Computer Hacking Forensic Investigator Certification Test! Trivia Quiz

If a criminal act is discovered during an investigation into corporate policy abuse, it should be referred to law enforcement because it becomes a public sector investigation. This means that the investigation is no longer solely focused on internal policy violations within the organization, but now involves potential criminal activity that falls under the jurisdiction of law enforcement agencies. Referring the case to law enforcement ensures that appropriate legal actions can be taken against the individuals involved in the criminal act.

A denial-of-service (DoS) attack occurs when an attacker floods a router with numerous open connections simultaneously, causing the router to stop forwarding packets. This flood of connections overwhelms the router's resources, rendering it unable to function properly. As a result, all the hosts behind the router are effectively disabled and unable to communicate with the network. This type of attack aims to disrupt the availability of a network or service by overwhelming its resources and causing it to become unresponsive.

The acronym POST stands for Power-On Self Test. This test is performed by a computer when it is powered on to check if all the hardware components are functioning properly. It helps to identify any potential issues or errors that may prevent the computer from booting up successfully. The Power-On Self Test is an essential part of the boot process and ensures that the computer is in a suitable state to start the operating system.

Steganography is the correct answer because it refers to the practice of concealing information within another form of data, such as an image or audio file, in order to keep it hidden from anyone who is not the intended recipient. This technique is commonly used to ensure the secrecy and confidentiality of sensitive information, as it allows for the covert transmission of messages without arousing suspicion from the casual observer.

When conducting forensic analysis on a suspect drive, it is recommended to make at least two bit-stream copies. This is important because it ensures the preservation of the original evidence and allows for multiple copies to be used for different purposes. Having multiple copies also reduces the risk of data loss or corruption during the analysis process. Additionally, it enables multiple investigators or experts to work on different copies simultaneously, increasing efficiency and collaboration.

CDs and DVDs are optical media used to store large amounts of data. Optical media use a laser to read and write data, and the data is stored as microscopic pits on the surface of the disc. The magnet does not affect the data stored on optical media because it does not interfere with the microscopic pits or the laser reading mechanism. Therefore, using a magnet to wipe out the data on CDs and DVDs will not be effective.

A Virtual Environment in this context refers to a Honeypot that traps hackers. It is a simulated environment that is designed to attract and deceive potential attackers, like Bob, into thinking they have gained unauthorized access to a system. In reality, the actions performed within the Virtual Environment are monitored and recorded by law enforcement agencies, allowing them to gather evidence against the hacker. This technique is commonly used to gather intelligence on hacking activities and to protect real production systems from unauthorized access.

The correct answer is to image the disk and try to recover deleted files. By creating a forensic image of the suspect's disk, the investigator can make an exact copy of the data stored on it. This allows them to conduct a thorough analysis of the disk without altering or tampering with the original evidence. By using specialized forensic tools, the investigator can attempt to recover deleted files, including browsing history, cookies, and downloaded images, which can provide evidence of the suspect's activities on adult websites.

It only takes one mismanaged case to ruin your professional reputation as a computer forensics examiner. This suggests that even a single instance of mishandling a case can have severe consequences and negatively impact the examiner's reputation. It emphasizes the importance of maintaining a high level of professionalism and accuracy in this field.

To prove that the evidence is the same as it was when it first entered the lab, making an MD5 hash of the evidence and comparing it with the original MD5 hash is the most effective method. MD5 is a cryptographic algorithm that generates a unique hash value for a given input. By comparing the MD5 hash of the evidence with the original hash, any changes or tampering with the evidence can be easily detected. This ensures the integrity and authenticity of the evidence, providing a strong defense against any claims of alteration.

The correct answer is Network Time Protocol (NTP). NTP is a service used to synchronize the clocks of multiple computers. By ensuring that all computers have synchronized time, an administrator can accurately reconstruct the sequence of events during an attack. Without synchronized time, it would be difficult to determine the exact timing and order of events. Universal Time Set (UTS), SyncTime Service (STS), and Time-Sync Protocol (TSP) are not valid terms or services related to time synchronization among multiple computers.

The correct answer is 18 U.S.C. § 1029 - Fraud and related activity in connection with access devices. This law specifically deals with fraud and related activities involving access devices such as routers. It addresses the illegal use of access devices, including unauthorized access, trafficking, and possession of stolen access devices. This law aims to protect against fraudulent activities and unauthorized access to computer systems using access devices.

An automated attack refers to a type of attack where a computer program, rather than a hacker, carries out the steps in the attack sequence. This means that the attack is executed automatically, without the need for human intervention. In an automated attack, the program can be designed to exploit vulnerabilities, launch malicious actions, or gain unauthorized access to systems or networks. This type of attack is often used to target multiple systems simultaneously and can be highly efficient and difficult to detect.

The code mentioned in the question is called the Globally Unique IDentifier (GUID). It is a unique identifier assigned to a document created by Office programs. This identifier is based on the Media Access Control (MAC) address of the machine on which the document was written.

A computer forensics lab used for investigations should have restricted access. This is necessary to ensure the security and integrity of the evidence being analyzed. Restricted access means that only authorized personnel should be allowed to enter the lab, reducing the risk of tampering or unauthorized access to the equipment and data. By implementing restricted access protocols, the lab can maintain a controlled environment where the chain of custody can be properly maintained, and the integrity of the evidence can be preserved.

The 0x at the beginning of the code is the offset in a hexadecimal code. Hexadecimal codes often start with 0x to indicate that the following characters represent a hexadecimal value. This allows the code reader to interpret the value correctly. The offset represents the position or location of a specific byte within the code, and in this case, it is indicated by the 0x at the beginning.

In the standard Linux second extended file system (Ext2FS), the inode internal link count represents the number of hard links pointing to a file. When this count reaches 0, it means that there are no more hard links pointing to the file, indicating that the file is no longer being referenced or used. Therefore, the file is considered deleted.

If a suspect computer is located in an area that may have toxic chemicals, it is important to coordinate with the HAZMAT team. This is necessary because the presence of toxic chemicals can pose a risk to the individuals involved in the investigation. The HAZMAT team is trained and equipped to handle hazardous materials safely, so their involvement ensures that proper precautions are taken. By coordinating with the HAZMAT team, the investigators can ensure their own safety and minimize the risk of contamination or harm.

In a network that uses DHCP to assign IP addresses, the DHCP server is responsible for assigning and managing IP addresses. The DHCP server maintains a log file that records the IP address assignments made to each system. By looking into the DHCP server log files, one can determine which system, identified by its MAC address, had a specific IP address at a specific time. This log file provides a record of the IP address assignments made by the DHCP server, allowing for the identification of the system associated with a particular IP address.

In corporate investigations, the investigator does not have to get a warrant. Unlike public investigations, where law enforcement agencies typically need a warrant to search and seize evidence, corporate investigations are conducted within the boundaries of the company's policies and regulations. This means that the investigator can access and examine corporate equipment and software without the need for a warrant. However, it is important to note that this does not imply unlimited access, as investigators still need to adhere to legal and ethical guidelines while conducting their investigations.

Exculpatory evidence is evidence that tends to prove the innocence of the suspect or defendant in a criminal investigation or trial. It is important for investigators to maintain an unbiased and objective approach to the fact-finding process, which includes reporting any evidence that may support the innocence of the suspect. By doing so, investigators ensure a fair and just investigation, allowing for the possibility of exonerating the individual if the evidence is strong enough.

Based on the given information, the presence of the files "zer0.tar.gz" and "copy.tar.gz" on a Linux system does not provide enough evidence to conclude anything specific. These files could potentially be operational files or have other legitimate purposes. Therefore, no particular conclusion can be drawn from their presence alone.

Sectors in hard disks typically contain 512 bytes. This is the standard sector size used in most hard drives. A sector is the smallest unit of data that can be read from or written to a hard disk. It is important to have a consistent sector size across different hard drives to ensure compatibility and efficient data storage and retrieval.

In a criminal case, the evidence must be secured more tightly than in a civil case. This is because a criminal case involves the accusation of a crime, which can result in the loss of liberty for the accused. Therefore, the evidence needs to be handled with utmost care and security to ensure its integrity and prevent tampering or contamination. In contrast, a civil case typically involves disputes between individuals or organizations, where the consequences are generally limited to monetary compensation. Hence, the level of security for evidence in a civil case is comparatively lower.

The National Institute of Standards and Technology (NIST) is actively providing tools and creating procedures for testing and validating computer forensics software. This organization is known for its expertise in developing standards and guidelines for various fields, including computer forensics. By testing and validating the software, NIST ensures that it meets the necessary requirements and can be considered reliable and accurate in a court of law.

The correct answer is HKEY_LOCAL_MACHINE. This part of the Windows Registry contains system-wide configuration settings and information for all users on the computer. It does not specifically contain the user's password file.

It is important to scan the forensics workstation before beginning an investigation to ensure that there are no existing malware or viruses present that could potentially compromise the investigation. By scanning the workstation beforehand, any potential threats can be identified and removed, ensuring the integrity of the investigation process.

Diskcopy is a standard MS-DOS command. MS-DOS is an operating system developed by Microsoft for IBM-compatible personal computers. The diskcopy command is used to create an identical copy of a floppy disk or a hard drive. It is a built-in utility in MS-DOS and allows users to duplicate disks for backup or distribution purposes.

By noting all cable connections for a computer that is being seized as evidence, one can determine what outside connections existed. This information is crucial as it can provide insights into potential sources of data transfer or communication with external devices. It allows investigators to understand the extent of the computer's network connections and identify any potential threats or additional devices that might have been connected to it.

In this scenario, the correct answer is "the same log is used at all times". This means that the Windows IIS Web Server does not create a new log file on a regular basis. Instead, it continues to use the same log file for all the server activities. This can be advantageous for tracking and analyzing server events as all the information is stored in a single log file, making it easier to manage and review the server's activity history.

The first step in investigating a potential e-mail crime is to trace the IP address to its origin. This is important because the IP address can provide crucial information about the location and identity of the sender. By tracing the IP address, investigators can gather evidence that can help in identifying and apprehending the perpetrator. It is a crucial step in the investigation process as it can lead to further steps such as obtaining search warrants or subpoenas to gather more evidence.

The correct answer is TCP header field. The Ping of Death is a hacker exploit that involves sending an oversized ICMP Echo Request packet to a target system. This causes the target system to crash or become unresponsive. The TCP header field is responsible for managing and controlling the transmission of data between devices over a network. In the case of the Ping of Death, the hacker manipulates the TCP header field to send a malicious packet that overwhelms the target system, leading to a denial of service.

The given excerpt mentions that the attacker switches to playing with Microsoft's Remote Desktop Services (RDS) and constructs SQL statements that execute shell commands on the IIS server. It is mentioned that the attacker makes an RDS query which results in the commands run. This indicates that the attack is a remote exploit, as the attacker is able to execute commands on the server remotely. Additionally, it is mentioned that the attacker downloads three files, further confirming that the attack is remote and involves downloading files from the server.

The correct answer is 203.218.39.20. This is the host IP that sent the spam, as indicated by the question.

The file slack refers to the unused space between the end of a file and the end of the last allocated cluster. The more allocation units per block or cluster a user has, the larger the file slack will be. Therefore, a user who has lots of allocation units per block or cluster is most likely to have the most file slack to analyze in a forensic examination of hard drives for digital evidence.

The correct answer is TCP/UDP Port 15. Netstat is a command-line tool used to display active network connections, listening ports, and other network statistics. It can be used to monitor network traffic and troubleshoot network-related issues. In this case, netstat uses TCP/UDP Port 15 to display the active network connections and associated information.

MIME is the most commonly used binary coding for email purposes. MIME allows different types of data to be included in email messages, such as images, audio, and video files, by encoding them into a binary format. This encoding ensures that the data can be transmitted and received correctly across different email systems and platforms. It also allows email clients to interpret and display the data correctly, regardless of the file type. Therefore, MIME is widely used to handle the encoding and decoding of binary data in email communications.

While booting, the machine may create temporary files that can delete evidence. This statement is true because during the booting process, temporary files are often created by the operating system or other programs. These temporary files can potentially overwrite or delete evidence of previously deleted files, making it harder to recover them. This is why it is important to use specialized tools and techniques for data recovery if the deleted files are of importance.

E-mail logs contain information such as the user account that was used to send the email, the unique message identifier, the contents of the email message, and the date and time the message was sent. These details can be helpful in an investigation as they can provide information about the sender, the specific email being investigated, its content, and when it was sent. By analyzing these logs, investigators can gather evidence and track the source of the email.

When a file is deleted by a Microsoft operating system using the FAT file system, only the reference to the file is removed from the File Allocation Table (FAT). This means that the operating system no longer recognizes the file as being present, but the actual data of the file remains intact on the storage device. Although the file may appear to be erased, it can still be recovered using specialized software that can access the underlying data.

Area density refers to the amount of data stored on a given disk. It measures the quantity of data that can be packed into a specific area of the disk's surface. This metric is typically expressed as the amount of data per square inch. The higher the area density, the more information can be stored on the disk, resulting in greater storage capacity. It is an important factor in determining the efficiency and effectiveness of data storage systems.

The correct answer is the local or national office of the U.S. Secret Service. The U.S. Secret Service is responsible for investigating and preventing crimes related to financial fraud, including computer crimes. They have the jurisdiction and expertise to handle cases involving the theft of customer information and financial data. Reporting the crime to the U.S. Secret Service would ensure that the appropriate law enforcement agency is notified and can take action to investigate and apprehend the perpetrators.

The correct answer is "It doesn't matter as all replies are faked." This means that regardless of the specific recommendations given, all responses received from the honeypot will be false or manipulated. Therefore, the specific characteristics of the system, such as dynamic addressing or placement in a DMZ, do not have any impact on the faked replies.

The given answer is "An IDS evasion technique". This can be inferred from the fact that the log captures intrusion attempts and only a few are successful. An IDS evasion technique refers to methods used by attackers to avoid detection by an Intrusion Detection System (IDS). This suggests that the successful intrusion attempts were able to bypass the IDS, indicating the use of an IDS evasion technique.

Floppy disks were commonly used in the past for storing data. The FAT12 file structure database is the most suitable for floppy disks because it is specifically designed for small storage devices. FAT12 uses a 12-bit file allocation table and is capable of managing the limited storage capacity of floppy disks efficiently. Therefore, it is expected to find the FAT12 file structure database on floppy disks.

Host-based Intrusion Detection Systems (HIDS) are installed on individual host systems and monitor activities and events occurring on those systems. Since HIDS focus on the behavior and activities of individual hosts, they are more likely to produce false alarms due to the unpredictable behaviors of users and networks. Users may engage in unusual activities or network behaviors may change, leading to false alarms being triggered by the HIDS. In contrast, Network-based Intrusion Detection Systems (NIDS) monitor network traffic and are less affected by the specific behaviors of individual hosts, making them less prone to false alarms in this context. Anomaly detection and signature recognition are techniques used by both NIDS and HIDS to identify potential intrusions.

The file header occupies one byte at the beginning of the file. This byte is used to store information about the file, such as its format or type. It is typically the first piece of data that is read when opening a file and is important for identifying and interpreting the contents of the file.

The correct answer is Computer Incident Advisory Capability (CIAC). CIAC is an organization that not only tracks viruses but also hoaxes. They provide information and guidance to organizations and individuals to help prevent and respond to computer security incidents.

This answer suggests that the UDP port 53 should be blocked for incoming traffic from outside to the DNS server. This is because UDP port 53 is commonly used for DNS queries and allowing external access to this port could potentially expose the DNS server to unauthorized access or malicious attacks. By disallowing UDP 53 traffic from outside, the DNS server can be better protected.

The comparison of MD5 checksums is not the correct method for tracing user accounts on a Windows 2000 server. MD5 checksums are used to verify the integrity of data, not to trace user accounts. This method involves generating a unique hash value for a file or data and comparing it with the original hash value to check for any changes or tampering. It is not relevant to tracing user accounts on a server.