Computer Hacking Forensic Investigator Certification Test! Trivia Quiz

What file structure database would you expect to find on floppy disks?

• A.

  NTFS

• B.

  FAT32

• C.

  FAT16

• D.

  FAT12

What type of attack occurs when an attacker can force a router to stop forwarding packets by flooding the router with many open connections simultaneously so that all the hosts behind the router are effectively disabled?

• A.

  Digital Attack

• B.

  Denial-of-Service (DoS)

• C.

  Physical Attack

• D.

  ARP Redirect

When examining a file with a Hex Editor, what space does the file header occupy?

• A.

  The last several bytes of the file

• B.

  The first several bytes of the file

• C.

  None, file headers are contained in the FAT

• D.

  One byte at the beginning of the file

In the context of the file deletion process, which of the following statements holds TRUE?

• A.

  When files are deleted, the data is overwritten and the cluster marked as available

• B.

  The longer a disk is in use, the less likely it is that deleted files will be overwritten

• C.

  While booting, the machine may create temporary files that can delete evidence

• D.

  Secure delete programs work by completely overwriting the file in one go

A suspect is accused of violating the acceptable use of computing resources, as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation?

• A.

  Image the disk and try to recover deleted files

• B.

  Seek the help of co-workers who are eye-witnesses

• C.

  Check the Windows registry for connection data (you may or may not recover)

• D.

  Approach the websites for evidence

A ________________ is one whereby by a computer program rather than a hacker performs the steps in the attack sequence.

• A.

  Blackout attack

• B.

  Automated attack

• C.

  Distributed attack

• D.

  Central processing attack

The offset in a hexadecimal code is:

• A.

  The last byte after the colon

• B.

  The 0x at the beginning of the code

• C.

  The 0x at the end of the code

• D.

  The first byte after the colon

It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner?

• A.

  By law, three

• B.

  Quite a few

• C.

  Only one

• D.

  At least two

With the standard Linux second extended file system (Ext2FS), a file is deleted when the inode internal link count reaches ________.

• A.

  0

• B.

  10

• C.

  100

• D.

  1

When examining the log files from a Windows IIS Web Server, how often is a new log file created?

• A.

  The same log is used at all times

• B.

  A new log file is created everyday

• C.

  A new log file is created each week

• D.

  A new log is created each time the Web Server is started

Which part of the Windows Registry contains the user's password file?

• A.

  HKEY_LOCAL_MACHINE

• B.

  HKEY_CURRENT_CONFIGURATION

• C.

  HKEY_USER

• D.

  HKEY_CURRENT_USER

An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and digital video discs (DVDs) by using a large magnet. You inform him that this method will not be effective in wiping out the data because CDs and DVDs are ______________ media used to store large amounts of data and are not affected by the magnet.

• A.

  Logical

• B.

  Anti-magnetic

• C.

  Magnetic

• D.

  Optical

Lance wants to place a honeypot on his network. Which of the following would be your recommendations?

• A.

  Use a system that has a dynamic addressing on the network

• B.

  Use a system that is not directly interacting with the router

• C.

  Use it on a system in an external DMZ in front of the firewall

• D.

  It doesn't matter as all replies are faked

What does the acronym POST mean as it relates to a PC?

• A.

  Primary Operations Short Test

• B.

  Power-On Self Test

• C.

  Pre-Operational Situation Test

• D.

  Primary Operating System Test

E-mail logs contain which of the following information to help you in your investigation? (Choose four.)

• A.

  User account that was used to send the account

• B.

  Attachments sent with the e-mail message

• C.

  Unique message identifier

• D.

  Contents of the e-mail message

• E.

  Date and time the message was sent

In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?

• A.

  One who has NTFS 4 or 5 partitions

• B.

  One who uses dynamic swap file capability

• C.

  One who uses hard disk writes on IRQ 13 and 21

• D.

  One who has lots of allocation units per block or cluster

In what way do the procedures for dealing with evidence in a criminal case differ from the procedures for dealing with evidence in a civil case?

• A.

  Evidence must be handled in the same way regardless of the type of case

• B.

  Evidence procedures are not important unless you work for a law enforcement agency

• C.

  Evidence in a criminal case must be secured more tightly than in a civil case

• D.

  Evidence in a civil case must be secured more tightly than in a criminal case

You are assigned to work in the computer forensics lab of a state police agency. While working on a high profile criminal case, you have followed every applicable procedure, however your boss is still concerned that the defense attorney might question whether evidence has been changed while at the lab. What can you do to prove that the evidence is the same as it was when it first entered the lab?

• A.

  Make an MD5 hash of the evidence and compare it with the original MD5 hash that was taken when the evidence first entered the lab

• B.

  Make an MD5 hash of the evidence and compare it to the standard database developed by NIST

• C.

  There is no reason to worry about this possible claim because state labs are certified

• D.

  Sign a statement attesting that the evidence is the same as it was when it entered the lab

• A.

  Disallow UDP 53 in from outside to DNS server

• B.

  Allow UDP 53 in from DNS server to outside

• C.

  Disallow TCP 53 in from secondaries or ISP server to DNS server

• D.

  Block all UDP traffic

When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?

• A.

  Universal Time Set (UTS)

• B.

  Network Time Protocol (NTP)

• C.

  SyncTime Service (STS)

• D.

  Time-Sync Protocol (TSP)

When investigating a potential e-mail crime, what is your first step in the investigation?

• A.

  Trace the IP address to its origin

• B.

  Write a report

• C.

  Determine whether a crime was actually committed

• D.

  Recover the evidence

If a suspect computer is located in an area that may have toxic chemicals, you MUST:

• A.

  Coordinate with the HAZMAT team

• B.

  Determine a way to obtain the suspect computer

• C.

  Assume the suspect machine is contaminated

• D.

  Do not enter alone

The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however only a few are successful. (Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of the attack.)

• A.

  An IDS evasion technique

• B.

  A buffer overflow attempt

• C.

  A DNS zone transfer

• D.

  Data being retrieved from 63.226.81.13

What happens when a file is deleted by a Microsoft operating system using the FAT file system?

• A.

  Only the reference to the file is removed from the FAT

• B.

  The file is erased and cannot be recovered

• C.

  A copy of the file is stored and the original file is erased

• D.

  The file is erased but can be recovered

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with Microsoft’s Remote Desktop Services (RDS), via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes an RDS query which results in the commands run as shown below. What can you infer from the exploit given?

• A.

  It is a local exploit where the attacker logs in using username johna2k

• B.

  There are two attackers on the system - johna2k and haxedj00

• C.

  The attack is a remote exploit and the hacker downloads three files

• D.

  The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer?

• A.

  Rootkit

• B.

  Key escrow

• C.

  Steganography

• D.

  Offset

During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding process. Therefore, you report this evidence. This type of evidence is known as:

• A.

  Inculpatory evidence

• B.

  Mandatory evidence

• C.

  Exculpatory evidence

• D.

  Terrible evidence

If you discover a criminal act while investigating a corporate policy abuse, it becomes a public sector investigation and should be referred to law enforcement?

• A.

  True

• B.

  False

What binary coding is used most often for eMail purposes?

• A.

  Multi-purpose Internet Mail Extensions (MIME)

• B.

  Unix-to-Unix ENCODE-ing (UUEncode)

• C.

  Internet Message Access Protocol (IMAP)

• D.

  Simple Mail Transfer Protocol (SMTP)

If you see the files "zer0.tar.gz" and "copy.tar.gz" on a Linux system while doing an investigation, what can you conclude?

• A.

  The system files have been copied by a remote attacker

• B.

  The system administrator has created an incremental backup

• C.

  The system has been compromised using a t0rnrootkit

• D.

  Nothing in particular as these can be operational files

From the following spam mail header, identify the host IP that sent this spam?

• A.

  137.189.96.52

• B.

  8.12.1.0

• C.

  203.218.39.20

• D.

  203.218.39.50

Diskcopy is:

• A.

  A utility by AccessData

• B.

  A standard MS-DOS command

• C.

  Digital Intelligence utility

• D.

  Dd copying tool

Sectors in hard disks typically contain how many bytes?

• A.

  256

• B.

  512

• C.

  1024

• D.

  2048

Area density refers to:

• A.

  The amount of data per disk

• B.

  The amount of data per partition

• C.

  The amount of data per square inch

• D.

  The amount of data per platter

Corporate investigations are typically easier than public investigations because:

• A.

  The users have standard corporate equipment and software

• B.

  The investigator does not have to get a warrant

• C.

  The investigator has to get a warrant

• D.

  The users can load whatever they want on their machines

Which of the following should a computer forensics lab, used for investigations, have?

• A.

  Isolation

• B.

  Restricted access

• C.

  Open access

• D.

  An entry log

Jason is the security administrator of ACMA metal Corporation. One day he notices the company's Oracle database server has been compromised and the customer information along with financial data has been stolen. The financial loss will be in millions of dollars if the database gets into the hands of the competitors. Jason wants to report this crime to the law enforcement agencies immediately. Which organization coordinates computer crimes investigations throughout the United States?

• A.

  Internet Fraud Complaint Center

• B.

  Local or national office of the U.S. Secret Service

• C.

  National Infrastructure Protection Center

• D.

  CERT Coordination Center

Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks?

• A.

  Network-based Intrusion Detection System (NIDS)

• B.

  Host-based Intrusion Detection System (HIDS)

• C.

  Anomaly detection

• D.

  Signature recognition

You should make at least ___ bit-stream copies of a suspect drive?

• A.

  1

• B.

  2

• C.

  3

• D.

  4

Why should you note all cable connections for a computer you want to seize as evidence?

• A.

  To know what outside connections existed

• B.

  In case other devices were connected

• C.

  To know what peripheral devices exist

• D.

  To know what hardware existed

What header field in the TCP/IP protocol stack involves the hacker exploit known as the Ping of Death?

• A.

  ICMP header field

• B.

  TCP header field

• C.

  IP header field

• D.

  UDP header field

What method of computer forensics will allow you to trace all ever-established user accounts on a Windows 2000 sever the course of its lifetime?

• A.

  Forensic duplication of hard drive

• B.

  Analysis of volatile data

• C.

  Comparison of MD5 checksums

• D.

  Review of SIDs in the Registry

Which response organization tracks hoaxes as well as viruses?

• A.

  National Photographic Interpretation Center (NIPC)

• B.

  Federal Computer Incident Response Center (FedCIRC)

• C.

  Computer Emergency Response Team (CERT)

• D.

  Computer Incident Advisory  Capability (CIAC)

• E.

  Joint Cybersecurity Coordination Center (JC3) 

• F.

  Department Of Energy - Computer Incident Response Center (DOE-CIRC)

Which federal computer crime law specifically refers to fraud and related activity in connection with access devices like routers?

• A.

  18 U.S.C. § 1029 - Fraud and related activity in connection with access devices

• B.

  18 U.S.C. § 1362 - Communication lines, stations or systems

• C.

  18 U.S.C. § 2511 - Interception and disclosure of wire, oral, or electronic communications prohibited

• D.

  18 U.S.C. § 2703 - Required disclosure of customer communications or records

Documents created by Office programs such as Word, Excel, and PowerPoint contain a code, based off of the Media Access Control (MAC) address, or unique identifier, of the machine upon which the document was written. What is this code called?

• A.

  The Microsoft Virtual Machine Identifier

• B.

  The Personal Application Protocol

• C.

  The Globally Unique IDentifier (GUID)

• D.

  The Individual ASCII String

What TCP/UDP port does the toolkit program netstat use?

• A.

  TCP/UDP Port 7

• B.

  TCP/UDP Port 15

• C.

  TCP/UDP Port 23

• D.

  TCP/UDP Port 69

When investigating a network that uses Dynamic Host Configuration Protocol (DHCP) to assign Internet Protocol (IP) addresses, where would you look to determine which system, identified by it’s Media Access Control (MAC) address, had a specific IP address at a specific time?

• A.

  On the individual computer's ARP cache

• B.

  In the Web Server log files

• C.

  In the DHCP Server log files

• D.

  There is no way to determine the specific IP address

Bob has been trying to penetrate a remote production system for the past two weeks. This time however, he is able to get into the system. He was able to use the System for a period of three weeks. However, law enforcement agencies were recording his every activity and this was later presented as evidence. The organization had used a Virtual Environment to trap Bob. What is a Virtual Environment?

• A.

  A Honeypot that traps hackers

• B.

  A system Using Trojaned commands

• C.

  An environment set up after the user logs in

• D.

  An environment set up before a user logs in

To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software. What group is actively providing tools and creating procedures for testing and validating computer forensics software?

• A.

  Computer Forensics Tools and Validation Committee (CFTVC)

• B.

  Association of Computer Forensics Software Manufactures (ACFSM)

• C.

  National Institute of Standards and Technology (NIST)

• D.

  Society for Valid Forensics Tools and Testing (SVFTT)

With regard to using an anti-virus scanner during a computer forensics investigation, you should:

• A.

  Scan the suspect hard drive before beginning an investigation

• B.

  Never run a scan on your forensics workstation because it could change your systems configuration

• C.

  Scan your forensics workstation at intervals of no more than once every five minutes during an investigation

• D.

  Scan your forensics workstation before beginning an investigation