312-49v10 Practice Test Questions

596 Questions


Topic 1: Exam Pool A

If a suspect computer is located in an area that may have toxic chemicals, you must:


A. coordinate with the HAZMAT team
B. determine a way to obtain the suspect computer
C. assume the suspect machine is contaminated
D. do not enter alone

A. coordinate with the HAZMAT team



While working for a prosecutor, what do you think you should do if the evidence you found appears to be exculpatory and is not being released to the defense?


A. Keep the information on file for later review
B. Destroy the evidence
C. Bring the information to the attention of the prosecutor, his or her supervisor or finally to the judge
D. Present the evidence to the defense attorney

C. Bring the information to the attention of the prosecutor, his or her supervisor or finally to the judge



In conducting a computer abuse investigation, you become aware that the suspect of the investigation is using ABC Company as his Internet Service Provider (ISP). You contact the ISP and request that they provide you assistance with your investigation. What assistance can the ISP provide?


A. The ISP can investigate anyone using their service and can provide you with assistance
B. The ISP can investigate computer abuse committed by their employees, but must preserve the privacy of their customers and therefore cannot assist you without a warrant
C. The ISP can't conduct any type of investigations on anyone and therefore can't assist you
D. ISPs never maintain log files so they would be of no use to your investigation

B. The ISP can investigate computer abuse committed by their employees, but must preserve the privacy of their customers and therefore cannot assist you without a warrant



What term is used to describe a cryptographic technique for embedding information into something else for the sole purpose of hiding that information from the casual observer?


A. rootkit
B. key escrow
C. steganography
D. Offset

C. steganography



Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM
files on a computer. Where should Harold navigate on the computer to find the file?


A. %systemroot%\system32\LSA
B. %systemroot%\system32\drivers\etc
C. %systemroot%\repair
D. %systemroot%\LSA

C. %systemroot%\repair



Diskcopy is:


A. a utility by AccessData
B. a standard MS-DOS command
C. Digital Intelligence utility
D. dd copying tool

B. a standard MS-DOS command



diskcopy is a STANDARD DOS utility. C:\WINDOWS>diskcopy /? Copies the contents of
one floppy disk to another.

Your company uses Cisco routers exclusively throughout the network. After securing the
routers to the best of your knowledge, an outside security firm is brought in to assess the
network security.
Although they found very few issues, they were able to enumerate the model, OS version,
and capabilities for all your Cisco routers with very little effort. Which feature will you
disable to eliminate the ability to enumerate this information on your Cisco routers?


A. Border Gateway Protocol
B. Cisco Discovery Protocol
C. Broadcast System Protocol
D. Simple Network Management Protocol

B. Cisco Discovery Protocol



When investigating a Windows system, it is important to view the contents of the page or swap file because:


A. Windows stores all of the system's configuration information in this file
B. This is the file that Windows uses to communicate directly with the Registry
C. A large volume of data can exist within the swap file of which the computer user has no knowledge
D. This is the file that Windows uses to store the history of the last 100 commands that were run from the command line

C. A large volume of data can exist within the swap file of which the computer user has no knowledge



One way to identify the presence of hidden partitions on a suspect's hard drive is to:


A. Add up the total size of all known partitions and compare it to the total size of the hard drive
B. Examine the FAT and identify hidden partitions by noting an H in the partition Type field
C. Examine the LILO and note an H in the partition Type field
D. It is not possible to have hidden partitions on a hard drive

A. Add up the total size of all known partitions and compare it to the total size of the hard drive



What does mactime, an essential part of The Coroner's Toolkit, do?


A. It traverses the file system and produces a listing of all files based on the modification, access and change timestamps
B. It can recover deleted file space and search it for data. However, it does not allow the investigator to preview them
C. The tool scans for i-node information, which is used by other tools in the tool kit
D. It is too specific to the Mac OS and forms a core component of the toolkit

A. It traverses the file system and produces a listing of all files based on the modification, access and change timestamps



Frank is working on a vulnerability assessment for a company on the West coast. The company hired Frank to assess its network security through scanning, pen tests, and vulnerability assessments. After discovering numerous known vulnerabilities detected by a temporary IDS he set up, he notices a number of items that show up as unknown but questionable in the logs. He looks up the behavior on the Internet, but cannot find anything related. What organization should Frank submit the log to in order to find out if it is a new vulnerability or not?


A. APIPA
B. IANA
C. CVE
D. RIPE

C. CVE



What type of attack occurs when an attacker can force a router to stop forwarding packets by flooding the router with many open connections simultaneously so that all the hosts behind the router are effectively disabled?


A. digital attack
B. denial of service
C. physical attack
D. ARP redirect

B. denial of service



