Topic 1: Exam Pool A
If you see the files Zer0.tar.gz and copy.tar.gz on a Linux system while doing an investigation, what can you conclude?
A. The system files have been copied by a remote attacker
B. The system administrator has created an incremental backup
C. The system has been compromised using a t0rnrootkit
D. Nothing in particular as these can be operational files
Answer: Nothing in particular as these can be operational files
Law enforcement officers are conducting a legal search for which a valid warrant was obtained. While conducting the search, officers observe an item of evidence for an unrelated crime that was not included in the warrant. The item was clearly visible to the officers and immediately identified as evidence. What is the term used to describe how this evidence is admissible?
A. Plain view doctrine
B. Corpus delicti
C. Locard Exchange Principle
D. Ex Parte Order
Answer: Plain view doctrine
To make sure the evidence you recover and analyze with computer forensics software can be admitted in court, you must test and validate the software. What group is actively providing tools and creating procedures for testing and validating computer forensics software?
A. Computer Forensics Tools and Validation Committee (CFTVC)
B. Association of Computer Forensics Software Manufacturers (ACFSM)
C. National Institute of Standards and Technology (NIST)
D. Society for Valid Forensics Tools and Testing (SVFTT)
Answer: National Institute of Standards and Technology (NIST)
You should make at least how many bit-stream copies of a suspect drive?
A. 1
B. 2
C. 3
D. 4
Answer: 2
Which federal computer crime law specifically refers to fraud and related activity in connection with access devices like routers?
A. 18 U.S.C. 1029
B. 18 U.S.C. 1362
C. 18 U.S.C. 2511
D. 18 U.S.C. 2703
Answer: 18 U.S.C. 1029
You are conducting an investigation of fraudulent claims in an insurance company that involves complex text searches through large numbers of documents. Which of the following tools would allow you to quickly and efficiently search for a string within a file on the bitmap image of the target computer?
A. Stringsearch
B. grep
C. dir
D. vim
Answer: grep
When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used?
A. Passive IDS
B. Active IDS
C. Progressive IDS
D. NIPS
Answer: Active IDS
Study the log given below and answer the following question:
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?
A. Disallow UDP53 in from outside to DNS server
B. Allow UDP53 in from DNS server to outside
C. Disallow TCP53 in from secondaries or ISP server to DNS server
D. Block all UDP traffic
Answer: Disallow UDP53 in from outside to DNS server
When reviewing web logs, you see an entry for "resource not found" in the HTTP status code field. What is the actual error code that you would see in the log for resource not found?
A. 202
B. 404
C. 505
Answer: 404
The ____________________ refers to handing over the results of private investigations to the authorities because of indications of criminal activity.
A. Locard Exchange Principle
B. Clark Standard
C. Kelly Policy
D. Silver-Platter Doctrine
Answer: Silver-Platter Doctrine
You are working in the security department of a law firm. One of the attorneys asks you about the topic of sending fake email because he has a client who has been charged with doing just that. His client alleges that he is innocent and that there is no way for a fake email to actually be sent. You inform the attorney that his client is mistaken, that fake email is a possibility, and that you can prove it. You return to your desk and craft a fake email to the attorney that appears to come from his boss. What port do you send the email to on the company SMTP server?
A. 10
B. 25
C. 110
D. 135
Answer: 25
When a file is deleted by Windows Explorer or through the MS-DOS delete command, the operating system inserts _______________ in the first letter position of the filename in the FAT database.
A. A Capital X
B. A Blank Space
C. The Underscore Symbol
D. The lowercase Greek Letter Sigma (s)
Answer: The lowercase Greek Letter Sigma (s)