CHFI EXAMINATION

1. Jessica works as systems administrator for a large electronics firm. She wants to scan her network quickly to detect live hosts by using ICMP ECHO Requests. What type of scan is Jessica going to perform?

2. Which ISO standard enables laboratories to demonstrate that they comply with quality assurance and provide valid results?

3. Which of these Windows utility help you to repair logical file system errors?

4. You have been asked to investigate the possibility of computer fraud in the finance department of a company. It is suspected that a staff member has been committing finance fraud by printing cheques that have not been authorized. You have exhaustively searched all data files on a bitmap image of the target computer, but have found no evidence. You suspect the files may not have been saved. What should you examine next in this case?

5. To preserve digital evidence, an investigator should

6. What can be used to protect a mobile device if a Faraday bag is not available?

7. Where should a investigator search for activities on an SQL database?

8. Forensic Toolkit software is used for

9. During a forensic investigation, a large number of files were collected. The investigator needs to evaluate ownership and accountability of those files. Therefore, he begins to identify attributes such as "author name,” "organization name,” "network name,” or any additional supporting data that is meant for the owner's identification purpose. Which term describes these attributes?

10. What is one method of bypassing a system BIOS password?

11. Which of the following statements pertaining to First Response is true?

12. How many characters long is the fixed-length MD5 algorithm checksum of a critical system file?

13. Jacky encrypts her documents using a password. It is known that she uses her daughter's year of birth as part of the password. Which password cracking technique would be optimal to crack her
password?

14. Printing under a Windows Computer normally requires which one of the following files types to be created?

15. Rule 1002 of Federal Rules of Evidence (US) talks about ?

16. Which federal computer crime law specifically refers to fraud and related activity in connection with access devices like routers?

17. During a forensic investigation, a large number of files were collected. The investigator needs to evaluate ownership and accountability of those files. Therefore, he begins to identify attributes such as "author name,” "organization name,” "network name,” or any additional supporting data that is meant for the owner's identification purpose. which term describes these attributes?

18. When analyzing logs, it is important that the clocks of all the network devices are synchronized.
Which protocol will help in synchronizing these clocks?

19. Adam is thinking of establishing a hospital in the US and approaches John, a software developer to build a site and host it for him on one of the servers, which would be used to store patient health records. He has learned from his legal advisors that he needs to have the server’s log data reviewed and managed according to certain standards and regulations. Which of the following regulations are the legal advisors referring to?

20. What information do you need to recover when searching a victim’s computer for a crime committed with specific e-mail message?

21. What type of malware analysis is Edgar performing?

22. An investigator seized a notebook device installed with a Microsoft Windows OS. Which type of files would support an investigation of the data size and structure in the device?

23. Which of the following should a computer forensics lab used for investigations have?

24. An investigator wants to extract passwords from SAM and System Files. Which tool can the investigator use to obtain a list of users, passwords, and their hashes in this case?

25. Tx1 can format in how many file system ?

26. Which of the following Windows event logs record events related to device drives and hardware changes?

27. You are a digital forensic investigator at a large pharmaceutical company. You are responding to a security incident where you have found a computer on the scene, and you believe the computer contains evidence that is valuable to the case. The computer is running, but the screen is blank. What should you do first?

28. Select the Microsoft Excel extension.

29. What binary coding is used most often for e-mail purposes?

30. Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks?

31. Which of the following methods of mobile device data acquisition captures all the data present on the device, as well as all deleted data and access to unallocated space?

32. Which cloud model allows an investigator to acquire the instance of a virtual machine and initiate the forensics examination process?

33. Ftk imager software is used for:

34. The information security manager at a national legal firm has received several alerts from the intrusion detection system that a known attack signature was detected against the organization’s file server. What should the information security manager do first?

35. Consider a scenario where a forensic investigator is performing malware analysis on a memory dump acquired from a victim’s computer. The investigator uses Volatility Framework to analyze RAM contents; which plugin helps investigator to identify hidden processes or injected code/DLL in the memory dump?

36. You are a forensic investigator who is analyzing a hard drive that was recently collected as evidence. You have been unsuccessful at locating any meaningful evidence within the file system and suspect a drive wiping utility may have been used. You have reviewed the keys within the software hive of the Windows registry and did not find any drive wiping utilities. How can you verify that drive wiping software was used on the hard drive?

37. SO/IEC 17025 is an accreditation for which of the following:

38. An attacker successfully gained access to a remote Windows system and plans to install
persistent backdoors on it. Before that, to avoid getting detected in future, he wants to cover his
tracks by disabling the last-accessed timestamps of the machine. What would he do to achieve
this?

39. As a CHFI professional, which of the following is the most important to your professional reputation?

40. Mac OS file system

41. In TX1 accessory port is write blocked?

42. The MD5 program is used to:

43. Which of the following tools is used to dump the memory of a running process, either
immediately or when an error condition occurs?

44. This organization maintains a database of hash signatures for known software.

45. Which of the following statements is true with respect to SSDs (solid-state drives)?

46. What will the following URL produce in an unpatched IIS Web Server? http://www.thetargetsite.com/scripts/..%co%af../..%co%af../windows/system32/cmd.exe?/c+dir+c:\

47. Right path for print spool

48. Consider a scenario where the perpetrator of a dark web crime has uninstalled Tor browser from their computer after committing the crime. The computer has been seized by law enforcement so they can investigate it for artifacts of Tor browser usage. Which of the following should the investigators examine to establish the use of Tor browser on the suspect machine?

49. When cataloging digital evidence, the primary goal is to

50. Data is striped at a byte level across multiple drives, and parity information is distributed among all member drives. What RAID level is represented here?

51. You are an information security analyst at a large pharmaceutical company. While performing a routine review of audit logs, you have noticed a significant amount of egress traffic to various IP addresses on destination port 22 during off-peak hours. You researched some of the IP addresses and found that many of them are in Eastern Europe. What is the most likely cause of this traffic?

52. The storage location of Recycle Bin for NTFS file systems (Windows Vista and later) is
located at:

53. Robert is a regional manager working in a reputed organization. One day, he suspected a malware attack after unwanted programs started popping up after logging into his computer. The network administrator was called upon to trace out any intrusion on the computer and he/she finds that suspicious activity has taken place within Autostart locations. In this situation, which of the following tools is used by the network administrator to detect any intrusion on a system?

54. When investigating a Windows System, it is important to view the contents of the page or swap file because:

55. Office documents (Word, Excel, PowerPoint) contain a code that allows tracking the MAC, or unique identifier, of the machine that created the document. What is that code called?

56. You are asked to build a forensic lab and your manager has specifically informed you to use copper for lining the walls, ceilings, and floor. What is the main purpose of lining the walls, ceilings, and floor with copper?

57. What value of the "Boot Record Signature" is used to indicate that the boot-loader exists?

58. Amber, a black hat hacker, has embedded a malware into a small enticing advertisement and posted it on a popular ad-network that displays across various websites.

59. POP3 is an Internet protocol used to retrieve emails from a mail server. Through which port does an email client connect with a POP3 server?

60. Identify the location of Recycle Bin in Windows XP system.

61. “No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court” – this principle is advocated by which of the following?

62. On NTFS file system, which of the following tools can a forensic investigator use in order to identify timestamping of evidence files?

63. Maria has executed a suspicious executable file in a controlled environment and wants to see if the file adds/modifies any registry value after execution via Windows Event Viewer. Which of the following event ID should she look for in this scenario?

64. During the course of a corporate investigation, you find that an Employee is committing a crime. Can the Employer file a criminal complaint with Police?

65. Which following forensic tool allows investigator to detect and extract hidden streams on NTFS drive?

66. How many source evidence type is there in the create Disk image option of FTK imager?

67. During an investigation, Noel found a SIM card from the suspect's mobile. The ICCID on the card is 8944245252001451548. What does the first four digits (89 and 44) in the ICCID represent?

68. Windows identifies which application to open a file with by examining which of the following?

69. When analyzing logs, it is important that the clocks of all the network devices are synchronized. Which protocol will help in synchronizing these clocks?

70. What is the path for system logs on a Mac?

71. The Recycle Bin exists as a metaphor for throwing files away, but it also allows a user to retrieve and restore files. Once the file is moved to the Recycle Bin, a record is added to the log file that exists in the Recycle Bin. Which of the following files contains records that correspond to each deleted file in the Recycle bin?

72. Why should you note all cable connections for a computer you want to seize as evidence?

73. Select the image file extension.

74. Smith, a forensic examiner, was analyzing a hard disk image to find and acquire deleted sensitive files. He stumbled upon a $Recycle.Bin folder in the root directory of the disk. Identify the operating system in use.

75. Which of the following tools will allow a forensic investigator to acquire the memory dump of a suspect machine so that it may be investigated on a forensic workstation to collect evidentiary data like processes and Tor browser artifacts?

76. itunes backup default path

77. Which OWASP IoT vulnerability talks about security flaws such as lack of firmware validation, lack of secure delivery and lack of anti-rollback mechanisms on IoT devices?

78. A state department site was recently attacked and all the servers had their disks erased. The incident response team sealed the area and commenced investigation. During evidence collection they came across a zip disks that did not have the standard labeling on it. The incident team ran the disk on an isolated system and found that the system disk was accidentally erased. They decided to call in the FBI for further investigation. Meanwhile, they short listed possible suspects including three summer interns. Where did the incident team go wrong?

79. Edgar is part of the FBI’s forensic media and malware analysis team; he is analyzing a current malware and is conducting a thorough examination of the suspect system, network, and other connected devices. Edgar’s approach is to execute the malware code to know how it interacts with the host system and its impacts on it. He is also using a virtual machine and a sandbox environment. What type of malware analysis is Edgar performing?

80. In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court?

81. Web browsers can store relevant information from user activities. Forensic investigators may retrieve files, lists, access history, cookies, among other digital footprints. Which tool can contribute to this task?

82. An investigator enters the command sqlcmd -S WIN-CQQMK62867E -e -s"," -E as part of collecting the primary data file and logs from a database. What does the "WIN-CQQMK62867E” represent?

83. Before you are called to testify as an expert, what must an attorney do first?

84. The working of the Tor browser is based on which of the following concepts?

85. Tx1 can detect how many file system?

86. Jack is reviewing headers to verify the file format and hopefully find more information of the file. After a careful review of the data chunks through a hex editor; Jack finds the binary value 0xffd8ff. Based on the above information, what type of format is the file/image saved as?

87. E-mail logs contain which of the following information to help you in your investigation?

88. Hackers can gain access to Windows Registry and manipulate user passwords, DNS settings, access rights or others features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (Key) to the following Registry Hive:

89. Which part of the Windows Registry contains the user's password file?

90. Which of the following files stores information about a local Google Drive installation such as User email ID, Local Sync Root Path, and Client version installed?

91. Netstat is a tool for collecting information regarding network connections. It provides a simple view of TCP and UDP connections, and their state and network traffic statistics. Which of the following commands shows you the TCP and UDP network connections, listening ports, and the identifiers?

92. In a FAT32 system, a 123 KB file will use how many sectors?

93. Why would a company issue a dongle with the software they sell?

94. Which layer in the IoT architecture is comprised of hardware parts such as sensors, RFID tags, and devices that play an important role in data collection?

95. The newer Macintosh Operating System is based on:The newer Macintosh Operating System is based on:

96. A cybercriminal is attempting to remove evidence from a Windows computer. He deletes the file evidence1.doc, sending it to Windows Recycle Bin. The cybercriminal then empties the Recycle Bin. After having been removed from the Recycle Bin, what will happen to the data?

97. Can we index data through Forensic Toolkit?

98. Sally accessed the computer system that holds trade secrets of the company where she is employed. She knows she accessed it without authorization and all access (authorized and unauthorized) to this computer is monitored. To cover her tracks, Sally deleted the log entries on this computer. What among the following best describes her action?

99. Which layer in the IoT architecture is comprised of hardware parts such as sensors, RFID tags, and devices that play an important role in data collection?

100. Which option is correct for capturing volatile memory through FTK imager?

101. To understand the impact of a malicious program after the booting process and to collect recent information from the disk partition, an investigator should evaluate the content of the:

102. Which legal document contains a summary of findings and is used to prosecute?

103. Which US law does the interstate or international transportation and receiving of child pornography fall under?

104. What is the name of the Standard Linux Command that is also available as windows application that can be used to create bit-stream images?

105. Place the following in order of volatility from most volatile to the least volatile.

106. An investigator is examining a file to identify any potentially malicious content. To avoid code execution and still be able to uncover hidden indicators of compromise (IOC), which type of examination should the investigator perform:

107. When mounting a forensic image using ftk imager, an examiner can mount in which of the "mount type" ? Choose multiple options

108. Which of the following directory contains the binary files or executables required for system
maintenance and administrative tasks on a Linux system?

109. Which of the following refers to the data that might still exist in a cluster even though the original file has been overwritten by another file?

110. This is original file structure database that Microsoft originally designed for floppy disks. It is written to the outermost track of a disk and contains information about each file stored on the drive.

111. What is the smallest physical storage unit on a hard drive?

112. Cybercriminals sometimes use compromised computers to commit other crimes, which may involve using computers or networks to spread malware or illegal information. Which type of cybercrime stops users from using a device or network, or prevents a company from providing a
software service to its customers?

113. Which of the following statements is true about SQL Server error logs?

114. An investigator enters the command sqlcmd -S WIN-CQQMK62867E -e -s,”" -E as part of collecting the primary data file and logs from a database. What does "WIN-CQQMK62867E" represent?

115. Mounting a forensic image file to your workstation is useful to run antivirus and malware detection detection against the image file

116. An investigator wants to extract passwords from SAM and System Files. Which tool can the investigator use to obtain a list of users, passwords, and their hashes in this case?

117. What is the initial hexadecimal value of a JPEG?

118. Self-monitoring, analysis, and reporting technology (SMART) system is built into hard drives to monitor and report system activity. Which of the following is included in the report generated by SMART?

119. How does RAID 3 store data?

120. When investigating a network that uses DHCP to assign IP addresses, where would you look to determine which system (MAC address) had a specific IP address at a specific time?

121. What command-line tool enables forensic investigator to establish communication between an Android device and a forensic workstation in order to perform data acquisition from the device?

122. Windows identifies which application to open a file with by examining which of the following?

123. Which of the following file system is used by Mac OS X?

124. What happens when a file is deleted by a Microsoft operating system using the FAT file system?

125. Maria has executed a suspicious executable file in a controlled environment and wants to see if the file adds/modifies any registry value after execution via Windows Event Viewer. Which of the following event ID should she look for in this scenario ?

126. Rule 1002 of Federal Rules of Evidence (US) talks about

127. How many destination image type format in ftk imager.

128. When installed on a Windows machine, which port does the Tor browser use to establish a network connection via Tor nodes?

129. The rule of thumb when shutting down a system is to pull the power plug. However, it has certain drawbacks. Which of the following would that be?

130. Mac identifies which application to open a file with by examining which of the following?

131. When you carve an image, recovering the image depends on which of the following skills?

132. Which is a standard procedure to perform during all computer forensics investigations?

133. In a forensic examination of hard drives for digital evidence, what type of user is most likely to have the most file slack to analyze?

134. Malware analysis can be conducted in various manners. An investigator gathers a suspicious executable file and uploads it to VirusTotal in order to confirm whether the file is malicious, provide information about its functionality, and provide information that will allow to produce simple network signatures. What type of malware analysis was performed here?

135. The "filter by File Owner" option that appears when creating an AD1 image file, pulls the owner information from which Windows File?

136. Mark works for a government agency as a cyber-forensic investigator. He has been given the task of restoring data from a hard drive. The partition of the hard drive was deleted by a disgruntled employee in order to hide their nefarious actions. What tool should Mark use to restore the data?

137. A file requires 10 KB space to be saved on a hard disk partition. An entire cluster of 32 KB has been allocated for this file. The remaining, unused space of 22 KB on this cluster will be identified as

138. Microsoft Outlook maintains email messages in a proprietary format in what type of file?

139. A suspect is accused of violating the acceptable use of computing resources as he has visited adult websites and downloaded images. The investigator wants to demonstrate that the suspect did indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie cache. Moreover, he has removed any images he might have downloaded. What can the investigator do to prove the violation? Choose the most feasible option.

140. An investigator needs to perform data acquisition from a storage media without altering its contents to maintain the integrity of the content. The approach adopted by the investigator relies upon the capacity of enabling read-only access to the storage media. Which tool should the investigator integrate into his/her procedures to accomplish this task?

141. Consider a scenario where the perpetrator of a dark web crime has uninstalled Tor browser from their computer after committing the crime. The computer has been seized by law enforcement so they can investigate it for artifacts of Tor browser usage. Which of the following should the investigators examine to establish the use of Tor browser on the suspect machine?

142. To which phase of the computer forensics investigation process does “planning and budgeting of a forensics lab” belong?

143. On an Active Directory network using NTLM authentication, where on the domain controllers are
the passwords stored?

144. Which Model or legislation applies to a holist approach toward any criminal activity as a criminal operation?

145. Which “Standards and Criteria” under SWDGE states that “the agency must use hardware and that software are appropriate and effective for the seizure or examination procedure”?

146. When investigating a system, the forensics analyst discovers that malicious scripts were injected into benign and trusted websites. The attacker used a web application to send malicious code, in the form of a browser side script, to a different end-user. What attack was performed here?

147. Ronald, a forensic investigator, has been hired by a financial services organization to investigate an attack on their MySQL database server, which is hosted on a Windows machine named WINDTRAI83202X. Ronald wants to retrieve information on the changes that have been made to the database. Which of the following files should Ronald examine for this task?

148. Malware analysis can be conducted in various manners. An investigator gathers a suspicious executable file and uploads it to VirusTotal in order to confirm whether the file is malicious, provide information about its functionality, and provide information that will allow to produce simple network signatures. What type of malware analysis was performed here?

149. An investigator is checking a Cisco firewall log that reads as follows:
Aug 21 2019 09:16:44: %ASA-1-106021: Deny ICMP reverse path check from 10.0.0.44 to 10.0.0.33 on interface outside. What does %ASA-1-106021 denote?

150. Is there any option in Forensic Toolkit for backup or restore a image ?