Computer Hacking Forensic Investigator (CHFI) Version 9

A deposition is different from a regular trial in that:

Options are :

  • Both attorneys are present (Correct)
  • A judge is present
  • The jury is present
  • Both the judge and jury are present

Answer : Both attorneys are present

Explanation (Chapter 14): In a deposition both attorneys are present, but no judge or jury; the testimony is taken under oath outside the courtroom. The other answers are incorrect because a judge and/or jury are present only at trial. This is found in Chapter 14 of the official EC-Council material.

This rule governs proceedings in the courts of the United States.

Options are :

  • Rule 101 (Correct)
  • Rule 103
  • Rule 493
  • Rule 622

Answer : Rule 101

Explanation (Chapter 1): Rule 101 (Scope) of the Federal Rules of Evidence states that the rules govern proceedings in the courts of the United States. Rule 103 covers Rulings on Evidence. Rule 493 and Rule 622 do not exist in the Federal Rules of Evidence and are incorrect.

HFS+ uses:

Options are :

  • b-tree structure to store data (Correct)
  • UEFI
  • Windows OS
  • MBR partitions

Answer : b-tree structure to store data

Explanation (Chapter 3): HFS+ (Mac OS) stores its metadata in B-tree structures: the catalog file, the extents overflow file and the attributes file are all B-trees. Windows OS is wrong, since HFS+ is an Apple file system. UEFI is boot firmware and MBR is a partition scheme; neither is a data structure HFS+ uses to store data.

Jennifer needs to repair and recover bad disk sectors.  Which tool should she use?

Options are :

  • Total Recall
  • Quick Recovery (Correct)
  • Windows Super File Recovery
  • File Salvage

Answer : Quick Recovery

Explanation (Chapter 5): Quick Recovery repairs and recovers bad disk sectors, and files that are lost, deleted, corrupted, or deteriorated. Windows Super File Recovery is made up. Total Recall can be used for RAID. File Salvage is used to recover files in Mac OS.

John wants to root an Apple phone.  Which tool should he use?

Options are :

  • RescuRoot
  • RedSn0w (Correct)
  • TowelRoot
  • OneClickRoot

Answer : RedSn0w

Explanation (Chapter 13): RedSn0w is a jailbreak tool for iOS devices; the EC-Council text describes this as rooting an Apple phone. One trick for the exam: a tool with "root" in its name (TowelRoot, OneClickRoot) is almost always an Android rooting tool, while iOS tools are called jailbreaks.

Which command can be used to look for suspicious connections and the process ID?

Options are :

  • netstat -nan
  • netrenew -ano
  • netgift -ano
  • netstat -ano (Correct)

Answer : netstat -ano

Explanation (Chapter 6): netstat -ano lists all connections and listening ports (-a) in numeric form (-n) together with the owning process ID (-o), which is what ties a suspicious connection back to a process (tasklist /FI "PID eq <pid>" then names the executable). netgift and netrenew are made-up commands and are incorrect. netstat -nan only repeats the -n switch and omits -o, so it would not show the process ID.
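Beyond reading the listing by eye, an investigator usually wants to parse it and correlate the PID column with a process list. The Python below is an added example, not part of the EC-Council material: it parses a constructed netstat -ano listing (the sample text and the PID-to-image mapping are made up, not a real capture) and flags ESTABLISHED connections to public addresses on ports outside a small allowlist. The allowlist and the suspicion rule are assumptions for illustration and should be tuned to the environment.

```python
import ipaddress
from collections import namedtuple

Connection = namedtuple(
    "Connection", "proto local_ip local_port remote_ip remote_port state pid")

# Constructed sample of "netstat -ano" output (made up, not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     40.97.150.34:443       ESTABLISHED     4520
  TCP    192.168.1.20:49801     185.220.101.7:4444     ESTABLISHED     6012
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1204
"""

# Constructed PID-to-image mapping, as "tasklist" would report it (hypothetical).
SAMPLE_TASKLIST = {4: "System", 912: "svchost.exe", 1204: "svchost.exe",
                   4520: "OUTLOOK.EXE", 6012: "update.exe"}

# Remote ports treated as unremarkable for an ESTABLISHED outbound connection
# (assumption for illustration; tune to the environment).
COMMON_REMOTE_PORTS = {25, 53, 80, 110, 143, 443, 587, 993, 995}


def _split_endpoint(endpoint):
    """Split 'host:port' into (host, port); handles '[::]:445' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano rows into Connection tuples; banner/header lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        if proto == "TCP":                 # TCP rows carry a State column
            state, pid = fields[3], int(fields[4])
        else:                              # UDP rows have no State column
            state, pid = "", int(fields[3])
        local_ip, local_port = _split_endpoint(local)
        remote_ip, remote_port = _split_endpoint(remote)
        conns.append(Connection(proto, local_ip, local_port,
                                remote_ip, remote_port, state, pid))
    return conns


def find_suspicious(conns, pid_to_image, common_ports=COMMON_REMOTE_PORTS):
    """Flag ESTABLISHED connections to non-private hosts on uncommon remote ports,
    and attach the owning process name so the PID can be followed up."""
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED" or c.remote_port is None:
            continue
        try:
            remote = ipaddress.ip_address(c.remote_ip)
        except ValueError:
            continue
        if remote.is_private or remote.is_loopback:
            continue
        if c.remote_port not in common_ports:
            image = pid_to_image.get(c.pid, "<unknown>")
            findings.append((c, image,
                             f"established to {c.remote_ip}:{c.remote_port} "
                             f"by PID {c.pid} ({image})"))
    return findings


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for conn, image, reason in find_suspicious(conns, SAMPLE_TASKLIST):
        print(reason)
```

On a live system the two inputs come from `netstat -ano` and `tasklist` run from a known-good toolkit; the rule above would flag the connection owned by update.exe to port 4444 while leaving the mail client's HTTPS session alone.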

Which of the following is known for providing quick and deep scanning?

Options are :

  • Advanced Disk Recovery (Correct)
  • Recover My Files
  • EaseUS
  • EaseUK

Answer : Advanced Disk Recovery

Explanation (Chapter 2 and Chapter 5): Advanced Disk Recovery offers two scan modes, quick and deep. Recover My Files offers on-the-fly preview of recoverable data. EaseUS supports large hard disks. EaseUK is made up and is incorrect.

For Windows 2000, deleted files are found in:

Options are :

  • C:\$Recycle.Bin
  • C:/Recycler
  • C:\Recycler (Correct)
  • C:\Recycle.Bin$

Answer : C:\Recycler

Explanation (Chapter 5): In Windows 2000, XP, and NT, deleted files are kept in C:\Recycler (on Windows 95/98/ME the folder was C:\Recycled). In Windows Vista, 7, 8, and 10 the location is C:\$Recycle.Bin. The other two paths are made up and incorrect.

In Windows Server 2012 (IIS), log files are stored at:

Options are :

  • %SystemDrive%\Logs\LogFiles
  • %SystemDrive\inetpub\Logs\LogFiles
  • %SystemDrive%\inetpub\Logs\LogFiles (Correct)
  • SystemDrive%\inetpub\Logs\LogFiles

Answer : %SystemDrive%\inetpub\Logs\LogFiles

Explanation (Chapter 8): IIS on Windows Server 2012 stores its log files under %SystemDrive%\inetpub\Logs\LogFiles, with one subfolder per site (for example W3SVC1) holding W3C-format log files. Memorize this path for the CHFI exam. Two of the other answers are missing a percent sign (%) around SystemDrive, and the remaining one is missing inetpub, so all three are incorrect.
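Knowing the path is only useful if you can read what is in it. IIS writes W3C extended format logs: a #Fields directive names the columns, a hyphen marks an empty value and '+' stands in for spaces inside a value. The Python below is an added example, not from the EC-Council text: it parses a constructed log fragment (the four requests are made up) using the #Fields line rather than hard-coded column positions, then flags requests that show injection or scanner indicators. The patterns and scanner names are illustrative assumptions, not an exhaustive rule set.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS W3C log fragment (made-up requests, not a real server log).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2016-03-01 10:15:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-03-01 10:15:01 10.0.0.5 GET /index.html - 80 - 203.0.113.9 Mozilla/5.0 - 200 0 0 15
2016-03-01 10:15:03 10.0.0.5 GET /login.aspx id=1'+OR+'1'='1 80 - 203.0.113.9 sqlmap/1.0 - 500 0 0 120
2016-03-01 10:15:04 10.0.0.5 GET /upload/cmd.aspx c=whoami 80 - 203.0.113.9 Mozilla/5.0 - 200 0 0 45
2016-03-01 10:15:06 10.0.0.5 POST /login.aspx - 80 - 198.51.100.4 Mozilla/5.0 - 302 0 0 30
"""

# Illustrative indicators (assumptions, not an exhaustive rule set).
ATTACK_PATTERNS = (
    (re.compile(r"'\s*or\s*'", re.I), "SQL injection (tautology)"),
    (re.compile(r"union\s+select", re.I), "SQL injection (UNION)"),
    (re.compile(r"\.\./|\.\.\\"), "path traversal"),
    (re.compile(r"\b(whoami|cmd\.exe|powershell)\b", re.I), "command execution"),
)
SCANNER_AGENTS = ("sqlmap", "nikto", "nmap")


def _decode(value):
    """IIS writes '-' for an empty field and '+' for a space inside a field."""
    return "" if value == "-" else unquote_plus(value)


def parse_iis_log(text):
    """Parse W3C extended log lines using the #Fields directive for column names."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                         # other directives carry no request data
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                         # malformed row; count these in real use
        rec = dict(zip(fields, values))
        for key in ("cs-uri-query", "cs(User-Agent)", "cs(Referer)", "cs-username"):
            rec[key] = _decode(rec[key])
        rec["sc-status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def flag_requests(records):
    """Return (record, reasons) for requests that match any indicator."""
    findings = []
    for rec in records:
        reasons = []
        target = rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]
        for pattern, label in ATTACK_PATTERNS:
            if pattern.search(target):
                reasons.append(label)
        agent = rec["cs(User-Agent)"].lower()
        if any(tool in agent for tool in SCANNER_AGENTS):
            reasons.append("scanner user agent")
        if rec["sc-status"] >= 500:
            reasons.append("server error")   # often the noise an injection attempt leaves
        if reasons:
            findings.append((rec, reasons))
    return findings


def requests_per_client(records):
    """Request count per client IP, to spot the noisy source quickly."""
    return Counter(rec["c-ip"] for rec in records)


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_IIS_LOG)
    for rec, reasons in flag_requests(recs):
        print(rec["time"], rec["c-ip"], rec["cs-uri-stem"], "->", ", ".join(reasons))
    print(requests_per_client(recs).most_common(1))
```

Driving the parser from the #Fields line matters in practice because administrators can change which columns IIS logs; a parser with fixed positions silently reads the wrong column after such a change.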

Simple, sequential, flat files of a data set is called:

Options are :

  • MBR format
  • Raw format (Correct)
  • First data format
  • Blank format

Answer : Raw format

Explanation (Chapter 4): Raw format creates simple, sequential, flat files of a data set; it is the bit-for-bit output produced by tools such as dd and carries no metadata of its own, so hashes and notes must be kept separately. The other formats listed are made up. MBR stands for Master Boot Record, a disk structure, not a file format.

This Microsoft Exchange archive data file contains message headers, message text, and standard attachments.

Options are :

  • PUB.EDB
  • PRIV.EDA
  • PRIV.EDB (Correct)
  • PRIV.STM

Answer : PRIV.EDB

Explanation (Chapter 12): PRIV.EDB contains the message headers, message text, and standard attachments. PRIV.STM contains the streaming MIME content (audio, video and other native Internet content). PUB.EDB is the database file that stores the public folder hierarchies. PRIV.EDA is a made-up file name. These names apply to Exchange 2000/2003; later versions dropped the .STM file.

This is a tool for Mac OS.

Options are :

  • Disk Utility (Correct)
  • Recover My Files
  • Windows Defender
  • File Ravage

Answer : Disk Utility

Explanation (Chapter 3): Disk Utility is the Mac OS tool used to get details about GPT partition tables. Recover My Files is for Windows. Windows Defender is an anti-malware program. File Ravage is made up and is incorrect (the real Mac recovery tool is File Salvage).

Sara wants to perform a deep scan that scans the entire system.  She should use:

Options are :

  • Total Recall
  • Recover My Files
  • DiskDigger
  • Advanced Disk Recovery (Correct)

Answer : Advanced Disk Recovery

Explanation (Chapter 2 and Chapter 5): Advanced Disk Recovery can be used to perform a deep scan of the entire system. Total Recall is used for RAID. DiskDigger is used for recovery and offers thumbnail previews. Recover My Files does not offer a quick and deep scan.

Data Rescue 4 is:

Options are :

  • a file recovery tool used for Mac (Correct)
  • a file recovery tool only for Windows
  • a new movie coming out
  • a new forensic tool used to sanitize digital media

Answer : a file recovery tool used for Mac

Explanation (Chapter 5): Data Rescue 4 is a file recovery tool used in Mac OS. The Windows answer is incorrect, since it is a Mac tool. A tool to sanitize digital media is incorrect, since this tool is used for recovery. The answer about a new movie coming out is incorrect and silly.

Disk Editor tools for file headers include all of the following EXCEPT:

Options are :

  • Hex Workshop
  • WinHex
  • Windows Hex Editor (Correct)
  • DiskEdit

Answer : Windows Hex Editor

Explanation (Chapter 3): Windows Hex Editor is a made-up name. Hex Workshop, WinHex and DiskEdit are all disk/hex editors that can be used to inspect file headers (the magic bytes that identify a file type regardless of its extension).

David needs to recover lost files from a USB flash drive.  Which tool will help him?

Options are :

  • Data Recovery Pro
  • DiskDigger (Correct)
  • EaseUS
  • Partition Ranger

Answer : DiskDigger

Explanation (Chapter 5): DiskDigger can help recover lost files from hard drives, memory cards, and USB flash drives. Data Recovery Pro recovers deleted emails and email attachments. EaseUS allows for precise searching. Partition Ranger is made up and is incorrect as well.

This can be used to dump password hashes from the SAM file.

Options are :

  • H_attack
  • PWdump7 (Correct)
  • WinHex
  • MBR v6

Answer : PWdump7

Explanation (Chapter 5): PWdump7 dumps the password hashes from the SAM file of a running Windows system; it must be run with administrative privileges. WinHex is a disk editor used to inspect file headers. MBR v6 and H_attack are made-up answers and are incorrect.

POP3 runs on port:

Options are :

  • 23
  • 110 (Correct)
  • 125
  • 25

Answer : 110

Explanation (Chapter 12): POP3 (Post Office Protocol version 3) runs on TCP port 110 (POP3 over TLS uses 995). SMTP is port 25 and Telnet is port 23. Port 125 is not used by POP3 and is incorrect.

This tool can be used to display details about GPT partition tables in Mac OS.

Options are :

  • DiskDigger
  • Recover My Files
  • Windows Super Disk Recovery
  • Disk Utility (Correct)

Answer : Disk Utility

Explanation (Chapter 3): Disk Utility displays details about GPT partition tables in Mac OS. Recover My Files is used for file recovery, not GPT partition table data. DiskDigger offers file recovery and also offers thumbnail previews. Windows Super Disk Recovery is made up and the question asks about Mac OS, so this answer is incorrect.

In this stage of the Linux boot process, information is retrieved from the CMOS chip.

Options are :

  • Bootloader
  • BEC
  • Kernel
  • BIOS (Correct)

Answer : BIOS

Explanation (Chapter 3): In the BIOS stage, the BIOS retrieves the configuration stored in the CMOS chip and performs the POST (power-on self-test). There is no BEC stage. In the Bootloader stage (for example GRUB), the kernel is loaded into memory. In the Kernel stage, the kernel mounts the real root file system and starts the init process.

What is not one of the three tiers of log management infrastructure?

Options are :

  • Log protection (Correct)
  • Log generation
  • Log monitoring
  • Log analysis/storage

Answer : Log protection

Explanation (Chapter 7): Log protection is not one of the three tiers of log management infrastructure (log generation; log analysis and storage; log monitoring). It is, however, one of the log management challenges. All the other choices are tiers of the log management infrastructure.

Lisa is investigating a phishing email attack at a company.  She knows the first step in the email investigation process is:

Options are :

  • examining email messages
  • obtaining a search warrant (Correct)
  • tracing the email origin
  • examining email logs

Answer : obtaining a search warrant

Explanation (Chapter 1 and Chapter 2): In the EC-Council process an investigator obtains a search warrant (or equivalent legal authorization) before starting an email investigation, as with any other digital investigation. All of the other steps (examining messages, tracing the origin, examining logs) come afterwards, since evidence gathered without the warrant may be inadmissible.

In FAT, the first letter of the deleted file name is replaced with:

Options are :

  • Exy
  • ESH
  • X5H
  • E5H (Correct)

Answer : E5H

Explanation (Chapter 5): In FAT, the OS marks a file as deleted by replacing the first byte of its directory entry (the first character of the name) with 0xE5 (written E5H in the EC-Council text). The remaining name characters, the starting cluster and the file size stay in the entry, and the data clusters are not wiped, which is what makes recovery possible until they are reused. The other answer choices are made up and are incorrect.
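The mechanism is easiest to see with the directory entry laid out byte by byte. The Python below is an added example, not from the EC-Council text: it builds a constructed FAT directory (two 32-byte short-name entries plus a terminating entry) and a small constructed data region, marks one entry deleted the way the OS does, parses the entries back out, and carves the deleted file's content on the assumption that its clusters were contiguous. The FAT chain itself is cleared on delete, so contiguity is an assumption that any undelete tool also makes. The cluster size, file names and contents are made up for illustration.

```python
import struct
from datetime import datetime

ENTRY_FMT = "<8s3sBBBHHHHHHHI"         # 32-byte FAT short-name directory entry
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 32
DELETED_MARK = 0xE5                     # E5H in the EC-Council text
ATTR_LFN = 0x0F                         # long-file-name piece, not a file record
BYTES_PER_CLUSTER = 512                 # assumed cluster size for the constructed volume


def fat_datetime(date_word, time_word):
    """Decode packed FAT date/time (2-second resolution); None if the field is blank."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    hour, minute, second = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    if month == 0 or day == 0:
        return None
    return datetime(year, month, day, hour, minute, second)


def parse_directory(raw):
    """Walk 32-byte entries, keeping live and deleted files and skipping LFN pieces."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        (name, ext, attr, _nt, _ctenth, _ctime, _cdate, _adate,
         clus_hi, wtime, wdate, clus_lo, size) = struct.unpack_from(ENTRY_FMT, raw, off)
        if name[0] == 0x00:
            break                                # 0x00: no more entries in this directory
        if attr == ATTR_LFN:
            continue
        deleted = name[0] == DELETED_MARK
        # Only the first byte was overwritten on delete; the rest of the name survives.
        stem = (b"?" + name[1:] if deleted else name).decode("ascii").rstrip()
        suffix = ext.decode("ascii").rstrip()
        entries.append({
            "name": stem + ("." + suffix if suffix else ""),
            "deleted": deleted,
            "attr": attr,
            "first_cluster": (clus_hi << 16) | clus_lo,
            "size": size,
            "modified": fat_datetime(wdate, wtime),
        })
    return entries


def carve_contiguous(data_region, entry, bytes_per_cluster=BYTES_PER_CLUSTER):
    """Recover a file's bytes from its first cluster and size. The FAT chain is
    cleared on delete, so this assumes the clusters were allocated contiguously."""
    start = (entry["first_cluster"] - 2) * bytes_per_cluster   # data area begins at cluster 2
    return bytes(data_region[start:start + entry["size"]])


# ---- constructed volume fragment (made up for this example) ----
def make_entry(name, ext, attr, first_cluster, size, wdate, wtime):
    return struct.pack(ENTRY_FMT, name.ljust(8).encode(), ext.ljust(3).encode(),
                       attr, 0, 0, 0, 0, 0, first_cluster >> 16, wtime, wdate,
                       first_cluster & 0xFFFF, size)

WDATE = ((2016 - 1980) << 9) | (3 << 5) | 1        # 2016-03-01
WTIME = (10 << 11) | (15 << 5)                     # 10:15:00
REPORT = b"Quarterly figures: revenue up 4%."
NOTES = b"svc-backup / Winter2016!"              # contents of the file that gets deleted

DATA_REGION = bytearray(4 * BYTES_PER_CLUSTER)
DATA_REGION[0:len(REPORT)] = REPORT                                    # cluster 2
DATA_REGION[BYTES_PER_CLUSTER:BYTES_PER_CLUSTER + len(NOTES)] = NOTES  # cluster 3

_live = make_entry("REPORT", "DOC", 0x20, 2, len(REPORT), WDATE, WTIME)
_gone = make_entry("SECRETS", "TXT", 0x20, 3, len(NOTES), WDATE, WTIME)
_gone = bytes([DELETED_MARK]) + _gone[1:]          # exactly what the OS does on delete
DIRECTORY = _live + _gone + bytes(ENTRY_SIZE)      # all-zero entry terminates the listing


if __name__ == "__main__":
    for e in parse_directory(DIRECTORY):
        flag = "DELETED" if e["deleted"] else "live"
        print(f"{e['name']:<13} {flag:<8} cluster={e['first_cluster']} "
              f"size={e['size']} modified={e['modified']}")
        if e["deleted"]:
            print("  carved:", carve_contiguous(DATA_REGION, e))
```

The first character comes back as "?" because it is genuinely gone from the short-name entry; on real volumes it can often be recovered from the long-file-name entries that precede the record, which this example skips.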

This approach monitors a computer and user's behavior for anomalies.

Options are :

  • Bayesian correlation
  • role-based (Correct)
  • Access-control based
  • Route correlation

Answer : role-based

Explanation (Chapter 7): A role-based approach monitors computer and user behavior for anomalies. Route correlation extracts the attack route information to single out other attack data. Bayesian correlation uses statistics and probability to predict the next steps of an attack. Access-control based is not one of the event correlation approaches and is incorrect.

Jason is an investigator with over 10 years of experience.  He needs to find a tool that will help him recover a RAID drive.  Which tool can help him?

Options are :

  • DiskDigger
  • Quick RAID Recovery
  • Quick Recovery
  • Total Recall (Correct)

Answer : Total Recall

Explanation (Chapter 5): Total Recall can be used to recover RAID drives. DiskDigger is used to recover files and offers thumbnail previews. Quick Recovery can recover password-protected files. The other answer is made up and is incorrect.

This tool can be used to restore emails.

Options are :

  • File Salvage
  • Quick Recovery
  • Total Recall
  • Data Recovery Pro (Correct)

Answer : Data Recovery Pro

Explanation (Chapter 5): Data Recovery Pro can be used to restore deleted emails and email attachments. Quick Recovery can be used to recover encrypted files and restore them. File Salvage recovers lost files in Mac OS. Total Recall can be used for RAID.

In Windows 98 and earlier, deleted files are named in Dxy.ext format.  What does the x stand for?

Options are :

  • file name
  • drive (Correct)
  • sequence number
  • original extension

Answer : drive

Explanation (Chapter 5): In the Dxy.ext format, x is the drive letter, y is the sequence number and ext is the original extension. For example, the first .doc file deleted from the C: drive becomes Dc0.doc. The original file name is not part of Dxy.ext (it is kept in the Recycle Bin's INFO/INFO2 index file), so that answer is incorrect, and the sequence number and original extension are the y and ext parts, not x.

The investigator has performed a bit-by-bit copy of a drive.  Now the investigator wants to look for unusual network services.  What command should be used?

Options are :

  • net start (Correct)
  • net stat
  • net session
  • netstat

Answer : net start

Explanation (Chapter 8): net start lists the services that are running, so it is used to look for unusual network services. netstat is used with switches such as -na to look for unusual listening TCP/UDP ports. net stat is not valid syntax. net session lists the open sessions with the machine.

Nasir is needing to recover lost data from RAID.  He knows that this tool will be needed.

Options are :

  • Comodo Programs Manager
  • Advanced Disk Recovery
  • Total Recall (Correct)
  • DiskDigger

Answer : Total Recall

Explanation (Chapter 5): Total Recall is used for RAID. Comodo Programs Manager is used for dynamic malware analysis. DiskDigger offers thumbnail previews of recovered files. Advanced Disk Recovery offers the Quick and Deep scans.

This tool restores deleted emails and email attachments.

Options are :

  • Data Recovery Pro (Correct)
  • Quick Recovery
  • R-Studio
  • Total Recall

Answer : Data Recovery Pro

Explanation (Chapter 5): Data Recovery Pro specifically mentions email recovery in its use. Total Recall can be used to recover RAID drives. R-Studio and Quick Recovery are general file recovery tools.

RAPID IMAGE 7020 X2 is designed to copy how many "Master" hard drives?

Options are :

  • two
  • one (Correct)
  • three
  • an unlimited amount, based on memory storage

Answer : one

Explanation (Chapter 2 and Chapter 4-- both have the same information): RAPID IMAGE 7020 X2 is designed to copy 1 Master hard drive and up to 19 Target hard drives. The other answers are incorrect, based on Chapter 2 of the EC-Council material.

Which Windows version can use UEFI-GPT or BIOS-MBR?

Options are :

  • 7
  • 10 (Correct)
  • 95
  • XP

Answer : 10

Explanation (Chapter 3): Windows 8 and later boot with either UEFI-GPT or BIOS-MBR, so 10 is the expected answer. The EC-Council text lists Windows XP, Vista and 7 as BIOS-MBR; in practice the 64-bit editions of Vista SP1 and 7 can also boot from UEFI firmware, but for the exam use the Chapter 3 table. Windows 95 is BIOS-MBR only.
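Whether a disk is BIOS-MBR or UEFI-GPT can be read from its first two sectors: a GPT disk carries a protective MBR whose single partition entry has type 0xEE, and the GPT header with the signature "EFI PART" sits at LBA 1. The Python below is an added example, not from the EC-Council material: it builds two constructed disk images (a BIOS-MBR disk with two NTFS partitions and a GPT disk with protective MBR plus header, both made up), parses the MBR partition table, and reports which scheme is in use. The partition type table is a small subset for readable output only.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55            # bytes 55 AA at offset 510
GPT_PROTECTIVE_TYPE = 0xEE
GPT_SIGNATURE = b"EFI PART"       # first 8 bytes of the GPT header at LBA 1
ENTRY_FMT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count

# Small subset of partition type codes, for readable output only.
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x82: "Linux swap", 0x83: "Linux", 0xAF: "HFS/HFS+",
              0xEE: "GPT protective"}


def parse_mbr(sector0):
    """Parse the four 16-byte partition entries at offset 446 and the 55AA signature."""
    if len(sector0) < SECTOR:
        raise ValueError("need the full first sector")
    signature_ok = struct.unpack_from("<H", sector0, 510)[0] == MBR_SIGNATURE
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector0, 446 + 16 * i)
        if ptype == 0x00:
            continue                                  # unused slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "type_name": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": signature_ok, "partitions": partitions}


def detect_scheme(image):
    """Classify a disk image by its first two sectors."""
    mbr = parse_mbr(image[:SECTOR])
    if not mbr["signature_ok"]:
        return "no valid MBR signature"
    if any(p["type"] == GPT_PROTECTIVE_TYPE for p in mbr["partitions"]):
        # Protective MBR present; confirm with the header at LBA 1 before trusting it.
        if image[SECTOR:SECTOR + len(GPT_SIGNATURE)] == GPT_SIGNATURE:
            return "UEFI-GPT"
        return "protective MBR without GPT header at LBA 1"
    return "BIOS-MBR"


# ---- constructed disk images (made up for this example) ----
def make_entry(status, ptype, lba_start, sectors):
    chs = b"\xfe\xff\xff"                            # CHS fields are ignored on LBA disks
    return struct.pack(ENTRY_FMT, status, chs, ptype, chs, lba_start, sectors)


def make_mbr(entries):
    table = b"".join(entries).ljust(64, b"\x00")    # pad unused slots
    return bytes(446) + table + struct.pack("<H", MBR_SIGNATURE)


# BIOS-MBR disk: active 100 MB system partition, then a larger NTFS volume.
BIOS_MBR_DISK = make_mbr([make_entry(0x80, 0x07, 2048, 204800),
                          make_entry(0x00, 0x07, 206848, 1_000_000)]) + bytes(SECTOR)

# UEFI-GPT disk: protective 0xEE entry covering the disk, GPT header at LBA 1.
GPT_LBA1 = (GPT_SIGNATURE + struct.pack("<I", 0x00010000)).ljust(SECTOR, b"\x00")  # rev 1.0
UEFI_GPT_DISK = make_mbr([make_entry(0x00, 0xEE, 1, 0xFFFFFFFF)]) + GPT_LBA1


if __name__ == "__main__":
    for label, disk in (("BIOS_MBR_DISK", BIOS_MBR_DISK), ("UEFI_GPT_DISK", UEFI_GPT_DISK)):
        print(label, "->", detect_scheme(disk))
        for p in parse_mbr(disk)["partitions"]:
            print(f"  #{p['index']} {p['type_name']:<15} boot={p['bootable']} "
                  f"start={p['lba_start']} sectors={p['sectors']}")
```

Checking the LBA 1 header rather than trusting the 0xEE entry alone matters on a forensic image: a wiped or damaged GPT header with an intact protective MBR is exactly the case where a tool that reads only sector 0 reports a partition layout that no longer exists.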

This rule covers limited admissibility.

Options are :

  • Rule 401
  • Rule 103
  • Rule 105 (Correct)
  • Rule 402

Answer : Rule 105

Explanation (Chapter 1): Rule 105 covers limited admissibility (limiting evidence that is not admissible against other parties or for other purposes). Rule 402 covers the general admissibility of relevant evidence. Rule 103 is for rulings on evidence. Rule 401 sets the test for relevant evidence and has nothing to do with limited admissibility.

This tool displays details about GPT partition tables in Mac OS.

Options are :

  • Disk Utility (Correct)
  • VFS Rider
  • DiskDrill
  • File Salvage

Answer : Disk Utility

Explanation (Chapter 3): Disk Utility is the only option that displays details about partition tables in Mac OS. VFS Rider is a made-up tool. DiskDrill can recover data from corrupted memory cards. File Salvage is also a Mac tool, but it is used for file recovery.

This can recover documents, even if Windows is reinstalled.

Options are :

  • Active@ File Recovery
  • UndeletePlus (Correct)
  • Pandora Recovery
  • R-Studio

Answer : UndeletePlus

Explanation (Chapter 2): UndeletePlus is the correct answer, since it can recover documents even after Windows has been reinstalled. Active@ File Recovery ships a bootable ISO image. Pandora Recovery allows you to recover from FAT- and NTFS-formatted drives. R-Studio can recover from heavily damaged systems.

David is looking for a tool that contains an ISO image, so he can burn a bootable CD.  What tool is he looking for?

Options are :

  • CD Boot
  • Data Rescue 4
  • Active@ File Recovery (Correct)
  • Pandora Recovery

Answer : Active@ File Recovery

Explanation (Chapter 5): Active@ File Recovery is the only answer here that contains a CD/DVD ISO image that allows you to burn a bootable CD.

Samuel has completed static analysis of a new malware strain.  He is now going to perform dynamic analysis.  Which tool can he use to monitor for installations, while performing dynamic analysis?

Options are :

  • SysAnalyzer (Correct)
  • Data Recovery Pro
  • jv16
  • Stellar Phoenix

Answer : SysAnalyzer

Explanation (Chapter 11): SysAnalyzer is used for dynamic malware analysis, specifically for monitoring what an installation changes on the system, as Comodo Programs Manager also does. jv16 is a Registry tool; know that for your exam. Data Recovery Pro and Stellar Phoenix are used for file recovery, not malware analysis.

This extracts data contained from an internet traffic capture.

Options are :

  • Xplico (Correct)
  • SysAnalyzer
  • X Data Extract
  • Web SysSol

Answer : Xplico

Explanation (Chapter 2): Xplico is a network forensics analysis tool that extracts this type of data. SysAnalyzer is for malware analysis. The other two answers are made up tools and are incorrect.

jv16 can be used for:

Options are :

  • registry (Correct)
  • VFS
  • Static Malware analysis
  • EFI

Answer : registry

Explanation (Chapter 11): jv16 PowerTools is a Registry tool; memorize this for your exam. Virtual file system (VFS) and EFI are not what it is used for. jv16 is not a malware analysis tool, static or dynamic.

This tool recovers all file types from a HFS formatted drive.

Options are :

  • Data Rescue 4 (Correct)
  • Disk Utility
  • Recuva
  • Total Recall

Answer : Data Rescue 4

Explanation (Chapter 5): Data Rescue 4 is the Mac OS tool listed that recovers all file types from HFS-formatted drives. Total Recall is for RAID. Recuva is a Windows tool. Disk Utility shows partition and volume details but is not a file recovery tool.

Jamie needs a tool that can recover files with their original file name.

Options are :

  • SysAnalyzer
  • DiskDigger
  • Stellar Phoenix (Correct)
  • Total Recall

Answer : Stellar Phoenix

Explanation (Chapter 5): The correct answer is Stellar Phoenix. SysAnalyzer is used for malware analysis. Total Recall is used for RAID. DiskDigger offers the thumbnail previews.

Jennifer is an investigator with the FBI. She is performing dynamic analysis on malware and wants to know the dependencies.  What tool should she use?

Options are :

  • Dependency Walker (Correct)
  • Dependency Crawler
  • jv16 Power Tools
  • Xplico

Answer : Dependency Walker

Explanation (Chapter 11): Dependency Walker is the correct answer. Dependency Crawler is made up. jv16 is used for Registry. Xplico is a network forensics analysis tool.

This is an open source NFAT.

Options are :

  • Install Watch
  • Xplico (Correct)
  • Comodo Programs Manager
  • Snort

Answer : Xplico

Explanation (Chapter 2): Xplico is an open-source Network Forensic Analysis Tool (NFAT): it rebuilds application data such as emails, HTTP sessions and VoIP calls from captured traffic. Comodo Programs Manager and Install Watch are used for dynamic malware analysis. Snort is an intrusion detection system, not an NFAT.

This tool can be used for dynamic malware analysis.

Options are :

  • R-Studio
  • EaseUS
  • MBR
  • Install Watch (Correct)

Answer : Install Watch

Explanation (Chapter 11): Install Watch is one of the tools that can be used for dynamic malware analysis, similar to SysAnalyzer and Comodo Programs Manager. R-Studio and EaseUS are used for recovery. MBR stands for Master Boot record and is not a tool.

This type of password attack uses a combination of dictionary and brute force techniques.

Options are :

  • rule-based
  • dictionary-brute
  • hybrid
  • syllable (Correct)

Answer : syllable

Explanation (Chapter 5): A syllable attack is the one that combines dictionary and brute force techniques: candidates are built by brute-forcing combinations of syllables, which reaches pronounceable passwords that are not dictionary words. "Dictionary-brute" is not a named attack type. A rule-based attack is used when the attacker already knows something about the password (a birthday, a pet's name, a length or character rule). A hybrid attack starts from a dictionary attack and appends numbers or symbols to each word; it is dictionary-based, not the brute force and dictionary combination the question asks about.
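The four attack types differ in how candidate passwords are generated, which is easier to see in code than in prose. The Python below is an added example, not from the EC-Council text: it implements a candidate generator for each type and runs them against constructed SHA-256 targets (the word list, the "known facts" fed to the rule-based generator, the mangling suffixes and the syllable set are all made up for illustration; SHA-256 is used only to check candidates, real password stores use salted, slow hashes). Note how the syllable attack reaches a pronounceable non-dictionary string ("rasuti") that the dictionary and hybrid generators never produce, and how the hybrid attack reaches "summer123" after a handful of candidates where character brute force would need billions.

```python
import hashlib
import itertools


def sha256_hex(text):
    """Hash used only to check candidates; real stores use salted, slow hashes."""
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(words):
    """Try each word list entry exactly as written."""
    yield from words


def hybrid_attack(words, suffixes=("", "1", "123", "!", "2016")):
    """Dictionary words with common appendages and capitalization (assumed mangling rules)."""
    for word in words:
        for suffix in suffixes:
            yield word + suffix
            yield word.capitalize() + suffix


def rule_based_attack(known):
    """Build candidates from facts known about the target, here a pet name and a
    birth year (hypothetical rule set)."""
    names = (known["pet"], known["pet"].capitalize())
    years = (known["birth_year"], known["birth_year"][-2:])
    for name in names:
        for year in years:
            for sep in ("", "_", "!"):
                yield f"{name}{sep}{year}"


SYLLABLES = ("ba", "ka", "lo", "mi", "ne", "ra", "su", "ti")   # constructed syllable set


def syllable_attack(syllables=SYLLABLES, max_parts=3):
    """Brute force over syllables instead of single characters, so pronounceable
    strings that are not dictionary words are reached long before a character
    brute force of the same length would find them."""
    for parts in range(1, max_parts + 1):
        for combo in itertools.product(syllables, repeat=parts):
            yield "".join(combo)


def crack(target_hash, candidates):
    """Return (matching candidate or None, number of candidates tried)."""
    tried = 0
    for candidate in candidates:
        tried += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, tried
    return None, tried


if __name__ == "__main__":
    words = ["winter", "summer", "password", "welcome"]   # constructed word list
    known = {"pet": "rex", "birth_year": "1984"}           # constructed facts about the target
    targets = {
        "dictionary": sha256_hex("summer"),
        "hybrid": sha256_hex("summer123"),
        "rule-based": sha256_hex("Rex_84"),
        "syllable": sha256_hex("rasuti"),
    }
    for label, generator in (
        ("dictionary", dictionary_attack(words)),
        ("hybrid", hybrid_attack(words)),
        ("rule-based", rule_based_attack(known)),
        ("syllable", syllable_attack()),
    ):
        found, tried = crack(targets[label], generator)
        print(f"{label:11s} found={found!r} after {tried} candidates")
```

Each generator is lazy, so the candidate space is never materialized; that is also how real cracking tools keep a syllable or hybrid run within memory while the candidate count grows geometrically with length.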

This can recover files from newly formatted drives.

Options are :

  • Recuva (Correct)
  • EaseUS
  • Pandora Recovery
  • Undelete Plus

Answer : Recuva

Explanation (Chapter 2 and Chapter 5): Recuva is the answer. Pandora Recovery allows you to recover from FAT and NTFS-formatted drives. EaseUS offers a precise search. Undelete Plus offers recovery even if Windows is reinstalled.

Max has arrived on scene and sees that the computer is turned on.  His first step should be to (choose the best answer):

Options are :

  • leave the computer on, but look at Task Manager to see if any programs are running
  • perform a bit by bit copy of the drive
  • power off the computer to preserve evidence
  • photograph the current computer state (Correct)

Answer : photograph the current computer state

Explanation (Chapter 2): The computer must be photographed to document its state before any evidence is gathered. Powering off the computer is wrong: if the computer is on, leave it on, since powering it down destroys volatile evidence (running processes, network connections, memory contents). The other answers are later steps in the investigation.
