1. What does the acronym POST mean as it relates to a PC?
A. Primary Operations Short Test
B.
C. Pre Operational Situation Test
D. Primary Operating System Test
2. If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?
A. The system files have been copied by a remote attacker
B. The system administrator has created an incremental backup
C. The system has been compromised using a t0rn rootkit
D. Nothing in particular as these can be operational files
3. Adam, a forensic investigator, is investigating an attack on the Microsoft Exchange Server of a large organization. As the first step of the investigation, he examined the PRIV.EDB file and found the source from which the mail originated and the name of the file that disappeared upon execution. Now he wants to examine the MIME stream content. Which of the following files is he going to examine?
A. 
B. 
C. 
D. 
4. Which of the following files gives information about the client sync sessions in Google Drive on Windows?
A. 
B. 
C. 
D. 
5. How many possible sequence number combinations are there in the TCP/IP protocol?
A. 
B. 
C. 
D. 
6. Which of the following techniques creates a replica of evidence media?
A. 
B. 
C. 
D. 
7. To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software. What group is actively providing tools and creating procedures for testing and validating computer forensics software?
A. Computer Forensics Tools and Validation Committee (CFTVC)
B. Association of Computer Forensics Software Manufacturers (ACFSM)
C. National Institute of Standards and Technology (NIST)
D. Society for Valid Forensics Tools and Testing (SVFTT)
8. Which of the following commands shows you the names of all open shared files on a server and the number of file locks on each file?
A. 
B. 
C. 
D. 
9. You have been called in to help with an investigation of an alleged network intrusion. After questioning the members of the company's IT department, you search through the server log files to find any trace of the intrusion. After that you decide to telnet into one of the company routers to see if there is any evidence to be found. While connected to the router, you see some unusual activity and believe that the attackers are currently connected to that router. You start an Ethereal session to begin capturing traffic on the router that could be used in the investigation. At what layer of the OSI model are you monitoring while watching traffic to and from the router?
A. 
B. 
C. 
D. 
10. Which of the following tools is not a data acquisition hardware tool?
A. 
B. 
C. 
D. 
11. You are running known exploits against your network to test for possible vulnerabilities. To test the strength of your antivirus software, you set up a test network that mimics your production network. Your software successfully blocks some simple macro and encrypted viruses. You decide to really test the software by using virus code that rewrites itself entirely, so the signature changes from child to child but the functionality stays the same. What type of virus are you testing?
A. 
B. 
C. 
D. 
12. Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM files on a computer. Where should Harold navigate on the computer to find the file?
A. %systemroot%\system32\LSA
B. %systemroot%\system32\drivers\etc
C. 
D. 
13. This ISO standard defines file systems and protocols for exchanging data between optical disks. What is it?
A. 
B. 
C. 
D. 
14. The MD5 program is used to:
A. Wipe magnetic media before recycling it
B. Make directories on an evidence disk
C. View graphics files on an evidence drive
D. Verify that a disk is not altered when you examine it
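The following is an added example, not part of the original question set, showing the verification step the question refers to: hash the image at acquisition, perform a read-only examination, then re-hash and compare. The "image" is a constructed byte string standing in for a disk image file, and the keyword search is a stand-in for any analysis step. SHA-256 is recorded alongside MD5 because MD5 collisions are practical and most labs now require a second hash.

```python
"""Hash-verifying an evidence image before and after examination.

Added example, not from the original question set. IMAGE is a constructed
stand-in for a disk image; in practice hash_stream() is pointed at the
image file opened in binary mode.
"""
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads so multi-gigabyte images never sit in memory at once


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file-like object, read in chunks.

    Both digests are computed in a single pass over the data: MD5 because the
    question (and older tooling) names it, SHA-256 because MD5 collisions are
    practical and a second, collision-resistant digest should be on record.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_unchanged(data, acquisition_hashes):
    """True only if every digest recorded at acquisition still matches."""
    current = hash_bytes(data, tuple(acquisition_hashes))
    return all(current[name] == digest for name, digest in acquisition_hashes.items())


def examine(image):
    """A read-only examination step: offsets of a keyword inside the image."""
    return [i for i in range(len(image)) if image.startswith(b"secret", i)]


# Constructed stand-in for an acquired disk image (not real evidence).
IMAGE = b"\x00" * 4096 + b"top secret plans" + b"\xff" * 4096

if __name__ == "__main__":
    acquired = hash_bytes(IMAGE)          # recorded at acquisition time
    hits = examine(IMAGE)                 # analysis must not modify the image
    print("keyword at offsets", hits)
    print("intact after examination:", verify_unchanged(IMAGE, acquired))
    # A single flipped bit anywhere in the image is caught on re-verification.
    tampered = bytearray(IMAGE)
    tampered[100] ^= 0x01
    print("tampered copy verifies:", verify_unchanged(bytes(tampered), acquired))
```

Any tool that writes to the image, even a filesystem driver updating an access timestamp on mount, changes the digest, which is why images are examined from a write-blocked or read-only mount and re-hashed at the end of every session.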
15. If an attacker's computer sends an IPID of 31400 to a zombie computer on an open port in idle scanning, what will be the response?
A. The zombie will not send a response
B. 
C. 
D. 
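The reasoning behind the question is the IP ID arithmetic of an idle scan, which the following added example (not part of the original question set) simulates end to end. No packets are sent: the three hosts are plain Python objects and the "network" is direct method calls, so the only thing shown is how the zombie's IPID moves. The 31400 from the question is taken as the IPID the zombie returns to the attacker's first probe; the host names and port numbers are constructed for the illustration.

```python
"""IPID sequencing in an idle (zombie) scan, simulated without a network.

Added example, not from the original question set. Hosts and ports are
constructed; a real zombie must have a global, predictable +1 IP ID counter
and be otherwise idle, which is exactly what the Host class models.
"""


class Host:
    """A host with one global incrementing IP ID counter and a set of open ports."""

    def __init__(self, name, ipid, open_ports=()):
        self.name = name
        self.ipid = ipid
        self.open_ports = set(open_ports)
        self.sent = []  # log of (destination, ipid, flags) for every datagram emitted

    def _send(self, dst, flags):
        pkt = (dst.name, self.ipid, flags)
        self.sent.append(pkt)
        self.ipid += 1  # every datagram consumes one IP ID
        return pkt

    def recv(self, src, flags, port=None):
        """Respond the way a TCP stack does to an unsolicited segment."""
        if flags == "SYN":
            if port in self.open_ports:
                return self._send(src, "SYN/ACK")  # open port: handshake reply
            return self._send(src, "RST")         # closed port: reset
        if flags == "SYN/ACK":
            return self._send(src, "RST")         # unexpected SYN/ACK: reset
        return None                               # a bare RST is silently dropped


def probe_zombie(attacker, zombie):
    """Send SYN/ACK to the zombie; its RST carries the current IPID."""
    reply = zombie.recv(attacker, "SYN/ACK")
    return reply[1]


def idle_scan(attacker, zombie, target, port):
    """Return (ipid_before, ipid_after, verdict) for one target port."""
    before = probe_zombie(attacker, zombie)
    # Spoofed SYN with the zombie as source, so the target's reply goes to the zombie.
    reply = target.recv(zombie, "SYN", port)
    if reply is not None:
        zombie.recv(target, reply[2])  # zombie reacts to whatever the target sent it
    after = probe_zombie(attacker, zombie)
    delta = after - before
    if delta == 2:
        verdict = "open"            # zombie sent a RST in between: target replied SYN/ACK
    elif delta == 1:
        verdict = "closed or filtered"  # zombie sent nothing: target sent RST or nothing
    else:
        verdict = "zombie not idle"     # other traffic consumed IPIDs, result unusable
    return before, after, verdict


if __name__ == "__main__":
    attacker = Host("attacker", 1)
    zombie = Host("zombie", 31400)
    target = Host("target", 500, open_ports={80})
    print(idle_scan(attacker, zombie, target, 80))  # open port
    print(idle_scan(attacker, zombie, target, 22))  # closed port
```

The attacker never sees the target's reply; it only sees that the zombie's counter advanced by two instead of one, which is why the scan is attributed to the zombie in the target's logs.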
16. Which of the following should a computer forensics lab used for investigations have?
A. 
B. 
C. 
D. 
17. Sectors are pie-shaped regions on a hard disk that store data. Which of the following parts of a hard disk does not contribute to determining the addresses of data?
A. 
B. 
C. 
D. 
18. The image below shows the date and time of installation of the OS along with service packs, patches, and sub-directories. What command or tool did the investigator use to view this output?
Administrator: Command Prompt
03/10/2016  03:30 AM    <DIR>          migration
03/10/2016  03:32 AM           352,136 FNTCACHE.DAT
03/25/2016  08:09 PM           140,098 perfc009.dat
03/25/2016  08:09 PM           746,532 perfh009.dat
03/25/2016  08:09 PM           883,572 PerfStringBackup.INI
04/06/2016  04:54 PM    <DIR>          Driverstore
04/13/2016  11:27 AM    <DIR>          catroot2
04/13/2016  12:33 PM       135,176,864 MRT.exe
04/13/2016  12:33 PM    <DIR>          MRT
04/14/2016  09:36 AM    <DIR>          config
04/14/2016  03:06 PM    <DIR>          drivers
04/14/2016  04:02 PM    <DIR>
04/14/2016  04:02 PM    <DIR>
04/14/2016  04:02 PM               324 pid.dump
04/14/2016  05:51 PM    <DIR>          sru
            3866 File(s)  1,727,891,022 bytes
             116 Dir(s)  63,601,328,128 bytes free

C:\WINDOWS\system32>
A. 
B. 
C. 
D. 
19. Andie, a network administrator, suspects that unusual network services are running on a Windows system. Which of the following commands should he use to verify which unusual network services have been started on the Windows system?
A. 
B. 
C. 
D. 
20. Why should you note all cable connections for a computer you want to seize as evidence?
A. To know what outside connections existed
B. In case other devices were connected
C. To know what peripheral devices exist
D. To know what hardware existed
21. What stage of the incident handling process involves reporting events?
A. 
B. 
C. 
D. 
22. Which of the following is a Mac-based file recovery tool?
A. 
B. 
C. 
D. 
23. What does the superblock in Linux define?
A.
B.
C. Location of the first inode
D.
24. With the standard Linux second extended file system (Ext2fs), a file is deleted when the inode internal link count reaches ____.
A. 
B. 
C. 
D. 
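The link-count rule behind this question can be watched directly from user space, so here is an added example (not part of the original question set) that creates a file, adds a hard link, removes the names one at a time and records the inode's link count at each step. It runs on any POSIX filesystem with hard links (ext2/3/4 and the like) inside a temporary directory, so nothing else on the system is touched; the file name and contents are constructed for the illustration.

```python
"""Ext2-style deletion: the inode survives until its link count reaches zero.

Added example, not from the original question set. Uses a temporary
directory on the local filesystem; file name and content are constructed.
Requires a POSIX filesystem that supports hard links.
"""
import os
import tempfile


def link_count(path):
    """st_nlink is the inode's link count as the filesystem reports it."""
    return os.stat(path).st_nlink


def deletion_trace(workdir):
    """Create a file, hard-link it, then unlink names one at a time.

    Returns a list of (step, link_count_or_None, data_still_readable) tuples.
    """
    original = os.path.join(workdir, "evidence.txt")
    alias = os.path.join(workdir, "evidence.lnk")
    payload = b"incriminating content"
    trace = []

    with open(original, "wb") as fh:
        fh.write(payload)
    trace.append(("created", link_count(original), True))

    os.link(original, alias)  # second directory entry pointing at the same inode
    trace.append(("hard-linked", link_count(alias), True))

    os.remove(original)  # rm only drops one name: link count 2 -> 1, data intact
    with open(alias, "rb") as fh:
        readable = fh.read() == payload
    trace.append(("original unlinked", link_count(alias), readable))

    # An open descriptor also pins the inode: after the last name is removed the
    # count is 0 yet the data is still readable through the handle. This is how
    # deleted-but-open files are recovered from /proc/<pid>/fd on a live system.
    with open(alias, "rb") as fh:
        os.remove(alias)
        trace.append(("alias unlinked, handle open",
                      os.fstat(fh.fileno()).st_nlink,
                      fh.read() == payload))

    # Once the handle closes, no name and no reference remain: inode and blocks are freed.
    trace.append(("handle closed", None, os.path.exists(alias)))
    return trace


def run_demo():
    """Run deletion_trace() in a throwaway directory and return the trace."""
    with tempfile.TemporaryDirectory() as workdir:
        return deletion_trace(workdir)


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

For forensics the consequence is that rm on one name, or even on the last name while a process still holds the file open, does not release the data blocks; only the zero-link-count, zero-reference state does, and until then the content is still recoverable.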
25. Chong-lee, a forensics executive, suspects that malware is continuously making copies of files and folders on a victim system in order to consume the available disk space. What type of test would confirm his claim?
A.
B. Identifying file obfuscation
C. 
D.