Computer Hacking Forensic Investigator (CHFI) Version 9

You can view DBX files in:

Options are :

  • Adobe Acrobat Reader
  • MS Outlook Express (Correct)
  • Thunderbird
  • Thundercats

Answer : MS Outlook Express

Explanation (Chapter 12): DBX files are viewed with Microsoft Outlook Express. Adobe Acrobat Reader is PDF. Thundercats was a cartoon in the 1980's. Thunderbird does not open DBX files.

The attorney that calls the witness to the stand is asking the questions.

Options are :

  • Expert testimony
  • Deposition
  • Direct examination (Correct)
  • Cross-examination

Answer : Direct examination

Explanation (Chapter 14): Direct examination occurs, when the attorney that calls the witness to the stand is asking the questions. Cross-Examination is when the attorney that did not call the witness to the stand is asking the questions. Deposition is not a form of asking questions of a witness. Expert testimony involves direct and cross examination, but is not the definition described in the question.

The default Google Drive installation location in Windows 10 OS.

Options are :

  • C:\Program Files (x86)\Google\Drive (Correct)
  • C:\Program Files (x64)\Google Driver
  • C:\Program Files (x86)\Google\Drive\Config
  • C:\Program Files\System 32\Google Drive

Answer : C:\Program Files (x86)\Google\Drive

Explanation Chapter 10: The other answers are made up paths.

The Linux bootloader is active in this stage.

Options are :

  • Bootloader stage (Correct)
  • BIOS stage
  • Kernel stage
  • GLUC stage

Answer : Bootloader stage

Explanation (Chapter 3): The Linux bootloader (LILO and GRUB) are active in the Bootloader stage as these load the Kernel. GLUC is not a stage of the Linux boot process.

This verifies the file system integrity of a volume, fixes logical file system errors, and is similar to the fsck command in Unix.

Options are :

  • lsck
  • Disk Integrity
  • RegEdit
  • CHKDSK (Correct)

Answer : CHKDSK

Explanation (Chapter 3): CHKDSK verifies the file system integrity of a volume, fixes logical file system errors, and is similar to the fsck command in Unix. RegEdit (Registry Editor) is used to load registry hives. lsck is made up as is Disk Integrity.

The $I file contains all of the following EXCEPT:

Options are :

  • the length of the file as 344 bytes long (Correct)
  • the original file path
  • the date the file was sent to the recycle bin
  • the original file size

Answer : the length of the file as 344 bytes long

Explanation (Chapter 5): The $I file is 544 bytes long. In Windows 7 and Vista, when a file is deleted, it is renamed $R, followed by random characters, then the file extension. At the same time, a $I file is created that contains the same random characters and the same file extension.

This contains the Google Drive version, the local sync root path, and user’s email address.

Options are :

  • Sync_config.db (Correct)
  • config.db
  • snapshot.db
  • sync_config.db

Answer : Sync_config.db

Explanation Chapter 10: Sync_config.db is correct. The sync_config.db stores details about local entry and cloud entry along with snapshot.db. config.db is made up.

A web analytics solution for small and medium sized websites.

Options are :

  • Clickfunnels
  • XRY Log
  • Deep Log Analyzer (Correct)
  • LAN Who

Answer : Deep Log Analyzer

Explanation (Chapter 8): The Deep Log Analyzer is a web analytics solution for small and medium sized websites. XRY Log is used for mobile device extraction. Clickfunnels is a software used to build sales funnels. LAN Who is made up. There is a LAN Whois, but this is not listed and is not a web analytics solution.

Jv16 tool is used for:

Options are :

  • registry (Correct)
  • dynamic analysis
  • bit-to-bit mapping
  • malware reversing

Answer : registry

Explanation (Chapter 11): jv16 is a registry tool. It is not used for malware analysis or reversing, and also is not used to make bit copies. Remember that it is not used for malware for your CHFI exam.

This contains executables, libraries, Program Files, LiNK files, links of user profiles, and application shortcuts in Dropbox.

Options are :

  • Dropbox.dbl
  • Program File
  • Dropbox Client (Correct)
  • Google Client

Answer : Dropbox Client

Explanation Chapter 10: Dropbox Client is correct. The question asks about Dropbox, so the Google Client answer is obviously incorrect. Dropbox.dbl is made up and Program File is also incorrect.

The installation of Google Drive Client Version in Windows 10 creates this (choose the best answer):

Options are :

  • config.exe
  • problems
  • gd.exe
  • Sync_log.log (Correct)

Answer : Sync_log.log

Explanation Chapter 10: The Sync_log.log file is created. This file contains information about the client sync session. Problems is wrong for obvious reasons. The other two answers are made up.

This is an IDS:

Options are :

  • Accountix Pro
  • Nikto 1000
  • Snort (Correct)
  • Kismet

Answer : Snort

Explanation (Chapter 8): Snort is a popular IDS. Kismet is for wireless sniffing. Accountix Pro and Nikto 1000 are made up and are incorrect.

This has journaling:

Options are :

  • FAT32
  • EXT1
  • FAT
  • NTFS (Correct)

Answer : NTFS

Explanation (Chapter 3): NTFS is the only answer here that offers journaling. EXT3 offers journaling, not EXT1. FAT and FAT32 also do not offer journaling.

This tool is used to open registry hives.

Options are :

  • MySQLlog Editor
  • Registry Editor (Correct)
  • Reg_HIV OpenPS
  • Hiveopener 3000

Answer : Registry Editor

Explanation (Chapter 5): Registry Editor is used to open registry hives (hives start with HKEY..). The other answers are made up and are incorrect.

The forensic investigator uses this command to see what sessions are open.

Options are :

  • net open
  • net run
  • net session (Correct)
  • net sessioning

Answer : net session

Explanation (Chapter 8): The net session command can be used to verify users with open sessions and to see all open sessions.

You can use this to see the last access time change for Windows 10.

Options are :

  • reg.exe
  • devcon
  • wmic service
  • fsutil (Correct)

Answer : fsutil

Explanation (Chapter 6): fsutil can be used to see the last access time change for Windows 10. reg.exe is Window's Console Registry Tool. WMIC stands for Windows Management Instrumentation Command-line, "wmic service" is not valid. devcon (devcon.exe) is a command used in Windows to see details about connected devices.

Exchange server email header information is located here.

Options are :

  • PRIV.EDB (Correct)
  • PUB.EDB
  • PRIB.EDB
  • PRIV.STM

Answer : PRIV.EDB

Explanation (Chapter 12) The PRIV.EDB file contains the message headers, message text, and standard attachments. PRIV.STM is for streaming MIME content (video, audio, etc...). PUB.EDB is a database file that stores hierarchies. PRIB.EDB is made up and is incorrect.

This displays all commands stored in memory.

Options are :

  • memory key command
  • doskey history (Correct)
  • Regedit
  • -l display

Answer : doskey history

Explanation (Chapter 6): The doskey history displays all commands stored in memory. Regedit is used to edit the System Registry. The memory key command and -l display are made up.

You can detect Trojans with which of the following?

Options are :

  • Tripwire
  • Regshot
  • Belkasoft RAM Cap
  • Capsa (Correct)

Answer : Capsa

Explanation (Chapter 11): Capsa can be used to detect Trojans. Tripwire is for file integrity, Belkasoft RAM Capturer is self-explanatory, and Regshot monitors registry changes.

UTC stands for:

Options are :

  • Universal Computer Time
  • Coordinated Universal Time (Correct)
  • Coordinated User Time
  • Universal Coordinate Tasks

Answer : Coordinated Universal Time

Explanation (Chapter 6): UTC stands for Coordinated Universal Time. The other choices are made up answers.

These files are located within an instance (n) of Dropbox folder in AppData of the user’s profile.

Options are :

  • configuration (Correct)
  • executables
  • n-instance files
  • user files

Answer : configuration

Explanation Chapter 10: configuration files are correct. No other files listed are located within the instance.

This contains the manufacturer’s information (choose the best answer).

Options are :

  • IMSI
  • EIR
  • ICCID
  • ESN (Correct)

Answer : ESN

Explanation (Chapter 13): The ESN (Electronic Serial Number) has the manufacturer’s code. ICCID (Integrated Circuit Card Identifier) is printed on the SIM to identify the SIM internationally. EIR is made up. IMSI (International Mobile Subscriber Identity) defines the subscriber in the wireless world, including the country and mobile network that the subscriber belongs to.

This Tasklist command specifies the name or IP address of a remote computer.

Options are :

  • /v
  • /s (Correct)
  • /r
  • /u

Answer : /s

Explanation (Chapter 6): The /s command specifies the name or IP address of a remote computer. The /v specifies that verbose task information be displayed in the output. The /u command runs the command with the account permissions of the specified user. The /r command is made up.

When a FAT file is deleted, what is placed at the front?

Options are :

  • EH5
  • ELH
  • ESH
  • E5H (Correct)

Answer : E5H

Explanation (Chapter 5): E5H is put at the front of a deleted FAT file. The other answers are incorrect because they do not contain the correct sequence.

Google Drive Configuration files are stored at this path:

Options are :

  • C:\Google Drive\
  • C:\Google\Drive\User\Default
  • C:\Users\AppData\Local\Google Drive\user
  • C:\Users\\AppData\Local\Google\Drive\user_default (Correct)

Answer : C:\Users\\AppData\Local\Google\Drive\user_default

Explanation Chapter 10: The other answers are made up.

Dropbox Client path:

Options are :

  • C:\Dropbox\Client
  • C:\Program Files\Dropbox\Client
  • C:\Dropbox\Client\Config
  • C:\Program Files(x86)\Dropbox\Client (Correct)

Answer : C:\Program Files(x86)\Dropbox\Client

Explanation Chapter 10: The other paths are made up.

This does not use OLE.

Options are :

  • Word
  • PDF (Correct)
  • MS Office
  • Excel

Answer : PDF

Explanation (Chapter 3): OLE (Object Linking and Embedding) is not used in PDF, but is used in Microsoft Office applications, specifically Word and Excel.

This is the default folder path for used for syncing files in Dropbox.

Options are :

  • C:\Users\Admin\sync\Dropbox\Client
  • C:\Users\Dropbox\sync.config
  • C:\Users\\Dropbox (Correct)
  • C:\Dropbox\Client\sync

Answer : C:\Users\\Dropbox

Explanation Chapter 10: The other answers are made up.

This can do data acquisition and duplication.

Options are :

  • Drivespy (Correct)
  • wireshark
  • Capsa
  • Xplico

Answer : Drivespy

Explanation (Chapter 4): Drivespy can do data acquisition and duplication. Wireshark is for network sniffing. Capsa is a network analyzer and can detect Trojans. Xplico is a network forensics analysis tool.

A hacker commits a DDoS attack against a specific IP address of a company’s Web server.  This is considered what type of attack?

Options are :

  • APT attack
  • Network attack (Correct)
  • Web application attack
  • IDS attack

Answer : Network attack

Explanation (Chapter 7 and 8): The attack is against a specific IP address and is not exploiting an application vulnerability (notice it shows Web application attack in the other answer), so it would fall under the realm of a network attack. The DDoS attack may also be affecting an IDS, but that is not the true target of the attack described. It could be an APT (Advanced Persistent Threat) group performing the attack, but it could also just be a simple teenager.

The first __ bits of the ESN is the manufacturer’s code.

Options are :

  • 24 bits
  • 32 bits
  • 8 bits (Correct)
  • 16 bits

Answer : 8 bits

Explanation (Chapter 13): The first 8 bits of the ESN is the manufacturer’s code. The other answers are made up and are incorrect.

This is part of Metasploit that can be used to hide data in the slack space of FAT and NTFS.

Options are :

  • FragFS
  • WaffenFS
  • Slacker (Correct)
  • RuneFS

Answer : Slacker

Explanation (Note: the only Metasploit tool mentioned in the ECC official material is Timestomp-- used to change the timestamp, mentioned in Chapter 5, but you will likely see Slacker mentioned on the exam. Welcome to ECC exams): Slacker is the tool in Metasploit that will hide data in the slack space of FAT or NTFS file systems, WaffenFS stores data in the EXT3 journal file, FragFS hides data within the NTFS Master file table, RuneFS stores data in bad blocks.

GIF has how many bits per pixel.

Options are :

  • 16
  • 24
  • 8 (Correct)
  • 32

Answer : 8

Explanation (Chapter 3): GIF has 8 bits per pixel and 256 colors per frame.

What file type is this? FF D8 FF E1

Options are :

  • BMP
  • GIF
  • PNG
  • JPEG (Correct)

Answer : JPEG

Explanation (Chapter 3): The FF D8 FF is the hex format for JPEG files. BMP starts with 42 4d. GIF starts with 47 49 46. PNG starts with 89 50 4e.

A deleted file in the Recycle Bin is named RIYH6VR.doc .  This tells us:

Options are :

  • The file was deleted with Recuva
  • The deleted file is a document file (Correct)
  • none of the above
  • The file was deleted from the Y drive in the 6th order

Answer : The deleted file is a document file

Explanation (Chapter 5): We can infer that this is a document file, based on the extension of .doc. Recuva does not leave a particular file name when performing recovery. The other answers do not make sense, since we do not see Dy5, which indicate a file deleted form the Y drive in the 6th order, and since we know this is a document file.

This is a type of anti-forensic technique with malware.

Options are :

  • vacationing
  • static analysis
  • packing (Correct)
  • $Rxyte provisioning

Answer : packing

Explanation (Chapter 5 and Chapter 11): Many attackers use a packer to try and prevent forensic analysis of the malware. Static analysis is a form of malware analysis. The other two choices are made up and are incorrect.

A small law firm suspects an incident, where there was potential criminal action, and wants to investigate themselves.  Why should they avoid doing so? (choose the best answer)

Options are :

  • law firms should not perform digital forensic investigations
  • they may alter the date or timestamp information of the evidence (Correct)
  • they can prosecute the attack
  • they have a conflict of interest, since they are involved in real estate law

Answer : they may alter the date or timestamp information of the evidence

Explanation (Chapter 2): The law firm may alter the data, so it will then be inadmissible in a criminal case.

These are saved in the installation folder in the user profile for Google Drive.

Options are :

  • Backup files
  • Configuration files (Correct)
  • image files
  • Log files

Answer : Configuration files

Explanation Chapter 10: Configuration files is correct. The other files are not saved in the installation folder.

Comment / Suggestion Section
Point our Mistakes and Post Your Suggestions