1.
Which tool can help the investigator if he wants to examine changes made to the system’s registry by the suspect program?
A. 
B. 
C. 
D. 
2.
This ISO standard defines file systems and protocols for exchanging data between optical disks. What is it?
A. 
B. 
C. 
D. 
3.
A forensic examiner is examining a Windows system seized from a crime scene. During the examination of a suspect file, he discovered that the file is password protected. He tried guessing the password using the suspect's available information but without any success. Which of the following tools can help the investigator solve this issue?
A. 
B. 
C. 
D. 
4.
Which of the following tasks DOES NOT come under the investigation phase of a cybercrime forensics investigation case?
A. 
B. 
C. 
D. 
5.
On Linux/Unix based Web servers, what privilege should the daemon service be run under?
A. 
B. 
C. 
You cannot determine what privilege runs the daemon service
D. 
Something other than root
6.
What is the target host IP in the following command?
A. 
B. 
C. 
Firewalk does not scan target hosts
D. 
This command is using FIN packets, which cannot scan target hosts
7.
Which one of the following is not a first response procedure?
A. 
B. 
C. 
D. 
8.
What must an investigator do before disconnecting an iPod from any type of computer?
A. 
B. 
C. 
D. 
9.
When investigating a computer forensics case where Microsoft Exchange and Blackberry Enterprise server are used, where would the investigator need to search to find email sent from a Blackberry device?
A. 
B. 
Blackberry Enterprise server
C. 
Microsoft Exchange server
D. 
Blackberry desktop redirector
10.
What happens when a file is deleted by a Microsoft operating system using the FAT file system?
A. 
Only the reference to the file is removed from the FAT
B. 
The file is erased and cannot be recovered
C. 
A copy of the file is stored and the original file is erased
D. 
The file is erased but can be recovered
11.
Billy, a computer forensics expert, has recovered a large number of DBX files during the forensic investigation of a laptop. Which of the following email clients can he use to analyze the DBX files?
A. 
B. 
C. 
D. 
Microsoft Outlook Express
12.
Which code does the FAT file system use to mark the file as deleted?
A. 
B. 
C. 
D. 
13.
An investigator has extracted the device descriptor for a 1GB thumb drive that looks like: Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15. What does the "Geek_Squad" part represent?
A. 
B. 
C. 
D. 
14.
You have been given the task to investigate web attacks on a Windows-based server. Which of the following commands will you use to look at the sessions the machine has opened with other systems?
A. 
B. 
C. 
D. 
15.
When a user deletes a file, the system creates a $I file to store its details. What detail does the $I file not contain?
A. 
B. 
File origin and modification
C. 
Time and date of deletion
D. 
16.
Which one d
Netstat is a tool for collecting information regarding network connections. It provides a simple view of TCP and UDP connections, and their state and network traffic statistics. Which of the following commands shows you the TCP and UDP network connections, listening ports, and the identifiers?
A. 
B. 
C. 
D. 
17.
What will the following command produce on a website login page? SELECT email, passwd, login_id, full_name FROM members WHERE email = 'someone@somehwere.com'; DROP TABLE members;
A. 
Deletes the entire members table
B. 
Inserts the email address into the members table
C. 
Retrieves the password for the first user in the members table
D. 
This command will not produce anything since the syntax is incorrect
Answer: A
18.
Ron, a computer forensics expert, is investigating a case involving corporate espionage. He has recovered several mobile computing devices from the crime scene. One piece of evidence that Ron possesses is a mobile phone from Nokia that was left in the ON condition. Ron needs to recover the IMEI number of the device to establish the identity of the device owner. Which of the following key combinations can he use to recover the IMEI number?
A. 
B. 
C. 
D. 
19.
Which password cracking technique uses details such as length of password, character sets used to construct the password, etc.?
A. 
B. 
C. 
D. 
20.
Which of the following attacks uses HTML tags like <script></script>?
A. 
B. 
C. 
D. 
21.
What file structure database would you expect to find on floppy disks?
A. 
B. 
C. 
D. 
22.
If a PDA is seized in an investigation while the device is turned on, what would be the proper procedure?
A. 
Keep the device powered on
B. 
Turn off the device immediately
C. 
Remove the battery immediately
D. 
Remove any memory cards immediately
23.
A state department site was recently attacked and all the servers had their disks erased. The incident response team sealed the area and commenced investigation. During evidence collection they came across a zip disk that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they shortlisted possible suspects including three summer interns. Where did the incident team go wrong?
A. 
They examined the actual evidence on an unrelated system
B. 
They attempted to implicate personnel without proof
C. 
They tampered with evidence by using it
D. 
They called in the FBI without correlating with the fingerprint data
24.
When investigating a wireless attack, what information can be obtained from the DHCP logs?
A. 
The operating system of the attacker and victim computers
B. 
IP traffic between the attacker and the victim
C. 
MAC address of the attacker
D. 
If any computers on the network are running in promiscuous mode
25.
Jacob is a computer forensics investigator with over 10 years of experience in investigations and has written over 50 articles on computer forensics. He has been called upon as a qualified witness to testify to the accuracy and integrity of the technical log files gathered in an investigation into computer fraud. What is the term used for Jacob's testimony in this case?
A. 
B. 
C. 
D.