Computer Hacking Forensic Investigator (CHFI) Version 9 Test Practice

Paco needs to open an Android phone.  He should use:

Options are :

  • TowelRoot (Correct)
  • Redsn0w
  • Pangu Jail Break
  • GeekSn0w

Answer : TowelRoot

Explanation (Chapter 13): Any jailbreak tool with "Root" in it should mean Android on your exam. The other choices are all used for iOS.

CAN-SPAM requires senders to honor opt-out requests within:

Options are :

  • 3 months
  • 10 business days (Correct)
  • 6 months
  • 30 business days

Answer : 10 business days

Explanation (Chapter 12): The CAN-SPAM Act requires opt-out requests to be honored within 10 business days. The other choices are incorrect because they do not meet this criterion.

James enjoys this tool that offers thumbnail previews.

Options are :

  • Revuca Preview Mode
  • Xplico
  • Stellar Phoenix
  • DiskDigger (Correct)

Answer : DiskDigger

Explanation (Chapter 5): DiskDigger offers thumbnail previews of recovered files. None of the other options offer thumbnail previews, so they are incorrect.

PUB.EDB:
Options are :

  • stores public folder hierarchies and contents (Correct)
  • publishes email message content
  • contains message headers and message text
  • streams Internet content files, like video and audio

Answer : stores public folder hierarchies and contents

Explanation (Chapter 12): PUB.EDB is a database file that stores public folder hierarchies. PRIV.EDB contains the message headers, text, and standard attachments. PRIV.STM contains streaming MIME content (video, audio, etc.).

This tool can recover deleted files emptied from the Recycle Bin, or lost because of the formatting/corruption of a hard drive, virus or Trojan infection, and unexpected system shutdowns.

Options are :

  • File Salvage
  • DiskDigger
  • Recover My Files (Correct)
  • Recuva

Answer : Recover My Files

Explanation (Chapter 2): Recover My Files is correct. File Salvage is a Mac tool. DiskDigger recovers from hard drives, memory cards, and USB drives. Recuva offers the Advanced Deep Scan.

Rob wants to discover potential hidden information in an image file.  He would use this to see it.

Options are :

  • Steganalysis (Correct)
  • Stegographic
  • Stegasorous
  • Steganography

Answer : Steganalysis

Explanation (Chapter 5): Steganalysis is the process of discovering the existence of hidden information within a cover medium (e.g., an image file). Steganography is the practice of hiding information. The other answers are not applicable to forensics.

This type of attack is a combination of both a brute force attack and dictionary attack.

Options are :

  • dictionary
  • rule-based
  • hybrid
  • syllable (Correct)

Answer : syllable

Explanation (Chapter 5): A syllable attack is a combination of the brute force and dictionary attacks. The hybrid attack is based on the dictionary and brute force attacks. Rule-based is based on knowing something, like a birthday. Dictionary would not be a combination of itself and a brute force attack.

A 32-bit number placed on the chip by the manufacturer is called:

Options are :

  • ESN (Correct)
  • IMEI
  • IMSI

Answer : ESN

Explanation (Chapter 13): The electronic serial number (ESN) is a 32-bit number placed on the chip by the manufacturer. The IMEI is a 15-digit number that identifies the mobile equipment. The IMSI is a 15-digit number that identifies the subscriber in the wireless world. The ICCID is a 19- or 20-digit number printed on the SIM that identifies the SIM internationally.

The General Query Log file is for:

Options are :

  • VFS
  • BIOS
  • MySQL (Correct)
  • Kernel

Answer : MySQL

Explanation (Chapter 9): MySQL is correct. The General Query Log contains the server start and stop. VFS is the virtual file system. BIOS and Kernel are also incorrect.

Show active network connections with this:

Options are :

  • Tripwire
  • nbtstat
  • 503 connector
  • netstat (Correct)

Answer : netstat

Explanation (Chapter 6): netstat is correct. nbtstat is for NetBIOS. Tripwire is for file integrity. 503 connector is made up.

Lenny needs to reset an Administrator password in order to access a device during an investigation.  He knows that this tool can be used (choose the BEST answer).

Options are :

  • Disk Drill
  • Cain & Abel
  • Stego77
  • Active@ Password changer (Correct)

Answer : Active@ Password changer

Explanation (Chapter 5): While Cain & Abel can be used to crack passwords, the best option here is to use Active@ Password changer. Disk Drill is used for file recovery. Stego77 is made up.

Object Linking and Embedding is not used by:

Options are :

  • PDF (Correct)
  • Word
  • Excel
  • Office products

Answer : PDF

Explanation (Chapter 3): OLE (Object Linking and Embedding) is not used in PDF, but is used in Microsoft Office applications, specifically Word and Excel.

A file system used by Sun Microsystems is:

Options are :

  • EXT
  • SMFS
  • UFS
  • ZFS (Correct)

Answer : ZFS

Explanation (Chapter 3): ZFS is a file system used by Sun and offers a high storage capacity, compression, and volume management. UFS is the UNIX file system. EXT is a Linux file system. SMFS is made up.

This is used to render 2D (SGL) or 3D graphics to the screen.

Options are :

  • OpenGL/ES and SGL (Correct)
  • FreeType
  • WebKit
  • Libc

Answer : OpenGL/ES and SGL

Explanation (Chapter 13): All of these are Android libraries. OpenGL/ES and SGL is the correct answer. WebKit is the browser engine used to display web pages. FreeType renders bitmap and vector fonts. Libc is a C system library tuned for embedded Linux-based devices.

The Superblock in UFS has:

Options are :

  • non-magic number
  • seven triangles
  • size and shape of EXT2
  • magic number (Correct)

Answer : magic number

Explanation (Chapter 3): Magic number is correct. The Superblock in Linux EXT2 stores information about the size and shape of EXT2. "Seven triangles" and "non-magic number" are made up.

This is one of the Disk Editor tools for file headers:

Options are :

  • DFF File Retriever
  • DiskEdit (Correct)
  • Disk Editor
  • Windows Hex Editor

Answer : DiskEdit

Explanation (Chapter 3): DiskEdit is one of the Disk Editor tools for file headers. The other answers are made up.

Misuse of a work computer generally can lead to this type of investigation.

Options are :

  • Criminal
  • Criminal and Civil
  • Civil
  • Administrative (Correct)

Answer : Administrative

Explanation (Chapter 1): An employee misusing a work computer (e.g., checking Facebook when it is against company policy) generally leads to an Administrative investigation. It could also lead to Civil and Criminal investigations, but the best answer, according to the ECC text, is Administrative.

An investigator needs to jailbreak an iOS phone.

Options are :

  • RedSn0w (Correct)
  • Winter_Time 3000
  • King_Root
  • Yellow_Root

Answer : RedSn0w

Explanation (Chapter 13): RedSn0w is used to jailbreak iOS devices. One trick for your exam: anything with "root" in the name is usually for Android. That being said, the other answers in this question are made up.

This rule covers evidence of character and the conduct of the witness.

Options are :

  • Rule 184
  • Rule 699
  • Rule 608 (Correct)
  • Rule 1018

Answer : Rule 608

Explanation (Chapter 2): Rule 608 is correct. The other rules listed here are made up.

An attacker is using every possible combination of characters to crack a password.  This method is known as:

Options are :

  • hybrid attack
  • brute force (Correct)
  • abley cain attack
  • rainbow attack

Answer : brute force

Explanation (Chapter 5): This is known as a brute force attack. Hybrid is a combination of brute force and dictionary attacks. Abley cain is not a real tool. Rainbow attacks use rainbow tables.

The standard for scientific testimony is:

Options are :

  • Frye (Correct)
  • Daubert
  • Willie
  • 00AB Standard

Answer : Frye

Explanation (Chapter 14): Frye is the standard for scientific testimony. Daubert covers Expert Witness testimony. Know these for your exam. The other answers are made up.

A hacker sets up an AP to mimic the local Starbucks AP.  What is this?

Options are :

  • Honeyspot (Correct)
  • Honeypot
  • Honeycomb
  • Starbuck's spot

Answer : Honeyspot

Explanation (Chapter 7): Honeyspot is correct. A Honeypot is a computer set up with fake resources to capture the behavior of attackers, so potential attacks can be mitigated. Honeycomb is something you eat and Starbuck's spot is made up.

The file system that ships with many Linux distributions is:

Options are :

  • EXT3
  • EXT44
  • EXT
  • EXT2 (Correct)

Answer : EXT2

Explanation (Chapter 3): EXT2 is the most popular of the Linux file systems and is found in most distributions. EXT3 offers journaling. EXT was the first Linux file system. EXT44 is made up.

Windows Event Log text file output format is:

Options are :

  • .DOC
  • EVTX (Correct)
  • XVTX
  • A.TXT

Answer : EVTX

Explanation (Chapter 9): EVTX is the correct format. .DOC is a document file format. The other options are made up answers.

The max single file size in EXT3 is:

Options are :

  • 2GB
  • 20TB
  • 1EiB
  • 2TB (Correct)

Answer : 2TB

Explanation (Chapter 3): The question asks for the max single file size, not the max file system size. Pay attention to the verbiage in questions on the actual exam.

Tools designated as software tools include all of the following EXCEPT:

Options are :

  • TULP2G
  • Scalpel
  • Phone Image Carver
  • Paraben's Phone Recovery Stick (Correct)

Answer : Paraben's Phone Recovery Stick

Explanation (Chapter 13): Paraben's Phone Recovery Stick is considered a hardware tool.

This carries out data duplication AND acquisition:

Options are :

  • Recuva
  • File Salvage
  • Drivespy (Correct)
  • EaseUS

Answer : Drivespy

Explanation (Chapter 4): Drivespy is correct. The other answers are tools for file recovery.

The Daubert standard pertains to:

Options are :

  • Legal proceedings
  • scientific testimony
  • expert witness testimony (Correct)
  • admissibility of evidence

Answer : expert witness testimony

Explanation (Chapter 14): Daubert pertains to expert witness testimony and Frye pertains to scientific evidence. The other answers are not applicable to testimony of witnesses.

An e-Commerce business with $500,000 in annual revenue found that last night, for about 4 hours, its customers were unable to access the website for shopping.  What type of attack did it most likely experience?

Options are :

  • DTC
  • XSS
  • SQL
  • DDoS (Correct)

Answer : DDoS

Explanation (Chapter 8): From the description, this is most likely a denial of service type attack. Since DDoS is the only denial of service attack listed, this is the correct answer.

A report, presented orally, to a board of directors, jury, or managers would be called:

Options are :

  • informal verbal report
  • informal written report
  • formal verbal report (Correct)
  • formal written report

Answer : formal verbal report

Explanation (Chapter 14): A formal verbal report is given orally to the board, a jury, or managers.

All of the following can be used to determine logged on users EXCEPT

Options are :

  • LogonSessions
  • LogonUsers (Correct)
  • net sessions
  • PsLoggedOn

Answer : LogonUsers

Explanation (Chapter 6): LogonUsers is not used to determine logged on users. The other commands are all valid ways to determine logged on users.

This is a tool used for monitoring log files, produced by UNIX syslog facility.

Options are :

  • Logcheck
  • Watch
  • RegEdit
  • Swatch (Correct)

Answer : Swatch

Explanation (Chapter 7): Swatch is correct. Logcheck allows system administrators to view log files produced by hosts under their control. RegEdit is the registry editor for Windows. Watch is a made up answer.

In exhibit numbering, the zz is for:

Options are :

  • number of exhibits in sequence
  • sequence number of parts of the same exhibit (Correct)
  • year of collection
  • investigator initials

Answer : sequence number of parts of the same exhibit

Explanation (Chapter 2): The "zz" refers to the sequence number for parts of the same exhibit. aaa is for the investigator's initials. The date of the seizure is in day, month, year (dd/mm/yy) format. The number of exhibits is nnnn.

This is used to perform a Quick Analysis of a crash dump file.

Options are :

  • RegEdit
  • MBR
  • NBC 3000
  • DumpChk (Correct)

Answer : DumpChk

Explanation (Chapter 6): DumpChk is correct. RegEdit is the registry editor. MBR is the Master Boot Record and this is not a tool. NBC 3000 is made up.

This type of event correlation stores sets of events in codes.

Options are :

  • Open-Port based
  • Codebook-based (Correct)
  • Standards-based
  • Bayesian correlation

Answer : Codebook-based

Explanation (Chapter 7): Codebook-based is correct. Bayesian correlation uses statistics. Open-port based determines the risk of attack by evaluating a list of open ports. Standards-based is a made up answer.

Stacey wants to obtain data from social media websites.  Which tool can she NOT use for this?

Options are :

  • twecoll
  • Netvizz
  • Geo360
  • Disk Digger (Correct)

Answer : Disk Digger

Explanation (Chapter 2): Disk Digger is not a tool used for obtaining data from social media websites.

The img_stat command:

Options are :

  • displays metadata
  • displays details of an image file (Correct)
  • displays general details of a file system
  • lists file and directory names in an image

Answer : displays details of an image file

Explanation (Chapter 3): The img_stat command of TSK (The Sleuth Kit) displays details of an image file. General details of a file system are displayed with the fsstat command. istat displays metadata. fls lists file and directory names in a disk image.

This can be used for last access time changes in Windows 10.

Options are :

  • latc
  • t_change
  • win_10.exe
  • fsutil (Correct)

Answer : fsutil

Explanation (Chapter 6): fsutil is the correct answer. The other provided answers are made up.

Deleted files are found here in Windows 7 and later.

Options are :

  • C:\Recycler
  • C:\$Recycle.Bin (Correct)
  • C:\Recycled
  • C:\Recycle.Bin$

Answer : C:\$Recycle.Bin

Explanation (Chapter 5): Deleted files are found in C:\$Recycle.Bin in Windows 7 and later. C:\Recycler is used for Windows 2000 and XP. C:\Recycled is for Windows 98 and earlier. C:\Recycle.Bin$ is not a valid path/format.

This requires Federal agencies to develop, document, and implement information security programs.

Options are :

  • GLBA
  • FISMA (Correct)
  • SOX

Answer : FISMA

Explanation (Chapter 7): The Federal Information Security Management Act (FISMA) requires Federal agencies to develop, document, and implement information security programs. HIPAA is for healthcare. GLBA requires financial institutions to protect their customers' information against security threats. SOX is to protect investors from fraudulent accounting.

This file is found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.

Options are :

  • passware file
  • page file (Correct)
  • handle file
  • slack file

Answer : page file

Explanation (Chapter 6): The page file is found at this location. There is not a "slack file," but rather it is the slack space (wasted area between the end of a file and cluster). Passware and handle files are made up.

This tool can be used to restore emails.

Options are :

  • File Salvage
  • EaseUS
  • Data Recovery Pro (Correct)

Answer : Data Recovery Pro

Explanation (Chapter 5): Data Recovery Pro can be used to restore emails. EaseUS offers precise searching. File Salvage is used to recover files on a Mac. FSSTAT is made up.

The collection of the system time is the ____ step in investigating an incident.

Options are :

  • 3rd
  • 2nd
  • 1st (Correct)
  • 4th

Answer : 1st

Explanation (Chapter 6): The collection of the system time is the first step in investigating an incident. Performing this step later could lead to evidence being corrupted.

Poor controls around passwords and accounts in general would be considered this type of Web application threat.

Options are :

  • CSRF
  • SQL injection
  • Broken account management (Correct)
  • XSS

Answer : Broken account management

Explanation (Chapter 8): Broken account management would involve poor controls around passwords and accounts in general. The other attacks do not involve poor control around passwords and accounts.

The dd command dd if=/dev/xxx of=mbr.backup bs=512 count=1 can be used to:

Options are :

  • backup the MBR (Correct)
  • do double duty
  • complete the Dugle Davis report
  • backup the MRB

Answer : backup the MBR

Explanation (Chapter 3): This command can be used to back up the Master Boot Record (MBR). The other answers are made up.

$Bitmap is in:

Options are :

  • LILO
  • FAT
  • NTFS (Correct)
  • EXT2

Answer : NTFS

Explanation (Chapter 3): NTFS is correct. LILO is one of the Linux bootloaders. EXT2 is a Linux file system. FAT and also FAT32 would not be correct, since NTFS contains $Bitmap, which is used to keep track of used and unused clusters.

UTC stands for which of the following:

Options are :

  • Universal Computer Time
  • Computer Universal Time
  • Coordinated Universal Time (Correct)
  • Universal Computing Time

Answer : Coordinated Universal Time

Explanation (Chapter 6): UTC stands for Coordinated Universal Time. The other answer choices are made up.
