312-49v9 Exam Questions - Online Test



Exam Code: 312-49v9 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: ECCouncil Computer Hacking Forensic Investigator (V9)
Certification Provider: EC-Council

Also have 312-49v9 free dumps questions for you:

NEW QUESTION 1

According to US federal rules, to present a testimony in a court of law, an expert witness needs to furnish certain information to prove his eligibility. Jason, a qualified computer forensic expert who has started practicing two years back, was denied an expert testimony in a computer crime case by the US Court of Appeals for the Fourth Circuit in Richmond, Virginia. Considering the US federal rules, what could be the most appropriate reason for the court to reject Jason's eligibility as an expert witness?

  • A. Jason was unable to furnish documents showing four years of previous experience in the field
  • B. Being a computer forensic expert, Jason is not eligible to present testimony in a computer crime case
  • C. Jason was unable to furnish documents to prove that he is a computer forensic expert
  • D. Jason was not aware of legal issues involved with computer crimes

Answer: A

NEW QUESTION 2

What stage of the incident handling process involves reporting events?

  • A. Containment
  • B. Follow-up
  • C. Identification
  • D. Recovery

Answer: C

NEW QUESTION 3

What advantage does the tool Evidor have over the built-in Windows search?

  • A. It can find deleted files even after they have been physically removed
  • B. It can find bad sectors on the hard drive
  • C. It can search slack space
  • D. It can find files hidden within ADS

Answer: C

NEW QUESTION 4

You just passed your ECSA exam and are about to start your first consulting job running security audits for a financial institution in Los Angeles. The IT manager of the company you will be working for tries to see if you remember your ECSA class. He asks about the methodology you will be using to test the company's network. How would you answer?

  • A. IBM Methodology
  • B. Microsoft Methodology
  • C. Google Methodology
  • D. LPT Methodology

Answer: D

NEW QUESTION 5

In a FAT32 system, a 123 KB file will use how many sectors?

  • A. 34
  • B. 25
  • C. 11
  • D. 56
  • E. 246

Answer: E

Explanation:
Assuming 512-byte sectors, 123 x 1024 / 512 = 246 sectors would be needed.

NEW QUESTION 6

You have compromised a lower-level administrator account on an Active Directory network of a small company in Dallas, Texas. You discover Domain Controllers through enumeration. You connect to one of the Domain Controllers on port 389 using ldp.exe. What are you trying to accomplish here?

  • A. Enumerate domain user accounts and built-in groups
  • B. Enumerate MX and A records from DNS
  • C. Establish a remote connection to the Domain Controller
  • D. Poison the DNS records with false records

Answer: A

NEW QUESTION 7

What is the first step that needs to be carried out to investigate wireless attacks?

  • A. Obtain a search warrant
  • B. Identify wireless devices at crime scene
  • C. Document the scene and maintain a chain of custody
  • D. Detect the wireless connections

Answer: A

NEW QUESTION 8

File deletion is a way of removing a file from a computer's file system. What happens when a file is deleted in Windows 7?

  • A. The last letter of a file name is replaced by a hex byte code E5h
  • B. The operating system marks the file's name in the MFT with a special character that indicates that the file has been deleted
  • C. Corresponding clusters in FAT are marked as used
  • D. The computer looks at the clusters occupied by that file and does not make the space available to store a new file

Answer: B

NEW QUESTION 9

You are running known exploits against your network to test for possible vulnerabilities. To test the strength of your virus software, you load a test network to mimic your production network. Your software successfully blocks some simple macro and encrypted viruses. You decide to really test the software by using virus code where the code rewrites itself entirely and the signatures change from child to child, but the functionality stays the same. What type of virus is this that you are testing?

  • A. Oligomorphic
  • B. Transmorphic
  • C. Polymorphic
  • D. Metamorphic

Answer: D

NEW QUESTION 10

Why should you never power on a computer that you need to acquire digital evidence from?

  • A. When the computer boots up, files are written to the computer rendering the data "unclean"
  • B. When the computer boots up, the system cache is cleared which could destroy evidence
  • C. When the computer boots up, data in the memory buffer is cleared which could destroy evidence
  • D. Powering on a computer has no effect when needing to acquire digital evidence from it

Answer: A

NEW QUESTION 11

Which legal document allows law enforcement to search an office, place of business, or other locale for evidence relating to an alleged crime?

  • A. Search warrant
  • B. Subpoena
  • C. Wire tap
  • D. Bench warrant

Answer: A

NEW QUESTION 12

A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or network.

  • A. True
  • B. False

Answer: A

NEW QUESTION 13

In Windows 7 system files, which file reads the Boot.ini file and loads Ntoskrnl.exe, Bootvid.dll, Hal.dll, and boot-start device drivers?

  • A. Ntldr
  • B. Gdi32.dll
  • C. Kernel32.dll
  • D. Boot.in

Answer: A

NEW QUESTION 14

What is kept in the following directory? HKLM\SECURITY\Policy\Secrets

  • A. IAS account names and passwords
  • B. Service account passwords in plain text
  • C. Local store PKI Kerberos certificates
  • D. Cached password hashes for the past 20 users

Answer: B

NEW QUESTION 15

How many bits is the Source Port Number in the TCP header?

  • A. 16
  • B. 48
  • C. 32
  • D. 64

Answer: A

NEW QUESTION 16

An "idle" system is also referred to as what?

  • A. PC not connected to the Internet
  • B. PC not being used
  • C. Zombie
  • D. Bot

Answer: C

NEW QUESTION 17

Which device in a wireless local area network (WLAN) determines the next network point to which a packet should be forwarded toward its destination?

  • A. Wireless router
  • B. Wireless modem
  • C. Antenna
  • D. Mobile station

Answer: A

NEW QUESTION 18

A computer forensic report is a report which provides detailed information on the complete forensics investigation process.

  • A. True
  • B. False

Answer: A

NEW QUESTION 19

You are trying to locate Microsoft Outlook Web Access Default Portal using Google search on the Internet. What search string will you use to locate them?

  • A. allinurl:"exchange/logon.asp"
  • B. intitle:"exchange server"
  • C. outlook:"search"
  • D. locate:"logon page"

Answer: A

NEW QUESTION 20

You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents. Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer?

  • A. Stringsearch
  • B. grep
  • C. dir
  • D. vim

Answer: B

NEW QUESTION 21

What information do you need to recover when searching a victim's computer for a crime committed with a specific e-mail message?

  • A. Internet service provider information
  • B. E-mail header
  • C. Username and password
  • D. Firewall log

Answer: B

NEW QUESTION 22

What is the target host IP in the following command? C:\> firewalk -F 80 10.10.150.1 172.16.28.95 -p UDP

  • A. 10.10.150.1
  • B. This command is using FIN packets, which cannot scan target hosts
  • C. Firewalk does not scan target hosts
  • D. 172.16.28.95

Answer: D

NEW QUESTION 23

Which is not a part of environmental conditions of a forensics lab?

  • A. Large dimensions of the room
  • B. Good cooling system to overcome excess heat generated by the work station
  • C. Allocation of workstations as per the room dimensions
  • D. Open windows facing the public road

Answer: D

NEW QUESTION 24

The need for computer forensics is highlighted by an exponential increase in the number of cybercrimes and litigations where large organizations were involved. Computer forensics plays an important role in tracking the cyber criminals. The main role of computer forensics is to:

  • A. Maximize the investigative potential by maximizing the costs
  • B. Harden organization perimeter security
  • C. Document monitoring processes of employees of the organization
  • D. Extract, process, and interpret the factual evidence so that it proves the attacker's actions in the court

Answer: D

NEW QUESTION 25

John is working on his company's policies and guidelines. The section he is currently working on covers company documents; how they should be handled, stored, and eventually destroyed. John is concerned about the process whereby outdated documents are destroyed. What type of shredder should John write in the guidelines to be used when destroying documents?

  • A. Strip-cut shredder
  • B. Cross-cut shredder
  • C. Cross-hatch shredder
  • D. Cris-cross shredder

Answer: B

NEW QUESTION 26

Data files from original evidence should be used for forensics analysis

  • A. True
  • B. False

Answer: B
