WGU C702 CHFI and OA Question and Answers
Terms in this set (214)
Which of the following is true Computer forensics deals with the process of
... [Show More] regarding computer forensics? finding evidence related to a digital crime to find
the culprits and initiate legal action against them.
Which of the following is NOT a Document vulnerabilities allowing further loss of objective of computer intellectual property, finances, and reputation
forensics? during an attack.
WGU C702 CHFI and OA
An organization's ability to make optimal use of Forensic readiness refers to: digital evidence in a limited time period and with
minimal investigation costs.
Which of the following is NOT a Evidence smaller in size. element of cybercrime?
Which of the following is true Investigators, with a warrant, have the authority to of cybercrimes? forcibly seize the computing devices.
Which of the following is true The initial reporting of the evidence is usually of cybercrimes? informal.
Which of the following is NOT a Value or cost to the victim. consideration during a
cybercrime investigation?
Which of the following is a Address book. user-created source of
potential evidence?
Which of the following is a Swap file. computer-created source of
potential evidence?
Which of the following is NOT Processor. where potential evidence may
be located?
Under which of the following When original evidence is in possession of the conditions will duplicate originator.
WGU C702 CHFI and OA
Upgrade to remove ads Only $3.99/month
Which of the following Federal Rules of Evidence governs
proceedings in the courts of the United States?
Rule 101.
Which of the following Federal Rules of Evidence ensures that the truth may be ascertained
and the proceedings justly determined?
Rule 102.
Which of the following Federal Rules of Evidence contains
rulings on evidence?
Rule 103
WGU C702 CHFI and OA
Which of the following Federal Rules of Evidence states that
the court shall restrict the evidence to its proper scope and instruct the jury
accordingly?
Rule 105
Which of the following refers to a set of methodological
procedures and techniques to identify, gather, preserve,
extract, interpret, document, and present evidence from
computing equipment in such a manner that the discovered evidence is acceptable during a legal and/or administrative
proceeding in a court of law?
Computer Forensics.
Computer Forensics deals with the process of finding _____
related to a digital crime to find the culprits and initiate legal action against them.
Evidence.
Minimizing the tangible and intangible losses to the
organization or an individual is considered an essential computer forensics use.
True.
Cybercrimes can be classified into the following two types of
WGU C702 CHFI and OA
Internal and External.
Espionage, theft of intellectual property, manipulation of records, and trojan horse
attacks are examples of what?
Insider attack or primary attacks.
External attacks occur when
True.
there are inadequate
information-security policies
and procedures.
Upgrade to remove ads Only $3.99/month
Which type of cases involve
disputes between two parties?
Civil.
A computer forensic examiner can investigate any crime as long as he or she takes
detailed notes and follows the appropriate processes.
False.
________ is the standard
investigative model used by the FBI when conducting
investigations against major criminal organizations.
Enterprise Theory of Investigation (ETI).
WGU C702 CHFI and OA
Forensic readiness includes technical and nontechnical actions that maximize an
organization's competence to use digital evidence.
True.
Which of the following is the
Incident Response.
process of developing a
strategy to address the
occurrence of any security
breach in the system or
network?
Digital devices store data
about session such as user and type of connection.
True.
Codes of ethics are the
principles stated to describe the expected behavior of an investigator while handling a
case. Which of the following is NOT a principle that a computer forensic investigator must follow?
Provide personal or prejudiced opinions.
What must an investigator do in order to offer a good report to a court of law and ease the
prosecution?
Preserve the evidence.
What is the role of an expert witness?
To educate the public and court.
WGU C702 CHFI and OA
Which of the following is NOT a First Responder. legitimate authorizer of a
search warrant?
Upgrade to remove ads Only $3.99/month
Under which of the following
Delay in obtaining a warrant may lead to the
circumstances has a court of destruction of evidence and hamper the
law allowed investigators to investigation process.
perform searches without a
warrant?
Which of the following should be considered before planning and evaluating the budget for
the forensic investigation case?
Breakdown of costs into daily and annual expenditure.
Which of the following should be physical location and
structural design considerations for forensics labs?
Lab exteriors should have no windows.
Which of the following should be work area considerations for forensics labs?
Examiner station has an area of about 50-63 square feet.
WGU C702 CHFI and OA
Which of the following is NOT part of the Computer Forensics Investigation Methodology?
Testify as an expert defendant.
Which of the following is NOT part of the Computer Forensics Investigation Methodology?
Destroy the evidence.
Investigators can immediately take action after receiving a report of a security incident.
False.
In forensics laws,
"authenticating or identifying evidences" comes under which rule?
Rule 901.
Courts call knowledgable persons to testify to the
accuracy of the investigative process. These people who tesify are known as the:
Expert witnesses.
A chain of custody is a critical document in the computer forensics investigation process because the document
provides legal validation of
appropriate evidence handling.
True.
WGU C702 CHFI and OA
Identify the following which Computer Forensic Tool Testing Project (CFTTP) was launched by the National
Institute of Standards and Technology (NIST), that
establishes a "methodology for testing computer forensics software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware."
Which of the following is NOT a Quantum storage devices. digital data storage type?
Which of the following is NOT a EFX3 common computer file
system?
Which field type refers to the Number 1 volume descriptor as a
primary?
Which logical drive holds the Extended partition. information regarding the data
and files that are stored in the disk?
How large is the partition table 64-byte. structure that stores
information about the
partitions present on the hard disk?
WGU C702 CHFI and OA
How many bits are used by the 32 bits MBR partition scheme for
storing LBAs (Logical Block Addresses) and the size
information on a 512-byte sector?
in the GUID Partition Table, LBA 2 which Logical Block Address
contains the Partition Entry Array?
Which of the following Warm booting. describes when the user
restarts the system via the operating system?
Which Windows operating Windows 8. system power on and starts up
using either the traditional BIOS-MBR method or the newer UEFI-GPT method?
Upgrade to remove ads Only $3.99/month
WGU C702 CHFI and OA
Which item describes the PEI (Pre-EFI Initialization) Phase. following UEFI boot process
phase?
The phase of EFI consisting of initializing the CPU, temporary memory, and boot firmware volume (BFV); locating and executing the chapters to
initialize all the found hardware in the system; and creating a Hand-Off Block List with all found resources interface
descriptors.
Which of the following basic DiskPart. partitioning tools displays
details about the GPT partition tables in Windows OS?
What stage of the Linux boot Bootloader Stage process includes the task of
loading the Linux kernel and optional initial RAM disk?
What component of a typical Boot Sector.
FAT32 file system consists of data that the document
framework uses to get to the volume and utilizes the
framework parcel to stack the working portion documents?
WGU C702 CHFI and OA
Which component of the NTFS Ntfs.sys architecture is a computer
system file driver for NTFS?
What is the name of the Virtual File System (VFS) abstract layer that resides on
top of a complete file system, allows client application to access various file systems, and consists of a dispatching layer and numerous caches?
Which information held by the Revision Level. superblock contains major and
minor items that allow the mounting code to determine whether or not supported
features are available to the file system?
Which file system used in Linux Ext3 was developed by Stephen
Tweedie in 2001 as a journaling file system that improves
reliability of the system?
How many bit values does HFS 16
use to address allocation blocks?
What UFS file system part is Boot blocks. composed of a few blocks in
the partition reserved at the
WGU C702 CHFI and OA
What is a machine readable ASCII language used in major digital
operations, such as sending and receiving emails?
What is JPEG an acronym of? Joint Photographic Experts Group
What is the proprietary PPT Microsoft Office presentation
file extension used in PowerPoint?
Which of the following is an CD/DVD example of optical media?
In sector, addressing _______ Cylinders, Heads, and Sectors (CHS) determines the address of the
individual sector on the disk.
______ is a 128 bit unique Global Unique Identifier (GUID) reference number used as an
identifier in computer software?
Mac OS uses a hierarchical file True. system.
The main advantage of RAID is The system will continue to function without loss of that if a single physical disk data.
fails:
WGU C702 CHFI and OA
The command "fsstat" displays False. the details associated with an
image file.
What is the simplest RAID level RAID 0 that does not involve
redundancy, and fragments the file into the user-defined stripe size of the array?
An investigator may commit Use of correct cables and cabling techniques. some common mistakes while
collecting data from the system that result in the loss of critical evidence. Which of the following is NOT a mistake that investigators commonly make?
In Linux Standard Tools, dd and dcfldd forensic investigators use the
following build-in Linux Commands to copy data from a disk drive:
Because they are always True. changing, the information in
the registers or the processor cache are the most volatile
data.
WGU C702 CHFI and OA
Forensic data duplication True. involves the creation of a file
that has every bit of
information from the source in a raw bit-stream format.
What document is used as a Chain of custody document. written record consisting of all
processes involved in seizure, custody, control, transfer,
analysis, and disposition of physical or electronic evidence?
What is the process of Media sanitization. permanently deleting or
destroying data from storage media?
The process of acquiring Live data acquisition. volatile data from working
computers )locked or in sleep condition) that are already
powered on is:
Which of the following refers Volatile information. to the data stored in the
registries, cache, and RAM of digital devices?
Where are deleted items Drive;\$Recycle.Bin stored on Windows Vista and
later versions of Windows?
WGU C702 CHFI and OA
Where are deleted items Drive:\RECYCLED stored on Windows 98 and
earlier versions of Windows?
Where are deleted items Drive:\RECYCLER stored on the Windows 2000,
XP, and NT versions of Windows?
What is the maximum size limit 3.99GB for the Recycle Bin in Windows
prior to Windows Vista?
Which of the following is NOT a recovering files from a network drive. feature of the Recover My Files
tool?
What tool is used for format EaseUS recovery, unformatting and
recovering deleted files emptied from the Recycle Bin, or data lost due to partition loss or damage, software
crash, virus infection, or
unexpected shutdown and supports hardware RAID
Which tool undeletes and Disk Digger recovers lost files from hard
drives, memory cards, and USB flash drives?
WGU C702 CHFI and OA
Which tool recovers files that Quick Recovery have been lost, deleted,
corrupted, and even deteriorated?
Which tool recovers lost data Total Recall from hard drives, RAID,
photographs, deleted files, iPods, and removable disks connected via FireWire or USB?
Which tool scans the entire Advanced Disk Recovery system for deleted files and
folders and recovers them?
Which tool for MAC recovers Data Rescue 4 files from a crashed or virus-
corrupted hard drive?
Which of the following are Fingerprints frequently left by criminals,
assisting investigators in
understanding the process of crime and the motive behind it, and allowing them to attempt to identify the person(s) who committed it?
WGU C702 CHFI and OA
WGU C702 CHFI and OA
Which of the following Netstat commands is NOT a command
used to determine running processes in Windows?
Which is a completely open Volatility Framework collection of tools,
implemented in Python under the GNU General Public
License, for the extraction of digital artifacts from volatile memory (RAM) samples?
The information about the SAM database file system users is stored in which
file?
The value 0 associated with the Prefetching is disabled. registry entry Enable
Prefetcher tells the system to use which prefetch?
What prefetch does value 1 Application prefetching is enabled. from the registry entry
EnablePrefetcher tell the system to use?
What prefetch does value 2 Boot prefetching is enabled. from the registry entry
EnablePrefetcher tell the system to use?
WGU C702 CHFI and OA
What prefetch does the value 3 Both application and boot prefetching are enabled. from the registry entry
EnablePrefetcher tell the system to use?
What tool enables you to Wevtutil. retrieve information about
event logs and publishers in Windows 10?
Intruders attempting to gain True. remote access to a system try
to find the other systems connected to the network and visible to the compromised system.
________ command is used to ipconfig /all display the network
configuration of the NICs on the system.
Investigators can use Linux dmesg commands to gather necessary
information from the system. Identify the following shell command that is used to
display the kernel ring buffer or information about device
drivers loaded into the kernel.
WGU C702 CHFI and OA
What are the unique Microsoft security ID. identification numbers
assigned to Windows user account for granting user access to particular resources?
In the Windows Event Log File System.evtx internals, the following file is
used to store the Databases related to the system:
Thumbnails of images remain True on computers even after files
are deleted.
What is NOT one of the three Log rotation tiers a log management
infrastructure typically comprises?
Which is NOT a log Log generation. management system function?
What is NOT one of the three Log viewing major concerns regarding log
management?
Which is a type of network- Eavesdropping based attack?
Which attack does NOT Denial of service directly lead to unauthorized
WGU C702 CHFI and OA
How can an attacker exploit a Through wired or wireless connections. network?
What is the primary reason for To gain an insight into events that occurred in the forensic investigators to affected devices/network.
examine logs?
Which is true about the It is the backbone for data flow between two
transport layer in the TCP/IP devices in a network. model?
What is an ongoing process Real time analysis that returns results
simultaneously so that the system or operators can respond to attacks
immediately?
Which of the following is an bottleneck internal network vulnerability?
Which attack is specific to Jamming signal attack. wireless networks?
Where can congressional FISMA security standards and
guidelines be found, along with an emphasis for federal
agencies to develop,
document, and implement organization-wide programs for information security?
WGU C702 CHFI and OA
What requires companies that GLBA offer financial products or
services to protect customer information against security threats?
Which of the following HIPAA includes security standards for
health information?
What is the act passed by the SOX
U.S. Congress to protect
investors from the possibility of fraudulent accounting activities by corporations?
What is a proprietary PCI DSS information security standard
for organizations that handle cardholder information for major debit, credit, prepaid, e- purse, ATM, and POS cards?
In what type of forensic Postmortem examination do investigators
perform an examination of logs to detect something that has
already occurred in a network/device and determine what it is?
What are the most common AP MAC spoofing network attacks launched
WGU C702 CHFI and OA
WGU C702 CHFI and OA
What layer of web application Business layer architecture is responsible for
the core functioning of the system and includes logic and application, such as .NET, used by developers to build websites according to client requirements?
What layer of web application Database layer architecture is composed of
cloud services that hold all commercial transactions and a server that supplies an
organization's production data in a structured form?
Which web application threat Buffer overflow occurs when the application
fails to guard memory properly and allows writing beyond maximum size?
Which web application threat Cookie poisoning refers to the modification of a
website's remnant data for
bypassing security measures or gaining unauthorized
information?
WGU C702 CHFI and OA
Which web application threat Insecure storage. occurs when an attacker is
allowed to gain access as a legitimate user to a web
application or dad such as account records, credit card numbers, passwords, or other authenticated information?
Which web application threat Information leakage. refers to a drawback in a web
application where it
unintentionally reveals sensitive data to an unauthorized user?
Which web application threat Improper error handling arises when a web application
is unable to handle technical issues properly and the website returns information,
such as database dumps, stack traces, and codes?
Which web application threat Broken account management refers to vulnerable
management functions, including user updates,
recovery of passwords, or resetting passwords?
WGU C702 CHFI and OA
Which web application threat Directory traversal occurs when attackers exploit
HTTP, gain access to
unauthorized directories, and execute commands outside the web server's root directory?
Which web application threat SQL injection occurs when attackers insert
commands via input data and are able to tamper with the
data?
Which web application threat parameter tampering occurs when attackers intend
to manipulate the communication exchanged
between the client and server to make changes in application data?
Which web application threat is Denial of service a method intended to
terminate website or server operations by making resources unavailable to
clients?
Which web application threat Unvalidated input. occurs when attackers tamper
with the URL, HTTP requests, headers, hidden fields, form fields, or query strings? [Show Less]