Sunday, November 27, 2016

Digital Forensics Exam

Digital Forensics Exam

Digital Forensics Exam

Computer  Forensics Exam

A technician is conducting a forensics analysis on a computer system. Which of the following should bedone FIRST?
A. Look for hidden files.
B. Analyze temporary files.
C. Get a binary copy of the system.
D. Search for Trojans.


Answer: C

Which of the following prevents damage to evidence during forensic analysis?
A. Write-only drive connectors
B. Drive sanitization tools
C. Read-only drive connectors
D. Drive recovery tools


Answer: C
 

Which of the following is a common practice in forensic investigation?
A. Performing a Gutman sanitization of the drive
B. Performing a binary copy of the systems storage media
C. Performing a file level copy of the systems storage media
D. Performing a sanitization of the drive


Answer: B
 

Which of the following is established immediately upon evidence seizure?
A. Start the incident respond plan
B. Damage and loss control
C. Chain of custody
D. Forensic analysis


Answer: C


Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools?
A. Identify user habits
B. Disconnect system from network
C. Capture system image
D. Interview witnesses


Correct Answer: C

A security administrator needs to image a large hard drive for forensic analysis. Which of the following will allow for faster imaging to a second hard drive?
A. cp /dev/sda /dev/sdb bs=8k
B. tail -f /dev/sda > /dev/sdb bs=8k
C. dd in=/dev/sda out=/dev/sdb bs=4k
D. locate /dev/sda /dev/sdb bs=4k


Correct Answer: C

The security manager received a report that an employee was involved in illegal activity and has saved data to a workstation’s hard drive. During the investigation, local law
enforcement’s criminal division confiscates the hard drive as evidence. Which of the following forensic procedures is involved?
A. Chain of custody
B. System image
C. Take hashes
D. Order of volatility


Correct Answer: A
 
Which of the following is the MOST important step for preserving evidence during forensic procedures?
A. Involve law enforcement
B. Chain of custody
C. Record the time of the incident
D. Report within one hour of discovery


Correct Answer: B

Matt, a forensic analyst, wants to obtain the digital fingerprint for a given message. The message is 160-bits long. Which of the following hashing methods would Matt have to use to obtain this digital fingerprint?
A. SHA1
B. MD2
C. MD4
D. MD5


Correct Answer: A
 

After making a bit-level copy of compromised server, the forensics analyst Joe wants to verify that he bid not accidentally make a change during his investigation. Which of the
following should he perform?
A. Take a hash of the image and compare it to the one being investigated
B. Compare file sizes of all files prior to and after investigation
C. Make a third image and compare it to the second image being investigated
D. Compare the logs of the copy to the actual server


Correct Answer: A


 An intrusion has occurred in an internet facing system. The security administrator would like to gather forensic evidence while the system is still in operation. Which of the following
procedures should the administrator perform FIRST on the system?
A. Make a drive image
B. Take hashes of system data
C. Collect information in RAM
D. Capture network traffic


Correct Answer: D

After receiving the hard drive from detectives, the forensic analyst for a court case used a log to capture corresponding events prior to sending the evidence to lawyers. Which of the
following do these actions demonstrate?
A. Chain of custody
B. Order if volatility
C. Data analysis
D. Tracking man hours and expenses


Correct Answer: A


A security manager is preparing the training portion of an incident plan. Which of the following job roles should receive training on forensics, chain of custody, and the order of
volatility?
A. System owners
B. Data custodians
C. First responders
D. Security guards


Correct Answer: C


  A forensics analyst is tasked identifying identical files on a hard drive. Due to the large number of files to be compared, the analyst must use an algorithm that is known to have the lowest collision rate. Which of the following should be selected?
A. MD5
B. RC4
C. SHA-128
D. AES-256


Correct Answer: C

Joe a computer forensic technician responds to an active compromise of a database server. Joe first collects information in memory, then collects network traffic and finally
conducts an image of the hard drive. Which of the following procedures did Joe follow?
A. Order of volatility
B. Chain of custody
C. Recovery procedure
D. Incident isolation


Correct Answer: A
 

 Which of the following best describes the initial processing phase used in mobile device
forensics?
A. The phone should be powered down and the battery removed to preserve the state of data on
any internal or removable storage utilized by the mobile device
B. The removable data storage cards should be processed first to prevent data alteration when
examining the mobile device
C. The mobile device should be examined first, then removable storage and lastly the phone without
removable storage should be examined again
D. The phone and storage cards should be examined as a complete unit after examining the
removable storage cards separately.


Answer: D


The __________Sleuthkit tools processes the full directory tree and finds the file name that points to a given inode number.
a. ffind
b fnfind
c. fsfind
d. ifind


 Answer: A

Following are forensic imaging tools?
a. dd
b. vdd
c. sdd
d. dcfldd 


 Answer: A,D

The Google drive file ??? contains a detailed list of a user's cloud transactions
a. loggedtransactions.log
b. sync_log.log
c. transact_user.db
d. history.db

 Answer: B

The tcpdump and Wireshark utilities both use what well known packet capture format
a. Netcap
b. Pcap
c. Packetd
d. RAW

 Answer: B

What Windows Registry key contains associations for file extensions
a. HKEY_CLASSES_ROOT
b. HKEY_USERS
c. HKEY_LOCAL_MACHINE
d. HKEY_CURRENT_CONFIG

 Answer: A

At what offset is a prefetch file's create date & time located
a. 0x88
b. 0x80
c. 0x98
d. 0x90

 Answer: B

In a prefetch file, the application's last access date and time are at offset ???
a. 0x80
b. 0x88
c. 0xD4
d. 0x90

 Answer:D

With cloud systems running in a virtual environment, ??? can give you valuable information before, during, and after an incident
a. carving
b. live acquisition
c. RAM
d. snapshot

 Answer:D

To reduce the time it takes to start applications, Microsoft has created ??? files, which contain the DLL pathnames and metadata used by application
a. temp
b. cache
c. config
d. prefetch

Answer:D

Metadata in a prefetch file contains an application's ??? times in UTC format and a counter of how many times the application has run since the prefect file was created
a. startup / access
b. log event
c. ACL
d. MAC

Answer:D

Which one of the following types of evidence is the most volatile ?
a. Network status and Connections
b. Swap Space
c. Memory
d. Processes running


Answer:C

During copying of evidence which is a important process, to a forensic drive, the forensic drive should be :
a. Erased, deleting all files on the drive
b. A new drive
c. Wiped clean
d. No preparation is needed


Answer:C

Backup copy contains exactly the same data as a bit-image copy. This statement is ____
a. True
b. False


Answer:B

Is it true that Pagefile.sys file on a computer can contain message fragments from instant messaging applications?
a. Yes
b. No


Answer:A

When will file’s hash value change?
a. Changing character
b. Changing filename
c. Changing file permission
d. Creating a symlink


Answer:A

_____ Windows Registry key contains file extensions associations.
a. HKEY_USERS
b. HKEY_CLASSES_ROOT.
c. HKEY_LOCAL_MACHINE
d. HKEY_CURRENT_CONFIG


Answer:B

The suspect evidence media be write-protected  ______
a.  To ensure that data is not altered
b. To ensure data  is available
c. To alter the data
d. None of them


Answer: A

Data for roaming phones is  stored in ____
a . HLR
b. GSM
c. BTS
d. VLR


Answer: d

To preserve digital evidence how many copies of a each evidence  should be created and maintained :
 a. At least two copies
b. One copy
c. No copies
d. None of the above


Answer: A

 Issue/s  with search & seizure procedure for cell  mobile devices is/are:
a. Power Loss
b. Cloud services synchronization
c. Remote wiping
d. All of the above
Answer: D

 _______ requires using a modified boot loader to access RAM for analysis?.
a. Chip-off
b. Manual extraction
c. Hex dumping
d. Micro read
Answer: C

_____ Sleuthkit tools can be used to display statistics of the file system.
a. fsfind
b fsstat
c. fstab
d. fstat
Answer: B

When shutting down a computer what information is typical lost?

a. Non-volatile information
b. Digital information
d. Static information

Answer: C

Which method of acquisition is always the most preferred?

a. Live
b. Static 
c. Logical
d. Illogical

Answer: B

How many disk-to-image copies should you make?

a. Never more than 1.
b. At least 2 
c. You should always use disk-to-disk rather than disk-to-image.
d. This is not a required step for digital forensics.

Answer: B

Ref:
CompTIA. Security+.TestInside.SY0-201.sec+.769q.vce SY0-401.examcollection.premium.exam.1752q
 

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud

 

No comments:

Post a Comment

Digital Forensics:WhatsMyName (OSINT)

Digital Forensics:WhatsMyName (OSINT) Welcome to WhatsMyName This tool allows you to enumerate usernames across many websites How to use: 1....