IP Address Of A Remote Computer Trivia Quiz
- 1.
Exchange server email header information is located here.
- A.
PRIV.STM
- B.
PRIV.EDB
- C.
PUB.EDB
- D.
PRIB.EDB
Correct Answer
B. PRIV.EDBExplanation
(Chapter 12) The PRIV.EDB file contains the message headers, message text, and standard attachments. PRIV.STM is for streaming MIME content (video, audio, etc...). PUB.EDB is a database file that stores hierarchies. PRIB.EDB is made up and is incorrect.Rate this question:
-
- 2.
UTC stands for:
- A.
Universal Coordinate Tasks
- B.
Coordinated Universal Time
- C.
Coordinated User Time
- D.
Universal Computer Time
Correct Answer
B. Coordinated Universal TimeExplanation
(Chapter 6): UTC stands for Coordinated Universal Time. The other choices are made up answers.Rate this question:
-
- 3.
The forensic investigator uses this command to see what sessions are open.
- A.
Net session
- B.
Net open
- C.
Net run
- D.
Net sessioning
- E.
Option 5
Correct Answer
A. Net sessionExplanation
(Chapter 8): The net session command can be used to verify users with open sessions and to see all open sessions.Rate this question:
-
- 4.
This is a type of anti-forensic technique with malware.
- A.
Packing
- B.
Vacationing
- C.
$Rxyte provisioning
- D.
Static analysis
Correct Answer
A. PackingExplanation
(Chapter 5 and Chapter 11): Many attackers use a packer to try and prevent forensic analysis of the malware. Static analysis is a form of malware analysis. The other two choices are made up and are incorrect.Rate this question:
-
- 5.
This does not use OLE.
- A.
Word
- B.
Excel
- C.
PDF
- D.
MS Office
Correct Answer
C. PDFExplanation
(Chapter 3): OLE (Object Linking and Embedding) is not used in PDF, but is used in Microsoft Office applications, specifically Word and Excel.Rate this question:
-
- 6.
This verifies the file system integrity of a volume, fixes logical file system errors, and is similar to the fsck command in unix.
- A.
RegEdit
- B.
CHKDSK
- C.
Disk Integrity
- D.
Lsck
Correct Answer
B. CHKDSKExplanation
(Chapter 3): CHKDSK verifies the file system integrity of a volume, fixes logical file system errors, and is similar to the fsck command in Unix. RegEdit (Registry Editor) is used to load registry hives. lsck is made up as is Disk Integrity.Rate this question:
-
- 7.
The investigator is looking to detect something after the incident has ended.
- A.
Real-time analysis
- B.
Post-trial analysis
- C.
Post-mortem analysis
- D.
After-action anaylsis
Correct Answer
C. Post-mortem analysisExplanation
(Chapter 7): Investigators perform post-mortem analysis after an incident has already occurred. Real-Time analysis is used while an incident is taking place, so there can be an immediate response. Post-trial and After-action are not mentioned in the ECC text.Rate this question:
-
- 8.
A hacker commits a DDoS attack against a specific IP address of a company's Web server. This is considered what type of attack?
- A.
APT attack
- B.
Network attack
- C.
Web application attack
- D.
Ids attack
Correct Answer
B. Network attackExplanation
(Chapter 7 and 8): The attack is against a specific IP address and is not exploiting an application vulnerability (notice it shows Web application attack in the other answer), so it would fall under the realm of a network attack. The DDoS attack may also be affecting an IDS, but that is not the true target of the attack described. It could be an APT (Advanced Persistent Threat) group performing the attack, but it could also just be a simple teenager.Rate this question:
-
- 9.
What file type is this? FF D8 FF E1
- A.
BMP
- B.
JPEG
- C.
GIF
- D.
PNG
Correct Answer
B. JPEGExplanation
(Chapter 3): The FF D8 FF is the hex format for JPEG files. BMP starts with 42 4d. GIF starts with 47 49 46. PNG starts with 89 50 4e.Rate this question:
-
- 10.
This tasklist command specifies the name or IP address of a remote computer.
- A.
/v
- B.
/s
- C.
/u
- D.
/r
Correct Answer
B. /sExplanation
(Chapter 6): The /s command specifies the name or IP address of a remote computer. The /v specifies that verbose task information be displayed in the output. The /u command runs the command with the account permissions of the specified user. The /r command is made up.Rate this question:
-
- 11.
You can use this to see the last access time change for win10
- A.
Devcon
- B.
Fsutil
- C.
Wmic service
- D.
Reg.exe
- E.
Option 5
Correct Answer
B. FsutilExplanation
(Chapter 6): fsutil can be used to see the last access time change for Windows 10. reg.exe is Window's Console Registry Tool. WMIC stands for Windows Management Instrumentation Command-line, "wmic service" is not valid. devcon (devcon.exe) is a command used in Windows to see details about connected devices.Rate this question:
-
- 12.
This displays all commands stored in memory.
- A.
Memory key command
- B.
Doskey history
- C.
-l display
- D.
Regedit
Correct Answer
B. Doskey historyExplanation
(Chapter 6): The doskey history displays all commands stored in memory. Regedit is used to edit the System Registry. The memory key command and -l display are made up.Rate this question:
-
- 13.
GIF has how many bits per pixel
- A.
16
- B.
24
- C.
8
- D.
32
Correct Answer
C. 8Explanation
(Chapter 3): GIF has 8 bits per pixel and 256 colors per frame.Rate this question:
-
- 14.
Jv16 tool is used for
- A.
Malware reversing
- B.
Dynamic analysis
- C.
Registry
- D.
Bit-to-bit mapping
Correct Answer
C. RegistryExplanation
(Chapter 11): jv16 is a registry tool. It is not used for malware analysis or reversing, and also is not used to make bit copies. Remember that it is not used for malware for your CHFI exam.Rate this question:
-
- 15.
You can detect Trojans with which of the following?
- A.
Tripwire
- B.
Capsa
- C.
Belkasoft RAM Cap
- D.
Regshot
Correct Answer
B. CapsaExplanation
(Chapter 11): Capsa can be used to detect Trojans. Tripwire is for file integrity, Belkasoft RAM Capturer is self-explanatory, and Regshot monitors registry changes.Rate this question:
-
- 16.
A web analytics solution for small and medium sized websites.
- A.
Clickfunnels
- B.
Deep Log Analyzer
- C.
XRY log
- D.
LAN Who
Correct Answer
B. Deep Log AnalyzerExplanation
(Chapter 8): The Deep Log Analyzer is a web analytics solution for small and medium sized websites. XRY Log is used for mobile device extraction. Clickfunnels is a software used to build sales funnels. LAN Who is made up. There is a LAN Whois, but this is not listed and is not a web analytics solution.Rate this question:
-
- 17.
This contains the manufacturer's information
- A.
ICCID
- B.
ESN
- C.
EIR
- D.
IMSI
Correct Answer
B. ESNExplanation
(Chapter 13): The ESN (Electronic Serial Number) has the manufacturer’s code. ICCID (Integrated Circuit Card Identifier) is printed on the SIM to identify the SIM internationally. EIR is made up. IMSI (International Mobile Subscriber Identity) defines the subscriber in the wireless world, including the country and mobile network that the subscriber belongs to.Rate this question:
-
- 18.
You can view DBX files in:
- A.
Adobe Acrobat Reader
- B.
Thunderbird
- C.
MS Outlook Express
- D.
Thundercats
Correct Answer
C. MS Outlook ExpressExplanation
(Chapter 12): DBX files are viewed with Microsoft Outlook Express. Adobe Acrobat Reader is PDF. Thundercats was a cartoon in the 1980's. Thunderbird does not open DBX files.Rate this question:
-
- 19.
When a FAT file is deleted, what is placed at the front?
- A.
ELH
- B.
E5H
- C.
EH5
- D.
ESH
Correct Answer
B. E5HExplanation
(Chapter 5): E5H is put at the front of a deleted FAT file. The other answers are incorrect because they do not contain the correct sequence.Rate this question:
-
- 20.
This can do data acquisition and duplication.
- A.
Capsa
- B.
Drivespy
- C.
Wireshark
- D.
Xplico
Correct Answer
B. DrivespyExplanation
(Chapter 4): Drivespy can do data acquisition and duplication. Wireshark is for network sniffing. Capsa is a network analyzer and can detect Trojans. Xplico is a network forensics analysis tool.Rate this question:
-
- 21.
A deleted file in the Recycle Bin is named RIYH6VR.doc. This tells us:
- A.
The file was deleted from the Y drive in the 6th order
- B.
The deleted file is a document file
- C.
The file was deleted with Recuva
- D.
None of the above
Correct Answer
B. The deleted file is a document fileExplanation
(Chapter 5): We can infer that this is a document file, based on the extension of .doc. Recuva does not leave a particular file name when performing recovery. The other answers do not make sense, since we do not see Dy5, which indicate a file deleted form the Y drive in the 6th order, and since we know this is a document file.Rate this question:
-
- 22.
This is an IDS:
- A.
Kismet
- B.
Snort
- C.
Accountix Pro
- D.
Nikto 1000
Correct Answer
B. SnortExplanation
(Chapter 8): Snort is a popular IDS. Kismet is for wireless sniffing. Accountix Pro and Nikto 1000 are made up and are incorrect.Rate this question:
-
- 23.
The $l file contains all of the following EXCEPT:
- A.
The original file size
- B.
The date the file was sent to the recycle bin
- C.
The length of the files as 344 bytes long
- D.
The original file path
Correct Answer
C. The length of the files as 344 bytes longExplanation
(Chapter 5): The $I file is 544 bytes long. In Windows 7 and Vista, when a file is deleted, it is renamed $R, followed by random characters, then the file extension. At the same time, a $I file is created that contains the same random characters and the same file extension.Rate this question:
-
- 24.
This has journaling:
- A.
Ext1
- B.
NTFS
- C.
FAT
- D.
FAT32
Correct Answer
B. NTFSExplanation
(Chapter 3): NTFS is the only answer here that offers journaling. EXT3 offers journaling, not EXT1. FAT and FAT32 also do not offer journaling.Rate this question:
-
- 25.
A small law firm suspects an incident, where there was potential criminal action, and wants to investigate themselves. Why should they avoid doing so? (choose the best answer)
- A.
Law firms should not perform digital forensic investigations
- B.
They may alter the date or timestamp information of the evidence
- C.
They can prosecute the attack
- D.
They have a conflict of interest, since they are involved in real estate law
Correct Answer
B. They may alter the date or timestamp information of the evidenceExplanation
(Chapter 2): The law firm may alter the data, so it will then be inadmissible in a criminal case.Rate this question:
-
- 26.
This is part of Metasploit that can be used to hide data in the slack space of FAT and NTFS
- A.
RuneFS
- B.
Slacker
- C.
FragFS
- D.
WaffenFS
Correct Answer
B. SlackerExplanation
(Note: the only Metasploit tool mentioned in the ECC official material is Timestomp-- used to change the timestamp, mentioned in Chapter 5, but you will likely see Slacker mentioned on the exam. Welcome to ECC exams): Slacker is the tool in Metasploit that will hide data in the slack space of FAT or NTFS file systems, WaffenFS stores data in the EXT3 journal file, FragFS hides data within the NTFS Master file table, RuneFS stores data in bad blocks.Rate this question:
-
- 27.
The attorney that calls the witness to the stand is asking the questions
- A.
Cross-examination
- B.
Direct examination
- C.
Deposition
- D.
Expert testimony
Correct Answer
B. Direct examinationExplanation
(Chapter 14): Direct examination occurs, when the attorney that calls the witness to the stand is asking the questions. Cross-Examination is when the attorney that did not call the witness to the stand is asking the questions. Deposition is not a form of asking questions of a witness. Expert testimony involves direct and cross examination, but is not the definition described in the question.Rate this question:
-
- 28.
The first __ bits of the ESN is the manufacturer's code
- A.
32
- B.
8
- C.
16
- D.
24
Correct Answer
B. 8Explanation
(Chapter 13): The first 8 bits of the ESN is the manufacturer’s code. The other answers are made up and are incorrect.Rate this question:
-
- 29.
The linux bootloader is active in this stage
- A.
Kernel stage
- B.
Bootloader stage
- C.
Bios stage
- D.
Gluc stage
Correct Answer
B. Bootloader stageExplanation
(Chapter 3): The Linux bootloader (LILO and GRUB) are active in the Bootloader stage as these load the Kernel. GLUC is not a stage of the Linux boot process.Rate this question:
-
- 30.
This tool is used to open registry hives
- A.
MySQLlog Editor
- B.
Registry Editor
- C.
Reg_HIV OpenPS
- D.
Hiveopener 3000
Correct Answer
B. Registry EditorExplanation
(Chapter 5): Registry Editor is used to open registry hives (hives start with HKEY..). The other answers are made up and are incorrect.Rate this question:
-
- 31.
This is the default folder path used for syncing files in Dropbox
- A.
C:\Users\$user\Dropbox
- B.
C:\Users\Dropbox\sync.config
- C.
C:\Dropbox\Client\sync
- D.
C:\Users\Admin\sync\Dropbox\Client
Correct Answer
A. C:\Users\$user\DropboxExplanation
Chapter 10: The other answers are made up.Rate this question:
-
- 32.
These files are located within an instance (n) of Dropbox folder in AppData of the user's profile
- A.
Executables
- B.
Configuration
- C.
User files
- D.
N-instance files
Correct Answer
B. ConfigurationExplanation
Chapter 10: configuration files are correct. No other files listed are located within the instance.Rate this question:
-
- 33.
This contains executables, libraries, Program Files, LiNK files, links of user profiles, and application shortcuts in Dropbox.
- A.
Google Client
- B.
Dropbox.dbl
- C.
Dropbox Client
- D.
Program File
Correct Answer
C. Dropbox ClientExplanation
Chapter 10: Dropbox Client is correct. The question asks about Dropbox, so the Google Client answer is obviously incorrect. Dropbox.dbl is made up and Program File is also incorrect.Rate this question:
-
- 34.
Dropbox Client path:
- A.
C:\Program Files(x86)\Dropbox\Client
- B.
C:\Program Files\Dropbox\Client
- C.
C:\Dropbox\Client
- D.
C:\Dropbox\Client\Config
Correct Answer
A. C:\Program Files(x86)\Dropbox\ClientExplanation
Chapter 10: The other paths are made up.Rate this question:
-
- 35.
These store information of files synced ot the cloud using Dropbox.
- A.
Store.db and dropbox.db
- B.
Store.dbx and dropbox.dbx
- C.
Filecache.dbx and config.dbx
- D.
Config.dbx and Filesystem.dbx
Correct Answer
C. Filecache.dbx and config.dbxExplanation
Chapter 10: While config.dbx is correct Filesystem.dbx is not. The other answers are made up.Rate this question:
-
- 36.
The default Google Drive installation location in win10 OS
- A.
C:\Program Files (x86)\Google\Drive
- B.
C:\Program Files(x64)\Google Driver
- C.
C:\Progarm Files\System32\Google Drive
- D.
C:\Program Files (x86)\Google\Drive\Config
Correct Answer
A. C:\Program Files (x86)\Google\DriveExplanation
Chapter 10: The other answers are made up paths.Rate this question:
-
- 37.
These are saved in the installation folder in the user profile for Google Drive
- A.
Backup files
- B.
Configuration files
- C.
Log files
- D.
Image files
Correct Answer
B. Configuration filesExplanation
Chapter 10: Configuration files is correct. The other files are not saved in the installation folder.Rate this question:
-
- 38.
Google Drive Configuration files are stored at this path:
- A.
C:\Google\Drive\User\Default
- B.
C:\Google Drive\<user default>
- C.
C:\Users\<username>\AppData\Local\Google\Drive\user_default
- D.
C:\Users\AppData\Local\Google Drive\user
Correct Answer
C. C:\Users\<username>\AppData\Local\Google\Drive\user_defaultExplanation
Chapter 10: The other answers are made up.Rate this question:
-
- 39.
This contains the Google Drive version, the local sync root path, and user's email address
- A.
Snapshot.db
- B.
Sync_config.db
- C.
Sync_config.db
- D.
Config.db
Correct Answer
C. Sync_config.dbExplanation
Chapter 10: Sync_config.db is correct. The sync_config.db stores details about local entry and cloud entry along with snapshot.db. config.db is made up.Rate this question:
-
- 40.
The installation of Google Drive Client Version in Windows 10 creates this (choose the best answer):
- A.
Problems
- B.
Sync_log.log
- C.
Config.exe
- D.
Gd.exe
Correct Answer
B. Sync_log.logExplanation
Chapter 10: The Sync_log.log file is created. This file contains information about the client sync session. Problems is wrong for obvious reasons. The other two answers are made up.Rate this question:
-
- 41.
RAPID IMAGE 7020 X2 is designed to copy how many “Master” hard drives?
- A.
Two
- B.
One
- C.
Three
- D.
Unlimited
- E.
Option 5
Correct Answer
B. OneExplanation
(Chapter 2 and Chapter 4-- both have the same information): RAPID IMAGE 7020 X2 is designed to copy 1 Master hard drive and up to 19 Target hard drives. The other answers are incorrect, based on Chapter 2 of the EC-Council material.Rate this question:
-
- 42.
This rule covers limited admissibility
- A.
Rule 401
- B.
Rule 402
- C.
Rule 105
- D.
Rule 103
Correct Answer
C. Rule 105Explanation
(Chapter 1): Rule 105 covers limited admissibility. Rule 402 covers the general admissibility of relevant evidence. Rule 103 is for the rulings on evidence. Rule 401 is not mentioned in the ECC text.Rate this question:
-
- 43.
Which one do you like?Max has arrived on scene and sees that the computer is turned on. His first step should be to (choose the best answer):``
- A.
Power off the computer to preserve evidence
- B.
Leave the computer on, but look at task manager to see if any programs are running
- C.
Photograph the current computer state
- D.
Perform a bit by bit copy of the drive
Correct Answer
C. Photograph the current computer stateExplanation
(Chapter 2): The computer must be photographed to show its state before evidence is gathered. Powering off the computer is not the answer, since if the computer is on, we always leave it on. The other answers are incorrect because they are later steps in the investigation.Rate this question:
-
- 44.
Samuel has completed static analysis of a new malware strain. He is now going to perform dynamic analysis. Which tool can he use to monitor for installations, while performing dynamic analysis?
- A.
Jv16
- B.
Sysanalyzer
- C.
Data recovery pro
- D.
Stellar phoenix
Correct Answer
B. SysanalyzerExplanation
(Chapter 11): SysAnalyzer is used for dynamic malware analysis, specifically for monitoring installations, like Comodo Program Manager also does. jv16 is used for Registry. You want to know that for your exam. Data Recovery Pro and Stellar Phoenix are used for file recovery and not malware analysis.Rate this question:
-
- 45.
This tool displays details about GPT partition tables in Mac OS
- A.
VFS Rider
- B.
DiskDrill
- C.
File Salvage
- D.
Disk Utility
- E.
Option 5
Correct Answer
D. Disk UtilityExplanation
(chapter 3): Disk Utility is the only selection that displays details about partition tables in Mac. VFS Rider is a made up tool. DiskDrill can recover from corrupted memory cards. File Salvage is also a Mac tool, but is used for file recovery.Rate this question:
-
- 46.
Nasir is needing to recover lost data from RAID. He knows that this tool will be needed.
- A.
Total Recall
- B.
DiskDigger
- C.
Advanced Disk Recovery
- D.
Comodo Programs Manager
Correct Answer
A. Total RecallExplanation
(Chapter 5): Total Recall is used for RAID. Comodo Programs Manager is used for dynamic malware analysis. DiskDigger offers thumbnail previews of recovered files. Advanced Disk Recovery offers the Quick and Deep scans.Rate this question:
-
- 47.
Jennifer is an investigator with the FBI. She is performing dynamic analysis on malware and wants to know the dependencies. What tool should she use?
- A.
Jv16 power tools
- B.
Xplico
- C.
Dependency walker
- D.
Dependency crawler
Correct Answer
C. Dependency walkerExplanation
(Chapter 11): Dependency Walker is the correct answer. Dependency Crawler is made up. jv16 is used for Registry. Xplico is a network forensics analysis tool.Rate this question:
-
- 48.
Which wondows version can use uefi-gpt or bios-mbr
- A.
Xp
- B.
10
- C.
7
- D.
95
Correct Answer
B. 10Explanation
(Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR. Windows XP, Vista, and 7 boot with BIOS-MBR.Rate this question:
-
- 49.
This tool can recover deleted files emptied from the Recycle Bin, or lost because of the formatting/corruption of a hard drive, virus or Trojan infection, and unexpected system shutdowns.
- A.
File Salvage
- B.
DiskDigger
- C.
Recover My Files
- D.
Recuva
Correct Answer
C. Recover My FilesExplanation
(Chapter 2): Recover My files is correct. File Salvage is a Mac Tool. DiskDigger recovers from hard drives, memory cards, and USB. Recuva offers the Advanced Deep Scan.Rate this question:
-
- 50.
David is looking for a tool that contains an ISO image, so he can burn a bootable CD. What tool is he looking for?
- A.
CD Boot
- B.
Active@ File Recovery
- C.
Pandora Recovery
- D.
Data Rescue 4
Correct Answer
B. Active@ File RecoveryExplanation
(Chapter 5): Active@ File Recovery is the only answer here that contains a CD/DVD ISO image that allows you to burn a bootable CD.Rate this question:
-
Quiz Review Timeline +
Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.
-
Current Version
-
Mar 20, 2023Quiz Edited by
ProProfs Editorial Team -
Feb 20, 2019Quiz Created by
Catherine Halcomb
Back to top