E-mail administrators may make use of , which overwrites a log file when it reaches a specified size or at the end of a specified time frame

E-mail administrators may make use of , which overwrites a log file when it reaches a specified size or at the end of a specified time frame

a. log recycling
b. circular logging
c. log purging
d. log cycling

Answer: B

The utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook

The  utility can be used to repair .ost and .pst files, and is included with Microsoft Outlook

a. fixmail.exe
b. scanpst.exe
c. repairpst.exe
d. rebuildpst.exe

Answer: B

What command below could be used on a UNIX system to help locate log directories

What command below could be used on a UNIX system to help locate log directories

a. show log
b. detail
c. search
d. find

Answer: D

The term "via Frontend Transport" in a header indicates that the e-mail is on which of the following

The term "via Frontend Transport" in a header indicates that the e-mail is on which of the following

a. UNIX server
b. Older NetWare Server
c. Microsoft Exchange Server
d. Mac Server

Answer: C

Sendmail uses which file for instructions on processing an e-mail message

Sendmail uses which file for instructions on processing an e-mail message

a. sendmail.cf
b. syslogd.conf
c. mese.ese
d. mapi.log

Answer: A

When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do

When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do

a. Search available log files for any forwarded messages
b. Restore the e-mail server from a backup
c. Check the current database files for an existing copy of the email
d. Do nothing because after the file has been deleted, it can no longer be recovered.

Answer: B

Which of the following types of files can provide useful information when you're examining an e-mail server

Which of the following types of files can provide useful information when you're examining an e-mail server

a. .dbf files
b. .emx files
c. .log files
d. .slf files

Answer: C

What information is _NOT_ in an e-mail header (Choose all that apply)

What information is _NOT_ in an e-mail header (Choose all that apply)

a. Blind copy (Bcc) addresses
b. Internet addresses
c. Domain name
d. Contents of the message
e. Type of e-mail server used to send the email

Answer: A & D.

On a Unix-like system, which file specifies where to save different types of e-mail log files

On a Unix-like system, which file specifies where to save different types of e-mail log files

a. maillog
b. /var/spool/log
c. syslog.conf
d. log

Answer: C

Logging options on many email servers can be:

Logging options on many email servers can be:

a. Disabled by the administrator
b. Set up in a circular logging configuration
c. Configured to a specified size before being overwritten
d. All of the above

Answer: D

Router logs can be used to verify what types of email data

Router logs can be used to verify what types of email data

a. Message content
b. Content of Attached files
c. Tracking flows through e-mail server ports
d. Finding blind copies

Answer: C

To trace an IP address in an email header, what type of lookup service can you use (Choose all that apply)

To trace an IP address in an email header, what type of lookup service can you use (Choose all that apply)

a. Intelius Inc's AnyWho online directory
b. Verizon's http://superpages.com
c. A Domain lookup service, such as www.arin.net, www.internic.com.,or ww.whois.net
d. Any Web search engine

Answer: C & D.

When you access your email, what type of computer architecture are you using

When you access your email, what type of computer architecture are you using

a. Mainframe and minicomputers
b. Domain
c. Client/Server
d. None of the above

Answer: C

True/False All email headers contain the same types of information.

True/False All email headers contain the same types of information. 

Answer: True

Which of the following is a current formatting standard for e-mail

Which of the following is a current formatting standard for e-mail

a. SMTP
b. MIME
c. Outlook
d. HTML

Answer: B

Phishing does which of the following

Phishing does which of the following

a. Uses DNS poisoning
b. Lures users with false promises
c. Takes people to fake websites
d. Uses DHCP

Answer: B

When searching a victim's computer for a crime committed with a specific email, what provides information for determining the emails originator (Choose all that apply)

When searching a victim's computer for a crime committed with a specific email, what provides information for determining the emails originator (Choose all that apply)

a. E-mail header
b. Username and password
c. Firewall log
d. All of the above
a. E-mail header

Answer: C

In Microsoft Outlook, what are the email storage files typically found on a client computer

In Microsoft Outlook, what are the email storage files typically found on a client computer

a. .pst and .ost
b. res1.log and res2.log
c. PU020102.db
d. .evolution

Answer: A

What's the main piece of information you look for in an email message you're investigating

What's the main piece of information you look for in an email message you're investigating

a. Sender or receivers e-mail address
b. Originating e-mail domain or IP address
c. Subject line content
d. Message number

Answer: B

E-mail headers contain which of the following information (Choose all that apply.)

E-mail headers contain which of the following information (Choose all that apply.)

a. The sender and receiver e-mail address
b. An ESMTP number or reference number
c. The e-mail servers the message traveled through to reach its destination
d. The IP address of the receiving server
e. All of the above

Answer: E

In a ___ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established connections

In a ___ attack, the attacker keeps asking your server to establish a connection, with the intent of overloading a server with established connections

a. smurf
b. SYN flood
c. spoof
d. ghost

Answer: B

At what layers of the OSI model do most packet analyzers function

At what layers of the OSI model do most packet analyzers function

a. layer 1 or 2
b. layer 2 or 3
c. layer 3 or 4
d. layer 4 or 5

Answer: B

What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses

What utility is best suited to examine e-mail headers or chat logs, or network communication between worms and viruses

a. tcpdump
b. Argus
c. Ngrep
d. Tcpslice

Answer: C

The ___ is the version of Pcap available for Linux based operating systems

The ___ is the version of Pcap available for Linux based operating systems

a. Wincap
b. Libcap
c. Tcpcap
d. Netcap

Answer: B

Select the file below that is used in VirtualBox to create a virtual machine

Select the file below that is used in VirtualBox to create a virtual machine

a. .vdi
b. .vbox
c. .r0
d. ova

Answer: D

What processor instruction set is required in order to utilize virtualization software

What processor instruction set is required in order to utilize virtualization software

a. AMD-VT
b. Intel VirtualBit
c. Virtual Machine Extensions (VMX)
d. Virtual HardwareExtensions (VHX)

Answer: C

What file type below, associated with VMWare, stores VM paging files that are used as RAM for a virtual machine

What file type below, associated with VMWare, stores VM paging files that are used as RAM for a virtual machine

a. .nvram
b. .vmen
c. .vmpage
d. .vmx

Answer: B

In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters

In Windows, what PowerShell cmdlet can be used in conjunction with Get-VM to display a virtual machine's network adapters

a. Slow-NetworkAdapters
b. Query-ipconfig
c. Get-VMNetworkAdapter
d. Dump-Betconfig

Answer: C

The ___ tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffers, and freeware forensics tools

The ___ tool is an updated version of BackTrack, and contains more than 300 tools, such as password crackers, network sniffers, and freeware forensics tools

a. Kali Linux
b. Ubuntu
c. OSForensics
d. Sleuth Kit

Answer: A

The ___ is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to examine

The ___ is a good tool for extracting information from large Libpcap files; you simply specify the time frame you want to examine

a. Tcpdstat
b. Tcpslice
c. Ngrep
d. tcpdump

Answer: B

The tcpdump and Wireshark utilities both use what well known packet capture format

The tcpdump and Wireshark utilities both use what well known packet capture format

a. Netcap
b. Pcap
c. Packetd
d. RAW

Answer: B

Select below the program within the Pstools suite that allows you to run processes remotely

Select below the program within the Pstools suite that allows you to run processes remotely

a. PsService
b. PsPasswd
c. PsRemote
d. PsExec

Answer: D

The ___ command line program is a common way of examining network traffic, which provides records of network activity while it is running, and produce hundreds of thousands of records.

The ___ command line program is a common way of examining network traffic, which provides records of network activity while it is running, and produce hundreds of thousands of records.

a. netstat
b. ls
c. ifconfig
d. tcpdump

Answer: D

The NSA's defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the three modes

The NSA's defense in depth (DiD) strategy contains three modes of protection. Which option below is not one of the three modes

a. People
b. Technology
c. Operations
d. Management

Answer: D

Select below the option that is not common type 1 hypervisor

Select below the option that is not common type 1 hypervisor

a. VMwar vSphere
b. Microsoft Hyper-V
c. Citirix XenServer
d. Oracle VirtualBox

Answer: D

The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version of Ubuntu

The SANS Investigative Forensics Toolkit (SIFT) appliance can currently only be installed on what version of Ubuntu

a. 12.04
b. 13.11
c. 14.04
d. 14.11

Answer: A

In VirtualBox, ___ different types of virtual network adapters are possible, such as AMD and Intel Pro adapters

In VirtualBox, ___ different types of virtual network adapters are possible, such as AMD and Intel Pro adapters

a. 2
b. 4
c. 6
d. 8

Answer: C

What Windows Registry key contains associations for file extensions

What Windows Registry key contains associations for file extensions

a. HKEY_CLASSES_ROOT
b. HKEY_USERS
c. HKEY_LOCAL_MACHINE
d. HKEY_CURRENT_CONFIG

Answer: A

The ___ disk image file format is associated with the VirtualBox hypervisor

The ___ disk image file format is associated with the VirtualBox hypervisor

a. .vmdk
b. .had
c. .vhd
d. .vdi

Answer: D

What virtual machine software supports all Windows and Linux OSs as well as Macintosh and Solaris, and is provided as shareware

What virtual machine software supports all Windows and Linux OSs as well as Macintosh and Solaris, and is provided as shareware

a. KVM
b. Parallels
c. Microsoft Virtual PC
d. VirtualBox

Answer: D

When do zero day attacks occur (Choose all that apply)

When do zero day attacks occur (Choose all that apply)

a. On the day the application or OS is released
b. Before a patch is available
c. Before the vendor is aware of the vulnerability
d. On the day the patch is created

Answer: B

Packet analyzers examine what layers of the OSI model

Packet analyzers examine what layers of the OSI model

a. Layers 2 and 4
b. Layers 4 through 7
c. Layers 2 and 3
d. All layers

Answer: C

True/False Tcpslice can be used to retrieve specific timeframes of packet captures.

True/False Tcpslice can be used to retrieve specific timeframes of packet captures. 

Answer: True

A layered network defense strategy puts the most valuable data where

A layered network defense strategy puts the most valuable data where

a. In the DMZ
b. In the outermost layer
c. In the innermost layer
d. None of the above

Answer: C

Which of the following is a clue that a virtual machine has been installed on a host system ?

Which of the following is a clue that a virtual machine has been installed on a host system ?

a. Network Logs
b. Virtual network adapter
c. Virtualization Software
d. USB Drive

Answer: B

Which Registry key contains associations for file extensions ?

Which Registry key contains associations for file extensions ?

a. HFILE_CLASSES_ROOT
b. HKEY_CLASSES_ROOT
c. HFILE_EXTENSIONS
d. HKEY_CLASSES_FILE

Answer: B

True/False A forensic image of a VM includes all snapshots.

True/False A forensic image of a VM includes all snapshots. 

Answer: True

In VirtualBox, a(n) ______ file contains settings for virtual hard drives.

In VirtualBox, a(n) ______ file contains settings for virtual hard drives.

a. .vox-prev
b. .ovf
c. .vbox
d. .log

Answer: C

Which of the following file extensions are associated with VMware virtual machine

Which of the following file extensions are associated with VMware virtual machine

a. .vmx, .log, and .nvram
b. .vdi, .ova, and .r0
c. .vmx, .r0, and .xml-prev
d. .vbox, .vdi, and .log

Answer: A

You can expect to find a type 2 hypervisor on what type of device (Choose all that apply)

You can expect to find a type 2 hypervisor on what type of device (Choose all that apply)

a. Desktop
b. Smartphone
c. Tablet
d. Network Server
b. Smartphone

Answer: C

Virtual Machine Extension (VMX) are part of which of the following

Virtual Machine Extension (VMX) are part of which of the following

a. Type 1 hypervisors
b. Type 2 hypervisors
c. Intel Virtualized Technology
d. AMD Virtualized Technology

Answer: B

The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but does not list hash values of known illegal files.

The _______________________ maintains a national database of updated file hash values for a variety of OSs, applications, and images, but does not list hash values of known illegal files.

a. Open Hash Database
b. HashKeeper Online
c. National Hashed Software Referenced.
d. National Software Reference Library

Answer: D

A ____________ image file containing software is intended to be bit-stream copied to floppy disks or other external media.

A ____________ image file containing software is intended to be bit-stream copied to floppy disks or other external media.

a. fdisk
b. format
c. dd
d. DiskEdit

Answer: C

The term for detecting and analyzing steganography files is _________________.

The term for detecting and analyzing steganography files is _________________.

a. carving
b. steganology
c. steganalysis
d. steganomics

Answer: C

The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known program files from view and contains the hash values of known illegal files.

The AccessData program has a hashing database, ________________, which is available only with FTK, and can be used to filter known program files from view and contains the hash values of known illegal files.

a. DeepScan Filter
b. Unknown File Filter (UFF)
c. Known File Filter (KFF)
d. FTK Hash Imager

Answer: C

In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely.

In order to aid a forensics investigation, a hardware or software ______________ can be utilized to capture keystrokes remotely.

a. keygrabber
b. keylogger
c. packet capture
d. protocol analyzer

Answer: B

When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented

When performing a static acquisition, what should be done after the hardware on a suspect's computer has been inventoried and documented

a. Inventory and documentation information should be stored on a drive and then the drive should be reformatted.
b. Start the suspect's computer and begin collecting evidence.
c. The hard drive should be removed, if practical, and the system's date and time values should be recorded from the system's CMOS.
d. Connect the suspect's computer to the local network so that up to date forensics utilities can be utilized.

Answer: C

What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords

What technique is designed to reduce or eliminate the possibility of a rainbow table being used to discover passwords

a. salted passwords
b. scrambled passwords
c. indexed passwords
d. master passwords

Answer: A

Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.

Many commercial encryption programs use a technology called _____________, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.

a. key vault
b. key escrow
c. bump key
d. master key

Answer: B

What letter should be typed into DiskEdit in order to mark a good sector as bad

What letter should be typed into DiskEdit in order to mark a good sector as bad

a. M
b. B
c. T
d. D

Answer: B

A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to secure the information contained inside.

A user with programming experience may use an assembler program (also called a __________ ) on a file to scramble bits, in order to secure the information contained inside.

a. compiler
b. shifter
c. macro
d. script

Answer: C

Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its malicious code from antivirus tools.

Typically, anti-virus tools run hashes on potential malware files, but some advanced malware uses ________________ as a way to hide its malicious code from antivirus tools.

a. hashing
b. bit-shifting
c. registry edits
d. slack space

Answer: B

Which option below is not a disk management tool

Which option below is not a disk management tool

a. Partition Magic
b. Partition Master
c. GRUB
d. HexEdit

Answer: D

Within Windows Vista and later, partition gaps are _____________ bytes in length.

Within Windows Vista and later, partition gaps are _____________ bytes in length.

a. 64
b. 128
c. 256
d. 512

Answer: B

Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords:

Select the tool below that does not use dictionary attacks or brute force attacks to crack passwords:

a. Last Bit
b. AccessData PRTK
c. OSForensics
d. Passware

Answer: C

In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer.

In Windows, the ______________ command can be used to both hide and reveal partitions within Explorer.

a. format
b. fdisk
c. grub
d. diskpart

Answer: D

Which of the following file systems can't be analyzed by OSForensics

Which of the following file systems can't be analyzed by OSForensics

a. FAT12
b. Ext2fs
c. HFS+
d. XFS

Answer: D

The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the original description because of unexpected evidence found.

The goal of recovering as much information as possible can result in ________________, in which an investigation expands beyond the original description because of unexpected evidence found.

a. litigation
b. scope creep
c. criminal charges
d. violations

Answer: B

Which password recovery method uses every possible letter, number, and character found on a keyboard

Which password recovery method uses every possible letter, number, and character found on a keyboard

a. rainbow table
b. dictionary attack
c. hybrid attack
d. brute-force attack

Answer: D

In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters

In which file system can you hide data by placing sensitive or incriminating data in free or slack space on disk partition clusters

a. NTFS
b. FAT
c. HFSX
d. Ext3fs

Answer: B

What format below is used for VMware images

What format below is used for VMware images

a. .vhd
b. .vmdk
c. .s01
d. .aff

Answer: B

True/False Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific les or sectors.

True/False Advanced hexadecimal editors offer many features not available in digital forensics tools, such as hashing specific les or sectors. 

Answer: True

True/False In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant.

True/False In private sector cases, like criminal and civil cases, the scope is always defined by a search warrant.

Answer: False

True/False The advantage of recording hash values is that you can determine whether data has changed. Answer: True

True/False The advantage of recording hash values is that you can determine whether data has changed.

Answer: True

True/False One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court.

True/False One of the most critical aspects of digital forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court.

Answer: True

True/False Because attorneys do not have the right of full discovery of digital evidence, it is not possible for new evidence to come to light while complying with a defense request for full discovery.

True/False Because attorneys do not have the right of full discovery of digital evidence, it is not possible for new evidence to come to light while complying with a defense request for full discovery.

Answer: False

Block-wise hashing has which of the following benefits for forensics examiners

Block-wise hashing has which of the following benefits for forensics examiners

Answer: Provides a method for hashing sectors of a known good file that can be used to search for data remnants on a suspect's drive.

If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords

If an application uses salting when creating passwords, what concerns should a forensics examiner have when attempting to recover passwords

Answer: Salting can make password recovery extremely difficult and time consuming.

True/False The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length.

True/False The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. 

Answer: True

Rainbow tables serve what purpose for digital forensics examinations

Rainbow tables serve what purpose for digital forensics examinations

Answer: Rainbow tables contain computed hashes of possible passwords that some password- recovery programs can use to crack passwords.

In steganalysis, cover-media is which of the following

In steganalysis, cover-media is which of the following

Answer: The file a steganalysis tool uses to host a hidden message, such as a JPEG or an MP3 file

The National Software Reference Library provides what type of resources for digital forensics examiners.

The National Software Reference Library provides what type of resources for digital forensics examiners.

Answer: A list of MD5 and SHA1 hash values for all known OSs and applications

Steganography is used for which of the following purposes

Steganography is used for which of the following purposes

Answer: Hiding Data

You're using Disk Manager to view primary and extended partitions on a subjects drive. The program reports the extended partitions total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information.

You're using Disk Manager to view primary and extended partitions on a subjects drive. The program reports the extended partitions total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information.

Answer: There's a hidden partition

Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation

Suppose you're investigating an e-mail harassment case. Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation

a. Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly.
b. Criminal investigation because law enforcement agencies have more resources at their disposal
c. Internal corporate investigation because corporate investigators typically have ready access to company records.
d. Internal corporate investigation because ISPs almost always turn over email and access logs when requested by a large corporation

Answer: C

Which forensic image file format creates or incorporates a validation hash value in the image file (Choose all that apply)

Which forensic image file format creates or incorporates a validation hash value in the image file (Choose all that apply)

a. Expert Witness
b. SMART
c. AFF
d. dd

Answer: A, B & C.

The Known File Filter (KFF) can be used for which of the following purposes (Choose all that apply)

The Known File Filter (KFF) can be used for which of the following purposes (Choose all that apply)

a. Filter known program file from view
b. Calculate hash values of image files
c. Compare hash values of known files with evidence files
d. Filter out evidence that doesn't relate to our investigation
a. Filter known program file from view

Answer: D

For which of the following reasons should you wipe a target drive

For which of the following reasons should you wipe a target drive

a. To ensure the quality of digital evidence you acquire
b. To make sure unwanted data isn't retained on the drive
c. neither of the above
d. Both a and b

Answer: D

Which of the following represents known files you can eliminate from an investigation (Choose all that apply)

Which of the following represents known files you can eliminate from an investigation (Choose all that apply)

a. Any graphics files
b. Files associated with an application
c. System files the OS uses
d. Any files pertaining to the company
b. Files associated with an application

Answer: C