CHFI v3 Sample Test Questions

1. Who made the first recorded study of fingerprints?
A. Francis Galton *
B. Hans Gross
C. Benjamin Franklin
D. Francis Eghart

2. Computer Forensics focuses on which three categories of data? (Select 3)
A. Latent Data *
B. Archival Data *
C. Active Data *
D. Passive Data
E. Inactive Data

3. When is it appropriate to use computer forensics?
A. If copyright and intellectual property theft/misuse has occurred *
B. If employees do not care for their boss' management techniques
C. If sales drop off for no apparent reason for an extended period of time
D. If a financial institution is burglarized by robbers

4. In corporate investigations, what is the most common type of crime found?
A. Industrial espionage *
B. Copyright infringement
C. Physical theft
D. Denial of Service attacks

5. Which Amendment in the US Constitution protects every person from unreasonable searches and seizures by government officials?
A. The 4th Amendment *
B. The 5th Amendment
C. The 1st Amendment
D. The 10th Amendment

6. Under United States Penal Code 18 U.S.C 1831 for Economic Espionage, what is the maximum fine allowed by law?
A. $10,000,000 USD *
B. $1,000,000 USD
C. $100,000 USD
D. $5,000,000 USD

7. What prompted the US Patriot Act to be created?
A. World Trade Center attack in 2001 *
B. Oklahoma City bombing in 1995
C. World Trade Center attack in 1993
D. Iraqi invasion of Kuwait in 1990

8. For computer crimes in the United States, which two agencies share jurisdiction for computer crimes that cross state lines? (Select 2)
A. FBI *
B. ATF
C. Secret Service *
D. NSA

9. What command can be used to view the current network connections on a computer?
A. Netstat *
B. Xcopy
C. Arp
D. Dir /p
E. Finger

10. What method of copying should always be performed first before carrying out an investigation?
A. Bit-stream copy *
B. Parity-bit copy
C. Parity-stream copy

11. What must be obtained before an investigation is carried out at a location?
A. Search warrant *
B. Subpoena
C. Habeas corpus
D. Modus operandi

12. Why should you never power on a computer that you need to acquire digital evidence from?
A. When the computer boots up, files are written to the computer rendering the data "unclean" *
B. When the computer boots up, the system cache is cleared which could destroy evidence
C. When the computer boots up, data in the memory's buffer is cleared which could destroy evidence
D. Powering on a computer has no effect when needing to acquire digital evidence from it

13. Why would a company issue a dongle with the software they sell?
A. To provide copyright protection *
B. To provide wireless functionality with the software
C. To provide source code protection
D. To ensure that keyloggers cannot be used

14. What is the first step taken in an investigation for laboratory forensic staff members?
A. Securing and evaluating the electronic crime scene *
B. Transporting the electronic evidence
C. Packaging the electronic evidence
D. Conducting preliminary interviews

15. When marking evidence that has been collected with the "aaa/ddmmyy/nnnn/zz" format, what does the "nnnn" denote?
A. The sequential number of the exhibits seized *
B. The sequence number for the parts of the same exhibit
C. The initials of the forensics analyst
D. The year the evidence was taken

16. When discussing the chain of custody in an investigation, what does a "link" refer to?
A. Someone that takes possession of a piece of evidence *
B. Evidence that links one piece of evidence to another, like a USB cable
C. The most critical piece of evidence in an investigation
D. The transportation used when moving evidence

17. What is one method of detecting a computer-related incident?
A. Gaps in the firewall log with no activity, when there is normally activity *
B. Numerous successful login attempts
C. Seeing spikes in network activity throughout the workday
D. Hard drive failure on a SQL server machine

18. In handling computer-related incidents, which IT role should be responsible for recovery, containment, and prevention to constituents?
A. Network Administrator *
B. Security Administrator
C. Director of Information Technology
D. Director of Administration

19. What stage of the incident handling process involves reporting events?
A. Identification *
B. Containment
C. Follow-up
D. Recovery

20. Which category of incidents can be handled within one working day?
A. Low level incident *
B. Mid level incident
C. High level incident
D. All incidents should be handled immediately after their detection

21. Paraben's Lockdown device uses which operating system to write hard drive data?
A. Windows *
B. Red Hat
C. Mac OS
D. Unix

22. What is stored in a StrongHold bag?
A. Wireless cards *
B. Hard drives
C. Backup tapes
D. PDAs

23. Why does Computer Forensic Labs, Inc. not recommend that companies search for evidence themselves?
A. Searching can change date/time stamps *
B. Searching could possibly crash the machine or device
C. Searching creates cache files which would hinder the investigation
D. Computer Forensic Labs, Inc. does not make this recommendation

24. How many entrances are recommended for a computer forensics lab?
A. One *
B. Two
C. Three
D. Four

25. What is the smallest physical storage unit on a hard drive?
A. Sector *
B. Cluster
C. Track
D. Platter

26. When operating systems mark a cluster as used but not allocated, the cluster is considered what?
A. Lost *
B. Bad
C. Corrupt
D. Unallocated

27. Given the drive dimensions as follows and assuming a sector has 512 bytes, what is the capacity of the described hard drive?
22,164 cylinders/disk
80 heads/cylinder
63 sectors/track
A. 53.26 GB *
B. 57.19 GB
C. 11.17 GB

28. What will the following command accomplish?
dd if=/dev/xxx of=mbr.backup bs=512 count=1
A. Back up the master boot record *
B. Restore the master boot record
C. Mount the master boot record on the first partition of the hard drive
D. Restore the first 512 bytes of the first partition of the hard drive

29. A standard 120 mm CD-ROM will hold up to how much data?
A. 700 MB *
B. 850 MB
C. 550 MB
D. 1.44 GB

30. What is the maximum capacity of a dual-layer blu-ray disc?
A. 50 GB *
B. 27 GB
C. 40 GB
D. 75 GB

31. What hashing method is used to password protect Blackberry devices?
A. SHA-1 *
B. RC5
C. MD5
D. AES

32. For forensic investigative reports, what electronic format should reports be sent in?
A. PDF *
B. TIFF
C. DOC
D. WPD

33. When preparing an investigative report, what sources provide examples of expert witnesses' previous testimonies?
A. Deposition banks *
B. Subpoena banks
C. Court docket banks
D. Testimony banks

34. This type of witness is not considered an expert in a particular field?
A. Lay witness *
B. Material witness
C. Clerk-appointed witness
D. Bonded witness

35. What type of numbering system in an investigative report is used in pleadings?
A. Legal-sequential numbering *
B. Decimal numbering structure
C. Binary-sequential numbering
D. Forensic-sequential numbering

36. In a court of law, who is qualified by the court to address the behavior of the defendant or characteristics of a crime?
A. Victim advocate *
B. Legal counsel for defendant
C. Legal counsel for prosecution
D. No one is qualified

37. This type of testimony is presented by someone who does the actual fieldwork and does not offer a view in court.
A. Technical testimony *
B. Expert testimony
C. Victim advocate testimony
D. Civil litigation testimony

38. When is it appropriate to use a formal checklist in a final report of an investigation?
A. It is never appropriate to use a formal checklist in a final report *
B. It is only appropriate to use a formal checklist in a final report in felony cases
C. It is only appropriate to use a formal checklist in a final report in misdemeanor cases
D. It is always suggested to use a formal checklist in a final report

39. When should an MD5 hash check be performed when processing evidence?
A. Before and after evidence examination *
B. On an hourly basis during the evidence examination
C. Before the evidence examination has been completed
D. After the evidence examination has been completed
