312-49v10 Practice Test Questions

596 Questions


Topic 1: Exam Pool A

Chris has been called upon to investigate a hacking incident reported by one of his clients.
The company suspects the involvement of an insider accomplice in the attack. Upon
reaching the incident scene, Chris secures the physical area and records the scene using
visual media. He shuts the system down by pulling the power plug so that he does not
disturb the system in any way. He labels all cables and connectors prior to disconnecting
any. What do you think would be the next sequence of events?


A.

Connect the target media; prepare the system for acquisition; Secure the evidence; Copy the media


B.

Prepare the system for acquisition; Connect the target media; copy the media; Secure the evidence


C.

Connect the target media; Prepare the system for acquisition; Secure the evidence; Copy the media


D.

Secure the evidence; prepare the system for acquisition; Connect the target media; copy the media





B.
  

Prepare the system for acquisition; Connect the target media; copy the media; Secure the evidence



E-mail logs contain which of the following information to help you in your investigation? (Choose four.)


A.

user account that was used to send the account


B.

attachments sent with the e-mail message


C.

unique message identifier


D.

contents of the e-mail message


E.

date and time the message was sent





A.
  

user account that was used to send the account



C.
  

unique message identifier



D.
  

contents of the e-mail message



E.
  

date and time the message was sent



To preserve digital evidence, an investigator should ____________________.


A.

Make two copies of each evidence item using a single imaging tool


B.

Make a single copy of each evidence item using an approved imaging tool


C.

Make two copies of each evidence item using different imaging tools


D.

Only store the original evidence item





C.
  

Make two copies of each evidence item using different imaging tools



How many sectors will a 125 KB file use in a FAT32 file system?


A.

32


B.

16


C.

256


D.

25





C.
  

256



When examining a file with a Hex Editor, what space does the file header occupy?


A.

the last several bytes of the file


B.

the first several bytes of the file


C.

none, file headers are contained in the FAT


D.

one byte at the beginning of the file





D.
  

one byte at the beginning of the file



How many bits is the Source Port Number in a TCP header?


A.

16


B.

32


C.

48


D.

64





A.
  

16



What are the security risks of running a "repair" installation for Windows XP?


A.

Pressing Shift+F10 gives the user administrative rights


B.

Pressing Shift+F1 gives the user administrative rights


C.

Pressing Ctrl+F10 gives the user administrative rights


D.

There are no security risks when running the "repair" installation for Windows XP





A.
  

Pressing Shift+F10 gives the user administrative rights



When performing a forensics analysis, what device is used to prevent the system from recording data on an evidence disk?


A.

a write-blocker


B.

a protocol analyzer


C.

a firewall


D.

a disk editor





A.
  

a write-blocker



You are using DriveSpy, a forensic tool, and want to copy 150 sectors where the starting sector is 1709 on the primary hard drive. Which of the following formats correctly specifies these sectors?


A.

0:1000, 150


B.

0:1709, 150


C.

1:1709, 150


D.

0:1709-1858





B.
  

0:1709, 150



What file structure database would you expect to find on floppy disks?


A.

NTFS


B.

FAT32


C.

FAT16


D.

FAT12





D.
  

FAT12



You are called in to assist the police in an investigation involving a suspected drug dealer. The suspect's house was searched by the police after a warrant was obtained, and they located a floppy disk in the suspect's bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you can use to obtain the password?


A.

Limited force and library attack


B.

Brute Force and dictionary Attack


C.

Maximum force and thesaurus Attack


D.

Minimum force and appendix Attack





B.
  

Brute Force and dictionary Attack



After passively scanning the network of the Department of Defense (DoD), you switch over to
active scanning to identify live hosts on their network. DoD is a large organization and
should respond to any number of scans. You start an ICMP ping sweep by sending an IP
packet to the broadcast address. Only five hosts respond to your ICMP pings; definitely not
the number of hosts you were expecting. Why did this ping sweep only produce a few responses?


A.

Only IBM AS/400 will reply to this scan


B.

Only Windows systems will reply to this scan


C.

A switched network will not respond to packets sent to the broadcast address


D.

Only Unix and Unix-like systems will reply to this scan





D.
  

Only Unix and Unix-like systems will reply to this scan



