Approved 312-49v9 Testing Material 2021

Ucertify offers a free demo for the 312-49v9 exam. "ECCouncil Computer Hacking Forensic Investigator (V9)", also known as the 312-49v9 exam, is an EC-Council certification. This set of posts, Passing the EC-Council 312-49v9 exam, will help you answer those questions. The 312-49v9 Questions & Answers covers all the knowledge points of the real exam. 100% real EC-Council 312-49v9 exams, revised by experts!

NEW QUESTION 1

Volatile memory is one of the leading problems for forensics. Worms such as Code Red are memory resident and do not write themselves to the hard drive; if you turn the system off, they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?

  • A. Use Vmware to be able to capture the data in memory and examine it
  • B. Give the Operating System a minimal amount of memory, forcing it to use a swap file
  • C. Create a Separate partition of several hundred megabytes and place the swap file there
  • D. Use intrusion forensic techniques to study memory resident infections

Answer: AC

NEW QUESTION 2

An "idle" system is also referred to as what?

  • A. PC not connected to the Internet
  • B. PC not being used
  • C. Zombie
  • D. Bot

Answer: C

NEW QUESTION 3

The need for computer forensics is highlighted by an exponential increase in the number of cybercrimes and litigations where large organizations were involved. Computer forensics plays an important role in tracking the cyber criminals. The main role of computer forensics is to:

  • A. Maximize the investigative potential by maximizing the costs
  • B. Harden organization perimeter security
  • C. Document monitoring processes of employees of the organization
  • D. Extract, process, and interpret the factual evidence so that it proves the attacker's actions in the court

Answer: D

NEW QUESTION 4

Ron, a computer forensics expert, is investigating a case involving corporate espionage. He has recovered several mobile computing devices from the crime scene. One piece of evidence that Ron possesses is a Nokia mobile phone that was left switched on. Ron needs to recover the IMEI number of the device to help establish the identity of the device owner. Which of the following key combinations can he use to recover the IMEI number?

  • A. #*06*#
  • B. *#06#
  • C. #06r
  • D. *1MEI#

Answer: B

NEW QUESTION 5

Frank is working on a vulnerability assessment for a company on the West Coast. The company hired Frank to assess its network security through scanning, pen tests, and vulnerability assessments. After discovering numerous known vulnerabilities detected by a temporary IDS he set up, he notices a number of items that show up as unknown but questionable in the logs. He looks up the behavior on the Internet but cannot find anything related. To which organization should Frank submit the log to find out whether it is a new vulnerability?

  • A. CVE
  • B. IANA
  • C. RIPE
  • D. APIPA

Answer: A

NEW QUESTION 6

Kimberly is studying to be an IT security analyst at a vocational school in her town. The school offers many different programming as well as networking languages. What networking protocol language should she learn that routers utilize?

  • A. BPG
  • B. ATM
  • C. OSPF
  • D. UDP

Answer: C

NEW QUESTION 7

Which Intrusion Detection System (IDS) usually produces the most false alarms due to the unpredictable behaviors of users and networks?

  • A. network-based IDS systems (NIDS)
  • B. host-based IDS systems (HIDS)
  • C. anomaly detection
  • D. signature recognition

Answer: C

Explanation:
NIDS and HIDS describe where the sensor is placed (on the network or on a host), not how it decides what is malicious; either can run signature or anomaly analysis. Anomaly detection compares observed behavior against a learned baseline of what is normal, so when user and network behavior is unpredictable the baseline is unreliable and benign deviations get flagged, producing false alarms. Signature recognition only fires on known patterns and therefore produces fewer false positives, at the cost of missing novel attacks. The question's wording ("behaviors") points directly at anomaly detection.

NEW QUESTION 8

On an Active Directory network using NTLM authentication, where on the domain controllers are the passwords stored?

  • A. SAM
  • B. AMS
  • C. Shadow file
  • D. Password.conf

Answer: A

Explanation:
SAM is the answer the exam expects among the options offered. Strictly speaking, on a domain controller the domain account password hashes live in the Active Directory database (NTDS.dit); the local SAM on a DC holds only the Directory Services Restore Mode account. On stand-alone and member machines, local account hashes are stored in the SAM.

NEW QUESTION 9

Which program is the "boot loader" when Windows XP starts up?

  • A. KERNEL.EXE
  • B. NTLDR
  • C. LOADER
  • D. LILO

Answer: B

NEW QUESTION 10

Damaged portions of a disk on which no read/write operation can be performed are known as ____ .

  • A. Lost sector
  • B. Bad sector
  • C. Empty sector
  • D. Unused sector

Answer: B

NEW QUESTION 11

George is the network administrator of a large Internet company on the West Coast. Per corporate policy, none of the employees in the company are allowed to use FTP or SFTP programs without obtaining approval from the IT department. A few managers are using an SFTP program on their computers. Before talking to his boss, George wants to have some proof of their activity. George wants to use Ethereal to monitor network traffic, but only SFTP traffic to and from his network. What filter should George use in Ethereal?

  • A. src port 23 and dst port 23
  • B. src port 22 and dst port 22
  • C. udp port 22 and host 172.16.28.1/24
  • D. net port 22

Answer: B

Explanation:
SFTP runs over SSH, so it uses TCP port 22 and cannot be told apart from interactive SSH sessions by port alone. Note that as a capture filter the expression `src port 22 and dst port 22` only matches packets whose source and destination ports are both 22, which client-to-server traffic does not satisfy (the client side uses an ephemeral port); the filter a practitioner would actually type is `tcp port 22` (or simply `port 22`). B is nevertheless the intended answer among the options offered: 23 is Telnet, SSH is not UDP, and `net port 22` is not valid filter syntax.

NEW QUESTION 12

Preparing an image drive to copy files to is the first step in Linux forensics. For this purpose, what would the following command accomplish? dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror,sync

  • A. Fill the disk with zeros
  • B. Low-level format
  • C. Fill the disk with 4096 zeros
  • D. Copy files from the master disk to the slave disk on the secondary IDE controller

Answer: A

Explanation:
`if=/dev/zero` reads an endless stream of zero bytes, `of=/dev/hda` writes them to the first IDE disk in 4096-byte blocks, and `conv=noerror,sync` keeps going on read errors and pads short blocks. The result is a zero-filled (sterilized) target disk, so anything later found on it must have come from the evidence copy and not from a previous case. There must be no space after the comma in `conv=noerror,sync`; with a space, the `sync` word is parsed as a separate, invalid argument.

NEW QUESTION 13

You set up SNMP in multiple offices of your company. Your SNMP software manager is not receiving data from other offices like it is for your main office. You suspect that firewall changes are to blame. What ports should you open for SNMP to work through firewalls? (Select 2)

  • A. 161
  • B. 162
  • C. 163
  • D. 160

Answer: AB

NEW QUESTION 14

When examining a hard disk without a write-blocker, you should not start windows because Windows will write data to the:

  • A. Recycle Bin
  • B. MSDOS.sys
  • C. BIOS
  • D. Case files

Answer: A

NEW QUESTION 15

When searching through file headers for picture file formats, what should be searched to find a JPEG file in hexadecimal format?

  • A. FF D8 FF E0 00 10
  • B. FF FF FF FF FF FF
  • C. FF 00 FF 00 FF 00
  • D. EF 00 EF 00 EF 00

Answer: A
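The header search in this question is the basis of file carving: scan raw bytes for the JPEG start-of-image marker (FF D8 FF, with FF D8 FF E0 00 10 "JFIF" being the JFIF flavour), then cut at the end-of-image marker FF D9. The following is an added example, not code from the original page or from any forensic product; the "disk dump", its offsets and the two embedded JPEG-style blobs are constructed for the demonstration and are not real picture data. It also goes beyond the question by checking the signatures of PNG and GIF, and by handling a file whose tail has been overwritten.

```python
"""Signature-based carving of JPEG files from a raw byte buffer (e.g. an
unallocated-space dump). Added example; the sample dump below is constructed,
not a real disk image or real picture data."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Magic bytes that identify common picture formats at the start of a file.
MAGIC = {
    "JPEG": b"\xff\xd8\xff",          # SOI marker; FF D8 FF E0 00 10 "JFIF" is the JFIF flavour
    "PNG": b"\x89PNG\r\n\x1a\n",
    "GIF": b"GIF8",                   # GIF87a / GIF89a
}
JPEG_SOI = MAGIC["JPEG"]
JPEG_EOI = b"\xff\xd9"                # end-of-image marker


@dataclass
class CarvedFile:
    offset: int    # byte offset of the file in the source buffer
    data: bytes


def identify_magic(data: bytes) -> Optional[str]:
    """Return the format name whose signature matches the start of data, else None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def is_jfif(data: bytes) -> bool:
    """True for the JFIF variant: FF D8 FF E0, a 2-byte APP0 length, then 'JFIF\\0'."""
    return data[:4] == b"\xff\xd8\xff\xe0" and data[6:11] == b"JFIF\x00"


def app0_length(data: bytes) -> int:
    """Big-endian length field of the APP0 segment (0x0010 = 16 for a plain JFIF header)."""
    if not is_jfif(data):
        raise ValueError("not a JFIF header")
    return int.from_bytes(data[4:6], "big")


def carve_jpegs(buf: bytes, max_size: int = 10 * 1024 * 1024) -> list[CarvedFile]:
    """Carve every candidate JPEG: from each SOI marker to the next EOI marker.
    If no EOI follows within max_size bytes (file partially overwritten), the
    candidate is cut at max_size or at the end of the buffer. Caveat: Exif
    thumbnails carry their own SOI/EOI and would truncate the outer file; a
    production carver walks the segment lengths to skip them (not done here)."""
    results: list[CarvedFile] = []
    pos = 0
    while True:
        start = buf.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = buf.find(JPEG_EOI, start + len(JPEG_SOI))
        if end != -1 and end + len(JPEG_EOI) - start <= max_size:
            stop = end + len(JPEG_EOI)
        else:
            stop = min(start + max_size, len(buf))
        results.append(CarvedFile(start, buf[start:stop]))
        pos = stop
    return results


# Constructed sample: 17 bytes of slack, a JFIF-style JPEG (42 bytes), ASCII junk,
# an Exif-style JPEG whose tail (including the EOI) was overwritten, more junk.
JFIF_BLOB = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\x00" * 20 + JPEG_EOI)
EXIF_BLOB = b"\xff\xd8\xff\xe1\x00\x08Exif\x00\x00" + b"\x11" * 12   # no EOI
SAMPLE_DUMP = b"\x00" * 17 + JFIF_BLOB + b"XYZ" * 5 + EXIF_BLOB + b"\xab" * 9

if __name__ == "__main__":
    for f in carve_jpegs(SAMPLE_DUMP):
        print(f"offset {f.offset:6d}  size {len(f.data):4d}  "
              f"{identify_magic(f.data)}  jfif={is_jfif(f.data)}")
```

Running it reports the JFIF file at offset 17 (42 bytes) and the damaged Exif file at offset 74, carved through to the end of the buffer because no EOI marker follows it. On a real image you would read the unallocated space (or the whole device) into `buf` in chunks and hash each carved file before adding it to the case.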

NEW QUESTION 16

Davidson Trucking is a small transportation company that has three local offices in Detroit Michigan. Ten female employees that work for the company have gone to an attorney reporting that male employees repeatedly harassed them and that management did nothing to stop the problem. Davidson has employee policies that outline all company guidelines, including awareness on harassment and how it will not be tolerated. When the case is brought to court, whom should the prosecuting attorney call upon for not upholding company policy?

  • A. IT personnel
  • B. Employees themselves
  • C. Supervisors
  • D. Administrative assistant in charge of writing policies

Answer: C

NEW QUESTION 17

After passively scanning the network of the Department of Defense (DoD), you switch over to active scanning to identify live hosts on their network. DoD is a large organization and should respond to any number of scans. You start an ICMP ping sweep by sending an IP packet to the broadcast address. Only five hosts respond to your ICMP pings, definitely not the number of hosts you were expecting. Why did this ping sweep only produce a few responses?

  • A. Only IBM AS/400 will reply to this scan
  • B. Only Windows systems will reply to this scan
  • C. Only Unix and Unix-like systems will reply to this scan
  • D. A switched network will not respond to packets sent to the broadcast address

Answer: C

NEW QUESTION 18

Printing under a Windows Computer normally requires which one of the following files types to be created?

  • A. EME
  • B. MEM
  • C. EMF
  • D. CME

Answer: C

NEW QUESTION 19

You are called in to assist the police in an investigation involving a suspected drug dealer. The police searched the suspect's house after a warrant was obtained and they located a floppy disk in the suspect's bedroom. The disk contains several files, but they appear to be password protected. What are two common methods used by password cracking software that you could use to obtain the password?

  • A. Limited force and library attack
  • B. Brute force and dictionary attack
  • C. Maximum force and thesaurus attack
  • D. Minimum force and appendix attack

Answer: B

NEW QUESTION 20

Digital evidence validation involves using a hashing algorithm utility to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a disk drive or file.
Which of the following hash algorithms produces a message digest that is 128 bits long?

  • A. CRC-32
  • B. MD5
  • C. SHA-1
  • D. SHA-512

Answer: B
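The validation step described in this question is routinely done in code: hash the acquired image in chunks (an image rarely fits in RAM), record the digest, and recompute it later to prove the copy is unchanged. The block below is an added example, not code from the original page or from any imaging tool; the evidence bytes are constructed for the demonstration. The string "abc" is used because its MD5 and SHA-1 digests are published test vectors, which gives a known-answer check, and the CRC-32 path is included only to contrast a checksum with the cryptographic hashes in the answer options.

```python
"""Evidence validation by hashing: digest sizes of the listed algorithms and a
chunked verify-after-acquisition check. Added example; the evidence bytes are
constructed for the demonstration, not taken from any real case."""
import hashlib
import hmac
import io
import zlib
from typing import BinaryIO, Dict, Optional, Tuple

_CRC_NAMES = ("crc32", "crc-32")


def digest_bits(algorithm: str) -> int:
    """Output size in bits. CRC-32 is a checksum, not a cryptographic hash, and is
    handled separately because hashlib does not provide it."""
    if algorithm.lower() in _CRC_NAMES:
        return 32
    return hashlib.new(algorithm).digest_size * 8


def hash_stream(stream: BinaryIO, algorithm: str = "sha256",
                chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file-like object read in chunks, so a multi-gigabyte image
    never has to fit in memory. The result is identical to hashing it whole."""
    if algorithm.lower() in _CRC_NAMES:
        value = 0
        for chunk in iter(lambda: stream.read(chunk_size), b""):
            value = zlib.crc32(chunk, value)
        return f"{value & 0xFFFFFFFF:08x}"
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data: bytes, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Convenience wrapper: hash an in-memory buffer through the chunked path."""
    return hash_stream(io.BytesIO(data), algorithm, chunk_size)


def verify_image(stream: BinaryIO, expected_hex: str,
                 algorithm: str = "sha256") -> Tuple[bool, str]:
    """Recompute the digest of an image and compare it with the value recorded at
    acquisition. Returns (matches, actual_hex). compare_digest is constant-time;
    not essential here, but a habit worth keeping for any digest comparison."""
    actual = hash_stream(stream, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.lower()), actual


def verify_bytes(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    return verify_image(io.BytesIO(data), expected_hex, algorithm)[0]


def acquisition_record(data: bytes) -> Dict[str, str]:
    """What an imaging tool stores beside the image: one digest per algorithm."""
    return {alg: hash_bytes(data, alg) for alg in ("crc32", "md5", "sha1", "sha512")}


# Constructed evidence. "abc" has published test-vector digests, which makes a
# known-answer check possible; the larger buffer exercises the chunking.
KNOWN_EVIDENCE = b"abc"
KNOWN_MD5 = "900150983cd24fb0d6963f7d28e17f72"
KNOWN_SHA1 = "a9993e364706816aba3e25717850c26c9cd0d89d"
BIG_EVIDENCE = bytes(range(256)) * 64          # 16 KiB of constructed data

if __name__ == "__main__":
    for alg, digest in acquisition_record(KNOWN_EVIDENCE).items():
        print(f"{alg:7s} {digest_bits(alg):4d} bits  {digest}")
    print("md5 verifies:", verify_bytes(KNOWN_EVIDENCE, KNOWN_MD5, "md5"))
    tampered = KNOWN_EVIDENCE + b"\x00"         # one appended byte breaks the match
    print("md5 verifies after tampering:", verify_bytes(tampered, KNOWN_MD5, "md5"))
```

The digest sizes printed (32, 128, 160 and 512 bits) are the distinction the question tests. MD5 is still widely recorded by imaging tools for compatibility, but because collisions can be manufactured for it, record SHA-256 or SHA-512 alongside it; a single appended byte is enough to make verification fail, which is exactly what the check is for.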

NEW QUESTION 21

What is the following command trying to accomplish? C:> nmap -sU -p445 192.168.0.0/24

  • A. Verify that TCP port 445 is open for the 192.168.0.0 network
  • B. Verify that UDP port 445 is open for the 192.168.0.0 network
  • C. Verify that UDP port 445 is closed for the 192.168.0.0 network
  • D. Verify that NETBIOS is running for the 192.168.0.0 network

Answer: B

NEW QUESTION 22

If you plan to start up a suspect's computer, you must modify the ____ to ensure that you do not contaminate or alter data on the suspect's hard drive by booting to the hard drive.

  • A. deltree command
  • B. CMOS
  • C. Boot.sys
  • D. Scandisk utility
  • E. boot.ini

Answer: B

Explanation:
The boot order is defined in the CMOS (BIOS) settings. If the hard drive is first in the sequence, powering on the machine boots the suspect's own operating system, which writes to the drive (logs, registry, page file, timestamps) and alters the evidence. Set the forensic boot media (floppy, CD or USB) first in the CMOS boot order instead. boot.ini would only apply to a Windows system, and it lives on the suspect's hard drive, so editing it would itself be a modification of the evidence.

NEW QUESTION 23

What layer of the OSI model do TCP and UDP utilize?

  • A. Data Link
  • B. Network
  • C. Transport
  • D. Session

Answer: C

NEW QUESTION 24

Which of the following password cracking techniques works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password?

  • A. Brute forcing attack
  • B. Hybrid attack
  • C. Syllable attack
  • D. Rule-based attack

Answer: B
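Questions 19 and 24 name the three candidate-generation strategies that password recovery tools use: a dictionary pass, a hybrid pass that appends digits and symbols to each dictionary word, and exhaustive brute force. The block below is an added example, not code from the original page or from any cracking tool; the wordlist, the two targets and the SHA-256 hashing of candidates are constructed for the demonstration. Real password-protected files use a format-specific key derivation (the files on the floppy would need the right format handler, as found in John the Ripper or hashcat), but the candidate strategies are the same ones shown here.

```python
"""Dictionary, hybrid and brute-force candidate generation against a constructed
SHA-256 target. Added example; the wordlist and targets are made up for the
demonstration and nothing here comes from a real case."""
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, Optional, Tuple


def crack(target_hex: str, candidates: Iterable[str],
          algorithm: str = "sha256") -> Tuple[Optional[str], int]:
    """Try each candidate in order. Returns (password, attempts) on a hit,
    (None, attempts) when the candidate space is exhausted."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if hashlib.new(algorithm, cand.encode()).hexdigest() == target_hex:
            return cand, attempts
    return None, attempts


def dictionary_candidates(words: Iterable[str]) -> Iterator[str]:
    """Dictionary attack: every word exactly as listed."""
    yield from words


def hybrid_candidates(words: Iterable[str], max_digits: int = 2,
                      symbols: Tuple[str, ...] = ("", "!", "@", "#")) -> Iterator[str]:
    """Hybrid attack: each word (and its capitalised form) followed by up to
    max_digits digits and an optional symbol, e.g. summer -> Summer23!
    Rule choice (digits then symbol) is this example's own, not a tool default."""
    digit_suffixes = [""] + [str(n) for n in range(10 ** max_digits)]
    for word in words:
        for base in (word, word.capitalize()):
            for digits in digit_suffixes:
                for sym in symbols:
                    yield base + digits + sym


def brute_force_candidates(charset: str, max_len: int) -> Iterator[str]:
    """Exhaustive search, shortest strings first: |charset|^1 + ... + |charset|^max_len."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def hybrid_space(word_count: int, max_digits: int = 2, symbol_count: int = 4) -> int:
    """Size of the hybrid keyspace for the given parameters (why hybrid beats
    brute force: it is tiny compared with charset**length)."""
    return word_count * 2 * (1 + 10 ** max_digits) * symbol_count


# Constructed scenario: a short wordlist and two targets whose plaintexts are
# chosen here only so the outcome can be checked.
WORDS = ["password", "summer", "winter", "letmein"]
TARGET_HYBRID = hashlib.sha256(b"summer23!").hexdigest()
TARGET_BRUTE = hashlib.sha256(b"cab").hexdigest()


def run_demo() -> Dict[str, Tuple[Optional[str], int]]:
    """The three strategies against the constructed targets."""
    return {
        "dictionary": crack(TARGET_HYBRID, dictionary_candidates(WORDS)),
        "hybrid": crack(TARGET_HYBRID, hybrid_candidates(WORDS)),
        "brute": crack(TARGET_BRUTE, brute_force_candidates("abc", 3)),
    }


if __name__ == "__main__":
    for mode, (pw, n) in run_demo().items():
        print(f"{mode:10s} -> {pw!r} after {n} attempts")
    print("hybrid keyspace for this wordlist:", hybrid_space(len(WORDS)))
```

The dictionary pass fails after four attempts because "summer" alone is not the password; the hybrid pass recovers "summer23!" after 906 candidates out of a keyspace of 3232, while brute force over the same length-9 string with a full printable charset would be hopeless. That gap is the whole point of the hybrid technique the question describes.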

NEW QUESTION 25

Data compression involves encoding the data to take up less storage space and less bandwidth for transmission. It helps in saving cost and high data manipulation in many business applications. Which data compression technique maintains data integrity?

  • A. Lossless compression
  • B. Lossy compression
  • C. Speech encoding compression
  • D. Lossy video compression

Answer: A

NEW QUESTION 26

You are running through a series of tests on your network to check for any security vulnerabilities. After normal working hours, you initiate a DoS attack against your external firewall. The firewall quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have FTP blocked at the external firewall. What has happened?

  • A. The firewall failed-open
  • B. The firewall failed-closed
  • C. The firewall ACL has been purged
  • D. The firewall failed-bypass

Answer: A

NEW QUESTION 27
......

P.S. Certstest is now offering 100% pass-guaranteed 312-49v9 dumps! All 312-49v9 exam questions have been updated with correct answers: https://www.certstest.com/dumps/312-49v9/ (209 New Questions)