Computer Hacking Forensic Investigator (CHFI) Version 9 Mock Test

Jonathan is an investigator, but he is not the first one on the scene.  He wants to show the path of evidence collected from the scene to the forensic lab.  What should he use?

Options are :

  • criminal report
  • exhibit numbering
  • Daubert standard report
  • chain of custody (Correct)

Answer : chain of custody

Explanation (Chapter 1 and Chapter 2): The chain of custody document is used to demonstrate the progression of evidence from the original evidence location to the forensic lab. Exhibit numbering is for marking evidence. Criminal report and Daubert standard report are made up answers.

This command can be used to analyze NetBIOS over TCP/IP activity.

Options are :

  • netstat -na
  • nbtstat -w
  • nbtstat -S (Correct)
  • net session

Answer : nbtstat -S

Explanation (Chapter 8): nbtstat -S can be used to analyze NetBIOS over TCP/IP activity. nbtstat -w is not a valid command. netstat and net session are not used for NetBIOS.

This is an abstract layer that resides on top of a complete file system and allows the client to access various file systems.

Options are :

  • VFS (Correct)
  • EXT
  • MBR
  • EXT2

Answer : VFS

Explanation (Chapter 3): Virtual File System (VFS) is the correct answer. MBR is the Master Boot Record. Both EXT and EXT2 are Linux file systems.

This requires financial institutions to protect their customers' information against security threats.

Options are :

  • SOX
  • GLBA (Correct)
  • NIST

Answer : GLBA

Explanation (Chapter 7): The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect their customers' information against security threats. HIPAA is for healthcare. SOX is to protect investors from account fraud. NIST is a set of standards for security policies, standards, and best practices.

MySQL server start and stop can be found in which log file?

Options are :

  • advanced log file
  • general query log file (Correct)
  • query6.log
  • mysqldump.log

Answer : general query log file

Explanation (Chapter 9): General Query log file is correct. The other answers are made up and are incorrect.

This command can be used to take a backup of the database.

Options are :

  • mysqldump (Correct)
  • myisamlog
  • mysqlexport
  • mysqlbackup

Answer : mysqldump

Explanation (Chapter 9): mysqldump is used to backup the database.

This was designed to replace ISO 9660 on optical media.

Options are :

  • ISO/IEC27001
  • UDF (Correct)
  • ISO 13491
  • CDFS

Answer : UDF

Explanation (Chapter 3): Universal Disk Format File System (UDF) was designed to replace the ISO 9660 file system on optical media. CDFS is a Linux file system. ISO/IEC 27001 is a standard.

SMTP normally runs on this port:

Options are :

  • 23
  • 143
  • 110
  • 25 (Correct)

Answer : 25

Explanation (Chapter 12): SMTP (Simple Mail Transfer Protocol) normally runs on port 25. Telnet is 23. POP3 is 110. Know your most common ports for the exam. You will probably only see one or two on there.

This tool can recover all types of lost files from disk or removable media.

Options are :

  • Capsa
  • Netlytic
  • Recova
  • Recuva (Correct)

Answer : Recuva

Explanation (Chapters 2 and 5): Recuva can be used to recover all types of lost files from disk or removable media. Capsa is a network analyzer. Netlytic and Recova are made up.

A warrantless seizure can be used when

Options are :

  • The destruction of evidence is imminent. (Correct)
  • The item being seized is not evidence of criminal activity.
  • The instruction of evidence is imminent.
  • Evidence is already collected.

Answer : The destruction of evidence is imminent.

Explanation (Chapter 2): According to the United States v. David, a warrantless seizure is used when the destruction of evidence is imminent and there is cause to believe that the item being seized constitutes evidence of criminal activity. If evidence is already collected, a warrant will generally not do any good and the evidence will likely be inadmissible. If no criminal activity has occurred then there is no justification to seize evidence. Instruction of evidence is a silly answer, since you are not instructing the evidence to do anything.

This stores information about the current hardware profile of the system.

Options are :



Explanation (Chapter 6): HKEY_CURRENT_CONFIG stores this information. HKEY_CURRENT_USER contains the configuration information related to the user currently logged on. HKEY_LOCAL_MACHINE contains most of the configuration information for installed software. HKEY_CURRENT_HARDWARE is a made up answer.

____ launched the CFTT.

Options are :

  • ECC
  • GLBA
  • NIST (Correct)

Answer : NIST

Explanation (Chapter 2): NIST launched the Computer Forensic Tool Testing Project (CFTT). ISO/IEC is a separate standards body. GLBA is the Gramm-Leach Bliley Act. ECC stands for EC-Council.

Johnny has been caught with child porn.  This investigation would be:

Options are :

  • Criminal AND Administrative
  • Civil
  • Criminal (Correct)
  • Administrative

Answer : Criminal

Explanation (Chapter 1): There is no indication that Johnny inappropriately used a work computer for this crime, so it would just be a criminal investigation. Child porn is a crime, so Civil and Administrative would not be the best choice here.

The first file system developed for Linux in 1992 was:

Options are :

  • HFS
  • NTFS
  • EXT (Correct)
  • EXT3

Answer : EXT

Explanation (Chapter 3): EXT is correct. HFS is for Mac OS. NTFS is for Windows. EXT3 came after EXT.

This TSK command lists file and directory names in a disk image.

Options are :

  • istat
  • fls (Correct)
  • fsstat
  • img_list

Answer : fls

Explanation (Chapter 3): fls is the command that lists file and directory names in a disk image. fsstat displays general details of a file system. istat displays details of a metadata structure. img_list is a made up answer.

Julie wants to use an open-source format.  What should she choose?

Options are :

  • AFF (Correct)
  • TFF
  • EnCase
  • AutoBahn 2.9

Answer : AFF

Explanation (Chapter 4): AFF (Advanced Forensics Format) is an open source format. Encase is a forensics tool. AutoBahn 2.9 sounds cool, but it is made up. Likewise, TFF is made up.

Registry Editor

Options are :

  • Registry 3000
  • RegEdit (Correct)
  • Reg 3000
  • Reg_1

Answer : RegEdit

Explanation (Chapter 6): The Registry Editor is also known by RegEdit. The other answers are made up and are incorrect.

Internal server error is error code:

Options are :

  • 503
  • 502
  • 500 (Correct)
  • 648

Answer : 500

Explanation (Chapter 8): Code 500 is the answer. 502 is Bad Gateway. 503 is Service Unavailable. 648 is made up.

David has been called to the stand to offer scientific testimony.  This is an example of:

Options are :

  • Pierre
  • Robert
  • Daubert
  • Frye (Correct)

Answer : Frye

Explanation (Chapter 14): This is an example of the Frye standard, which covers scientific testimony. Daubert is for Expert Witness testimony. Robert and Pierre are made up.

Richard wants to look for unusual network services.  What command should he use?

Options are :

  • nbtstat
  • net view
  • net start (Correct)
  • net stat

Answer : net start

Explanation (Chapter 8): The net start command can be used to look for unusual network services. nbtstat is for NetBIOS. net view is to review file shares and ensure their purpose. "netstat" would be used in combination with -na to see if TCP/UDP ports have unusual listening; however, the answer here is listed as "net stat," which is not proper syntax for this command.

Opposing attorney, that did not call the witness to the stand, is doing this:

Options are :

  • Frye
  • Cross-Examination (Correct)
  • Daubert
  • Direct-Examination

Answer : Cross-Examination

Explanation (Chapter 14): Cross-Examination is correct. Direct-Examination is when the attorney that called the witness to the stand is doing the questioning. Daubert is the standard on Expert Witness testimony and Frye is the standard on Scientific testimony.

PNG files start with a hex value of:

Options are :

  • 89 50 4e (Correct)
  • df 88 df
  • 54 dd 4f
  • 89 50 4d

Answer : 89 50 4e

Explanation (Chapter 3): PNG files start with a hex value of 89 50 4e. The other listed hex values are made up. Know the image hex values, especially JPEG, for the real exam.

This RAID level uses byte-level data striping across multiple drives and distributes parity information among all member drives.

Options are :

  • RAID 6
  • RAID 2
  • RAID 1
  • RAID 5 (Correct)

Answer : RAID 5

Explanation (Chapter 3): RAID 5 uses byte-level data striping across multiple drives and distributes parity information among all member drives. RAID 1 offers mirroring. RAID 2 does not implement parity, mirroring, or striping. RAID 6 is made up.

An attacker has used the cloud to commit a DDoS attack against the CSP.  This is:

Options are :

  • cloud as a tool
  • cloud as an object (Correct)
  • cloud as a subject
  • cloud DDoS use

Answer : cloud as an object

Explanation (Chapter 10): This action describes the cloud as an object. Cloud as a Subject refers to a crime in which attackers try to compromise the security of a cloud environment to steal data or inject malware. Cloud as a Tool is when an attacker uses one compromised cloud account to attack other accounts. Cloud DDoS use is just a form of attack and is not mentioned in the EC-Council text for Cloud Crime.

This tool can be used to recover from partition loss.

Options are :

  • File Salvage
  • EaseUS (Correct)
  • DiskDigger
  • Recover My Files

Answer : EaseUS

Explanation (Chapter 2 and Chapter 5): EaseUS can be used to recover files from partition loss. File Salvage is a Mac tool for recovery. Recovery My Files offers preview on-the-fly. DiskDigger offers thumbnail previews.

How many bits per pixel does GIF contain?

Options are :

  • 16
  • 64
  • 8 (Correct)
  • 32

Answer : 8

Explanation (Chapter 3): GIF contains 8 bits per pixel. The other answers are made up and are incorrect.

The attacker uses exploits to access other directories.  This is known as:

Options are :

  • Cookie poisoning
  • Insecure storage
  • Directory traversal attack (Correct)
  • SQL injection attack

Answer : Directory traversal attack

Explanation (Chapter 8): Look for the keyword of the question, like directory in this one, on the actual exam. It will help you answer correctly. SQL injection involves injecting SQL commands via input data. Insecure storage involves a lack of control around stored data (credit card numbers). Cookie poisoning involves modifying information in cookies.

Bob arrives on the scene of a large corporation after an attack.  His analysis of the affected devices is considered:

Options are :

  • real-time analysis
  • pre-mortem analysis
  • live analysis
  • post-mortem analysis (Correct)

Answer : post-mortem analysis

Explanation (Chapter 7): This would be considered post-mortem analysis, since it is after the attack. Real-time analysis is when the incident is occurring and data is being obtained in real-time, so action can be taken. Live analysis would be similar to static analysis. Pre-mortem analysis is made up.

Network sniffing tools include all of the following EXCEPT:

Options are :

  • Windump
  • Wireshark
  • Capsa
  • EaseUS (Correct)

Answer : EaseUS

Explanation (Chapter 2 and Chapter 5): EaseUS is a data recovery tool and not a network sniffer.

Tasha arrives on scene and notices the suspect computer is still on.  She begins the data acquisition.  What best describes the type of data acquisition she is doing?

Options are :

  • live data acquisition (Correct)
  • warrantless data acquisition
  • volatile memory collection
  • static data acquisition

Answer : live data acquisition

Explanation (Chapter 4): Live data acquisition involves the computer being powered on. While it does consist of acquiring volatile data, the best answer here is live data acquisition.

Which is a file system for Linux OS?

Options are :

  • CDFS (Correct)
  • HFS
  • FAT
  • FAT32

Answer : CDFS

Explanation (Chapter 3): CD File System (CDFS) is used in the Linux operating system. HFS is for Mac OS. FAT and FAT32 are for Windows.

Which of the following is true regarding digital evidence?

Options are :

  • the investigator does not need a search warrant if they deem the investigation necessary
  • investigators should not worry about the integrity of evidence
  • a duplicate copy should be made for analysis (Correct)
  • investigators should only use the original for the investigation

Answer : a duplicate copy should be made for analysis

Explanation (Chapter 1): An investigator should always have a duplicate copy of the digital evidence and should use the duplicate for analysis.

The Microsoft Exchange archive data file that stores public folder hierarchies and contents is:

Options are :

  • PUB.EDB (Correct)

Answer : PUB.EDB

Explanation (Chapter 12): PUB.EDB is the Microsoft Exchange archive data file that stores public folder hierarchies and contents. PRIV.EDB contains the message headers. PUB.STM and PUB.EVTM are made up answers.

This type of event correlation extracts the attack route information to single out other attack data.

Options are :

  • Role-based
  • Bayesian
  • Time-based
  • Route (Correct)

Answer : Route

Explanation (Chapter 7): Route is correct. Bayesian correlation uses statistical analysis. Role and Time-based are the same thing and monitor computer and user behavior for anomalies.

In Ubuntu Linux, Apache error logs are stored at:

Options are :

  • /var/log/httpd/access_log
  • /var/log/apache2/error.log (Correct)
  • /var/log/httpd-error.log
  • /var/log/http/apache/error_log

Answer : /var/log/apache2/error.log

Explanation (Chapter 8): This is the correct path. The other paths are made up.

ETI allows the investigator to:

Options are :

  • drop criminal charges
  • treat all crime as a single criminal act
  • investigate petty criminals
  • take down an entire criminal organization (Correct)

Answer : take down an entire criminal organization

Explanation (Chapter 1): By using ETI, the investigator has a better chance of dismantling an entire criminal organization.

The TSK command used to display general details about a file system is:

Options are :

  • fsstat (Correct)
  • flsstat
  • istat
  • img_stat

Answer : fsstat

Explanation (Chapter 3): The fsstat command displays general details of a file system. istat is used to display details of a meta-data structure (inode). img_stat displays details of an image file. flsstat is a made up answer.

This is a sequence of bytes, organized into blocks understandable by the system's Linker.

Options are :

  • Object file (Correct)
  • Snort
  • Object oriented database
  • HDTV

Answer : Object file

Explanation (Note: not seen in the official EC-Council material, but it was reported being seen on the exam): Object file is correct. Snort is an IDS. HDTV and Object oriented database are made up.

This is a library and collection of command line tools for investigating disk images.

Options are :

  • TPS
  • TKS
  • TPF
  • TSK (Correct)

Answer : TSK

Explanation (Chapter 3): The Sleuth Kit (TSK) is a library and collection of command line tools for investigating disk images. TPS is the name for the reports in the movie Office Space. TKS and TPF are made up answers.

RAID 10 requires this number of drives to implement.

Options are :

  • 4 (Correct)
  • 5
  • 10
  • 9

Answer : 4

Explanation (Chapter 3): RAID 10 (RAID 1+0) requires at least four drives to implement. The other answer choices are made up.

MIME stream is found:

Options are :

  • PRIV.STM (Correct)

Answer : PRIV.STM

Explanation (Chapter 12): PRIV.STM is correct. PRIV.EDB contains the message headers. PUB.EDB stores public folder hierarchies. PRIB.STM is made up.

A first responder secures the scene perimeter.  This is:

Options are :

  • Post-investigation phase
  • Investigation phase
  • Securing the scene phase
  • Pre-investigation phase (Correct)

Answer : Pre-investigation phase

Explanation (Chapter 2): In the pre-investigation phase, the scene perimeter is secured. The Investigation phase is when the evidence is being collected and analyzed. There is not a phase named Securing the scene.

What determines the sector addressing for individual sectors on a disk?

Options are :

  • CEH
  • CHS (Correct)
  • DPC
  • HCS

Answer : CHS

Explanation (Chapter 3): Cylinders, Heads, and Sectors (CHS) determine the sector addressing for individual sectors on a disk. The other answers are incorrect, since they do not contain all of these.

Which of the following is not a benefit of cloud computing?

Options are :

  • availability
  • elasticity
  • scalability
  • less security risk (Correct)

Answer : less security risk

Explanation (Chapter 10): Cloud storage has a greater security risk, in most cases, since you are reliant upon the CSP (cloud service provider) to protect your data. Cloud computing DOES offer scalability, elasticity, and generally, greater availability.

Used for registry and not malware installation file analysis.

Options are :

  • SysAnalyzer
  • jv16 (Correct)
  • JPEG
  • GIF

Answer : jv16

Explanation (Chapter 11): jv16 is correct. SysAnalyzer IS USED for malware analysis and looks at the installation files. The other two answers are image file types.

This Android library is used to render 2D (SGL) or 3D (OpenGL/ES) graphics to the screen.

Options are :

  • Libc
  • FreeType
  • Open GL/ES and SGL (Correct)
  • DVM

Answer : Open GL/ES and SGL

Explanation (Chapter 13): Open GL/ES and SGL is correct. DVM (Dalvik Virtual Machine) is a type of JAVA virtual machine responsible for power and memory management. FreeType renders bitmap and vector fonts. Libc is a C system library tuned for embedded Linux-based devices. You will likely see Open GL/ES and SGL on the real exam.

This is the starting point of a database.

Options are :

  • ADF
  • LDF
  • NDF
  • MDF (Correct)

Answer : MDF

Explanation (Chapter 9): The MDF (primary data file) is the starting point of a database and points to all other files in the database.

Comment / Suggestion Section
Point our Mistakes and Post Your Suggestions