IP address of a remote computer Trivia Quiz

1. The investigator is looking to detect something after the incident has ended.

Real-time analysis

Post-trial analysis

Post-mortem analysis

After-action anaylsis

(Chapter 7): Investigators perform post-mortem analysis after an incident has already occurred. Real-Time analysis is used while an incident is taking place, so there can be an immediate response. Post-trial and After-action are not mentioned in the ECC text.

Explanation

(Chapter 7): Investigators perform post-mortem analysis after an incident has already occurred. Real-Time analysis is used while an incident is taking place, so there can be an immediate response. Post-trial and After-action are not mentioned in the ECC text.

2. This is used to perform a Quick Analysis of a crash dump file.

RegEdit

DumpChk

MBR

NBC 3000

(Chapter 6): DumpChk is correct. RegEdit is the registry editor. MBR is the Master Boot Record and this is not a tool. NBC 3000 is made up.

Explanation

(Chapter 6): DumpChk is correct. RegEdit is the registry editor. MBR is the Master Boot Record and this is not a tool. NBC 3000 is made up.

3. Shamika is the VP of Technology at XYZ, Inc. She suspects that her newest employee, David, may be using his work computer to look at child pornography. What type of investigation(s) should be started?

Civil

Criminal and civil

Administrative and civil

Criminal and administrative

(Chapter 1): David is using his work computer inappropriately, which would mean and Administrative investigation should be undertaken. David is also looking at child pornography, which is a crime and requires a criminal investigation.

Explanation

(Chapter 1): David is using his work computer inappropriately, which would mean and Administrative investigation should be undertaken. David is also looking at child pornography, which is a crime and requires a criminal investigation.

4. This law subsection covers child pornography.

1030

123

2252A

476

(Chapter 12): 18 USC §2252A covers child pornography. 1030 covers fraud and abuse using computers. 123 is made up as is 476.

Explanation

(Chapter 12): 18 USC §2252A covers child pornography. 1030 covers fraud and abuse using computers. 123 is made up as is 476.

5. This displays all commands stored in memory.

Memory key command

Doskey history

-l display

Regedit

(Chapter 6): The doskey history displays all commands stored in memory. Regedit is used to edit the System Registry. The memory key command and -l display are made up.

Explanation

(Chapter 6): The doskey history displays all commands stored in memory. Regedit is used to edit the System Registry. The memory key command and -l display are made up.

6. An internal investigation, undertaken by an organization, to determine if employees are following rules and/or policies is called.

Criminal

Frye

Administrative

Civil

(Chapter 1): Administrative investigations involve an internal investigation, where the organization attempts to discover if employees are following rules/policies. Frye is the standard for scientific testimony. Criminal investigations are undertaken by law enforcement and Civil investigations are usually the result of some kind of IP theft or other non-employee related matter (though they can involve employees). The best answer here is Administrative.

Explanation

(Chapter 1): Administrative investigations involve an internal investigation, where the organization attempts to discover if employees are following rules/policies. Frye is the standard for scientific testimony. Criminal investigations are undertaken by law enforcement and Civil investigations are usually the result of some kind of IP theft or other non-employee related matter (though they can involve employees). The best answer here is Administrative.

7. This type of warrant is used to get records from service providers.

Super Warrant

Felony Warrant

Electronic storage device warrant

Service provider search warrant

(Chapter 2): The service provider search warrant allows the investigator to obtain records from the service provider, including things like billing records and subscriber information. Electronic storage device warrant is used for the actual hardware. Felony and Super warrants do not apply to service providers, with Super warrant being made up.

Explanation

(Chapter 2): The service provider search warrant allows the investigator to obtain records from the service provider, including things like billing records and subscriber information. Electronic storage device warrant is used for the actual hardware. Felony and Super warrants do not apply to service providers, with Super warrant being made up.

8. This type of attack is a combination of both a brute force attack and dictionary attack.

Hybrid

Syllable

Rule-based

Dictionary

(Chapter 5): A syllable attack is a combination of the brute force and dictionary attacks. The hybrid attack is based on the dictionary and brute force attacks. Rule-based is based on knowing something, like a birthday. Dictionary would not be a combination of itself and a brute force attack.

Explanation

(Chapter 5): A syllable attack is a combination of the brute force and dictionary attacks. The hybrid attack is based on the dictionary and brute force attacks. Rule-based is based on knowing something, like a birthday. Dictionary would not be a combination of itself and a brute force attack.

9. The $l file contains all of the following EXCEPT:

The original file size

The date the file was sent to the recycle bin

The length of the files as 344 bytes long

The original file path

(Chapter 5): The $I file is 544 bytes long. In Windows 7 and Vista, when a file is deleted, it is renamed $R, followed by random characters, then the file extension. At the same time, a $I file is created that contains the same random characters and the same file extension.

Explanation

(Chapter 5): The $I file is 544 bytes long. In Windows 7 and Vista, when a file is deleted, it is renamed $R, followed by random characters, then the file extension. At the same time, a $I file is created that contains the same random characters and the same file extension.

10. Simple, sequential, flat files of a data set is called:

Blank format

Raw format

MBR format

First data format

(Chapter 4): Raw format creates simple, sequential, flat files of a data set. The other formats stated are made up. MBR stands for Master Boot record, but it is not a flat file data set.

Explanation

(Chapter 4): Raw format creates simple, sequential, flat files of a data set. The other formats stated are made up. MBR stands for Master Boot record, but it is not a flat file data set.

11. Johnny has been with the DEA for 17 years. He shows up on the scene and notices the suspect's computer is turned on. After securing the scene, Johnny should:

Turn the computer off and unplug the power cords

Leave the computer on and document the scene

Turn the computer off and document the scene

Pull the power cord and place the computer in an anti-static box

(Chapter 2): An investigator should not turn off a suspect's computer. The current state of the device should be documented. EC-Council hammers this hard in its official material. If a device is on leave it on. Turning off the device can destroy volatile evidence, which is why the other answers are wrong.

Explanation

(Chapter 2): An investigator should not turn off a suspect's computer. The current state of the device should be documented. EC-Council hammers this hard in its official material. If a device is on leave it on. Turning off the device can destroy volatile evidence, which is why the other answers are wrong.

12. This file system uses journaling.

HXS

FAT

UFS

NTFS

(Chapter 3): NTFS (New Technology File System) uses journaling. FAT and UFS (Unix File System) do not offer this. HXS is made up and is incorrect.

Explanation

(Chapter 3): NTFS (New Technology File System) uses journaling. FAT and UFS (Unix File System) do not offer this. HXS is made up and is incorrect.

13. The zz in exhibit numbering stands for:

The investigator's initials

The data of the evidence collection

The date of evidence seizure

The sequence number for parts of the same exhibit

(Chapter 2): The "zz" refers to the sequence number for parts of the same exhibit. The investigator's initials are shown with aaa and dd/mm/yy is the date of evidence seizure/collection.

Explanation

(Chapter 2): The "zz" refers to the sequence number for parts of the same exhibit. The investigator's initials are shown with aaa and dd/mm/yy is the date of evidence seizure/collection.

14. The attorney that calls the witness to the stand is asking the questions

Cross-examination

Direct examination

Deposition

Expert testimony

(Chapter 14): Direct examination occurs, when the attorney that calls the witness to the stand is asking the questions. Cross-Examination is when the attorney that did not call the witness to the stand is asking the questions. Deposition is not a form of asking questions of a witness. Expert testimony involves direct and cross examination, but is not the definition described in the question.

Explanation

(Chapter 14): Direct examination occurs, when the attorney that calls the witness to the stand is asking the questions. Cross-Examination is when the attorney that did not call the witness to the stand is asking the questions. Deposition is not a form of asking questions of a witness. Expert testimony involves direct and cross examination, but is not the definition described in the question.

15. In this stage of the Linux boot process, information is retrieved from the CMOS chip.

Kernel

Bec

Bios

Bootloader

(chapter 3): In the BIOS stage, the BIOS retrieves information stored in the CMOS chip and performs a POST test. There is not a BEC stage. In the Bootloader stage, the kernel is loaded. In the Kernel stage, the Kernel mounts the actual root file system.

Explanation

(chapter 3): In the BIOS stage, the BIOS retrieves information stored in the CMOS chip and performs a POST test. There is not a BEC stage. In the Bootloader stage, the kernel is loaded. In the Kernel stage, the Kernel mounts the actual root file system.

16. This approach monitors a computer and user's behavior for anomalies.

Bayesian coorelation

Access-control based

Role-based

Route-correlation

(Chapter 7): A role-based approach monitors computer and user behavior for anomalies. route correlation extracts the attack route information to single out other attack data. Bayesian Correlation uses statistics and probability to predict the next steps of an attack. Access-control based is not a real option for event correlation and is incorrect.

Explanation

(Chapter 7): A role-based approach monitors computer and user behavior for anomalies. route correlation extracts the attack route information to single out other attack data. Bayesian Correlation uses statistics and probability to predict the next steps of an attack. Access-control based is not a real option for event correlation and is incorrect.

17. The Master Boot Record (MBR) starts at this sector.

Sector 8

Sector 1

Sector 0

Sector 32

(Chapter 3): The MBR refers to a hard disk's first sector, also called sector zero. This specifies the location of an operating system for the system to load into the main storage. Sector 1 is incorrect, since it is not the first sector of a hard disk and the other answers are made up.

Explanation

(Chapter 3): The MBR refers to a hard disk's first sector, also called sector zero. This specifies the location of an operating system for the system to load into the main storage. Sector 1 is incorrect, since it is not the first sector of a hard disk and the other answers are made up.

18. The attorney that called the witness to the stand is asking the questions, this would be called:

Cross examination

Direct examination

Contempt of court

E Pluribus Unum

(Chapter 14): This would be considered direct examination. Cross-Examination is when the witness is questioned by the attorney that DID NOT call them to the stand. The other answers are made up.

Explanation

(Chapter 14): This would be considered direct examination. Cross-Examination is when the witness is questioned by the attorney that DID NOT call them to the stand. The other answers are made up.

19. This is the person initiating a lawsuit.

Defendant

Plaintiff

Judge

Respondent

(Chapter 1): Plaintiff is correct. The defendant, as the name implies, is defended themselves from the lawsuit. They are also called the respondent. A judge could be a plaintiff in a lawsuit, but would not be known as the judge in the lawsuit, but rather as the plaintiff.

Explanation

(Chapter 1): Plaintiff is correct. The defendant, as the name implies, is defended themselves from the lawsuit. They are also called the respondent. A judge could be a plaintiff in a lawsuit, but would not be known as the judge in the lawsuit, but rather as the plaintiff.

20. In a deposition, the following is true:

A judge is present

A jury may be present

Both attorneys are present

Opposing counsel is not allowed to ask questions

(Chapter 14): A deposition differs from a trial in that both attorneys are present.

Explanation

(Chapter 14): A deposition differs from a trial in that both attorneys are present.

21. These are bootloaders for Linux.

LILO and STITCH

GRUB and HUBB

LILI and GRUB

LILO and GRUB

(Chapter 3): Linux Loader (LILO) and Grand Unified Bootloader (GRUB) are correct. The other answers do not contain both of the bootloaders and are therefore incorrect.

Explanation

(Chapter 3): Linux Loader (LILO) and Grand Unified Bootloader (GRUB) are correct. The other answers do not contain both of the bootloaders and are therefore incorrect.

22. An investigator needs to jailbreak an iOS phone.

Yellow_Root

RedSn0w

Winter_Time 3000

King_Root

(Chapter 13): RedSn0w is used to root iOS devices. One trick for your exam is anything with "root" in the name is usually for Android. That being said, the other answers in the question are made up.

Explanation

(Chapter 13): RedSn0w is used to root iOS devices. One trick for your exam is anything with "root" in the name is usually for Android. That being said, the other answers in the question are made up.

23. This type of analysis is ongoing and returns simultaneously, so that attacks can be responded to immediately.

Postmortem analysis

Real-Time analysis

Deceased analysis

Disk Removal analysis

(Chapter 7): Real-Time analysis is correct. Postmortem analysis occurs after the incident has taken place. The other two answers are made up and are incorrect.

Explanation

(Chapter 7): Real-Time analysis is correct. Postmortem analysis occurs after the incident has taken place. The other two answers are made up and are incorrect.

24. UTC stands for which of the following:

Universal Computing Time

Universal Computer Time

Coordinated Universal Time

Computer Universal Time

(Chapter 6): UTC stands for Coordinated Universal Time. The other answer choices are made up.

Explanation

(Chapter 6): UTC stands for Coordinated Universal Time. The other answer choices are made up.

25. Tanisha wants to recover files with their original file name. She should use which of the following tools to accomplish this (choose the best answer)?

Data rescue 4

Stellar phoenix

Total recall

Quick recovery

(Chapter 5): Stellar Phoenix recovers file with their original file name and supports RAW recovery on lost volumes. Total Recall is used for RAID. Data Rescue 4 recovers files form accidently re-formatted drives. Quick Recovery can recover encrypted files.

Explanation

(Chapter 5): Stellar Phoenix recovers file with their original file name and supports RAW recovery on lost volumes. Total Recall is used for RAID. Data Rescue 4 recovers files form accidently re-formatted drives. Quick Recovery can recover encrypted files.

26. Misuse of a work computer generally can lead to this type of investigation.

Civil

Administrative

Criminal

Criminal and Civil

(Chapter 1): An employee misusing a work computer (i.e.- checking Facebook when it is against company policy) generally leads to an Administrative investigation. It could also lead to Civil and Criminal investigations, but the best answer, according to the ECC text, is Administrative.

Explanation

(Chapter 1): An employee misusing a work computer (i.e.- checking Facebook when it is against company policy) generally leads to an Administrative investigation. It could also lead to Civil and Criminal investigations, but the best answer, according to the ECC text, is Administrative.

27. Object Linking and Embedding is not used by:

Word

Excel

Office products

PDF

(Chapter 3): OLE (Object Linking and Embedding) is not used in PDF, but is used in Microsoft Office applications, specifically Word and Excel.

Explanation

(Chapter 3): OLE (Object Linking and Embedding) is not used in PDF, but is used in Microsoft Office applications, specifically Word and Excel.

28. The forensic investigator uses this command to see what sessions are open.

Net session

Net open

Net run

Net sessioning

Option 5

(Chapter 8): The net session command can be used to verify users with open sessions and to see all open sessions.

Explanation

(Chapter 8): The net session command can be used to verify users with open sessions and to see all open sessions.

29. This tool can be used to display details about GPT partition tables in Mac OS.

Diskdigger

Recover my files

Windows super disk recovery

Disk utility

(Chapter 3): Disk Utility displays details about GPT partition tables in Mac OS. Recover My Files is used for file recovery, not GPT partition table data. DiskDigger offers file recovery and also offers thumbnail previews. Windows Super Disk Recovery is made up and the question asks about Mac OS, so this answer is incorrect.

Explanation

(Chapter 3): Disk Utility displays details about GPT partition tables in Mac OS. Recover My Files is used for file recovery, not GPT partition table data. DiskDigger offers file recovery and also offers thumbnail previews. Windows Super Disk Recovery is made up and the question asks about Mac OS, so this answer is incorrect.

30. This Federal statute covers child pornography

18 USC 2252A

18 USC 2252B

Texas Penal Code 2281

18 USC 20000AB

(Chapter 12): 18 USC §2252A covers child pornography. §2252B covers misleading domains. The Texas Penal Code answer and §20000AB are made up answers and are incorrect.

Explanation

(Chapter 12): 18 USC §2252A covers child pornography. §2252B covers misleading domains. The Texas Penal Code answer and §20000AB are made up answers and are incorrect.

31. This person provides legal advice about the investigation and any potential legal issues in the forensic investigation process.

Photographer

Investigator

Attorney

Incident responder

(Chapter 2): An attorney or legal adviser provides legal advice about the investigation and any potential legal issues. A photographer is helping to document evidence, the investigator is performing the actual investigation, and the Incident Responder is responding to the incident itself. With the statement of "legal advice," your focus should be on attorney.

Explanation

(Chapter 2): An attorney or legal adviser provides legal advice about the investigation and any potential legal issues. A photographer is helping to document evidence, the investigator is performing the actual investigation, and the Incident Responder is responding to the incident itself. With the statement of "legal advice," your focus should be on attorney.

32. How can you find scheduled and unscheduled tasks on the local host?

Net local.host

Schtasks.exe

Find schtasks.exe

Use schtasks.exe

(Chapter 8): schtasks.exe allows you to find scheduled and unscheduled tasks on the local host. The other commands are using made up syntax.

Explanation

(Chapter 8): schtasks.exe allows you to find scheduled and unscheduled tasks on the local host. The other commands are using made up syntax.

33. GIF has how many bits per pixel

16

24

8

32

(Chapter 3): GIF has 8 bits per pixel and 256 colors per frame.

Explanation

(Chapter 3): GIF has 8 bits per pixel and 256 colors per frame.

34. A computer forensics lab should have windows all around the perimeter.

True

False

Option 3

Option 4

(Chapter 2): A CFL should not have any windows around the perimeter. Lab work areas should also contain 50-63 square feet per workstation. This is found in Chapter 2 of the official EC-Council material.

Explanation

(Chapter 2): A CFL should not have any windows around the perimeter. Lab work areas should also contain 50-63 square feet per workstation. This is found in Chapter 2 of the official EC-Council material.

35. This rule governs proceedings in the courts of the United States.

Rule 101

Rule 103

Rule 493

Rule 622

(Chapter 1): Rule 101 governs proceedings in the courts of the United States. Rule 103 covers the Rulings on Evidence. Rule 493 and Rule 622 are just made up answers and are incorrect.

Explanation

(Chapter 1): Rule 101 governs proceedings in the courts of the United States. Rule 103 covers the Rulings on Evidence. Rule 493 and Rule 622 are just made up answers and are incorrect.

36. In FAT, the first letter of the deleted file name is replaced with:

X5h

E5h

Esh

Exy

(Chapter 5): In FAT, the OS replaces the first letter of the deleted file name with E5H. The other answer choices are all made up and are incorrect.

Explanation

(Chapter 5): In FAT, the OS replaces the first letter of the deleted file name with E5H. The other answer choices are all made up and are incorrect.

37. Tasha is looking for the UEFI phase that involves clearing UEFI from memory.

Dxe

Sec

Rt

Bsd

(Chapter 3): The runtime (RT) phase is where UEFI is cleared from memory. The SEC (security) phase is where code is initialized. BSD is not a UEFI phase, but BDS is, so this answer is incorrect. DXE (Driver Execution Environment) contains HOBL and does not involve clearing the UEFI from memory.

Explanation

(Chapter 3): The runtime (RT) phase is where UEFI is cleared from memory. The SEC (security) phase is where code is initialized. BSD is not a UEFI phase, but BDS is, so this answer is incorrect. DXE (Driver Execution Environment) contains HOBL and does not involve clearing the UEFI from memory.

38. This does not use OLE.

Word

Excel

PDF

MS Office

(Chapter 3): OLE (Object Linking and Embedding) is not used in PDF, but is used in Microsoft Office applications, specifically Word and Excel.

Explanation

(Chapter 3): OLE (Object Linking and Embedding) is not used in PDF, but is used in Microsoft Office applications, specifically Word and Excel.

39. Which of the following is not a benefit of cloud computing?

Scalability

Elasticity

Less security risk

Availability

(Chapter 10): Cloud storage has a greater security risk, in most cases, since you are reliant upon the CSP (cloud service provider) to protect your data. Cloud computing DOES offer scalability, elasticity, and generally, greater availability.

Explanation

(Chapter 10): Cloud storage has a greater security risk, in most cases, since you are reliant upon the CSP (cloud service provider) to protect your data. Cloud computing DOES offer scalability, elasticity, and generally, greater availability.

40. A warrantless seizure of digital evidence is used when:

(Chapter 2): According to the United States v. David, a warrantless seizure is used when the destruction of evidence is imminent and there is cause to believe that the item being seized constitutes evidence of criminal activity.

Explanation

(Chapter 2): According to the United States v. David, a warrantless seizure is used when the destruction of evidence is imminent and there is cause to believe that the item being seized constitutes evidence of criminal activity.

41. You can detect Trojans with which of the following?

Tripwire

Capsa

Belkasoft RAM Cap

Regshot

(Chapter 11): Capsa can be used to detect Trojans. Tripwire is for file integrity, Belkasoft RAM Capturer is self-explanatory, and Regshot monitors registry changes.

Explanation

(Chapter 11): Capsa can be used to detect Trojans. Tripwire is for file integrity, Belkasoft RAM Capturer is self-explanatory, and Regshot monitors registry changes.

42. A deposition is different from a regular trial in that:

Both attorneys are present

A judge is present

The jury is present

Both the judge and jury are present

(Chapter 14): Both attorneys are present in a deposition. The other answers are incorrect because a judge and/or jury are also present at the trial. This is found in Chapter 14 of the official EC-Council material.

Explanation

(Chapter 14): Both attorneys are present in a deposition. The other answers are incorrect because a judge and/or jury are also present at the trial. This is found in Chapter 14 of the official EC-Council material.

43. This is an IDS:

Kismet

Snort

Accountix Pro

Nikto 1000

(Chapter 8): Snort is a popular IDS. Kismet is for wireless sniffing. Accountix Pro and Nikto 1000 are made up and are incorrect.

Explanation

(Chapter 8): Snort is a popular IDS. Kismet is for wireless sniffing. Accountix Pro and Nikto 1000 are made up and are incorrect.

44. MIME stream is found:

PRIVE.EDB

PRIVE.STM

PUB.EDB

PRIB.STM

(Chapter 12): PRIV.STM is correct. PRIV.EDB contains the message headers. PUB.EDB stores public folder hierarchies. PRIB.STM is made up.

Explanation

(Chapter 12): PRIV.STM is correct. PRIV.EDB contains the message headers. PUB.EDB stores public folder hierarchies. PRIB.STM is made up.

45. This extracts data contained from an internet traffic capture

X data extract

Xplico

Sysanalyzer

Web syssol

(Chapter 2): Xplico is a network forensics analysis tool that extracts this type of data. SysAnalyzer is for malware analysis. The other two answers are made up tools and are incorrect.

Explanation

(Chapter 2): Xplico is a network forensics analysis tool that extracts this type of data. SysAnalyzer is for malware analysis. The other two answers are made up tools and are incorrect.

46. The first file system developed for Linux in 1992 was:

EXT3

HFS

NTFS

EXT

(Chapter 3): EXT is correct. HFS is for Mac OS. NTFS is for Windows. EXT3 came after EXT.

Explanation

(Chapter 3): EXT is correct. HFS is for Mac OS. NTFS is for Windows. EXT3 came after EXT.

47. Google Drive Configuration files are stored at this path:

C:\Google\Drive\User\Default

C:\Google Drive\<user default>

C:\Users\<username>\AppData\Local\Google\Drive\user_default

C:\Users\AppData\Local\Google Drive\user

Chapter 10: The other answers are made up.

Explanation

Chapter 10: The other answers are made up.

48. Cisco shows this: %SEC-6-IPACCESSLOGP

IP invalid

File Corrupt

Packet matching log criteria for the given access list has been detected (TCP or UDP)

IP Access log is alerting on the stored P drive

(Chapter 7): packet matching log criteria for the given access list has been detected (TCP or UDP) is correct. The other answers here are incorrect. For your exam, memorize this Cisco log output.

Explanation

(Chapter 7): packet matching log criteria for the given access list has been detected (TCP or UDP) is correct. The other answers here are incorrect. For your exam, memorize this Cisco log output.

49. This Android library is used to render 2D (SGL) or 3D (OpenGL/ES) graphics to the screen.

DVM

FreeType

Libc

Open GL/ES and SGL

(Chapter 13): Open GL/ES and SGL is correct. DVM (Dalvik Virtual Machine) is a type of JAVA virtual machine responsible for power and memory management. FreeType renders bitmap and vector fonts. Libc is a C system library tuned for embedded Linux-based devices. You will likely see Open GL/ES and SGL on the real exam.

Explanation

(Chapter 13): Open GL/ES and SGL is correct. DVM (Dalvik Virtual Machine) is a type of JAVA virtual machine responsible for power and memory management. FreeType renders bitmap and vector fonts. Libc is a C system library tuned for embedded Linux-based devices. You will likely see Open GL/ES and SGL on the real exam.

50. Sectors are how many bytes long.

256

512

128

32

(Chapter 3): Sectors are the smallest physical storage units on a hard disk platter and are 512 bytes long. Newer format sectors are 8 of the 512 byte sectors and they make up one 4KB sector, which is more efficient. This is in Chapter 3 of the official EC-Council material.

Explanation

(Chapter 3): Sectors are the smallest physical storage units on a hard disk platter and are 512 bytes long. Newer format sectors are 8 of the 512 byte sectors and they make up one 4KB sector, which is more efficient. This is in Chapter 3 of the official EC-Council material.

51. The installation of Google Drive Client Version in Windows 10 creates this (choose the best answer):

Problems

Sync_log.log

Config.exe

Gd.exe

Chapter 10: The Sync_log.log file is created. This file contains information about the client sync session. Problems is wrong for obvious reasons. The other two answers are made up.

Explanation

Chapter 10: The Sync_log.log file is created. This file contains information about the client sync session. Problems is wrong for obvious reasons. The other two answers are made up.

52. POP3 is used for:

Sending emails

Retrieving emails

Deleting emails

IMAP emails only

(Chapter 12): POP3 is used for retrieving emails form the email server. SMTP is used for sending emails. The other answers are not applicable.

Explanation

(Chapter 12): POP3 is used for retrieving emails form the email server. SMTP is used for sending emails. The other answers are not applicable.

53. An investigator should use ______ imaging for copying data.

MBR

Bit Stream

Crest Stream

RegEdit

(Chapters 3 and 4): Bit stream is correct. MBR is the Master Boot Record. RegEdit is the registry editor. Crest stream is a made up answer.

Explanation

(Chapters 3 and 4): Bit stream is correct. MBR is the Master Boot Record. RegEdit is the registry editor. Crest stream is a made up answer.

54. Google Drive logs are:

Google_drive.log

Vmos.log

Sync_log.log

Syn_log

(Chapter 10 p858): sync_log.log is the correct answer. google_drive.log, vmos.log, and syn_log are all made up answers.

Explanation

(Chapter 10 p858): sync_log.log is the correct answer. google_drive.log, vmos.log, and syn_log are all made up answers.

55. 18 USC p1030 covers:

Child pornography

Malicious mischief

Misleading domain activity

Fraud and related activity in connection with computers

(Chapter 2): 18 USC §1030 covers fraud and related activity in connection with computers. §2252A is child pornography. Malicious mischief is covered in §1361-1362. Misleading domains are covered under §2252B.

Explanation

(Chapter 2): 18 USC §1030 covers fraud and related activity in connection with computers. §2252A is child pornography. Malicious mischief is covered in §1361-1362. Misleading domains are covered under §2252B.

56. How many bits per pixel does GIF contain?

16

32

8

64

(Chapter 3): GIF contains 8 bits per pixel. The other answers are made up and are incorrect.

Explanation

(Chapter 3): GIF contains 8 bits per pixel. The other answers are made up and are incorrect.

57. David needs a tool that contains an ISO image. He knows that ______ offers this.

Diskdigger

Active@ file recovery

Recuva

Easeus

(Chapter 5): Of the choices listed, only Active@ File Recovery offers the CD/DVD ISO image. DiskDigger offers the thumbnail previews. Recuva offers secure file deletion. EaseUS supports large hard disks.

Explanation

(Chapter 5): Of the choices listed, only Active@ File Recovery offers the CD/DVD ISO image. DiskDigger offers the thumbnail previews. Recuva offers secure file deletion. EaseUS supports large hard disks.

58. UTC stands for:

Universal Coordinate Tasks

Coordinated Universal Time

Coordinated User Time

Universal Computer Time

(Chapter 6): UTC stands for Coordinated Universal Time. The other choices are made up answers.

Explanation

(Chapter 6): UTC stands for Coordinated Universal Time. The other choices are made up answers.

59. When a file is deleted in FAT, the first letter of the deleted filename is changed to:

H5H

E5H

ESH

ESE

(Chapter 5): E5H is put at the front of a deleted FAT file. Memorize this as you will likely see it on your exam. The other answers are made up and are incorrect.

Explanation

(Chapter 5): E5H is put at the front of a deleted FAT file. Memorize this as you will likely see it on your exam. The other answers are made up and are incorrect.

60. The nbtstat command can be used for:

Linux servers

NBT servers

NetBIOS

Malware execution

(Chapter 6 and Chapter 8): The best answer here is NetBIOS. NBT servers is made up. you could technically give a Linux machine a NetBIOS name by installing SAMBA, but this is not what the nbtstat command can be used for. Malware execution is not relevant to the nbtstat command and is also incorrect.

Explanation

(Chapter 6 and Chapter 8): The best answer here is NetBIOS. NBT servers is made up. you could technically give a Linux machine a NetBIOS name by installing SAMBA, but this is not what the nbtstat command can be used for. Malware execution is not relevant to the nbtstat command and is also incorrect.

61. Poor controls around passwords and accounts in general would be considered this type of Web application threat.

SQL injection

Broken account management

XSS

CSRF

(Chapter 8): Broken account management would involve poor controls around passwords and accounts in general. The other attacks do not involve poor control around passwords and accounts.

Explanation

(Chapter 8): Broken account management would involve poor controls around passwords and accounts in general. The other attacks do not involve poor control around passwords and accounts.

62. This verifies the file system integrity of a volume, fixes logical file system errors, and is similar to the fsck command in unix.

RegEdit

CHKDSK

Disk Integrity

Lsck

(Chapter 3): CHKDSK verifies the file system integrity of a volume, fixes logical file system errors, and is similar to the fsck command in Unix. RegEdit (Registry Editor) is used to load registry hives. lsck is made up as is Disk Integrity.

Explanation

(Chapter 3): CHKDSK verifies the file system integrity of a volume, fixes logical file system errors, and is similar to the fsck command in Unix. RegEdit (Registry Editor) is used to load registry hives. lsck is made up as is Disk Integrity.

63. Which of the following is true regarding digital evidence?

Investigators should only use the original for the investigation

Investigators should not worry about the integrity of evidence

A duplicate copy should be made for analysis

The investigator does not need a search warrant if they deem the investigation necessary

(Chapter 1): An investigator should always have a duplicate copy of the digital evidence and should use the duplicate for analysis.

Explanation

(Chapter 1): An investigator should always have a duplicate copy of the digital evidence and should use the duplicate for analysis.

64. This contains the manufacturer's information

ICCID

ESN

EIR

IMSI

(Chapter 13): The ESN (Electronic Serial Number) has the manufacturer’s code. ICCID (Integrated Circuit Card Identifier) is printed on the SIM to identify the SIM internationally. EIR is made up. IMSI (International Mobile Subscriber Identity) defines the subscriber in the wireless world, including the country and mobile network that the subscriber belongs to.

Explanation

(Chapter 13): The ESN (Electronic Serial Number) has the manufacturer’s code. ICCID (Integrated Circuit Card Identifier) is printed on the SIM to identify the SIM internationally. EIR is made up. IMSI (International Mobile Subscriber Identity) defines the subscriber in the wireless world, including the country and mobile network that the subscriber belongs to.

65. This tool can recover all types of lost files from disk or removable media.

Netlytic

Recuva

Recova

Capsa

(Chapters 2 and 5): Recuva can be used to recover all types of lost files from disk or removable media. Capsa is a network analyzer. Netlytic and Recova are made up.

Explanation

(Chapters 2 and 5): Recuva can be used to recover all types of lost files from disk or removable media. Capsa is a network analyzer. Netlytic and Recova are made up.

66. For a router, the investigator should:

Cut the power cord with a 3b72 knife

Unplug the network cable from the router

Search the closest PC for the router password

Leave the router at the site as it does not contain any evidence

(Chapter 2): The investigator should unplug the network cable from the router to prevent additional attacks. Routers do contain potential evidence, so it should not be left at the scene. Cutting the power cord with a knife is just silly and dangerous. The router password should not be on the local PC and the investigator's focus should be to preserve evidence. The best answer (and the one ECC uses) is to unplug the network cable form the router.

Explanation

(Chapter 2): The investigator should unplug the network cable from the router to prevent additional attacks. Routers do contain potential evidence, so it should not be left at the scene. Cutting the power cord with a knife is just silly and dangerous. The router password should not be on the local PC and the investigator's focus should be to preserve evidence. The best answer (and the one ECC uses) is to unplug the network cable form the router.

67. 18 USC p 2252A covers

Small Business Loans

Fraud

Abuse

Child Porn

(Chapter 12): Child porn is correct. § 1030 covers Fraud and related activity in connection with computers. The other two answers are made up.

Explanation

(Chapter 12): Child porn is correct. § 1030 covers Fraud and related activity in connection with computers. The other two answers are made up.

68. BigCHFIDog.com is an e-Commerce business with $500,000 in annual revenue. Last night, for about 4 hours, their customers were unable to access the website for shopping. What type of attack did they most likely experience?

DTC

DDoS

SQL

XSS

(Chapter 8): From the description, this is most likely a denial of service type attack. Since DDoS is the only denial of service attack listed, this is the correct answer.

Explanation

(Chapter 8): From the description, this is most likely a denial of service type attack. Since DDoS is the only denial of service attack listed, this is the correct answer.

69. This tool can be used to restore emails

Quick recovery

File salvage

Data recovery pro

Total recall

(Chapter 5): Data Recovery Pro can be used to restore deleted emails and email attachments. Quick Recovery can be used to recover encrypted files and restore them. File Salvage recovers lost files in Mac OS. Total Recall can be used for RAID.

Explanation

(Chapter 5): Data Recovery Pro can be used to restore deleted emails and email attachments. Quick Recovery can be used to recover encrypted files and restore them. File Salvage recovers lost files in Mac OS. Total Recall can be used for RAID.

70. A report, presented orally, to a board of directors, jury, or managers would be called.

Formal verbal report

Informal verbal report

Formal written report

Informal written report

(Chapter 14): A formal verbal report is given orally to the board, a jury, or managers.

Explanation

(Chapter 14): A formal verbal report is given orally to the board, a jury, or managers.

71. These are saved in the installation folder in the user profile for Google Drive

Backup files

Configuration files

Log files

Image files

Chapter 10: Configuration files is correct. The other files are not saved in the installation folder.

Explanation

Chapter 10: Configuration files is correct. The other files are not saved in the installation folder.

72. This is a sequence of bytes, organized into blocks understandable by the system's Linker.

HDTV

Object file

Object oriented database

Snort

(Note: not seen in the official EC-Council material, but it was reported being seen on the exam): Object file is correct. Snort is an IDS. HDTV and Object oriented database are made up.

Explanation

(Note: not seen in the official EC-Council material, but it was reported being seen on the exam): Object file is correct. Snort is an IDS. HDTV and Object oriented database are made up.

73. POP3 runs on port:

125

25

23

110

(Chapter 12): POP3 (Post Office Protocol) runs on port 110. SMTP is port 25. Telnet is port 23. Port is 125 is also incorrect.

Explanation

(Chapter 12): POP3 (Post Office Protocol) runs on port 110. SMTP is port 25. Telnet is port 23. Port is 125 is also incorrect.

74. This tool restores deleted emails and email attachments

Quick recovery

Total recall

Data recovery pro

R-studio

(Chapter 5): Data Recovery Pro specifically mentions email recovery in its use. TotalRecall can be used to recover RAID drives. R-Studio and Quick recovery are for file recovery.

Explanation

(Chapter 5): Data Recovery Pro specifically mentions email recovery in its use. TotalRecall can be used to recover RAID drives. R-Studio and Quick recovery are for file recovery.

75. Paco needs to open an Android phone. He should use:

Pangu Jail Break

GeekSn0w

TowelRoot

Redsn0w

(Chapter 13): Any jailbreak tool with "Root" in it should mean Android on your exam. The other choices are all used for iOS.

Explanation

(Chapter 13): Any jailbreak tool with "Root" in it should mean Android on your exam. The other choices are all used for iOS.

76. SMTP normally runs on this port:

23

110

143

25

(Chapter 12): SMTP (Simple Mail Transfer Protocol) normally runs on port 25. Telnet is 23. POP3 is 110. Know your most common ports for the exam. You will probably only see one or two on there.

Explanation

(Chapter 12): SMTP (Simple Mail Transfer Protocol) normally runs on port 25. Telnet is 23. POP3 is 110. Know your most common ports for the exam. You will probably only see one or two on there.

77. Which Windows version boots in either UEFI-GPT or BIOS-MBR?

Xp

Vista

7

10

(Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR. Windows XP, Vista, and 7 boot with BIOS-MBR.

Explanation

(Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR. Windows XP, Vista, and 7 boot with BIOS-MBR.

78. Keira is an investigator with the FBI that needs to recover lost files from a USB flash drive. Which tool can help her do this?

R-studio

Diskdigger

Capsa

Tripwire

(Chapter 5): Disk Digger can help recover lost files from hard drives, memory cards, and USB flash drives. R-Studio recovers data from disks. Capsa is a network analyzer that can be used to detect Trojans. Tripwire can be used for file integrity.

Explanation

(Chapter 5): Disk Digger can help recover lost files from hard drives, memory cards, and USB flash drives. R-Studio recovers data from disks. Capsa is a network analyzer that can be used to detect Trojans. Tripwire can be used for file integrity.

79. This is the starting point of a database.

MDF

LDF

NDF

ADF

(Chapter 9): The MDF (primary data file) is the starting point of a database and points to all other files in the database.

Explanation

(Chapter 9): The MDF (primary data file) is the starting point of a database and points to all other files in the database.

80. Johnny has been caught with child porn. This investigation would be:

Criminal AND Administrative

Civil

Criminal

Administrative

(Chapter 1): There is no indication that Johnny inappropriately used a work computer for this crime, so it would just be a criminal investigation. Child porn is a crime, so Civil and Administrative would not be the best choice here.

Explanation

(Chapter 1): There is no indication that Johnny inappropriately used a work computer for this crime, so it would just be a criminal investigation. Child porn is a crime, so Civil and Administrative would not be the best choice here.

81. What does ETI stand for?

Extra-Technology Investigator

Enterprise Technology Investigator

Enterprise Theory of Investigation

Elite and Tactical Investigation Team

(Chapter 1): ETI stands for Enterprise Theory of Investigation. ETI is a powerful methodology that adopts a holistic approach to criminal activity as a criminal operation and not just as a single criminal act.

Explanation

(Chapter 1): ETI stands for Enterprise Theory of Investigation. ETI is a powerful methodology that adopts a holistic approach to criminal activity as a criminal operation and not just as a single criminal act.

82. A warrantless seizure can be used when

The instruction of evidence is imminent

The destruction of evidence is imminent

Evidence is already collected

The item being seized is not evidence of criminal activity

(Chapter 2): According to the United States v. David, a warrantless seizure is used when the destruction of evidence is imminent and there is cause to believe that the item being seized constitutes evidence of criminal activity. If evidence is already collected, a warrant will generally not do any good and the evidence will likely be inadmissible. If no criminal activity has occurred then there is no justification to seize evidence. Instruction of evidence is a silly answer, since you are not instructing the evidence to do anything.

Explanation

(Chapter 2): According to the United States v. David, a warrantless seizure is used when the destruction of evidence is imminent and there is cause to believe that the item being seized constitutes evidence of criminal activity. If evidence is already collected, a warrant will generally not do any good and the evidence will likely be inadmissible. If no criminal activity has occurred then there is no justification to seize evidence. Instruction of evidence is a silly answer, since you are not instructing the evidence to do anything.

83. When a FAT file is deleted, what is placed at the front?

ELH

E5H

EH5

ESH

(Chapter 5): E5H is put at the front of a deleted FAT file. The other answers are incorrect because they do not contain the correct sequence.

Explanation

(Chapter 5): E5H is put at the front of a deleted FAT file. The other answers are incorrect because they do not contain the correct sequence.

84. A deleted file in the Recycle Bin is named RIYH6VR.doc. This tells us:

The file was deleted from the Y drive in the 6th order

The deleted file is a document file

The file was deleted with Recuva

None of the above

(Chapter 5): We can infer that this is a document file, based on the extension of .doc. Recuva does not leave a particular file name when performing recovery. The other answers do not make sense, since we do not see Dy5, which indicate a file deleted form the Y drive in the 6th order, and since we know this is a document file.

Explanation

(Chapter 5): We can infer that this is a document file, based on the extension of .doc. Recuva does not leave a particular file name when performing recovery. The other answers do not make sense, since we do not see Dy5, which indicate a file deleted form the Y drive in the 6th order, and since we know this is a document file.

85. This event correlation approach monitors computer and user behavior for anomalies.

Ronald-based approach

Role-based approach

Bayesian correlation

Payload correlation approach

(Chapter 7): Role-based approach is correct. Bayesian correlation uses statistics. Payload correlation compares packets with signatures (i.e.- IPS/IDS). Ronald-based is made up.

Explanation

(Chapter 7): Role-based approach is correct. Bayesian correlation uses statistics. Payload correlation compares packets with signatures (i.e.- IPS/IDS). Ronald-based is made up.

86. Stacey needs to crack a Windows password. She can use which tool to do this?

MBR Crack

EaseUS

Cain & Abel

CHS Crack

(Chapter 5): Cain & Abel is the only password cracking tool in this list. CHS and MBR crack are made up. EaseUS is used for recovery, not passwords.

Explanation

(Chapter 5): Cain & Abel is the only password cracking tool in this list. CHS and MBR crack are made up. EaseUS is used for recovery, not passwords.

87. This requires financial institutions to protect their customers' information against security threats.

SOX

NIST

GLBA

HIPAA

(Chapter 7): The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect their customers' information against security threats. HIPAA is for healthcare. SOX is to protect investors from account fraud. NIST is a set of standards for security policies, standards, and best practices.

Explanation

(Chapter 7): The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect their customers' information against security threats. HIPAA is for healthcare. SOX is to protect investors from account fraud. NIST is a set of standards for security policies, standards, and best practices.

88. The Superblock in UFS has:

Seven triangles

Non-magic number

Magic number

Size and shape of EXT2

(Chapter 3): Magic number is correct. The Superblock in Linux EXT2 stores information about the size and shape of EXT2. seven triangles and non-magic number are made up.

Explanation

(Chapter 3): Magic number is correct. The Superblock in Linux EXT2 stores information about the size and shape of EXT2. seven triangles and non-magic number are made up.

89. Dropbox Client path:

C:\Program Files(x86)\Dropbox\Client

C:\Program Files\Dropbox\Client

C:\Dropbox\Client

C:\Dropbox\Client\Config

Chapter 10: The other paths are made up.

Explanation

Chapter 10: The other paths are made up.

90. David needs to recover lost files from a USB flash drive. Which tool will help him?

Partition ranger

Diskdigger

Easeus

Data recovery pro

(Chapter 5): Disk Digger can help recover lost files from hard drives, memory cards, and USB flash drives. Data Recovery Pro recovers deleted emails/email attachments. EaseUS allows for precise searching. Partition Ranger is made up and is incorrect as well.

Explanation

(Chapter 5): Disk Digger can help recover lost files from hard drives, memory cards, and USB flash drives. Data Recovery Pro recovers deleted emails/email attachments. EaseUS allows for precise searching. Partition Ranger is made up and is incorrect as well.

91. Circular, metal disks mounted into the drive enclosure are called:

Plates

Tracks

Platters

Clusters

(Chapter 3): Platters are circular, metal disks that are mounted into a drive enclosure. Tracks are concentric rings on the platters. Clusters are the smallest accessible logical storage units on the hard disk. Plates is a made up answer and is incorrect.

Explanation

(Chapter 3): Platters are circular, metal disks that are mounted into a drive enclosure. Tracks are concentric rings on the platters. Clusters are the smallest accessible logical storage units on the hard disk. Plates is a made up answer and is incorrect.

92. In Windows Server 2012 (IIS), log files are stored at:

SystemDrive%\inetpub\Logs\LogFiles

%SystemDrive%\Logs\LogFiles

%SystemDrive%\inetpub\Logs\LogFiles

%SystemDrive\inetpub\Logs\LogFiles

(Chapter 8): Windows Server 2012 log files are stored at %SystemDrive%\inetpub\Logs\LogFiles. You should memorize this path for the CHFI exam. Two of the other answers are missing a percentage (%) sign in the path. The other path is missing the inetpub, which it incorrect.

Explanation

(Chapter 8): Windows Server 2012 log files are stored at %SystemDrive%\inetpub\Logs\LogFiles. You should memorize this path for the CHFI exam. Two of the other answers are missing a percentage (%) sign in the path. The other path is missing the inetpub, which it incorrect.

93. Scientific testimony.

Daubert

Frye

Willie

00AB Standard

(Chapter 14): Frye is the standard for scientific testimony. Daubert covers Expert Witness testimony. Know these for your exam. The other answers are made up.

Explanation

(Chapter 14): Frye is the standard for scientific testimony. Daubert covers Expert Witness testimony. Know these for your exam. The other answers are made up.

94. Tools designated as software tools include all of the following EXCEPT:

TULP2G

Phone Image Carver

Paraben's Phone Recovery Stick

Scalpel

(Chapter 13): Paraben's Phone Recovery Stick is considered a hardware tool.

Explanation

(Chapter 13): Paraben's Phone Recovery Stick is considered a hardware tool.

95. The Daubert standard pertains to:

Scientific testimony

Expert witness testimony

Admissibility of evidence

Legal proceedings

(Chapter 14): Daubert pertains to expert witness and Frye pertains to scientific evidence. The other answers are not applicable to testimony of witnesses.

Explanation

(Chapter 14): Daubert pertains to expert witness and Frye pertains to scientific evidence. The other answers are not applicable to testimony of witnesses.

96. This tool displays details about GPT partition tables in Mac OS

VFS Rider

DiskDrill

File Salvage

Disk Utility

Option 5

(chapter 3): Disk Utility is the only selection that displays details about partition tables in Mac. VFS Rider is a made up tool. DiskDrill can recover from corrupted memory cards. File Salvage is also a Mac tool, but is used for file recovery.

Explanation

(chapter 3): Disk Utility is the only selection that displays details about partition tables in Mac. VFS Rider is a made up tool. DiskDrill can recover from corrupted memory cards. File Salvage is also a Mac tool, but is used for file recovery.

97. This is wasted area of the disk cluster, lying between the end of the file and end of the cluster.

Spare space

Recycled space

Slack space

Stream space

(Chapter 3): Slack space is the wasted area of the disk cluster that lies between the end of the file and end of the cluster, when the file system allocates a full cluster to a file, which is smaller than the cluster size. The other answers here are made up.

Explanation

(Chapter 3): Slack space is the wasted area of the disk cluster that lies between the end of the file and end of the cluster, when the file system allocates a full cluster to a file, which is smaller than the cluster size. The other answers here are made up.

98. The attacker uses exploits to access other directories. This is known as:

SQL injection attack

Directory traversal attack

Insecure storage

Cookie poisoning

(Chapter 8): Look for the keyword of the question, like directory in this one, on the actual exam. It will help you answer correctly. SQL injection involves injecting SQL commands via input data. Insecure storage involves a lack of control around stored data (credit card numbers). Cookie poisoning involves modifying information in cookies.

Explanation

(Chapter 8): Look for the keyword of the question, like directory in this one, on the actual exam. It will help you answer correctly. SQL injection involves injecting SQL commands via input data. Insecure storage involves a lack of control around stored data (credit card numbers). Cookie poisoning involves modifying information in cookies.

99. This RAID level uses byte-level data striping across multiple drives and distributes parity information among all member drives.

6

5

1

2

(Chapter 3): RAID 5 uses byte-level data striping across multiple drives and distributes parity information among all member drives. RAID 1 offers mirroring. RAID 2 does not implement parity, mirroring, or striping. RAID 6 is made up.

Explanation

(Chapter 3): RAID 5 uses byte-level data striping across multiple drives and distributes parity information among all member drives. RAID 1 offers mirroring. RAID 2 does not implement parity, mirroring, or striping. RAID 6 is made up.

100. Registry Editor

Reg_1

Reg 3000

Registry 3000

RegEdit

(Chapter 6): The Registry Editor is also known by RegEdit. The other answers are made up and are incorrect.

Explanation

(Chapter 6): The Registry Editor is also known by RegEdit. The other answers are made up and are incorrect.

101. A Digital Forensic Investigator investigates this type of crime (choose the best answer).

Gang violence

Narcotics

Digital crime

Crime not involving computers

(Chapter 1): A digital forensic investigator investigates digital crimes.

Explanation

(Chapter 1): A digital forensic investigator investigates digital crimes.

102. Nasir is needing to recover lost data from RAID. He knows that this tool will be needed.

Total Recall

DiskDigger

Advanced Disk Recovery

Comodo Programs Manager

(Chapter 5): Total Recall is used for RAID. Comodo Programs Manager is used for dynamic malware analysis. DiskDigger offers thumbnail previews of recovered files. Advanced Disk Recovery offers the Quick and Deep scans.

Explanation

(Chapter 5): Total Recall is used for RAID. Comodo Programs Manager is used for dynamic malware analysis. DiskDigger offers thumbnail previews of recovered files. Advanced Disk Recovery offers the Quick and Deep scans.

103. Bob arrives on the scene of a large corporation after an attack. His analysis of the affected devices is considered:

Pre-mortem analysis

Live analysis

Real-time analysis

Post-mortem analysis

(Chapter 7): This would be considered post-mortem analysis, since it is after the attack. Real-time analysis is when the incident is occurring and data is being obtained in real-time, so action can be taken. Live analysis would be similar to static analysis. Pre-mortem analysis is made up.

Explanation

(Chapter 7): This would be considered post-mortem analysis, since it is after the attack. Real-time analysis is when the incident is occurring and data is being obtained in real-time, so action can be taken. Live analysis would be similar to static analysis. Pre-mortem analysis is made up.

104. John wants to root an Apple phone. Which tool should he use?

OneClickRoot

TowelRoot

RescuRoot

RedSn0w

(Chapter 13): RedSn0w is used to root iOS devices. One trick for your exam is anything with "root" in the name is usually for Android.

Explanation

(Chapter 13): RedSn0w is used to root iOS devices. One trick for your exam is anything with "root" in the name is usually for Android.

105. Tracked user activities can be found in this file:

SAM

NTUSER.DAT

NTUSER.ACT

LoggedUsers.dll

(Chapter 6): NTUSER.DAT is the correct answer. The SAM file contains user credential information. The other answers are made up.

Explanation

(Chapter 6): NTUSER.DAT is the correct answer. The SAM file contains user credential information. The other answers are made up.

106. John is a forensic investigator working on a case for a WHC hospital. John finds a USB drive sitting behind an access control door in the server room. The hospital provides John access to retrieve the device. John knows that the USB represents:

Non-volatile data

Volatile data

A cluster

A partition

(Chapter 1): A USB is a secondary storage device that represents non-volatile data. Other forms of non-volatile data include hidden files, slack space, swap file, event logs, registry settings, and unused partitions.

Explanation

(Chapter 1): A USB is a secondary storage device that represents non-volatile data. Other forms of non-volatile data include hidden files, slack space, swap file, event logs, registry settings, and unused partitions.

107. This is used to render 2D (SGL) or 3D graphics to the screen.

Webkit

Freetype

OpenGL/ES and SGL

Libc

(Chapter 13): All of these are Android libraries. OpenGL/ES and SGL is the correct answer. WebKit is the browser engine used to display web pages. FreeType renders bitmap and vector fonts. Libc is a C system library tuned for embedded Linux-based devices.

Explanation

(Chapter 13): All of these are Android libraries. OpenGL/ES and SGL is the correct answer. WebKit is the browser engine used to display web pages. FreeType renders bitmap and vector fonts. Libc is a C system library tuned for embedded Linux-based devices.

108. CAN-SPAM requires senders to honor opt-out requests within:

6 months

3 months

10 business days

30 business days

(Chapter 12): The CAN-SPAM act requires opt-out requests be honored within 10 business days. The other choices are incorrect because they do not meet this criteria.

Explanation

(Chapter 12): The CAN-SPAM act requires opt-out requests be honored within 10 business days. The other choices are incorrect because they do not meet this criteria.

109. This can do data acquisition and duplication.

Capsa

Drivespy

Wireshark

Xplico

(Chapter 4): Drivespy can do data acquisition and duplication. Wireshark is for network sniffing. Capsa is a network analyzer and can detect Trojans. Xplico is a network forensics analysis tool.

Explanation

(Chapter 4): Drivespy can do data acquisition and duplication. Wireshark is for network sniffing. Capsa is a network analyzer and can detect Trojans. Xplico is a network forensics analysis tool.

110. All investigators keep track of the evidence path by using the:

Exhibit numbering standard

Chain of custody document

Evidence progression document

Evidence path document

(Chapter 1 and Chapter 2): The chain of custody document is used to demonstrate the progression of evidence from the original evidence location to the forensic lab. The evidence progression and evidence path documents do not exist. Exhibit numbering is part of collecting the evidence and labeling it for use in court.

Explanation

(Chapter 1 and Chapter 2): The chain of custody document is used to demonstrate the progression of evidence from the original evidence location to the forensic lab. The evidence progression and evidence path documents do not exist. Exhibit numbering is part of collecting the evidence and labeling it for use in court.

111. A small law firm suspects an incident, where there was potential criminal action, and wants to investigate themselves. Why should they avoid doing so? (choose the best answer)

Law firms should not perform digital forensic investigations

They may alter the date or timestamp information of the evidence

They can prosecute the attack

They have a conflict of interest, since they are involved in real estate law

(Chapter 2): The law firm may alter the data, so it will then be inadmissible in a criminal case.

Explanation

(Chapter 2): The law firm may alter the data, so it will then be inadmissible in a criminal case.

112. All of the following are Android rooting tools EXCEPT

OneClickRoot

TowelRoot

Redsn0w

RescuRoot

(Chapter 13): RedSn0w is used to root iOS devices. One trick for your exam is anything with "root" in the name is usually for Android.

Explanation

(Chapter 13): RedSn0w is used to root iOS devices. One trick for your exam is anything with "root" in the name is usually for Android.

113. A first responder secures the scene perimeter. This is:

Pre-investigation phase

Post-investigation phase

Investigation phase

Securing the scene phase

(Chapter 2): In the pre-investigation phase, the scene perimeter is secured. The Investigation phase is when the evidence is being collected and analyzed. There is not a phase named Securing the scene.

Explanation

(Chapter 2): In the pre-investigation phase, the scene perimeter is secured. The Investigation phase is when the evidence is being collected and analyzed. There is not a phase named Securing the scene.

114. David is looking for a tool that contains an ISO image, so he can burn a bootable CD. What tool is he looking for?

CD Boot

Active@ File Recovery

Pandora Recovery

Data Rescue 4

(Chapter 5): Active@ File Recovery is the only answer here that contains a CD/DVD ISO image that allows you to burn a bootable CD.

Explanation

(Chapter 5): Active@ File Recovery is the only answer here that contains a CD/DVD ISO image that allows you to burn a bootable CD.

115. This is part of Metasploit that can be used to hide data in the slack space of FAT and NTFS

RuneFS

Slacker

FragFS

WaffenFS

(Note: the only Metasploit tool mentioned in the ECC official material is Timestomp-- used to change the timestamp, mentioned in Chapter 5, but you will likely see Slacker mentioned on the exam. Welcome to ECC exams): Slacker is the tool in Metasploit that will hide data in the slack space of FAT or NTFS file systems, WaffenFS stores data in the EXT3 journal file, FragFS hides data within the NTFS Master file table, RuneFS stores data in bad blocks.

Explanation

(Note: the only Metasploit tool mentioned in the ECC official material is Timestomp-- used to change the timestamp, mentioned in Chapter 5, but you will likely see Slacker mentioned on the exam. Welcome to ECC exams): Slacker is the tool in Metasploit that will hide data in the slack space of FAT or NTFS file systems, WaffenFS stores data in the EXT3 journal file, FragFS hides data within the NTFS Master file table, RuneFS stores data in bad blocks.

116. This mobile API provides telephony services, like making calls, receiving calls, and SMS.

Phone

GUI

OS

Kernel

(Chapter 13): The Phone API provides telephony services, like making calls, receiving calls, and SMS. The GUI API is responsible for creating menus and submenus in designing applications. The OS API schedules multiple tasks, offers synchronization, and priority allocation. Kernel API is a made up answer.

Explanation

(Chapter 13): The Phone API provides telephony services, like making calls, receiving calls, and SMS. The GUI API is responsible for creating menus and submenus in designing applications. The OS API schedules multiple tasks, offers synchronization, and priority allocation. Kernel API is a made up answer.

117. This can be used to dump password hashes from the SAM file.

Winhex

Pwdump7

Mbr v6

H_attack

(Chapter 5): PWdump7 can be used to dump password hashes from the SAM file. WinHex is a disk editor tool for file headers. MBRv6 and H_attack are made up answers and are incorrect.

Explanation

(Chapter 5): PWdump7 can be used to dump password hashes from the SAM file. WinHex is a disk editor tool for file headers. MBRv6 and H_attack are made up answers and are incorrect.

118. Which command can be used to look for suspicious connections and the process ID

Netstat -nan

Netstat -ano

Netgift -ano

Netrenew -ano

(Chapter 6): netstat -ano is the command used to look for suspicious connections and the process ID. netgift and netrenew are made up commands and are incorrect. netstat -nan is not a valid syntax for the netstat command.

Explanation

(Chapter 6): netstat -ano is the command used to look for suspicious connections and the process ID. netgift and netrenew are made up commands and are incorrect. netstat -nan is not a valid syntax for the netstat command.

119. This Tasklist command is used to run the command with the account permissions of the user specified.

/user_special

/v

/s

/u

(Chapter 6): /u is correct. /s is used to specify the name or IP address of a remote computer. /v specifies that verbose task information be displayed in the output. /user_special is made up.

Explanation

(Chapter 6): /u is correct. /s is used to specify the name or IP address of a remote computer. /v specifies that verbose task information be displayed in the output. /user_special is made up.

120. Mila wants to boot with either BIOS-MBR or UEFI-GPT. Which Windows OS should she use?

7

Vista

10

XP

(Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR.

Explanation

(Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR.

121. UTC stands for:

Universal Computer Time

Coordinated Universal Time

Universal Time to Compute figures

Coordinated Universe Timing

(Chapter 6) UTC stands for Coordinated Universal Time.

Explanation

(Chapter 6) UTC stands for Coordinated Universal Time.

122. System time is an example of non-volatile data.

True

False

Option 3

Option 4

(Chapter 1): System time is actually a form of volatile data that can be lost, when the system is turned off. Other volatile data includes open files, network information, logged on users, process information, process memory, clipboard contents, command history, and more.

Explanation

(Chapter 1): System time is actually a form of volatile data that can be lost, when the system is turned off. Other volatile data includes open files, network information, logged on users, process information, process memory, clipboard contents, command history, and more.

123. ETI allows the investigator to:

Take down an entire criminal organization

Drop criminal charges

Investigate petty criminals

Treat all crime as a single criminal act

(Chapter 1): By using ETI, the investigator has a better chance of dismantling an entire criminal organization.

Explanation

(Chapter 1): By using ETI, the investigator has a better chance of dismantling an entire criminal organization.

124. Jamie is analyzing malware, but not executing it on his computer. What best describes the type of analysis he is doing?

Dynamic analysis

Reversal analysis

Static analysis

BEC analysis

(Chapter 11): Jamie is not actually running the malware, so the best choice would be static analysis. Dynamic analysis would involve executing the malware to see its behavior. Reversal analysis and BEC analysis are made up answers.

Explanation

(Chapter 11): Jamie is not actually running the malware, so the best choice would be static analysis. Dynamic analysis would involve executing the malware to see its behavior. Reversal analysis and BEC analysis are made up answers.

125. This standard defines the use for file systems of CD-ROM and DVD media.

ISO/IEC 9960

ISO 9660

ISO 3287

NIST 800-9934

(Chapter 3): ISO 9660 is a standard that defines the use for file systems of CD-ROM and DVD media. The other answers are made up.

Explanation

(Chapter 3): ISO 9660 is a standard that defines the use for file systems of CD-ROM and DVD media. The other answers are made up.

126. Jv16 can be used for

Static malware analysis

Registry

Efi

Vfs

Option 5

(Chapter 11): jv16 is a registry tool. Memorize this for your exam. Virtual file system and EFI are not valid choices. jv16 is not used for malware analysis--again, remember that for your exam.

Explanation

(Chapter 11): jv16 is a registry tool. Memorize this for your exam. Virtual file system and EFI are not valid choices. jv16 is not used for malware analysis--again, remember that for your exam.

127. Rob wants to discover potential hidden information in an image file. He would use this to see it.

Stegasorous

Steganography

Steganalysis

Stegographic

(Chapter 5): Steganalysis is the process of discovering the existence of hidden information within a covered medium (i.e.- an image file). Steganography is the practice of hiding information. The other answers are not applicable to forensics.

Explanation

(Chapter 5): Steganalysis is the process of discovering the existence of hidden information within a covered medium (i.e.- an image file). Steganography is the practice of hiding information. The other answers are not applicable to forensics.

128. This command can be used to see the names of all open shared files and the number of file locks.

PsFile

Net stat

Net file

Ls

(Chapter 6): The net file command displays the names of all open shared files and the number of file locks. netstat is a command to look for suspicious connections, but this answer shows "net stat," which is not a valid command. ls is used to list files in Linux. PsFile shows files opened remotely.

Explanation

(Chapter 6): The net file command displays the names of all open shared files and the number of file locks. netstat is a command to look for suspicious connections, but this answer shows "net stat," which is not a valid command. ls is used to list files in Linux. PsFile shows files opened remotely.

129. James enjoys this tool that offers thumbnail previews

Revuca preview mode

Diskdigger

Stellar phoenix

Xplico

(Chapter 5): DiskDigger offers thumbnail previews of recovered files. None of the other options offer thumbnail previews, so they are incorrect.

Explanation

(Chapter 5): DiskDigger offers thumbnail previews of recovered files. None of the other options offer thumbnail previews, so they are incorrect.

130. This is the smallest physical storage unit on the hard disk platter.

Sector

Cluster

Track

Platter

(Chapter 3): Sectors are the smallest physical storage units located on the hard disk platter. Clusters are the smallest logical storage unit. Tracks contain sectors. Platters are circular metal disks mounted into a drive enclosure.

Explanation

(Chapter 3): Sectors are the smallest physical storage units located on the hard disk platter. Clusters are the smallest logical storage unit. Tracks contain sectors. Platters are circular metal disks mounted into a drive enclosure.

131. RAPID IMAGE 7020 X2 is designed to copy how many "Master" hard drives?

Two

One

Three

Unlimited

Option 5

(Chapter 2 and Chapter 4-- both have the same information): RAPID IMAGE 7020 X2 is designed to copy 1 Master hard drive and up to 19 Target hard drives. The other answers are incorrect, based on Chapter 2 of the EC-Council material.

Explanation

(Chapter 2 and Chapter 4-- both have the same information): RAPID IMAGE 7020 X2 is designed to copy 1 Master hard drive and up to 19 Target hard drives. The other answers are incorrect, based on Chapter 2 of the EC-Council material.

132. This file is found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.

Passware file

Handle file

Slack file

Page file

(Chapter 6): The page file is found at this location. There is not a "slack file," but rather it is the slack space (wasted area between the end of a file and cluster). Passware and handle files are made up.

Explanation

(Chapter 6): The page file is found at this location. There is not a "slack file," but rather it is the slack space (wasted area between the end of a file and cluster). Passware and handle files are made up.

133. In exhibit numbering, the zz is for:

Investigator initials

Year of collection

Number of exhibits in sequence

Sequence number of parts of the same exhibit

Option 5

(Chapter 2): The "zz" refers to the sequence number for parts of the same exhibit. aaa is for the investigator's initials. The date of the seizure is in day, month, year (dd/mm/yy) format. The number of exhibits is nnnn.

Explanation

(Chapter 2): The "zz" refers to the sequence number for parts of the same exhibit. aaa is for the investigator's initials. The date of the seizure is in day, month, year (dd/mm/yy) format. The number of exhibits is nnnn.

134. CD-ROM/DVD standard.

NIST 99.01A

NIST 99.01B

ISO 9660

NIST 99.001B

(Chapter 3): ISO 9660 is correct. The other answer choices are made up.

Explanation

(Chapter 3): ISO 9660 is correct. The other answer choices are made up.

135. Which is not a file system?

HFS

EXT

EVT4

UFS

(Chapter 3): There is not an EVT4 file system. There is an EXT4 file system. UFS is Unix File System. HFS is for Mac OS. EXT is a Linux file system.

Explanation

(Chapter 3): There is not an EVT4 file system. There is an EXT4 file system. UFS is Unix File System. HFS is for Mac OS. EXT is a Linux file system.

136. Rule 1003 covers:

Admissibility of original evidence

Definitions

Admissibility of other evidence

Admissibility of duplicates

(Chapter 2): Rule 1003 covers the Admissibility of Duplicate evidence. The admissibility of original evidence is covered in 1002. Other evidence admissibility is covered under 1004. Definitions are covered under 1001.

Explanation

(Chapter 2): Rule 1003 covers the Admissibility of Duplicate evidence. The admissibility of original evidence is covered in 1002. Other evidence admissibility is covered under 1004. Definitions are covered under 1001.

137. An attacker is using every possible combination of characters to crack a password. This method is known as:

Hybrid attack

Abley cain attack

Brute force

Rainbow attack

(Chapter 5): This is known as a brute force attack. Hybrid is a combination of brute force and dictionary attacks. Abley cain is not a real tool. Rainbow attacks use rainbow tables.

Explanation

(Chapter 5): This is known as a brute force attack. Hybrid is a combination of brute force and dictionary attacks. Abley cain is not a real tool. Rainbow attacks use rainbow tables.

138. This is the Amendment that protects again unlawful search and seizure.

2nd

1st

13th

4th

(Chapter 1): The 4th Amendment protects against unlawful search and seizure by government officials. The 1st Amendment covers free speech. The 2nd Amendment covers the right to bear arms. The 13th Amendment abolished slavery.

Explanation

(Chapter 1): The 4th Amendment protects against unlawful search and seizure by government officials. The 1st Amendment covers free speech. The 2nd Amendment covers the right to bear arms. The 13th Amendment abolished slavery.

139. This can be used for Last access time change in Windows 10.

Win_10.exe

Fsutil

T_change

Latc

(Chapter 6): fsutil is the correct answer. The other provided answers are made up.

Explanation

(Chapter 6): fsutil is the correct answer. The other provided answers are made up.

140. Phil is a digital forensic investigator that needs to obtain information from a suspect's service provider about billing records and subscriber information. What type of warrant would Phil need to obtain in this case?

Electronic storage device warrant

Search warrant

Service provider search warrant

Felony warrant

(Chapter 2): The service provider search warrant allows the investigator to obtain records from the service provider, including things like billing records and subscriber information. An electronic storage device warrant is for the suspect's hardware. A felony warrant is too broad and would cover non-digital crimes as well. Likewise, a search warrant is too broad. The best answer is the Service Provider search warrant.

Explanation

(Chapter 2): The service provider search warrant allows the investigator to obtain records from the service provider, including things like billing records and subscriber information. An electronic storage device warrant is for the suspect's hardware. A felony warrant is too broad and would cover non-digital crimes as well. Likewise, a search warrant is too broad. The best answer is the Service Provider search warrant.

141. The FBI is investigating Sally for hacking her school's network. What type of warrant should they obtain in order to search and seize Sally's personal laptop?

Felony warrant

Federal warrant

Electronic storage device warrant

Powerless warrant

(Chapter 2): The electronic storage device warrant is used to search and seize hardware. Felony warrant is too broad and also covers non-Digital crime. A Federal warrant is not relevant, since there can be many kinds issued. Powerless warrant is a made up answer and not correct.

Explanation

(Chapter 2): The electronic storage device warrant is used to search and seize hardware. Felony warrant is too broad and also covers non-Digital crime. A Federal warrant is not relevant, since there can be many kinds issued. Powerless warrant is a made up answer and not correct.

142. Stacey wants to obtain data from social media websites. Which tool can she NOT use for this?

Netvizz

Twecoll

Geo360

DiskDigger

(Chapter 2): Disk Digger is not a tool used for obtaining data from social media websites.

Explanation

(Chapter 2): Disk Digger is not a tool used for obtaining data from social media websites.

143. Jv16 tool is used for

Malware reversing

Dynamic analysis

Registry

Bit-to-bit mapping

(Chapter 11): jv16 is a registry tool. It is not used for malware analysis or reversing, and also is not used to make bit copies. Remember that it is not used for malware for your CHFI exam.

Explanation

(Chapter 11): jv16 is a registry tool. It is not used for malware analysis or reversing, and also is not used to make bit copies. Remember that it is not used for malware for your CHFI exam.

144. What is not one of the MS Exchange archive data files?

PRIV.STM

PUB.EDB

PRIV.EDB

PUB.STM

(Chapter 12): PUB.STM is incorrect. The other three choices ARE the MS Exchange archive data files.

Explanation

(Chapter 12): PUB.STM is incorrect. The other three choices ARE the MS Exchange archive data files.

145. Jonathan is an investigator, but he is not the first one on the scene. He wants to show the path of evidence collected from the scene to the forensic lab. What should he use?

Criminal Report

Daubert standard report

Chain of custody

Exhibit numbering

(Chapter 1 and Chapter 2): The chain of custody document is used to demonstrate the progression of evidence from the original evidence location to the forensic lab. Exhibit numbering is for marking evidence. Criminal report and Daubert standard report are made up answers.

Explanation

(Chapter 1 and Chapter 2): The chain of custody document is used to demonstrate the progression of evidence from the original evidence location to the forensic lab. Exhibit numbering is for marking evidence. Criminal report and Daubert standard report are made up answers.

146. Intel is to EFI as PowerPC is to:

VFS

Open Firmware

CSH

CDD

(Chapter 3): On PowerPC-based Mac computers, Open Firmware initializes the rest of the hardware interfaces. On Intel-based Mac computers, EFI performs this same function. VFS is for virtual file system. CSH and CDD are made up.

Explanation

(Chapter 3): On PowerPC-based Mac computers, Open Firmware initializes the rest of the hardware interfaces. On Intel-based Mac computers, EFI performs this same function. VFS is for virtual file system. CSH and CDD are made up.

147. Used for registry and not malware installation file analysis.

GIF

SysAnalyzer

JPEG

Jv16

(Chapter 11): jv16 is correct. SysAnalyzer IS USED for malware analysis and looks at the installation files. The other two answers are image file types.

Explanation

(Chapter 11): jv16 is correct. SysAnalyzer IS USED for malware analysis and looks at the installation files. The other two answers are image file types.

148. This tool is used to open registry hives

MySQLlog Editor

Registry Editor

Reg_HIV OpenPS

Hiveopener 3000

(Chapter 5): Registry Editor is used to open registry hives (hives start with HKEY..). The other answers are made up and are incorrect.

Explanation

(Chapter 5): Registry Editor is used to open registry hives (hives start with HKEY..). The other answers are made up and are incorrect.

149. This tool can be used to restore emails.

FSSTAT

File Salvage

Data Recovery Pro

EaseUS

(Chapter 5): Data Recovery Pro can be used to restore emails. EaseUS offers precise searching. File Salvage is used to recover file in Mac. FSSTAT is made up.

Explanation

(Chapter 5): Data Recovery Pro can be used to restore emails. EaseUS offers precise searching. File Salvage is used to recover file in Mac. FSSTAT is made up.

150. These determine the sector addressing for individual sectors on a disk.

Clusters, heads, and sectors (CHS)

Heads, sectors, and tracks (HST)

Cylinders, heads, and sectors (CHS)

Clusters, cylinders, and tracks (CCT)

(Chapter 3): Cylinders, Heads, and Sectors (CHS) determine the sector addressing for individual sectors on a disk. The other answers are incorrect, since they do not contain all three of these. This is covered in Chapter 3 of the official EC-Council material.

Explanation

(Chapter 3): Cylinders, Heads, and Sectors (CHS) determine the sector addressing for individual sectors on a disk. The other answers are incorrect, since they do not contain all three of these. This is covered in Chapter 3 of the official EC-Council material.

151. Opposing attorney, that did not call the witness to the stand, is doing this:

Cross-Examination

Direct-Examination

Daubert

Frye

(Chapter 14): Cross-Examination is correct. Direct-Examination is when the attorney that called the witness to the stand is doing the questioning. Daubert is the standard on Expert Witness testimony and Frye is the standard on Scientific testimony.

Explanation

(Chapter 14): Cross-Examination is correct. Direct-Examination is when the attorney that called the witness to the stand is doing the questioning. Daubert is the standard on Expert Witness testimony and Frye is the standard on Scientific testimony.

152. This is a tool used for monitoring log files, produced by UNIX syslog facility.

Logcheck

RegEdit

Swatch

Watch

(Chapter 7): Swatch is correct. Logcheck allows system Admins to view log files, which are produced by hosts under their control. RegEdit is the registry editor for Windows. Watch is a made up answer.

Explanation

(Chapter 7): Swatch is correct. Logcheck allows system Admins to view log files, which are produced by hosts under their control. RegEdit is the registry editor for Windows. Watch is a made up answer.

153. The img_stat command:

Displays details of an image file

Lists file and directory names in an image

Displays general details of a file system

Displays metadata

(Chapter 3): The img_stat of TSK (The Sleuth Kit) displays details of an image file. General details of a file system are displayed with the fsstat command. istat displays metadata. fls lists file and directory names in a disk image.

Explanation

(Chapter 3): The img_stat of TSK (The Sleuth Kit) displays details of an image file. General details of a file system are displayed with the fsstat command. istat displays metadata. fls lists file and directory names in a disk image.

154. This can be used to detect Trojans.

Capsa

Trojan_Detect 3000

Recuva

MESN

(Chapter 11): Capsa is correct. Recuva is for data/file recovery. The other two answers are made up.

Explanation

(Chapter 11): Capsa is correct. Recuva is for data/file recovery. The other two answers are made up.

155. Which of the following is a starting hex value of an image file:

99 xd 54

Ff d8 ff

Xx c9 53

If d9 ff

(Chapter 3): ff d8 ff is the starting hex value of JPEG files. The other choices are made up answers.

Explanation

(Chapter 3): ff d8 ff is the starting hex value of JPEG files. The other choices are made up answers.

156. This contains the configuration information related to the user currently logged on (i.e.- wallpaper, display settings, etc...)

HKEY_LOCAL_MACHINE

HKEY_VALID_USER

HKEY_CURRENT_USER

HKEY_LOCAL_PC

(Chapter 6): HKEY_CURRENT_USER is correct. HKEY_LOCAL_MACHINE contains most of the configuration information for installed software, which includes type, installed cards, memory type, startup control parameters, and device drives. The other answers are made up.

Explanation

(Chapter 6): HKEY_CURRENT_USER is correct. HKEY_LOCAL_MACHINE contains most of the configuration information for installed software, which includes type, installed cards, memory type, startup control parameters, and device drives. The other answers are made up.

157. The insider threat caused a lot of chaos. Sally, the digital forensic investigator, needs a tool that can repair and recover disk bad sectors. Which tool should she use?

Quick recovery

Sysanalyzer

Jv16

Total recall

(Chapter 5): Quick Recovery can recover and repair disk bad sectors. jv16 is a registry tool. SysAnalyzer is a malware analysis tool. Total recall is used for RAID.

Explanation

(Chapter 5): Quick Recovery can recover and repair disk bad sectors. jv16 is a registry tool. SysAnalyzer is a malware analysis tool. Total recall is used for RAID.

158. In FHS, essential user command binaries are in this.

/bin

\bin

/shin

\binary

(Chapter 3): /bin is correct. The other answers are all incorrect, since they contain a backwards slash and not a forward slash.

Explanation

(Chapter 3): /bin is correct. The other answers are all incorrect, since they contain a backwards slash and not a forward slash.

159. Sara is investigating an incident and needs to display information about all logged in sessions on a local Windows computer. Which command should she use?

Net view

Net session

Net use

Net log

(Chapter 8): net session is used to display information about logged in sessions. net view is used to review file shares and ensure their purpose. net use is used to see if sessions have been opened with other systems. net log is a made up command.

Explanation

(Chapter 8): net session is used to display information about logged in sessions. net view is used to review file shares and ensure their purpose. net use is used to see if sessions have been opened with other systems. net log is a made up command.

160. You can use this to see the last access time change for win10

Devcon

Fsutil

Wmic service

Reg.exe

Option 5

(Chapter 6): fsutil can be used to see the last access time change for Windows 10. reg.exe is Window's Console Registry Tool. WMIC stands for Windows Management Instrumentation Command-line, "wmic service" is not valid. devcon (devcon.exe) is a command used in Windows to see details about connected devices.

Explanation

(Chapter 6): fsutil can be used to see the last access time change for Windows 10. reg.exe is Window's Console Registry Tool. WMIC stands for Windows Management Instrumentation Command-line, "wmic service" is not valid. devcon (devcon.exe) is a command used in Windows to see details about connected devices.

161. You can view DBX files in:

Adobe Acrobat Reader

Thunderbird

MS Outlook Express

Thundercats

(Chapter 12): DBX files are viewed with Microsoft Outlook Express. Adobe Acrobat Reader is PDF. Thundercats was a cartoon in the 1980's. Thunderbird does not open DBX files.

Explanation

(Chapter 12): DBX files are viewed with Microsoft Outlook Express. Adobe Acrobat Reader is PDF. Thundercats was a cartoon in the 1980's. Thunderbird does not open DBX files.

162. Lenny needs to reset an Administrator password in order to access a device during an investigation. He knows that this tool can be used (choose the BEST answer).

Disk Drill

Active@ Password changer

Cain & Abel

Stego77

(Chapter 5): While Cain & Abel can be used to crack passwords, the best option here is to use Active@ Password changer. DiskDrill is used for file recovery. Stego77 is made up.

Explanation

(Chapter 5): While Cain & Abel can be used to crack passwords, the best option here is to use Active@ Password changer. DiskDrill is used for file recovery. Stego77 is made up.

163. Show active network connections with this:

Tripwire

503 connector

Netstat

Nbtstat

(Chapter 6): netstat is correct. nbtstat is for NetBIOS. Tripwire is for file integrity. 503 connector is made up.

Explanation

(Chapter 6): netstat is correct. nbtstat is for NetBIOS. Tripwire is for file integrity. 503 connector is made up.

164. This requires Federal agencies to develop, document, and implement information security programs.

HIPAA

GLBA

SOX

FISMA

(Chapter 7): The Federal Information Security Management Act (FISMA) requires Federal agencies to develop, document, and implement information security programs. HIPAA is for healthcare. GLBA requires financial institutions to protect their customers' information against security threats. SOX is to protect investors from fraudulent accounting.

Explanation

(Chapter 7): The Federal Information Security Management Act (FISMA) requires Federal agencies to develop, document, and implement information security programs. HIPAA is for healthcare. GLBA requires financial institutions to protect their customers' information against security threats. SOX is to protect investors from fraudulent accounting.

165. This has journaling:

Ext1

NTFS

FAT

FAT32

(Chapter 3): NTFS is the only answer here that offers journaling. EXT3 offers journaling, not EXT1. FAT and FAT32 also do not offer journaling.

Explanation

(Chapter 3): NTFS is the only answer here that offers journaling. EXT3 offers journaling, not EXT1. FAT and FAT32 also do not offer journaling.

166. Julie wants to use an open-source format. What should she choose?

EnCase

AFF

TFF

AutoBahn 2.9

(Chapter 4): AFF (Advanced Forensics Format) is an open source format. Encase is a forensics tool. AutoBahn 2.9 sounds cool, but it is made up. Likewise, TFF is made up.

Explanation

(Chapter 4): AFF (Advanced Forensics Format) is an open source format. Encase is a forensics tool. AutoBahn 2.9 sounds cool, but it is made up. Likewise, TFF is made up.

167. Sally is an investigator working for Diamond Corp. She needs to restore lost emails and their attachments. Which tool should she use (choose the best answer)?

File Salvage

DiskDigger

Data Recovery Pro

Data Rescue 4

(Chapter 5): Data Recovery Pro can be used to restore emails and email attachments. File Salvage recovers lost files in Mac OS. DiskDigger recovers lost files and offers thumbnail previews. Data Rescue 4 is for file recovery in Mac and Windows.

Explanation

(Chapter 5): Data Recovery Pro can be used to restore emails and email attachments. File Salvage recovers lost files in Mac OS. DiskDigger recovers lost files and offers thumbnail previews. Data Rescue 4 is for file recovery in Mac and Windows.

168. In Windows 7, deleted files are named $Ry.ext, where the y stands for the:

Drive number

Sequence number

File abbreviation

File type

(Chapter 5): The "y" stands for the sequence number. The driver number is in Windows 98 and earlier (Dxy.ext). The other two answers are made up.

Explanation

(Chapter 5): The "y" stands for the sequence number. The driver number is in Windows 98 and earlier (Dxy.ext). The other two answers are made up.

169. Internal server error is error code:

648

502

500

503

(Chapter 8): Code 500 is the answer. 502 is Bad Gateway. 503 is Service Unavailable. 648 is made up.

Explanation

(Chapter 8): Code 500 is the answer. 502 is Bad Gateway. 503 is Service Unavailable. 648 is made up.

170. Sara is an Assistant U.S. Attorney. She knows that this rule covers the general admissibility of relevant evidence.

Rule 402

Rule 701

Rule 804

Rule 502

(Chapter 2): Rule 402 covers the general admissibility of relevant evidence. Rule 701 covers opinion testimony by a lay witness. Rule 804 is related to hearsay. Rule 502 covers attorney-client privilege.

Explanation

(Chapter 2): Rule 402 covers the general admissibility of relevant evidence. Rule 701 covers opinion testimony by a lay witness. Rule 804 is related to hearsay. Rule 502 covers attorney-client privilege.

171. A boot from restarting the OS is considered:

Cold boot

Complete boot

Warm boot

Digital forensics boot process

(Chapter 3): A warm boot is the restart of the computer. You will likely see an exam question about this.

Explanation

(Chapter 3): A warm boot is the restart of the computer. You will likely see an exam question about this.

172. All of the following are Registry tools EXCEPT:

Jv16

Jv22

RegRipper

ProDiscover

(Chapter 11): jv16 is a registry tool, not jv22. RegRipper and ProDiscover are also registry tools. Others include Process Monitor, RegScanner, RegEdit, and Registry Viewer.

Explanation

(Chapter 11): jv16 is a registry tool, not jv22. RegRipper and ProDiscover are also registry tools. Others include Process Monitor, RegScanner, RegEdit, and Registry Viewer.

173. This saves data about programs, so programs load faster at boot:

PasswareKit 47

Prefetch folder

Recuva

RegEdit

(Chapter 6 and Chapter 10): The Prefetch folder is correct. Recuva is for data recovery. regEdit is the registry editor. PasswareKit 47 is made up. There is a Passware Kit 4, which is used for password cracking.

Explanation

(Chapter 6 and Chapter 10): The Prefetch folder is correct. Recuva is for data recovery. regEdit is the registry editor. PasswareKit 47 is made up. There is a Passware Kit 4, which is used for password cracking.

174. Roberta suspects the company's network has been compromised. How can she look for unusual network services running?

Net start

Net service

Net process

Net run

(chapter 8): net start allows you to look for unusual network services that are running. The other answers are made up commands and are incorrect.

Explanation

(chapter 8): net start allows you to look for unusual network services that are running. The other answers are made up commands and are incorrect.

175. David has been called to the stand to offer scientific testimony. This is an example of:

Daubert

Robert

Frye

Pierre

(Chapter 14): This is an example of the Frye standard, which covers scientific testimony. Daubert is for Expert Witness testimony. Robert and Pierre are made up.

Explanation

(Chapter 14): This is an example of the Frye standard, which covers scientific testimony. Daubert is for Expert Witness testimony. Robert and Pierre are made up.

176. Tools involved in Hashing include all of the following EXCEPT:

Hashcalc

Md5 calculator

Hashmyfiles

Superhasher

(Chapter 2): SuperHasher is made up and is not a tool involved in hashing. HashCalc, MD5 Calculator, and HashMyFiles are all used for hashing and are mentioned in Chapter 2 of the official ECC material.

Explanation

(Chapter 2): SuperHasher is made up and is not a tool involved in hashing. HashCalc, MD5 Calculator, and HashMyFiles are all used for hashing and are mentioned in Chapter 2 of the official ECC material.

177. Data rescue 4 is:

A new movie coming out

A file recovery tool only for windows

A file recovery tool used for mac

A new forensic tool used to sanitize digital media

(Chapter 5): Data Rescue 4 is a file recovery tool used in Mac OS. The Windows answer is incorrect, since it is a Mac tool. A tool to sanitize digital media is incorrect, since this tool is used for recovery. The answer about a new movie coming out is incorrect and silly.

Explanation

(Chapter 5): Data Rescue 4 is a file recovery tool used in Mac OS. The Windows answer is incorrect, since it is a Mac tool. A tool to sanitize digital media is incorrect, since this tool is used for recovery. The answer about a new movie coming out is incorrect and silly.

178. Windows Event Log text file output format is:

XVTX

EVTX

A.TXT

.DOC

(Chapter 9): EVTX is the correct format. .DOC is a document file format. The other options are made up answers.

Explanation

(Chapter 9): EVTX is the correct format. .DOC is a document file format. The other options are made up answers.

179. Which one do you like?

Option 1

Option 2

Option 3

Option 4

The explanation for the given correct answer, Option 1, is not available as the question does not provide any context or criteria for selecting a preference.

Explanation

The explanation for the given correct answer, Option 1, is not available as the question does not provide any context or criteria for selecting a preference.

180. Which wondows version can use uefi-gpt or bios-mbr

Xp

10

7

95

(Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR. Windows XP, Vista, and 7 boot with BIOS-MBR.

Explanation

(Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR. Windows XP, Vista, and 7 boot with BIOS-MBR.

181. Richard wants to look for unusual network services. What command should he use?

Net stat

Net start

Nbtstat

Net view

(Chapter 8): The net start command can be used to look for unusual network services. nbtstat is for NetBIOS. net view is to review file shares and ensure their purpose. "netstat" would be used in combination with -na to see if TCP/UDP ports have unusual listening; however, the answer here is listed as "net stat," which is not proper syntax for this command.

Explanation

(Chapter 8): The net start command can be used to look for unusual network services. nbtstat is for NetBIOS. net view is to review file shares and ensure their purpose. "netstat" would be used in combination with -na to see if TCP/UDP ports have unusual listening; however, the answer here is listed as "net stat," which is not proper syntax for this command.

182. The max single file size in EXT3 is

2GB

20TB

2TB

1EiB

(Chapter 3): The question asks for the max single file size, not the max file system size. Pay attention to the verbiage in questions on the actual exam.

Explanation

(Chapter 3): The question asks for the max single file size, not the max file system size. Pay attention to the verbiage in questions on the actual exam.

183. Which of the following is known for providing quick and deep scanning?

Easeuk

Easeus

Advanced disk recovery

Recover my files

(Chapter 2 and Chapter 5): Advanced Disk recovery offers two scans; quick and deep scanning. Recover My Files offers the ability to preview data-on-the-fly. EaseUS supports large hard disks. EaseUK is made up and is incorrect.

Explanation

(Chapter 2 and Chapter 5): Advanced Disk recovery offers two scans; quick and deep scanning. Recover My Files offers the ability to preview data-on-the-fly. EaseUS supports large hard disks. EaseUK is made up and is incorrect.

184. Jamie needs a tool that can recover files with their original file name

Diskdigger

Stellar phoenix

Total recall

Sysanalyzer

(Chapter 5): The correct answer is Stellar Phoenix. SysAnalyzer is used for malware analysis. Total Recall is used for RAID. DiskDigger offers the thumbnail previews.

Explanation

(Chapter 5): The correct answer is Stellar Phoenix. SysAnalyzer is used for malware analysis. Total Recall is used for RAID. DiskDigger offers the thumbnail previews.

185. The IMEI is obtained with:

*#06#

*#06#*

#06*#

#06#x

(Chapter 13): The correct command is *#06# . The other answer choices are made up.

Explanation

(Chapter 13): The correct command is *#06# . The other answer choices are made up.

186. This command can be used to obtain details about partitions.

Get-detailspartition

Get-gpt

Get-gpt-partition

Get-partitiontable

(Chapter 3): The Get-PartitionTable command provides details about partitions. The Get-GPT command is used for partitioning. The other two commands are made up and are incorrect.

Explanation

(Chapter 3): The Get-PartitionTable command provides details about partitions. The Get-GPT command is used for partitioning. The other two commands are made up and are incorrect.

187. This tool can be used to recover lost data from RAID and hard drives:

EaseUS

Total Recall

DiskDigger

File Salvage

(Chapter 5): Total Recall can be used for RAID. Memorize this for your exam. File Salvage is a Mac OS file recovery tool. DiskDigger offers thumbnail previews of recovered files. EaseUS supports large hard drives.

Explanation

(Chapter 5): Total Recall can be used for RAID. Memorize this for your exam. File Salvage is a Mac OS file recovery tool. DiskDigger offers thumbnail previews of recovered files. EaseUS supports large hard drives.

188. $Bitmap is in:

LILO

EXT2

NTFS

FAT

(Chapter 3): NTFS is correct. LILO is one of the Linux bootloaders. EXT2 is a Linux file system. FAT and also FAT32 would not be correct, since NTFS contains $Bitmap, which is used to keep track of used and unused clusters.

Explanation

(Chapter 3): NTFS is correct. LILO is one of the Linux bootloaders. EXT2 is a Linux file system. FAT and also FAT32 would not be correct, since NTFS contains $Bitmap, which is used to keep track of used and unused clusters.

189. In ISO 9660, what two file systems add more descriptors to the sequence?

Roneo and Juliet

Joliet and UDF

Joliet and Rumero

UDF and TDF

(Chapter 3): Joliet and UDF are the correct answers. None of the other answers contain both of these. You will likely see a question about this on the real exam.

Explanation

(Chapter 3): Joliet and UDF are the correct answers. None of the other answers contain both of these. You will likely see a question about this on the real exam.

190. William needs a tool that can allow him to specify a specific file type for precise search results. What tool is this?

Undelete plus

Easeus

R-studio

File salvage

(Chapter 2 and Chapter 5): EaseUS offers the ability to obtain precise search results on files. Undelete Plus recovers files emptied from the Recycle Bin. R-Studio can be used for heavily damaged file systems. File Salvage is a Mac OS tool to recover files.

Explanation

(Chapter 2 and Chapter 5): EaseUS offers the ability to obtain precise search results on files. Undelete Plus recovers files emptied from the Recycle Bin. R-Studio can be used for heavily damaged file systems. File Salvage is a Mac OS tool to recover files.

191. A hacker commits a DDoS attack against a specific IP address of a company's Web server. This is considered what type of attack?

APT attack

Network attack

Web application attack

Ids attack

(Chapter 7 and 8): The attack is against a specific IP address and is not exploiting an application vulnerability (notice it shows Web application attack in the other answer), so it would fall under the realm of a network attack. The DDoS attack may also be affecting an IDS, but that is not the true target of the attack described. It could be an APT (Advanced Persistent Threat) group performing the attack, but it could also just be a simple teenager.

Explanation

(Chapter 7 and 8): The attack is against a specific IP address and is not exploiting an application vulnerability (notice it shows Web application attack in the other answer), so it would fall under the realm of a network attack. The DDoS attack may also be affecting an IDS, but that is not the true target of the attack described. It could be an APT (Advanced Persistent Threat) group performing the attack, but it could also just be a simple teenager.

192. What file type is this? FF D8 FF E1

BMP

JPEG

GIF

PNG

(Chapter 3): The FF D8 FF is the hex format for JPEG files. BMP starts with 42 4d. GIF starts with 47 49 46. PNG starts with 89 50 4e.

Explanation

(Chapter 3): The FF D8 FF is the hex format for JPEG files. BMP starts with 42 4d. GIF starts with 47 49 46. PNG starts with 89 50 4e.

193. ____ launched the CFTT.

ISO/IEC

NIST

ECC

GLBA

(Chapter 2): NIST launched the Computer Forensic Tool Testing Project (CFTT). ISO/IEC is a separate standards body. GLBA is the Gramm-Leach Bliley Act. ECC stands for EC-Council.

Explanation

(Chapter 2): NIST launched the Computer Forensic Tool Testing Project (CFTT). ISO/IEC is a separate standards body. GLBA is the Gramm-Leach Bliley Act. ECC stands for EC-Council.

194. This is a network sniffer that can support several hundred network protocols.

Cain & Abel

Recuva

Capsa

Snort

(Chapter 7): Capsa is a network sniffer that supports over 300 network protocols, which can also be used to detect Trojans. Cain & Abel is a password cracker. Snort is an IDS. Recuva is for recovering lost files.

Explanation

(Chapter 7): Capsa is a network sniffer that supports over 300 network protocols, which can also be used to detect Trojans. Cain & Abel is a password cracker. Snort is an IDS. Recuva is for recovering lost files.

195. The first __ bits of the ESN is the manufacturer's code

32

8

16

24

(Chapter 13): The first 8 bits of the ESN is the manufacturer’s code. The other answers are made up and are incorrect.

Explanation

(Chapter 13): The first 8 bits of the ESN is the manufacturer’s code. The other answers are made up and are incorrect.

196. This is a tool for Mac OS

Recover my files

Windows defender

File ravage

Disk utility

(Chapter 3): Disk Utility is a tool used in Mac OS to get details about GPT partition tables. recover My Files is for Windows. Windows Defender is a anti-malware program. File Ravage is made up and is incorrect.

Explanation

(Chapter 3): Disk Utility is a tool used in Mac OS to get details about GPT partition tables. recover My Files is for Windows. Windows Defender is a anti-malware program. File Ravage is made up and is incorrect.

197. In Windows 98 and earlier, deleted files are named in Dxy.ext format. What does the x stand for?

Sequence number

Original extension

File name

Drive

(Chapter 5): In the Dxy.ext format, the x stands for the drive. For example, the first document file deleted from the C: drive would be Dc0.doc . The sequence number is "y" and the original extension is the "ext" option, both being incorrect for the question asked. The original file name is not included in Dxy.ext, so this answer is also incorrect.

Explanation

(Chapter 5): In the Dxy.ext format, the x stands for the drive. For example, the first document file deleted from the C: drive would be Dc0.doc . The sequence number is "y" and the original extension is the "ext" option, both being incorrect for the question asked. The original file name is not included in Dxy.ext, so this answer is also incorrect.

198. Jason is an investigator with over 10 years of experience. He needs to find a tool that will help him recover a RAID drive. Which tool can help him?

Quick recovery

Quick RAID recovery

Total recall

Diskdigger

(Chapter 5): Total Recall can be used to recover RAID drives. DiskDigger is used to recover files and offers thumbnail previews. Quick Recovery can recover password-protected files. The other answer is made up and is incorrect.

Explanation

(Chapter 5): Total Recall can be used to recover RAID drives. DiskDigger is used to recover files and offers thumbnail previews. Quick Recovery can recover password-protected files. The other answer is made up and is incorrect.

199. Sara wants to perform a deep scan that scans the entire system. She should use:

Recover my files

Total recall

Diskdigger

Advanced disk recovery

(Chapter 2 and Chapter 5): Advanced Disk Recovery can be used to perform a deep scan of the entire system. Total Recall is used for RAID. DiskDigger is used for recovery and offers thumbnail previews. Recover My Files does not offer a quick and deep scan.

Explanation

(Chapter 2 and Chapter 5): Advanced Disk Recovery can be used to perform a deep scan of the entire system. Total Recall is used for RAID. DiskDigger is used for recovery and offers thumbnail previews. Recover My Files does not offer a quick and deep scan.

200. HFS+ uses:

Windows OS

B-tree structure to store data

UEFI

MBR partitions

(Chapter 3): HFS+ (Mac OS) uses a b-tree structure to store data. Windows OS is wrong, since HFS+ is for Mac OS. UEFI and MBR partitions are also incorrect.

Explanation

(Chapter 3): HFS+ (Mac OS) uses a b-tree structure to store data. Windows OS is wrong, since HFS+ is for Mac OS. UEFI and MBR partitions are also incorrect.

IP Address Of A Remote Computer Trivia Quiz