ECCouncil Computer Hacking Forensic Investigator (V9) v11.0 (312-49v9)

Page:    1 / 33   
Total 493 questions

File deletion is a way of removing a file from a computer's file system. What happens when a file is deleted in Windows 7?

  • A. The last letter of a file name is replaced by a hex byte code E5h
  • B. The operating system marks the file's name in the MFT with a special character that indicates that the file has been deleted
  • C. Corresponding clusters in FAT are marked as used
  • D. The computer looks at the clusters occupied by that file and does not make that space available to store a new file


Answer : B

Networks are vulnerable to an attack which occurs due to overextension of bandwidth, bottlenecks, network data interception, etc.
Which of the following network attacks refers to a process in which an attacker changes his or her IP address so that he or she appears to be someone else?

  • A. IP address spoofing
  • B. Man-in-the-middle attack
  • C. Denial of Service attack
  • D. Session sniffing


Answer : A

The evolution of web services and their increasing use in business offers new attack vectors in an application framework. Web services are based on XML protocols such as Web Services Definition Language (WSDL) for describing the connection points, Universal Description, Discovery, and Integration (UDDI) for the description and discovery of Web services, and Simple Object Access Protocol (SOAP) for communication between Web services that are vulnerable to various web application threats. Which of the following layers in the web services stack is vulnerable to fault code leaks?

  • A. Presentation Layer
  • B. Security Layer
  • C. Discovery Layer
  • D. Access Layer


Answer : C

The ARP table of a router comes in handy for investigating network attacks, as the table contains IP addresses associated with the respective MAC addresses.
The ARP table can be accessed using the __________ command in Windows 7.

  • A. C:\arp -a
  • B. C:\arp -d
  • C. C:\arp -s
  • D. C:\arp -b


Answer : A

What document does the screenshot represent?


  • A. Chain of custody form
  • B. Search warrant form
  • C. Evidence collection form
  • D. Expert witness form


Answer : A

Attackers can manipulate variables that reference files with "dot-dot-slash (../)" sequences and their variations such as http://www.juggyboy.com/GET/process.php../../../../../../../../../etc/passwd.
Identify the attack referred to.

  • A. Directory traversal
  • B. SQL Injection
  • C. XSS attack
  • D. File injection


Answer : A

What is a SCSI (Small Computer System Interface)?

  • A. A set of ANSI standard electronic interfaces that allow personal computers to communicate with peripheral hardware such as disk drives, tape drives, CD-ROM drives, printers, and scanners
  • B. A standard electronic interface used between a computer motherboard's data paths or bus and the computer's disk storage devices
  • C. A "plug-and-play" interface, which allows a device to be added without an adapter card and without rebooting the computer
  • D. A point-to-point serial bi-directional interface for transmitting data between computer devices at data rates of up to 4 Gbps


Answer : A

Billy, a computer forensics expert, has recovered a large number of DBX files during the forensic investigation of a laptop. Which of the following email clients can he use to analyze the DBX files?

  • A. Microsoft Outlook
  • B. Microsoft Outlook Express
  • C. Mozilla Thunderbird
  • D. Eudora


Answer : B

Depending upon the jurisdictional areas, different laws apply to different incidents. Which of the following laws is related to fraud and related activity in connection with computers?

  • A. 18 USC 7029
  • B. 18 USC 7030
  • C. 18 USC 7361
  • D. 18 USC 7371


Answer : B

What is a bit-stream copy?

  • A. A bit-stream copy is a bit-by-bit copy of the original storage medium and an exact copy of the original disk
  • B. A bit-stream image is the file that contains the NTFS files and folders of all the data on a disk or partition
  • C. A bit-stream image is the file that contains the FAT32 files and folders of all the data on a disk or partition
  • D. Creating a bit-stream image transfers only non-deleted files from the original disk to the image disk


Answer : A

Network forensics can be defined as the sniffing, recording, acquisition and analysis of the network traffic and event logs in order to investigate a network security incident.

  • A. True
  • B. False


Answer : A

According to US federal rules, to present testimony in a court of law, an expert witness needs to furnish certain information to prove his eligibility. Jason, a qualified computer forensic expert who started practicing two years ago, was denied expert testimony in a computer crime case by the US Court of Appeals for the Fourth Circuit in Richmond, Virginia. Considering the US federal rules, what could be the most appropriate reason for the court to reject Jason's eligibility as an expert witness?

  • A. Jason was unable to furnish documents showing four years of previous experience in the field
  • B. Being a computer forensic expert, Jason is not eligible to present testimony in a computer crime case
  • C. Jason was unable to furnish documents to prove that he is a computer forensic expert
  • D. Jason was not aware of legal issues involved with computer crimes


Answer : A

Syslog is a client/server protocol standard for forwarding log messages across an IP network. Syslog uses ___________ to transfer log messages in a clear text format.

  • A. TCP
  • B. FTP
  • C. SMTP
  • D. POP


Answer : A

Which of the following statements is incorrect when preserving digital evidence?

  • A. Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals
  • B. Verify if the monitor is on, off, or in sleep mode
  • C. Remove the power cable depending on the power state of the computer, i.e., on, off, or in sleep mode
  • D. Turn on the computer and extract Windows event viewer log files


Answer : D

The Network Time Protocol (NTP) is an Internet standard protocol (built on top of TCP/IP) that assures accurate synchronization to the millisecond of computer clock times in a network of computers. Which of the following statements is true for NTP Stratum Levels?

  • A. Stratum-0 servers are used on the network; they are not directly connected to computers which then operate as stratum-1 servers
  • B. Stratum-1 time server is linked over a network path to a reliable source of UTC time such as GPS, WWV, or CDMA transmissions
  • C. A stratum-2 server is directly linked (not over a network path) to a reliable source of UTC time such as GPS, WWV, or CDMA transmissions
  • D. A stratum-3 server gets its time over a network link, via NTP, from a stratum-2 server, and so on


Answer : D
