Topic 1: Exam Pool A
When monitoring for both intrusion and security events between multiple computers, it is essential that the computers' clocks are synchronized. Synchronized time allows an administrator to reconstruct what took place during an attack against multiple computers. Without synchronized time, it is very difficult to determine exactly when specific events took place, and how events interlace. What is the name of the service used to synchronize time among multiple computers?
A. Universal Time Set
B. Network Time Protocol
C. SyncTime Service
D. Time-Sync Protocol
Network Time Protocol
What type of file is represented by a colon (:) with a name following it in the Master File Table of an NTFS disk?
A. A compressed file
B. A Data stream file
C. An encrypted file
D. A reserved file
A Data stream file
You are assisting in the investigation of a possible Web Server Hack. The company that called you stated that customers reported to them that whenever they entered the web address of the company in their browser, what they received was a pornographic web site. The company checked the web server and nothing appears wrong. When you type in the IP address of the web site in your browser everything appears normal. What is the name of the attack that affects the DNS cache of the name resolution servers, resulting in those servers directing users to the wrong web site?
A. ARP Poisoning
B. DNS Poisoning
C. HTTP redirect attack
D. IP Spoofing
DNS Poisoning
You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?
A. The registry
B. The swap file
C. The recycle bin
D. The metadata
The swap file
When using Windows acquisition tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to:
A. Automate Collection from image files
B. Avoid copying data from the boot partition
C. Acquire data from host-protected area on a disk
D. Prevent Contamination to the evidence drive
Prevent Contamination to the evidence drive
What is the target host IP in the following command?
A. 172.16.28.95
B. 10.10.150.1
C. Firewalk does not scan target hosts
D. This command is using FIN packets, which cannot scan target hosts
172.16.28.95
Which is a standard procedure to perform during all computer forensics investigations?
A. With the hard drive removed from the suspect PC, check the date and time in the system's CMOS
B. With the hard drive in the suspect PC, check the date and time in the File Allocation Table
C. With the hard drive removed from the suspect PC, check the date and time in the system's RAM
D. With the hard drive in the suspect PC, check the date and time in the system's CMOS
With the hard drive removed from the suspect PC, check the date and time in the system's CMOS
When cataloging digital evidence, the primary goal is to
A. Make bit-stream images of all hard drives
B. Preserve evidence integrity
C. Not remove the evidence from the scene
D. Not allow the computer to be turned off
Preserve evidence integrity
Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?
A. Only an HTTPS session can be hijacked
B. HTTP protocol does not maintain session
C. Only FTP traffic can be hijacked
D. Only DNS traffic can be hijacked
HTTP protocol does not maintain session
George is performing security analysis for Hammond and Sons LLC. He is testing security vulnerabilities of their wireless network. He plans on remaining as "stealthy" as possible during the scan. Why would a scanner like Nessus not be recommended in this situation?
A. Nessus is too loud
B. Nessus cannot perform wireless testing
C. Nessus is not a network scanner
D. There are no ways of performing a "stealthy" wireless scan
Nessus is too loud
Harold wants to set up a firewall on his network but is not sure which one would be the most appropriate. He knows he needs to allow FTP traffic to one of the servers on his network, but he wants to only allow FTP-PUT. Which firewall would be most appropriate for Harold's needs?
A. Circuit-level proxy firewall
B. Packet filtering firewall
C. Application-level proxy firewall
D. Data link layer firewall
Application-level proxy firewall
John is using Firewalk to test the security of his Cisco PIX firewall. He is also utilizing a sniffer located on a subnet that resides deep inside his network. After analyzing the sniffer log files, he does not see any of the traffic produced by Firewalk. Why is that?
A. Firewalk cannot pass through Cisco firewalls
B. Firewalk sets all packets with a TTL of zero
C. Firewalk cannot be detected by network sniffers
D. Firewalk sets all packets with a TTL of one
Firewalk sets all packets with a TTL of one