312-49v9 ECCouncil Computer Hacking Forensic Investigator (V9) Questions and Answers

Where is the startup configuration located on a router?

How will you categorize a cybercrime that took place within a CSP’s cloud environment?

Netstat is a tool for collecting information regarding network connections. It provides a simple view of TCP and UDP connections, and their state and network traffic statistics. Which of the following commands shows you the TCP and UDP network connections, listening ports, and the identifiers?

Which forensic investigating concept trails the whole incident from how the attack began to how the victim was affected?

Who is responsible for the following tasks?

When a router receives an update for its routing table, what is the metric value change to that path?

The process of restarting a computer that is already turned on through the operating system is called?

In handling computer-related incidents, which IT role should be responsible for recovery, containment, and prevention to constituents?

John is working as a computer forensics investigator for a consulting firm in Canada. He is called to seize a computer at a local web caf purportedly used as a botnet server. John thoroughly scans the computer and finds nothing that would lead him to think the computer was a botnet server. John decides to scan the virtual memory of the computer to possibly find something he had missed. What information will the virtual memory scan produce?

What is the CIDR from the following screenshot?

What type of analysis helps to identify the time and sequence of events in an investigation?

Madison is on trial for allegedly breaking into her university internal network. The police raided her dorm room and seized all of her computer equipment. Madison lawyer is trying to convince the judge that the seizure was unfounded and baseless. Under which US Amendment is Madison lawyer trying to prove the police violated?

What does 254 represent in ICCID 89254021520014515744?

In Steganalysis, which of the following describes a Known-stego attack?

Julie is a college student majoring in Information Systems and Computer Science. She is currently writing an essay for her computer crimes class. Julie paper focuses on white-collar crimes in America and how forensics investigators investigate the cases. Julie would like to focus the subject. Julie would like to focus the subject of the essay on the most common type of crime found in corporate America. What crime should Julie focus on?

In a virtual test environment, Michael is testing the strength and security of BGP using multiple routers to mimic the backbone of the Internet. This project will help him write his doctoral thesis on "bringing down the Internet". Without sniffing the traffic between the routers, Michael sends millions of RESET packets to the routers in an attempt to shut one or all of them down. After a few hours, one of the routers finally shuts itself down. What will the other routers communicate between themselves?

Which of the following tasks DOES NOT come under the investigation phase of a cybercrime forensics investigation case?

When should an MD5 hash check be performed when processing evidence?

When making the preliminary investigations in a sexual harassment case, how many investigators are you recommended having?

Madison is on trial for allegedly breaking into her university’s internal network. The police raided her dorm room and seized all of her computer equipment. Madison’s lawyer is trying to convince the judge that the seizure was unfounded and baseless. Under which US Amendment is Madison’s lawyer trying to prove the police violated?

NTFS has reduced slack space than FAT, thus having lesser potential to hide data in the slack space. This is because:

When investigating a wireless attack, what information can be obtained from the DHCP logs?

An on-site incident response team is called to investigate an alleged case of computer tampering within their company. Before proceeding with the investigation, the CEO informs them that the incident will be classified as low level. How long will the team have to respond to the incident?

What must an investigator do before disconnecting an iPod from any type of computer?

Which tool does the investigator use to extract artifacts left by Google Drive on the system?

An Expert witness give an opinion if:

Paul's company is in the process of undergoing a complete security audit including logical and physical security testing. After all logical tests were performed; it is now time for the physical round to begin. None of the employees are made aware of this round of testing. The security-auditing firm sends in a technician dressed as an electrician. He waits outside in the lobby for some employees to get to work and follows behind them when they access the restricted areas. After entering the main office, he is able to get into the server room telling the IT manager that there is a problem with the outlets in that room. What type of attack has the technician performed?

George is the network administrator of a large Internet company on the west coast. Per corporate policy, none of the employees in the company are allowed to use FTP or SFTP programs without obtaining approval from the IT department. Few managers are using SFTP program on their computers. Before talking to his boss, George wants to have some proof of their activity. George wants to use Ethereal to monitor network traffic, but only SFTP traffic to and from his network.

What filter should George use in Ethereal?

Corporate investigations are typically easier than public investigations because:

Meyer Electronics Systems just recently had a number of laptops stolen out of their office. On these laptops contained sensitive corporate information regarding patents and company strategies. A month after the laptops were stolen, a competing company was found to have just developed products that almost exactly duplicated products that Meyer produces. What could have prevented this information from being stolen from the laptops?

Which of the following file system is used by Mac OS X?

This organization maintains a database of hash signatures for known software.

You work as a penetration tester for Hammond Security Consultants. You are currently working on a contract for the state government of California. Your next step is to initiate a DoS attack on their network. Why would you want to initiate a DoS attack on a system you are testing?

Why should you note all cable connections for a computer you want to seize as evidence?

Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?

You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacture. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO?

What does the superblock in Linux define?

You have used a newly released forensic investigation tool, which doesn't meet the Daubert Test, during a case. The case has ended-up in court. What argument could the defense make to weaken your case?

You are called by an author who is writing a book and he wants to know how long the copyright for his book will last after he has the book published?

Hackers can gain access to Windows Registry and manipulate user passwords, DNS settings, access rights or others features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:

You are working as an independent computer forensics investigator and received a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a “simple backup copy” of the hard drive in the PC and put it on this drive and requests that you examine that drive for evidence of the suspected images. You inform him that a “simple backup copy” will not provide deleted files or recover file fragments.

What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceeding?

When setting up a wireless network with multiple access points, why is it important to set each access point on a different channel?

Michael works for Kimball Construction Company as senior security analyst. As part of yearly security audit, Michael scans his network for vulnerabilities. Using Nmap, Michael conducts XMAS scan and most of the ports scanned do not give a response. In what state are these ports?

What will the following command accomplish?

During the course of a corporate investigation, you find that an Employee is committing a crime.

Can the Employer file a criminal complaint with Police?

Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM files on a computer. Where should Harold navigate on the computer to find the file?

An "idle" system is also referred to as what?

When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?

What happens when a file is deleted by a Microsoft operating system using the FAT file system?

George is performing security analysis for Hammond and Sons LLC. He is testing security vulnerabilities of their wireless network. He plans on remaining as "stealthy" as possible during the scan. Why would a scanner like Nessus is not recommended in this situation?

Law enforcement officers are conducting a legal search for which a valid warrant was obtained.

While conducting the search, officers observe an item of evidence for an unrelated crime that was not included in the warrant. The item was clearly visible to the officers and immediately identified as evidence. What is the term used to describe how this evidence is admissible?

As a security analyst, you setup a false survey website that will require users to create a username and a strong password. You send the link to all the employees of the company. What information will you be able to gather?

Which federal computer crime law specifically refers to fraud and related activity in connection with access devices like routers?

Which part of the Windows Registry contains the user's password file?

You are running through a series of tests on your network to check for any security vulnerabilities.

After normal working hours, you initiate a DoS attack against your external firewall. The firewall Quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have FTP blocked at the external firewall. What has happened?

What do you call the process in which an attacker uses magnetic field over the digital media device to delete any previously stored data?

Which of the following files store the MySQL database data permanently, including the data that had been deleted, helping the forensic investigator in examining the case and finding the culprit?

Robert is a regional manager working in a reputed organization. One day, he suspected malware attack after unwanted programs started to popup after logging into his computer. The network administrator was called upon to trace out any intrusion on the computer and he/she finds that suspicious activity has taken place within Autostart locations. In this situation, which of the following tools is used by the network administrator to detect any intrusion on a system?

What is the location of a Protective MBR in a GPT disk layout?

Smith is an IT technician that has been appointed to his company's network vulnerability assessment team. He is the only IT employee on the team. The other team members include employees from

Accounting, Management, Shipping, and Marketing. Smith and the team members are having their first meeting to discuss how they will proceed. What is the first step they should do to create the network

vulnerability assessment plan?

Which of the following protocols allows non-ASCII files, such as video, graphics, and audio, to be sent through the email messages?

What value of the "Boot Record Signature" is used to indicate that the boot-loader exists?

An investigator enters the command sqlcmd -S WIN-CQQMK62867E -e -s"," -E as part of collecting the primary data file and logs from a database. What does the "WIN-CQQMK62867E” represent?

What is the name of the first reserved sector in File allocation table?

UEFI is a specification that defines a software interface between an OS and platform firmware. Where does this interface store information about files present on a disk?

Which of the following is a responsibility of the first responder?

Which ISO Standard enables laboratories to demonstrate that they comply with quality assurance and provide valid results?

Which command line tool is used to determine active network connections?

%3cscript%3ealert(”XXXXXXXX”)%3c/script%3e is a script obtained from a Cross-Site Scripting attack. What type of encoding has the attacker employed?

During an investigation, Noel found the following SIM card from the suspect's mobile. What does the code 89 44 represent?

What document does the screenshot represent?

What does Locard's Exchange Principle state?

What must an attorney do first before you are called to testify as an expert?

An investigator is analyzing a checkpoint firewall log and comes across symbols. What type of log is he looking at?

Which of these Windows utility help you to repair logical file system errors?

Which among the following tools can help a forensic investigator to access the registry files during postmortem analysis?

Which of the following stand true for BIOS Parameter Block?

Which of the following is a database in which information about every file and directory on an NT File System (NTFS) volume is stored?

What is the primary function of the tool CHKDSK in Windows that authenticates the file system reliability of a volume?

What type of equipment would a forensics investigator store in a StrongHold bag?

In a Linux-based system, what does the command “Last -F” display?

What is the investigator trying to analyze if the system gives the following image as output?

James, a hacker, identifies a vulnerability in a website. To exploit the vulnerability, he visits the login page and notes down the session ID that is created. He appends this session ID to the login URL and shares the link with a victim. Once the victim logs into the website using the shared URL, James reloads the webpage (containing the URL with the session ID appended) and now, he can browse the active session of the victim. Which attack did James successfully execute?

Bob has encountered a system crash and has lost vital data stored on the hard drive of his Windows computer. He has no cloud storage or backup hard drives. He wants to recover all the data, which includes his personal photos, music, documents, videos, official emails, etc. Which of the following tools shall resolve Bob's purpose?

Select the tool appropriate for finding the dynamically linked lists of an application or malware.