Digital Forensics Exam
Computer Forensics Exam
A technician is conducting a forensics analysis on a computer system. Which of the following should be done FIRST?
A. Look for hidden files.
B. Analyze temporary files.
C. Get a binary copy of the system.
D. Search for Trojans.
Answer: C
Which of the following prevents damage to evidence during forensic analysis?
A. Write-only drive connectors
B. Drive sanitization tools
C. Read-only drive connectors
D. Drive recovery tools
Answer: C
Which of the following is a common practice in forensic investigation?
A. Performing a Gutmann sanitization of the drive
B. Performing a binary copy of the system's storage media
C. Performing a file-level copy of the system's storage media
D. Performing a sanitization of the drive
Answer: B
Which of the following is established immediately upon evidence seizure?
A. Start the incident response plan
B. Damage and loss control
C. Chain of custody
D. Forensic analysis
Answer: C
Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools?
A. Identify user habits
B. Disconnect system from network
C. Capture system image
D. Interview witnesses
Correct Answer: C
A security administrator needs to image a large hard drive for forensic analysis. Which of the following will allow for faster imaging to a second hard drive?
A. cp /dev/sda /dev/sdb bs=8k
B. tail -f /dev/sda > /dev/sdb bs=8k
C. dd if=/dev/sda of=/dev/sdb bs=4k
D. locate /dev/sda /dev/sdb bs=4k
Correct Answer: C
The security manager received a report that an employee was involved in illegal activity and has saved data to a workstation's hard drive. During the investigation, local law enforcement's criminal division confiscates the hard drive as evidence. Which of the following forensic procedures is involved?
A. Chain of custody
B. System image
C. Take hashes
D. Order of volatility
Correct Answer: A
Which of the following is the MOST important step for preserving evidence during forensic procedures?
A. Involve law enforcement
B. Chain of custody
C. Record the time of the incident
D. Report within one hour of discovery
Correct Answer: B
Matt, a forensic analyst, wants to obtain the digital fingerprint for a given message and needs a 160-bit digest. Which of the following hashing methods would Matt have to use to obtain this digital fingerprint?
A. SHA1
B. MD2
C. MD4
D. MD5
Correct Answer: A
After making a bit-level copy of a compromised server, the forensics analyst Joe wants to verify that he did not accidentally make a change during his investigation. Which of the following should he perform?
A. Take a hash of the image and compare it to the one being investigated
B. Compare file sizes of all files prior to and after investigation
C. Make a third image and compare it to the second image being investigated
D. Compare the logs of the copy to the actual server
Correct Answer: A
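The two questions above (imaging with dd, then proving the image was not altered) are the core acquisition workflow. The script below is an added example written for this page, not code from the exam or from any vendor tool. It uses a constructed 1 MiB file as the "device" so it runs offline; in practice EVIDENCE_SRC would be a block device such as /dev/sda behind a write blocker, and the source hash would be recorded in the chain-of-custody log at acquisition time.

```shell
#!/bin/sh
# Added example: acquire a bit-level image with dd, verify it with hashes,
# then show how a single accidental write during analysis is detected.
# The "device" is a constructed file (assumption) so the script runs offline.
set -eu

WORK=$(mktemp -d)
EVIDENCE_SRC="$WORK/evidence.raw"   # stand-in for /dev/sda (assumption)
IMAGE="$WORK/evidence.dd"           # stand-in for the second drive

# Constructed sample evidence: 256 x 4 KiB blocks of random data with a
# known marker string written at byte offset 4096.
make_sample_evidence() {
    dd if=/dev/urandom of="$EVIDENCE_SRC" bs=4k count=256 2>/dev/null
    printf 'CONFIDENTIAL MARKER' |
        dd of="$EVIDENCE_SRC" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Bit-level copy. Note the option names: if=/of=, not in=/out=. A larger bs
# means fewer read/write calls and faster imaging; conv=noerror,sync keeps
# going past unreadable sectors and zero-pads them instead of aborting
# (the padding only changes the hash if the source is not a multiple of bs).
acquire_image() {
    dd if="$EVIDENCE_SRC" of="$IMAGE" bs=4k conv=noerror,sync 2>/dev/null
}

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Acquisition check: source and image must hash identically. Re-running this
# after the investigation detects any change made to the image in between.
verify_image() {
    [ "$(hash_of "$EVIDENCE_SRC")" = "$(hash_of "$IMAGE")" ]
}

# File-system-independent search on the raw image, as a carving tool would do.
image_has_marker() {
    grep -aq 'CONFIDENTIAL MARKER' "$IMAGE"
}

# Simulated mistake: one byte written into the image during analysis.
tamper_image() {
    printf 'X' | dd of="$IMAGE" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Usage when run directly:
#   make_sample_evidence; acquire_image; verify_image && echo "image verified"
```

With real media the same check is done with sha1sum or md5sum, and dcfldd (one of the tools named later on this page) can compute the hash during the copy itself so the acquisition hash is produced in a single pass.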
An intrusion has occurred in an internet facing system. The security administrator would like to gather forensic evidence while the system is still in operation. Which of the following procedures should the administrator perform FIRST on the system?
A. Make a drive image
B. Take hashes of system data
C. Collect information in RAM
D. Capture network traffic
Correct Answer: C
After receiving the hard drive from detectives, the forensic analyst for a court case used a log to capture corresponding events prior to sending the evidence to lawyers. Which of the following do these actions demonstrate?
A. Chain of custody
B. Order of volatility
C. Data analysis
D. Tracking man hours and expenses
Correct Answer: A
A security manager is preparing the training portion of an incident plan. Which of the following job roles should receive training on forensics, chain of custody, and the order of volatility?
A. System owners
B. Data custodians
C. First responders
D. Security guards
Correct Answer: C
A forensics analyst is tasked with identifying identical files on a hard drive. Due to the large number of files to be compared, the analyst must use an algorithm that is known to have the lowest collision rate. Which of the following should be selected?
A. MD5
B. RC4
C. SHA-256
D. AES-256
Correct Answer: C
Joe, a computer forensic technician, responds to an active compromise of a database server. Joe first collects information in memory, then collects network traffic and finally takes an image of the hard drive. Which of the following procedures did Joe follow?
A. Order of volatility
B. Chain of custody
C. Recovery procedure
D. Incident isolation
Correct Answer: A
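The order-of-volatility questions above (RAM first on a live system, then network state, then the disk) are what a live-response script encodes. The collector below is an added example written for this page, not the exam's or any tool's code: it captures each volatile artefact in turn and logs a timestamp and SHA-256 for every file as it is taken, so both the sequence and the integrity of the collection can later be shown for the chain of custody. The tool choices, file names and log format are this example's own assumptions; a missing tool is recorded rather than silently skipped, and the disk image itself (the least volatile item) is left to dd afterwards.

```shell
#!/bin/sh
# Added example: minimal live-response collector, most volatile first.
# Directory layout, artefact names and log format are assumptions of this
# example, not a standard. Output goes to $OUT (a temp dir by default).
set -u

OUT=${OUT:-$(mktemp -d)}
LOG="$OUT/collection.log"
: > "$LOG"

# capture NAME CMD [ARGS...]: run CMD if present on this host, store its
# output, then append "timestamp sha256 name" to the collection log.
capture() {
    name=$1; shift
    file="$OUT/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$file" 2>&1 || true
    else
        echo "tool not available on this host: $1" >"$file"
    fi
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(sha256sum "$file" | cut -d' ' -f1)" "$name" >>"$LOG"
}

collect_volatile() {
    capture 00-clock date -u                 # reference for every later timestamp
    capture 01-processes ps -ef              # memory-resident: gone on reboot
    capture 02-logged-in who
    if command -v ss >/dev/null 2>&1; then   # connections vanish as they close
        capture 03-connections ss -tunap
    else
        capture 03-connections netstat -tunap
    fi
    capture 04-routes netstat -rn
    capture 05-mounts mount                  # mounted volumes, incl. temp fs
    capture 06-storage df -k                 # least volatile item in this set
}

# Artefact names in the order they were collected, read back from the log.
collected_names() {
    while read -r _ts _hash name; do echo "$name"; done <"$LOG"
}

# Re-hash every artefact against the log; fails if any file was altered.
verify_collection() {
    while read -r _ts hash name; do
        [ "$(sha256sum "$OUT/$name.txt" | cut -d' ' -f1)" = "$hash" ] || return 1
    done <"$LOG"
}

# Usage when run directly:
#   collect_volatile && verify_collection && echo "collection verified in $OUT"
```

Run it from removable media or a known-good toolkit rather than the suspect host's own binaries where possible, and copy the output directory off the host as soon as it is complete; the log's hashes are what let you show later that nothing in it changed after collection.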
Which of the following best describes the initial processing phase used in mobile device forensics?
A. The phone should be powered down and the battery removed to preserve the state of data on any internal or removable storage utilized by the mobile device
B. The removable data storage cards should be processed first to prevent data alteration when examining the mobile device
C. The mobile device should be examined first, then removable storage, and lastly the phone without removable storage should be examined again
D. The phone and storage cards should be examined as a complete unit after examining the removable storage cards separately.
Answer: D
The __________ Sleuthkit tool processes the full directory tree and finds the file name that points to a given inode number.
a. ffind
b. fnfind
c. fsfind
d. ifind
Answer: A
Which of the following are forensic imaging tools?
a. dd
b. vdd
c. sdd
d. dcfldd
Answer: A,D
a. loggedtransactions.log
b. sync_log.log
c. transact_user.db
d. history.db
Answer: B
a. Netcap
b. Pcap
c. Packetd
d. RAW
a. HKEY_CLASSES_ROOT
b. HKEY_USERS
c. HKEY_LOCAL_MACHINE
d. HKEY_CURRENT_CONFIG
a. 0x88
b. 0x80
c. 0x98
d. 0x90
a. 0x80
b. 0x88
c. 0xD4
d. 0x90
Answer: D
a. carving
b. live acquisition
c. RAM
d. snapshot
a. temp
b. cache
c. config
d. prefetch
a. startup / access
b. log event
c. ACL
d. MAC
Which one of the following types of evidence is the most volatile?
a. Network status and Connections
b. Swap Space
c. Memory
d. Processes running
Answer: C
Before evidence is copied to a forensic drive (an important step), the forensic drive should be:
a. Erased, deleting all files on the drive
b. A new drive
c. Wiped clean
d. No preparation is needed
Answer: C
A backup copy contains exactly the same data as a bit-image copy. This statement is ____
a. True
b. False
Answer: B
Is it true that Pagefile.sys file on a computer can contain message fragments from instant messaging applications?
a. Yes
b. No
Answer: A
When will a file's hash value change?
a. Changing a character in the file's contents
b. Changing the filename
c. Changing the file's permissions
d. Creating a symlink to the file
Answer: A
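The point behind the question above is that a hash covers only the file's data stream; the name, permission bits, timestamps and links to it are file-system metadata. The script below is an added example written for this page (not from the exam) that demonstrates each case on a constructed sample file, including the MAC timestamps that examiners rely on but that the hash does not cover.

```shell
#!/bin/sh
# Added example: which operations change a file's hash. The sample file and
# its contents are constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
CONTENT='Meeting notes: wire transfer approved by J. Doe'

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Write a copy of the reference content to the given path.
fresh_file() { printf '%s\n' "$CONTENT" > "$1"; }

REFERENCE=$(fresh_file "$WORK/ref.txt" && hash_of "$WORK/ref.txt")

same_as_reference() { [ "$(hash_of "$1")" = "$REFERENCE" ]; }

# Renaming rewrites the directory entry, not the data.
rename_keeps_hash() {
    fresh_file "$WORK/a.txt"; mv "$WORK/a.txt" "$WORK/b.txt"
    same_as_reference "$WORK/b.txt"
}

# Permission bits live in the inode, not in the data stream.
chmod_keeps_hash() {
    fresh_file "$WORK/c.txt"; chmod 600 "$WORK/c.txt"
    same_as_reference "$WORK/c.txt"
}

# Timestamps (the MAC times) are metadata too: backdating leaves the hash intact,
# which is why a hash match does not prove the timeline is genuine.
touch_keeps_hash() {
    fresh_file "$WORK/d.txt"; touch -t 200101010000 "$WORK/d.txt"
    same_as_reference "$WORK/d.txt"
}

# Hashing a symlink follows it to the same data stream.
symlink_keeps_hash() {
    fresh_file "$WORK/e.txt"; ln -s "$WORK/e.txt" "$WORK/e.lnk"
    same_as_reference "$WORK/e.lnk"
}

# Changing a single character ('approved' -> 'Approved') gives a new digest.
edit_changes_hash() {
    fresh_file "$WORK/f.txt"
    sed 's/approved/Approved/' "$WORK/f.txt" > "$WORK/f.edited"
    ! same_as_reference "$WORK/f.edited"
}

# Usage when run directly:
#   rename_keeps_hash && edit_changes_hash && echo "only the edit changed the hash"
```

The same property cuts both ways for an investigator: two files with different names and permissions but the same hash are duplicates (the basis of the identical-file question above), while a hash match says nothing about whether names or timestamps were tampered with.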
_____ Windows Registry key contains file extension associations.
a. HKEY_USERS
b. HKEY_CLASSES_ROOT
c. HKEY_LOCAL_MACHINE
d. HKEY_CURRENT_CONFIG
Answer: B
The suspect's evidence media should be write-protected ______
a. To ensure that data is not altered
b. To ensure data is available
c. To alter the data
d. None of them
Answer: A
Data for roaming phones is stored in the ____
a. HLR
b. GSM
c. BTS
d. VLR
Answer: D
To preserve digital evidence, how many copies of each piece of evidence should be created and maintained?
a. At least two copies
b. One copy
c. No copies
d. None of the above
Answer: A
Issues with the search and seizure procedure for mobile devices include:
a. Power Loss
b. Cloud services synchronization
c. Remote wiping
d. All of the above
Answer: D
_______ requires using a modified boot loader to access RAM for analysis.
a. Chip-off
b. Manual extraction
c. Hex dumping
d. Micro read
Answer: C
_____ is the Sleuthkit tool that can be used to display statistics of the file system.
a. fsfind
b. fsstat
c. fstab
d. fstat
Answer: B
Ref:
CompTIA Security+ question dumps: SY0-201 (TestInside, sec+, 769q, .vce) and SY0-401 (ExamCollection premium exam, 1752q)
* If any of the information above is in error, we apologize. Please notify the Admin so it can be corrected.
Thank you.
#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud