see what sessions are...
This tool can be used to display details about GPT partition tables in...
This Federal statute covers child pornography
This person provides legal advice about the investigation and any...
How can you find scheduled and unscheduled tasks on the local host?
GIF has how many bits per pixel
A computer forensics lab should have windows all around the perimeter.
This rule governs proceedings in the courts of the United States.
In FAT, the first letter of the deleted file name is replaced with:
Tasha is looking for the UEFI phase that involves clearing UEFI from...
This does not use OLE.
Which of the following is not a benefit of cloud computing?
A warrantless seizure of digital evidence is used when:
You can detect Trojans with which of the following?
A deposition is different from a regular trial in that:
This is an IDS:
MIME stream is found:
This extracts data contained from an internet traffic capture
The first file system developed for Linux in 1992 was:
Google Drive Configuration files are stored at this path:
Cisco shows this: %SEC-6-IPACCESSLOGP
This Android library is used to render 2D (SGL) or 3D (OpenGL/ES)...
Sectors are how many bytes long.
The installation of Google Drive Client Version in Windows 10 creates...
POP3 is used for:
An investigator should use ______ imaging for copying data.
Google Drive logs are:
18 USC p1030 covers:
How many bits per pixel does GIF contain?
David needs a tool that contains an ISO image.  He knows that...
UTC stands for:
When a file is deleted in FAT, the first letter of the deleted...
The nbtstat command can be used for:
Poor controls around passwords and accounts in general would be...
This verifies the file system integrity of a volume, fixes logical...
Which of the following is true regarding digital evidence?
This contains the manufacturer's information
This tool can recover all types of lost files from disk or removable...
For a router, the investigator should:
18 USC § 2252A covers
BigCHFIDog.com is an e-Commerce business with $500,000 in annual...
This tool can be used to restore emails
A report, presented orally, to a board of directors, jury, or managers...
These are saved in the installation folder in the user profile for...
This is a sequence of bytes, organized into blocks understandable by...
POP3 runs on port:
This tool restores deleted emails and email attachments
Paco needs to open an Android phone. He should use:
SMTP normally runs on this port:
Which Windows version boots in either UEFI-GPT or BIOS-MBR?
Keira is an investigator with the FBI that needs to recover lost files...
This is the starting point of a database.
Johnny has been caught with child porn.  This investigation would...
What does ETI stand for?
A warrantless seizure can be used when
When a FAT file is deleted, what is placed at the front?
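The three FAT questions above all turn on the same detail: deleting a file in FAT does not erase its 32-byte 8.3 directory entry, it only overwrites the first byte of the name with 0xE5, leaving the extension, size and starting cluster in place. The following Python script is an added example written for this page (it is not part of the quiz or its source text) that builds a few constructed directory entries, marks one as deleted, and walks the directory the way a recovery tool does. The entry layout is the standard FAT 8.3 format; the file names, sizes and cluster numbers are made up for the demonstration.

```python
"""Walk a FAT 8.3 directory and show what survives deletion.

Added example for this quiz, not code from the page. Directory entries are
constructed in-line (names, sizes and clusters are invented) so it runs offline.
"""
import struct
from typing import List, Tuple

DELETED = 0xE5   # first byte of an entry whose file has been deleted
UNUSED = 0x00    # never-used entry; marks the end of the directory
KANJI_E5 = 0x05  # escape: the real first byte of the name is 0xE5
ATTR_LFN = 0x0F  # long-file-name entry, skipped in this 8.3-only walk

# name(8) ext(3) attr ntres crt_tenth crt_time crt_date acc_date
# clus_hi wrt_time wrt_date clus_lo size  -> 32 bytes, little-endian
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")


def make_entry(stem: str, ext: str, size: int, first_cluster: int = 2,
               deleted: bool = False) -> bytes:
    """Build a constructed 8.3 directory entry; timestamps are left at zero."""
    raw = bytearray(ENTRY.pack(
        stem.upper().ljust(8).encode("ascii"),
        ext.upper().ljust(3).encode("ascii"),
        0x20,                      # archive attribute
        0, 0,                      # NTRes, creation tenth-seconds
        0, 0, 0,                   # creation time/date, last access date
        0,                         # first cluster, high 16 bits
        0, 0,                      # write time/date
        first_cluster,             # first cluster, low 16 bits
        size))
    if deleted:
        raw[0] = DELETED           # this is all that "delete" changes
    return bytes(raw)


def parse_directory(blob: bytes) -> List[Tuple[str, str, int, int]]:
    """Return (status, name, first_cluster, size) for each entry up to the end marker."""
    out = []
    for off in range(0, len(blob) - len(blob) % 32, 32):
        entry = blob[off:off + 32]
        first = entry[0]
        if first == UNUSED:
            break                  # no entries were ever used past this point
        f = ENTRY.unpack(entry)
        name, ext, attr = bytearray(f[0]), f[1], f[2]
        if attr == ATTR_LFN:
            continue
        status = "live"
        if first == DELETED:
            status = "deleted"
            name[0] = ord("?")     # original first character is not stored anywhere in the entry
        elif first == KANJI_E5:
            name[0] = 0xE5
        stem = name.decode("latin-1").rstrip()
        suffix = ext.decode("latin-1").rstrip()
        fname = f"{stem}.{suffix}" if suffix else stem
        first_cluster = (f[8] << 16) | f[11]
        out.append((status, fname, first_cluster, f[12]))
    return out


# Constructed directory: one live file, one deleted file, then the end marker.
# The entry after the marker is never reached, as a real FAT driver would also stop.
DIRECTORY = (make_entry("REPORT", "DOC", 1234, first_cluster=2)
             + make_entry("SECRET", "TXT", 88, first_cluster=5, deleted=True)
             + bytes(32)
             + make_entry("GHOST", "BIN", 1, first_cluster=9))

if __name__ == "__main__":
    for status, fname, cluster, size in parse_directory(DIRECTORY):
        print(f"{status:8} {fname:14} cluster={cluster} size={size}")
```

The deleted entry still points at cluster 5 with its 88-byte size, which is why carving tools can recover the file's contents and everything but the first letter of its name, provided those clusters have not been reallocated.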
A deleted file in the Recycle Bin is named RIYH6VR.doc. This tells us:
This event correlation approach monitors computer and user behavior...
Stacey needs to crack a Windows password.  She can use which tool...
This requires financial institutions to protect their customers'...
The Superblock in UFS has:
Dropbox Client path:
David needs to recover lost files from a USB flash drive.  Which...
Circular, metal disks mounted into the drive enclosure are called:
In Windows Server 2012 (IIS), log files are stored at:
Scientific testimony.
Tools designated as software tools include all of the following...
The Daubert standard pertains to:
This tool displays details about GPT partition tables in Mac OS
This is wasted area of the disk cluster, lying between the end of the...
The attacker uses exploits to access other directories.  This is...
This RAID level uses byte-level data striping across multiple drives...
Registry Editor
A Digital Forensic Investigator investigates this type of crime...
Nasir is needing to recover lost data from RAID. He knows that this...
Bob arrives on the scene of a large corporation after an...
John wants to root an Apple phone.  Which tool should he use?
Tracked user activities can be found in this file:
John is a forensic investigator working on a case for a WHC...
This is used to render 2D (SGL) or 3D graphics to the screen.
CAN-SPAM requires senders to honor opt-out requests within:
This can do data acquisition and duplication.
All investigators keep track of the evidence path by using the:
A small law firm suspects an incident, where there was potential...
All of the following are Android rooting tools EXCEPT
A first responder secures the scene perimeter.  This is:
David is looking for a tool that contains an ISO image, so he can burn...
This is part of Metasploit that can be used to hide data in the slack...
This mobile API provides telephony services, like making calls,...
This can be used to dump password hashes from the SAM file.
Which command can be used to look for suspicious connections and the...
This Tasklist command is used to run the command with the account...
Mila wants to boot with either BIOS-MBR or UEFI-GPT.  Which...
UTC stands for: 
System time is an example of non-volatile data.
ETI allows the investigator to:
Jamie is analyzing malware, but not executing it on his...
This standard defines the use for file systems of CD-ROM and DVD...
Jv16 can be used for 
Rob wants to discover potential hidden information in an image...
This command can be used to see the names of all open shared files and...
James enjoys this tool that offers thumbnail previews
This is the smallest physical storage unit on the hard...
RAPID IMAGE 7020 X2 is designed to copy how many "Master" hard drives?
This file is found at...
In exhibit numbering, the zz is for:
CD-ROM/DVD standard.
Which is not a file system?
Rule 1003 covers:
An attacker is using every possible combination of characters to crack...
This is the Amendment that protects against unlawful search and seizure.
This can be used for Last access time change in Windows 10.
Phil is a digital forensic investigator that needs to obtain...
The FBI is investigating Sally for hacking her school's...
Stacey wants to obtain data from social media websites.  Which...
Jv16 tool is used for
What is not one of the MS Exchange archive data files?
Jonathan is an investigator, but he is not the first one on the...
Intel is to EFI as PowerPC is to:
This is used for registry analysis, not for malware installation file analysis.
This tool is used to open registry hives
This tool can be used to restore emails.
These determine the sector addressing for individual sectors on a...
Opposing attorney, that did not call the witness to the stand, is...
This is a tool used for monitoring log files, produced by UNIX...
The img_stat command:
This can be used to detect Trojans.
Which of the following is a starting hex value of an image file:
This contains the configuration information related to the user...
The insider threat caused a lot of chaos.  Sally, the digital...
In FHS, essential user command binaries are in this.
Sara is investigating an incident and needs to display information...
You can use this to see the last access time change for win10
You can view DBX files in:
Lenny needs to reset an Administrator password in order to access a...
Show active network connections with this:
This requires Federal agencies to develop, document, and implement...
This has journaling:
Julie wants to use an open-source format.  What should she...
Sally is an investigator working for Diamond Corp.  She needs to...
In Windows 7, deleted files are named $Ry.ext, where the y stands for...
Internal server error is error code:
Sara is an Assistant U.S. Attorney.  She knows that this rule...
A boot from restarting the OS is considered:
All of the following are Registry tools EXCEPT:
This saves data about programs, so programs load faster at boot:
Roberta suspects the company's network has been compromised.  How...
David has been called to the stand to offer scientific...
Tools involved in Hashing include all of the following EXCEPT:
Data rescue 4 is:
Windows Event Log text file output format is:
Which Windows version can use UEFI-GPT or BIOS-MBR?
Richard wants to look for unusual network services.  What command...
The max single file size in EXT3 is 
Which of the following is known for providing quick and deep scanning?
Jamie needs a tool that can recover files with their original file...
The IMEI is obtained with:
This command can be used to obtain details about partitions.
This tool can be used to recover lost data from RAID and hard drives:
$Bitmap is in:
In ISO 9660, what two file systems add more descriptors to the...
William needs a tool that can allow him to specify a specific file...
A hacker commits a DDoS attack against a specific IP address of a...
What file type is this? FF D8 FF E1
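Both this question and the earlier one about the starting hex value of an image file are about file signatures (magic numbers): FF D8 FF is the JPEG start-of-image marker, and the fourth byte E1 is the APP1 marker that carries Exif metadata (E0 would be a JFIF APP0 header). The Python script below is an added example for this page, not code from the quiz or its source; it identifies a handful of common formats from their leading bytes and flags files whose extension disagrees with their signature, which is the check an examiner runs before trusting a name like `photo.jpg`. The byte strings are constructed in-line and the signature table is limited to the well-known values shown.

```python
"""Identify files by magic number and flag extension/signature mismatches.

Added example for this quiz, not code from the page. The sample byte strings
are constructed headers, not real files, so the script runs offline.
"""
import os
from typing import Optional

# Well-known signatures at file offset 0 (published values).
SIGNATURES = [
    ("JPEG", b"\xff\xd8\xff"),          # SOI marker followed by the next marker byte
    ("PNG",  b"\x89PNG\r\n\x1a\n"),
    ("GIF",  b"GIF87a"),
    ("GIF",  b"GIF89a"),
    ("PDF",  b"%PDF-"),
    ("ZIP",  b"PK\x03\x04"),            # also DOCX/XLSX/APK/JAR containers
]

EXT_TO_TYPE = {".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG",
               ".gif": "GIF", ".pdf": "PDF", ".zip": "ZIP"}


def identify(data: bytes) -> str:
    """Return the format name for the longest-known signature at offset 0."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def jpeg_app_marker(data: bytes) -> Optional[str]:
    """For a JPEG, name the marker right after SOI: APP1 (0xE1) means an Exif segment."""
    if not data.startswith(b"\xff\xd8\xff") or len(data) < 4:
        return None
    marker = data[3]
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    return f"0x{marker:02X}"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a type the file's own bytes contradict."""
    expected = EXT_TO_TYPE.get(os.path.splitext(filename)[1].lower())
    return expected is not None and identify(data) != expected


# Constructed headers: Exif JPEG (FF D8 FF E1), JFIF JPEG (FF D8 FF E0), GIF89a.
EXIF_JPEG = b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08"
JFIF_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GIF_DATA = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"

if __name__ == "__main__":
    for name, blob in (("exif.jpg", EXIF_JPEG), ("jfif.jpg", JFIF_JPEG),
                       ("photo.jpg", GIF_DATA)):
        kind = identify(blob)
        flag = " <-- extension mismatch" if extension_mismatch(name, blob) else ""
        print(f"{name:10} {blob[:4].hex(' ')}  {kind:7} {jpeg_app_marker(blob) or ''}{flag}")
```

Signature checks only cover the start of the file; a mismatch is a lead to examine the file more closely, not proof of tampering on its own, since some containers (ZIP-based Office documents, for instance) legitimately share a signature.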
____ launched the CFTT.
This is a network sniffer that can support several hundred network...
The first __ bits of the ESN is the manufacturer's code
This is a tool for Mac OS
In Windows 98 and earlier, deleted files are named in Dxy.ext...
Jason is an investigator with over 10 years of experience.  He...
Sara wants to perform a deep scan that scans the entire system. ...
HFS+ uses: