Question 1

Heather, a computer forensics investigator, is assisting a group of investigators working on a large computer fraud case involving over 20 people. These 20 people, working in different offices, allegedly siphoned off money from many different client accounts. Heather responsibility is to find out how the accused people communicated between each other. She has searched their email and their computers and has not found any useful evidence. Heather then finds some possibly useful evidence under the desk of one of the accused. In an envelope she finds a piece of plastic with numerous holes cut out of it. Heather then finds the same exact piece of plastic with holes at many of the other accused peoples desks. Heather believes that the 20 people involved in the case were using a cipher to send secret messages in between each other. What type of cipher was used by the accused in this case?

Accepted Answer

The piece of plastic with holes is indicative of a grill cipher, where a physical template is used to reveal or conceal parts of a message.

Question 2

Paul is a computer forensics investigator working for Tyler & Company Consultants. Paul has been called upon to help investigate a computer hacking ring broken up by the local police. Paul begins to inventory the PCs found in the hackers hideout. Paul then comes across a PDA left by them that is attached to a number of different peripheral devices. What is the first step that Paul must take with the PDA to ensure the integrity of the investigation?

Accepted Answer

Paul should first photograph and document the peripheral devices to ensure that there is a record of how everything was originally connected, which is crucial for maintaining the integrity of the investigation.

Question 3

A forensics investigator is searching the hard drive of a computer for files that were recently moved to the Recycle Bin. He searches for files in C:\RECYCLED using a command line tool but does not find anything. What is the reason for this?

Accepted Answer

The files in the Recycle Bin are typically hidden, so the investigator must use a command line switch to view hidden files.

Question 4

What must an investigator do before disconnecting an iPod from any type of computer?

Accepted Answer

Before disconnecting an iPod from a computer, it is important to unmount it to ensure that no data is being transferred and to prevent data corruption.

Question 5

What is the slave device connected to the secondary IDE controller on a Linux OS referred to?

Accepted Answer

In Linux, the naming convention for IDE devices is such that the primary master is 'hda', primary slave is 'hdb', secondary master is 'hdc', and secondary slave is 'hdd'.

Question 6

An investigator is searching through the firewall logs of a company and notices ICMP packets that are larger than 65,536 bytes. What type of activity is the investigator seeing?

Accepted Answer

The "Ping of death" attack involves sending malformed or oversized packets, typically ICMP packets, to a target system, which can cause crashes or reboots. ICMP packets larger than 65,536 bytes fit this description.

Question 7

What advantage does the tool Evidor have over the built-in Windows search?

Accepted Answer

Evidor can search slack space, which is an area of the disk that the built-in Windows search does not typically access.

Question 8

The objective of this act was to protect consumers' personal financial information held by financial institutions and their service providers.

Accepted Answer

The Gramm-Leach-Bliley Act (GLBA) is designed to protect consumers' personal financial information held by financial institutions and their service providers.

Question 9

Under confession, an accused criminal admitted to encrypting child pornography pictures and then hiding them within other pictures. What technique did the accused criminal employ?

Accepted Answer

The accused criminal used steganography, which involves hiding data within other files, such as embedding encrypted images within other pictures.

Question 10

John is working on his company policies and guidelines. The section he is currently working on covers company documents; how they should be handled, stored, and eventually destroyed. John is concerned about the process whereby outdated documents are destroyed. What type of shredder should John write in the guidelines to be used when destroying documents?

Accepted Answer

Cross-cut shredders are recommended for destroying documents as they provide a higher level of security by cutting paper into smaller pieces compared to strip-cut shredders.

Question 11

What hashing method is used to password protect Blackberry devices?

Accepted Answer

Blackberry devices use SHA-1 for hashing passwords, which is a cryptographic hash function designed to ensure data integrity.

Question 12

What technique used by Encase makes it virtually impossible to tamper with evidence once it has been acquired?

Accepted Answer

The answer of What technique used by Encase makes it...

Question 13

Jonathan is a network administrator who is currently testing the internal security of his network. He is attempting to hijack a session, using Ettercap, of a user connected to his Web server. Why will Jonathan not succeed?

Accepted Answer

HTTP protocol does not maintain session state, making it difficult to hijack a session using tools like Ettercap.

Question 14

A packet is sent to a router that does not have the packet destination address in its route table. How will the packet get to its proper destination?

Accepted Answer

The "Gateway of last resort" is used by routers to forward packets when there is no specific route for the destination address in the routing table.

Question 15

What layer of the OSI model do TCP and UDP utilize?

Accepted Answer

TCP and UDP operate at the Transport layer of the OSI model, which is responsible for end-to-end communication and data transfer management.

Question 16

When using an iPod and the host computer is running Windows, what file system will be used?

Accepted Answer

When an iPod is used with a Windows computer, it typically uses the FAT32 file system for compatibility with Windows operating systems.

Question 17

What is one method of bypassing a system BIOS password?

Accepted Answer

Removing the CMOS battery can reset the BIOS settings, including the password, as it clears the stored settings in the CMOS memory.

Question 18

Where does Encase search to recover NTFS files and folders?

Accepted Answer

Encase searches the Master File Table (MFT) to recover NTFS files and folders, as the MFT contains metadata about every file and directory on an NTFS file system.

Question 19

If you are concerned about a high level of compression but not concerned about any possible data loss, what type of compression would you use?

Accepted Answer

Lossy compression achieves a high level of compression by allowing some data loss, which is acceptable if data integrity is not a concern.

Question 20

Harold is a web designer who has completed a website for ghttech.net. As part of the maintenance agreement he signed with the client, Harold is performing research online and seeing how much exposure the site has received so far. Harold navigates to google.com and types in the following search. link:www.ghttech.net What will this search produce?

Accepted Answer

The search query "link:www.ghttech.net" is used to find all sites that link to ghttech.net.

Exam 4: EC-Council Certified CISO