New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

312-49v10 Computer Hacking Forensic Investigator (CHFI-v10) Questions and Answers

Questions 4

A cybercriminal is attempting to remove evidence from a Windows computer. He deletes the file evldence1.doc. sending it to Windows Recycle Bin. The cybercriminal then empties the Recycle Bin. After having been removed from the Recycle Bin. what will happen to the data?

Options:

A.

The data will remain in its original clusters until it is overwritten

B.

The data will be moved to new clusters in unallocated space

C.

The data will become corrupted, making it unrecoverable

D.

The data will be overwritten with zeroes

Buy Now
Questions 5

Which is a standard procedure to perform during all computer forensics investigations?

Options:

A.

with the hard drive removed from the suspect PC, check the date and time in the system's CMOS

B.

with the hard drive in the suspect PC, check the date and time in the File Allocation Table

C.

with the hard drive removed from the suspect PC, check the date and time in the system's RAM

D.

with the hard drive in the suspect PC, check the date and time in the system's CMOS

Buy Now
Questions 6

Hackers can gain access to Windows Registry and manipulate user passwords, DNS settings, access rights or others features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:

Options:

A.

HKEY_LOCAL_MACHINE\hardware\windows\start

B.

HKEY_LOCAL_USERS\Software\Microsoft\old\Version\Load

C.

HKEY_CURRENT_USER\Microsoft\Default

D.

HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run

Buy Now
Questions 7

When investigating a Windows System, it is important to view the contents of the page or swap file because:

Options:

A.

Windows stores all of the systems configuration information in this file

B.

This is file that windows use to communicate directly with Registry

C.

A Large volume of data can exist within the swap file of which the computer user has no knowledge

D.

This is the file that windows use to store the history of the last 100 commands that were run from the command line

Buy Now
Questions 8

As a security analyst, you setup a false survey website that will require users to create a username and a strong password. You send the link to all the employees of the company. What information will you be able to gather?

Options:

A.

The IP address of the employees’ computers

B.

Bank account numbers and the corresponding routing numbers

C.

The employees network usernames and passwords

D.

The MAC address of the employees’ computers

Buy Now
Questions 9

You work as an IT security auditor hired by a law firm in Boston to test whether you can gain access to sensitive information about the company clients. You have rummaged through their trash and found very little information. You do not want to set off any alarms on their network, so you plan on performing passive foot printing against their Web servers. What tool should you use?

Options:

A.

Ping sweep

B.

Nmap

C.

Netcraft

D.

Dig

Buy Now
Questions 10

Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?

Options:

A.

bench warrant

B.

wire tap

C.

subpoena

D.

search warrant

Buy Now
Questions 11

A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you are required to infer only what is explicit in the excerpt.

(Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)

03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111

TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF

***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32

TCP Options (3) => NOP NOP TS: 23678634 2878772

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111

UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84

Len: 64

01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ................

00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................

00 00 00 11 00 00 00 00 ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773

UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104

Len: 1084

47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8

Options:

A.

The attacker has conducted a network sweep on port 111

B.

The attacker has scanned and exploited the system using Buffer Overflow

C.

The attacker has used a Trojan on port 32773

D.

The attacker has installed a backdoor

Buy Now
Questions 12

You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?

Options:

A.

The registry

B.

The swap file

C.

The recycle bin

D.

The metadata

Buy Now
Questions 13

When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.

Options:

A.

A Capital X

B.

A Blank Space

C.

The Underscore Symbol

D.

The lowercase Greek Letter Sigma (s)

Buy Now
Questions 14

What type of file is represented by a colon (:) with a name following it in the Master File Table of NTFS disk?

Options:

A.

A compressed file

B.

A Data stream file

C.

An encrypted file

D.

A reserved file

Buy Now
Questions 15

Windows identifies which application to open a file with by examining which of the following?

Options:

A.

The File extension

B.

The file attributes

C.

The file Signature at the end of the file

D.

The file signature at the beginning of the file

Buy Now
Questions 16

Jim performed a vulnerability analysis on his network and found no potential problems. He runs another utility that executes exploits against his system to verify the results of the vulnerability test.

The second utility executes five known exploits against his network in which the vulnerability analysis said were not exploitable. What kind of results did Jim receive from his vulnerability analysis?

Options:

A.

False negatives

B.

False positives

C.

True negatives

D.

True positives

Buy Now
Questions 17

A computer forensics investigator is inspecting the firewall logs for a large financial institution that has employees working 24 hours a day, 7 days a week.

What can the investigator infer from the screenshot seen below?

Options:

A.

A smurf attack has been attempted

B.

A denial of service has been attempted

C.

Network intrusion has occurred

D.

Buffer overflow attempt on the firewall.

Buy Now
Questions 18

Which of the following Event Correlation Approach checks and compares all the fields systematically and intentionally for positive and negative correlation with each other to determine the correlation across one or multiple fields?

Options:

A.

Rule-Based Approach

B.

Automated Field Correlation

C.

Field-Based Approach

D.

Graph-Based Approach

Buy Now
Questions 19

Which of the following options will help users to enable or disable the last access time on a system running Windows 10 OS?

Options:

A.

wmic service

B.

Reg.exe

C.

fsutil

D.

Devcon

Buy Now
Questions 20

Which among the following files provides email header information in the Microsoft Exchange server?

Options:

A.

gwcheck.db

B.

PRIV.EDB

C.

PUB.EDB

D.

PRIV.STM

Buy Now
Questions 21

When a router receives an update for its routing table, what is the metric value change to that path?

Options:

A.

Increased by 2

B.

Decreased by 1

C.

Increased by 1

D.

Decreased by 2

Buy Now
Questions 22

Amber, a black hat hacker, has embedded a malware into a small enticing advertisement and posted it on a popular ad-network that displays across various websites. What is she doing?

Options:

A.

Click-jacking

B.

Compromising a legitimate site

C.

Spearphishing

D.

Malvertising

Buy Now
Questions 23

Cylie is investigating a network breach at a state organization in Florida. She discovers that the intruders were able to gain access into the company firewalls by overloading them with IP packets. Cylie then discovers through her investigation that the intruders hacked into the company phone system and used the hard drives on their PBX system to store shared music files. What would this attack on the company PBX system be called?

Options:

A.

Phreaking

B.

Squatting

C.

Crunching

D.

Pretexting

Buy Now
Questions 24

Why would you need to find out the gateway of a device when investigating a wireless attack?

Options:

A.

The gateway will be the IP of the proxy server used by the attacker to launch the attack

B.

The gateway will be the IP of the attacker computer

C.

The gateway will be the IP used to manage the RADIUS server

D.

The gateway will be the IP used to manage the access point

Buy Now
Questions 25

John is working on his company policies and guidelines. The section he is currently working on covers company documents; how they should be handled, stored, and eventually destroyed. John is concerned about the process whereby outdated documents are destroyed. What type of shredder should John write in the guidelines to be used when destroying documents?

Options:

A.

Strip-cut shredder

B.

Cross-cut shredder

C.

Cross-hatch shredder

D.

Cris-cross shredder

Buy Now
Questions 26

What is one method of bypassing a system BIOS password?

Options:

A.

Removing the processor

B.

Removing the CMOS battery

C.

Remove all the system memory

D.

Login to Windows and disable the BIOS password

Buy Now
Questions 27

Pagefile.sys is a virtual memory file used to expand the physical memory of a computer. Select the registry path for the page file:

Options:

A.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

B.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\System Management

C.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Device Management

D.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

Buy Now
Questions 28

A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?

Options:

A.

Searching for evidence themselves would not have any ill effects

B.

Searching could possibly crash the machine or device

C.

Searching creates cache files, which would hinder the investigation

D.

Searching can change date/time stamps

Buy Now
Questions 29

In a virtual test environment, Michael is testing the strength and security of BGP using multiple routers to mimic the backbone of the Internet. This project will help him write his doctoral thesis on "bringing down the Internet". Without sniffing the traffic between the routers, Michael sends millions of RESET packets to the routers in an attempt to shut one or all of them down. After a few hours, one of the routers finally shuts itself down. What will the other routers communicate between themselves?

Options:

A.

The change in the routing fabric to bypass the affected router

B.

More RESET packets to the affected router to get it to power back up

C.

RESTART packets to the affected router to get it to power back up

D.

STOP packets to all other routers warning of where the attack originated

Buy Now
Questions 30

Which of the following is NOT a part of pre-investigation phase?

Options:

A.

Building forensics workstation

B.

Gathering information about the incident

C.

Gathering evidence data

D.

Creating an investigation team

Buy Now
Questions 31

Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?

Options:

A.

Network

B.

Transport

C.

Physical

D.

Data Link

Buy Now
Questions 32

Why would a company issue a dongle with the software they sell?

Options:

A.

To provide source code protection

B.

To provide wireless functionality with the software

C.

To provide copyright protection

D.

To ensure that keyloggers cannot be used

Buy Now
Questions 33

While presenting his case to the court, Simon calls many witnesses to the stand to testify. Simon decides to call Hillary Taft, a lay witness, to the stand. Since Hillary is a lay witness, what field would she be considered an expert in?

Options:

A.

Technical material related to forensics

B.

No particular field

C.

Judging the character of defendants/victims

D.

Legal issues

Buy Now
Questions 34

Which of the following attacks allows an attacker to access restricted directories, including application source code, configuration and critical system files, and to execute commands outside of the web server’s root directory?

Options:

A.

Parameter/form tampering

B.

Unvalidated input

C.

Directory traversal

D.

Security misconfiguration

Buy Now
Questions 35

While looking through the IIS log file of a web server, you find the following entries:

What is evident from this log file?

Options:

A.

Web bugs

B.

Cross site scripting

C.

Hidden fields

D.

SQL injection is possible

Buy Now
Questions 36

What stage of the incident handling process involves reporting events?

Options:

A.

Containment

B.

Follow-up

C.

Identification

D.

Recovery

Buy Now
Questions 37

Madison is on trial for allegedly breaking into her university’s internal network. The police raided her dorm room and seized all of her computer equipment. Madison’s lawyer is trying to convince the judge that the seizure was unfounded and baseless. Under which US Amendment is Madison’s lawyer trying to prove the police violated?

Options:

A.

The 4th Amendment

B.

The 1st Amendment

C.

The 10th Amendment

D.

The 5th Amendment

Buy Now
Questions 38

Tyler is setting up a wireless network for his business that he runs out of his home. He has followed all the directions from the ISP as well as the wireless router manual. He does not have any encryption set and the SSID is being broadcast. On his laptop, he can pick up the wireless signal for short periods of time, but then the connection drops and the signal goes away.

Eventually the wireless signal shows back up, but drops intermittently. What could be Tyler issue with his home wireless network?

Options:

A.

Computers on his wired network

B.

Satellite television

C.

2.4Ghz Cordless phones

D.

CB radio

Buy Now
Questions 39

How many times can data be written to a DVD+R disk?

Options:

A.

Twice

B.

Once

C.

Zero

D.

Infinite

Buy Now
Questions 40

Which of the following Event Correlation Approach is an advanced correlation method that assumes and predicts what an attacker can do next after the attack by studying the statistics and probability and uses only two variables?

Options:

A.

Bayesian Correlation

B.

Vulnerability-Based Approach

C.

Rule-Based Approach

D.

Route Correlation

Buy Now
Questions 41

What hashing method is used to password protect Blackberry devices?

Options:

A.

AES

B.

RC5

C.

MD5

D.

SHA-1

Buy Now
Questions 42

Charles has accidentally deleted an important file while working on his Mac computer. He wants to recover the deleted file as it contains some of his crucial business secrets. Which of the following tool will help Charles?

Options:

A.

Xplico

B.

Colasoft’s Capsa

C.

FileSalvage

D.

DriveSpy

Buy Now
Questions 43

What type of attack sends spoofed UDP packets (instead of ping packets) with a fake source address to the IP broadcast address of a large network?

Options:

A.

Fraggle

B.

Smurf scan

C.

SYN flood

D.

Teardrop

Buy Now
Questions 44

Adam Is thinking of establishing a hospital In the US and approaches John, a software developer to build a site and host it for him on one of the servers, which would be used to store patient health records. He has learned from his legal advisors that he needs to have the server's log data reviewed and managed according to certain standards and regulations. Which of the following regulations are the legal advisors referring to?

Options:

A.

Data Protection Act of 2018

B.

Payment Card Industry Data Security Standard (PCI DSS)

C.

Electronic Communications Privacy Act

D.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Buy Now
Questions 45

To understand the impact of a malicious program after the booting process and to collect recent information from the disk partition, an Investigator should evaluate the content of the:

Options:

A.

MBR

B.

GRUB

C.

UEFI

D.

BIOS

Buy Now
Questions 46

When installed on a Windows machine, which port does the Tor browser use to establish a network connection via Tor nodes?

Options:

A.

7680

B.

49667/49668

C.

9150/9151

D.

49664/49665

Buy Now
Questions 47

Which of the following tools is used to dump the memory of a running process, either immediately or when an error condition occurs?

Options:

A.

FATKit

B.

Coreography

C.

Belkasoft Live RAM Capturer

D.

Cachelnf

Buy Now
Questions 48

Chloe is a forensic examiner who is currently cracking hashed passwords for a crucial mission and hopefully solve the case. She is using a lookup table used for recovering a plain text password from cipher text; it contains word list and brute-force list along with their computed hash values. Chloe Is also using a graphical generator that supports SHA1.

a. What password technique is being used?

b. What tool is Chloe using?

Options:

A.

Dictionary attack b. Cisco PIX

B.

Cain & Able b. Rten

C.

Brute-force b. MScache

D.

Rainbow Tables b. Winrtgen

Buy Now
Questions 49

For the purpose of preserving the evidentiary chain of custody, which of the following labels is not appropriate?

Options:

A.

Relevant circumstances surrounding the collection

B.

General description of the evidence

C.

Exact location the evidence was collected from

D.

SSN of the person collecting the evidence

Buy Now
Questions 50

"No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court" - this principle Is advocated by which of the following?

Options:

A.

The Association of Chief Police Officers (ACPO) Principles of Digital Evidence

B.

Locard's exchange principle

C.

Scientific Working Group on Imaging Technology (SWGIT)

D.

FBI Cyber Division

Buy Now
Questions 51

Fill In the missing Master Boot Record component.

1. Master boot code

2. Partition table

3._______________

Options:

A.

Boot loader

B.

Signature word

C.

Volume boot record

D.

Disk signature

Buy Now
Questions 52

Donald made an OS disk snapshot of a compromised Azure VM under a resource group being used by the affected company as a part of forensic analysis process. He then created a vhd file out of the snapshot and stored it in a file share and as a page blob as backup in a storage account under different region. What Is the next thing he should do as a security measure?

Options:

A.

Recommend changing the access policies followed by the company

B.

Delete the snapshot from the source resource group

C.

Delete the OS disk of the affected VM altogether

D.

Create another VM by using the snapshot

Buy Now
Questions 53

Rule 1002 of Federal Rules of Evidence (US) talks about_____

Options:

A.

Admissibility of original

B.

Admissibility of duplicates

C.

Requirement of original

D.

Admissibility of other evidence of contents

Buy Now
Questions 54

An investigator needs to perform data acquisition from a storage media without altering its contents to maintain the Integrity of the content. The approach adopted by the Investigator relies upon the capacity of enabling read-only access to the storage media. Which tool should the Investigator Integrate Into his/her procedures to accomplish this task?

Options:

A.

BitLocker

B.

Data duplication tool

C.

Backup tool

D.

Write blocker

Buy Now
Questions 55

Which of the following methods of mobile device data acquisition captures all the data present on the device, as well as all deleted data and access to unallocated space?

Options:

A.

Manual acquisition

B.

Logical acquisition

C.

Direct acquisition

D.

Physical acquisition

Buy Now
Questions 56

The working of the Tor browser is based on which of the following concepts?

Options:

A.

Both static and default routing

B.

Default routing

C.

Static routing

D.

Onion routing

Buy Now
Questions 57

A file requires 10 KB space to be saved on a hard disk partition. An entire cluster of 32 KB has been allocated for this file. The remaining, unused space of 22 KB on this cluster will be Identified as______.

Options:

A.

Swap space

B.

Cluster space

C.

Slack space

D.

Sector space

Buy Now
Questions 58

Which of the following directory contains the binary files or executables required for system maintenance and administrative tasks on a Linux system?

Options:

A.

/sbin

B.

/bin

C.

/usr

D.

/lib

Buy Now
Questions 59

You are the incident response manager at a regional bank. While performing routine auditing of web application logs, you find several attempted login submissions that contain the following strings:

What kind of attack has occurred?

Options:

A.

SQL injection

B.

Buffer overflow

C.

Cross-size scripting

D.

Cross-size request forgery

Buy Now
Questions 60

Before accessing digital evidence from victims, witnesses, or suspects, on their electronic devices, what should the Investigator do first to respect legal privacy requirements?

Options:

A.

Notify the fact to the local authority or employer

B.

Remove the battery or turn-off the device

C.

Protect the device against external communication

D.

Obtain formal written consent to search

Buy Now
Questions 61

During a forensic investigation, a large number of files were collected. The investigator needs to evaluate ownership and accountability of those files. Therefore, he begins to Identify attributes such as "author name," "organization name." "network name," or any additional supporting data that is meant for the owner's Identification purpose. Which term describes these attributes?

Options:

A.

Data header

B.

Data index

C.

Metabase

D.

Metadata

Buy Now
Questions 62

Consider a scenario where a forensic investigator is performing malware analysis on a memory dump acquired from a victims computer. The investigator uses Volatility Framework to analyze RAM contents; which plugin helps investigator to identify hidden processes or injected code/DLL in the memory dump?

Options:

A.

pslist

B.

malscan

C.

mallist

D.

malfind

Buy Now
Questions 63

Maria has executed a suspicious executable file In a controlled environment and wants to see if the file adds/modifies any registry value after execution via Windows Event Viewer. Which of the following event ID should she look for In this scenario?

Options:

A.

Event ID 4657

B.

Event ID 4624

C.

Event ID 4688

D.

Event ID 7040

Buy Now
Questions 64

Cloud forensic investigations impose challenges related to multi-jurisdiction and multi-tenancy aspects. To have a better understanding of the roles and responsibilities between the cloud service provider (CSP) and the client, which document should the forensic investigator review?

Options:

A.

Service level agreement

B.

Service level management

C.

National and local regulation

D.

Key performance indicator

Buy Now
Questions 65

______allows a forensic investigator to identify the missing links during investigation.

Options:

A.

Evidence preservation

B.

Chain of custody

C.

Evidence reconstruction

D.

Exhibit numbering

Buy Now
Questions 66

Frank, a cloud administrator in his company, needs to take backup of the OS disks of two Azure VMs that store business-critical data. Which type of Azure blob storage can he use for this purpose?

Options:

A.

Append blob

B.

Medium blob

C.

Block blob

D.

Page blob

Buy Now
Questions 67

The objective of this act was to protect consumers’ personal financial information held by financial institutions and their service providers.

Options:

A.

Gramm-Leach-Bliley Act

B.

Sarbanes-Oxley 2002

C.

California SB 1386

D.

HIPAA

Buy Now
Questions 68

After passing her CEH exam, Carol wants to ensure that her network is completely secure. She implements a DMZ, stateful firewall, NAT, IPSEC, and a packet filtering firewall. Since all security measures were taken, none of the hosts on her network can reach the Internet. Why is that?

Options:

A.

Stateful firewalls do not work with packet filtering firewalls

B.

NAT does not work with stateful firewalls

C.

IPSEC does not work with packet filtering firewalls

D.

NAT does not work with IPSEC

Buy Now
Questions 69

This organization maintains a database of hash signatures for known software.

Options:

A.

International Standards Organization

B.

Institute of Electrical and Electronics Engineers

C.

National Software Reference Library

D.

American National standards Institute

Buy Now
Questions 70

During the course of a corporate investigation, you find that an Employee is committing a crime.

Can the Employer file a criminal complaint with Police?

Options:

A.

Yes, and all evidence can be turned over to the police

B.

Yes, but only if you turn the evidence over to a federal law enforcement agency

C.

No, because the investigation was conducted without following standard police procedures

D.

No, because the investigation was conducted without warrant

Buy Now
Questions 71

Why should you note all cable connections for a computer you want to seize as evidence?

Options:

A.

to know what outside connections existed

B.

in case other devices were connected

C.

to know what peripheral devices exist

D.

to know what hardware existed

Buy Now
Questions 72

You work as a penetration tester for Hammond Security Consultants. You are currently working on a contract for the state government of California. Your next step is to initiate a DoS attack on their network. Why would you want to initiate a DoS attack on a system you are testing?

Options:

A.

Show outdated equipment so it can be replaced

B.

List weak points on their network

C.

Use attack as a launching point to penetrate deeper into the network

D.

Demonstrate that no system can be protected against DoS attacks

Buy Now
Questions 73

James is testing the ability of his routers to withstand DoS attacks. James sends ICMP ECHO requests to the broadcast address of his network. What type of DoS attack is James testing against his network?

Options:

A.

Smurf

B.

Trinoo

C.

Fraggle

D.

SYN flood

Buy Now
Questions 74

You are a security analyst performing a penetration tests for a company in the Midwest. After some initial reconnaissance, you discover the IP addresses of some Cisco routers used by the company. You type in the following URL that includes the IP address of one of the routers:

http://172.168.4.131/level/99/exec/show/config

After typing in this URL, you are presented with the entire configuration file for that router. What have you discovered?

Options:

A.

HTTP Configuration Arbitrary Administrative Access Vulnerability

B.

HTML Configuration Arbitrary Administrative Access Vulnerability

C.

Cisco IOS Arbitrary Administrative Access Online Vulnerability

D.

URL Obfuscation Arbitrary Administrative Access Vulnerability

Buy Now
Questions 75

In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?

Options:

A.

one who has NTFS 4 or 5 partitions

B.

one who uses dynamic swap file capability

C.

one who uses hard disk writes on IRQ 13 and 21

D.

one who has lots of allocation units per block or cluster

Buy Now
Questions 76

After passively scanning the network of Department of Defense (DoD), you switch over to active scanning to identify live hosts on their network. DoD is a large organization and should respond to any number of scans. You start an ICMP ping sweep by sending an IP packet to the broadcast address. Only five hosts respond to your ICMP pings; definitely not the number of hosts you were expecting. Why did this ping sweep only produce a few responses?

Options:

A.

Only IBM AS/400 will reply to this scan

B.

Only Windows systems will reply to this scan

C.

A switched network will not respond to packets sent to the broadcast address

D.

Only Unix and Unix-like systems will reply to this scan

Buy Now
Questions 77

A state department site was recently attacked and all the servers had their disks erased. The incident response team sealed the area and commenced investigation. During evidence collection they came across a zip disks that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they short listed possible suspects including three summer interns. Where did the incident team go wrong?

Options:

A.

They examined the actual evidence on an unrelated system

B.

They attempted to implicate personnel without proof

C.

They tampered with evidence by using it

D.

They called in the FBI without correlating with the fingerprint data

Buy Now
Questions 78

Volatile Memory is one of the leading problems for forensics. Worms such as code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?

Options:

A.

Use VMware to be able to capture the data in memory and examine it

B.

Give the Operating System a minimal amount of memory, forcing it to use a swap file

C.

Create a Separate partition of several hundred megabytes and place the swap file there

D.

Use intrusion forensic techniques to study memory resident infections

Buy Now
Questions 79

George is performing security analysis for Hammond and Sons LLC. He is testing security vulnerabilities of their wireless network. He plans on remaining as "stealthy" as possible during the scan. Why would a scanner like Nessus is not recommended in this situation?

Options:

A.

Nessus is too loud

B.

Nessus cannot perform wireless testing

C.

Nessus is not a network scanner

D.

There are no ways of performing a "stealthy" wireless scan

Buy Now
Questions 80

What does mactime, an essential part of the coroner's toolkit do?

Options:

A.

It traverses the file system and produces a listing of all files based on the modification, access and change timestamps

B.

It can recover deleted file space and search it for data. However, it does not allow the investigator to preview them

C.

The tools scans for i-node information, which is used by other tools in the tool kit

D.

It is too specific to the MAC OS and forms a core component of the toolkit

Buy Now
Questions 81

As a CHFI professional, which of the following is the most important to your professional reputation?

Options:

A.

Your Certifications

B.

The correct, successful management of each and every case

C.

The free that you charge

D.

The friendship of local law enforcement officers

Buy Now
Questions 82

In which implementation of RAID will the image of a Hardware RAID volume be different from the image taken separately from the disks?

Options:

A.

RAID 1

B.

The images will always be identical because data is mirrored for redundancy

C.

RAID 0

D.

It will always be different

Buy Now
Questions 83

Which of the following techniques delete the files permanently?

Options:

A.

Steganography

B.

Artifact Wiping

C.

Data Hiding

D.

Trail obfuscation

Buy Now
Questions 84

What does the bytes 0x0B-0x53 represent in the boot sector of NTFS volume on Windows 2000?

Options:

A.

Jump instruction and the OEM ID

B.

BIOS Parameter Block (BPB) and the OEM ID

C.

BIOS Parameter Block (BPB) and the extended BPB

D.

Bootstrap code and the end of the sector marker

Buy Now
Questions 85

BMP (Bitmap) is a standard file format for computers running the Windows operating system. BMP images can range from black and white (1 bit per pixel) up to 24 bit color (16.7 million colors). Each bitmap file contains a header, the RGBQUAD array, information header, and image data. Which of the following element specifies the dimensions, compression type, and color format for the bitmap?

Options:

A.

Information header

B.

Image data

C.

The RGBQUAD array

D.

Header

Buy Now
Questions 86

Which of the following standard represents a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases?

Options:

A.

SWGDE & SWGIT

B.

Daubert

C.

Frye

D.

IOCE

Buy Now
Questions 87

Which of the following tool can reverse machine code to assembly language?

Options:

A.

PEiD

B.

RAM Capturer

C.

IDA Pro

D.

Deep Log Analyzer

Buy Now
Questions 88

A section of your forensics lab houses several electrical and electronic equipment. Which type of fire extinguisher you must install in this area to contain any fire incident?

Options:

A.

Class B

B.

Class D

C.

Class C

D.

Class A

Buy Now
Questions 89

Which among the following web application threats is resulted when developers expose various internal implementation objects, such as files, directories, database records, or key-through references?

Options:

A.

Remote File Inclusion

B.

Cross Site Scripting

C.

Insecure Direct Object References

D.

Cross Site Request Forgery

Buy Now
Questions 90

Graphics Interchange Format (GIF) is a ____ RGB bitmap image format for images with up to 256 distinct colors per frame.

Options:

A.

8-bit

B.

32-bit

C.

16-bit

D.

24-bit

Buy Now
Questions 91

What is the investigator trying to view by issuing the command displayed in the following screenshot?

Options:

A.

List of services stopped

B.

List of services closed recently

C.

List of services recently started

D.

List of services installed

Buy Now
Questions 92

An investigator has found certain details after analysis of a mobile device. What can reveal the manufacturer information?

Options:

A.

Equipment Identity Register (EIR)

B.

Electronic Serial Number (ESN)

C.

International mobile subscriber identity (IMSI)

D.

Integrated circuit card identifier (ICCID)

Buy Now
Questions 93

Analyze the hex representation of mysql-bin.000013 file in the screenshot below. Which of the following will be an inference from this analysis?

Options:

A.

A user with username bad_guy has logged into the WordPress web application

B.

A WordPress user has been created with the username anonymous_hacker

C.

An attacker with name anonymous_hacker has replaced a user bad_guy in the WordPress database

D.

A WordPress user has been created with the username bad_guy

Buy Now
Questions 94

Which program uses different techniques to conceal a malware's code, thereby making it difficult for security mechanisms to detect or remove it?

Options:

A.

Dropper

B.

Packer

C.

Injector

D.

Obfuscator

Buy Now
Questions 95

In a Linux-based system, what does the command “Last -F” display?

Options:

A.

Login and logout times and dates of the system

B.

Last run processes

C.

Last functions performed

D.

Recently opened files

Buy Now
Questions 96

Which of the following files store the MySQL database data permanently, including the data that had been deleted, helping the forensic investigator in examining the case and finding the culprit?

Options:

A.

mysql-bin

B.

mysql-log

C.

iblog

D.

ibdata1

Buy Now
Questions 97

The MAC attributes are timestamps that refer to a time at which the file was last modified or last accessed or originally created. Which of the following file systems store MAC attributes in Coordinated Universal Time (UTC) format?

Options:

A.

File Allocation Table (FAT

B.

New Technology File System (NTFS)

C.

Hierarchical File System (HFS)

D.

Global File System (GFS)

Buy Now
Questions 98

Which of the following web browser uses the Extensible Storage Engine (ESE) database format to store browsing records, including history, cache, and cookies?

Options:

A.

Safari

B.

Mozilla Firefox

C.

Microsoft Edge

D.

Google Chrome

Buy Now
Questions 99

Email archiving is a systematic approach to save and protect the data contained in emails so that it can be accessed fast at a later date. There are two main archive types, namely Local Archive and Server Storage Archive. Which of the following statements is correct while dealing with local archives?

Options:

A.

Server storage archives are the server information and settings stored on a local system, whereas the local archives are the local email client information stored on the mail server

B.

It is difficult to deal with the webmail as there is no offline archive in most cases. So consult your counsel on the case as to the best way to approach and gain access to the required data on servers

C.

Local archives should be stored together with the server storage archives in order to be admissible in a court of law

D.

Local archives do not have evidentiary value as the email client may alter the message data

Buy Now
Questions 100

Data Files contain Multiple Data Pages, which are further divided into Page Header, Data Rows, and Offset Table. Which of the following is true for Data Rows?

Options:

A.

Data Rows store the actual data

B.

Data Rows present Page type. Page ID, and so on

C.

Data Rows point to the location of actual data

D.

Data Rows spreads data across multiple databases

Buy Now
Questions 101

Which of the following Perl scripts will help an investigator to access the executable image of a process?

Options:

A.

Lspd.pl

B.

Lpsi.pl

C.

Lspm.pl

D.

Lspi.pl

Buy Now
Questions 102

CAN-SPAM act requires that you:

Options:

A.

Don’t use deceptive subject lines

B.

Don’t tell the recipients where you are located

C.

Don’t identify the message as an ad

D.

Don’t use true header information

Buy Now
Questions 103

An investigator enters the command sqlcmd -S WIN-CQQMK62867E -e -s"," -E as part of collecting the primary data file and logs from a database. What does the "WIN-CQQMK62867E” represent?

Options:

A.

Name of the Database

B.

Name of SQL Server

C.

Operating system of the system

D.

Network credentials of the database

Buy Now
Questions 104

Which of the following is NOT an anti-forensics technique?

Options:

A.

Data Deduplication

B.

Steganography

C.

Encryption

D.

Password Protection

Buy Now
Questions 105

Which of the following tools is not a data acquisition hardware tool?

Options:

A.

UltraKit

B.

Atola Insight Forensic

C.

F-Response Imager

D.

Triage-Responder

Buy Now
Exam Code: 312-49v10
Exam Name: Computer Hacking Forensic Investigator (CHFI-v10)
Last Update: Dec 30, 2024
Questions: 704

PDF + Testing Engine

$134.99

Testing Engine

$99.99

PDF (Q&A)

$84.99