A set of multiple-choice questions and answers related to the chfi-5 certification exam, focusing on key concepts in computer forensics. It covers topics such as evidence recovery, digital investigation techniques, legal considerations, and data preservation. The questions are designed to test understanding of fundamental principles and best practices in the field.
What information do you need to recover when searching a victim's computer for a crime committed with a specific e-mail message?
A. Internet service provider information B. E-mail header C. Username and password D. Firewall log ✔✔E-mail header
Melanie was newly assigned to an investigation and asked to make a copy of all the evidence from the compromised system. Melanie did a DOS copy of all the files on the system. What would be the primary reason for you to recommend a disk imaging tool?
A. A disk imaging tool would check for CRC32s for internal self-checking and validation and have MD5 checksum
B. Evidence file format will contain case data entered by the examiner and encrypted at the beginning of the evidence file
C. A simple DOS copy will not include deleted files, file slack and other information
D. There is no case for an imaging tool as it will use a closed, proprietary format that if compared to the original will not match up sector for sector ✔✔A simple DOS copy will not include deleted files, file slack and other information
You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacturer. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO?
A. the attorney-work-product rule B. Good manners C. Trade secrets D. ISO 17799 ✔✔the attorney-work-product rule
One technique for hiding information is to change the file extension from the correct one to one that might not be noticed by an investigator. For example,[1]extension?
A. the File Allocation Table B. the file header C. the file footer D. the sector map ✔✔the file header
A. Inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned
B. Inform the owner that conducting an investigation without a policy is a violation of the 4th amendment
C. Inform the owner that conducting an investigation without a policy is a violation of the employee's expectation of privacy
D. Inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies ✔✔Inform the owner that conducting an investigation without a policy is a violation of the 4th amendment
During the course of a corporate investigation, you find that an employee is committing a crime. Can the employer file a criminal complaint with the police?
A. Yes, and all evidence can be turned over to the police B. Yes, but only if you turn the evidence over to a federal law enforcement agency C. No, because the investigation was conducted without following standard police procedures D. No, because the investigation was conducted without warrant ✔✔Yes, and all evidence can be turned over to the police
____________________ is simply the application of Computer Investigation and analysis techniques in the interests of determining potential legal evidence.
A. Network Forensics B. Computer Forensics C. Incident Response D. Event Reaction ✔✔Computer Forensics
What is the name of the standard Linux command that is also available as a Windows application and can be used to create bit-stream images?
A. mcopy B. image C. MD D. dd ✔✔dd
To preserve digital evidence, an investigator should ____________________.
A. Make two copies of each evidence item using a single imaging tool B. Make a single copy of each evidence item using an approved imaging tool C. Make two copies of each evidence item using different imaging tools D. Only store the original evidence item ✔✔Make two copies of each evidence item using different imaging tools
B. To define the issues of the case for determination by the finder of fact C. To stimulate discussion between the consulting expert and the expert witness D. To deter the witness from expanding the scope of his or her investigation beyond the requirements of the case ✔✔The Opinion, inferences or conclusions depend on special knowledge, skill or training not within the ordinary experience of lay jurors
When using Windows acquisition tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to:
A. Automate Collection from image files B. Avoid copying data from the boot partition C. Acquire data from host-protected area on a disk D. Prevent Contamination to the evidence drive ✔✔Prevent Contamination to the evidence drive
Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?
A. Globally unique ID B. Microsoft Virtual Machine Identifier C. Personal Application Protocol D. Individual ASCII string ✔✔Globally unique ID
You have completed a forensic investigation case. You would like to destroy the data contained in various disks at the forensics lab due to the sensitivity of the case. How would you permanently erase the data on the hard disk?
A. Throw the hard disk into the fire B. Run the powerful magnets over the hard disk C. Format the hard disk multiple times using a low level disk utility D. Overwrite the contents of the hard disk with Junk data ✔✔Overwrite the contents of the hard disk with Junk data
You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message?
A. The X509 Address B. The SMTP reply Address C. The E-mail Header D. The Host Domain Name ✔✔The E-mail Header
The police believe that Melvin Matthew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating system manufacturers, cellular telephone manufacturers, Internet Service Providers and Educational Institutions. They also suspect that he has been stealing, copying and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspect's door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant?
A. The Fourth Amendment B. The USA PATRIOT Act C. The Good Samaritan Laws D. The Federal Rules of Evidence ✔✔The Fourth Amendment
When cataloging digital evidence, the primary goal is to
A. Make bit-stream images of all hard drives B. Preserve evidence integrity C. Not remove the evidence from the scene D. Not allow the computer to be turned off ✔✔Preserve evidence integrity
You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents. Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer?
A. Stringsearch B. grep C. dir D. vim ✔✔grep
As a CHFI professional, which of the following is the most important to your professional reputation?
A. Your Certifications B. The correct, successful management of each and every case C. The fee that you charge D. The friendship of local law enforcement officers ✔✔The correct, successful management of each and every case
In conducting a computer abuse investigation you become aware that the suspect of the investigation is using ABC Company as his Internet Service Provider (ISP). You contact the ISP and
D. IP Spoofing ✔✔DNS Poisoning
You are working as an independent computer forensics investigator and receive a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the computer lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a simple backup copy of the hard drive in the PC and put it on this drive, and requests that you examine that drive for evidence of the suspected images. You inform him that a simple backup copy will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings?
A. Bit-stream Copy B. Robust Copy C. Full backup Copy D. Incremental Backup Copy ✔✔Bit-stream Copy
Law enforcement officers are conducting a legal search for which a valid warrant was obtained. While conducting the search, officers observe an item of evidence for an unrelated crime that was not included in the warrant. The item was clearly visible to the officers and immediately identified as evidence. What is the term used to describe how this evidence is admissible?
A. Plain view doctrine B. Corpus delicti C. Locard Exchange Principle D. Ex Parte Order ✔✔Plain view doctrine
Microsoft Outlook maintains email messages in a proprietary format in what type of file?
A. .email B. .mail C. .pst D. .doc ✔✔.pst
The efforts to obtain information before a trial by demanding documents, depositions, questions and answers written under oath, written requests for admissions of fact and examination of the scene is a description of what legal term?
A. Detection B. Hearsay C. Spoliation D. Discovery ✔✔Discovery
Hackers can gain access to the Windows Registry and manipulate user passwords, DNS settings, access rights or other features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:
A. HKEY_LOCAL_MACHINE\hardware\windows\start B. HKEY_LOCAL_USERS\Software\Microsoft\old\Version\Load C. HKEY_CURRENT_USER\Microsoft\Default D. HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run ✔✔HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run
Which of the following file systems is used by Mac OS X?
A. EFS B. HFS+ C. EXT D. NFS ✔✔HFS+
When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?
A. Passive IDS B. Active IDS C. Progressive IDS D. NIPS ✔✔Active IDS
Simon is a former employee of Trinitron XML Inc. He feels he was wrongly terminated and wants to hack into his former company's network. Since Simon remembers some of the server names, he attempts to run the axfr and ixfr commands using DIG. What is Simon trying to accomplish here?
A. Send DOS commands to crash the DNS servers B. Perform DNS poisoning C. Perform a zone transfer D. Enumerate all the users in the domain ✔✔Perform a zone transfer
What will the following command produce on a website login page? SELECT email, passwd, login_id, full_name FROM members WHERE email ='someone@somehwere.com'; DROP TABLE members; --'
A. Deletes the entire members table B. Inserts the email address into the members table C. Retrieves the password for the first user in the members table
If an attacker's computer sends an IPID of 31400 to a zombie computer on an open port in IDLE scanning, what will be the response?
A. The zombie will not send a response B. 31402 C. 31399 D. 31401 ✔✔31402. Open port should be IPID +2 and close port should be IPID +1.
Michael works for Kimball Construction Company as a senior security analyst. As part of the yearly security audit, Michael scans his network for vulnerabilities. Using Nmap, Michael conducts an XMAS scan and most of the ports scanned do not give a response. In what state are these ports?
A. Closed B. Open C. Stealth D. Filtered ✔✔Open
You are assisting a Department of Defense contract company to become compliant with the stringent security policies set by the DoD. One such strict rule is that firewalls must only allow incoming connections that were first initiated by internal computers. What type of firewall must you implement to abide by this policy?
A. Packet filtering firewall B. Circuit-level proxy firewall C. Application-level proxy firewall D. Stateful firewall ✔✔Stateful firewall
Jessica works as a systems administrator for a large electronics firm. She wants to scan her network quickly to detect live hosts by using ICMP ECHO Requests. What type of scan is Jessica going to perform?
A. Tracert B. Smurf scan C. Ping trace D. ICMP ping sweep ✔✔ICMP ping sweep
You work as an IT security auditor hired by a law firm in Boston to test whether you can gain access to sensitive information about the company's clients. You have rummaged through their trash and found very little information. You do not want to set off any alarms on their network, so you plan on performing passive footprinting against their Web servers. What tool should you use?