EC-Council CHFI QUESTIONS AND ANSWERS ALL CORRECT

Document Content and Description Below

EC-Council CHFI What does the Windows operating system examine to determine which application should be used to open a file? Correct Answer: The file extension Which of the following BEST defin... es the term e-discovery? Correct Answer: A process of producing electronically stored information for use as evidence. A CHFI is engaged by the owner of a privately owned pharmaceutical firm to investigate possible computer abuse by one of the firm's employees. She discovers that the company has never published a Dervis policy stating that they reserve the right to inspect their computing assets at will. Which of the following is her BEST recommendation to the owner? Correct Answer: B. Inform the owner that conducting an investigation without a policy is a violation of the employee's expectation of privacy Which of the following would best prevent contamination of disk-stored digital evidence? Correct Answer: A write blocker You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message? Correct Answer: The e-mail header Which of the following standards is based on a legal precedent regarding the admissibility of scientific examinations or experiments in legal cases? Correct Answer: Frye Standard What is the name of the standard Linux command that can be used to create bit-stream images? Correct Answer: dd During the course of an investigation, you locate evidence that may prove the innocence of the suspect of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding process, therefore you report this evidence. This type of evidence is known as: Correct Answer: Exculpatory evidence In what circumstance would an expert witness be allowed to state an opinion? Correct Answer: C. the opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the ordinary experience of lay jurors Which of following refers to the location of data that might still exist in a cluster even though the original file has been overwritten by another file? Correct Answer: B. Slack space To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software. What group is actively providing tools and creating procedures for testing and validating computer forensics software? Correct Answer: National Institute of Standards and Technology (NIST) What does "message repudiation" refer to in the context De of e-mail investigations? Correct Answer: Message repudiation means a sender can claim they did not actually send a particular message Which of the following BEST defines the term e-discovery? Correct Answer: D. A process of producing electronically stored information for use as evidence. Which of the following file systems is most closely associated with the Mac OS? Correct Answer: A. HFS+ of An investigator uses a process comparing monitored events to a specific attack model to determine whether or not the event qualifies as an intrusion. What is this called? process Correct Answer: A. Signature-based detection When obtaining a search warrant it is important to Correct Answer: C. Particularly describe the place to be searched and particularly describe the items to be seized One technique for hiding information is to change the file extension from the correct one to one that Dennis Thibo might not be noticed by an investigator, such as changing a .jpg extension to a .doc extension so that a picture file appears to be a document. What can an investigator examine to verify that a file has the correct extension? Correct Answer: B. the file header When investigating a Windows system, it is important to view the contents of the page file or swap file because: Correct Answer: C. a large volume of data can exist within the swap file of which the computer user has no knowledge If a file on a hard drive has a size of 2600 bytes, how many sectors are normally allocated to this file? Correct Answer: C. 6 sectors When investigating a security incident involving a Dennis company-owned mobile device, what would the incident responder most likely describe as the most serious violation of the company's security policy requirements? Correct Answer: B. User has modified the default OS of the device You have been asked to perform a live capture of evidence contained in a desktop PC. Which of the following is the best order of analysis? Correct Answer: C. RAM, HDD, backup tape You have used a newly released forensic investigation tool, which does not meet the Daubert Test, during a case. The case goes to court. What argument could the defense make to weaken case? your Correct Answer: The tool has not been reviewed and accepted by your peers While investigating an data breach, you notice that a user from the building maintenance department is a member of the Domain Administrators in Active Directory, and the group account was used to access sensitive data. Which of the following does this indicate? Correct Answer: C. Privilege escalation A forensic practitioner is reviewing the process performed for the protection of digital evidence. Which of the following findings should be of MOST concern? Correct Answer: C. There are no logs documenting the transportation of evidence Which organization is well known for its online collection of digital foren [Show More]

Last updated: 1 year ago

Preview 1 out of 6 pages