
312-49 Online Practice Questions and Answers

Question 4

Which is a standard procedure to perform during all computer forensics investigations?

A. with the hard drive removed from the suspect PC, check the date and time in the system's CMOS

B. with the hard drive in the suspect PC, check the date and time in the File Allocation Table

C. with the hard drive removed from the suspect PC, check the date and time in the system's RAM

D. with the hard drive in the suspect PC, check the date and time in the system's CMOS

Question 5

Why should you note all cable connections for a computer you want to seize as evidence?

A. to know what outside connections existed

B. in case other devices were connected

C. to know what peripheral devices exist

D. to know what hardware existed

Question 6

You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents. Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer?

A. Stringsearch

B. grep

C. dir

D. vim

Question 7

Hackers can gain access to the Windows Registry and manipulate user passwords, DNS settings, access rights or other features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (key) under the following Registry key:

A. HKEY_LOCAL_MACHINE\hardware\windows\start

B. HKEY_LOCAL_USERS\Software\Microsoft\old\Version\Load

C. HKEY_CURRENT_USER\Microsoft\Default

D. HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run

Question 8

A packet is sent to a router that does not have the packet destination address in its route table. How will the packet get to its proper destination?

A. Root Internet servers

B. Border Gateway Protocol

C. Gateway of last resort

D. Reverse DNS

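The behaviour behind Question 8, as an added shell example that is not part of the exam material: a longest-prefix-match lookup over a constructed routing table. A destination that no specific prefix covers falls through to the 0.0.0.0/0 entry, the gateway of last resort; if that entry is absent, the router has nowhere to forward the packet. All prefixes, gateways and interface names below are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the exam material): routing-table lookup with a
# default route as the fallback. The table and addresses are constructed.
set -eu

# Constructed routing table: "prefix/len gateway interface" per line.
# 0.0.0.0 as the gateway means the prefix is directly connected.
ROUTES='10.0.0.0/8      10.1.0.1      eth1
10.20.0.0/16    10.20.0.254   eth2
192.168.1.0/24  0.0.0.0       eth0
0.0.0.0/0       192.168.1.1   eth0'

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_lookup DEST [TABLE]: pick the matching route with the longest prefix.
# Prints "prefix via gateway dev iface"; the /0 route is labelled as the
# gateway of last resort, and "no route to host" is printed if nothing matches.
route_lookup() {
    table=${2:-$ROUTES}
    dst=$(ip_to_int "$1")
    printf '%s\n' "$table" | {
        best_len=-1
        best=""
        while read -r prefix gw dev; do
            [ -n "$prefix" ] || continue
            net=${prefix%/*}
            len=${prefix#*/}
            if [ "$len" -eq 0 ]; then
                mask=0                       # /0 matches every destination
            else
                mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
            fi
            if [ $(( dst & mask )) -eq $(( $(ip_to_int "$net") & mask )) ] \
                && [ "$len" -gt "$best_len" ]; then
                best_len=$len
                best="$prefix via $gw dev $dev"
            fi
        done
        if [ "$best_len" -lt 0 ]; then
            echo "no route to host"
        elif [ "$best_len" -eq 0 ]; then
            echo "$best (gateway of last resort)"
        else
            echo "$best"
        fi
    }
}

# Stand-alone demo: two internal destinations, one directly connected,
# and one Internet address that only the default route can carry.
for d in 10.20.5.9 10.7.1.1 192.168.1.77 8.8.8.8; do
    printf '%-13s -> %s\n' "$d" "$(route_lookup "$d")"
done
```

The second argument lets you test a table without a default route; with it removed, 8.8.8.8 is reported as unreachable, which is the situation the question describes before a gateway of last resort is configured.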
Question 9

How many possible sequence number combinations are there in TCP/IP protocol?

A. 1 billion

B. 320 billion

C. 4 billion

D. 32 million

Question 10

A picture file is recovered from a computer under investigation. During the investigation process, the file is enlarged 500% to get a better view of its contents. The picture quality is not degraded at all by this process. What kind of picture is this file?

A. Raster image

B. Vector image

C. Metafile image

D. Catalog image

Question 11

What method of copying should always be performed first before carrying out an investigation?

A. Parity-bit copy

B. Bit-stream copy

C. MS-DOS disc copy

D. System level copy

Question 12

To check for POP3 traffic using Ethereal (the tool now known as Wireshark), what port should an investigator filter on?

A. 143

B. 25

C. 110

D. 125

Question 13

Smith, a network administrator with a large MNC, was the first to arrive at a suspected crime scene involving criminal use of compromised computers. What should be his first response while maintaining the integrity of evidence?

A. Record the system state by taking photographs of physical system and the display

B. Perform data acquisition without disturbing the state of the systems

C. Open the systems, remove the hard disk and secure it

D. Switch off the systems and carry them to the laboratory

Question 14

Which of the following statements is incorrect when preserving digital evidence?

A. Verify whether the monitor is on, off, or in sleep mode

B. Turn on the computer and extract Windows event viewer log files

C. Remove the plug from the power router or modem

D. Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals

Question 15

Raw data acquisition format creates _________ of a data set or suspect drive.

A. Segmented image files

B. Simple sequential flat files

C. Compressed image files

D. Segmented files

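Questions 6, 11 and 15 above all rest on one workflow: take a bit-stream copy before anything else, prove it matches the source, and then search the raw image directly. The following shell script is an added illustration and not part of the exam material. It fabricates a small "suspect drive" as an ordinary file, images it with dd in raw format (a single flat, uncompressed file of exactly the source's size), verifies the SHA-256 of source and image, and uses grep -a to locate a string in the image together with its byte offset. The file paths and the CLAIM-2024-0417 record are constructed sample data; on a real case the source would be a write-blocked block device.

```shell
#!/bin/sh
# Added example (not part of the exam material). A 1 MiB file stands in for
# the suspect drive; all paths and sample content are constructed.
set -eu

# Fabricate the "drive": zeros with one fake claim record at byte 524288.
make_suspect_drive() {
    head -c 1048576 /dev/zero > "$1"
    printf 'CLAIM-2024-0417 staged collision, payout approved' \
        | dd of="$1" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# Bit-stream copy in raw (dd) format: every sector is copied in order into one
# flat file, so slack space and unallocated areas come along with the files.
# bs=512 matches a sector; noerror,sync reads past bad sectors and pads them
# with zeros instead of silently shortening the image.
bit_stream_copy() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# SHA-256 of a file, using whichever tool the platform provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Acquisition verification: "ok" only when source and image hash identically.
verify_image() {
    if [ "$(hash_file "$1")" = "$(hash_file "$2")" ]; then
        echo ok
    else
        echo MISMATCH
    fi
}

# Size of the image in bytes (raw format: equal to the source, no headers).
image_size() {
    wc -c < "$1" | tr -d ' '
}

# Search the image as binary (-a), printing only each match (-o) with its
# byte offset (-b). offset / 512 gives the sector holding the hit.
search_image() {
    grep -a -o -b -E "$2" "$1" || true
}

# Stand-alone demo: build the drive, image it, verify, then search.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUSPECT="$WORK/suspect.raw"
IMAGE="$WORK/suspect.dd"
make_suspect_drive "$SUSPECT"
bit_stream_copy "$SUSPECT" "$IMAGE"
echo "verification: $(verify_image "$SUSPECT" "$IMAGE")"
echo "raw image is a flat file of $(image_size "$IMAGE") bytes"
search_image "$IMAGE" 'CLAIM-[0-9]{4}-[0-9]{4}'
```

The search prints 524288:CLAIM-2024-0417, the same offset the record was written to; in a real acquisition the hashes would be recorded alongside the image so that any later analysis can be shown to have run against an unaltered copy.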
Question 16

Which of the following processes is part of the dynamic malware analysis?

A. Process Monitoring

B. Malware disassembly

C. Searching for the strings

D. File fingerprinting

Question 17

NTFS sets a flag for the file once you encrypt it and creates an EFS attribute where it stores the Data Decryption Field (DDF) and the Data Recovery Field (DRF). Which of the following is not a part of the DDF?

A. Encrypted FEK

B. Checksum

C. EFS Certificate Hash

D. Container Name

Question 18

Which of the following network attacks refers to sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted so as to cause a denial-of-service attack?

A. Email spamming

B. Phishing

C. Email spoofing

D. Mail bombing

Exam Code: 312-49
Exam Name: ECCouncil Computer Hacking Forensic Investigator (V9)
Last Update: Apr 12, 2024
Questions: 531 Q&As