312-49V8 ECCouncil Computer Hacking Forensic Investigator Set 1

You can interact with the Registry through intermediate programs. Graphical user interface (GUI)
Registry editors such as Regedit.exe or Regedt32.exe are commonly used as intermediate
programs in Windows 7. Which of the following is a root folder of the registry editor?


Options are :

  • HKEY_LOCAL_ADMIN
  • HKEY_CLASSES_SYSTEM
  • HKEY_USERS (Correct)
  • HKEY_CLASSES_ADMIN

Answer : HKEY_USERS

Attackers can manipulate variables that reference files with "dot-dot-slash (../)" sequences and
their variations such as http://www.juggyboy.com/GET/process.php./../../../../../../../../etc/passwd.
Identify the attack referred to.


Options are :

  • File injection
  • SQL Injection
  • Directory traversal (Correct)
  • XSS attack

Answer : Directory traversal

First response to an incident may involve three different groups of people, and each will have
differing skills and need to carry out differing tasks based on the incident. Who is responsible for
collecting, preserving, and packaging electronic evidence?


Options are :

  • Local managers or other non-forensic staff
  • System administrators
  • Lawyers
  • Forensic laboratory staff (Correct)

Answer : Forensic laboratory staff

Data files from original evidence should be used for forensic analysis


Options are :

  • False (Correct)
  • True

Answer : False

Who is responsible for the following tasks?
Secure the scene and ensure that it is maintained in a secure state until the Forensic Team
advises
Make notes about the scene that will eventually be handed over to the Forensic Team


Options are :

  • Lawyers
  • Local managers or other non-forensic staff
  • System administrators
  • Non-Laboratory Staff (Correct)

Answer : Non-Laboratory Staff

Email archiving is a systematic approach to save and protect the data contained in emails so that
it can be accessed fast at a later date. There are two main archive types, namely Local Archive
and Server Storage Archive. Which of the following statements is correct while dealing with local
archives?


Options are :

  • Local archives should be stored together with the server storage archives in order to be admissible in a court of law
  • It is difficult to deal with the webmail as there is no offline archive in most cases. So consult your counsel on the case as to the best way to approach and gain access to the required data on servers (Correct)
  • Server storage archives are the server information and settings stored on a local system whereas the local archives are the local email client information stored on the mail server
  • Local archives do not have evidentiary value as the email client may alter the message data

Answer : It is difficult to deal with the webmail as there is no offline archive in most cases. So consult your counsel on the case as to the best way to approach and gain access to the required data on servers

Which table is used to convert huge word lists (i.e. dictionary files and brute-force lists) into
password hashes?


Options are :

  • Database tables
  • Master file tables
  • Rainbow tables (Correct)
  • Hash tables

Answer : Rainbow tables

TCP/IP (Transmission Control Protocol/Internet Protocol) is a communication protocol used to
connect different hosts on the Internet. It contains four layers, namely the network interface layer,
Internet layer, transport layer, and application layer.
Which of the following protocols works under the transport layer of TCP/IP?


Options are :

  • UDP (Correct)
  • FTP
  • SNMP
  • HTTP

Answer : UDP

Which of the following commands shows you the names of all open shared files on a server and
the number of file locks on each file?


Options are :

  • Net share
  • Net sessions
  • Net file (Correct)
  • Netconfig

Answer : Net file

What is the First Step required in preparing a computer for forensics investigation?


Options are :

  • Secure any relevant media
  • Identify the type of data you are seeking, the information you are looking for, and the urgency level of the examination
  • Do not turn the computer off or on, run any programs, or attempt to access data on a computer (Correct)
  • Suspend automated document destruction and recycling policies that may pertain to any relevant media or users at issue

Answer : Do not turn the computer off or on, run any programs, or attempt to access data on a computer

File deletion is a way of removing a file from a computer's file system. What happens when a file is
deleted in Windows 7?


Options are :

  • The computer looks at the clusters occupied by that file and does not make that space available to store a new file
  • The last letter of a file name is replaced by a hex byte code E5h
  • Corresponding clusters in FAT are marked as used
  • The operating system marks the file's name in the MFT with a special character that indicates that the file has been deleted (Correct)

Answer : The operating system marks the file's name in the MFT with a special character that indicates that the file has been deleted

Which of the following would you consider an aspect of organizational security, especially focusing
on IT security?


Options are :

  • Security from frauds
  • Biometric information security
  • Information copyright security
  • Application security (Correct)

Answer : Application security

The tasklist command displays a list of applications and services with their Process ID (PID) for all
tasks running on either a local or a remote computer.
Which of the following tasklist commands provides information about the listed processes,
including the image name, PID, name, and number of the session for the process?


Options are :

  • tasklist/v (Correct)
  • tasklist/p
  • tasklist/s
  • tasklist/u

Answer : tasklist/v

When dealing with the powered-off computers at the crime scene, if the computer is switched off,
turn it on


Options are :

  • True
  • False (Correct)

Answer : False

FAT32 is a 32-bit version of FAT file system using smaller clusters and results in efficient storage
capacity. What is the maximum drive size supported?


Options are :

  • 1 terabytes
  • 2 terabytes (Correct)
  • 3 terabytes
  • 4 terabytes

Answer : 2 terabytes

Which is a Linux journaling file system?


Options are :

  • HFS
  • BFS
  • FAT
  • Ext3 (Correct)

Answer : Ext3

The Recycle Bin exists as a metaphor for throwing files away, but it also allows the user to retrieve
and restore files. Once a file is moved to the Recycle Bin, a record is added to the log file that
exists in the Recycle Bin.
Which of the following files contains records that correspond to each deleted file in the Recycle
Bin?


Options are :

  • LOGINFO2 file
  • LOGINFO1 file
  • INFO1 file
  • INFO2 file (Correct)

Answer : INFO2 file

Email archiving is a systematic approach to save and protect the data contained in emails so that
it can be easily accessed at a later date.


Options are :

  • False
  • True (Correct)

Answer : True

Which of the following commands shows you all of the network services running on Windows-based
servers?


Options are :

  • Net use
  • Net share
  • Net start (Correct)
  • Net Session

Answer : Net start

WPA2 provides enterprise and Wi-Fi users with stronger data protection and network access
control. Which of the following encryption algorithms is used by WPA2?


Options are :

  • AES-TKIP
  • RC4-CCMP
  • AES-CCMP (Correct)
  • RC4-TKIP

Answer : AES-CCMP

Which of the following statements is incorrect when preserving digital evidence?


Options are :

  • Remove the power cable depending on the power state of the computer, i.e., in on, off, or in sleep mode
  • Turn on the computer and extract Windows event viewer log files (Correct)
  • Verify if the monitor is in on, off, or in sleep mode
  • Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals

Answer : Turn on the computer and extract Windows event viewer log files

The disk in the disk drive rotates at high speed, and heads in the disk drive are used only to read
data.


Options are :

  • False (Correct)
  • True

Answer : False

The status of the network interface cards (NICs) connected to a system gives information about
whether the system is connected to a wireless access point and what IP address is being used.

Which command displays the network configuration of the NICs on the system?


Options are :

  • tasklist
  • net session
  • ipconfig /all (Correct)
  • netstat

Answer : ipconfig /all

What is a bit-stream copy?


Options are :

  • A bit-stream image is the file that contains the FAT32 files and folders of all the data on a disk or partition
  • Creating a bit-stream image transfers only non-deleted files from the original disk to the image disk
  • Bit-Stream Copy is a bit-by-bit copy of the original storage medium and exact copy of the original disk (Correct)
  • A bit-stream image is the file that contains the NTFS files and folders of all the data on a disk or partition

Answer : Bit-Stream Copy is a bit-by-bit copy of the original storage medium and exact copy of the original disk

Network forensics allows investigators to inspect network traffic and logs to identify and locate the
attacking system.
Network forensics can reveal: (Select three answers)

A. Source of security incidents and network attacks
B. Path of the attack
C. Intrusion techniques used by attackers
D. Hardware configuration of the attacker's system


Options are :

  • A,B,C (Correct)
  • A,C,D
  • B,C,D
  • D,A,C

Answer : A,B,C

Wireless access control attacks aim to penetrate a network by evading WLAN access control
measures, such as AP MAC filters and Wi-Fi port access controls.
Which of the following wireless access control attacks allows the attacker to set up a rogue access
point outside the corporate perimeter, and then lure the employees of the organization to connect
to it?


Options are :

  • MAC spoofing
  • Client mis-association (Correct)
  • War driving
  • Rogue access points

Answer : Client mis-association

When a file or folder is deleted, the complete path, including the original file name, is stored in a
special hidden file called "INFO2" in the Recycled folder. If the INFO2 file is deleted, it is re-created
when you ___________.


Options are :

  • Kill the running processes in Windows task manager
  • Run the anti-spyware tool on the system
  • Run the antivirus tool on the system
  • Restart Windows (Correct)

Answer : Restart Windows

Which of the following steganography types hides the secret message in a specifically designed
pattern on the document that is unclear to the average reader?


Options are :

  • Visual semagrams steganography
  • Technical steganography
  • Open code steganography (Correct)
  • Text semagrams steganography

Answer : Open code steganography

MAC filtering is a security access control methodology, where a ___________ is assigned to each
network card to determine access to the network.


Options are :

  • 48-bit address (Correct)
  • 16-bit address
  • 32-bit address
  • 24-bit address

Answer : 48-bit address

Which of the following statements does not support the case assessment?


Options are :

  • Review the case investigator's request for service
  • Identify the legal authority for the forensic examination request
  • Do not document the chain of custody (Correct)
  • Discuss whether other forensic processes need to be performed on the evidence

Answer : Do not document the chain of custody
