Topic 1: Exam Pool A
It takes _____________ mismanaged case/s to ruin your professional reputation as a computer forensics examiner?
A. by law, three
B. quite a few
C. only one
D. at least two
Answer: only one
What will the following command accomplish?
A. Test ability of a router to handle over-sized packets
B. Test the ability of a router to handle under-sized packets
C. Test the ability of a WLAN to handle fragmented packets
D. Test the ability of a router to handle fragmented packets
Answer: Test ability of a router to handle over-sized packets
A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you are required to infer only what is explicit in the excerpt.
(Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)
03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111
TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23678634 2878772
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111
UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84
Len: 64
01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ................
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................
00 00 00 11 00 00 00 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773
UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104
Len: 1084
47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8
A. The attacker has conducted a network sweep on port 111
B. The attacker has scanned and exploited the system using Buffer Overflow
C. The attacker has used a Trojan on port 32773
D. The attacker has installed a backdoor
Answer: The attacker has conducted a network sweep on port 111
In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?
A. one who has NTFS 4 or 5 partitions
B. one who uses dynamic swap file capability
C. one who uses hard disk writes on IRQ 13 and 21
D. one who has lots of allocation units per block or cluster
Answer: one who has lots of allocation units per block or cluster
Windows identifies which application to open a file with by examining which of the following?
A. The file extension
B. The file attributes
C. The file signature at the end of the file
D. The file signature at the beginning of the file
Answer: The file extension
The MD5 program is used to:
A. wipe magnetic media before recycling it
B. make directories on an evidence disk
C. view graphics files on an evidence drive
D. verify that a disk is not altered when you examine it
Answer: verify that a disk is not altered when you examine it
After passing her CEH exam, Carol wants to ensure that her network is completely secure. She implements a DMZ, stateful firewall, NAT, IPSEC, and a packet filtering firewall. Since all security measures were taken, none of the hosts on her network can reach the Internet. Why is that?
A. Stateful firewalls do not work with packet filtering firewalls
B. NAT does not work with stateful firewalls
C. IPSEC does not work with packet filtering firewalls
Printing under a Windows computer normally requires which one of the following file types to be created?
A. EME
B. MEM
C. EMF
D. CME
Answer: EMF
When examining the log files from a Windows IIS Web Server, how often is a new log file created?
A. the same log is used at all times
B. a new log file is created every day
C. a new log file is created each week
D. a new log is created each time the Web Server is started
Answer: the same log is used at all times
You are working as a Computer Forensics investigator and are called by the owner of an accounting firm to investigate possible computer abuse by one of the firm’s employees. You meet with the owner of the firm and discover that the company has never published a policy stating that they reserve the right to inspect their computing assets at will. What do you do?
A. Inform the owner that conducting an investigation without a policy is not a problem because the company is privately owned
B. Inform the owner that conducting an investigation without a policy is a violation of the 4th amendment
C. Inform the owner that conducting an investigation without a policy is a violation of the employee’s expectation of privacy
D. Inform the owner that conducting an investigation without a policy is not a problem because a policy is only necessary for government agencies
Answer: Inform the owner that conducting an investigation without a policy is a violation of the employee’s expectation of privacy
George is a senior security analyst working for a state agency in Florida. His state's congress just passed a bill mandating every state agency to undergo a security audit annually. After learning what will be required, George needs to implement an IDS as soon as possible before the first audit occurs. The state bill requires that an IDS with a "time-based induction machine" be used.
What IDS feature must George implement to meet this requirement?
A. Signature-based anomaly detection
B. Pattern matching
C. Real-time anomaly detection
D. Statistical-based anomaly detection
Answer: Real-time anomaly detection
Before you are called to testify as an expert, what must an attorney do first?
A. engage in damage control
B. prove that the tools you used to conduct your examination are perfect
C. read your curriculum vitae to the jury
D. qualify you as an expert witness
Answer: qualify you as an expert witness