Question: The chief information officer of a small computer company believes the company network is the target of a denial of service (DoS) attack. There has been no visible loss of data, but customers are complaining that network response time is slow. Which digital evidence should a forensic investigator collect to identify a potential DoS attack?

Answer Choices:
- Security log
- Browser history
- Firewall log
- Browser cookies

Answer: Firewall log


Question: A digital forensic examiner receives a computer used in a hacking case. The examiner is asked to extract information from the computer’s Registry. How should the examiner proceed when obtaining the requested digital evidence?

Answer Choices:
- Enlist a colleague to witness the investigative process
- Investigate whether the computer was properly seized
- Download a tool from a hacking website to extract the data
- Ensure that any tools and techniques used are widely accepted

Answer: Ensure that any tools and techniques used are widely accepted


Question: A forensic investigator is searching for evidence on a seized computer. What is the correct order for data collection?

Answer Choices:
- Volatile, persistent, temporary
- Temporary, persistent, volatile
- Temporary, volatile, persistent
- Volatile, temporary, persistent

Answer: Volatile, temporary, persistent


Question: Which universal principle must be observed when handling digital evidence?

Answer Choices:
- Avoid making changes to the evidence
- Make a copy and analyze the original
- Keep the evidence in a plastic bag
- Get the signatures of two witnesses

Answer: Avoid making changes to the evidence


Question: An organization believes that a company-owned mobile phone has been compromised. Which software should be used to collect an image of the phone as digital evidence?

Answer Choices:
- Forensic Toolkit (FTK)
- Forensic SIM Cloner
- Data Doctor
- PTFinder

Answer: Forensic Toolkit (FTK)


Question: Which operation on a Linux machine is related to the data in the /var/log/pr.log file?

Answer Choices:
- Webserver
- Failed logins
- Application failures
- Printing

Answer: Printing


Question: Which law requires telecommunications carriers and manufacturers of telecommunications equipment to modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities?

Answer Choices:
- Electronic Communications Privacy Act
- CAN-SPAM Act
- USA Patriot Act of 2006
- Communication Assistance to Law Enforcement Act

Answer: Communication Assistance to Law Enforcement Act


Question: A major retail company was recently the victim of a Denial of Service (DoS) attack. Which digital evidence should be collected to determine where the attack came from?

Answer Choices:
- Internal users’ operating system logs and URL history
- Database transaction logs and database server logs
- IP addresses, MAC addresses, and packet information
- Email messages, text messages, and phone call logs

Answer: IP addresses, MAC addresses, and packet information


Question: While investigating a crime scene, an investigator discovers a computer system. The computer system is unplugged from any power source. The investigator then takes pictures and records model numbers, serial numbers, and unique markings. Which action should the investigator take next?

Answer Choices:
- Turn the computer on and use a file manager application to review evidence
- Turn the computer on and use EnCase to collect digital evidence
- Remove any storage devices and examine them with Forensic Toolkit (FTK)
- Remove the computer and create a bit-by-bit image of any storage devices

Answer: Remove the computer and create a bit-by-bit image of any storage devices


Question: An organization has identified a system breach and has collected volatile data from the system. Which evidence type should be collected next?

Answer Choices:
- Running processes
- Temporary data
- Network connections
- File timestamps

Answer: File timestamps


Question: A cybercriminal hacked into an Apple iPad that belongs to a company’s chief executive officer (CEO). The cybercriminal deleted some important files on the data volume that must be retrieved. Which hidden folder will contain the digital evidence?

Answer Choices:
- /etc
- /Private/etc
- /.Trashes/501
- /lost+found

Answer: /.Trashes/501


Question: An organization identifies that a breach has occurred on a system. Which evidence should be collected before shutting the system down?

Answer Choices:
- File names
- File timestamps
- Temporary files
- Swap file

Answer: Temporary files


Question: Which description applies to the Advanced Forensic Format (AFF)?

Answer Choices:
- A proprietary format developed by Guidance Software
- A proprietary format used by the iLook tool
- An open file standard used by Sleuth Kit and Autopsy
- An open file standard developed by AccessData

Answer: An open file standard used by Sleuth Kit and Autopsy


Question: Which data storage format uses Negated AND (NAND) gate-based memory?

Answer Choices:
- Integrated drive electronics (IDE)
- Digital linear tape (DLT)
- Digital audio tape (DAT)
- Solid-state drives (SSD)

Answer: Solid-state drives (SSD)


Question: Which operating system (OS) uses the NTFS (New Technology File System) file system?

Answer Choices:
- Linux
- Windows 8
- Mac OS X v10.5
- Mac OS X v10.4

Answer: Windows 8


Question: Which United States law enables location-based communications such as GPS information to be collected?

Answer Choices:
- Telecommunications Act
- Federal Privacy Act
- Computer Security Act
- Wireless Communications and Public Safety Act

Answer: Wireless Communications and Public Safety Act


Question: Which type of storage media is resistant to shock, scratching, stretching, and wearing out over time?

Answer Choices:
- Optical media
- Magnetic media
- USB flash drive
- Digital audio tapes

Answer: USB flash drive


Question: A forensic specialist is about to collect digital evidence from a suspect’s computer hard drive. The computer is off. What should be the specialist’s first step?

Answer Choices:
- Turn the computer on and remove any malware
- Carefully review the chain of custody form
- Turn the computer on and photograph the desktop
- Make a forensic copy of the computer’s hard drive

Answer: Make a forensic copy of the computer’s hard drive


Question: Which protection is provided by the Fourth Amendment to the U.S. Constitution?

Answer Choices:
- Protection of right to trial by jury
- Protection of free speech
- Protection of due process
- Protection from illegal search

Answer: Protection from illegal search


Question: The chief financial officer of a small computer company believes an employee is uploading sensitive financial data about the company to a competitor’s website. Which type of forensic analysis should be used to obtain evidence about this leak?

Answer Choices:
- Internet
- Software
- Email
- Disk

Answer: Internet