National Polytechnic Institute CHFI Practice Test

By Dale, Community Contributor
  • 1. (question 1 of 150)

    Which command line tool is used to determine active network connections?

    • ARP

    • ps

    • netstat

    • lsof

About This Quiz

The National Polytechnic Institute CHFI Practice Test assesses knowledge in cybercrime forensic investigation. It covers tasks in investigation phases, tools like Wireshark, Linux commands for data copying, and Android graphics libraries. Ideal for enhancing forensic investigation skills relevant to cybersecurity professionals.

Quiz Preview

  • 2. 

    Which network attack is described by the following statement? "At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries."

    • Buffer Overflow

    • Sniffer Attack

    • Man-in-the-Middle Attack

    • DDoS

    Correct Answer
    DDoS
    Explanation
    The statement describes a DDoS (Distributed Denial of Service) attack. In this type of attack, a large number of compromised computers, collectively known as a botnet, flood a target system or network with a high volume of traffic, exhausting its resources and causing disruption. Here, the Russian banks were attacked continuously by a botnet of 24,000 computers located in 30 countries; although their online client services were not disrupted, the scale and distributed source of the traffic are the defining characteristics of a DDoS attack.

  • 3. 

    Report writing is a crucial stage in the outcome of an investigation. Which information should NOT be included in the report section?

    • Purpose of the report

    • Author of the report

    • Incident summary

    • Speculation or opinion as to the cause of the incident

    Correct Answer
    Speculation or opinion as to the cause of the incident
    Explanation
    In a report section, it is important to provide factual information based on evidence rather than speculation or personal opinions. Including speculation or opinions as to the cause of the incident can undermine the credibility and objectivity of the report. The purpose of the report, the author, and an incident summary are all relevant and necessary information to include in a report.

  • 4. 

    Which of the following is a part of a Solid-State Drive (SSD)?

    • Cylinder

    • Head

    • Spindle

    • NAND-based flash memory

    Correct Answer
    NAND-based flash memory
    Explanation
    NAND-based flash memory is a type of non-volatile storage technology that is commonly used in Solid-State Drives (SSDs). Unlike traditional hard disk drives (HDDs) that use spinning disks, SSDs use NAND flash memory chips to store data. NAND flash memory is known for its fast read and write speeds, durability, and low power consumption, making it an ideal choice for SSDs. It allows for faster boot-up times, quicker data transfer rates, and improved overall performance compared to HDDs. Therefore, NAND-based flash memory is an essential component of a Solid-State Drive.

  • 5. 

    Which of the following tools captures and allows you to interactively browse the traffic on a network?

    • RegScanner

    • ThumbsDisplay

    • Wireshark

    • Security Task Manager

    Correct Answer
    Wireshark
    Explanation
    Wireshark is a tool that captures and allows users to interactively browse network traffic. It is a popular network protocol analyzer that can be used to monitor and analyze network packets in real-time. Wireshark provides detailed information about network protocols, packet headers, and data payload, allowing users to troubleshoot network issues, detect network attacks, and analyze network performance. It is widely used by network administrators and security professionals to gain insights into network traffic and identify potential security vulnerabilities.

  • 6. 

    An expert witness is a ____________ who is normally appointed by a party to assist the formulation and preparation of a party’s claim or defense.

    • Expert advisor

    • Crime scene spectator

    • Ex-criminal

    • Government officer

    Correct Answer
    Expert advisor
    Explanation
    An expert witness is someone who is appointed by a party to assist in the formulation and preparation of their claim or defense. They provide specialized knowledge and expertise in a particular field relevant to the case. They are not a crime scene spectator or an ex-criminal, and while a government officer may sometimes serve as an expert witness, the term "expert advisor" more accurately describes the role and responsibilities of an expert witness.

  • 7. 

    Which of the following techniques deletes files permanently?

    • Trail obfuscation

    • Data Hiding

    • Steganography

    • Artifact Wiping

    Correct Answer
    Artifact Wiping
    Explanation
    Artifact wiping is a technique that permanently deletes files by overwriting them with random data, making the original data unrecoverable. This process ensures that the deleted files cannot be recovered using any data recovery methods or tools. Unlike other techniques mentioned, such as trail obfuscation, data hiding, and steganography, which aim to conceal or hide files, artifact wiping focuses on completely removing the files from the system, leaving no trace behind.

  • 8. 

    POP3 (Post Office Protocol 3) is a standard protocol for receiving email that deletes mail on the server as soon as the user downloads it. When a message arrives, the POP3 server appends it to the bottom of the recipient's account file, which can be retrieved by the email client at any preferred time. The email client connects to the POP3 server on __________ by default to fetch emails.

    • Port 123

    • Port 110

    • Port 115

    • Port 109

    Correct Answer
    Port 110
    Explanation
    The correct answer is Port 110. POP3 uses Port 110 by default for the email client to connect to the POP3 server and fetch emails. This port allows the email client to establish a connection with the server and retrieve the emails from the recipient's account file.

  • 9. 

    Adam, a forensic analyst, is preparing VMs for analyzing malware. Which of the following is NOT a best practice?

    • Enabling shared folders

    • Installing malware analysis tools

    • Using network simulation tools

    • Isolating the host device

    Correct Answer
    Enabling shared folders
    Explanation
    Enabling shared folders is not a best practice when preparing VMs for analyzing malware. This is because shared folders can potentially allow malware to spread from the VM to the host device or other VMs. It is important to isolate the host device and the VMs to prevent any contamination or unauthorized access. Installing malware analysis tools, using network simulation tools, and isolating the host device are all considered best practices for analyzing malware in VMs.

  • 10. 

    Which of the following tools will help the investigator to analyze web server logs?

    • LanWhoIs

    • Deep Log Analyzer

    • Towelroot

    • XRY LOGICAL

    Correct Answer
    Deep Log Analyzer
    Explanation
    Deep Log Analyzer is the correct answer because it is a tool specifically designed for analyzing web server logs. It provides detailed insights into website visitor behavior, traffic sources, and other important metrics. It helps investigators to identify potential security threats, track user activities, and analyze server performance. With its advanced features and intuitive interface, Deep Log Analyzer is a valuable tool for analyzing and understanding web server logs.

  • 11. 

    Sheila is a forensics trainee and is searching for hidden image files on a hard disk. She used a forensic investigation tool to view the media in hexadecimal code for simplifying the search process. Which of the following hex codes should she look for to identify image files?

    • D0 CF 11 E0

    • FF D8 FF

    • 25 50 44 46

    • 50 4B 03 04

    Correct Answer
    FF D8 FF
    Explanation
    File signatures (magic bytes at the start of the file; see https://www.garykessler.net/library/file_sigs.html):
    PDF = [25 50 44 46]
    JPEG = [FF D8 FF]
    ZIP = [50 4B 03 04]
    Object Linking and Embedding (OLE) Compound File (CF) = [D0 CF 11 E0]

  • 12. 

    When a file or folder is deleted, the complete path, including the original file name, is stored in a special hidden file called “INFO2” in the Recycled folder. If the INFO2 file is deleted, it is re-created when you ________.

    • Run the anti-spyware tool on the system

    • Restart Windows

    • Kill the running processes in Windows task manager

    • Run the antivirus tool on the system

    Correct Answer
    Restart Windows
    Explanation
    When you restart Windows, the INFO2 file is re-created. This file is responsible for storing the complete path and original file name of deleted files or folders. Restarting Windows allows the system to recreate this hidden file, ensuring that the information of deleted files and folders can be stored properly in the Recycled folder.

  • 13. 

    Smith, a network administrator with a large MNC, was the first to arrive at a suspected crime scene involving criminal use of compromised computers. What should be his first response while maintaining the integrity of evidence?

    • Perform data acquisition without disturbing the state of the systems

    • Open the systems, remove the hard disk and secure it

    • Switch off the systems and carry them to the laboratory

    • Record the system state by taking photographs of the physical system and the display

    Correct Answer
    Record the system state by taking photographs of the physical system and the display
    Explanation
    Smith's first response should be to record the system state by taking photographs of the physical system and the display. This is important for maintaining the integrity of the evidence, as it captures the current state of the systems and provides a visual record against which any later tampering or changes during the investigation can be compared. It allows for a detailed analysis and comparison of the system's state before and after any actions are taken.

  • 14. 

    To which phase of the Computer Forensic Investigation Process does the Planning and Budgeting of a Forensics Lab belong?

    • Pre-investigation Phase

    • Investigation Phase

    • Reporting Phase

    • Post-investigation Phase

    Correct Answer
    Pre-investigation Phase
    Explanation
    The Planning and Budgeting of a Forensics Lab belongs to the Pre-investigation Phase of the Computer Forensic Investigation Process. This phase involves preparing for the investigation by determining the scope, objectives, and resources required. Planning and budgeting are essential steps in this phase as they help in allocating the necessary resources, setting timelines, and ensuring that the investigation is conducted efficiently and effectively.

  • 15. 

    Which of the following techniques can be used to beat steganography?

    • Encryption

    • Steganalysis

    • Cryptanalysis

    • Decryption

    Correct Answer
    Steganalysis
    Explanation
    Steganalysis is the correct answer because it refers to the process of detecting and analyzing hidden information within digital media, such as images or audio files, that has been concealed using steganography techniques. Steganalysis techniques can help identify the presence of steganographic content, thereby "beating" steganography by revealing its hidden messages. Encryption, cryptanalysis, and decryption are not specifically related to steganography, although they may be used in combination with steganalysis to further analyze and understand the hidden information.

  • 16. 

    Stephen is checking an image using Compare Files by The Wizard, and he sees the file signature shown as FF D8 FF E1. What is the file type of the image?

    • GIF

    • JPEG

    • PNG

    • BMP

    Correct Answer
    JPEG
    Explanation
    GIF [Hex: 47 49 46]
    JPEG [Hex: FF D8 FF]
    PNG [Hex: 89 50 4E]
    BMP [Hex: 42 4D]

  • 17. 

    Which of the following are small pieces of data sent from a website and stored on the user's computer by the user's web browser to track, validate, and maintain specific user information?

    • Cookies

    • Open files

    • Web Browser Cache

    • Temporary Files

    Correct Answer
    Cookies
    Explanation
    Cookies are small pieces of data that are sent from a website and stored on the user's computer by the user's web browser. They are used to track, validate, and maintain specific user information. Cookies enable websites to remember user preferences, track user behavior, and provide personalized experiences. They are commonly used for authentication, session management, and storing user-specific settings.

  • 18. 

    If the partition size is 4 GB, each cluster will be 32 K. Even if a file needs only 10 K, the entire 32 K will be allocated, resulting in 22 K of ________.

    • Deleted space

    • Slack space

    • Sector space

    • Cluster space

    Correct Answer
    Slack space
    Explanation
    When a file is stored on a partition with a cluster size of 32 K, even if the file is smaller (10 K in this case), the entire cluster (32 K) will be allocated for it. This means that there will be unused space within the cluster, which is known as slack space. In this scenario, the 22 K of unused space within the allocated cluster is referred to as slack space.

  • 19. 

    Which of the following attacks uses HTML tags like <script>?

    • XSS attack

    • Spam

    • SQL injection

    • Phishing

    Correct Answer
    XSS attack
    Explanation
    Normal XSS script: <script>alert("XSS")</script>
    Hex (URL) encoded XSS script: %3cscript%3ealert("XSS")%3c/script%3e

  • 20. 

    Which of the following is a precomputed table containing word lists like dictionary files and brute force lists and their hash values?

    • Directory Table

    • Rainbow Table

    • Partition Table

    • Master File Table (MFT)

    Correct Answer
    Rainbow Table
    Explanation
    A rainbow table is a precomputed table that contains word lists like dictionary files and brute force lists, along with their corresponding hash values. It is used in password cracking to quickly find the plaintext value of a given hash. By comparing the hash values in the table with the target hash, the corresponding plaintext value can be determined. This table saves time and computational resources by eliminating the need to compute hash values for each password attempt.

  • 21. 

    Which of the following acts as a network intrusion detection system as well as network intrusion prevention system?

    • Acunetix

    • Kismet

    • Snort

    • Nikto

    Correct Answer
    Snort
    Explanation
    Acunetix: an advanced web vulnerability scanner used to discover SQL injection and XSS vulnerabilities through black-box testing. It automatically crawls websites and applies black-box and grey-box testing techniques to find dangerous vulnerabilities that can compromise a website and its data. It tests for SQL injection, XSS, XXE, SSRF, Host Header Injection and over 4500 other web vulnerabilities, uses scanning techniques designed to generate as few false positives as possible, and simplifies the web application security process through built-in vulnerability management features that help prioritize and manage vulnerability resolution.

    Kismet: a wireless network detector, sniffer, and intrusion detection system. Kismet works predominantly with Wi-Fi networks, but it can be extended via plug-ins to handle other network types.

    Snort: a network intrusion detection system and intrusion prevention system created in 1998 by Martin Roesch, founder and former CTO of Sourcefire. Snort is now developed by Cisco, which purchased Sourcefire in 2013 and where Roesch is a chief security architect.

    Nikto: a command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server-type-specific checks, and also captures and prints any cookies received.

  • 22. 

    What is a cold boot (hard boot)?

    • It is the process of restarting a computer that is already in sleep mode

    • It is the process of starting a computer from a powered-down or off state

    • It is the process of restarting a computer that is already turned on through the operating system

    • It is the process of shutting down a computer from a powered-on or on state

    Correct Answer
    It is the process of starting a computer from a powered-down or off state

  • 23. 

    Which of the following is a command line packet sniffer that runs on Linux and UNIX systems?

    • RemPass

    • CmosPwd

    • TCPDump

    • WinDump

    Correct Answer
    TCPDump
    Explanation
    TCPDump is a command line packet sniffer that is specifically designed to run on Linux and UNIX systems. It allows users to capture and analyze network traffic in real-time, providing detailed information about the packets being transmitted over the network. TCPDump is widely used by network administrators and security professionals for troubleshooting network issues, monitoring network activity, and detecting potential security threats. It offers a wide range of powerful features and options, making it a popular choice for network analysis on Linux and UNIX platforms.

  • 24. 

    Which of the following Android libraries are used to render 2D (SGL) or 3D (OpenGL/ES) graphics content to the screen?

    • OpenGL/ES and SGL

    • WebKit

    • Surface Manager

    • Media framework

    Correct Answer
    OpenGL/ES and SGL
    Explanation
    The correct answer is OpenGL/ES and SGL. These two Android libraries are used to render 2D or 3D graphics content to the screen. OpenGL/ES is a widely used graphics API that allows developers to create high-performance 2D and 3D graphics on Android devices. SGL (Software Graphics Library) is a software-based graphics library that provides a simplified interface for rendering 2D graphics. Both libraries are essential for creating visually appealing and interactive graphics applications on Android.

  • 25. 

    An executive had leaked the company trade secrets through an external drive. What process should the investigation team take if they could retrieve his system?

    • Malware Analysis

    • Real-Time Analysis

    • Postmortem Analysis

    • Packet Analysis

    Correct Answer
    Postmortem Analysis
    Explanation
    Postmortem analysis refers to the investigation and analysis of an incident after it has occurred. In this scenario, the investigation team should conduct a postmortem analysis of the executive's system to gather evidence and understand the extent of the trade secret leak. This process involves examining the system's logs, files, and any other relevant data to determine how the leak occurred, identify any vulnerabilities or security breaches, and develop strategies to prevent similar incidents in the future.

  • 26. 

    Smith, an employee of a reputed forensic investigation firm, has been hired by a private organization to investigate a laptop that is suspected to be involved in the hacking of the organization’s DC server. Smith wants to find all the values typed into the Run box in the Start menu. Which of the following registry keys will Smith check to find the above information?

    • RunMRU key

    • MountedDevices key

    • TypedURLs key

    • UserAssist Key

    Correct Answer
    RunMRU key
    Explanation
    Smith, as a forensic investigator, is looking for values typed into the Run box in the Start menu on a laptop suspected of being involved in hacking. To find this information, Smith will check the "RunMRU" key in the registry. The RunMRU key stores a list of the most recently used programs and commands that have been executed using the Run box. By examining this key, Smith can identify the values that have been typed into the Run box and gather evidence related to the hacking incident.

  • 27. 

    A state department site was recently attacked, and all the servers had their hard disks erased. The incident response team sealed the area and commenced an investigation. During evidence collection, they came across a USB flash drive that did not have the standard labeling on it. The incident team inserted the flash drive into an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they shortlisted possible suspects including three summer interns. Where did the incident team go wrong?

    • They tampered with the evidence by using it

    • They called in the FBI without correlating with the fingerprint data

    • They examined the actual evidence on an unrelated system

    • They attempted to implicate personnel without proof

    Correct Answer
    They tampered with the evidence by using it
    Explanation
    The incident team went wrong by tampering with the evidence by using the USB flash drive. By inserting the flash drive into an isolated system, they unintentionally erased the system disk, which could potentially compromise the integrity of the evidence. It is crucial to handle and preserve evidence carefully to ensure its admissibility and maintain the chain of custody.

  • 28. 

    What must an attorney do first before you are called to testify as an expert?

    • Engage in damage control

    • Qualify you as an expert witness

    • Read your curriculum vitae to the jury

    • Prove that the tools you used to conduct your examination are perfect

    Correct Answer
    Qualify you as an expert witness
    Explanation
    Before you are called to testify as an expert, an attorney must first qualify you as an expert witness. This involves establishing your credentials, expertise, and experience in the relevant field to ensure that you possess the necessary knowledge and qualifications to provide expert testimony. This step is crucial in establishing your credibility and allowing the court to recognize you as an expert in order to give weight to your testimony.

  • 29. 

    Which of the following is an iOS Jailbreaking tool?

    • Redsn0w

    • One Click Root

    • Kingo Android ROOT

    • Towelroot

    Correct Answer
    Redsn0w
    Explanation
    RedSn0w allows the investigator to jailbreak an iPhone, iPod Touch, or iPad running a variety of firmware versions. Created and maintained by the Dev-Team, RedSn0w has become one of the most widely used tools for jailbreaking iOS firmware.

  • 30. 

    You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a “simple backup copy” of the hard drive in the PC and put it on this drive, and requests that you examine the drive for evidence of the suspected images. You inform him that a “simple backup copy” will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings?

    • Bit-stream copy

    • Robust copy

    • Full backup copy

    • Incremental backup copy

    Correct Answer
    Bit-stream copy
    Explanation
    A bit-stream copy is needed to ensure that the evidence found is complete and admissible in future proceedings. A bit-stream copy is an exact replica of the original hard drive, including all the data, files, and file fragments. It captures every bit of information from the source drive, including deleted files and file fragments, making it the most comprehensive and accurate copy for forensic analysis. Other types of copies, such as a simple backup copy or incremental backup copy, may not capture all the necessary information and may not be admissible in court.

  • 31. 

    Lynne receives the following email:

    "Dear [email protected]! We are sorry to inform you that your ID has been temporarily frozen due to incorrect or missing information saved at 2016/11/10 20:40:24. You have 24 hours to fix this problem or risk to be closed permanently! To proceed Please Connect >> My Apple ID. Thank You"

    The link to My Apple ID shows http://byggarbetsplatsen.se/backup/signon/

    What type of attack is this?

    • Phishing

    • Email Spamming

    • Email Spoofing

    • Mail Bombing

    Correct Answer
    Phishing
    Explanation
    This is a phishing attack. Phishing is a type of cyber attack where the attacker impersonates a legitimate organization or individual in order to trick the recipient into revealing sensitive information, such as passwords or credit card numbers. In this case, the email claims to be from Apple and asks the recipient to click on a link to fix a problem with their account. However, the link leads to a suspicious website that is not associated with Apple, indicating that it is a phishing attempt.

  • 32. 

    Which of the following built-in Linux commands can be used by forensic investigators to copy data from a disk drive?

    • expr

    • diff

    • lprm

    • dd and dcfldd

    Correct Answer
    dd and dcfldd
    Explanation
    The correct answer is "dd and dcfldd". These are built-in Linux commands that can be used by forensic investigators to copy data from a disk drive. The "dd" command is commonly used for creating disk images or copying data from one location to another, while "dcfldd" is an enhanced version of "dd" with additional features for forensic purposes. These commands are essential tools for investigators to preserve and analyze data without altering the original source.

  • 33. 

    Which of the following files DOES NOT use Object Linking and Embedding (OLE) technology to embed and link to other objects?

    • MS-office Word Document

    • Portable Document Format

    • MS-office Word PowerPoint

    • MS-office Word OneNote

    Correct Answer
    Portable Document Format
    Explanation
    The Portable Document Format (PDF) does not use Object Linking and Embedding (OLE) technology to embed and link to other objects. While MS-office Word Document, MS-office Word PowerPoint, and MS-office Word OneNote all use OLE technology to embed and link to other objects, PDF files do not have this functionality. PDF files are designed to be platform-independent and retain their formatting regardless of the software or hardware used to view them, which is why they do not rely on OLE technology.

  • 34. 

    What is the purpose of using an obfuscator in malware?

    • Execute malicious code in the system

    • Propagate malware to other connected devices

    • Avoid detection by security mechanisms

    • Avoid encryption while passing through a VPN

    Correct Answer
    Avoid detection by security mechanisms
    Explanation
    An obfuscator is used in malware to avoid detection by security mechanisms. By obfuscating the code, the malware becomes more difficult to analyze and understand, making it harder for security systems to detect and block. This allows the malware to bypass security measures and carry out its malicious activities without being detected.

  • 35. 

    A suspect is accused of violating the acceptable use of computing resources as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation? (Choose the most feasible option)

    • Seek the help of co-workers who are eye-witnesses

    • Approach the websites for evidence

    • Image the disk and try to recover deleted files

    • Check the Windows registry for connection data (You may or may not recover)

    Correct Answer
    Image the disk and try to recover deleted files
    Explanation
    The most feasible option to prove the violation is to image the disk and try to recover deleted files. By creating a forensic image of the suspect's disk, the investigator can preserve the current state of the disk and prevent any further changes. This allows for the possibility of recovering deleted files, including any evidence of visiting adult websites and downloading images. This method provides a solid chance of finding the necessary evidence, even if the suspect has cleared search history and removed downloaded images.

  • 36. 

    Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox, or overwhelm the server where the email address is hosted, to cause a denial-of-service attack?

    • Email spamming

    • Phishing

    • Mail bombing

    • Email spoofing

    Correct Answer
    Mail bombing
    Explanation
    Mail bombing refers to sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted, causing a denial-of-service attack. This attack can disrupt the normal functioning of the email server, making it difficult for legitimate users to access their emails. It is a form of cyber attack that aims to disrupt the communication channels and cause inconvenience or damage to the targeted individual or organization.

  • 37. 

    A forensic examiner is examining a Windows system seized from a crime scene. During the examination of a suspect file, he discovered that the file is password protected. He tried guessing the password using the suspect’s available information but without any success. Which of the following tools can help the investigator to solve this issue?

    • Cain & Abel

    • Colasoft’s Capsa

    • Xplico

    • Recuva

    Correct Answer
    A. Cain & Abel
    Explanation
    Cain & Abel is a tool commonly used by forensic investigators to recover passwords. It can perform various password cracking techniques, such as dictionary attacks and brute-force attacks, to attempt to guess the password of a protected file. This tool would be helpful in this scenario as the forensic examiner can use it to try different password combinations and potentially gain access to the suspect file.

  • 38. 

    Which of the following Windows-based tools displays who is logged onto a computer, either locally or remotely?

    • TCPView

    • Process Monitor

    • Tokenmon

    • PSLoggedon

    Correct Answer
    A. PSLoggedon
    Explanation
    PsLoggedOn (Sysinternals) displays both the users logged on locally and the users logged on via resource shares, for either the local computer or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighbourhood and tells you whether that user is currently logged on. The information is volatile (it reflects live sessions), so running the tool on a live system is part of volatile data collection and should be documented as such.

  • 39. 

    Shane, a forensic specialist, is investigating an ongoing attack on a MySQL database server hosted on a Windows machine with the host name "WIN-ABCDE12345F." Which of the following log files will help Shane in tracking all the client connections and activities performed on the database server?

    • WIN-ABCDE12345F.pid

    • WIN-ABCDE12345F.log

    • WIN-ABCDE12345F-bin.n

    • WIN-ABCDE12345F.err

    Correct Answer
    A. WIN-ABCDE12345F.log
    Explanation
    MySQL status and log files stored in the data directory include (HOSTNAME is the server's host name):
        1. Process ID file (HOSTNAME.pid): contains the process ID recorded when the server starts
        2. Error log (HOSTNAME.err): records startup and shutdown events and errors
        3. General query log (HOSTNAME.log): records every client connection and disconnection and every statement the server receives, which is why it is the file that tracks client connections and activities
        4. Binary log (HOSTNAME-bin.nnnnnn): contains events describing changes made to the database (data and schema modifications only, not SELECTs or connection events)
        5. Binary log index (HOSTNAME-bin.index): lists the binary log files currently available in the data directory
        6. Relay log (HOSTNAME-relay-bin.nnnnnn): on a replication slave, holds the change events received from the master before they are applied locally
        7. Relay log index (HOSTNAME-relay-bin.index): lists the relay log files currently available in the data directory
        8. Master info file (master.info): created by a replication slave server, contains the parameters used to connect to the master server
        9. Relay log info file (relay-log.info): created by a replication slave server, contains the status of relay log processing
        10. Slow query log (HOSTNAME-slow.log): a text file containing statements whose execution exceeded the long_query_time threshold
    Two caveats for the investigator. The general query log is disabled by default (general_log=OFF) and must have been enabled before the attack for the file to exist at all, and its name and destination can be overridden with general_log_file and log_output (the latter can send it to the mysql.general_log table instead of a file). If it was not enabled, the binary log, the error log and the web server's own logs are the fallback sources for reconstructing the attacker's activity.
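    The following is an added example, not part of the original quiz: a parser for the general query log that rebuilds each client connection (who connected, from where, how many statements, first and last activity) and flags statements that match common attack patterns. The log excerpt is constructed for the example and assumes the MySQL 5.7+ file layout (ISO timestamp, connection id, command, argument); the suspicious-statement patterns are illustrative heuristics, not an exhaustive list.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of a general query log written to a file (5.7+ layout).
# Not from a real server. Connection 13 is the kind of trail a SQL injection
# attacker leaves: a tautology, schema enumeration, then file read/write.
SAMPLE_LOG = (
    "/usr/sbin/mysqld, Version: 5.7.40-log (MySQL Community Server (GPL)). started with:\n"
    "TCP Port: 3306, Named Pipe: MySQL\n"
    "Time                 Id Command    Argument\n"
    "2023-03-15T10:21:03.123456Z\t   12 Connect\tapp_user@10.0.0.5 on shopdb using TCP/IP\n"
    "2023-03-15T10:21:03.125000Z\t   12 Query\tSELECT name, price FROM products WHERE id = 42\n"
    "2023-03-15T10:21:07.000000Z\t   13 Connect\troot@203.0.113.9 on  using TCP/IP\n"
    "2023-03-15T10:21:07.200000Z\t   13 Query\tSELECT * FROM shopdb.users WHERE name = '' OR 1=1 -- '\n"
    "2023-03-15T10:21:08.000000Z\t   13 Query\tSELECT table_name FROM information_schema.tables\n"
    "2023-03-15T10:21:09.000000Z\t   13 Query\tSELECT LOAD_FILE('C:/xampp/htdocs/config.php')\n"
    "2023-03-15T10:21:10.000000Z\t   13 Query\tSELECT 'test' INTO OUTFILE 'C:/xampp/htdocs/x.php'\n"
    "2023-03-15T10:21:11.000000Z\t   12 Quit\t\n"
    "2023-03-15T10:21:12.000000Z\t   13 Quit\t\n"
)

# timestamp, connection id, command type, optional tab, argument
LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<id>\d+)\s+(?P<cmd>\w+)\t?(?P<arg>.*)$")

# Illustrative heuristics for statements worth a second look.
SUSPICIOUS = [
    (re.compile(r"\bOR\s+1\s*=\s*1\b", re.I), "tautology (OR 1=1)"),
    (re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I), "UNION-based injection"),
    (re.compile(r"\binformation_schema\b", re.I), "schema enumeration"),
    (re.compile(r"\bLOAD_FILE\s*\(", re.I), "file read via LOAD_FILE"),
    (re.compile(r"\bINTO\s+(OUT|DUMP)FILE\b", re.I), "file write via INTO OUTFILE/DUMPFILE"),
]


@dataclass
class Session:
    conn_id: int
    first_seen: str
    last_seen: str = ""
    user_host: str = ""          # user@host from the Connect line
    queries: int = 0
    flags: list = field(default_factory=list)   # (time, label, statement)


def parse_general_log(text: str) -> dict:
    """Group log lines by connection id and return {id: Session}."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue      # server banner and column header carry no connection id
        cid = int(m["id"])
        if cid not in sessions:
            sessions[cid] = Session(conn_id=cid, first_seen=m["time"])
        s = sessions[cid]
        s.last_seen = m["time"]
        cmd, arg = m["cmd"], m["arg"].strip()
        if cmd == "Connect":
            s.user_host = arg.split(" on ")[0]     # "user@host on db using TCP/IP"
        elif cmd == "Query":
            s.queries += 1
            for pattern, label in SUSPICIOUS:
                if pattern.search(arg):
                    s.flags.append((m["time"], label, arg))
    return sessions


def suspicious_sessions(sessions: dict) -> list:
    """Connection ids that issued at least one flagged statement."""
    return sorted(cid for cid, s in sessions.items() if s.flags)


if __name__ == "__main__":
    sessions = parse_general_log(SAMPLE_LOG)
    for s in sessions.values():
        print(f"conn {s.conn_id}: {s.user_host} {s.first_seen} .. {s.last_seen}, {s.queries} queries")
        for when, label, stmt in s.flags:
            print(f"    {when} {label}: {stmt}")
```

    The connection id is the key that ties a statement back to the user and source address on its Connect line, which is what lets an investigator attribute the attacking statements to a client rather than to the database as a whole.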

  • 40. 

    The process of restarting a computer that is already turned on through the operating system is called?

    • Cold boot

    • Hot Boot

    • Warm boot

    • Ice boot

    Correct Answer
    A. Warm boot
    Explanation
    A warm boot refers to the process of restarting a computer that is already turned on through the operating system. This type of reboot allows the computer to restart without completely shutting down and starting up again. It is a quicker and more efficient way to resolve certain issues or apply changes to the system. Unlike a cold boot, which involves starting the computer from a powered-off state, a warm boot retains the current system state and allows for a seamless transition back into the operating system.

  • 41. 

    Ron, a computer forensics expert, is investigating a case involving corporate espionage. He has recovered several mobile computing devices from the crime scene. One piece of evidence in Ron's possession is a Nokia mobile phone that was left in the ON condition. Ron needs to recover the IMEI number of the device to establish the identity of the device owner. Which of the following key combinations can he use to recover the IMEI number?

    • *IMEI#

    • #*06*#

    • #06#*

    • *#06#

    Correct Answer
    A. *#06#
    Explanation
    On Nokia and almost all other GSM handsets, dialing *#06# displays the IMEI on screen without placing a call, so the device identity can be read while the phone is still powered on. The IMEI identifies the handset, not a person; Ron establishes the owner by matching it against the carrier's subscriber records (the number is also printed on the label under the battery on devices that can be opened). Because the phone was found ON, he should first isolate it from the network (airplane mode or a shielded bag) and photograph the screen before entering any key sequence, since the action itself is a change to the evidence and must be documented.

  • 42. 

    Which among the following search warrants allows the first responder to search and seize the victim’s computer components such as hardware, software, storage devices, and documentation?

    • Citizen Informant Search Warrant

    • Electronic Storage Device Search Warrant

    • IT Bench Search Warrant

    • Service Provider Search Warrant

    Correct Answer
    A. Electronic Storage Device Search Warrant
    Explanation
    An Electronic Storage Device Search Warrant allows the first responder to search and seize the victim’s computer components such as:
    • Hardware
    • Software
    • Storage devices
    • Documentation

    If the crime involves the Internet, the first responder needs information about the victim’s computer from the service provider end. A Service Provider Search Warrant allows first responders or investigators to consult the service provider and obtain the available victim’s computer information.
    First responders can obtain the following information from the service provider:
    • Service records
    • Billing records
    • Subscriber information

  • 43. 

    Which of the following attacks allows an attacker to access restricted directories, including application source code, configuration, and critical system files, and to execute commands outside of the web server's root directory?

    • Unvalidated input

    • Directory traversal

    • Security misconfiguration

    • Parameter/form tampering

    Correct Answer
    A. Directory traversal
    Explanation
    Directory traversal is an attack that allows an attacker to access restricted directories and execute commands outside of the web server's root directory. It exploits weak input validation and file path handling: a file name parameter is supplied with ../ sequences, their URL-encoded (%2e%2e%2f) or double-encoded forms, or an absolute path, and the application joins it onto its base directory without checking where the result lands. The attacker thereby reads application source code, configuration files and critical system files, which commonly leads to further compromise. The defence is to canonicalise the requested path and verify that it resolves inside the intended directory, rather than to blacklist particular strings.
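    The following is an added example, not part of the original quiz: a vulnerable file-serving function beside a hardened one, exercised against a throwaway directory layout built at runtime (the web root, the file names and the secret content are constructed for the demonstration). The hardened version assumes the caller has already URL-decoded the requested name exactly once, so the encoded variants mentioned above arrive as plain ../ sequences.

```python
import os
import tempfile
from pathlib import Path


def vulnerable_read(web_root: str, requested: str) -> bytes:
    """Vulnerable: the user-supplied name is joined straight onto the web root.
    '../' segments climb out of it, and os.path.join discards web_root
    entirely when `requested` is an absolute path."""
    with open(os.path.join(web_root, requested), "rb") as f:
        return f.read()


def safe_read(web_root: str, requested: str) -> bytes:
    """Hardened: canonicalise both paths, then check containment."""
    if "\x00" in requested:
        raise PermissionError("NUL byte in requested path")
    root = Path(web_root).resolve()
    # Strip leading separators so an absolute path cannot replace the root,
    # then resolve() to collapse '..' segments and follow symlinks.
    target = (root / requested.lstrip("/\\")).resolve()
    # The decisive check: the canonical target must be the root or below it.
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def demo() -> dict:
    """Constructed layout: <tmp>/htdocs/index.html is the served content and
    <tmp>/config.ini is a secret one directory above the web root."""
    base = Path(tempfile.mkdtemp())
    web_root = base / "htdocs"
    web_root.mkdir()
    (web_root / "index.html").write_bytes(b"<h1>hello</h1>")
    (base / "config.ini").write_bytes(b"db_password=hunter2")

    attack = "../config.ini"
    results = {
        "vulnerable_leaks": vulnerable_read(str(web_root), attack) == b"db_password=hunter2",
    }
    try:
        safe_read(str(web_root), attack)
        results["safe_blocks"] = False
    except PermissionError:
        results["safe_blocks"] = True
    # The hardened version still serves legitimate files inside the root.
    results["safe_serves_normal"] = safe_read(str(web_root), "index.html") == b"<h1>hello</h1>"
    return results


if __name__ == "__main__":
    print(demo())
```

    The containment test is on the resolved path, not on the string the client sent, so it holds regardless of how many ../ segments, mixed separators or symlinks were used to build the request.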

  • 44. 

    Which of the following techniques creates a replica of an evidence media?

    • Data Extraction

    • Data Deduplication

    • Bit Stream Imaging

    • Backup

    Correct Answer
    A. Bit Stream Imaging
    Explanation
    Bit Stream Imaging is the technique that creates a replica of an evidence media. It copies the storage device bit for bit, below the file system, so allocated files, deleted data in unallocated space and slack space are all preserved exactly as they were. The copy is verified by computing a cryptographic hash (MD5 or SHA-256) of the source and of the image and confirming that they match; the recorded hash is what later shows the image has not changed. Investigators then work on the image, or on copies of it, so the original media is never altered. A backup, by contrast, copies only the files the file system knows about and loses deleted data, which is why it is not an acceptable substitute.
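    The following is an added example, not part of the original quiz, that serves both the imaging question here and the earlier question about recovering deleted images from a suspect's disk: it images a constructed 32 KiB "disk" byte for byte with a running SHA-256, re-hashes source and image to verify the copy, and then carves a JPEG out of sectors that no directory entry references. The disk layout, the JPEG bytes and the sector size are constructed for the demonstration; a real acquisition would read a block device behind a write blocker with a tool such as dd or FTK Imager, and real carvers (foremost, scalpel, PhotoRec) validate structure far more carefully than the header/footer search shown.

```python
import hashlib
import io

SECTOR = 512


def image_device(src, dst, chunk=1 << 16):
    """Sequentially copy every byte of src into dst, hashing as we go.
    Because the copy is made at the byte level, below the file system,
    allocated files, deleted data and slack space are all captured.
    Returns (bytes_copied, sha256_of_the_source_stream)."""
    h = hashlib.sha256()
    total = 0
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        dst.write(buf)
        h.update(buf)
        total += len(buf)
    return total, h.hexdigest()


def verify_image(src, dst) -> bool:
    """Independently re-hash source and image from offset 0; equal digests
    show the replica is exact."""
    digests = []
    for f in (src, dst):
        f.seek(0)
        h = hashlib.sha256()
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
        digests.append(h.hexdigest())
    return digests[0] == digests[1]


JPEG_SOI = b"\xff\xd8\xff"   # start of image, followed by a marker byte
JPEG_EOI = b"\xff\xd9"       # end of image


def carve_jpegs(image: bytes):
    """Header/footer carving: return (offset, data) for every SOI..EOI span
    found anywhere in the image, ignoring file system metadata entirely.
    This is how deleted pictures are recovered after their directory entries
    are gone."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append((start, image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def build_sample_disk() -> bytes:
    """Constructed 64-sector disk: a toy directory in sector 0 that lists only
    notes.txt, the notes file in sector 2, and a JPEG in sectors 20-21 that
    no directory entry references (a deleted download)."""
    disk = bytearray(SECTOR * 64)
    directory = b"DIR:notes.txt@2\x00"
    notes = b"shopping list: milk, bread\n"
    fake_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 200 + JPEG_EOI
    disk[0:len(directory)] = directory
    disk[SECTOR * 2:SECTOR * 2 + len(notes)] = notes
    disk[SECTOR * 20:SECTOR * 20 + len(fake_jpeg)] = fake_jpeg
    return bytes(disk)


def acquire_and_carve() -> dict:
    """Image the constructed disk, verify the copy, then carve the image."""
    src = io.BytesIO(build_sample_disk())   # stands in for the evidence device
    img = io.BytesIO()                       # stands in for the .dd output file
    copied, digest = image_device(src, img)
    carved = carve_jpegs(img.getvalue())     # analysis runs on the image, never the source
    return {
        "bytes_copied": copied,
        "sha256": digest,
        "verified": verify_image(src, img),
        "carved": [(offset, len(data)) for offset, data in carved],
    }


if __name__ == "__main__":
    r = acquire_and_carve()
    print(f"imaged {r['bytes_copied']} bytes, sha256 {r['sha256']}, verified={r['verified']}")
    for offset, size in r["carved"]:
        print(f"  JPEG at byte {offset} (sector {offset // SECTOR}), {size} bytes, no directory entry")
```

    The directory in sector 0 never mentions the picture, yet the carve finds it at sector 20 because the bytes are still there; that is exactly the situation when a suspect deletes downloaded images and clears the browser history.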

  • 45. 

    Which of the following tools is used to locate IP addresses?

    • Towelroot

    • Deep Log Analyzer

    • SmartWhois

    • XRY LOGICAL

    Correct Answer
    A. SmartWhois
    Explanation
    SmartWhois is a whois lookup utility: given an IP address or domain name, it queries the regional Internet registries and domain registries and returns the netblock owner, the registered organisation or individual, contact details, and the registrar or ISP responsible for it. "Locating" an IP address therefore means identifying who is accountable for it and where it is registered, which is what lets an investigator trace a connection back to a provider that can then be served with a Service Provider Search Warrant. The other options are unrelated to this task: Towelroot is an Android rooting tool, Deep Log Analyzer is a web server log analysis tool, and XRY Logical is a mobile device extraction product.

  • 46. 

    Richard is extracting volatile data from a system and uses the command doskey /history. What is he trying to extract?

    • Passwords used across the system

    • Previously typed commands

    • Events history

    • History of the browser

    Correct Answer
    A. Previously typed commands
    Explanation
    doskey /history lists the commands typed into the current cmd.exe session. That history lives only in the console's memory: it is not written to disk and is lost when the window is closed or the machine is rebooted, which is why it is collected as volatile data before shutdown, and why it must be run in the suspect's existing prompt rather than a new one. PowerShell keeps a separate history (Get-History for the live session, and PSReadLine's ConsoleHost_history.txt on disk under the user's profile), so both should be captured.

  • 47. 

    Which of the following statements is INCORRECT when preserving digital evidence?

    • Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals

    • Verify if the monitor is in on, off, or in sleep mode

    • Remove the plug from the power router or modem

    • Turn on the computer and extract Windows event viewer log files

    Correct Answer
    A. Turn on the computer and extract Windows event viewer log files
    Explanation
    When preserving digital evidence, it is important not to turn on the computer or make any changes to the system. Extracting Windows event viewer log files should be done using a forensically sound method, such as creating a forensic image of the hard drive. Turning on the computer and extracting log files can potentially alter or destroy evidence, making it unreliable for investigation purposes.

  • 48. 

    Which of the following files gives information about the client sync sessions in Google Drive on Windows?

    • Synclog.log

    • Sync.log

    • Sync.log

    • Sync_log.log

    Correct Answer
    A. Sync_log.log
    Explanation
    Installing the Google Drive desktop client on Windows 10 creates a sync_log.log file in the client's user_default folder (for the legacy Google Drive client this is typically under %LocalAppData%\Google\Drive\user_default). The log records the client's sync sessions: when synchronisation ran, which files were uploaded, downloaded or removed, and any errors, so it shows what the user moved in or out of the cloud store and when.

  • 49. 

    Which of the following is NOT a part of the pre-investigation phase?

    • Creating an investigation team

    • Building forensics workstation

    • Gathering information about the incident

    • Gathering evidence data

    Correct Answer
    A. Gathering evidence data
    Explanation
    Pre-investigation Phase
    This phase involves all the tasks performed before the actual investigation begins: setting up a computer forensics lab, building a forensics workstation and investigation toolkit, assembling the investigation team, and obtaining approval from the relevant authority. It also includes planning the process, defining mission goals, and securing the case perimeter and the devices involved. Gathering evidence data is part of the investigation phase itself, not of the preparation.
    1 Setting Up a Computer Forensics Lab
    1.1 Planning and Budgeting
    1.2 Physical Location and Structural Design Considerations
    1.3 Work Area Considerations
    1.4 Physical Security Recommendations
    1.5 Fire-Suppression Systems
    1.6 Evidence Locker Recommendations
    1.7 Auditing the Security of a Forensics Lab
    1.8 Human Resource Considerations
    1.9 Building a Forensics Workstation
    1.10 Basic Workstation Requirements in a Forensics Lab
    1.11 Build a Computer Forensics Toolkit
    1.12 Forensics Hardware
    1.13 Forensics Software
    2 Build the Investigation Team
    2.1 Forensic Practitioner Certification and Licensing
    3 Review Policies and Laws
    3.1 Forensics Laws
    4 Establish Quality Assurance Processes
    4.1 Quality Assurance Practices in Digital Forensics
    4.2 General Quality Assurance in the Digital Forensic Process
    4.3 Quality Assurance Practices: Laboratory Software and Hardware
    4.4 Laboratory Accreditation Programs
    5 Data Destruction Industry Standards
    6 Risk Assessment

Quiz Review Timeline (Updated): Mar 15, 2023

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version
  • Mar 15, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • May 29, 2019
    Quiz Created by
    Dale