312-49v9 | Leading ECCouncil Computer Hacking Forensic Investigator (V9) 312-49v9 Samples

NEW QUESTION 1

SMTP (Simple Mail Transfer Protocol) receives outgoing mail from clients and validates source and destination addresses, and also sends and receives emails to and from other SMTP servers.

  • A. True
  • B. False

Answer: A

NEW QUESTION 2

What does ICMP Type 3/Code 13 mean?

  • A. Administratively Blocked
  • B. Host Unreachable
  • C. Protocol Unreachable
  • D. Port Unreachable

Answer: A

NEW QUESTION 3

When is it appropriate to use computer forensics?

  • A. If copyright and intellectual property theft/misuse has occurred
  • B. If employees do not care for their boss's management techniques
  • C. If sales drop off for no apparent reason for an extended period of time
  • D. If a financial institution is burglarized by robbers

Answer: A

NEW QUESTION 4

A picture file is recovered from a computer under investigation. During the investigation process, the file is enlarged 500% to get a better view of its contents. The picture quality is not degraded at all from this process. What kind of picture is this file?

  • A. Raster image
  • B. Vector image
  • C. Metafile image
  • D. Catalog image

Answer: B

NEW QUESTION 5

Who is responsible for the following tasks?
• Secure the scene and ensure that it is maintained in a secure state until the Forensic Team advises
• Make notes about the scene that will eventually be handed over to the Forensic Team

  • A. Non-Laboratory Staff
  • B. System administrators
  • C. Local managers or other non-forensic staff
  • D. Lawyers

Answer: A

NEW QUESTION 6

In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?

  • A. one who has NTFS 4 or 5 partitions
  • B. one who uses dynamic swap file capability
  • C. one who uses hard disk writes on IRQ 13 and 21
  • D. one who has lots of allocation units per block or cluster

Answer: D

NEW QUESTION 7

Office documents (Word, Excel, PowerPoint) contain a code that allows tracking the MAC, or unique identifier, of the machine that created the document.
What is that code called?

  • A. the Microsoft Virtual Machine Identifier
  • B. the Personal Application Protocol
  • C. the Globally Unique ID
  • D. the Individual ASCII String

Answer: C

NEW QUESTION 8

You work as an IT security auditor hired by a law firm in Boston to test whether you can gain access to sensitive information about the company clients. You have rummaged through their trash and found very little information. You do not want to set off any alarms on their network, so you plan on performing passive footprinting against their Web servers. What tool should you use?

  • A. Dig
  • B. Ping sweep
  • C. Netcraft
  • D. Nmap

Answer: C

NEW QUESTION 9

When should an MD5 hash check be performed when processing evidence?

  • A. After the evidence examination has been completed
  • B. On an hourly basis during the evidence examination
  • C. Before and after evidence examination
  • D. Before the evidence examination has been completed

Answer: C

NEW QUESTION 10

What is the first sector ("sector zero") of a hard disk?

  • A. Master boot record
  • B. System boot record
  • C. Secondary boot record
  • D. Hard disk boot record

Answer: A

NEW QUESTION 11

As a CHFI professional, which of the following is the most important to your professional reputation?

  • A. Mastered
  • B. Not Mastered

Answer: A

NEW QUESTION 12

You are working as an independent computer forensics investigator and receive a call from a systems administrator for a local school system requesting your assistance. One of the students at the local high school is suspected of downloading inappropriate images from the Internet to a PC in the Computer Lab. When you arrive at the school, the systems administrator hands you a hard drive and tells you that he made a "simple backup copy" of the hard drive in the PC and put it on this drive and requests that you examine the drive for evidence of the suspected images. You inform him that a "simple backup copy" will not provide deleted files or recover file fragments. What type of copy do you need to make to ensure that the evidence found is complete and admissible in future proceedings?

  • A. Bit-stream copy
  • B. Robust copy
  • C. Full backup copy
  • D. Incremental backup copy

Answer: A

NEW QUESTION 13

Area density refers to:

  • A. the amount of data per disk
  • B. the amount of data per partition
  • C. the amount of data per square inch
  • D. the amount of data per platter

Answer: AC

NEW QUESTION 14

Sniffers that place NICs in promiscuous mode work at what layer of the OSI model?

  • A. Network
  • B. Transport
  • C. Physical
  • D. Data Link

Answer: C

NEW QUESTION 15

According to US federal rules, to present a testimony in a court of law, an expert witness needs to furnish certain information to prove his eligibility. Jason, a qualified computer forensic expert who has started practicing two years back, was denied an expert testimony in a computer crime case by the US Court of Appeals for the Fourth Circuit in Richmond, Virginia. Considering the US federal rules, what could be the most appropriate reason for the court to reject Jason's eligibility as an expert witness?

  • A. Jason was unable to furnish documents showing four years of previous experience in the field
  • B. Being a computer forensic expert, Jason is not eligible to present testimony in a computer crime case
  • C. Jason was unable to furnish documents to prove that he is a computer forensic expert
  • D. Jason was not aware of legal issues involved with computer crimes

Answer: A

NEW QUESTION 16

In Microsoft file structures, sectors are grouped together to form:

  • A. Mastered
  • B. Not Mastered

Answer: A

NEW QUESTION 17

What will the following URL produce in an unpatched IIS Web Server? http://www.thetargetsite.com/scripts/..%co%af../..%co%af../windows/system32/cmd.exe?/c+dir+c:

  • A. Directory listing of C: drive on the web server
  • B. Execute a buffer flow in the C: drive of the web server
  • C. Directory listing of the C:\windows\system32 folder on the web server
  • D. Insert a Trojan horse into the C: drive of the web server

Answer: A

NEW QUESTION 18

When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk?

  • A. Write-blocker
  • B. Protocol analyzer
  • C. Firewall
  • D. Disk editor

Answer: A

NEW QUESTION 19

If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?

  • A. The system files have been copied by a remote attacker
  • B. The system administrator has created an incremental backup
  • C. The system has been compromised using a t0rn rootkit
  • D. Nothing in particular as these can be operational files

Answer: C

NEW QUESTION 20

An attack vector is a path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome.

  • A. True
  • B. False

Answer: A

NEW QUESTION 21

An intrusion detection system (IDS) gathers and analyzes information from within a computer or a network to identify any possible violations of security policy, including unauthorized access, as well as misuse.
Which of the following intrusion detection systems audit events that occur on a specific host?

  • A. Network-based intrusion detection
  • B. Host-based intrusion detection
  • C. Log file monitoring
  • D. File integrity checking

Answer: B

NEW QUESTION 22

Why is it important to consider health and safety factors in the work carried out at all stages of the forensic process conducted by the forensic analysts?

  • A. This is to protect the staff and preserve any fingerprints that may need to be recovered at a later date
  • B. All forensic teams should wear protective latex gloves which makes them look professional and cool
  • C. Local law enforcement agencies compel them to wear latest gloves
  • D. It is a part of ANSI 346 forensics standard

Answer: A

NEW QUESTION 23

File signature analysis involves collecting information from the ____ of a file to determine the type and function of the file

  • A. First 10 bytes
  • B. First 20 bytes
  • C. First 30 bytes
  • D. First 40 bytes

Answer: B

NEW QUESTION 24

A data acquisition system is a combination of tools or processes used to gather, analyze and record information about some phenomenon. Different data acquisition systems are used depending on the location, speed, cost, etc. A serial communication data acquisition system is used when the actual location of the data is at some distance from the computer. Which of the following communication standards is used in a serial communication data acquisition system?

  • A. RS422
  • B. RS423
  • C. RS232
  • D. RS231

Answer: C

NEW QUESTION 25

In the context of the file deletion process, which of the following statements holds true?

  • A. When files are deleted, the data is overwritten and the cluster marked as available
  • B. The longer a disk is in use, the less likely it is that deleted files will be overwritten
  • C. While booting, the machine may create temporary files that can delete evidence
  • D. Secure delete programs work by completely overwriting the file in one go

Answer: C

NEW QUESTION 26

You are assisting a Department of Defense contract company to become compliant with the stringent security policies set by the DoD. One such strict rule is that firewalls must only allow incoming connections that were first initiated by internal computers. What type of firewall must you implement to abide by this policy?

  • A. Packet filtering firewall
  • B. Application-level proxy firewall
  • C. Stateful firewall
  • D. Circuit-level proxy firewall

Answer: C

NEW QUESTION 27

The newer Macintosh Operating System (MacOS X) is based on:

  • A. Microsoft Windows
  • B. OS/2
  • C. BSD Unix
  • D. Linux

Answer: C

NEW QUESTION 28

Which table is used to convert huge word lists (i.e. dictionary files and brute-force lists) into password hashes?

  • A. Rainbow tables
  • B. Hash tables
  • C. Master file tables
  • D. Database tables

Answer: A
