New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

ECCouncil 312-49v9 Computer Hacking Forensic Investigator (v9) Exam Practice Test

Demo: 88 questions
Total 589 questions

Computer Hacking Forensic Investigator (v9) Questions and Answers

Question 1

Depending upon the jurisdictional areas, different laws apply to different incidents. Which of the following law is related to fraud and related activity in connection with computers?

Options:

A.

18 USC §1029

B.

18 USC §1030

C.

18 USC §1361

D.

18 USC §1371

Question 2

Which of the following refers to the process of the witness being questioned by the attorney who called the latter to the stand?

Options:

A.

Witness Authentication

B.

Direct Examination

C.

Expert Witness

D.

Cross Questioning

Question 3

What type of analysis helps to identify the time and sequence of events in an investigation?

Options:

A.

Time-based

B.

Functional

C.

Relational

D.

Temporal

Question 4

Sectors are pie-shaped regions on a hard disk that store data. Which of the following parts of a hard disk do not contribute in determining the addresses of data?

Options:

A.

Sectors

B.

Interface

C.

Cylinder

D.

Heads

Question 5

When carrying out a forensics investigation, why should you never delete a partition on a dynamic disk?

Options:

A.

All virtual memory will be deleted

B.

The wrong partition may be set to active

C.

This action can corrupt the disk

D.

The computer will be set in a constant reboot state

Question 6

What technique used by Encase makes it virtually impossible to tamper with evidence once it has been acquired?

Options:

A.

Every byte of the file(s) is given an MD5 hash to match against a master file

B.

Every byte of the file(s) is verified using 32-bit CRC

C.

Every byte of the file(s) is copied to three different hard drives

D.

Every byte of the file(s) is encrypted using three different methods

Question 7

Why is it still possible to recover files that have been emptied from the Recycle Bin on a Windows computer?

Options:

A.

The data is still present until the original location of the file is used

B.

The data is moved to the Restore directory and is kept there indefinitely

C.

The data will reside in the L2 cache on a Windows computer until it is manually deleted

D.

It is not possible to recover data that has been emptied from the Recycle Bin

Question 8

When a user deletes a file or folder, the system stores complete path including the original filename is a special hidden file called “INFO2” in the Recycled folder. If the INFO2 file is deleted, it is recovered when you ______________________.

Options:

A.

Undo the last action performed on the system

B.

Reboot Windows

C.

Use a recovery tool to undelete the file

D.

Download the file from Microsoft website

Question 9

A small law firm located in the Midwest has possibly been breached by a computer hacker looking to obtain information on their clientele. The law firm does not have any on-site IT employees, but wants to search for evidence of the breach themselves to prevent any possible media attention. Why would this not be recommended?

Options:

A.

Searching for evidence themselves would not have any ill effects

B.

Searching could possibly crash the machine or device

C.

Searching creates cache files, which would hinder the investigation

D.

Searching can change date/time stamps

Question 10

Which tool does the investigator use to extract artifacts left by Google Drive on the system?

Options:

A.

PEBrowse Professional

B.

RegScanner

C.

RAM Capturer

D.

Dependency Walker

Question 11

Where are files temporarily written in Unix when printing?

Options:

A.

/usr/spool

B.

/var/print

C.

/spool

D.

/var/spool

Question 12

Which of the following is a database in which information about every file and directory on an NT File System (NTFS) volume is stored?

Options:

A.

Volume Boot Record

B.

Master Boot Record

C.

GUID Partition Table

D.

Master File Table

Question 13

Adam, a forensic investigator, is investigating an attack on Microsoft Exchange Server of a large organization. As the first step of the investigation, he examined the PRIV.EDB file and found the source from where the mail originated and the name of the file that disappeared upon execution. Now, he wants to examine the MIME stream content. Which of the following files is he going to examine?

Options:

A.

PRIV.STM

B.

gwcheck.db

C.

PRIV.EDB

D.

PUB.EDB

Question 14

What is the default IIS log location?

Options:

A.

SystemDrive\inetpub\LogFiles

B.

%SystemDrive%\inetpub\logs\LogFiles

C.

%SystemDrive\logs\LogFiles

D.

SystemDrive\logs\LogFiles

Question 15

Jacob is a computer forensics investigator with over 10 years experience in investigations and has written over 50 articles on computer forensics. He has been called upon as a qualified witness to testify the accuracy and integrity of the technical log files gathered in an investigation into computer fraud. What is the term used for Jacob testimony in this case?

Options:

A.

Justification

B.

Authentication

C.

Reiteration

D.

Certification

Question 16

The investigator wants to examine changes made to the system’s registry by the suspect program. Which of the following tool can help the investigator?

Options:

A.

TRIPWIRE

B.

RAM Capturer

C.

Regshot

D.

What’s Running

Question 17

Which of the following files gives information about the client sync sessions in Google Drive on Windows?

Options:

A.

sync_log.log

B.

Sync_log.log

C.

sync.log

D.

Sync.log

Question 18

Which of the following is NOT a part of pre-investigation phase?

Options:

A.

Building forensics workstation

B.

Gathering information about the incident

C.

Gathering evidence data

D.

Creating an investigation team

Question 19

What is one method of bypassing a system BIOS password?

Options:

A.

Removing the processor

B.

Removing the CMOS battery

C.

Remove all the system memory

D.

Login to Windows and disable the BIOS password

Question 20

You have been given the task to investigate web attacks on a Windows-based server. Which of the following commands will you use to look at the sessions the machine has opened with other systems?

Options:

A.

Net sessions

B.

Net config

C.

Net share

D.

Net use

Question 21

When operating systems mark a cluster as used but not allocated, the cluster is considered as _________

Options:

A.

Corrupt

B.

Bad

C.

Lost

D.

Unallocated

Question 22

When needing to search for a website that is no longer present on the Internet today but was online few years back, what site can be used to view the website collection of pages?

Options:

A.

Proxify.net

B.

Dnsstuff.com

C.

Samspade.org

D.

Archive.org

Question 23

Which among the following search warrants allows the first responder to get the victim’s computer information such as service records, billing records, and subscriber information from the service provider?

Options:

A.

Citizen Informant Search Warrant

B.

Electronic Storage Device Search Warrant

C.

John Doe Search Warrant

D.

Service Provider Search Warrant

Question 24

An investigator is searching through the firewall logs of a company and notices ICMP packets that are larger than 65,536 bytes. What type of activity is the investigator seeing?

Options:

A.

Smurf

B.

Ping of death

C.

Fraggle

D.

Nmap scan

Question 25

You have been called in to help with an investigation of an alleged network intrusion. After questioning the members of the company IT department, you search through the server log files to find any trace of the intrusion. After that you decide to telnet into one of the company routers to see if there is any evidence to be found. While connected to the router, you see some unusual activity and believe that the attackers are currently connected to that router. You start up an ethereal session to begin capturing traffic on the router that could be used in the investigation. At what layer of the OSI model are you monitoring while watching traffic to and from the router?

Options:

A.

Network

B.

Transport

C.

Data Link

D.

Session

Question 26

Amber, a black hat hacker, has embedded a malware into a small enticing advertisement and posted it on a popular ad-network that displays across various websites. What is she doing?

Options:

A.

Click-jacking

B.

Compromising a legitimate site

C.

Spearphishing

D.

Malvertising

Question 27

Files stored in the Recycle Bin in its physical location are renamed as Dxy.ext, where “x” represents the ___________________.

Options:

A.

Drive name

B.

Original file name’s extension

C.

Sequential number

D.

Original file name

Question 28

What is the location of the binary files required for the functioning of the OS in a Linux system?

Options:

A.

/run

B.

/bin

C.

/root

D.

/sbin

Question 29

Which of the following are small pieces of data sent from a website and stored on the user’s computer by the user’s web browser to track, validate, and maintain specific user information?

Options:

A.

Temporary Files

B.

Open files

C.

Cookies

D.

Web Browser Cache

Question 30

When making the preliminary investigations in a sexual harassment case, how many investigators are you recommended having?

Options:

A.

One

B.

Two

C.

Three

D.

Four

Question 31

Which of the following does not describe the type of data density on a hard disk?

Options:

A.

Volume density

B.

Track density

C.

Linear or recording density

D.

Areal density

Question 32

Which of the following statements is TRUE about SQL Server error logs?

Options:

A.

SQL Server error logs record all the events occurred on the SQL Server and its databases

B.

Forensic investigator uses SQL Server Profiler to view error log files

C.

Error logs contain IP address of SQL Server client connections

D.

Trace files record, user-defined events, and specific system events

Question 33

Which list contains the most recent actions performed by a Windows User?

Options:

A.

MRU

B.

Activity

C.

Recents

D.

Windows Error Log

Question 34

Which of the following is NOT an anti-forensics technique?

Options:

A.

Data Deduplication

B.

Password Protection

C.

Encryption

D.

Steganography

Question 35

Which of the following attack uses HTML tags like ?

Options:

A.

Phishing

B.

XSS attack

C.

SQL injection

D.

Spam

Question 36

An investigator has acquired packed software and needed to analyze it for the presence of malice. Which of the following tools can help in finding the packaging software used?

Options:

A.

SysAnalyzer

B.

PEiD

C.

Comodo Programs Manager

D.

Dependency Walker

Question 37

During forensics investigations, investigators tend to collect the system time at first and compare it with UTC. What does the abbreviation UTC stand for?

Options:

A.

Coordinated Universal Time

B.

Universal Computer Time

C.

Universal Time for Computers

D.

Correlated Universal Time

Question 38

What is cold boot (hard boot)?

Options:

A.

It is the process of restarting a computer that is already in sleep mode

B.

It is the process of shutting down a computer from a powered-on or on state

C.

It is the process of restarting a computer that is already turned on through the operating system

D.

It is the process of starting a computer from a powered-down or off state

Question 39

Which of the following registry hive gives the configuration information about which application was used to open various files on the system?

Options:

A.

HKEY_CLASSES_ROOT

B.

HKEY_CURRENT_CONFIG

C.

HKEY_LOCAL_MACHINE

D.

HKEY_USERS

Question 40

Identify the file system that uses $BitMap file to keep track of all used and unused clusters on a volume.

Options:

A.

NTFS

B.

FAT

C.

EXT

D.

FAT32

Question 41

A section of your forensics lab houses several electrical and electronic equipment. Which type of fire extinguisher you must install in this area to contain any fire incident?

Options:

A.

Class B

B.

Class D

C.

Class C

D.

Class A

Question 42

Chong-lee, a forensics executive, suspects that a malware is continuously making copies of files and folders on a victim system to consume the available disk space. What type of test would confirm his claim?

Options:

A.

File fingerprinting

B.

Identifying file obfuscation

C.

Static analysis

D.

Dynamic analysis

Question 43

What does the bytes 0x0B-0x53 represent in the boot sector of NTFS volume on Windows 2000?

Options:

A.

Jump instruction and the OEM ID

B.

BIOS Parameter Block (BPB) and the OEM ID

C.

BIOS Parameter Block (BPB) and the extended BPB

D.

Bootstrap code and the end of the sector marker

Question 44

For what purpose do the investigators use tools like iPhoneBrowser, iFunBox, OpenSSHSSH, and iMazing?

Options:

A.

Bypassing iPhone passcode

B.

Debugging iPhone

C.

Rooting iPhone

D.

Copying contents of iPhone

Question 45

Amelia has got an email from a well-reputed company stating in the subject line that she has won a prize money, whereas the email body says that she has to pay a certain amount for being eligible for the contest. Which of the following acts does the email breach?

Options:

A.

CAN-SPAM Act

B.

HIPAA

C.

GLBA

D.

SOX

Question 46

Data Files contain Multiple Data Pages, which are further divided into Page Header, Data Rows, and Offset Table. Which of the following is true for Data Rows?

Options:

A.

Data Rows store the actual data

B.

Data Rows present Page type. Page ID, and so on

C.

Data Rows point to the location of actual data

D.

Data Rows spreads data across multiple databases

Question 47

What malware analysis operation can the investigator perform using the jv16 tool?

Options:

A.

Files and Folder Monitor

B.

Installation Monitor

C.

Network Traffic Monitoring/Analysis

D.

Registry Analysis/Monitoring

Question 48

Which layer of iOS architecture should a forensics investigator evaluate to analyze services such as Threading, File Access, Preferences, Networking and high-level features?

Options:

A.

Core Services

B.

Media services

C.

Cocoa Touch

D.

Core OS

Question 49

UEFI is a specification that defines a software interface between an OS and platform firmware. Where does this interface store information about files present on a disk?

Options:

A.

BIOS-MBR

B.

GUID Partition Table (GPT)

C.

Master Boot Record (MBR)

D.

BIOS Parameter Block

Question 50

Which type of attack is possible when attackers know some credible information about the victim's password, such as the password length, algorithms involved, or the strings and characters used in its creation?

Options:

A.

Rule-Based Attack

B.

Brute-Forcing Attack

C.

Dictionary Attack

D.

Hybrid Password Guessing Attack

Question 51

Which among the following tools can help a forensic investigator to access the registry files during postmortem analysis?

Options:

A.

RegistryChangesView

B.

RegDIIView

C.

RegRipper

D.

ProDiscover

Question 52

companyXYZ has asked you to assess the security of their perimeter email gateway. From your office in New York you craft a specially formatted email message and send it across the Internet to an employee of CompanyXYZ. The employee of CompanyXYZ is aware.

Options:

A.

Source code review

B.

Reviewing the firewalls configuration

C.

Data items and vulnerability scanning

D.

Interviewing employees and network engineers

Question 53

What do you call the process in which an attacker uses magnetic field over the digital media device to delete any previously stored data?

Options:

A.

Disk deletion

B.

Disk cleaning

C.

Disk degaussing

D.

Disk magnetization

Question 54

Which of the following commands shows you the username and IP address used to access the system via a remote login session and the type of client from which they are accessing the system?

Options:

A.

Net config

B.

Net sessions

C.

Net share

D.

Net stat

Question 55

Where should the investigator look for the Edge browser’s browsing records, including history, cache, and cookies?

Options:

A.

ESE Database

B.

Virtual Memory

C.

Sparse files

D.

Slack Space

Question 56

The Recycle Bin exists as a metaphor for throwing files away, but it also allows a user to retrieve and restore files. Once the file is moved to the recycle bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle Bin?

Options:

A.

INFO2

B.

INFO1

C.

LOGINFO1

D.

LOGINFO2

Question 57

In Linux OS, different log files hold different information, which help the investigators to analyze various issues during a security incident. What information can the investigators obtain from the log file

var/log/dmesg?

Options:

A.

Kernel ring buffer information

B.

All mail server message logs

C.

Global system messages

D.

Debugging log messages

Question 58

What is the investigator trying to view by issuing the command displayed in the following screenshot?

Options:

A.

List of services stopped

B.

List of services closed recently

C.

List of services recently started

D.

List of services installed

Question 59

Which of the following Perl scripts will help an investigator to access the executable image of a process?

Options:

A.

Lspd.pl

B.

Lpsi.pl

C.

Lspm.pl

D.

Lspi.pl

Question 60

Which of the following is a device monitoring tool?

Options:

A.

Capsa

B.

Driver Detective

C.

Regshot

D.

RAM Capturer

Question 61

When using Windows acquisitions tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to:

Options:

A.

Automate Collection from image files

B.

Avoiding copying data from the boot partition

C.

Acquire data from host-protected area on a disk

D.

Prevent Contamination to the evidence drive

Question 62

When investigating a potential e-mail crime, what is your first step in the investigation?

Options:

A.

Trace the IP address to its origin

B.

Write a report

C.

Determine whether a crime was actually committed

D.

Recover the evidence

Question 63

In Linux, what is the smallest possible shellcode?

Options:

A.

24 bytes

B.

8 bytes

C.

800 bytes

D.

80 bytes

Question 64

The police believe that Melvin Matthew has been obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet Service Providers and Educational Institutions. They also suspect that he has been stealing, copying and misappropriating proprietary computer software belonging to the several victim companies. What is preventing the police from breaking down the suspects door and searching his home and seizing all of his computer equipment if they have not yet obtained a warrant?

Options:

A.

The Fourth Amendment

B.

The USA patriot Act

C.

The Good Samaritan Laws

D.

The Federal Rules of Evidence

Question 65

You are working as a Computer forensics investigator for a corporation on a computer abuse case. You discover evidence that shows the subject of your investigation is also embezzling money from the company. The company CEO and the corporate legal counsel advise you to contact law enforcement and provide them with the evidence that you have found. The law enforcement officer that responds requests that you put a network sniffer on your network and monitor all traffic to the subject’s computer. You inform the officer that you will not be able to comply with that request because doing so would:

Options:

A.

Violate your contract

B.

Cause network congestion

C.

Make you an agent of law enforcement

D.

Write information to the subject’s hard drive

Question 66

Printing under a Windows Computer normally requires which one of the following files types to be created?

Options:

A.

EME

B.

MEM

C.

EMF

D.

CME

Question 67

What information do you need to recover when searching a victim’s computer for a crime committed with specific e-mail message?

Options:

A.

Internet service provider information

B.

E-mail header

C.

Username and password

D.

Firewall log

Question 68

What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer?

Options:

A.

rootkit

B.

key escrow

C.

steganography

D.

Offset

Question 69

Kimberly is studying to be an IT security analyst at a vocational school in her town. The school offers many different programming as well as networking languages. What networking protocol language should she learn that routers utilize?

Options:

A.

ATM

B.

UDP

C.

BPG

D.

OSPF

Question 70

Why should you note all cable connections for a computer you want to seize as evidence?

Options:

A.

to know what outside connections existed

B.

in case other devices were connected

C.

to know what peripheral devices exist

D.

to know what hardware existed

Question 71

Jim performed a vulnerability analysis on his network and found no potential problems. He runs another utility that executes exploits against his system to verify the results of the vulnerability test.

The second utility executes five known exploits against his network in which the vulnerability analysis said were not exploitable. What kind of results did Jim receive from his vulnerability analysis?

Options:

A.

False negatives

B.

False positives

C.

True negatives

D.

True positives

Question 72

What TCP/UDP port does the toolkit program netstat use?

Options:

A.

Port 7

B.

Port 15

C.

Port 23

D.

Port 69

Question 73

You have completed a forensic investigation case. You would like to destroy the data contained in various disks at the forensics lab due to sensitivity of the case. How would you permanently erase the data on the hard disk?

Options:

A.

Throw the hard disk into the fire

B.

Run the powerful magnets over the hard disk

C.

Format the hard disk multiple times using a low level disk utility

D.

Overwrite the contents of the hard disk with Junk data

Question 74

You are called in to assist the police in an investigation involving a suspected drug dealer. The suspects house was searched by the police after a warrant was obtained and they located a floppy disk in the suspects bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you can use to obtain the password?

Options:

A.

Limited force and library attack

B.

Brute Force and dictionary Attack

C.

Maximum force and thesaurus Attack

D.

Minimum force and appendix Attack

Question 75

Which is a standard procedure to perform during all computer forensics investigations?

Options:

A.

with the hard drive removed from the suspect PC, check the date and time in the system's CMOS

B.

with the hard drive in the suspect PC, check the date and time in the File Allocation Table

C.

with the hard drive removed from the suspect PC, check the date and time in the system's RAM

D.

with the hard drive in the suspect PC, check the date and time in the system's CMOS

Question 76

James is testing the ability of his routers to withstand DoS attacks. James sends ICMP ECHO requests to the broadcast address of his network. What type of DoS attack is James testing against his network?

Options:

A.

Smurf

B.

Trinoo

C.

Fraggle

D.

SYN flood

Question 77

You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?

Options:

A.

allinurl:"exchange/logon.asp"

B.

intitle:"exchange server"

C.

locate:"logon page"

D.

outlook:"search"

Question 78

After passively scanning the network of Department of Defense (DoD), you switch over to active scanning to identify live hosts on their network. DoD is a large organization and should respond to any number of scans. You start an ICMP ping sweep by sending an IP packet to the broadcast address. Only five hosts respond to your ICMP pings; definitely not the number of hosts you were expecting. Why did this ping sweep only produce a few responses?

Options:

A.

Only IBM AS/400 will reply to this scan

B.

Only Windows systems will reply to this scan

C.

A switched network will not respond to packets sent to the broadcast address

D.

Only Unix and Unix-like systems will reply to this scan

Question 79

You should make at least how many bit-stream copies of a suspect drive?

Options:

A.

1

B.

2

C.

3

D.

4

Question 80

Harold wants to set up a firewall on his network but is not sure which one would be the most appropriate. He knows he needs to allow FTP traffic to one of the servers on his network, but he wants to only allow FTP-PUT. Which firewall would be most appropriate for Harold? needs?

Options:

A.

Circuit-level proxy firewall

B.

Packet filtering firewall

C.

Application-level proxy firewall

D.

Data link layer firewall

Question 81

What happens when a file is deleted by a Microsoft operating system using the FAT file system?

Options:

A.

only the reference to the file is removed from the FAT

B.

the file is erased and cannot be recovered

C.

a copy of the file is stored and the original file is erased

D.

the file is erased but can be recovered

Question 82

You work as a penetration tester for Hammond Security Consultants. You are currently working on a contract for the state government of California. Your next step is to initiate a DoS attack on their network. Why would you want to initiate a DoS attack on a system you are testing?

Options:

A.

Show outdated equipment so it can be replaced

B.

List weak points on their network

C.

Use attack as a launching point to penetrate deeper into the network

D.

Demonstrate that no system can be protected against DoS attacks

Question 83

What method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 sever the course of its lifetime?

Options:

A.

forensic duplication of hard drive

B.

analysis of volatile data

C.

comparison of MD5 checksums

D.

review of SIDs in the Registry

Question 84

Jessica works as systems administrator for a large electronics firm. She wants to scan her network quickly to detect live hosts by using ICMP ECHO Requests. What type of scan is Jessica going to perform?

Options:

A.

Tracert

B.

Smurf scan

C.

Ping trace

D.

ICMP ping sweep

Question 85

You are working in the security Department of law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken and that fake email is possibility and that you can prove it. You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the company SMTP server?

Options:

A.

10

B.

25

C.

110

D.

135

Question 86

You are working as an investigator for a corporation and you have just received instructions from your manager to assist in the collection of 15 hard drives that are part of an ongoing investigation.

Your job is to complete the required evidence custody forms to properly document each piece of evidence as it is collected by other members of your team. Your manager instructs you to complete one multi-evidence form for the entire case and a single-evidence form for each hard drive. How will these forms be stored to help preserve the chain of custody of the case?

Options:

A.

All forms should be placed in an approved secure container because they are now primary evidence in the case.

B.

The multi-evidence form should be placed in the report file and the single-evidence forms should be kept with each hard drive in an approved secure container.

C.

The multi-evidence form should be placed in an approved secure container with the hard drives and the single-evidence forms should be placed in the report file.

D.

All forms should be placed in the report file because they are now primary evidence in the case.

Question 87

Lance wants to place a honeypot on his network. Which of the following would be your recommendations?

Options:

A.

Use a system that has a dynamic addressing on the network

B.

Use a system that is not directly interacting with the router

C.

Use it on a system in an external DMZ in front of the firewall

D.

It doesn't matter as all replies are faked

Question 88

You are called by an author who is writing a book and he wants to know how long the copyright for his book will last after he has the book published?

Options:

A.

70 years

B.

the life of the author

C.

the life of the author plus 70 years

D.

copyrights last forever

Demo: 88 questions
Total 589 questions