FRS

1. What is the full form of DFRWS?
(a) Digital Forensic Research Workshop
(b) Digital Forensic Research Workgroup
(c) Digital Forensics and Research Work
(d) none of above
(a) Digital Forensic Research Workshop


2. A network sniffer program is an example of:
(a) Evidence development tool
(b) Packet collection tool
(c) Packet formatting tool
(d) none of the above
(b) Packet collection tool


3. Items included in a forensic toolkit should include the following except
(a) Screwdrivers
(b) Power cables
(c) Printer
(d) Permanent markers
(c) Printer


4. The evidence custodian should
(a) Give the evidence to the secretary
(b) Place evidence in the storage place
(c) Keep logs of who has the evidence, when was it check out, etc.
(d) Use the evidence for personal use.
(c) Keep logs of who has the evidence, when was it check out, etc.


5. ______________ is forensics applied to information stored or transported on
network.
(a) Information forensics
(b) Data forensics
(c) Computer forensics
(d) Network forensics
(d) Network forensics


6. In ____________ intrusion detection system is a device or application used to inspect all network traffic and alert the user or administrator when there has
been unauthorized attempts or access.
(a) Alert data
(b) Security check
(c) Network security
(d) Traffic control
(c) Network security


7. Which phase is not included in generic process model?
(a) Validation and Discrimination
(b) Collection
(c) Analysis
(d) Investigation
(a) Validation and Discrimination


8. What is full form RMW algorithm?
(a) Ready and moonwalk
(b) Ready modify and write
(c) Random moonwalk
(d) none of the above
(c) Random moonwalk


9. CDE refers to
(a) Comprehensive Digital Evidence
(b) Common Digital Evidence
(c) Common Data Entity
(d) none of the above
(a) Comprehensive Digital Evidence


10. MAC refers to
(a) Medium Access Control
(b) Machine Address Control
(c) Machine Assess Control
(d) none of the above
(d) none of the above -> Media access controll address


ForNet can identify network events like ____
(a) ICMP messages
(b) TCP connection establishment, port scanning
(c) UDP connection establishment
(d) Both TCP and UDP
(b) TCP connection establishment, port scanning


PNFEC stands for ____
(a) Portable network forensic evidence collector
(b) Partial network forensic evidence connector
(c) Portable network forensic evidence connector
(d) Partial network forensic evidence collector
(a) Portable network forensic evidence collector


OpenBSD is ____
(a) Operating system
(b) Programming language
(c) Antivirus
(d) Firewall
(a) Operating system


CAIDA stands for ____
(a) Cooperative association for Internet data analysis
(b) Cooperative activity for Internet data analysis
(c) Cooperative association for Internet data assignment
(d) Cooperative activity for Internet data assignment
(a) Cooperative association for Internet data analysis


Network forensic agents are engines of ____
(a) Data gathering
(b) Data analysis
(c) Help in anti-forensics
(d) Attribution
(a) Data gathering


Marking module performs ____
(a) Identification of outgoing packets
(b) Rejection of automatic events
(c) Identification of malicious activity
(d) Analysis of evidence
(c) Identification of malicious activity


7. Bulk_extractor is ____
(a) Forensic tool
(b) Security tool
(c) Antivirus
(d) Firewall
(a) Forensic tool


PNFEC operates in ____
(a) Two modes
(b) Three modes
(c) Four modes
(d) Five modes
(b) Three modes


GHSOM stands for ____
(a) Growing hierarchical self-organizing method
(b) Growing hierarchical self-organizing market
(c) Growing hash value self-organizing map
(d) Growing hierarchical self-organizing map
(d) Growing hierarchical self-organizing map


Forensic mining of network logs are performed ____
(a) Parallel to the system
(b) In real-time case
(c) After attack had launched
(d) Before attack had launched
(c) After attack had launched


The following tool can be used for capturing network packets:
(a) TCPPump
(b) TCPCopy
(c) TCPDump
(d) TCPCap
(c) TCPDump


The following is an application layer protocol
(a) HTTP
(b) SMTP
(c) BOOTP
(d) All of the above
(d) All of the above


Packet capture file format, pcap is based on a library called
(a) libcap
(b) libc
(c) libpcap
(d) libvmi
(c) libpcap


The advanced file format after pcap is
(a) pcapnext
(b) pcapng
(c) pcapnew
(d) None of the above
(b) pcapng


Mandatory blocks in pcapng file format are
(a) SHB and IDB
(b) SHB and EPB
(c) IDB and NRB
(d) SPB and NRB
(a) SHB and IDB


Recent version of NetFlow is
(a) 7
(b) 9
(c) 5
(d) 10
(a) 7


IPFIX stands for
(a) Internal Protocol Flow Information Export
(b) Internet Protocol Flow Information Export
(c) Internet Protocol Flow Intelligent Export
(d) Internet Protocol Flow Information Expert
(b) Internet Protocol Flow Information Export


NetFlow was developed by
(a) Extreme
(b) Juniper
(c) Cisco
(d) Brocade
(c) Cisco


Template records in a NetFlow record can have values between
(a) 0 and 255
(b) 0 and 10
(c) 0 and 1023
(d) 0 and 127
(a) 0 and 255


Optional blocks in pcapng format
(a) EPB
(b) SPB
(c) NRB
(d) All of the above
(d) All of the above


What is the full form of DBSCAN?
(a) Density-based spatial clustering of application with noise
(b) Database spatial clustering of application with noise
(c) Density-based spatial clustering approach with noise
(d) None of the above
(a) Density-based spatial clustering of application with noise


2. SVM is initially designed for
(a) Multi-class problems
(b) One-class problems
(c) Two-class problems
(d) All of the above
(a) Multi-class problems


3. KNN is a ___________ type of learning.
(a) Supervised
(b) Unsupervised
(c) Semi-supervised
(d) None of the above
(a) Supervised


4. Pruning in decision tree is used to avoid __________
(a) Over-fitting
(b) Complexity
(c) Misclassification
(d) None of these
(a) Over-fitting


5. SOM in neural networks stands for
(a) Self-organizing map
(b) Service-oriented model
(c) Self-organizing model
(d) Statistical-oriented map
(a) Self-organizing map


6. SVM is based on the concept of ____________
(a) Lines
(b) Multidimensional planes
(c) Hyperplanes
(d) Curves
(c) Hyperplanes


7. Which of the following is a clustering technique?
(a) SOM
(b) SVM
(c) Naïve Bayes
(d) K-means
(d) K-means


8. SVM refers to
(a) Support vector model
(b) Support vector machines
(c) Support vector methods
(d) Support vector modules
(b) Support vector machines


9. Who is called the father of original genetic algorithm?
(a) John Holland
(b) Vapnik
(c) Charles Dwain
(d) Martin Easter
(a) John Holland


10. DBSCAN algorithm is proposed for ____________ databases.
(a) Multimedia databases
(b) Temporal database
(c) Geographic data
(d) Spatial databases
(d) Spatial databases


1. The phase is not part of the botnet forensic framework.
(a) Investigation
(b) Identification
(c) Analysis
(d) None of the above
(d) None of the above


2. In botnet forensic attribution model cover.
(a) Malware analysis
(b) Attribution
(c) Acquisition
(d) None of the above
(a) Malware analysis


3. Analysis of botnet forensics not covered.
(a) Static analysis
(b) Run time code
(c) Dynamic analysis
(d) None of the above
(c) Dynamic analysis


4. Which of the following is not a part of the botnet life cycle?
(a) Infection
(b) Invocation
(c) Communication
(d) Attack
(b) Invocation


Which of the following statement is incorrect?
(a) IRC-based botnets are prone to detection due to centralized server.
(b) HTTP-based botnets are prone to detection due to centralized server.
(c) P2P-based botnets are prone to detection due to centralized server.
(d) None of the above
(b) HTTP-based botnets are prone to detection due to centralized server.


. Fast-flux mechanism is used by botnets authors for ________
(a) Ensure the availability botnet service
(b) Make the botnets more resilient
(c) Both A and B options
(d) None of the above options
(c) Both A and B options


Which of the following is/are used for data acquisition?
(a) Honeypots
(b) Sandboxes
(c) Both (A) and (B) options
(d) None of these options
Both (A) and (B) options


Which of the following is part of the botnet forensic framework?
(a) Investigation
(b) Identification
(c) Analysis
(d) All of the above
(d) All of the above


The botnet forensic attribution model covers ____________
(a) Malware analysis
(b) Attribution
(c) Acquisition
(d) None of the above
(a) Malware analysis


Analysis of botnet forensics do not cover ___________
(a) Static analysis
(b) Run time code
(c) Dynamic analysis
(d) None of the above
(c) Dynamic analysis


What is the first phase of doing smartphone forensics?
(a) Preservation/Seizing
(b) Acquisition
(c) Analysis
(d) Reports
(a) Preservation/Seizing


2. If we get the device in on-state at crime location, what is the first step we should
perform?
(a) Remove SD card if it is placed in device
(b) Isolate it from network
(c) Switch off the device
(d) None of the above
(b) Isolate it from network


The following is not a smartphone operating system
(a) Symbian
(b) Android
(c) Windows
(d) None of above
(d) None of above


. TCE stands for
(a) Trusted Computing Enterprise
(b) Trusted Communication Environment
(c) Trusted Computing Environment
(d) Tested Computing Environment
(c) Trusted Computing Environment


HDFI stands for
(a) Harmonized Digital Forensic Investigation
(b) Horizontal Digital Forensic Information
(c) Harmonized Defence Forensic Investigation
(d) Harmonized Digital Forensic Interpretation
(a) Harmonized Digital Forensic Investigation


Smartphone forensic investigation must include following steps
(a) Preservation
(b) Data Acquisition
(c) Examination and Analysis
(d) All of the above
(d) All of the above


JTAG stands for
(a) Joint Trust Action Group
(b) Joint Test Action Group
(c) Joint Test Active Group
(d) Joint Test Action Graph
(b) Joint Test Action Group


Only one of the following tools is specific to Smartphone forensics
(a) Encase
(b) Volatality
(c) Oxygen
(d) OWADE
(c) Oxygen


UFED stands for
(a) Universal Forensic Extraction Device
(b) Uniform Forensic Extraction Device
(c) Universal Forensic Examination Device
(d) Universal Forensic Extraction Domain
(a) Universal Forensic Extraction Device


0. Rooting a smartphone involves
(a) Attain privileged access over various subsystems of the OS
(b) Ability to alter or replace system applications or settings
(c) Complete removal of existing version with a more recent version of OS
(d) All of the above
(d) All of the above


CSA stands for ____.
(a) Cloud Security Alliance
(b) Cloud Security Attribution
(c) Cloud Service Alliance
(d) Cloud Sensor Application
(a) Cloud Security Alliance


. A cloud customer uses take services from ____.
(a) Cloud Service Alliance
(b) Software Developers
(c) Software-Defined Networks
(d) Cloud Service Providers
(d) Cloud Service Providers


International Standards ISO 27037 looks for ____.
(a) Creating a common baseline for the practice of digital forensics
(b) Attribution
(c) Attack simulation
(d) Anti-forensics
(a) Creating a common baseline for the practice of digital forensics


Attribution is the procedure of ____.
(a) Deciding and finding the character and cause of digital attack
(b) Acquisition of evidence
(c) Service-level agreement
(d) Software development
(a) Deciding and finding the character and cause of digital attack


VMI collects ____.
(a) High-level information
(b) Software programs
(c) Only logs files
(d) Low-level information
(d) Low-level information


Anti-forensic prevents ____.
(a) Forensic investigation process
(b) Attacker to attack
(c) Security threats
(d) Malicious attacks
(a) Forensic investigation process


7. SLA stands for ____.
(a) Service-level agreement
(b) Security-level alliance
(c) Software-level awareness
(d) Software-level agreement
(a) Service-level agreement


The cloud service models are ____.
(a) SaaS, PaaS, and IaaS
(b) Public and private
(c) Able to perform on-demand services
(d) Cost-effective
(a) SaaS, PaaS, and IaaS


Attribution in a cloud environment is more difficult because ____.
(a) Service-level agreement
(b) Complex architecture of cloud computing
(c) Cloud actors
(d) Cloud consumer
(b) Complex architecture of cloud computing


Multi-jurisdictional and multi-tenant situations are ___.
(a) Analytical issues
(b) Functional issues
(c) Architectural issues
(d) Legal issues
(d) Legal issues

Database/web/email/chat/voice mail servers
Application servers


What is the best statement for taking advantage of a weakness in the security of an IT system?
Exploit


HTTP is_____?
Hypertext Transfer Protocol


Metasploit is____?
Penetration testing software


Contain IP address to MAC address mapping, the time the IP was leased
DHCP Servers


Handles multiplexing of process communication, provides end-to-end reliability, sequencing, flowcontrol, congestion control. Connection established through 3-way handshake.
TCP


Evidence collected from network device logs
Packet analysis


What port isused to connect to the Active Directory in Windows 2000?
389


Monitor network traffic and alerts on suspicious activities
NIDS/NIPS


DDOS attack is______
Many-to-one IP addresses


Rules, Alerts, packet capture is
NIDS/NIPS components


Web server, Email server, network ports canning is
One-to-one IP address


00:03
01:38

Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
Logs successful/failed login attempts for all devices within its authentication system
Authentication Servers


What method can be used in online-password attack?
Dictionary attack - Bruteforce attack


Contains routing tables that map router port swith the network, may function as packet filters
Firewalls


Communicates error messages and other conditions via IP datagrams
Internet Control Message Protocol (ICMP)


Addressing and Routing (src and dst) at Layer 3
Internet Protocol (IP)


Contains tables that store mapping between physical port and MAC addresses
Switches


Devices that pierce the shielding of copper cables
Vampire Taps


Stores web surfing log for an entire organization
Web proxies


MAC flooding (over flowing table) or ARP spoofing (fill table with fake value)
Intercepting traffic from switches


DNS is____
Domain Name Server


Distributed database used to map between domain names and IP addresses
Domain Name System (DNS)


Sensor, collector, aggregator, analysis
Flow record processing system


One source IP, one or more destination IOP, destination port numbers increasing incrementally, large volume of packets, out bound protocol flags set to SYN
TCP port scan


Sniffing, protocol understanding, Alerting and high fidelity
NIDS/NIPS functionality


Recovering and analyzing digital evidence from network resources
Network Forensics


Connection less, unreliable, used by DNS, SNMP, audio/video streaming
User Datagram Protocol


What character can be used t ocomment at the end of your SQL injection?
# -


Pattern matching, parsing fields, packet filtering
Packet analysis techniques


Provides mapping between IP addresses and MAC for a local subnet
Address Resolution Protocol (ARP)


Tool for capturing, filtering, and analyzing traffic
tcpdump


Comprehensive study of protocols, packets and flows, and methods for dissecting them
Packet analysis use cases


Data is broadcasted, easy to eavesdrop
Intercepting traffic from hubs


Libraries: libpcap and WinPcap, Tools: Wireshark, snort, nmap, ngrep, tcpdump
Traffic acquisition software


1.Physical, 2.DataLink, 3.Network, 4.Transport, 5.Session, 6. Presentation, 7.Application
Open System Inter connection (OSI)


Facilitates sending and receiving documents on the web
Hyper Text Transfer Protocol (HTTP)


Understand how a protocol works, how to identify and dissect it; canuse RFCs and standards to understands protocols
Protocol analysis


How do you prevent SQL Injection?
Use Parameterized Queries


May detect attacks in progress, can be tuned to give more granular data
Network Intrusion Detection/Prevention Systems


In default, HTTP services work on port?
80


In default, HTTPS services work on port?
443


Search from common values associated with a protocol, information in encapsulated protocol, port numbers, server functions, common header values
Protocol identification


MAC refers to
Machine Address Control


______________ is forensics applied to information stored or transported on network.
Network forensics


A network sniffer program is an example of:
Packet collection tool


The following is an application layer protocol
All of the above (HTTP, SMTP, BOOTP)


Packet capture file format, pcap is based on a library called
libp cap


Net Flow was developed by
Cisco


Anti-forensic prevents____.
Forensic investigation process


Which of the following type of attack CANNOT be deterred solely through technical means?
Social engineering


HTML is_____?
Hypertext Markup Language


Why do social engineering attacks often succeed?
lack of security awareness


SSL is_____?
Secure Sockets Layer


Which of the following is an example of the theft of network passwords without the use of software tools?
Social engineering


AJAX is?
Asynchronous JavaScript And XML


Which of the following measures can be used to guard against a social engineering attack?
Education, limit available information and security policy.


Which of the following is the major difference between a worm and a Trojan horse?
Worms are self replicating while Trojan horses are not.


What type of program will record system key strokes in a text file and email it to the author, and will also delete system logs every five days or whenever a backup is performed?
Trojan


Which of the following is the boolean operator for logical-and?
&&


In ISO 27002, which sections defines the responses and procedures around a security incident
Information security incident management


Which involves impersonation of users/devices?
Impersonation


In ISO 27002, which sections defines the restriction of access rights to networks, systems, applications, functions and data?
Access control


______________ are the two common data classification schemes
Government and private sector/commercial business


Which attack involves continual requests from a range of remote hosts?
DDoS attack


Which is a hashing function?
MD5


The mark average of Bob and Alice is 70%, Bob and Eve is 60%, and Alice and Eve is 60%. What is Eve's mark?
50%


The mark average of Bob and Alice is 20%, Bob and Eve is 30%, and Alice and Eve is 40%. What is Eve's mark?
50%


Which protocol is not supported by Snort?
IGMP


For an ARP reply, which destination MAC address is used?
The destionation host


What happens to the MD5 signature when a single character is changed in a file?
The whole signature is changed


Layer 4 the transmitted encapsulated data is know as a _____________
segment


Which is the easiest way for an intruder to defeat an IDS?
Compromise the firewall


What does the "SYN", "SYN,ACK", "ACK" sequence signify?
The initial negotiation of a client-server connection


Which commercial business/private sector data classification is used to control information about individuals within an organization?
Private


What hacker does not have many skills, and use standard scripting tools:
Script kiddies


Which involves actual deception of users and system operators?
Mispresentation


Which TCP does MSN Messenger use?
1863


STRIDE is often used in relation to assessing threats against applications or operating systems. _______ is NOT an element of STRIDE
Disclousre


Which Snort command will filter for an incoming FTP response from an FTP server?
alert tcp any 21 -> any any msg "FTP response"


How many characters does a Hex MD5 signature have:
32


How many characters does a Hex SHA-1 signature have:
40


How many bits does an MD5 signature have:
128


How many bits does an SHA-1 signature have:
160


How many bits does an SHA-256 signature have:
160


Which is a valid MD5 Hex signature:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Which is an example of a one-way function
MD5 and SHA-1


Which is the following is an example of a MD5 signature:
455D04D3EBDE98FB5AB92B7363DFF33D


What is the Diffie-Hellman method used for:
To pass a secret key


What is MD5 used for:
To create a unique signature


"What happens to the MD5 signature when a single character is changed in a file:"
The signature cannot be produced


What is the main weakness of the Diffie-Hellman method:
It allows for a man-in-the-middle attack


What does the "SYN", "SYN,ACK", "ACK" sequence signify:
The initial negotiation of a client-server connection


"For the ""SYN"", ""SYN,ACK"", ""ACK"" sequence, who generates the initial ""SYN"""
The client


"For the ""SYN"", ""SYN,ACK"", ""ACK"" sequence, who generates the ""SYN,ACK"""
The server


"For the ""SYN"", ""SYN,ACK"", ""ACK"" sequence, who
...


generates the ""ACK"""
The client


Which type of traffic cannot be deeply inspected:
SSH, SFTP, SHTTP


Which TCP port does SMTP use:
25


Which TCP port does IMAP use:
143


Which TCP port does POP-3 use:
110


What is ARP used for:
Discovering the MAC address of a host


For an ARP request, which source MAC address is used
The local host


For an ARP request, which destination MAC address is used
The broadcast address


For an ARP reply which source MAC address is used
The local host


For an ARP reply, which destination MAC address is used
The destination host


Which is the encrypted port used for IMAP over SSL
993


Which tool can determine if a file has been changed
Hash signature


Which tool shows the open TCP ports
netstat


Which tool shows the MAC address of the local host
ipconfig


Which tool shows the IP address of a domain name
nslookup


Which tool determines if a host is on-line
ping


Which transport protocol does DNS use
UDP


Which UDP port does DNS use
53


"When a host sends an ARP for a node at 1.2.3.4, who will receive the reply"
Only the host that asked for it


"When a host sends an ARP for a node at 1.2.3.4, who will receive the ARP request"
The whole network bounded by a router port


Which tool does a vunerability analysis for a host
nmap


What does .NET use to provide hardware compatibility:
MSIL


"What does .NET use to provide different DLL versions to be supported:"
Global Assembly Cache


"What does .NET use to provide different languages to be used in .NET:"
Common Language


"What does .NET use to provide common classes, methods and properties:"
Framework Class Library


Where do .NET programs run:
Within the CLR


Which folder contains the .NET framework:
C:\WINDOWS\Microsoft.NET\Framework\


Which is the most recent .NET version
.NET 3.5


Which reference is required for Role-based security:
System.Security.Principal


Which method is used with WindowsPrinciple (myPrin) to test a role:
myPrin.IsInRole()


"What does .NET use to provide different DLL versions to be supported:"
Global Assembly Cache


What is the main advantage of the Global Assembly Cache in .NET:
It stores different versions of DLLs


Which XML tags will allow users access to a Web service:
<authorization> <allow users="*"></authorization>


"Which file contains the security settings for an ASP.NET Web service:"
Web.config


What is the strong name used in .NET assemblies:
It uniquely identifies an assembly


"Which command line option would generate the encryption keys for a
...


strong name in a .NET assembly:"
sn -k


Which is the correct format for the version number in .NET:
"<major version>.<minor version>.<build


number>.<revision>"
...


"For an assembly version number of 2.1.1500.10. What does the 2 represent:"
Major version


"For an assembly version number of 2.1.1500.10. What does the 1 represent:"
Minor version


"For an assembly version number of 2.1.1500.10. What does the 1500 represent:"
Build version


"For an assembly version number of 2.1.1500.10. What does the 10 represent:"
Revision


Which is the following is not stored in an assembly:
The type of operating system used


Which of the following sets the version number for an assembly:
[assembly:AssemblyVersionAttribute("2.5.*")]


Which of the following is true for the version number of 2.5.*:
"A wild card is


used for the build and the revision numbers, where the build process
...


automatically generates these numbers."
...


Which best defines the global assembly cache:
"It is a cache within a machine that contains


the assemblies which are to be shared with applications."
...


In which file is the Version attribute normally defined (for Form1):
AssemblyInfo.cs


Multiple versions of assemblies can exist in the GAC. True or false?
True


"An assembly can be dragged into the GAC using the Windows explorer.
...


True or false?"
True


"You have created a class that is derived from the ServicedComponent
...


class called DistributionApp. You need to install it into the Global Assembly
...


Cache and create the key pair that will be used to give the compiled assembly
...


a strong name. Which of the following commands will produce the key pair?
...


(Select the best choice.)"
sn -k "mykey.snk"


Which applications require the strongest security:
Web services, and in .NET remoting


"Which file is stored in the Config directory of the default
...


.NET Framework installation. It contains settings that are applied to all the
...


applications which run on the host."
Machine configuration file


"Which file contains settings which relate to a specific application.
...


These are named are Web.config (for Web applications) and App.config (for Windows applications)."
Application configuration file


"Which file defines the security policy for a hierarchy of
...


groups. It defines enterprise-level (Enterprise-sec.config), machine-level (Security.config), and user-level (Security.config) security policies:"
Security configuration file


Which is the .NET Framework Configuration Tool:
Mscorcfg.msc


"What occurs when a remote user tries to access the Web.config file on the Web server"
It displays a message that it is forbidden to access the file.


What is the default Web service security level for authentication:
Windows


Which authentication process uses IIS to authentication the client:
Windows


"Which authentication process uses an HTML log-in form to authenticate the client, which are then passed to the Web server for authentication:"
Forms


"Which authentication process uses a centralized authentication service is used to define access, with a single logon and profile services for member sites:"
Passport


"Which authentication process, when, on a successful authentication, the server issues a cookie to the client, which is then used by the client to access the Web service:"
Forms


"Which authentication process is typically used to register sites with a single passport, and grants a site-specific key:"
Passport


"Which of following is true for the authorization script of:
...


<authorization><deny users=""Fred""/> <allow
...


role=""Administrator"" /></authorization>"
Fred is not allowed access to the service


"Which of following is true for the authorization script of:
...


<authorization> <deny users=""Fred""/> <allow
...


role=""Administrator"" /> </authorization>"
"Anyone in the Administrator role is allowed access to the service"


"Which method verifies if the caller is a member the specified role. It returns a True if it is, else it returns a False. "
Object.IsCallerInRole()


Why is PGP computationaly efficient:
It uses a shared-secret key


How many bits, at a time, are used to encode using Base-64:
6 bits


What is the advantage of using Base-64 as a convertor:
It can convert binary


How does HMAC differ from normal hashing methods:
It uses a secret key to generate the hash function


What is "silent" as Base64:
Z29vZGJ5


Which is not a method of obfuscation in .NET:
Licencing checking


Which WinPCap display filter will only show SYN/ACK TCP flags:
tcp.flags.syn==1 and tcp.flags.ack==1


Which WinPCap display filter will only show HTTP traffic:
tcp.port == 80


Which WinPCap display filter will only show FTP traffic:
tcp.port == 21


Which WinPCap display filter will only show TELNET traffic:
tcp.port == 23


Which WinPCap display filter will only show SMTP traffic:
tcp.port == 25


Which WinPCap display filter will only show IMAP traffic:
tcp.port == 143


Which WinPCap display filter will only show POP-3 traffic:
tcp.port == 110


"With a tunnelling DNS covert channel, Bob sends a request for dGVzdA==.alicehost.com.
...


What is the covert message (Refer to table, such as
...


from www.aardwulf.com/tutor/base64/base64.pdf):"
test


"With a tunnelling DNS covert channel, Bob sends a request for aGVsbG8=.alicehost.com.
...


What is the covert message (Refer to table, such as
...


from www.aardwulf.com/tutor/base64/base64.pdf):"
hello


"With a tunnelling DNS covert channel, Bob sends a
...


request for Z29vZGJ5ZQ==.alicehost.com.
...


What is the covert message (Refer to
...


table, such as from www.aardwulf.com/tutor/base64/base64.pdf):"
goodbye


"With a tunnelling DNS covert channel, Bob sends a request for aGFwcHk=.alicehost.com.
...


What is the covert message (Refer to table, such as
...


from www.aardwulf.com/tutor/base64/base64.pdf):"
happy


"With a tunnelling DNS covert channel, Bob sends a request for c2Fk.alicehost.com.
...


What is the covert message (Refer to table, such as from
...


www.aardwulf.com/tutor/base64/base64.pdf):"
sad


What is the main advantage of the one-time password system:
Requires the password to be entered once


Which tag in the Web.Config file is used to deny certain users:
Authorization


Which tag in the Web.Config file is used to deny certain groups:
Authorization


"Which tag in the Web.Config file is used to specify a forms-based login:"
Authentication


"Which tag in the Web.Config file is used to specify that the authentication is from the Windows user base:"
Authentication


"For the code of
...


""EventLog evt = new System.Diagnostics.EventLog();"",
...


which is an invalid property:"
evt.Events


"For the code of ""EventLog evt = new System.Diagnostics.EventLog();"",
...


which contains the contents of the Event log:"
evt.Entries


Which method is used to encrypt the encryption key in PGP:
RSA


"PGP uses RSA for the main encryption of the email content.
...


True or false:"
False


"A scan of a disk identifies the string ""JFIF"".
...


What is the likely type of file associated with this:"
Document"


"A scan of a disk identifies the string ""GIF89a"". What is the likely type of file associated with this:"
Image


"A scan of a disk identifies the hex sequence of 504B0304. What is the likely type of file associated with this:"
ZIP file


"An investigator wants to scan for the word ""test""
...


on a disk which contains the string in 16-bit Unicode. What is the search string:"
\0t\0e\0s\0t


How many colours are contained in a GIF colour table:
256


How many colours are possible for each pixel in a GIF file:
16.7 million


"For a 64-bit hash signature. How many Base-64 characters would be used:"
12


"For a 192-bit hash signature. How many Base-64 characters would be used:"
32


"For a 256-bit hash signature. How many Base-64 characters would be used:"
44


"Which protocol on a switch should be setup to allow a host to capture traffic from other hosts:"
SPAN


Which TCP port does MSN Messenger use:
1863


Which filter shows traffic for both 1.2.3.4 and 2.3.4.5:
ip.addr == 1.2.3.4 or ip.addr == 2.3.4.5


Which filter shows traffic between 1.2.3.4 and 2.3.4.5:
ip.addr == 1.2.3.4 and ip.addr == 2.3.4.5


"Which filter shows traffic that is not destined
...


for either 1.2.3.4 nor 2.3.4.5:"
not ip.addr == 1.2.3.4 and not ip.addr == 2.3.4.5


"Which filter will only show traffic for host 1.2.3.4 for FTP
...


traffic:"
ip.addr == 1.2.3.4 and tcp.port == 21


Which is a possible place to hide a convert message in an IP header:
Identification


Which field in the IP header identifies AH (Authentication Header):
Protocol field


"Which field in the IP header identifies ESP (Encapsulating Security Payload):"
Protocol field


Where should a standard ACLs be placed:
As near the destination


Where should an extended ACLs be placed:
As near the source address as possible


"For an address an ACL of <BR>access-list 1 deny 192.168.1.1
...


0.0.0.255<BR><BR>Will a node at 192.168.1.200 be denied:"
Yes


"For an address an ACL of <BR>access-list 1 deny 192.168.1.1
...


0.0.0.0<BR><BR>Will a node at 192.168.1.200 be denied:"
No


"Which is an example of apply an access-list of 5
...


on an interface for the incoming direction:"
(config-if)# access-group 5 in


"Which is an example of apply an access-list of 15 on an interface for the outgoing direction:"
(config-if)# access-group 15 in


For Static NAT, what is translated for incoming traffic:
The destination IP address


For Static NAT, what is translated for outgoing traffic:
The source IP address


For Dynamic NAT, what is translated for incoming traffic:
The destination IP address


For Dynamic NAT, what is translated for outgoing traffic:
The destination IP address


For PAT, what is translated for incoming traffic:
The source IP address and TCP port


For PAT, what is translated for outgoing traffic:
The source IP address and TCP port


"For a question of ""What is your favourite football team?"", what is the authentication method:"
Something you know


"For a question of ""What is your mother's maiden name?"", what is the authentication method:"
Something you know


"For a question of ""What is the name of your pet"", what is the authentication method:"
Something you know


"For a user to be authenticated with a smart card, what is the authentication method:"
Something you have


"For a user to be authenticated with a USB stick, what is the authentication method:"
Something you have


"For a user to be authenticated with a Visa card, what is the authentication method:"
Something you have


"For a user to be authenticated with a digital certificate, what is the authentication method:"
Something you have


"For a user to be authenticated with their fingerprints, what is the authentication method:"
Something you are


"For a user to be authenticated with their handprints, what is the authentication method:"
Something you are


"Which access-list blocks only even IP addresses
...


from 156.1.1.0/24 access to 10.0.0.0/24:"
"access-list 100 deny ip


156.1.1.0 0.0.0.254 10.0.0.0 0.0.0.255"
...


Which access-list allows traffic from all addresses in the range 192.168.3.0
...


to 192.168.3.255 :
access-list 10 permit 192.168.3.0 0.0.0.255


"Which access-list permits traffic originating from
...


any address on the 63.36.9.0 network to a Web site:"
"access-list


101 permit tcp 63.36.9.0 0.0.0.255 any eq 21"
...


Which command is used to define an ACL on an interface:
ip access-group


"Which command is used to define an ACL which can be applied to an interface:"
access-list


Which ACL bars every node from the 192.168.10.0 subnet:
access-list 1 deny 192.168.10.0 0.0.0.255


Which command can be used to prevent DOS attacks:
ip inspect


What does the ip host command achieve:
Sets up a hosts table


Which commands set the line console password:
line con 0, password


Which commands set the telnet password:
line vty 0 4, password


"Which command is ignored by the router in the set-up on an interface:"
description


How would 10.11.12.13 with a subnet mask of 255.0.0.0 be displayed:
10.11.12.13\8


"How would 10.11.12.13 with a subnet mask of 255.255.0.0 be displayed:"
10.11.12.13\16


"How would 10.11.12.13 with a subnet mask of 255.255.255.0 be displayed:"
10.11.12.13\24


"How would 10.11.12.13 with a subnet mask of 255.255.255.240 be displayed:"
10.11.12.13\28


"How would 192.168.0.22 with a subnet mask of 255.255.255.128 be displayed:"
192.168.0.22\25


"How would 192.168.0.22 with a subnet mask of 255.255.255.192 be displayed:"
192.168.0.22\26


"How would 192.168.0.22 with a subnet mask of 255.255.255.224 be displayed:"
192.168.0.22\27


"How would 192.168.0.22 with a subnet mask of 255.255.255.240 be displayed:"
192.168.0.22\28


Which command defines the message of the day:
banner motd hello


Which command defines the login message:
banner login hello


Which command defines the EXEC message:
banner exec hello


Which command enables the Web server:
ip http server


Which command defines a username named fred:
username fred password bert


Which TCP ports are typically used for SNMP:
161,162


Which of the following IP address is not a private address:
146.176.1.5


Which of the following is not a valid subnet mask:
255.164.0.0


Which layer of the OSI model do routers operate:
1, 2 and 3


Which layer of the OSI model do firewalls (packet filter) operate:
1, 2, 3 and 4


Which router command is used to set the host name:
hostname


Which router command is used to set name server:
ip name-server


Which router command is used to set the domain name:
ip domain-name


What is the range of access-lists which relate to standard ACLs:
1-99


What is the range of access-lists which relate to extended ACLs:
100-199


"Which of the following is an example of a named
...


access list command:"
(config-std-nacl)# deny 156.1.1.0 0.0.0.255


Which of the following creates an access-list named Test1:
(config)# ip access-list standard Test1


When an EnCase user double-clicks on a file within EnCase what determines the action that will result.
The settings in the FileTypes.ini file


Search results are found in which of the following files.
The case file


If cluster #3552 entry in the FAT table contains a value of ?? this would mean:
The cluster is unallocated


The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@[a-z]+.com.
Bob@America.com


You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be a part of a network. The operating system is Windows XP Home. No programs are visibly running. You should:
Pull the plug from the back of the computer


A physical file size is.
The total size of all the clusters used by the file


In Unicode, one printed character is composed of ____ bytes of data.
2


If cluster number 10 in the FAT contains the number 55, this means.
that cluster 10 is used and the file continues in cluster number 55


How are the results of a signature analysis examined.
By sorting on the signature column in the Table view. By sorting on the signature column in the Table view


The acronym ASCII stands for.
American Standard Code for Information Interchange


The default export folder remains the same for all cases.
False


The EnCase default export folder is.
A case-specific setting that can be changed


Hash libraries are commonly used to.
Identify files that are already known to the user


Which is the proper formula for determining the size in bytes of a hard drive that uses cylinders (C), heads (H), and sectors (S) geometry.
C X H X S X 512


Within EnCase, clicking on Save on the toolbar affects what file(s).
The open case file


EnCase uses the _________________ to conduct a signature analysis.
file signature table


EnCase is able to read and examine which of the following file systems.
NTFS, EXT3, FAT, HFS


ROM is an acronym for.
Read Only Memory


If a floppy diskette is in the ?drive, the computer will always boot to that drive before any other device. If a floppy diskette is in the ??drive, the computer will always boot to that drive before any other device.
True


A standard Windows 98 boot disk is acceptable for booting a suspect drive.
True


Search terms are case sensitive by default.
True


The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1st , 2?0?00.
Jan 1st , 2000


An evidence file can be moved to another directory without changing the file verification..
True


Pressing the power button on a computer that is running could have which of the following results.
All of the above could happen.


How does EnCase verify that the evidence file contains an exact copy of the suspect hard drive? How does EnCase verify that the evidence file contains an exact copy of the suspect's hard drive.
By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file. By means of an MD5 hash of the suspect? Hard drive compared to an MD5 hash of the data stored in the evidence file.


By default, EnCase will display the data from the end of a logical file, to the end of the cluster, in what color.
Red


A SCSI drive is pinned as a master when it is.
A SCSI drive is not pinned as a master


The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[^a-z].
om? ? RP


This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search.
Will find it because EnCase performs a logical


An evidence file was archived onto five CD-Rom disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD.
Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD


You are a computer forensic examiner tasked with determining what evidence is on a seized computer. On what part of the computer system will you find data of evidentiary value.
Hard drive


You are a computer forensic examiner explaining how computers store and access the data you recovered as evidence during your examination. The evidence was a log file and was recovered as an artifact of user activity on the ____________, which was stored on the _____________, contained within a ____________ on the media.
operating system, file system, partition


You are a computer forensic examiner investigating a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is FAT (File Allocation Table). What information about the document file can be found in the FAT on the media? (Choose all that apply.).
Starting cluster of the file D. Fragmentation of the file


You are a computer forensic examiner investigating media on a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is NTFS (New Technology File System). What information about the document file can be found in the NTFS master file table on the media? (Choose all that apply.).
Name of the file, Date and time stamps of the file, Starting cluster of the file, Fragmentation of the file, Ownership of the file


You are preparing to lead a team to serve a search warrant on a business suspected of committing large-scale consumer fraud. Ideally, you would you assign which tasks to search team members? (Choose all that apply.).
Photographer, Search and seizure specialists, Recorder, Digital evidence search and seizure specialists


You are a computer forensic examiner at a scene and have determined you will seize a Linux server, which according to your source of information contains the database records for the company under investigation for fraud. What is the best practice for "taking down" the server for collection.
Photograph the screen and note any running programs or messages, and so on, and use the normal shutdown procedure.


You are a computer forensic examiner at a scene and are authorized to seize only media that can be determined to have evidence related to the investigation. What options do you have to determine whether evidence is present before seizure and a full forensic examination? (Choose all that apply.).
Use an EnCase boot floppy or CD to boot the machine into Linux, and use LinEn to preview the hard drive through a crossover cable with EnCase for Windows & Remove the subject hard drive from the machine, and preview the hard drive in EnCase for Windows with a hardware write blocker such as FastBloc & Use an EnCase boot floppy or CD to boot the machine into DOS, use EnCase for DOS to preview the hard drive through a crossover cable with EnCase for Windows


You are a computer forensic examiner at a scene and have determined you will need to image a hard drive in a workstation while on-site. What are your options for creating a forensically sound image of the hard drive? (Choose all that apply.).
Use a forensically sound Linux boot CD to boot the machine into Linux, and use LinEn to image the subject hard drive to a second hard drive attached to the machine & Remove the subject hard drive from the machine, and image the hard drive in EnCase for Windows with a hardware write blocker such as FastBloc & Use an EnCase boot floppy or CD to boot the machine into DOS, and use EnCase for DOS to image the hard drive through a crossover cable with EnCase for Windows.


You are a computer forensic examiner and have imaged a hard drive on site. Before you leave the scene, you want to ensure the image completely verifies as an exact forensic duplicate of the original. To verify the EnCase evidence file containing the image, you should do which of the following.
Load the EnCase evidence files into EnCase for Windows, allow the verification process to finish, and then check the results for complete verification.


You are a computer forensic examiner and need to verify the integrity of an EnCase evidence file. To completely verify the file's integrity, which of the following must be true.
The CRC values and the MD5 hash value both must verify.


You are a computer forensic examiner and need to determine what files are contained within a folder called Business documents. What EnCase pane will you use to view the names of the files in the folder.
Table pane


You are a computer forensic examiner and need to view the contents of a file contained within a folder called Business documents. What EnCase pane will you use to view the contents of the file.
View pane


You are a computer forensic examiner and are viewing a file in an EnCase evidence file. With your cursor, you have selected one character in the file. What binary term is used for the amount of data that represents a single character.
A byte


You are a computer forensic examiner and need to search for the name of a suspect in an EnCase evidence file. You enter the name of the suspect into the EnCase keyword interface as John Doe. What search hits will be found with this search term with the default settings? (Choose all that apply.).
John Doe, john doe


You are a computer forensic examiner and need to determine whether any Microsoft Office documents have been renamed with image extensions to obscure their presence. What EnCase process would you use to find such files.
File signature analysis


You are a computer forensic examiner and want to reduce the number of files required for examination by identifying and filtering out known good or system files. What EnCase process would you use to identify such files.
File hash analysis


You are a computer forensic examiner and want to determine whether a user has opened or double-clicked a file. What folder would you look in for an operating system artifact for this user activity.
Recent


You are a computer forensic examiner and want to determine when a user deleted a file contained in a Windows XP Recycle Bin. In what file is the date and time information about the file deletion contained.
INFO2


You are a computer forensic examiner and want to determine how many times a program was executed. Where would you find information.
Registry


You are a computer forensic examiner and want to examine any email sent and received by the user of the computer system under investigation. What email formats are supported by EnCase.
Outlook, Outlook Express, America Online, Hotmail, Yahoo!, Mozilla Thunderbird


What is the definition of a CPU.
A part of the computer whose function is to perform data processing


What is the BIOS.
BIOS stands for Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and its operating system


Is the information stored on a computer's ROM chip lost during a proper shutdown.
No


Is the information contained on a computer's RAM chip accessible after a proper shutdown.
No


Can information stored in the BIOS ever change.
Yes


What is the purpose or function of a computer's ROM chip.
Long-term or permanent storage of information and instructions


Information contained in RAM memory (system's main memory), which is located on the
...


motherboard, is _________.
volatile


What is the maximum number of drive letters assigned to hard drive(s) partitions on a system.
24


The smallest area on a drive that data can be written to is a _______, while the smallest area on a drive that a file can be written to is a ________.
sector and cluster


The size of a physical hard drive can be determined by which of the following.
Both (The cylinder × head × sector × 512 bytes) and (The total LBA sectors ×512 bytes)


The electrical pathway used to transport data from one computer component to another is called what.
Bus


What is the main component of a computer to which essential internal devices such as CPU, memory chips, and other chipsets are attached.
Motherboard


IDE, SCSI, and SATA are different types of interfaces describing what device.
Hard drives


What do the terms master, slave, and Cable Select refer to.
Jumper settings for internal hardware such as IDE hard drives and CD drives


What can you assume about a hard drive that is pinned as CS.
It's an IDE drive.


What is found at Cylinder 0, Head 0, Sector 1 on a hard drive.
Master boot record


What is the first sector on a volume called.
Volume boot record or sector


Which of the following is incorrect.
The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4 bytes each to do so


FAT is defined as which of the following.
A table created during the format that the operating system reads to locate data on a drive


How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT table.
It does affect the FAT table. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to


Which of the following describes a partition table.
All of the above.


Which selection keeps track of a fragmented file in a FAT file system.
File allocation table


If the FAT table lists cluster number 2749 with a value of 0, what does this mean about this specific cluster.
It is unallocated and is available to store data.


Which of the following is true about a volume boot record.
It is always located at the first sector of its logical partition & It contains BIOS parameter block and volume boot code


The NTFS file system does which of the following.
All of the above


How many clusters can a FAT32 file system manage.
228 = 268,435,456 clusters


The FAT tracks the ________ while the directory entry tracks the ________.
file's last cluster (EOF) and file's starting cluster


How many copies of the FAT does each FAT32 volume maintain in its default configuration.
Two


A file's logical size is displayed as.
The number of bytes that the logical file contains


A file's physical size is.
The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster


A directory entry in a FAT file system has a logical size of which of the following.
0 bytes


Each directory entry in a FAT file system is ____ bytes in length.
32


By default, what color does EnCase use to display directory entries within a directory structure.
RED


What is the area between the end of a file's logical size and the file's physical size called.
Slack space


What three things occur when a file is created in a FAT32 file system.
Directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file's data is filled in to the assigned clusters


How does EnCase recover a deleted file.
It obtains the deleted file's starting cluster number and size from the directory entry to obtain the data's starting location and number of clusters required


What does EnCase do when a deleted file's starting cluster number is assigned to another file.
EnCase marks the deleted file as being overwritten


What information does a file's directory entry in a FAT file system store about itself.
All of the above


What is the first consideration when responding to a scene.
Your safety


What are some variables regarding a facility that you should consider prior to responding to a scene.
All of the above.


What are some variables regarding items to be seized that you should consider prior to
...


responding to a scene.
All of the above


Generally speaking, if you encounter a desktop computer running Windows XP, how should you take down the machine.
Shut down by pulling the plug from the computer box


Generally speaking, if you encounter a computer running Windows 2000 Server, how should you take down the machine.
Shut down using its operating system


Generally speaking, if you encounter a Unix/Linux machine, how should you take down the machine.
Shut down using its operating system


When unplugging a desktop computer, from where is it best to pull the plug.
The back of the computer


What is the best method to shut down a notebook computer.
Both A(Unplug from the back of the computer) and C(Remove the battery).


Generally speaking, if you encounter a Macintosh computer, how should you take down the machine.
Shut down by pulling the plug from the computer box


Which selection displays the incorrect method for shutting down a computer.
Linux: Pull the plug


When shutting down a computer, what information is typically lost.
All of the above


Which of the following is not acceptable for "bagging" a computer workstation.
Plastic garbage bag


EnCE.
Encase Certified Examiner


SCSI.
Small Computer Systems Interface


IDE.
Integrated Drive Electronics


SATA.
Serial Advanced Technology Attachment


RAID.
Redundant Array of Inexpensive Disks


DVD.
Digital Versatile Disc


USB.
Universal serial bus


IEEE.
Institute of Electrical and Electronics Engineers


IEEE 1394.
Firewire


ISA.
Industry Standard Architecture


MCA.
IBM Micro Channel Architecture


EISA.
Extended Industry Standard Architecture


PCI.
Peripheral Component Interconnect


AGP.
Accelerated Graphics Port


PCMCIA.
Personal Computer Memory Card International Association\


PCI.
Peripheral Component Interconnect


CMOS.
Complementary Metal-Oxide Semiconductor


EFI.
Extensible Firmware Interface


POST.
Power On Self-Test


MBR.
Master Boot Record


VBR.
Volume Boot Record


FAT.
File Allocation Table (12, 16 or 32)


MFT.
Master File Table


POST.
Power On Self-Test


0000 0001.
Read only && Bit Flag Values for Attribute Field at Byte Offset 11


0000 0010.
Hidden File


0000 0100.
System File


0000 1000.
Volume label


0000 1111.
Long File Name


0001 0000.
Directory


0010 0000.
Archive


In which circumstance is pulling the plug to shut down a computer system considered the best practice.
None of the above


How is the chain of custody maintained.
All of the above


It is always safe to pull the plug on a Windows 2000 Professional operating system.
False


On a production Linux/Unix server, you must generally be which user to shut down the system.
root


When would it be acceptable to navigate through a live system.
All of the above


A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following.
MS-DOS


When called to a large office complex with numerous networked machines, is it always a good idea to request the assistance of the network administrator.
False


Subsequent to a search warrant where evidence is seized, what items should be left behind.
B(Copy of the search warrant) and C(List of items seized)


SAFE.
Secure Authentication for EnCase


HPA.
Host Protected Area


DCO.
Device Configuration Overlay


MD5.
Message-Digest algorithm 5. or The odds of any two files having the same MD5 are 1 in 2128, which is, more graphically, 1 in 340,282,366,920,938,000,000,000,000,000,000,000,000.


CRC.
cyclic redundancy check (CRC) or polynomial code checksum


When acquiring a hard drive in the DOS mode, what would be the cause of EnCase not detecting partition information.
Both A(The drive has been FDisked and the partition(s) removed.) and B(The partition(s) are not recognized by DOS)


A standard DOS 6.22 boot disk does not make calls to the C: volume of a hard drive when the diskette is booted.
False


As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it.
Cross-contamination


If the number of sectors reported by EnCase does not match the number reported by the manufacturer for the drive, what should you do.
All of the above


What system files are changed or in any way modified by EnCase when creating an EnCase boot disk.
All of the above


Reacquiring an image and adding compression will change the MD5 value of the acquisition hash.
False


When reacquiring an image, you can change the name of the evidence.
False


Which of the following should you do when creating a storage volume to hold an EnCase evidence file that will be created with EnCase for DOS or LinEn? (Choose all that apply.).
Format the volume with the FAT file system && Give the volume a unique label to identify it. && Wipe the volume before formatting to conform to best practices, and avoid claims of crosscontamination. && Create a directory to contain the evidence file.


In Linux, what describes hdb2? (Choose all that apply.).
Refers to the primary slave && Refers to the second partition


When acquiring USB flash memory, you should write-protect it by doing what.
All of the above


Which type or types of cables can be used in a network cable acquisition.
Network crossover cable && Standard network patch cable used with a crossover adaptor


Should Zip/Jaz disks be acquired with EnCase in DOS or Windows.
DOS


When using LinEn, the level of support for USB, FireWire, and SCSI devices is determined by what.
The distribution of Linux being used


How should CDs be acquired using EnCase.
Windows


Select all that are true about EE and FIM.
They can acquire or preview a system live without shutting it down && They can capture live system-state volatile data using the Snapshot feature && With EE, the SAFE is on a separate PC, administered by the keymaster && With FIM, the SAFE is on the examiner's PC and the keymaster and the examiner are the same person


How does an EnCase boot disk differ from a DOS 6.22 disk.
Both A(EnCase boot disk adds the EnCase executable, EN.EXE) and B(EnCase boot disk switches all calls from C: to A:.)


The EnCase evidence file is best described as follows.
A bitstream image of a source device written to a file or several file segments


How does EnCase verify the contents of an evidence file.
EnCase writes a CRC value for every 64 sectors copied


What is the smallest file size that an EnCase evidence file can be saved as.
1 MB


What is the largest file segment size that an EnCase evidence file can be saved as.
2 GB


How does EnCase verify that the evidence file contains an exact copy of the source device.
By comparing the MD5 hash value of the source device to the MD5 hash value of the data stored in the evidence file


How does EnCase verify that the case information—such as case number, evidence number, notes, and so on—in an evidence file has not been damaged or altered after the evidence file has been written.
EnCase writes a CRC value for the case information and verifies the CRC value when the evidence is added to a case.


For an EnCase evidence file to successfully pass the file verification process, which of the following must be true.
The CRC values and the MD5 hash value both must verify


The MD5 hash algorithm produces a _____ value.
128-bit


The MD5 hash algorithm is ___ hexadecimal characters in length.
32


If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later altered.
All of the above.


Which of the following aspects of the EnCase evidence file can be changed during a reacquire of the evidence file.
Evidence file size


An evidence file was archived onto five CD-ROMs with the third file segment on disc 3. Can the contents of the third file segment be verified by itself while still on the CD-ROM.
Yes. Any evidence file segment can be verified independently by comparing the CRC values


Will EnCase allow a user to write data into an acquired evidence file.
No, data cannot be added to the evidence file after the acquisition is made


All investigators using EnCase should run tests on the evidence file acquisition and verification process to do which of the following.
All of the above


When a noncompressed evidence file is reacquired with compression, the acquisition and verification hash values for the evidence file will remain the same for both files.
True


Search hit results and bookmarks are stored in the evidence file.
False


The EnCase evidence file's logical file name can be changed without affecting the verification of the acquired evidence.
True


An evidence file can be moved to another directory without changing the file verification.
False


What happens when EnCase attempts to reopen a case once the evidence file has been moved.
EnCase prompts for the location of the evidence file


During reacquisition, you can change which of the following? (Choose all that apply.).
Block size and error granularity && Add or remove a password && Compression && File segment size


In the EnCase Windows environment, must an examiner first create a new case before adding a device to examine.
Yes


Proper file management and organization require that which of the following should be created prior to acquiring evidence.
All of the above


The EnCase methodology dictates that the lab drive used to store EnCase evidence files must have which of the following prior to acquiring an image.
Previously wiped and sterile partition


When creating a new case, the Case Options dialog box prompts for which of the following.
All of the above


What determines the action that will result when a user double-clicks a file within EnCase.
The settings in the FILETYPES.INI file


In the EnCase environment, the term external viewers is best described as which of the following.
External programs that are associated with EnCase to open specific file types


Where is the list of external viewers kept within EnCase.
The settings in the VIEWERS.INI file


When the copy/unerase feature is used, EnCase saves the selected file(s) to which folder.
Export


Can the Export folder be moved once it is saved within a case.
Yes


Files that have been sent to external viewers are copied to which folder.
Temp


The Temp folder of a case cannot be changed once the case has been saved.
False


Files stored in the Temp folder are removed once EnCase is properly closed.
True


How do you access the setting to adjust how often a backup file (.cbak) is saved.
Select Tools _ Options _ Global


What is the maximum number of columns that can be sorted simultaneously in the Table view tab.
Five


How would a user reverse-sort on a column in the Table view.
Both A(Hold down the Ctrl key, and double-click the selected column header) and B(Right-click the selected column, select Sort, and select either Sort Ascending or Sort Descending)


How can you hide a column in the Table view.
All of the above.


What does the Gallery view tab use to determine graphics files.
File extension


Will the EnCase Gallery view display a .jpeg file if its file extension was renamed to .txt.
Yes, but only if a signature analysis is performed to correct the "File Category" to "Picture" based on its file header information.


How would a user change the default colors and text fonts within EnCase.
The user can change default colors and fonts settings by clicking the Tools tab on the menu bar, selecting Options, and selecting the Colors tab or Fonts tab


An EnCase user will always know the exact location of the selected data in the evidence file by looking at which of the following.
Data bar


Computers use a numbering system with only two digits, 0 and 1. This system is referred to as which of the following.
Binary


A bit can have a binary value of which of the following.
0 or 1


A byte consists of ___ bits.
8


If 1 bit can have two unique possibilities, 2 bits can have four unique possibilities, and 3 bits can have eight unique possibilities. This is known as the power of 2. How many unique possibilities are there in 8 bits (28).
256


When the letter A is represented as 41h, it is displayed in which of the following.
Hexadecimal


What is the decimal integer value for the binary code 0000-1001.
9


Select all of the following that depict a Dword value.
FF 00 10 AF && 0000 0000 0000 0000 0000 0000 0000 0001


How many characters can be addressed by the 7-bit ASCII character table? 16-bit Unicode.
128 and 65,536


Where does EnCase (Version 5 or 6) store keywords.
Both A( Within each specific case file (.case and .cbak)) and B(In the KEYWORDS.INI file)


When performing a keyword search in Windows, EnCase searches which of the following.
Both (The logical files) and (The physical disk in unallocated clusters and other unused disk areas)


By default, search terms are case sensitive.
False


By selecting the Unicode box, EnCase searches for both ASCII and Unicode formats.
true


With regard to a search using EnCase in the Windows environment, can EnCase find a word or phrase that is fragmented or spans in noncontiguous clusters.
Yes, EnCase performs both physical and logical searches.


Which of the following would be a search hit for the His keyword.
All of the above


Which of the following would be a search hit for the following GREP expression? [^a-z]Liz[^a-z].
Liz1


Which of the following would be a search hit for the following GREP expression ? [\x00-\x07]\x00\x00\x00... .
06 00 00 00 A0 EE F1


Which of the following would be a search hit for the following GREP expression.
Both (Jan 1st, 2006) and (Jan 1st, 06)


Which of the following will not be a search hit for the following GREP expression [^#]123[ \-]45[ \-]6789[^#].
A1234567890


A sweep or highlight of a specific range of text is referred to as which of the following.
Highlighted data bookmark


Which of the following is not correct regarding building and querying indexes.
To search an index, click the Search button on the toolbar.


A file header is which of the following.
A unique set of characters at the beginning of a file that identifies the file type


The Windows operating system uses a file name's _______ to associate files with the proper applications.
extension


Unix (including Linux) operating systems use a file's _______ to associate file types to specific applications.
header


The Mac OS X operating system uses which of the following file information to associate a file to a specific application.
All of the above


Information regarding a file's header information and extension is saved by EnCase in the _________ file.
FileSignatures.ini


When a file's signature is unknown and a valid file extension exists, EnCase will display the following result after a signature analysis is performed.
!Bad Signature


When a file's signature is known and the file extension does not match, EnCase will display the following result after a signature analysis is performed.
Alias (Signature Mismatch)


When a file's signature is known and the file extension matches, EnCase will display the following result after a signature analysis is performed.
Match


When a file's signature and extension are not recognized, EnCase will display the following result after a signature analysis is performed.
Unknown


Can a file with a unique header share multiple file extensions.
Yes


A user can manually add new file headers and extensions by doing which of the following.
Choosing File Signatures view, right-clicking, and selecting New in the appropriate folder


Select the correct answer that completes the following statement: An MD5 hash ___________.
All of the above


EnCase can create a hash value for the following.
All of the above


What portion of an evidence file does EnCase analyze during the verification process to yield an MD5 hash value.
Data area


Will changing a file's name affect the file's MD5 hash value.
No


Usually a hash value found in a hash set named Windows XP Home Edition would be reported in the Hash Category column as which of the following.
Known


With regard to hash categories, evidentiary files or files of interest are categorized as which of the following.
Notable


An MD5 hash of a specific media generated by EnCase will yield the same hash value as an independent third-party MD5 hashing utility.
True


A hash _______ is comprised of hash _______, which is comprised of hash _______.
library(ies), set(s), value(s)


An operating system artifact can be defined as which of the following.
All of the above


A FAT file system stores date and time stamps in _______, whereas the NTFS file system stores date and time stamps in _______.
Local time and GMT


Where does Windows store the time zone offset.
Registry


The date and time of when a file was sent to the Recycle Bin can be found where.
$I index file


When a text file is sent a pre-Windows Vista Recycle Bin, Windows changes the short file name of the deleted file to DC0.txt in the Recycle Bin. Select the best choice that explains the deleted file name.
D=deleted, C=drive letter, 0=index number, file extension remains the same


When a document is opened, a link file bearing the document's file name is created in the ____folder.
Recent


Link files are shortcuts or pointers to actual items. These actual items can be what.
All of the above


In NTFS, information unique to a specific user is stored in the ______ file.
NTUSER.DAT


In Windows XP or Windows Vista, by default, how many recently opened documents are displayed in the My Recent Documents or Recent Items folder.
15


Most of a user's desktop items on a Windows XP operating system would be located in the _________ directory.
C:\Documents and Settings\%User%\Desktop


Because this file will hold the contents of RAM when the machine is powered off, the ______ file will be the size of the system RAM and will be in the root directory.
hiberfil.sys


Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows XP system.
All of the above


File names with the .url extension that direct web browsers to a specific website are located in which folder.
Favorites folder


Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the cookie is stored in.
index.dat file


On a Windows 98 machine, which folder is the swap or page file contained in.
WIN386.SWP


When you are examining evidence that has been sent to a printer, which file contains an image of the actual print job.
The spool file


The two modes for printing in Windows are ______ and _______.
EMF and RAW


Although the Windows operating system removed the EMF file upon a successful print job, the examiner may still recover the file as a result of a search on its unique header information in areas such as Unallocated Clusters or swap file.
True


The index.dat files are system files that store information about other files. They track date and time stamps, file locations, and name changes. Select the folder that does not contain an index.dat file.
Recycle Bin


The Temporary Internet Files directory contains which of the following.
All of the above


How many sector(s) on a hard drive are reserved for the master boot record (MBR).
63


The very first sector of a formatted hard drive that contains an operating system is referred to as which of the following.
All of the above


How many logical partitions does the partition table in the master boot record allow for a physical drive.
4


The very first sector of a partition is referred to as which of the following.
Volume boot record


If a hard drive has been fdisked, EnCase can still recover the deleted partition(s), if you point to the _________, right-click, and select Add Partition.
volume boot record


In an NTFS partition, where is the backup copy of the volume boot record (VBR) stored.
The last sector of the partition


EnCase can mount a compound file, which can then be viewed in a hierarchical format. Select an example of a compound file.
All of the above


Windows XP contains two master keys in its registry. They are KEY_LOCAL_MACHINE and which of the following.
HKEY_USERS


In Windows 2000/XP, information about a specific user's preference is stored in the NTUSER.DAT file. This compound file can be found where.
C:\Documents and Settings\username


In an NTFS file system, the date and time stamps recorded in the registry are stored where.
GMT and converted based on the system's time zone settings


EnScript is a proprietary programming language and application programming interface (API) developed by Guidance Software, designed to function properly only within the EnCase environment.
True


Since EnScript is a proprietary programming language developed by Guidance Software, EnScripts can be created by and obtained only from Guidance Software.
False


Filters are a type of EnScript that "filters" a case for certain file properties such as file types, dates, and hash categories. Like EnScripts, filters can also be changed or created by a user.
True


Select the type of email that EnCase 6 is not capable of recovering.
None of the above


Which method is used to view the contents of a compound file that contains emails such as a PST file in EnCase 6.
Both (Right-click, and select View File Structure) and (Run search, and in the Search menu select the types of email to recover).


EnCase 6 cannot process web-based email such as MSN Hotmail or Yahoo! Mail because the information can be found only on the mail servers.
False


The EnCase Decryption Suite (EDS) will not decrypt Microsoft's Encrypting File System (EFS) on the ___________ operating system.
Windows XP Home Edition


At which levels can the VFS module mount objects in the Windows environment.
All of the above


The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the module can mount a piece of media that is accessible in the Windows environment. Select the type(s) of media that the Physical Disk Emulator cannot mount.
Both (Cases) and (Folders)


The Virtual File System (VFS) module mounts data as _______, while the Physical Disk Emulator (PDE) module mounts data as _______.
network share, emulated disk


The end of a logical file to the end of the cluster that the file ends is called.
Slack


The boot partitioin table found at the beginning of a hard drive is located in what sector.
Master boot record


What information in a FAT file system directory entry refers to the location of a file on a hard drive.
The starting cluster


A logical file would be best described as.
The data from the beginning of the starting cluster to the length of the file.


A case file can contain __ hard drive images.
Any number of


Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with standard DOS 6.22 boot disk.
False


Select the appropriate name for the hightlighted area of the binary numbers.
Byte


If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed.
All of the above.


The BIOS chip on an IBM clone computer is most commonly located on.
The motherboard


Consider the following path in the FAT file system: C:\My Documents\My Pictures\Bikes. Where does the directory bikes receive its name.
From the My Pictures directory


The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. 800[) \-]+555-1212.
(800) 555-1212


How does EnCase verify that the case information (Case Number, Evidence Number, Investigator Name, etc) in an evidence file has not been damaged or changed, after the evidence file has been written.
Encase writes a CRC value of the case information and verifies the CRC value when the evidenece is.


Which of the following statements is more accurate.
The Recycle Bin increases the chance of locating the existence of a file on a computer.


The first sector on a volume is called the.
Volume boot sector or record


When an EnCase user double-clicks on a file within EnCase what determines the action that will result.
The settings in the FileTypes.ini file.


The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@[a-z]+.com.
Bob@America.com


The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[a-z].
Tom


The following GREP expressioin was typed in exactly as shown. Choose the answer(s) that would result. [\x00-\x05]\x00\x00\x00?[\x00-\x05]\x00\x00\x00.
04 00 00 FF FF BA


This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search.
Will find it because EnCase performs a logical search.


When a file is deleted in the FAT file system, what happens to the FAT.
The FAT entries for that file are marked as available


In DOS and Windows, how many bytes are in one FAT directory entry.
32


When a non-compressed evidence file is reacquired with compression, the aquistion and verification hash value for the evidence will remain the same for both files.
True


An EnCase evidence file of a hard drive _____ be restored to another hard drive of equal or greater size.
Can


Upon starting a new case, what two directories should be defined.
Default EXPORT and TEMP directories


All lab media should be forensically sterile. What does this mean.
The media should be: WIPED of all data AND VERIFIED to be absent of all data AND Freshly partitioned and formatted


All lab media should maintain a unique __________, and a unique __________ to receive evidence files.
VOLUME LABEL and DIRECTORY


What happens when an examiner double-clicks on a file of a file type known by EnCase.
The data is copied to the case defined TEMP directory, and the associated viewer is then called to display the file data


What happens to the data files that are copied by EnCase to the case defined TEMP directory.
When Encase is PROPERLY shut down, EnCase will DELETE the files from the temp folder.


What is the evidence file.
It is a BIT STREAM image of the source media written to a file(s).


Evidence files can be segmented between a range of _____ and _____.
Min 1 Mb - Max 2000 Mb.


You can add data to an existing evidence file.
FALSE


You can add data to an existing evidence file.
The contents of an evidence file CANNOT be changed, altered, or modified.


What does the FIRST block of the evidence file contain.
It contains the CASE INFORMATION, which is validated by an attached CRC.


How is the evidence file verified.
CRC (32bit) every 64 Sectors && MD5 (128bit) computed during the source media acquisition and placed at the end of the evidence file. && ALL CRC's and the MD5 MUST validate and verify.


If any changes occur to the evidence file (file corruption, etc...), what happens.
The CRC for the affected block(s) will NO LONGER VERIFY, and EnCase will display an ERROR when any data in that block(s) are accessed.


an individual segments of an evidence file be verified.
YES


What three (3) aspects of an evidence file can be changed without impacting the evidence file verification.
Add / Remove PASSWORD protection && Change file COMPRESSION && Change the file SEGMENT SIZE


What is the CASE file.
It is a TEXT file containing: Pointers to evidence file(s) && Results of searches and analysis (File Signature / Hashes) && Bookmarks && Investigator's Notes.


What is the MAXIMUM number of evidence files that can be added to a single case file.
There is NO limit. (ie. 8 HDDs, 200 FDDs, and 24 CDRs)


What is the file extension for a Encase version 4.x case file? ...for the back-up case file.
CASE for Encase v4.x && A backup file is created every 10 minutes by default with an extension of .CBK.


Evidence files can be RENAMED and MOVED without changing their Verification and Validity.
True


In the EnCase Environment, what are configuration files and how are they used.
.INI files that store global changes and settings to the Encase Environment. The global environment dictates information/tools available for ALL cases.


Searches within the EnCase Windows environment are both __________ and __________.
PHYSICAL && LOGICAL


What is UNICODE.
Unicode uses TWO (2) bytes for each character, allowing the representation of 65,536 characters.


During a search for a keyword, selecting the UNICODE option will cause Encase to search for the keyword in both ASCII and UNICODE.
True


How is the GREP symbol " ? " used during a search.
? Means "or not" - joh?n will yield both JON and JOHN.


How is the GREP symbol " \x " used during a search.
\x Indicates that the following value is to be treated as a hexadecimal value. (\xFF\xD8\xFF...)


How is the GREP symbol " * " used during a search.
* States to repeat the preceding character or set any number of times, including zero times.


How is the GREP symbol " + " used during a search.
+ States to repeat the preceding chracter or set any number of times, but at least once.


How is the GREP symbol " ^ " used during a search.
^ States "not" - [^a-z] = NO alpha characters from a to z.


How is the GREP symbol " - " used during a search.
Denotes a range or characters, as in [1-9] or [a-z].


How is the GREP symbols " [ ] " used during a search.
[ ] Square brackets form a set. The included values within the set have to match a single character. [1-9] will match any single numeric value from 1 to 9.


Default settings for the EnCase BOOT DISK search do NOT include case sensitivity, GREP or UNICODE.
True


Searches in unallocated space are (Physical / Logical) only. (Choose one).
Searches in unallocated space are PHYSICAL only, as no logical definitions exist in this area.


In the EnCase Windows environment, searches will find keywords in non-contiguous clusters in unallocated space.
False


Within the EnCase Environment, what does the File Signatures function do.
It simply compares the displayed file extension with the file's header/signature.


The File Signature table in EnCase CANNOT be changed.
FALSE.


After adding a device to your case, you immediately go to the Gallery View tab, as this will display all supported image files, even if they maintain extensions inconsisent with image files.
FALSE


After running the File Signature Analysis function, a file shows " !Bad Signature " as the result. What does this mean.
!Bad Signature - The extension is in the File Signature table, but the header is incorrect and the header is not in the File Signatures table. BAD -> [header].[ext] <-GOOD


After running the File Signature Analysis function, a file shows " *[Alias] " as the result. What does this mean.
*[Alias] - The header is in the table and the extension is incorrect. this indicates a file with a renamed extension. GOOD -> [header].[ext] <- BAD


After running the File Signature Analysis function, a file shows " MATCH " as the result. What does this mean.
MATCH - The header matches the extension. If the extension has no header in the File Signatures table then EnCase will return a MATCH as long as the header of the file does not match any header in the File Signatures table. GOOD -> [header].[ext] <- GOOD


Before running the File Signature Analysis function, the Gallery View will display all supported image files, even if they maintain extensions inconsisent with image files.
False


After running the File Signature Analysis function, a file shows " UNKNOWN " as the result. What does this mean.
UNKNOWN - Indicates that neither the header/signature nor the extension is listed in the table. If either the header/signature or the extension is listed in the table, you will NOT obtain a value of UNKNOWN. UNKNOWN -> [header].[ext] <- UNKNOWN


The hash value computed for a given file is based upon the physical file, including the files slack area.
FALSE


The hash value for a file will change if it is moved to another Folder/Directory.
FALSE


What purpose does a Hash Analysis serve for the Examiner.
Hash Analysis allows the examiner to identify files that are known - either as innocuous files that can be ignord, or as files that are evidentiary in content.


A files content can be recreated based on the computed hash value of that file.
False


What does ASCII stand for.
American Standard Code for Information Exchange


The ASCII Table is a _____ - Bit table.
The ASCII table is a 7-bit table. The resultant 128 values represent alpha/numeric values, common punctuation, etc.


What does the "LE" indicator within EnCase indicate.
It indicates the number of BYTES that been selected / swept / highlighted.


Nibble = 4 bits (16 possible values)
...


Byte = 8 bits (256 possible values)
...


Word = 2 bytes (16 bits)
...


DWord = 4 bytes (32 bits)
...


Only one file can occupy a CLUSTER at one time.
True


___________ file size is the amount of actual media space allocated to the file.
PHYSICAL


___________ file size is the actual number of bytes that the file contains.
LOGICAL


By default, each sector contains ____ data bytes.
512 data bytes. This size is consistant across different media types. (ZIP Disks, Floppies, HDD, etc...)


Each FAT volume maintains how many copies of the FAT.
It maintains two (2) copies of the FAT - FAT1 and FAT2.


he number of clusters that a file system can manage is determined by the available number of _____ employed by the FAT.
BITS


The FAT file systems (FAT12, FAT16, FAT32) group one or more sectors, in powers of 2, into _________.
Clusters


The FAT maintains information regarding the status of all the clusters on the volume. What are some of these settings.
Available, End of File, BAD, in use


What is Slack Space.
It is the data from the end of the logical file to end of the physical file. EnCase displays this data in RED text.


EnCase displays Slack Space in red text. By default, what other entry is also displayed in red and why.
Directory entries are also displayed in red. Neither slack nor directories have any logical size.


How does EnCase determine if a deleted file has been overwritten.
If the starting extent (cluster) is in use by another file.


Deleting a file has NO effect on the actual data in FAT or NTFS.
TRUE


What two (2) actions occur when a file is deleted from a FAT system.
The first character of the directory entry pertianing to the file is changed to E5h. && The values within the FAT that pertain to this file is reset to zero (available).


What does BIOS stand for.
BIOS = Basic Input Output System


What does the BIOS do.
It is responsible for the initial checking of the system components and initial configuration of the system once power is turned on.


What does the Examiner access to determine the target system boot sequence and system date/time.
The systems BIOS (Basic Input/Output System).


What is RAM.
Random Access Memory - stores data temorarily and is accessible immediately to the Operating System


What is ROM.
Read Only Memory


What is the first activity taken by a computer system after power is applied.
POST - Power On Self Test. This includes the testing of identified attached devices on the system bus


When are drive letters assigned by the operating system.
During the boot process. Note these letters are NOT written to the media.


In order for media to be bootable it must maintain a _________________.
Bootable partition / volume and in the case of HDD's it must also be set to Active.


What are some examples of Add-In Cards.
SCSI Host Card, Video Card, Network Interface Card (NIC), etc...


How are most standard IDE Drives configured for the roles of MASTER/SLAVE/CABLE.
Through the use of Jumper PINs on the physical drive


SCSI drives follow the same methodology as IDE drives of MASTER/SLAVE.
FALSE.


What is the formula for determing hard drive capacity (CHS geometry).
Clusters x Heads x Sectors x 512


What is contained in the first sector of a standard hard drive.
The MASTER BOOT RECORD. In the Windows and Linux operating system environment, the partition table is also located here


What is contained in the first sector of each defined partition on a physical hard drive.
VOLUME BOOT RECORD.


The partition Master Boot Record (MBR) can maintian how many entries? What is each records length.
The MBR can maintian four (4) records, each 16 Bytes in length


Using EnCase while doing an on-site triage, what are the four (4) options for previewing a drive.
FastBloc, Parallel Cable, Network Cable, Boot Disk Text Search


Why is it important to boot a target system with a Forensic Boot Disk.
To prevent writes to the target hard drive and the default mounting of a compressed volume


What two files need to be modified on a standard DOS boot disk to make it forensically sound.
IO.SYS, COMMAND.COM, Also, the drvspace.bin command must be removed


Run through the basic procedure for a forensic system takedown.
Photograph environment, external inspection, lable connections, internal inspection, disconnnect power/data cables from HDD, boot with EnCase boot disk, access BIOS - note date/time and boot sequence


Using the EnCase Boot Disk, you will be able to see ALL file systems, including NT logical partitions, Linux, Unix, and MAC HFS.
False


Evidence files can be restored to media of equal OR greater size.
True


How can you verify that the restore completed properly and that it is an exact match to the original media.
The MD5 hash value of a properly restored evidence file will match the value maintained within the evidence file


When restoring evidence files of a logical partition, the file system it is being restored to must match the original.
True


Where do you commonly see BASE64 encoded files.
Email Attachments.


Where does Windows 2000 and XP store users personal folders.
"C:\Documents and Settings"


What are .LNK files.
.lnk are "shortcut" files created by the windows operating system to files manipulated by the logged in user. They can show dates, times, and full path to the target file.


Name some of the more common artifact locations in the Windows 9X operating environment.
C:\Windows\Recent, C:\Windows\Desktop, C:\Windows\Send To, C:\Windows\Temp


In DOS/Windows environments, what is the length of FAT Directory entries.
32 Bytes in Length.


Every printed document from a computer is considered an "Original".
True


Compression of evidence files has no bearing on the validity or admissibility fo the data.
True


What is meant by the legal term "Daubert".
It is a legal test employed by US courts to determine if a scientific or technical process is acceptable.


What are the three basic questions asked to determine if a process is acceptable under Daubert.
Has the process been tested and subjected to peer review && Does the process/application maintain general acceptance within the related community && Can the findings be duplicated/repeated


If the original evidence must be returned to the owner, can the EnCase Evidence files be considered "Best Evidence".
Yes


What type of files are commonly associated with printing in the Windows operating system.
.emf / .spl / .shd


If the file system is not support by EnCase, the Examiner cannot use EnCase to do the examination.
False


You need to do an onsite acquisition of a Windows NT Server, should you Shut Down the system or pull the power plug.
Gracefully shut down the system. Generally, servers need to be shut down gracefully. Workstations or personal computers should have the power plug pulled


What does IDE stand for.
Integrated Drive Electronics.


FAT is defined as which of the following.
The FAT (File Allocation Table) is created by the file system during formats and contains pointers to clusters located on a drive.


How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT table.
When the FAT table marks a cluster as being bad, the entire cluster is prevented from being written to


Which of the following describes a partition table.
A partition table is located in the master boot record and is always located in the very first sector of a physical drive. The partition table keeps track of the partitions located on the physical drive.


Which selection keeps track of a fragmented file in a FAT file system.
The FAT table assigns numbers to each cluster entry pointing to the next cluster in the cluster run until the last cluster is reached, which is marked as EOF.


If the FAT table lists cluster number 2749 with a value of 0, what does this mean about this specific cluster.
When the FAT table marks as 0, it is in unallocated blusters (sic?), which means it is freely available to store data


Which of the following is true about a volume boot record.
The Volume Boot Record is always located at the first sector of its logical partition and contains the BIOS parameter block and volume boot code.


The NTFS file system does which of the following.
The NTFS file system supports long file names, compresses files and directories, and contains the BIOS parameter block and volume boot code.


How many clusters can a FAT32 file system manage.
A FAT32 file system theoretically allows up to 228 = 268,435,456 clusters. The extra 4 bits are reserved by the file system, however, and there is an MBR-imposed limit of 67,092,481 clusters, which means FAT32 is capable of supporting a file size of 2 terabytes


The FAT tracks the___while the directory entry tracks the___.
The FAT tracks the location of the last cluster for a file (EOF), while the directory entry maintains the file's starting cluster number


How many copies of the FAT does each FAT32 volume maintain in its default configuration.
Each volume maintains two copies (one for backup): FAT1 and FAT2.


A file's logical size is displayed as.
A file's logical size is displayed as the actual number of bytes that the file contains


A file's physical size is.
A file's physical size is the number of bytes to the end of the last cluster, and a file's logical size is the amount of bytes that the actual file contains. A file's physical size can be the same as its logical


A directory entry in a FAT file system has a logical size of which of the following.
A directory entry in a FAT file system has no logical size.


Each directory entry in a FAT file system is___bytes in length.
In a FAT file system each directory entry is 32 bytes in length.


By default, what color does EnCase use to display directory entries within a directory structure.
Because directory entries are just names with no logical size and because they do not contain any actual data, EnCase displays the information in red.


What is the area called between the end of a file's logical size and the file's physical size called.
The area between a file's logical size and its physical size is commonly referred to as slack space


What three things occur when a file is created in a FAT32 file system.
The directory structure records the file's information, the FAT tracks the number of clusters allocated to the file, and the file's data is filled in to the assigned clusters.


How does EnCase recover a deleted file.
EnCase recovers deleted files by first obtaining the file's starting cluster number and its size from the directory entry. Encase determines the number of clusters needed based on the file's size and then attempts to recover the data from the starting extent through the amount of clusters needed


What does EnCase do when a deleted file's starting cluster number is assigned to another file.
When EnCase determines that the starting cluster in the FAT has been reassigned to an existing file, it reports the previously deleted file as being overwritten.


What information does a file's directory entry in a FAT file system store about itself.
A file's directory entry stores almost everything about the file with the exception of the actual data itself. (File name, date/time, file extension, starting cluster(extent))


What is the most significant legal issue in computer forensics.
Admissibility of Evidence


When a file is deleted.
All of the above


Which of the following is not a property of computer evidence.
Conform and Human Readable


You can use ________, a powerful search tool, to perform keyword searches in Linux and in EnCase software.
grep


When a forensic copy is made, in what format are the contents of the hard
...


drive stored.
As compressed images


Which of the following is not a type of volatile evidence.
Log files


In establishing what evidence is admissible, many rules of evidence
...


concentrate first on the _____________ of the offered evidence.
Search and Seizure


Which of the following is a proper acquisition technique.
Disk to Image


Traditional crimes that became easier or more widespread because of telecommunication networks and powerful PCs include all of the following except.
Money laundering


_____________ devices prevent altering data on drives attached to the suspect computer and also offer very fast acquisition speeds.
Write Blocking


Which duplication method produces an exact replica of the original drive.
Bit-Stream Copy


To verify the original drive with the forensic copy, you use __________.
a hash analysis


As a good forensic practice, why would it be a good idea to wipe a forensic drive before using it.
Cross-contamination


The ability to hide data in another file is called.
Steganography


When two hard drives are on the same data cable, both drives must have
...


USB drives use ______________. Flash memory
...


Which of the following is not a true operating system.
Windows 3.1


When shutting down a computer, what information is typically lost.
All of the above


If the Internet History file has been deleted, ____________ may still provide information about what Web sites the user has visited.
Cookies


You are a computer forensic examiner tasked with determining what evidence is on a seized computer. On what part of the computer system will you find data of evidentiary value.
Hard drive


You are a computer forensic examiner and want to determine whether a user has opened or double-clicked a file. What folder would you look in for an operating system artefact for this user activity.
Recent


You are a computer forensic examiner explaining how computers store and access the data you recovered as evidence during your examination. The evidence was a log file and was recovered as an artefact of user activity on the _____, which was stored on the _____, contained within a _____ on the media.
operating system, file system, partition


The smallest area on a drive that data can be written to is a _____, while the smallest area on a drive that a file can be written to is a _____.
sector and cluster


File Allocation Table (FAT) is defined as which of the following.
It is unallocated and is available to store data


How many clusters can a FAT32 file system manage.
228 = 268,435,456 clusters


The FAT tracks the _____ while the directory entry tracks the _____.
file's last cluster (EOF) and file's starting cluster


What is the first consideration when responding to a scene of crime.
Your safety


When shutting down a computer, what information is typically lost.
All of the above


The Windows operating system uses a file name's _____ to associate files with the proper applications.
extension


A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following.
MS-DOS


How is the chain of custody maintained.
All of the above


What is the area between the end of a file's logical size and the file's physical size called.
Slack space


Which of the following is not acceptable for "bagging" a computer workstation.
Plastic garbage bag


In NTFS, information unique to a specific user is stored in the ____ file.
NTUSER.DAT


As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it.
Cross-contamination


A file header is which of the following.
A unique set of characters at the beginning of a file that identifies the file type


Most of a user's desktop items on a Windows XP operating system would be located in the _________ directory.
C:\Documents and Settings\%User%\Desktop


Because this file will hold the contents of RAM when the machine is powered off, the ______ file will be the size of the system RAM and will be in the root directory.
hiberfil.sys


Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows XP system.
All of the above


Data about Internet cookies such as URL names, date and timestamps, and pointers to the actual location of the cookie is stored in.
index.dat file


Windows XP contains two master keys in its registry. They are HKEY_LOCAL_MACHINE and which of the following.
HKEY_USERS


1.What is the most significant legal issue in computer forensics ?
Admissibility of Evidence


2.When a file is deleted
All of the above


3.Which of the following is not a property of computer evidence?
Conform and Human Readable


4.You can use_______, a powerful search tool, to perform keyword searches in Linux and in EnCase software.
grep


5.You are a computer forensics examiner at a scene and have determined you will seize a Linux server, which according to your source of information contains the database records for the company under investigation for fraud. The best practice for "taking down" the server for collection is to photograph the screen, note any running programs or messages and so on, and________
use the normal shutdown procedure.


6.When a forensic copy is made, in what format are the contents of the hard drive stored?
As compressed images.


7.Which of the following is not a type of volatile evidence?
Main Memory


8.In establishing what evidence is admissible, many rules of evidence concentrate first on the_______
...


Of the offered evidence.
Relevancy


9.Which of the following is a proper acquisition technique?
All of the above


10.Traditional crimes that became easier or more widespread because of telecommunication networks and powerful PCs include all of the following except
Child pornography


11.___________ devices prevent altering data on drives attached to the suspect computer and also offer very fast acquisition speeds
Write blocking


12.Which duplication method produces an exact replica of the original drive ?
Bit-Stream Copy


13.To verify the original drive with the forensic copy, you use___________
a hash analysis


14.The Windows operating system uses a file name's__________to associate files with the proper applications.
Extension


15.As a good forensic practice, why would it be a good idea to wipe a forensic drive before using it?
Cross-contamination


16.The ability to hide data in another file is called
Steganography.


17.When two hard drives are on the same data cable, both drives must have which to settings for them to work ?
Master and Slave.


18.USB drives use________
Flash memory.


19.Which of the following is a proper search technique?
All of the above.


20.A file header is which of the following?
A unique set of characters at the beginning of a file that identifies the file type.


21.Which of the following is not a true operating system?
UNIX


22. Computer memory files written to the hard drive are called______
Swap files.


23.When shutting down a computer, what information is typically lost?
All of the above


24._______is the science of hiding messages in messages.
Steganography.


25.If the internet history file has been deleted,_______may still provide information about what Web sites the user has visited.
Cookies


26.You are computer forensic examiner tasked with determining that evidence is on a seized computer. On what part of the computer system will you find data of evidentiary value?
Hard drive


27.The smallest area on a drive that data can be written to is a _______, while the smallest area on a drive that a file can be written to is a ________.
Sector and cluster


28.How many clusters can a FAT32 file system manage?
2^28=268,435,456 clusters


29.The FAT tracks the ________ while the directory entry tracks the ________.
file's last cluster (EOF) and file's starting cluster


30.What is the first consideration when responding to a scene?
Your safety


31.When shutting down a computer, what information is typically lost?
All of the above


32.The Windows operating system uses a file name's _______ to associate files with the proper applications.
extension


33. A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following?
MS-DOS


34. How is the chain of custody maintained?
All of the above


35. What is the area between the end of a file's logical size and the file's physical size called?
Slack space


36. Which of the following is not acceptable for "bagging" a computer workstation?
Plastic garbage bag.


37. In NTFS, information unique to a specific user is stored in the ______ file.
NTUSER.DAT


38. As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it?
Cross-contamination


39. A file header is which of the following?
A unique set of characters at the beginning of a file that identifies the file type


40. Most of a user's desktop items on a Windows XP operating system would be located in the _________ directory.
C:\Documents and Settings\%User%\Desktop


41. Because this file will hold the contents of RAM when the machine is powered off, the ______ file will be the size of the system RAM and will be in the root directory.
hiberfil.sys


42. Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the cookie is stored in:
index.dat file


43. Windows XP contains two master keys in its registry. They are KEY_LOCAL_MACHINE and which of the following?
HKEY_USERS


44. What type of attack could be prevented by egress filtering?
DDOS


45.If a suspect is using encryption, which data below is likely to be lost if the devices is powered off?
Laptop hard drive


46.You have been given the task to investigate web attacks on a Windows-based server.
...


47.Which of the following commands will you use to look at which sessions the machine has opened with other systems?
Net use


48.Joe is making a clone of the evidence drive onto a target drive. Which of these is not a good practice?
Use a hardware write-blocker


49.When the letter"A" is represented as 4th, it is displayed in
...


50.In which step of the computer forensics investigation methodology would you run MD5 checksum on the evidence
Acquire the data


51.TCP/IP is a communication protocol used to connect different host in the internet. It contains four layer namely the network interface layer, internet layer........ Which of the following protocols works under the transport layer of TCP/IP
UDP


52.Network forensics allows Investigators 10 inspect network traffic and logs to identify and locate the attack system.Network forensics can reveal.
...


53.Which of the following Steganography techniques allows you to encode information that ensures creation of cover for secret communication?
Cover generation techniques


54.Which of the following commands shows you the names of all open shared files on a server and number of file locks on each file?
netfile


55.A swap file is a space on a hard disk used as the virtual memory extension of a computer's RAM.Where is the hidden swap file in Windows located?
C:\pagefile.sys


56.FAT32 is a 32-bit version of FAT file system using smaller clusters and results in efficient storage capacity. What is the maximum drive size supported?
2terabytes


57.You can interact with the Registy through intermediate programs. Graphical user interface (GUI) Registry editors such as Regedit.exe or Regedit32.exe are.......
HKEY_USERS


58.What is the purpose of function of a computer's ROM chip
Long-term or permanent storage


59.All the information about the user activity on the network, like details about login and logoff ............
528


60.On a production Linux/UNIX server, you must generally be which user to shut down the system?
...


61.Which of these items must be written in clear, non-technical English ?
Examiner's final report


62.We execute this command ./vol.py...................
Display a list in tree form of all processes


63.What is the goal of forensics science?
To determine the evidential value of the crime scene and relate devidence


64.Digital evidence validation involves using a hashing algorithm ............ Which of the following hash algorithms produces a message digest that is 128 bits long?
md5


65.Task list command displays a list of applications and services with their ProcessID for all tasks running on either a local or a remote computer.
...


Which of the following task list commands provides information about the listed processes, including the image name, PID, name, and number of the session for the process?
tasklist/v


66.Which of the following commands shows you all of the network services running in Windows-based servers?
netstart


67.Which is a linux journaling file system?
...


68.A file header is
A unique set of characters at the beginning.......


69.Computer security logs contain information about the events occurring within an organization's.................
Analyzing log files


70.Computer use a numbering system with only two digits, 0 and 1. This system is referred to as
...


71.Which term describes long-term off-site storage of old data?
Cloud persistence


72.Which of the following commands shows you the TCP and UDP network connections, listening ports, and the identifiers
netstat /ano


73.Where is the Modified timestamp for a file stored?
Registry


74.MAC filtering is a security access control methodology, where a__________ is assigned to each network card to determine access to the network
48bit


75.The status of the network interface cards (NICs) connected to a system gives information about whether the system is connected to a wireless access point and whatIP address is being used.
...


Which command displays the network configuration of the NICs on the system?
ipconfig/all


76.The Volatility Framework currently provides the following extraction capabilities for memory samples
...


77.How many characters can be addressed by the 7-bit ASCII character table? 16-bit Unicode?
128 - 65.536


78.What is the first step required in preparing a computer for forensics investigation ?
Do not turn the computer off or on,...............


79.Which is protocol is used to send email?
SMTP


80.How do you define forensics computing?
It is the science of capturing..............


81.What activity of an SSD controller causes write operations to one block to actually store data on some other block?
File translation layer


82.A bit can have a binary value of ?
...


83.What term best describes BAGE64 enconding
Encryption


84.Tyler uses DISKPART and CLEAN ALL to write zeroes to his whole hard drive, including the Word document. What type of data is the Word document now?
Archival data


85.Windows Security Accounts Manager (SAM) is a registry file which stores passwords in a hashed format, SAM file in Windows is located at
...


86.When collectiong evidence from the RAM, where do you look for data?
Swap file


87.The NTFS file system does which of the following?
All of the others


88.What is the technical term for the last part of a Web address such as .com or .net ?
...


89.Which item must be placed in a Faraday bad immediately after seizure? Cell phone
...


90.POP3 is a standard protocol for receiving email ...............
PORT110


91.A company moves to the cloud, talking imagesoof their servers, routers, and switches, and deploying them to Amazon's serveres as virtual machines and software-defined networks.....
IaaS


92.Windows Security Event Log contains records of login/logout activity or other security-related events specified by the system's audit policy. What does event ID 531 in Windows Security Event Log indicates?
A logon attempt was made using a disabled account


93.The recycle bin is located on the windows desktop. When you .............
...


What is the size limit for Recycle bin in BIsta and later version of the Windows ?
...


94.Boston police searched houses for the bomber without warrants. What justification did they have for that ?
Probable cause


95.Tyler deletes the document, so it goes into the Recycle Bin. What type of data is it ?
...


96.Jason, a renowned forensics investigator, is investigating a network attack that ............
DNS Poisoning


97.Which of the following statements is incorrect when preserving digital evidence ?
Turn on the computer and extract Windows event viewer log files


98.Which is the most reliable forensics software?
Never trust any of them


99.What is a chain of custody
A legal document that demonstrates the progression of evidence a sit travels from the original evidence location to the forensic laboratory


100.How do you define Technical Steganography?
Steganography that uses physical or chemical means to hide the existence of a message


101.If you see a repeated patten of DEADBEEF for a large portion of a hard drive, what does this indicate?
Drive wiping


1. What is the most significant legal issue in computer forensics?
C. Admissibility of Evidence.


2. When a file is deleted
D. All of the above.


3. Which of the following is not a property of computer evidence?
...


A. Authentic and Accurate.
D. Conform and Human Readable.


4. You can use ________, a powerful search tool, to perform keyword searches
...


in Linux and in EnCase software.
A. grep.


5. You are a computer forensic examiner at a scene and have determined you will seize a Linux server, which according to your source of information contains the database records for the company under investigation for fraud. The best practice for "taking down" the server for collection is to photograph the screen, note any running programs or messages and so on, and __________.
A. Use the normal shutdown procedure


6. When a forensic copy is made, in what format are the contents of the hard
...


drive stored?
A. As compressed images.


7. Which of the following is not a type of volatile evidence?
C. Log files


8. In establishing what evidence is admissible, many rules of evidence concentrate first on the _____________ of the offered evidence.
B. Search and Seizure


9. Which of the following is a proper acquisition technique?
A. Disk to Image


10. Traditional crimes that became easier or more widespread because of telecommunication networks and powerful PCs include all of the following except
A. Money laundering


11. _____________ devices prevent altering data on drives attached to the suspect computer and also offer very fast acquisition speeds.
C. Write Blocking


12. Which duplication method produces an exact replica of the original drive?
A. Bit-Stream Copy


13. To verify the original drive with the forensic copy, you use __________.
B. a hash analysis


14. The Windows operating system uses a file name's ___________ to associate files with the proper applications.
B. Extension


15. As a good forensic practice, why would it be a good idea to wipe a forensic drive before using it?
D. Cross-contamination


16. The ability to hide data in another file is called
B. Steganography.


17. When two hard drives are on the same data cable, both drives must have which two settings for them to work?
C. Master and Slave


18. USB drives use ______________.
C. Flash memory


19. Which of the following is a proper search technique?
D. All of the above


20. A file header is which of the following?
A. A unique set of characters at the beginning of a file that identifies the file type


21. Which of the following is not a true operating system?
D. UNIX


22. Computer memory files written to the hard drive are called ____________.
A. Metadata


23. When shutting down a computer, what information is typically lost?
D. All of the above


24. ________________ is the science of hiding messages in messages.
C. Steganography


25. If the Internet History file has been deleted, ____________ may still provide information about what Web sites the user has visited.
A. Cookies


When an EnCase user double-clicks on a file within EnCase what determines the action that will result?
B. The settings in the FileTypes.ini file.


Search results are found in which of the following files?
C. The case file


If cluster #3552 entry in the FAT table contains a value of ?? this would mean:
A. The cluster is unallocated


The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Bob@[a-z]+.com
C. Bob@America.com


You are an investigator and have encountered a computer that is running at the home of a suspect. The computer does not appear to be a part of a network. The operating system is Windows XP Home. No programs are visibly running. You should:
A. Pull the plug from the back of the computer.


A physical file size is:
B. The total size of all the clusters used by the file measured in bytes.


In Unicode, one printed character is composed of ____ bytes of data.
C. 2


If cluster number 10 in the FAT contains the number 55, this means:
A. That cluster 10 is used and the file continues in cluster number 55.


How are the results of a signature analysis examined?
B. By sorting on the signature column in the Table view.


The acronym ASCII stands for:
B. American Standard Code for Information Interchange


The default export folder remains the same for all cases.
B. False


The EnCase default export folder is:
B. A case-specific setting that can be changed.


Hash libraries are commonly used to:
B. Identify files that are already known to the user.


Which is the proper formula for determining the size in bytes of a hard drive that uses cylinders (C), heads (H), and sectors (S) geometry?
B. C X H X S x 512


Within EnCase, clicking on Save on the toolbar affects what file(s)?
C. The open case file


EnCase uses the _________________ to conduct a signature analysis.
B. file signature table


EnCase is able to read and examine which of the following file systems?
A. NTFS EXT3 FAT HFS


ROM is an acronym for:
C. Read Only Memory


If a floppy diskette is in the ?drive, the computer will always boot to that drive before any other device.
B. True


A standard Windows 98 boot disk is acceptable for booting a suspect drive.
A. True


Search terms are case sensitive by default.
B. True


The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. Jan 1st , 2?0?00
D. Jan 1st , 2000


An evidence file can be moved to another directory without changing the file verification.
B. True


Pressing the power button on a computer that is running could have which of the following results?
D. All of the above could happen.


How does EnCase verify that the evidence file contains an exact copy of the suspect hard drive?
B. By means of an MD5 hash of the suspect hard drive compared to an MD5 hash of the data stored in the evidence file.


By default, EnCase will display the data from the end of a logical file, to the end of the cluster, in what color:
A. Red


A SCSI drive is pinned as a master when it is:
D. A SCSI drive is not pinned as a master.


The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[^a-z]
B. om? ? RP


This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
B. Will find it because EnCase performs a logical search.


An evidence file was archived onto five CD-Rom disks with the third file segment on disk number three. Can the contents of the third file segment be verified by itself while still on the CD?
C. Yes. Any segment of an evidence file can be verified through re-computing and comparing the CRCs, even if it is on a CD.


You are a computer forensic examiner tasked with determining what evidence is on a seized computer. On what part of the computer system will you find data of evidentiary value?
C. Hard drive


You are a computer forensic examiner explaining how computers store and access the data you recovered as evidence during your examination. The evidence was a log file and was recovered as an artifact of user activity on the ____________, which was stored on the _____________, contained within a ____________ on the media.
B. operating system, file system, partition


You are a computer forensic examiner investigating a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is FAT (File Allocation Table). What information about the document file can be found in the FAT on the media? (Choose all that apply.)
C. Starting cluster of the file


You are a computer forensic examiner investigating media on a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is NTFS (New Technology File System). What information about the document file can be found in the NTFS master file table on the media? (Choose all that apply.)
A. Name of the file | all


You are a computer forensic examiner at a scene and have determined you will seize a Linux server, which according to your source of information contains the database records for the company under investigation for fraud. What is the best practice for "taking down" the server for collection?
A. use


You are a computer forensic examiner and have imaged a hard drive on site. Before you leave the scene, you want to ensure the image completely verifies as an exact forensic duplicate of the original. To verify the EnCase evidence file containing the image, you should do which of the following?
D. Load the EnCase evidence files into EnCase for Windows, allow the verification process to finish, and then check the results for complete verification.


ou are a computer forensic examiner and need to verify the integrity of an EnCase evidence file. To completely verify the file's integrity, which of the following must be true?
...


A. The MD5 hash value must verify. B. The CRC values and the MD5 hash value both must verify.
...


You are a computer forensic examiner and need to determine what files are contained within a folder called Business documents. What EnCase pane will you use to view the names of the files in the folder?
B. Table pane


You are a computer forensic examiner and need to view the contents of a file contained within a folder called Business documents. What EnCase pane will you use to view the contents of the file?
C. View pane


You are a computer forensic examiner and are viewing a file in an EnCase evidence file. With your cursor, you have selected one character in the file. What binary term is used for the amount of data that represents a single character?
A. A byte


You are a computer forensic examiner and need to search for the name of a suspect in an EnCase evidence file. You enter the name of the suspect into the EnCase keyword interface as John Doe. What search hits will be found with this search term with the default settings? (Choose all that apply.)
A. john doe C. John Doe


You are a computer forensic examiner and need to determine whether any Microsoft Office documents have been renamed with image extensions to obscure their presence. What EnCase process would you use to find such files?
A. File signature analysis


You are a computer forensic examiner and want to reduce the number of files required for examination by identifying and filtering out known good or system files. What EnCase process would you use to identify such files?
D. File hash analysis


You are a computer forensic examiner and want to determine whether a user has opened or double-clicked a file. What folder would you look in for an operating system artifact for this user activity?
B. Recent


You are a computer forensic examiner and want to determine when a user deleted a file contained in a Windows XP Recycle Bin. In what file is the date and time information about the file deletion contained?
C. INFO2


You are a computer forensic examiner and want to determine how many times a program was executed. Where would you find information?
B. Registry


You are a computer forensic examiner and want to examine any email sent and received by the user of the computer system under investigation. What email formats are supported by EnCase?
all


What is the BIOS?
A. BIOS stands for Basic Input Output System and is a combination of low-level software and drivers that function as the interface, intermediary, or layer between a computer's hardware and its operating system.


Is the information stored on a computer's ROM chip lost during a proper shutdown?
B. No


Is the information contained on a computer's RAM chip accessible after a proper shutdown?
B. No


Can information stored in the BIOS ever change?
A. Yes


What is the purpose or function of a computer's ROM chip?
A. Long-term or permanent storage of information and instructions


Information contained in RAM memory (system's main memory), which is located on the
...


motherboard, is _________.
A. volatile


What is the maximum number of drive letters assigned to hard drive(s) partitions on a system?
C. 24


The smallest area on a drive that data can be written to is a _______, while the smallest area on a drive that a file can be written to is a ________.
B. sector and cluster


The size of a physical hard drive can be determined by which of the following?
E. Both B and C


The electrical pathway used to transport data from one computer component to another is called what?
A. Bus


What is the main component of a computer to which essential internal devices such as CPU, memory chips, and other chipsets are attached?
B. Motherboard


IDE, SCSI, and SATA are different types of interfaces describing what device?
D. Hard drives


What do the terms master, slave, and Cable Select refer to?
C. Jumper settings for internal hardware such as IDE hard drives and CD drives


What can you assume about a hard drive that is pinned as CS?
A. It's an IDE drive.


What is found at Cylinder 0, Head 0, Sector 1 on a hard drive?
A. Master boot record


What is the first sector on a volume called?
B. Volume boot record or sector


Which of the following is incorrect?
D. The partition table is contained within the MBR and consists of a total of 16 bytes, which describes up to four partitions using 4


FAT is defined as which of the following?
B. A table created during the format that the operating system reads to locate data on a drive


How does a corrupted sector located in the data area of a hard drive affect the corresponding cluster number on a FAT table?
D. It does affect the FAT table. The corresponding cluster number is marked as bad, and the entire cluster is prevented from being written to.


Which of the following describes a partition table?
D. All of the above.


Which selection keeps track of a fragmented file in a FAT file system?=
A. File allocation table


If the FAT table lists cluster number 2749 with a value of 0, what does this mean about this specific cluster?=
D. It is unallocated and is available to store data.


Which of the following is true about a volume boot record?=
D. A and C.


The NTFS file system does which of the following?=
D. All of the above


How many clusters can a FAT32 file system manage?=
D. 228 = 268,435,456 clusters


The FAT tracks the ________ while the directory entry tracks the ________.
C. file's last cluster (EOF) and file's starting cluster


How many copies of the FAT does each FAT32 volume maintain in its default configuration?=
B. Two


A file's logical size is displayed as?=
C. The number of bytes that the logical file contains


A file's physical size is?
B. The number of bytes in the logical file plus all slack space from the end of the logical file to the end of the last cluster


A directory entry in a FAT file system has a logical size of which of the following?
A. 0 bytes


Each directory entry in a FAT file system is ____ bytes in length.
D. 32


By default, what color does EnCase use to display directory entries within a directory structure?
B. Red


What is the area between the end of a file's logical size and the file's physical size called?
D. Slack space


What three things occur when a file is created in a FAT32 file system?
A. Directory entry for the file is created, the FAT assigns the necessary clusters to the file, and the file's data is filled in to the assigned clusters.


How does EnCase recover a deleted file?
C. It obtains the deleted file's starting cluster number and size from the directory entry to obtain the data's starting location and number of clusters required.


What does EnCase do when a deleted file's starting cluster number is assigned to another file?
C. EnCase marks the deleted file as being overwritten.


What information does a file's directory entry in a FAT file system store about itself?
E. All of the above


What is the first consideration when responding to a scene?
A. Your safety


What are some variables regarding a facility that you should consider prior to responding to a scene?
E. All of the above.


What are some variables regarding items to be seized that you should consider prior to
...


responding to a scene?
E. All of the above


Generally speaking, if you encounter a desktop computer running Windows XP, how should you take down the machine?
C. Shut down by pulling the plug from the computer box.


Generally speaking, if you encounter a computer running Windows 2000 Server, how should you take down the machine?
A. Shut down using its operating system.


Generally speaking, if you encounter a Unix/Linux machine, how should you take down the machine?
A. Shut down using its operating system.


When unplugging a desktop computer, from where is it best to pull the plug?
A. The back of the computer


What is the best method to shut down a notebook computer?
D. Both A and C.


Generally speaking, if you encounter a Macintosh computer, how should you take down the machine?
C. Shut down by pulling the plug from the computer box.


Which selection displays the incorrect method for shutting down a computer?
D. Linux: Pull the plug.


When shutting down a computer, what information is typically lost?
E. All of the above


Which of the following is not acceptable for "bagging" a computer workstation?
C. Plastic garbage bag.


File Allocation Table (FAT) is defined as which of the following?
B. A table created during the format that the operating system reads to locate data on a drive


The NT File System (NTFS) file system does which of the following?
D. All of the above


A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following?
D. MS-DOS


How is the chain of custody maintained?
E. All of the above


In NTFS, information unique to a specific user is stored in the ______ file.
B. NTUSER.DAT


As a good forensic practice, why would it be a good idea to wipe a forensic drive before reusing it?
B. Cross-contamination


If the number of sectors reported by EnCase does not match the number reported by the manufacturer for the drive, what should you do?
E. All of the above


Most of a user's desktop items on a Windows XP operating system would be located in the _________ directory.
D. C:\Documents and Settings\%User%\Desktop


Because this file will hold the contents of RAM when the machine is powered off, the ______ file will be the size of the system RAM and will be in the root directory.
A. hiberfil.sys


Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows XP system?
...


A. In Temporary Internet Files under Local Settings in the user's profile
E. All of the above


File names with the .url extension that direct web browsers to a specific website are located in which folder?
A. Favorites folder


Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the cookie is stored in:
B. index.dat file


On a Windows 98 machine, which folder is the swap or page file contained in?
A. WIN386.SWP


When you are examining evidence that has been sent to a printer, which file contains an image of the actual print job?
C. The spool file


The two modes for printing in Windows are ______ and _______.
D. EMF and RAW


Although the Windows operating system removed the EMF file upon a successful print job, the examiner may still recover the file as a result of a search on its unique header information in areas such as Unallocated Clusters or swap file.
A. True


The index.dat files are system files that store information about other files. They track date and time stamps, file locations, and name changes. Select the folder that does not contain an index.dat file.
C. Recycle Bin


The Temporary Internet Files directory contains which of the following?
D. All of the above


How many sector(s) on a hard drive are reserved for the master boot record (MBR)?
E. 63


The very first sector of a formatted hard drive that contains an operating system is referred to as which of the following?
D. All of the above


How many logical partitions does the partition table in the master boot record allow for a physical drive?
C. 4


The very first sector of a partition is referred to as which of the following?
D. Volume boot record


If a hard drive has been fdisked, EnCase can still recover the deleted partition(s), if you point to the _________, right-click, and select Add Partition.
B. volume boot record


In an NTFS partition, where is the backup copy of the volume boot record (VBR) stored?
C. The last sector of the partition


EnCase can mount a compound file, which can then be viewed in a hierarchical format. Select an example of a compound file.
E. All of the above


Windows XP contains two master keys in its registry. They are KEY_LOCAL_MACHINE and which of the following?
A. HKEY_USERS


In Windows 2000/XP, information about a specific user's preference is stored in the NTUSER.DAT file. This compound file can be found where?
C. C:\Documents and Settings\username


In an NTFS file system, the date and time stamps recorded in the registry are stored where?
B. GMT and converted based on the system's time zone settings


EnScript is a proprietary programming language and application programming interface (API) developed by Guidance Software, designed to function properly only within the EnCase environment.
A. True


Since EnScript is a proprietary programming language developed by Guidance Software, EnScripts can be created by and obtained only from Guidance Software.
B. False


Filters are a type of EnScript that "filters" a case for certain file properties such as file types, dates, and hash categories. Like EnScripts, filters can also be changed or created by a user.
A. True


Select the type of email that EnCase 6 is not capable of recovering.
E. None of the above


Which method is used to view the contents of a compound file that contains emails such as a PST file in EnCase 6?
C. Both A and B.


EnCase 6 cannot process web-based email such as MSN Hotmail or Yahoo! Mail because the information can be found only on the mail servers.
B. False


The EnCase Decryption Suite (EDS) will not decrypt Microsoft's Encrypting File System (EFS) on the ___________ operating system.
...


A. Windows 2000 Professional and Server
D. Windows XP Home Edition


At which levels can the VFS module mount objects in the Windows environment?
E. All of the above


The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the module can mount a piece of media that is accessible in the Windows environment. Select the type(s) of media that the Physical Disk Emulator cannot mount.
E. Both A and B


The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the module can mount a piece of media that is accessible in the Windows environment. Select the type(s) of media that the Physical Disk Emulator cannot mount.
E. Both A and B


The Virtual File System (VFS) module mounts data as _______, while the Physical Disk Emulator (PDE) module mounts data as _______.
A. network share, emulated disk


The end of a logical file to the end of the cluster that the file ends is called:
D. Slack


The boot partitioin table found at the beginning of a hard drive is located in what sector?
B. Master boot record


What information in a FAT file system directory entry refers to the location of a file on a hard drive?
C. The starting cluster


A logical file would be best described as:
A. The data from the beginning of the starting cluster to the length of the file.


A case file can contain __ hard drive images?
D. Any number of


Calls to the C:\ volume of the hard drive are not made by DOS when a computer is booted with standard DOS 6.22 boot disk.
B. False


Select the appropriate name for the hightlighted area of the binary numbers.
E. Byte


If an evidence file has been added to a case and completely verified, what happens if the data area within the evidence file is later changed?
D. All of the above.


The BIOS chip on an IBM clone computer is most commonly located on:
A. The motherboard


Consider the following path in the FAT file system: C:\My Documents\My Pictures\Bikes. Where does the directory bikes receive its name?
A. From the My Pictures directory


The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. 800[) \-]+555-1212.
D. (800) 555-1212


How does EnCase verify that the case information (Case Number, Evidence Number, Investigator Name, etc) in an evidence file has not been damaged or changed, after the evidence file has been written?
A. The Recycle Bin increases the chance of locating the existence of a file on a computer.


The first sector on a volume is called the:
D. Volume boot sector or record


When an EnCase user double-clicks on a file within EnCase what determines the action that will result?
C. The settings in the FileTypes.ini file.


The following GREP expression was typed in exactly as shown. Choose the answer(s) that would result. [^a-z]Tom[a-z]
C. Tom


The following GREP expressioin was typed in exactly as shown. Choose the answer(s) that would result. [\x00-\x05]\x00\x00\x00?[\x00-\x05]\x00\x00\x00
C. 04 00 00 FF FF BA


This question addresses the EnCase for Windows search process. If a target word is within a logical file, and it begins in cluster 10 and ends in cluster 15 (the word is fragmented), the search:
C. Will find it because EnCase performs a logical search.


When a file is deleted in the FAT file system, what happens to the FAT?
D. The FAT entries for that file are marked as available.


In DOS and Windows, how many bytes are in one FAT directory entry?
C. 32


When a non-compressed evidence file is reacquired with compression, the aquistion and verification hash value for the evidence will remain the same for both files.
A. True


An EnCase evidence file of a hard drive _____ be restored to another hard drive of equal or greater size.
A. Can


Upon starting a new case, what two directories should be defined?
Default EXPORT and TEMP directories.


What happens when an examiner double-clicks on a file of a file type known by EnCase?
The data is copied to the case defined TEMP directory, and the associated viewer is then called to display the file data.


What happens to the data files that are copied by EnCase to the case defined TEMP directory?
When Encase is PROPERLY shut down, EnCase will DELETE the files from the temp folder.


What is the evidence file?
It is a BIT STREAM image of the source media written to a file(s).


Evidence files can be segmented between a range of _____ and _____.
FALSE


It contains the CASE INFORMATION, which is validated by an attached CRC.
It contains the CASE INFORMATION, which is validated by an attached CRC.


It indicates the number of BYTES that been selected / swept / highlighted.
It indicates the number of BYTES that been selected / swept / highlighted.


Which of the following are required by forensic investigators?
D. All are required


Which of the following is NOT one of the skills you need as a forensic investigator?
D. Knowledge of the person's intent


Which of the following is NOT considered one of the five stage of a computer investigation?
C. Conviction


The chain of custody must include which of the following items?
A. Where the evidence was stored


Database/web/email/chat/voicemail servers
a. DNS/Name Servers
b. DHCP Servers
c. Application servers
d. Authentication Servers
c. Application servers


c
QN=1 Database/web/email/chat/voice mail servers
a. DNS/Name Servers
b. DHCP Servers
c. Application servers
d. Authentication Servers
e. None of the mentioned


00:02
01:38
Which Snort command line option is used to define that packets are not logged
A.-v
B.-c
C.-n
D.-l
E.-k
C


c
QN=2 What is the best statement for taking advantage of a weakness in the security of an IT system?
a. Threat
b. Attack
c. Exploit
d. Vulnerability


Which Snort command line option is used to read a rules file
A.-v
B.-c
C.-n
D.-l
E.-k
B


What is the best statement for taking advantage of a weakness in the security of an IT system?
a. Threat
b. Attack
c. Exploit
d. Vulnerability
c. Exploit


HTTP is _____ ?
a. Hypertext Transfer Protocol
b. Hypertext Text Protocol
c. Hypertext Transfer Programming
d. High Transfer Protocol
e. None of the above
a. Hypertext Transfer Protocol


a
QN=3 HTTP is_____?
a. Hypertext Transfer Protocol
b. Hypertext Text Protocol
c. Hypertext Transfer Programming
d. High Transfer Protocol
e. None of the above


Which Snort command line option is used to run in verbose mode
A.-v
B.-c
C.-n
D.-l
E.-k
A


Metasploit is ____ ?
a. Text editor
b. Backup tool
c. Antivirus software
d. Penetration testing software
e. Programming language
d. Penetration testing software


d
QN=4 Metasploit is____?
a. Text editor
b. Backup tool
c. Antivirus software
d. Penetration testing software
e. Programming language


Which Snort command line option is used to define the interface number
A.-v
B.-c
C.-i
D.-l
E.-k
C


00:02
01:38

Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
Contain IP address to MAC address mapping, the time the IP was leased
a. DNS/Name Servers
b. Vampire Taps
c. tcpdump
d. DHCP Servers
d. DHCP Servers


d
QN=5 Contain IP address to MAC address mapping, the time the IP was leased
a. DNS/Name Servers
b. Vampire Taps
c. tcp dump
d. DHCP Servers


Which Snort command line option is used to define the log directory
A.-v
B.-c
C.-n
D.-l
E.-k
D


Which Snort command line option is used to define an ASCII log
A.-a
B.-k ASCII
C.-K ASCII
D.-ascii
E.-text
C


Handles multiplexing of process communication, provides end-to-end
reliability, sequencing, flow control, congestion control. Connection
established through 3-way handshake.
a. Routers
b. Switches
c. TCP
d. NIDS/NIPS
c. TCP


c
QN=6 Handles multiplexing of process communication, provides end-to-end reliability, sequencing, flowcontrol, congestion control. Connection established through 3-way handshake.
a. Routers
b. Switches
c. TCP
d. NIDS/NIPS


Evidence collected from network device logs
a. Flow analysis
b. Active Acquisition
c. Modes of detection
d. Packet analysis
d. Packet analysis


d
QN=7 Evidence collected from network device logs
a. Flow analysis
b. Active Acquisition
c. Modes of detection
d. Packet analysis


Which Snort command line option is used to list the interfaces
A.-w
B.-W
C.-i
D.-a
E.-int
B


What port is used to connect to the Active Directory in Windows 2000?
a. 80
b. 445
c. 139
d. 389
d. 389


d
QN=8 What port isused to connect to the Active Directory in Windows 2000?
a. 80
b. 445
c. 139
d. 389


Which protocol does ping use:
A.IP
B.TCP
C.UDP
D.ICMP
E.HTTP
D


Monitor network traffic and alerts on suspicious activities
a. TCP
b. Firewalls
c. Switches
d. NIDS/NIPS
d. NIDS/NIPS


d
QN=9 Monitor network traffic and alerts on suspicious activities
a. TCP
b. Firewalls
c. Switches
d. NIDS/NIPS


Which transport layer protocol does DNS use:
A.IP
B.TCP
C.UDP
D.ICMP
E.HTTP
C


Which port does DNS use:
A.21
B.23
C.53
D.80
E.110
C


b
QN=10 DDOS attack is______
a. One-to-many IP adsdresses
b. Many-to-one IP addresses
c. One-to-one IP address
d. Many-to-many IP addresses


DDOS attack is ______
a. One-to-many IP adsdresses
b. Many-to-one IP addresses
c. One-to-one IP address
d. Many-to-many IP addresses
b. Many-to-one IP addresses


Rules, Alerts, packet capture is
a. DNS/Name Servers
b. NIDS/NIPS components
c. NIDS/NIPS
d. Induction coils
b. NIDS/NIPS components


b
QN=11 Rules, Alerts, packet capture is
a. DNS/Name Servers
b. NIDS/NIPS components
c. NIDS/NIPS
d. Induction coils


Typically, which TCP server port does FTP use:
A.21
B.23
C.53
D.80
E.110
A


Webserver, Email server, network port scanning is
a. Many-to-many IP addresses
b. One-to-many IP addresses
c. One-to-one IP address
d. Many-to-one IP addresses
c. One-to-one IP address


c
QN=12 Web server, Email server, network ports canning is
a. Many-to-many IPaddresses
b. One-to-many IPaddresses
c. One-to-one IP address
d. Many-to-one IP addresses


Typically, which TCP server port does TELNET use:
A.21
B.23
C.53
D.80
E.110
B


Logs successful/failed login attempts for all devices within its
authentication system
a. Induction coils
b. DHCP Servers
c. DNS/Name Servers
d. Authentication Servers
d. Authentication Servers


d
QN=13 Logs successful/failed login attempts for all devices within its authentication system
a. Induction coils
b. DHCP Servers
c. DNS/Name Servers
d. Authentication Servers


Typically, which TCP server port does HTTP use:
A.21
B.23
C.53
D.80
E.110
D


Typically, which TCP server port does POP-3 use:
A.21
B.23
C.53
D.80
E.110
E


ab
QN=14 What method can be used in online-passwor dattack?
a. Dictionary attack
b. Bruteforce attack
c. SQL injection
d. Cross-site-scripting
e. None of the above


What method can be used in online-password attack ?
a. Dictionary attack
b. Brute force attack
c. SQL injection
d. Cross-site-scripting
e. None of the above
a. Dictionary attack
b. Brute force attack


Contains routing tables that map router ports with the network, may
function as packet filters
a. Switch
b. Firewalls
c. TCP
d. tcpdump
b. Firewalls


b
QN=15 Contains routing tables that map router port swith the network, may function as packet filters
a. Switch
b. Firewalls
c. TCP
d. tcpdump


Which application layer protocol is used to send email:
A.SMTP
B.SNMP
C.POP-3
D.IMAP
E.SSH
A


Communicates error messages and other conditions via IP datagrams
a. Address Resolution Protocol (ARP)
b. Internet Control Message Protocol (ICMP)
c. HyperText Transfer Protocol (HTTP)
d. Internet Protocol (IP)
b. Internet Control Message Protocol (ICMP)


b
QN=16 Communicates error messages and other conditions via IP datagrams
a. Address Resolution Protocol (ARP)
b. Internet Control Message Protocol (ICMP)
c. Hyper Text Transfer Protocol (HTTP)
d. Internet Protocol (IP)


Which application layer protocol is used to read email:
A.SMTP
B.SNMP
C.POP-3
D.FTP
E.SSH
C


Addressing and Routing (src and dst) at Layer 3
a. Fiber optic taps
b. Inline Network Taps
c. Induction coils
d. Internet Protocol (IP)
d. Internet Protocol (IP)


d
QN=17 Addressing and Routing (src and dst) at Layer 3
a. Fiber optic taps
b. Inline etwork Taps
c. Induction coils
d. Internet Protocol (IP)


Which application layer protocol is used to read email:
A.SMTP
B.SNMP
C.IMAP
D.FTP
E.SSH
C


Contains tables that store mapping between physical port and MAC addresses
a. Switches
b. TCP
c. Routers
d. tcpdump
a. Switches


a
QN=18 Contains tables that store mapping between physical port and MAC addresses
a. Switches
b. TCP
c. Routers
d. tcp dump


In Snort how might the home network variable to set
A.var $HOME_NET=192.168.0.12\24
B.var $HOME_NET 192.168.0.12\24
C.$HOME_NET 192.168.0.12\24
D.$HOME_NET=192.168.0.12\24
E.var $HOME_NET is 192.168.0.12\24
B


In Snort, which is the default alert file
A.alert.txt
B.snort.txt
C.myalerts.ids
D.alert.ids
E.source.alert
D


a
QN=19 Devices that pierce the shielding of copper cables
a. Vampire Taps
b. DHCP Servers
c. Routers
d. NIDS/NIPS


Devices that pierce the shielding of copper cables
a. Vampire Taps
b. DHCP Servers
c. Routers
d. NIDS/NIPS
a. Vampire Taps


What does the "SYN", "SYN,ACK", "ACK" sequence signify
A.The identification of a buffer overflow
B.The retransmission of data
C.The end of a client-server connection
D.The handshaking of data for a client-server connection
E.The initial negotiation of a client-server connection
E


Stores web surfing log for an entire organization
a. Routers
b. DHCP Servers
c. Web proxies
d. Firewalls
c. Web proxies


c
QN=20 Stores web surfing log for an entire organization
a. Routers
b. DHCP Servers
c. Web proxies
d. Firewalls


MAC flooding (overflowing table) or ARP spoofing (fill table with fake value)
a. Intercepting traffic from switches
b. Intercepting traffic in wireless media
c. Higher-layer Traffic analysis
d. Intercepting traffic from hubs
a. Intercepting traffic from switches


a
QN=21 MAC flooding (over flowing table) or ARP spoofing (fill table with fake value)
a. Intercepting traffic from switches
b. Intercepting traffic in wireless media
c. Higher-layer Traffic analysis
d. Intercepting traffic from hubs


For the "SYN", "SYN,ACK", "ACK" sequence, who generates the initial "SYN"
A.The client
B.The server
C.Either the client or the server
A


DNS is ____
a. Domain Name System
b. Domain Name Server
c. Domain Name Service
d. Domain Network System
e. None of the above
b. Domain Name Server


b
QN=22 DNS is____
a. Domain Name System
b. Domain Name Server
c. Domain Name Service
d. Domain Network System
e. None of the above


For the "SYN", "SYN,ACK", "ACK" sequence, who generates the "SYN,ACK"
A.The client
B.The server
C.Either the client or the server
B


Distributed database used to map between domain names and IP addresses
a. Modes of detection
b. Inline Network Taps
c. Vampire Taps
d. Domain Name System (DNS)
d. Domain Name System (DNS)


d
QN=23 Distributed database used to map between domain names and IP addresses
a. Modes of detection
b. Inline Network Taps
c. Vampire Taps
d. Domain Name System (DNS)


For the "SYN", "SYN,ACK", "ACK" sequence, who generates the "ACK"
A.The client
B.The server
C.Either the client or the server
A


Which type of traffic cannot be deeply inspected
A.Email
B.Web
C.TELNET
D.SSH
E.FTP
D


d
QN=24 Sensor, collector, aggregator, analysis
a. Flow analysis techniques
b. Wireless access points
c. Web proxies
d. Flow record processing system


Sensor, collector, aggregator, analysis
a. Flow analysis techniques
b. Wireless access points
c. Web proxies
d. Flow record processing system
d. Flow record processing system


One source IP, one or more destination IOP, destination port numbers increasing incrementally, large volume of packets, outbound protocol flags set to SYN
a. TCP port scan
b. Web proxies
c. DHCP Servers
d. Vampire Taps
a. TCP port scan


a
QN=25 One source IP, one or more destination IOP, destination port numbers increasing incrementally, large volume of packets, out bound protocol flags set to SYN
a. TCP port scan
b. Web proxies
c. DHCP Servers
d. Vampire Taps


Which type of traffic cannot be deeply inspected
A.Email
B.Web
C.TELNET
D.SFTP
E.FTP
D


Sniffing, protocol understanding, Alerting and high fidelity
a. NIDS/NIPS Evidence Acquisition
b. NIDS/NIPS components
c. Induction coils
d. NIDS/NIPS functionality
d. NIDS/NIPS functionality


d
QN=26 Sniffing, protocol understanding, Alerting and high fidelity
a. NIDS/NIPS Evidence Acquisition
b. NIDS/NIPS components
c. Induction coils
d. NIDS/NIPS functionality
e. None of the mentioned


Which type of traffic cannot be deeply inspected
A.Email
B.Web
C.TELNET
D.SHTTP
E.FTP
D


Recovering and analyzing digital evidence from network resources
a. TCP port scan
b. Protocol analysis
c. Web proxies
d. Network Forensics
d. Network Forensics


d
QN=27 Recovering and analyzing digital evidence from network resources
a. TCP port scan
b. Protocol analysis
c. Web proxies
d. Network Forensics


Which TCP port does SMTP use
A.21
B.23
C.25
D.110
E.143
C


Which TCP port does IMAP use
A.21
B.23
C.25
D.110
E.143
E


a
QN=28 Connection less, unreliable, used by DNS, SNMP, audio/video streaming
a. User Datagram Protocol
b. Internet Protocol (IP)
c. Fiber optic taps
d. Web proxies


Connection less, unreliable, used by DNS, SNMP, audio/video streaming
a. User Datagram Protocol
b. Internet Protocol (IP)
c. Fiber optic taps
d. Web proxies
a. User Datagram Protocol


Which TCP port does POP-3 use
A.21
B.23
C.25
D.110
E.143
D


ac
QN=29 What character can be used t ocomment at the end of your SQL injection?
a. #
b. ;
c. -
d. $
e. %


What character can be used to comment at the end of your SQL injection ?
a. #
b. ;
c. --
d. $
e. %
a. #
c. --


a
QN=30 Pattern matching, parsing fields, packet filtering
a. Packet analysis techniques
b. Flow analysist echniques
c. Web analysis techniques
d. DNS analysis techniques


What is ARP used for
A.Discovering the MAC address of a host
B.Discovering the IP address of a host
C.Discovering the local MAC address
D.Discoverting the local IP address
E.Discovering the IP for a Domain Name
A


Pattern matching, parsing fields, packet filtering
a. Packet analysis techniques
b. Flow analysis techniques
c. Web analysis techniques
d. DNS analysis techniques
a. Packet analysis techniques


Provides mapping between IP addresses and MAC for a local subnet
a. Address Resolution Protocol (ARP)
b. Internet Protocol (IP)
c. HyperText Transfer Protocol (HTTP)
d. Internet Control Message Protocol (ICMP)
a. Address Resolution Protocol (ARP)


a
QN=31 Provides mapping between IP addresses and MAC for a local subnet
a. Address Resolution Protocol (ARP)
b. Internet Protocol (IP)
c. Hyper Text Transfer Protocol (HTTP)
d. Internet Control Message Protocol (ICMP)


For an ARP request, which source MAC address is used
A.The local host
B.The destination host
C.The broadcast address
A


Tool for capturing, filtering, and analyzing traffic
a. Routers
b. TCP
c. NIDS/NIPS
d. tcpdump
d. tcpdump


d
QN=32 Tool for capturing, filtering, and analyzing traffic
a. Routers
b. TCP
c. NIDS/NIPS
d. tcpdump


For an ARP request, which destination MAC address is used
A.The local host
B.The destination host
C.The broadcast address
C


For an ARP reply which source MAC address is used
A.The local host
B.The destination host
C.The broadcast address
A


a
QN=33 Comprehensive study of protocols, packets and flows, and methods for dissecting them
a. Packet analysis use cases
b. Protocol analysis
c. Flow analysis
d. Packet analysis


Comprehensive study of protocols, packets and flows, and methods for dissecting them
a. Packet analysis use cases
b. Protocol analysis
c. Flow analysis
d. Packet analysis
a. Packet analysis use cases


b
QN=34 Data is broadcasted, easy to eavesdrop
a. Intercepting traffic in wireless media
b. Intercepting traffic from hubs
c. Intercepting traffic in wired media
d. Intercepting traffic from switches


For an ARP reply, which destination MAC address is used
A.The local host
B.The destination host
C.The broadcast address
B


Data is broadcasted, easy to eavesdrop
a. Intercepting traffic in wireless media
b. Intercepting traffic from hubs
c. Intercepting traffic in wired media
d. Intercepting traffic from switches
b. Intercepting traffic from hubs


Libraries: libpcap and WinPcap, Tools: Wireshark, snort, nmap, ngrep, tcpdump
a. Application servers
b. Traffic acquisition software
c. Active Acquisition
d. Authentication Servers
b. Traffic acquisition software


b
QN=35 Libraries: libpcap and WinPcap, Tools: Wireshark, snort, nmap, ngrep, tcpdump
a. Application servers
b. Traffic acquisition software
c. Active Acquisition
d. Authentication Servers


Which is the encrypted port used for IMAP over SSL
A.25
B.110
C.143
D.993
E.999
D


Physical, 2. Data Link, 3. Network, 4. Transport, 5. Session, 6. Presentation, 7. Application
a. Modes of detection
b. Open System Interconnection (OSI)
c. Induction coils
d. Internet Protocol (IP)
b. Open System Interconnection (OSI)


b
QN=36 1.Physical, 2.DataLink, 3.Network, 4.Transport, 5.Session, 6. Presentation, 7.Application
a. Modesof detection
b. Open System Inter connection (OSI)
c. Induction coils
d. Internet Protocol (IP)


In IDS patterns, which is an example of outside reconnaissance
A.DNS lookup
B.Subnet layout
C.Breaching a firewall
D.Advance-up security levels
E.Data stealing
A


Facilitates sending and receiving documents on the web
a. User Datagram Protocol
b. Address Resolution Protocol (ARP)
c. HyperText Transfer Protocol (HTTP)
d. Internet Protocol (IP)
c. HyperText Transfer Protocol (HTTP)


c
QN=37 Facilitates sending and receiving documents on the web
a. User Datagram Protocol
b. Address Resolution Protocol (ARP)
c. Hyper Text Transfer Protocol (HTTP)
d. Internet Protocol (IP)


In IDS patterns, which is an example of inside reconnaissance
A.DNS lookup
B.Subnet layout
C.Breaching a firewall
D.Advance-up security levels
E.Data stealing
B


In IDS patterns, which is an example of exploit
A.DNS lookup
B.Subnet layout
C.Breaching a firewall
D.Advance-up security levels
E.Data stealing
C


Understand how a protocol works, how to identify and dissect it; can use RFCs and standards to understands protocols
a. Protocol analysis
b. Flow analysis
c. Network Forensics
d. Protocol identification
a. Protocol analysis


a
QN=38 Understand how a protocol works, how to identify and dissect it; canuse RFCs and standards to understands protocols
a. Protocol analysis
b. Flow analysis
c. Network Forensics
d. Protocol identification


c
QN=39 How do you prevent SQL Injection?
a. Use mysql,don`t use microsoft sql
b. Use SQLmap
c. Use Parameterized Queries
d. Use PHP language,don`t use .Net or Java language
e. None of the above


In IDS patterns, which is an example of a foothold
A.DNS lookup
B.Subnet layout
C.Breaching a firewall
D.Advance-up security levels
E.Data stealing
D


How do you prevent SQL Injection ?
a. Use mysql, don`t use microsoft sql
b. Use SQLmap
c. Use Parameterized Queries
d. Use PHP language, don`t use .Net or Java language
c. Use Parameterized Queries


May detect attacks in progress, can be tuned to give more granular data
a. Open System Interconnection (OSI)
b. Network Forensics
c. Flow record processing system
d. Network Intrusion Detection/Prevention Systems
d. Network Intrusion Detection/Prevention Systems


d
QN=40 May detect attacks in progress, can be tuned to give more granular data
a. Open System Inter connection (OSI)
b. Network Forensics
c. Flow record processing system
d. Network Intrusion Detection/Prevention Systems


In IDS patterns, which is an example of profit
A.DNS lookup
B.Subnet layout
C.Breaching a firewall
D.Advance up security levels
E.Data stealing
E


In default, HTTP services work on port ?
a. 80
b. 443
c. 25
d. 110
a. 80


a
QN=41 Indefault, HTTP services work on port?
a. 80
b. 443
c. 25
d. 110
e. None of the above


Which IDS logger can detect unsuccessful access through a firewall
A.An IDS on the outside firewall port
B.An IDS on the inside firewall port
C.A host-based IDS
A


In default, HTTPS services work on port ?
a. 80
b. 443
c. 25
d. 110
e. 81
b. 443


b
QN=42 In default, HTTPS services work on port?
a. 80
b. 443
c. 25
d. 110
e. 81


Which IDS logger can detect successful accesses through a firewall
A.An IDS on the outside firewall port
B.An IDS on the inside firewall port
C.A host-based IDS
B


Which tool shows the open TCP ports
A.nslookup
B.net
C.ping
D.netstat
E.ipconfig
D


Search from common values associated with a protocol, information in encapsulated protocol, port numbers, server functions, common header values
a. Protocol identification
b. Protocol analysis
c. Active Acquisition
d. Modes of detection
a. Protocol identification


a
QN=43 Search from common values associated with a protocol, information in encapsulated protocol, port numbers, server functions, common header values
a. Protocol identification
b. Protocol analysis
c. Active Acquisition
d. Modesof detection


MAC refers to
a. Medium Access Control
b. Machine Address Control
c. Machine Assess Control
d. none of the above
b. Machine Address Control


b
QN=44 MAC refers to
a. Medium Access Control
b. Machine Address Control
c. Machine Assess Control
d. none of the above


Which tool shows the MAC address of the local host
A.nslookup
B.net
C.ping
D.netstat
E.ipconfig
E


______________ is forensics applied to information stored or transported
on network.
a. Information forensics
b. Data forensics
c. Computer forensics
d. Network forensics
d. Network forensics


d
QN=45 ______________ is forensics applied to information stored or transported on network.
a. Information forensics
b. Data forensics
c. Computer forensics
d. Network forensics


Which tool shows the IP address of a domain name
A.nslookup
B.net
C.ping
D.netstat
E.ipconfig
A


A network sniffer program is an example of:
a. Evidence development tool
b. Packet collection tool
c. Packet formatting tool
d. none of the above
b. Packet collection tool


b
QN=46 A network sniffer program is an example of:
a. Evidence development tool
b. Packet collection tool
c. Packet formatting tool
d. none of the above


Which tool determines if a host is on-line
A.nslookup
B.net
C.ping
D.netstat
E.ipconfig
C


Which transport protocol does DNS use
A.SPX
B.TCP
C.UDP
D.IP
C


d
QN=47 The following is an application layer protocol
a. HTTP
b. SMTP
c. BOOTP
d. All of the above


The following is an application layer protocol
a. HTTP
b. SMTP
c. BOOTP
d. All of the above
d. All of the above


Packet capture file format, pcap is based on a library called
a. libcap
b. libc
c. libpcap
d. libvmi
c. libpcap


c
QN=48 Packet capture file format, pcap is based on a libraryc alled
a. lib cap
b. libc
c. libp cap
d. libvmi
e. None of the mentioned


Which UDP port does DNS use
A.21
B.23
C.53
D.80
E.110
C


NetFlow was developed by
a. Extreme
b. Juniper
c. Cisco
d. Brocade
c. Cisco


c
QN=49 Net Flow was developed by
a. Extreme
b. Juniper
c. Cisco
d. Brocade


When a host sends an ARP for a node at 1.2.3.4, who will receive the reply
A.The whole network bounded by a router port
B.Only the host that asked for it
C.The host that asked for it, and the router port
D.Only the requested host
B


Anti-forensic prevents ____.
a. Forensic investigation process
b. Attacker to attack
c. Security threats
d. Malicious attacks
a. Forensic investigation process


a
QN=50 Anti-forensicprevents____.
a. Forensic investigation process
b. Attacker to attack
c. Security threats
d. Malicious attacks


When a host sends an ARP for a node at 1.2.3.4, who will receive the ARP request
A.The whole network bounded by a router port
B.Only the host that asked for it
C.The host that asked for it, and the router port
D.Only the requested host
A


Which Snort pre-processor rule detects port scans
A.ICMP Scan
B.FSPORTSCAN
C.PINGALERT
D.CTRLALTDEL
B


d
QN=51 Which of the following type of attack CANNOT be deterred solely through technical means?
a. Dictionary
b. Man in the middle
c. DoS (Denial of Service)
d. Social engineering
e. None of the mentioned


Which of the following type of attack CANNOT be deterred solely through technical means?
a. Dictionary
b. Man in the middle
c. DoS (Denial of Service)
d. Social engineering
d. Social engineering


HTML is _____?
a. Hypertext Markup Language
b. Hypertext Makeup Language
c. High Markup Language
d. Hypertext Markup Loop
e. None of the above
a. Hypertext Markup Language


a
QN=52 HTML is_____?
a. Hypertext Markup Language
b. Hypertext Makeup Language
c. High Markup Language
d. Hypertext Markup Loop
e. None of the above


Which tool does a vunerability analysis for a host
A.nslookup
B.nmap
C.ping
D.netstat
E.ipconfig
B


Why do social engineering attacks often succeed?
a. strong passwords are not required
b. lack of security awareness
c. multiple logins are allowed
d. audit logs are not monitored frequently
b. lack of security awareness


b
QN=53 Why do social engineering attacks often succeed?
a. strong passwords are not required
b. lack of security awareness
c. multiple logins are allowed
d. audit logs are not monitored frequently


Which WinPCap display filter will only show SYN/ACK TCP flags:
A.tcp.flags.syn==0 and tcp.flags.ack==0
B.tcp.flags.syn==0 and tcp.flags.ack==1
C.tcp.flags.syn==1 and tcp.flags.ack==0
D.tcp.flags.syn==1 and tcp.flags.ack==1
E.tcp.flags.syn==1 or tcp.flags.ack==1
D


SSL is _____?
a. Secure Server Level
b. Secure Sockets Layer
c. Secure Sockets Level
d. Secure Server Layer
e. None of the above
b. Secure Sockets Layer


b
QN=54 SSL is_____?
a. Secure Server Level
b. Secure Sockets Layer
c. Secure Sockets Level
d. Secure Server Layer
e. None of the above


Which WinPCap display filter will only show HTTP traffic:
A.tcp.port == 21
B.tcp.port == 23
C.tcp.port == 25
D.tcp.port == 80
E.tcp.port == 143
D


Which of the following is an example of the theft of network passwords without the use of software tools?
a. Trojan programs
b. Social engineering
c. Sniffing
d. Hacking
b. Social engineering


b
QN=55 Which of the following is an example of the theft of network passwords without the use of software tools?
a. Trojan programs
b. Social engineering
c. Sniffing
d. Hacking


Which WinPCap display filter will only show FTP traffic:
A.tcp.port == 21
B.tcp.port == 23
C.tcp.port == 25
D.tcp.port == 80
E.tcp.port == 143
A


Which WinPCap display filter will only show TELNET traffic:
A.tcp.port == 21
B.tcp.port == 23
C.tcp.port == 25
D.tcp.port == 80
E.tcp.port == 143
B


a
QN=56 AJAX is?
a. Asynchronous JavaScript And XML
b. Asynchronous Java And XML
c. Asynchronous JavaScript And XPATH
d. Asynchronous Java And XPATH
e. None of the above


AJAX is ?
a. Asynchronous JavaScript And XML
b. Asynchronous Java And XML
c. Asynchronous JavaScript And XPATH
d. Asynchronous Java And XPATH
e. None of the above
a. Asynchronous JavaScript And XML


Which of the following measures can be used to guard against a social engineering attack?
a. Education, limit available information and security policy.
b. Education, firewalls and security policy.
c. Security policy, firewalls and incident response.
d. Security policy, system logging and incident response. e.
a. Education, limit available information and security policy.


a
QN=57 Which of the following measures can be used to guard against a social engineering attack?
a. Education, limit available information and securityp olicy.
b. Education, firewalls and security policy.
c. Securitypolicy, firewalls and incident response.
d. Securitypolicy, system logging and incident response.


Which WinPCap display filter will only show SMTP traffic:
A.tcp.port == 21
B.tcp.port == 23
C.tcp.port == 25
D.tcp.port == 80
E.tcp.port == 143
C


Which of the following is the major difference between a worm and a Trojan horse?
a. Worms are spread via e-mail while Trojan horses are not.
b. Worms are self replicating while Trojan horses are not.
c. Worms are a form of malicious code while Trojan horses are not.
d. There is no difference.
b. Worms are self replicating while Trojan horses are not.


b
QN=58 Which of the following is the major difference between a worm and a Trojan horse?
a. Worms are spread via e-mail while Trojan horses are not.
b. Worms are self replicating while Trojan horses are not.
c. Worms are a form of malicious code while Trojan horses are not.
d. There is no difference.
e. None of the mentioned


Which WinPCap display filter will only show IMAP traffic:
A.tcp.port == 21
B.tcp.port == 23
C.tcp.port == 25
D.tcp.port == 80
E.tcp.port == 143
E


What type of program will record system keystrokes in a text file and e- mail it to the author, and will also delete system logs every five days or whenever a backup is performed?
a. Virus
b. Back door
c. Logic bomb
d. Trojan
d. Trojan


d
QN=59 What type of program will record system key strokes in a text file and email it to the author, and will also delete system log severy five days or whenever a backup is performed?
a. Virus
b. Backdoor
c. Logic bomb
d. Trojan


Which WinPCap display filter will only show POP-3 traffic:
A.tcp.port == 21
B.tcp.port == 23
C.tcp.port == 25
D.tcp.port == 110
E.tcp.port == 143
D


Which of the following is the boolean operator for logical-and?
a. *
b. &&
c. |
d. |&
e. None of the above
b. &&


b
QN=60 Which of the following is the boolean operator for logical-and?
a. *
b. &&
c. |
d. |&
e. None of the above


Which protocol on a switch should be setup to allow a host to capture traffic from other hosts:
A.ARP
B.SPAN
C.HTTP
D.FTP
E.TELNET
B


b
QN=61 In ISO 27002, which sections defines the responses and procedures around a security incident
a. Compliance
b. Information security incident management
c. Information systems acquisition, development and maintenace
d. Business continuity management
e. None of the other choices


Which TCP does MSN Messenger use:
A.1024
B.21
C.23
D.1836
E.1863
E


d
QN=62 Which involves impersonation of users/devices?
a. Piggy back attacks
b. Spoofing
c. Physical removals
d. Impersonation
e. None of the mentioned


Which filter shows traffic for both 1.2.3.4 and 2.3.4.5:
A.ip.addr == 1.2.3.4 and ip.addr == 2.3.4.5
B.ip.addr == 1.2.3.4 or ip.addr == 2.3.4.5
C.not ip.addr == 1.2.3.4 and not ip.addr == 2.3.4.5
D.not ip.addr == 1.2.3.4 or not ip.addr == 2.3.4.5
B


b
QN=63 In ISO 27002, which sections defines the restriction of access rights to networks, systems, applications, functions and data?
a. Information systems acquisition, development and maintenance
b. Access control
c. None of the other choices
d. Physical and environmental security
e. Information security incident management


Which filter shows traffic between 1.2.3.4 and 2.3.4.5:
A.ip.addr == 1.2.3.4 and ip.addr == 2.3.4.5
B.ip.addr == 1.2.3.4 or ip.addr == 2.3.4.5
C.not ip.addr == 1.2.3.4 and not ip.addr == 2.3.4.5
D.not ip.addr == 1.2.3.4 or not ip.addr == 2.3.4.5
A


b
QN=64 ______________ are the two common data classification schemes
a. None of the other choice
b. Government and private sector/commercial business
c. Personal and government
d. Classified and unclassified
e. Private sector and unrestricted sector


Which filter shows traffic that is not destined for either 1.2.3.4 nor 2.3.4.5:
A.ip.addr == 1.2.3.4 and ip.addr == 2.3.4.5
B.ip.addr == 1.2.3.4 or ip.addr == 2.3.4.5
C.not ip.addr == 1.2.3.4 and not ip.addr == 2.3.4.5
D.not ip.addr == 1.2.3.4 or not ip.addr == 2.3.4.5
C


d
QN=65 In Snort, which rule detects and FIN scan?
a. alert tcp any -> any any (msg:"--"; sid:999;flags:0;)
b. alert tcp any -> any any (msg:"--"; sid:999;flags:SRAFPU;)
c. None of the mentioned
d. alert tcp any -> any any (msg:"--"; sid:999;flags:F;)
e. alert tcp any -> any any (msg:"--"; sid:999;flags:FPU;)


Which filter will only show traffic for host 1.2.3.4 for FTP traffic:
A.ip.addr == 1.2.3.4 and tcp.port == 21
B.ip.addr == 1.2.3.4 or tcp.port == 21
C.ip.addr == 1.2.3.4 and udp.port == 21
D.ip.addr == 1.2.3.4 or udp.port == 21
A


e
QN=66 The mark average of Bob and Alice is 20%, Bob and Eve is 30%, and Alice and Eve is 40%. What is Bob's
a. 20%
b. 40%
c. 30%
d. 50%
e. 10%


For an IDS, which is the correct term for an alarm that is generated and the condition should have been alarmed:
A.True-Positive
B.False-Positive
C.True-Negative
D.False-Negative
A


a
QN=67 Which attack involves continual requests from a range of remote hosts?
a. DDoS attack
b. Worm spread
c. None of the mentioned
d. DoS attack
e. Man-in-the-middle


For an IDS, which is the correct term for an alarm that is generated and the condition should not be alarmed:
A.True-Positive
B.False-Positive
C.True-Negative
D.False-Negative
B


d
QN=68 Which is a hashing function?
a. RSA
b. None of the mentioned
c. DES
d. MD5
e. Diffie-Hellman


For an IDS, which is the correct term for when an alarm is not generated and the condition should not be alarmed:
A.True-Positive
B.False-Positive
C.True-Negative
D.False-Negative
C


a
QN=69 The mark average of Bob and Alice is 70%, Bob and Eve is 60%, and Alice and Eve is 30%. What is Eve's mark?
a. 20%
b. 40%
c. 30%
d. 100%
e. 10%


For an IDS, which is the correct term for when an alarm is not generated and the condition should be alarmed:
A.True-Positive
B.False-Positive
C.True-Negative
D.False-Negative
D


d
QN=70 The mark average of Bob and Alice is 20%, Bob and Eve is 30%, and Alice and Eve is 40%. What is Eve's mark?
a. 20%
b. 40%
c. 30%
d. 50%
e. 10%


For an IDS, which component detects and sends data to the system:
A.Network sensors
B.Central monitoring system
C.Report analysis
D.Database/storage component
E.Response box
A


a
QN=71 Which protocol is not supported by Snort?
a. IGMP
b. IP
c. ICMP
d. UDP
e. None of the mentioned


For an IDS, which component presents information on an event:
A.Network sensors
B.Central monitoring system
C.Report analysis
D.Database/storage component
E.Response box
C


b
QN=72 For an ARP reply, which destination MAC address is used?
a. None of the other choices
b. The destionation host
c. The local host
d. The broadcast address


For an IDS, which component processes/analyzed data from sensors:
A.Network sensors
B.Central monitoring system
C.Report analysis
D.Database/storage component
E.Response box
B


c
QN=73 What happens to the MD5 signature when a single character is changed in a file?
a. A single character is changed
b. None of the mentioned
c. The whole signature is changed
d. Nothing is changed


For an IDS, which component presents information on how to deal with an event:
A.Network sensors
B.Central monitoring system
C.Report analysis
D.Database/storage component
E.Response box
C


a
QN=74 Layer 4 the transmitted encapsulated data is know as a _____________
a. segment
b. data frame
c. None of the mentioned
d. data packet


For an IDS, which component has trend analysis and logging information on alerts:
A.Network sensors
B.Central monitoring system
C.Report analysis
D.Database/storage component
E.Response box
D


b
QN=75 Which is the easiest way for an intruder to defeat an IDS?
a. Compromise the firewall
b. Create a tunnel
c. Install a good virus scanner
d. None of the mentioned
e. Use UDP for the transport layer


For an IDS, which component takes information from other IDS components, and tries to respond to a threat:
A.Network sensors
B.Central monitoring system
C.Report analysis
D.Database/storage component
E.Response box
E


e
QN=76 What does the "SYN", "SYN,ACK", "ACK" sequence signify?
a. The retransmission of data
b. The handshaking of data for client-server connection
c. None of the other choices
d. The end of a client-server connection
e. The intial negotiantion of a client-server connection


What is the main focus for Snort:
A.Pattern matching
B.Protocol Decoding
C.Anomaly Detection
D.Audit/Compliance
A


a
QN=77 Which commercial business/private sector data classification is used to control information about individuals within an organization?
a. Private
b. Proprietary
c. Sensitive
d. Confidential
e. None of the other choices


Which protocol is not supported by Snort:
A.IP
B.UDP
C.TCP
D.ICMP
E.IGMP
E


d
QN=78 What hacker does not have many skills, and use standard scripting tools:
a. Phreakers
b. None of the mentioned
c. White hat
d. Script kiddies
e. Hacktvist


Which is the best detection method for known attacks:
A.Pattern matching
B.Anomaly detection
C.Protocol analysis
D.Stateful inspection
A


a
QN=79 Which involves actual deception of users and system operators?
a. Mispresentation
b. Logical Scavening
c. None of the mentioned
e. Eavesdropping
e. Visual Spying


Which method contains a threat spread over several packets, over a relatively long time period (and thus IDS cannot detect the threat):
A.Session splicing
B.Session hijacking
C.IP fragmentation
D.Ethernet frame fragmentation
A


b
QN=80 Which TCP does MSN Messenger use?
a. 23
b. 1863
c. 1024
d. 1836
e. None of the other choices


Which method packet capture component must be installed for Snort to work:
A.Word
B.WinPCap
C.Excel
D.Cisco IDS
B


a
QN=81 STRIDE is often used in relation to assessing threats against applications or operating systems. _______ is NOT an element of STRIDE
a. Disclousre
b. Elevation of privilege
c. None of the mentioned
d. Spoofing
e. Repudiation


a
QN=82 Which Snort command will filter for an incoming FTP response from an FTP server?
a. alert tcp any 21 -> any any msg "FTP response"
b. alert tcp any 25 -> any any msg "FTP response"
c. alert tcp any any -> any 25 msg "FTP response"
d. alert tcp any 25 -> any 21 msg "FTP response"
e. None of the mentioned


Database/web/email/chat/voicemail servers
a. DNS/Name Servers
b. DHCP Servers
c. Application servers
d. Authentication Servers
c. Application servers


What is the best statement for taking advantage of a weakness in the security of an IT system?
a. Threat
b. Attack
c. Exploit
d. Vulnerability
c. Exploit


HTTP is _____ ?
a. Hypertext Transfer Protocol
b. Hypertext Text Protocol
c. Hypertext Transfer Programming
d. High Transfer Protocol
e. None of the above
a. Hypertext Transfer Protocol


Metasploit is ____ ?
a. Text editor
b. Backup tool
c. Antivirus software
d. Penetration testing software
e. Programming language
d. Penetration testing software


Contain IP address to MAC address mapping, the time the IP was leased
a. DNS/Name Servers
b. Vampire Taps
c. tcpdump
d. DHCP Servers
d. DHCP Servers


Handles multiplexing of process communication, provides end-to-end
reliability, sequencing, flow control, congestion control. Connection
established through 3-way handshake.
a. Routers
b. Switches
c. TCP
d. NIDS/NIPS
c. TCP


Evidence collected from network device logs
a. Flow analysis
b. Active Acquisition
c. Modes of detection
d. Packet analysis
d. Packet analysis


What port is used to connect to the Active Directory in Windows 2000?
a. 80
b. 445
c. 139
d. 389
d. 389


Monitor network traffic and alerts on suspicious activities
a. TCP
b. Firewalls
c. Switches
d. NIDS/NIPS
d. NIDS/NIPS


DDOS attack is ______
a. One-to-many IP adsdresses
b. Many-to-one IP addresses
c. One-to-one IP address
d. Many-to-many IP addresses
b. Many-to-one IP addresses


Rules, Alerts, packet capture is
a. DNS/Name Servers
b. NIDS/NIPS components
c. NIDS/NIPS
d. Induction coils
b. NIDS/NIPS components


Webserver, Email server, network port scanning is
a. Many-to-many IP addresses
b. One-to-many IP addresses
c. One-to-one IP address
d. Many-to-one IP addresses
c. One-to-one IP address


Logs successful/failed login attempts for all devices within its
authentication system
a. Induction coils
b. DHCP Servers
c. DNS/Name Servers
d. Authentication Servers
d. Authentication Servers


What method can be used in online-password attack ?
a. Dictionary attack
b. Brute force attack
c. SQL injection
d. Cross-site-scripting
e. None of the above
a. Dictionary attack
b. Brute force attack


Contains routing tables that map router ports with the network, may
function as packet filters
a. Switch
b. Firewalls
c. TCP
d. tcpdump
b. Firewalls


Communicates error messages and other conditions via IP datagrams
a. Address Resolution Protocol (ARP)
b. Internet Control Message Protocol (ICMP)
c. HyperText Transfer Protocol (HTTP)
d. Internet Protocol (IP)
b. Internet Control Message Protocol (ICMP)


Addressing and Routing (src and dst) at Layer 3
a. Fiber optic taps
b. Inline Network Taps
c. Induction coils
d. Internet Protocol (IP)
d. Internet Protocol (IP)


Contains tables that store mapping between physical port and MAC addresses
a. Switches
b. TCP
c. Routers
d. tcpdump
a. Switches


Devices that pierce the shielding of copper cables
a. Vampire Taps
b. DHCP Servers
c. Routers
d. NIDS/NIPS
a. Vampire Taps


Stores web surfing log for an entire organization
a. Routers
b. DHCP Servers
c. Web proxies
d. Firewalls
c. Web proxies


MAC flooding (overflowing table) or ARP spoofing (fill table with fake value)
a. Intercepting traffic from switches
b. Intercepting traffic in wireless media
c. Higher-layer Traffic analysis
d. Intercepting traffic from hubs
a. Intercepting traffic from switches


DNS is ____
a. Domain Name System
b. Domain Name Server
c. Domain Name Service
d. Domain Network System
e. None of the above
b. Domain Name Server


Distributed database used to map between domain names and IP addresses
a. Modes of detection
b. Inline Network Taps
c. Vampire Taps
d. Domain Name System (DNS)
d. Domain Name System (DNS)


Sensor, collector, aggregator, analysis
a. Flow analysis techniques
b. Wireless access points
c. Web proxies
d. Flow record processing system
d. Flow record processing system


One source IP, one or more destination IOP, destination port numbers increasing incrementally, large volume of packets, outbound protocol flags set to SYN
a. TCP port scan
b. Web proxies
c. DHCP Servers
d. Vampire Taps
a. TCP port scan


Sniffing, protocol understanding, Alerting and high fidelity
a. NIDS/NIPS Evidence Acquisition
b. NIDS/NIPS components
c. Induction coils
d. NIDS/NIPS functionality
d. NIDS/NIPS functionality


Recovering and analyzing digital evidence from network resources
a. TCP port scan
b. Protocol analysis
c. Web proxies
d. Network Forensics
d. Network Forensics


Connection less, unreliable, used by DNS, SNMP, audio/video streaming
a. User Datagram Protocol
b. Internet Protocol (IP)
c. Fiber optic taps
d. Web proxies
a. User Datagram Protocol


What character can be used to comment at the end of your SQL injection ?
a. #
b. ;
c. --
d. $
e. %
a. #
c. --


Pattern matching, parsing fields, packet filtering
a. Packet analysis techniques
b. Flow analysis techniques
c. Web analysis techniques
d. DNS analysis techniques
a. Packet analysis techniques


Provides mapping between IP addresses and MAC for a local subnet
a. Address Resolution Protocol (ARP)
b. Internet Protocol (IP)
c. HyperText Transfer Protocol (HTTP)
d. Internet Control Message Protocol (ICMP)
a. Address Resolution Protocol (ARP)


Tool for capturing, filtering, and analyzing traffic
a. Routers
b. TCP
c. NIDS/NIPS
d. tcpdump
d. tcpdump


Comprehensive study of protocols, packets and flows, and methods for dissecting them
a. Packet analysis use cases
b. Protocol analysis
c. Flow analysis
d. Packet analysis
a. Packet analysis use cases


Data is broadcasted, easy to eavesdrop
a. Intercepting traffic in wireless media
b. Intercepting traffic from hubs
c. Intercepting traffic in wired media
d. Intercepting traffic from switches
b. Intercepting traffic from hubs


Libraries: libpcap and WinPcap, Tools: Wireshark, snort, nmap, ngrep, tcpdump
a. Application servers
b. Traffic acquisition software
c. Active Acquisition
d. Authentication Servers
b. Traffic acquisition software


Physical, 2. Data Link, 3. Network, 4. Transport, 5. Session, 6. Presentation, 7. Application
a. Modes of detection
b. Open System Interconnection (OSI)
c. Induction coils
d. Internet Protocol (IP)
b. Open System Interconnection (OSI)


Facilitates sending and receiving documents on the web
a. User Datagram Protocol
b. Address Resolution Protocol (ARP)
c. HyperText Transfer Protocol (HTTP)
d. Internet Protocol (IP)
c. HyperText Transfer Protocol (HTTP)


Understand how a protocol works, how to identify and dissect it; can use RFCs and standards to understands protocols
a. Protocol analysis
b. Flow analysis
c. Network Forensics
d. Protocol identification
a. Protocol analysis


How do you prevent SQL Injection ?
a. Use mysql, don`t use microsoft sql
b. Use SQLmap
c. Use Parameterized Queries
d. Use PHP language, don`t use .Net or Java language
c. Use Parameterized Queries


May detect attacks in progress, can be tuned to give more granular data
a. Open System Interconnection (OSI)
b. Network Forensics
c. Flow record processing system
d. Network Intrusion Detection/Prevention Systems
d. Network Intrusion Detection/Prevention Systems


In default, HTTP services work on port ?
a. 80
b. 443
c. 25
d. 110
a. 80


In default, HTTPS services work on port ?
a. 80
b. 443
c. 25
d. 110
e. 81
b. 443


Search from common values associated with a protocol, information in encapsulated protocol, port numbers, server functions, common header values
a. Protocol identification
b. Protocol analysis
c. Active Acquisition
d. Modes of detection
a. Protocol identification


MAC refers to
a. Medium Access Control
b. Machine Address Control
c. Machine Assess Control
d. none of the above
b. Machine Address Control


______________ is forensics applied to information stored or transported
on network.
a. Information forensics
b. Data forensics
c. Computer forensics
d. Network forensics
d. Network forensics


A network sniffer program is an example of:
a. Evidence development tool
b. Packet collection tool
c. Packet formatting tool
d. none of the above
b. Packet collection tool


The following is an application layer protocol
a. HTTP
b. SMTP
c. BOOTP
d. All of the above
d. All of the above


Packet capture file format, pcap is based on a library called
a. libcap
b. libc
c. libpcap
d. libvmi
c. libpcap


NetFlow was developed by
a. Extreme
b. Juniper
c. Cisco
d. Brocade
c. Cisco


Anti-forensic prevents ____.
a. Forensic investigation process
b. Attacker to attack
c. Security threats
d. Malicious attacks
a. Forensic investigation process


Which of the following type of attack CANNOT be deterred solely through technical means?
a. Dictionary
b. Man in the middle
c. DoS (Denial of Service)
d. Social engineering
d. Social engineering


HTML is _____?
a. Hypertext Markup Language
b. Hypertext Makeup Language
c. High Markup Language
d. Hypertext Markup Loop
e. None of the above
a. Hypertext Markup Language


Why do social engineering attacks often succeed?
a. strong passwords are not required
b. lack of security awareness
c. multiple logins are allowed
d. audit logs are not monitored frequently
b. lack of security awareness


SSL is _____?
a. Secure Server Level
b. Secure Sockets Layer
c. Secure Sockets Level
d. Secure Server Layer
e. None of the above
b. Secure Sockets Layer


Which of the following is an example of the theft of network passwords without the use of software tools?
a. Trojan programs
b. Social engineering
c. Sniffing
d. Hacking
b. Social engineering


AJAX is ?
a. Asynchronous JavaScript And XML
b. Asynchronous Java And XML
c. Asynchronous JavaScript And XPATH
d. Asynchronous Java And XPATH
e. None of the above
a. Asynchronous JavaScript And XML


Which of the following measures can be used to guard against a social engineering attack?
a. Education, limit available information and security policy.
b. Education, firewalls and security policy.
c. Security policy, firewalls and incident response.
d. Security policy, system logging and incident response. e.
a. Education, limit available information and security policy.


Which of the following is the major difference between a worm and a Trojan horse?
a. Worms are spread via e-mail while Trojan horses are not.
b. Worms are self replicating while Trojan horses are not.
c. Worms are a form of malicious code while Trojan horses are not.
d. There is no difference.
b. Worms are self replicating while Trojan horses are not.


What type of program will record system keystrokes in a text file and e- mail it to the author, and will also delete system logs every five days or whenever a backup is performed?
a. Virus
b. Back door
c. Logic bomb
d. Trojan
d. Trojan


Which of the following is the boolean operator for logical-and?
a. *
b. &&
c. |
d. |&
e. None of the above
b. &&


Database/web/email/chat/voice mail servers
Application servers


What is the best statement for taking advantage of a weakness in the security of an IT system?
Exploit


HTTP is_____?
Hypertext Transfer Protocol


Metasploit is____?
Penetration testing software


Contain IP address to MAC address mapping, the time the IP was leased
DHCP Servers


Handles multiplexing of process communication, provides end-to-end reliability, sequencing, flowcontrol, congestion control. Connection established through 3-way handshake.
TCP


Evidence collected from network device logs
Packet analysis


What port isused to connect to the Active Directory in Windows 2000?
389


Monitor network traffic and alerts on suspicious activities
NIDS/NIPS


DDOS attack is______
Many-to-one IP addresses


Rules, Alerts, packet capture is
NIDS/NIPS components


Web server, Email server, network ports canning is
One-to-one IP address


Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
Logs successful/failed login attempts for all devices within its authentication system
Authentication Servers


What method can be used in online-password attack?
Dictionary attack - Bruteforce attack


Contains routing tables that map router port swith the network, may function as packet filters
Firewalls


Communicates error messages and other conditions via IP datagrams
Internet Control Message Protocol (ICMP)


Addressing and Routing (src and dst) at Layer 3
Internet Protocol (IP)


Contains tables that store mapping between physical port and MAC addresses
Switches


Devices that pierce the shielding of copper cables
Vampire Taps


Stores web surfing log for an entire organization
Web proxies


MAC flooding (over flowing table) or ARP spoofing (fill table with fake value)
Intercepting traffic from switches


DNS is____
Domain Name Server


Distributed database used to map between domain names and IP addresses
Domain Name System (DNS)


Sensor, collector, aggregator, analysis
Flow record processing system


One source IP, one or more destination IOP, destination port numbers increasing incrementally, large volume of packets, out bound protocol flags set to SYN
TCP port scan


Sniffing, protocol understanding, Alerting and high fidelity
NIDS/NIPS functionality


Recovering and analyzing digital evidence from network resources
Network Forensics


Connection less, unreliable, used by DNS, SNMP, audio/video streaming
User Datagram Protocol


What character can be used t ocomment at the end of your SQL injection?
# -


Pattern matching, parsing fields, packet filtering
Packet analysis techniques


Provides mapping between IP addresses and MAC for a local subnet
Address Resolution Protocol (ARP)


Tool for capturing, filtering, and analyzing traffic
tcpdump


Comprehensive study of protocols, packets and flows, and methods for dissecting them
Packet analysis use cases


Data is broadcasted, easy to eavesdrop
Intercepting traffic from hubs


Libraries: libpcap and WinPcap, Tools: Wireshark, snort, nmap, ngrep, tcpdump
Traffic acquisition software


1.Physical, 2.DataLink, 3.Network, 4.Transport, 5.Session, 6. Presentation, 7.Application
Open System Inter connection (OSI)


Facilitates sending and receiving documents on the web
Hyper Text Transfer Protocol (HTTP)


Understand how a protocol works, how to identify and dissect it; canuse RFCs and standards to understands protocols
Protocol analysis


How do you prevent SQL Injection?
Use Parameterized Queries


May detect attacks in progress, can be tuned to give more granular data
Network Intrusion Detection/Prevention Systems


In default, HTTP services work on port?
80


In default, HTTPS services work on port?
443


Search from common values associated with a protocol, information in encapsulated protocol, port numbers, server functions, common header values
Protocol identification


MAC refers to
Machine Address Control


______________ is forensics applied to information stored or transported on network.
Network forensics


A network sniffer program is an example of:
Packet collection tool


The following is an application layer protocol
All of the above (HTTP, SMTP, BOOTP)


Packet capture file format, pcap is based on a library called
libp cap


Net Flow was developed by
Cisco


Anti-forensic prevents____.
Forensic investigation process


Which of the following type of attack CANNOT be deterred solely through technical means?
Social engineering


HTML is_____?
Hypertext Markup Language


Why do social engineering attacks often succeed?
lack of security awareness


SSL is_____?
Secure Sockets Layer


Which of the following is an example of the theft of network passwords without the use of software tools?
Social engineering


AJAX is?
Asynchronous JavaScript And XML


Which of the following measures can be used to guard against a social engineering attack?
Education, limit available information and security policy.


Which of the following is the major difference between a worm and a Trojan horse?
Worms are self replicating while Trojan horses are not.


What type of program will record system key strokes in a text file and email it to the author, and will also delete system logs every five days or whenever a backup is performed?
Trojan


Which of the following is the boolean operator for logical-and?
&&


In ISO 27002, which sections defines the responses and procedures around a security incident
Information security incident management


Which involves impersonation of users/devices?
Impersonation


In ISO 27002, which sections defines the restriction of access rights to networks, systems, applications, functions and data?
Access control


______________ are the two common data classification schemes
Government and private sector/commercial business


Which attack involves continual requests from a range of remote hosts?
DDoS attack


Which is a hashing function?
MD5


The mark average of Bob and Alice is 70%, Bob and Eve is 60%, and Alice and Eve is 60%. What is Eve's mark?
50%


The mark average of Bob and Alice is 20%, Bob and Eve is 30%, and Alice and Eve is 40%. What is Eve's mark?
50%


Which protocol is not supported by Snort?
IGMP


For an ARP reply, which destination MAC address is used?
The destionation host


What happens to the MD5 signature when a single character is changed in a file?
The whole signature is changed


Layer 4 the transmitted encapsulated data is know as a _____________
segment


Which is the easiest way for an intruder to defeat an IDS?
Compromise the firewall


What does the "SYN", "SYN,ACK", "ACK" sequence signify?
The initial negotiation of a client-server connection


Which commercial business/private sector data classification is used to control information about individuals within an organization?
Private


What hacker does not have many skills, and use standard scripting tools:
Script kiddies


Which involves actual deception of users and system operators?
Mispresentation


Which TCP does MSN Messenger use?
1863


STRIDE is often used in relation to assessing threats against applications or operating systems. _______ is NOT an element of STRIDE
Disclousre


Which Snort command will filter for an incoming FTP response from an FTP server?
alert tcp any 21 -> any any msg "FTP response"


How many characters does a Hex MD5 signature have:
32


How many characters does a Hex SHA-1 signature have:
40


How many bits does an MD5 signature have:
128


How many bits does an SHA-1 signature have:
160


How many bits does an SHA-256 signature have:
160


Which is a valid MD5 Hex signature:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Which is an example of a one-way function
MD5 and SHA-1


Which is the following is an example of a MD5 signature:
455D04D3EBDE98FB5AB92B7363DFF33D


What is the Diffie-Hellman method used for:
To pass a secret key


What is MD5 used for:
To create a unique signature


"What happens to the MD5 signature when a single character is changed in a file:"
The signature cannot be produced


What is the main weakness of the Diffie-Hellman method:
It allows for a man-in-the-middle attack


What does the "SYN", "SYN,ACK", "ACK" sequence signify:
The initial negotiation of a client-server connection


"For the ""SYN"", ""SYN,ACK"", ""ACK"" sequence, who generates the initial ""SYN"""
The client


"For the ""SYN"", ""SYN,ACK"", ""ACK"" sequence, who generates the ""SYN,ACK"""
The server


"For the ""SYN"", ""SYN,ACK"", ""ACK"" sequence, who
generates the ""ACK"""
The client


Which type of traffic cannot be deeply inspected:
SSH, SFTP, SHTTP


Which TCP port does SMTP use:
25


Which TCP port does IMAP use:
143


Which TCP port does POP-3 use:
110


What is ARP used for:
Discovering the MAC address of a host


For an ARP request, which source MAC address is used
The local host


For an ARP request, which destination MAC address is used
The broadcast address


For an ARP reply which source MAC address is used
The local host


For an ARP reply, which destination MAC address is used
The destination host


Which is the encrypted port used for IMAP over SSL
993


Which tool can determine if a file has been changed
Hash signature


Which tool shows the open TCP ports
netstat


Which tool shows the MAC address of the local host
ipconfig


Which tool shows the IP address of a domain name
nslookup


Which tool determines if a host is on-line
ping


Which transport protocol does DNS use
UDP


Which UDP port does DNS use
53


"When a host sends an ARP for a node at 1.2.3.4, who will receive the reply"
Only the host that asked for it


"When a host sends an ARP for a node at 1.2.3.4, who will receive the ARP request"
The whole network bounded by a router port


Which tool does a vunerability analysis for a host
nmap


What does .NET use to provide hardware compatibility:
MSIL


"What does .NET use to provide different DLL versions to be supported:"
Global Assembly Cache


"What does .NET use to provide different languages to be used in .NET:"
Common Language


"What does .NET use to provide common classes, methods and properties:"
Framework Class Library


Where do .NET programs run:
Within the CLR


Which folder contains the .NET framework:
C:\WINDOWS\Microsoft.NET\Framework\


Which is the most recent .NET version
.NET 3.5


Which reference is required for Role-based security:
System.Security.Principal


Which method is used with WindowsPrinciple (myPrin) to test a role:
myPrin.IsInRole()


"What does .NET use to provide different DLL versions to be supported:"
Global Assembly Cache


What is the main advantage of the Global Assembly Cache in .NET:
It stores different versions of DLLs


Which XML tags will allow users access to a Web service:
<authorization> <allow users="*"></authorization>


"Which file contains the security settings for an ASP.NET Web service:"
Web.config


What is the strong name used in .NET assemblies:
It uniquely identifies an assembly


"Which command line option would generate the encryption keys for a
strong name in a .NET assembly:"
sn -k


Which is the correct format for the version number in .NET:
"<major version>.<minor version>.<build
number>.<revision>"


"For an assembly version number of 2.1.1500.10. What does the 2 represent:"
Major version


"For an assembly version number of 2.1.1500.10. What does the 1 represent:"
Minor version


"For an assembly version number of 2.1.1500.10. What does the 1500 represent:"
Build version


"For an assembly version number of 2.1.1500.10. What does the 10 represent:"
Revision


Which is the following is not stored in an assembly:
The type of operating system used


Which of the following sets the version number for an assembly:
[assembly:AssemblyVersionAttribute("2.5.*")]


Which of the following is true for the version number of 2.5.*:
"A wild card is
used for the build and the revision numbers, where the build process
automatically generates these numbers."


Which best defines the global assembly cache:
"It is a cache within a machine that contains
the assemblies which are to be shared with applications."


In which file is the Version attribute normally defined (for Form1):
AssemblyInfo.cs


Multiple versions of assemblies can exist in the GAC. True or false?
True


"An assembly can be dragged into the GAC using the Windows explorer.
True or false?"
True


"You have created a class that is derived from the ServicedComponent
class called DistributionApp. You need to install it into the Global Assembly
Cache and create the key pair that will be used to give the compiled assembly
a strong name. Which of the following commands will produce the key pair?
(Select the best choice.)"
sn -k "mykey.snk"


Which applications require the strongest security:
Web services, and in .NET remoting


"Which file is stored in the Config directory of the default
.NET Framework installation. It contains settings that are applied to all the
applications which run on the host."
Machine configuration file


"Which file contains settings which relate to a specific application.
These are named are Web.config (for Web applications) and App.config (for Windows applications)."
Application configuration file


"Which file defines the security policy for a hierarchy of
groups. It defines enterprise-level (Enterprise-sec.config), machine-level (Security.config), and user-level (Security.config) security policies:"
Security configuration file


Which is the .NET Framework Configuration Tool:
Mscorcfg.msc


"What occurs when a remote user tries to access the Web.config file on the Web server"
It displays a message that it is forbidden to access the file.


What is the default Web service security level for authentication:
Windows


Which authentication process uses IIS to authentication the client:
Windows


"Which authentication process uses an HTML log-in form to authenticate the client, which are then passed to the Web server for authentication:"
Forms


"Which authentication process uses a centralized authentication service is used to define access, with a single logon and profile services for member sites:"
Passport


"Which authentication process, when, on a successful authentication, the server issues a cookie to the client, which is then used by the client to access the Web service:"
Forms


"Which authentication process is typically used to register sites with a single passport, and grants a site-specific key:"
Passport


"Which of following is true for the authorization script of:
<authorization><deny users=""Fred""/> <allow
role=""Administrator"" /></authorization>"
Fred is not allowed access to the service


"Which of following is true for the authorization script of:
<authorization> <deny users=""Fred""/> <allow
role=""Administrator"" /> </authorization>"
"Anyone in the Administrator role is allowed access to the service"


"Which method verifies if the caller is a member the specified role. It returns a True if it is, else it returns a False. "
Object.IsCallerInRole()


Why is PGP computationaly efficient:
It uses a shared-secret key


How many bits, at a time, are used to encode using Base-64:
6 bits


What is the advantage of using Base-64 as a convertor:
It can convert binary


How does HMAC differ from normal hashing methods:
It uses a secret key to generate the hash function


What is "silent" as Base64:
Z29vZGJ5


Which is not a method of obfuscation in .NET:
Licencing checking


Which WinPCap display filter will only show SYN/ACK TCP flags:
tcp.flags.syn==1 and tcp.flags.ack==1


Which WinPCap display filter will only show HTTP traffic:
tcp.port == 80


Which WinPCap display filter will only show FTP traffic:
tcp.port == 21


Which WinPCap display filter will only show TELNET traffic:
tcp.port == 23


Which WinPCap display filter will only show SMTP traffic:
tcp.port == 25


Which WinPCap display filter will only show IMAP traffic:
tcp.port == 143


Which WinPCap display filter will only show POP-3 traffic:
tcp.port == 110


"With a tunnelling DNS covert channel, Bob sends a request for dGVzdA==.alicehost.com.
What is the covert message (Refer to table, such as
from www.aardwulf.com/tutor/base64/base64.pdf):"
test


"With a tunnelling DNS covert channel, Bob sends a request for aGVsbG8=.alicehost.com.
What is the covert message (Refer to table, such as
from www.aardwulf.com/tutor/base64/base64.pdf):"
hello


"With a tunnelling DNS covert channel, Bob sends a
request for Z29vZGJ5ZQ==.alicehost.com.
What is the covert message (Refer to
table, such as from www.aardwulf.com/tutor/base64/base64.pdf):"
goodbye


"With a tunnelling DNS covert channel, Bob sends a request for aGFwcHk=.alicehost.com.
What is the covert message (Refer to table, such as
from www.aardwulf.com/tutor/base64/base64.pdf):"
happy


"With a tunnelling DNS covert channel, Bob sends a request for c2Fk.alicehost.com.
What is the covert message (Refer to table, such as from
www.aardwulf.com/tutor/base64/base64.pdf):"
sad


What is the main advantage of the one-time password system:
Requires the password to be entered once


Which tag in the Web.Config file is used to deny certain users:
Authorization


Which tag in the Web.Config file is used to deny certain groups:
Authorization


"Which tag in the Web.Config file is used to specify a forms-based login:"
Authentication


"Which tag in the Web.Config file is used to specify that the authentication is from the Windows user base:"
Authentication


"For the code of
""EventLog evt = new System.Diagnostics.EventLog();"",
which is an invalid property:"
evt.Events


"For the code of ""EventLog evt = new System.Diagnostics.EventLog();"",
which contains the contents of the Event log:"
evt.Entries


Which method is used to encrypt the encryption key in PGP:
RSA


"PGP uses RSA for the main encryption of the email content.
True or false:"
False


"A scan of a disk identifies the string ""JFIF"".
What is the likely type of file associated with this:"
Document"


"A scan of a disk identifies the string ""GIF89a"". What is the likely type of file associated with this:"
Image


"A scan of a disk identifies the hex sequence of 504B0304. What is the likely type of file associated with this:"
ZIP file


"An investigator wants to scan for the word ""test""
on a disk which contains the string in 16-bit Unicode. What is the search string:"
\0t\0e\0s\0t


How many colours are contained in a GIF colour table:
256


How many colours are possible for each pixel in a GIF file:
16.7 million


"For a 64-bit hash signature. How many Base-64 characters would be used:"
12


"For a 192-bit hash signature. How many Base-64 characters would be used:"
32


"For a 256-bit hash signature. How many Base-64 characters would be used:"
44


"Which protocol on a switch should be setup to allow a host to capture traffic from other hosts:"
SPAN


Which TCP port does MSN Messenger use:
1863


Which filter shows traffic for both 1.2.3.4 and 2.3.4.5:
ip.addr == 1.2.3.4 or ip.addr == 2.3.4.5


Which filter shows traffic between 1.2.3.4 and 2.3.4.5:
ip.addr == 1.2.3.4 and ip.addr == 2.3.4.5


"Which filter shows traffic that is not destined
for either 1.2.3.4 nor 2.3.4.5:"
not ip.addr == 1.2.3.4 and not ip.addr == 2.3.4.5


"Which filter will only show traffic for host 1.2.3.4 for FTP
traffic:"
ip.addr == 1.2.3.4 and tcp.port == 21


Which is a possible place to hide a convert message in an IP header:
Identification


Which field in the IP header identifies AH (Authentication Header):
Protocol field


"Which field in the IP header identifies ESP (Encapsulating Security Payload):"
Protocol field


Where should a standard ACLs be placed:
As near the destination


Where should an extended ACLs be placed:
As near the source address as possible


"For an address an ACL of <BR>access-list 1 deny 192.168.1.1
0.0.0.255<BR><BR>Will a node at 192.168.1.200 be denied:"
Yes


"For an address an ACL of <BR>access-list 1 deny 192.168.1.1
0.0.0.0<BR><BR>Will a node at 192.168.1.200 be denied:"
No


"Which is an example of apply an access-list of 5
on an interface for the incoming direction:"
(config-if)# access-group 5 in


"Which is an example of apply an access-list of 15 on an interface for the outgoing direction:"
(config-if)# access-group 15 in


For Static NAT, what is translated for incoming traffic:
The destination IP address


For Static NAT, what is translated for outgoing traffic:
The source IP address


For Dynamic NAT, what is translated for incoming traffic:
The destination IP address


For Dynamic NAT, what is translated for outgoing traffic:
The destination IP address


For PAT, what is translated for incoming traffic:
The source IP address and TCP port


For PAT, what is translated for outgoing traffic:
The source IP address and TCP port


"For a question of ""What is your favourite football team?"", what is the authentication method:"
Something you know


"For a question of ""What is your mother's maiden name?"", what is the authentication method:"
Something you know


"For a question of ""What is the name of your pet"", what is the authentication method:"
Something you know


"For a user to be authenticated with a smart card, what is the authentication method:"
Something you have


"For a user to be authenticated with a USB stick, what is the authentication method:"
Something you have


"For a user to be authenticated with a Visa card, what is the authentication method:"
Something you have


"For a user to be authenticated with a digital certificate, what is the authentication method:"
Something you have


"For a user to be authenticated with their fingerprints, what is the authentication method:"
Something you are


"For a user to be authenticated with their handprints, what is the authentication method:"
Something you are


"Which access-list blocks only even IP addresses
from 156.1.1.0/24 access to 10.0.0.0/24:"
"access-list 100 deny ip
156.1.1.0 0.0.0.254 10.0.0.0 0.0.0.255"


Which access-list allows traffic from all addresses in the range 192.168.3.0
to 192.168.3.255 :
access-list 10 permit 192.168.3.0 0.0.0.255


"Which access-list permits traffic originating from
any address on the 63.36.9.0 network to a Web site:"
"access-list
101 permit tcp 63.36.9.0 0.0.0.255 any eq 21"


Which command is used to define an ACL on an interface:
ip access-group


"Which command is used to define an ACL which can be applied to an interface:"
access-list


Which ACL bars every node from the 192.168.10.0 subnet:
access-list 1 deny 192.168.10.0 0.0.0.255


Which command can be used to prevent DOS attacks:
ip inspect


What does the ip host command achieve:
Sets up a hosts table


Which commands set the line console password:
line con 0, password


Which commands set the telnet password:
line vty 0 4, password


"Which command is ignored by the router in the set-up on an interface:"
description


How would 10.11.12.13 with a subnet mask of 255.0.0.0 be displayed:
10.11.12.13\8


"How would 10.11.12.13 with a subnet mask of 255.255.0.0 be displayed:"
10.11.12.13\16


"How would 10.11.12.13 with a subnet mask of 255.255.255.0 be displayed:"
10.11.12.13\24


"How would 10.11.12.13 with a subnet mask of 255.255.255.240 be displayed:"
10.11.12.13\28


"How would 192.168.0.22 with a subnet mask of 255.255.255.128 be displayed:"
192.168.0.22\25


"How would 192.168.0.22 with a subnet mask of 255.255.255.192 be displayed:"
192.168.0.22\26


"How would 192.168.0.22 with a subnet mask of 255.255.255.224 be displayed:"
192.168.0.22\27


"How would 192.168.0.22 with a subnet mask of 255.255.255.240 be displayed:"
192.168.0.22\28


Which command defines the message of the day:
banner motd hello


Which command defines the login message:
banner login hello


Which command defines the EXEC message:
banner exec hello


Which command enables the Web server:
ip http server


Which command defines a username named fred:
username fred password bert


Which TCP ports are typically used for SNMP:
161,162


Which of the following IP address is not a private address:
146.176.1.5


Which of the following is not a valid subnet mask:
255.164.0.0


Which layer of the OSI model do routers operate:
1, 2 and 3


Which layer of the OSI model do firewalls (packet filter) operate:
1, 2, 3 and 4


Which router command is used to set the host name:
hostname


Which router command is used to set name server:
ip name-server


Which router command is used to set the domain name:
ip domain-name


What is the range of access-lists which relate to standard ACLs:
1-99


What is the range of access-lists which relate to extended ACLs:
100-199


"Which of the following is an example of a named
access list command:"
(config-std-nacl)# deny 156.1.1.0 0.0.0.255


Which of the following creates an access-list named Test1:
(config)# ip access-list standard Test1

Which device could be used as a form of entrapment?
A.IDS
B. Virus checker
C. Honeypot
D. Firewall
E. None of the mentioned
C


What is the best statement for taking advantage of a weakness in the security of an IT system?
A. Attack
B. Exploit
C. None of the mentioned
D. Vulnerability
E. Threat
B


Which has the highest likelihood of fire?
A. Explosion
B. Catastrophic
C. Minor
D. None ofthe mentioned
E. Major
C


Which of the following is the major difference between a worm and a Trojan horse?
A. Worms are spread via e-mail while Trojan horses are not.
B. Worms are a form of malicious code while Trojan horses are not.
C. None of the mentioned
D. There is no difference.
E. Worms are self replicating while Trojan horses are not.
E


With Diffie-Hellman, as in the textbook, G = 2 and n = 7, Bob generates an x = 3, and Alice generates a y = 5. What value does Bob send?
A. 4
B. 2
C. 0
D. None of the mentioned
E. 1
E


A data packet goes from a client to a Web server, which will be true?
A. The source port will be 80 only
B. None of the other choices
C. The source and destination ports will not be 80
D. The source and destination ports will be 80
E. The destination port will be 80
E


Monitor network traffic and alerts on suspicious activities
A. None of the mentioned
B. Firewalls
C. Switches
D. NIDS/NIPS
E. TCP
D


If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, ______ is the process called that is used to ensure that these entities support sufficient security.
A. None of the mentioned
B. exit interview
C. third-party governance
D. asset identification
E. qualitative analysis
C


______ May detect attacks in progress, can be tuned to give more granular data
A. Open System Interconnection (OSI)
B. None of the mentioned
C. Flow record processing system
D. Network Forensics
E. Network Intrusion Detection/Prevention Systems
E


Which are skills required for an ethical hacker? (Choose 1 answer)
A. Up-to-date on threats
B. Politics
C. Report writing
D. None of the mentioned
E. Mainframes
A, C, E are correct answers
Choose one? magic!


HTTP is ______ ?
A. Hypertext Transfer Protocol
B. Hypertext Text Protocol
C. High Transfer Protocol
D. Hypertext Transfer Programming
E. None of the other choices
A


Comprehensive study of protocols, packets and flows, and methods for dissecting them
A. None of the mentioned
B. Protocol analysis
C. Packet analysis
D. Flow analysis
E. Packet analysis use cases
C


Which method verifies if the caller is a member the specified role? (It returns a True if it is, else it retums a False)
A. Object.CurrentCall()
B. None of the mentioned
C. Object.IsUserInRole()
D. Object.IsCallerInRole()
E. Object.ShowUser()
D


In ISO 27002, which section ensures compliance of systems with organizational security policies and standards?
A. System Acquisition, Development and Maintenance
B. None of the other choices
C. Business Continuity Planning
D. Compliance
E. Physical and Environmental Security
D


SSL is ______?
A. None of the mentioned
B. Secure Server Layer
C. Secure Sockets Level
D. Secure Server Level
E. Secure Sockets Layer
E


Communicates error messages and other conditions via IP datagrams
A. Intemet Control Message Protocol (ICMP)
B. Intemet Protocol (IP)
C. None of the mentioned
D. HyperText Transfer Protocol (HTTP)
E. Address Resolution Protocol (ARP)
A


Sniffing, protocol understanding, Alerting and high fidelity
A. NIDS/NIPS functionality
B. NIDS/NIPS Evidence Acquisition
C. NIDS/NlPS components
D. Induction coils
E. None of the mentioned
A


Which is a hashing function?
A. Diffie-Hellman
B. DES
C. None of the mentioned
D. MD5
E. RSA
D


You have created a class that is derived from the ServicedComponent class called DistributionApp. You need to install it into the Global Assembly Cache and create the key pair that will be used to give the compiled assembly a strong name. Which of the following commands will produce the key pair? (Select the best choice)
A. Tlbexp
B. al -k "mykey.snk"
C. sn -k "mykey.snk"
D. None of the mentioned
E. sn -p "mykey.snk"
C


In default. HTTPS services work on port ?
A. 443
B. 80
C. 110
D. 81
E. 25
A


The item ______ is typically NOT a characteristic considered when classifying data.
A. Size of object
B. None of the other choices
C. Value
D. Useful lifetime
E. National security implications
A


Which type of virus is applied within Microsoft Office, and runs within it?
A. Macro
B. Boot sector
C. Program
D. Stealth
E. None of the mentioned
A


Contains tables that store mapping between physical port and MAC addresses
A. None of the mentioned
B. Switches
C. Routers
D. tcpdump
E. TCP
B


What type of program will record system keystrokes in a text file and e-mail it to the author, and will also delete system logs every five days or whenever a backup is performed?
A. Logic bomb
8. Trojan
C. Back door
D. None of the mentioned
E. Virus
A


The key networking elements that are typically used in an analysis of network traffic are
A. TCP flags, ARP activity, ICMP activity, DNS activity
B. None of the mentioned
C. TCP flags, ARP activity
D. TCP flags, ARP activity, ICMP activity, DNS activity, Application protocol activity
E. TCP flags
D


Evidence collected from network device logs
A. Active Acquisition
B. Packet analysis
C. Flow analysis
D. Modes of detection
E. None of the mentioned
A


How many Base64 characters are used for an MD5 hash signature?
A. 32
B. 64
C. 24
D. 40
E. None of the mentioned
C


Which is used to send out unsolicited bulk messages?
A. Spam
B. None of the mentioned
C. Logic bombs
D. Viruses
E. Trojans
A


______ is NOT a focus of data classifications.
A. Layering
B. Processing
C. Storage
D. None of the other choices
E. Transfer
A


Which IDS evaluation tool uses a polymorphic buffer overflow engine?
A. CiscolDS
B. ADMutate
C. IDSOne
D. None of the mentioned
E. Fallover
B


The item ______ is the primary objective of data classification schemes.
A. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
B. None of the other choices
C. To control access to objects for authorized subjects
D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality
E. To establish a transaction trail for auditing accountability
A


______ often a sign of a host machine connected to another computer on the local network, or to the default gateway.
A. TOP flags
B. None of the mentioned
C. DNS activity
D. ICMP activity
E. ARP activity
E


Which tool determines if a host is on-line?
A. Ipconfig
B. None of the mentioned
C. nslookup
D. netstat
E. ping
E


One source IP, one or more destination IOP, destination port numbers increasing incrementally, large volume of packets, outbound protocol flags set to SYN
A. None of the mentioned
B. Vampire Taps
C. Web proxies
D. TCP port scan
E. DHCP Servers
D


In ISO 27002, which section focuses on the maintenance of application system software and data?
A. Physical and Environmental Security
B. Compliance
C. System Acquisition, Development and Maintenance
D. Business Continuity Planning
E. None of the other choices
C


Search from common values associated with a protocol, information in encapsulated protocol, port numbers, server functions, common header values
A. Protocol identification
B. Active Acquisition
C. Modes of detection
D. Protocol analysis
E. None of the mentioned
A


In which file is the Version attribute normally defined (for Form1)?
A. AssemblyInfo.cs
B. Webconfig
C. None of the mentioned
D. Form1.resx
E. Form1.cs
A


Which involves intercepting communications?
A. Eavesdropping
B. None of the mentioned
C. Mispresentation
D. Visual Spying
E. Interference
A


The item ______ would generally NOT be considered an asset of the organization in a risk analysis.
A. A development process
B. A proprietary system resource
C. Users' personal files
D. An IT infrastructure
E. None of the mentioned
C


How do you prevent SQL Injection ?
A. Use PHP language, don't use .Net or Java language
B. Use SQLmap
C. Use Parameterized Queries
D. None of the mentioned
E. Use mysql, don't use microsoft sql
C


The option ______ is the lowest military data classification for classified data.
A. None of the other choices
B. Sensitive
C. Proprietary
D. Private
E. Secret
E


For an IDS, which component detects and sends data to the system?
A. Database/storage component
B. Response box
C. Central monitoring system
D. None of the mentioned
E. Network sensors
E


The statement ______ is NOT true.
A. None of the mentioned
B. The process by which the goals of risk management are achieved is known as risk analysis
C. An asset is anything used in a business process or task
D. IT security can provide protection only against logical or technical attacks
E. Risks to an IT infrastructure are all computer based
E


What is the result of -54 mod 10
A. 4
B. 6
C. -6
D. None of the mentioned
E. -4
B


______ is the most important and distinctive concept in relation to layered security.
A. Multiple
B. Series
C. Parallel
D. Filter
E. None of the other choices
B


Which commercial business/private sector data classification is used to control information about individuals within an organization?
A. Confidential
B. Private
C. Sensitive
D. Proprietary
E. None of the other choices
B


DDOS attack is ______
A. One-to-many IP addresses
B. Many-to-one IP addresses
C. One-to-one IP address
D. Many-to-many IP addresses
E. None of the mentioned
B


What method can be used in online-password attack ? (choose two)
A. Dictionary attack
B. Brute force attack
C. SQL injection
D. Cross-site-scripting
E. None of the above
A, B


Devices that pierce the shielding of copper cables
A. Vampire Taps
B. DHCP Servers
C. Routers
D. NIDS/NIPS
E. None of the mentioned
A


Which protocol is not supported by Snort?
A. IP
B. UDP
C. IGMP
D. ICMP
E. None of the mentioned
C


Distributed database used to map between domain names and IP addresses
A.Modes of detection
B. Inline Network Taps
C. Vampire Taps
D. Domain Name System (DNS)
E. None of the mentioned
D


Which attack involves continual requests from a range of remote hosts?
A. DoS attack
B. Man-in-the-middle
C. Worm spread
D. DDoS attack
E. None of the mentioned
D


The mark average of Bob and Alice is 20%, Bob and Eve is 30%, and Alice and Eve is 40%. What is Bob's mark?
A. 10%
B. 30%
C. 50%
D. 40%
E. 20%
A
Bob + Alice = 2 * 20 = 40
Bob + Eve = 2 * 30 = 60
Alice + Eve = 2 * 40 = 80
=> Bob + Alice + Eve = (40 + 60 + 80)/2 = 90
=> Bob = (Bob + Alice + Eve) - (Alice + Eve) = 90 - 80 = 10


The item ______ is a primary purpose of an exit interview.
A. To return the exiting employee's personal belongings
B. To review the NDA (nondisclosure agreement)
C. To evaluate the exiting employee's performance
D. To cancel the exiting employee's network access accounts
E. None of the mentioned
B


What is something that the organization owns?
A. An asset
B. A vulnerability
C. An exploit
D. A risk
E. None of the mentioned
A


MAC refers to
A. Medium Access Control
B. Machine Address Control
C. Machine Assess Control
D. None of the mentioned
D. Media Access Control instead


HTML is ______?
A. Hypertext Markup Language
B. Hypertext Makeup Language
C. High Markup Language
D. Hypertext Markup Loop
E. None of the mentioned
A


Which of the following is an example of the theft of network passwords without the use of software tools?
A. Trojan programs
B. Social engineering
C. Sniffing
D. Hacking
E. None of the mentioned
B


Which device could be used as a form of entrapment?
A.IDS
B. Virus checker
C. Honeypot
D. Firewall
E. None of the mentioned
C


What is the best statement for taking advantage of a weakness in the security of an IT system?
A. Attack
B. Exploit
C. None of the mentioned
D. Vulnerability
E. Threat
B


Which has the highest likelihood of fire?
A. Explosion
B. Catastrophic
C. Minor
D. None ofthe mentioned
E. Major
C


Which of the following is the major difference between a worm and a Trojan horse?
A. Worms are spread via e-mail while Trojan horses are not.
B. Worms are a form of malicious code while Trojan horses are not.
C. None of the mentioned
D. There is no difference.
E. Worms are self replicating while Trojan horses are not.
E


With Diffie-Hellman, as in the textbook, G = 2 and n = 7, Bob generates an x = 3, and Alice generates a y = 5. What value does Bob send?
A. 4
B. 2
C. 0
D. None of the mentioned
E. 1
E


A data packet goes from a client to a Web server, which will be true?
A. The source port will be 80 only
B. None of the other choices
C. The source and destination ports will not be 80
D. The source and destination ports will be 80
E. The destination port will be 80
E


Monitor network traffic and alerts on suspicious activities
A. None of the mentioned
B. Firewalls
C. Switches
D. NIDS/NIPS
E. TCP
D


Handles multiplexing of process communication, provides end-to-end reliability, sequencing, flow control, congestion control. Connection established through 3-way handshake.
A. Routers
B. Switches
C. TCP
D. NIDS/NIPS
C


Connection less, unreliable, used by DNS, SNMP, audio/video streaming
A. User Datagram Protocol
B. Internet Protocol (IP)
C. Fiber optic taps
D. Web proxies
A


If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, ______ is the process called that is used to ensure that these entities support sufficient security.
A. None of the mentioned
B. exit interview
C. third-party governance
D. asset identification
E. qualitative analysis
C


______ May detect attacks in progress, can be tuned to give more granular data
A. Open System Interconnection (OSI)
B. None of the mentioned
C. Flow record processing system
D. Network Forensics
E. Network Intrusion Detection/Prevention Systems
E


Which are skills required for an ethical hacker? (Choose 1 answer)
A. Up-to-date on threats
B. Politics
C. Report writing
D. None of the mentioned
E. Mainframes
A


Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
HTTP is ______ ?
A. Hypertext Transfer Protocol
B. Hypertext Text Protocol
C. High Transfer Protocol
D. Hypertext Transfer Programming
E. None of the other choices
A


Comprehensive study of protocols, packets and flows, and methods for dissecting them
A. None of the mentioned
B. Protocol analysis
C. Packet analysis
D. Flow analysis
E. Packet analysis use cases
C


Which method verifies if the caller is a member the specified role? (It returns a True if it is, else it retums a False)
A. Object.CurrentCall()
B. None of the mentioned
C. Object.IsUserInRole()
D. Object.IsCallerInRole()
E. Object.ShowUser()
D


In ISO 27002, which section ensures compliance of systems with organizational security policies and standards?
A. System Acquisition, Development and Maintenance
B. None of the other choices
C. Business Continuity Planning
D. Compliance
E. Physical and Environmental Security
D


In the US which regulations define the rights of US Citizens to the use of encryption without key escrow
A. Gramm-Leach-Bliley Act
B. US Health Insurance Portablity and Accountablity Act (HIPAA)
C. Sarbanes-Oxley (SOX) Act
D. Security and Freedom through Encryption (SAFE)
E. Computer Fraud and Abuse Act
D


SSL is ______?
A. None of the mentioned
B. Secure Server Layer
C. Secure Sockets Level
D. Secure Server Level
E. Secure Sockets Layer
E


Communicates error messages and other conditions via IP datagrams
A. Intemet Control Message Protocol (ICMP)
B. Intemet Protocol (IP)
C. None of the mentioned
D. HyperText Transfer Protocol (HTTP)
E. Address Resolution Protocol (ARP)
A


Sniffing, protocol understanding, Alerting and high fidelity
A. NIDS/NIPS functionality
B. NIDS/NIPS Evidence Acquisition
C. NIDS/NlPS components
D. Induction coils
E. None of the mentioned
A


Which is a hashing function?
A. Diffie-Hellman
B. DES
C. None of the mentioned
D. MD5
E. RSA
D


You have created a class that is derived from the ServicedComponent class called DistributionApp. You need to install it into the Global Assembly Cache and create the key pair that will be used to give the compiled assembly a strong name. Which of the following commands will produce the key pair? (Select the best choice)
A. Tlbexp
B. al -k "mykey.snk"
C. sn -k "mykey.snk"
D. None of the mentioned
E. sn -p "mykey.snk"
C


Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
In default. HTTPS services work on port ?
A. 443
B. 80
C. 110
D. 81
E. 25
A


The item ______ is typically NOT a characteristic considered when classifying data.
A. Size of object
B. None of the other choices
C. Value
D. Useful lifetime
E. National security implications
A


Which type of virus is applied within Microsoft Office, and runs within it?
A. Macro
B. Boot sector
C. Program
D. Stealth
E. None of the mentioned
A


Contains tables that store mapping between physical port and MAC addresses
A. None of the mentioned
B. Switches
C. Routers
D. tcpdump
E. TCP
B


What type of program will record system keystrokes in a text file and e-mail it to the author, and will also delete system logs every five days or whenever a backup is performed?
A. Logic bomb
8. Trojan
C. Back door
D. None of the mentioned
E. Virus
A


The key networking elements that are typically used in an analysis of network traffic are
A. TCP flags, ARP activity, ICMP activity, DNS activity
B. None of the mentioned
C. TCP flags, ARP activity
D. TCP flags, ARP activity, ICMP activity, DNS activity, Application protocol activity
E. TCP flags
D


Evidence collected from network device logs
A. Active Acquisition
B. Packet analysis
C. Flow analysis
D. Modes of detection
E. None of the mentioned
A


How many Base64 characters are used for an MD5 hash signature?
A. 32
B. 64
C. 24
D. 40
E. None of the mentioned
C


Which is used to send out unsolicited bulk messages?
A. Spam
B. None of the mentioned
C. Logic bombs
D. Viruses
E. Trojans
A


______ is NOT a focus of data classifications.
A. Layering
B. Processing
C. Storage
D. None of the other choices
E. Transfer
A


Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
Which IDS evaluation tool uses a polymorphic buffer overflow engine?
A. CiscolDS
B. ADMutate
C. IDSOne
D. None of the mentioned
E. Fallover
B


The item ______ is the primary objective of data classification schemes.
A. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
B. None of the other choices
C. To control access to objects for authorized subjects
D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality
E. To establish a transaction trail for auditing accountability
A


______ often a sign of a host machine connected to another computer on the local network, or to the default gateway.
A. TOP flags
B. None of the mentioned
C. DNS activity
D. ICMP activity
E. ARP activity
E


_______ is often a sign of the discovery of hosts, or for the route to a host
A. None of the mentioned
B. ARP activity
C. ICMP activity
D. TCP flags
E. DNS activity
C


Which tool determines if a host is on-line?
A. Ipconfig
B. None of the mentioned
C. nslookup
D. netstat
E. ping
E


One source IP, one or more destination IOP, destination port numbers increasing incrementally, large volume of packets, outbound protocol flags set to SYN
A. None of the mentioned
B. Vampire Taps
C. Web proxies
D. TCP port scan
E. DHCP Servers
D


In ISO 27002, which section focuses on the maintenance of application system software and data?
A. Physical and Environmental Security
B. Compliance
C. System Acquisition, Development and Maintenance
D. Business Continuity Planning
E. None of the other choices
C


Search from common values associated with a protocol, information in encapsulated protocol, port numbers, server functions, common header values
A. Protocol identification
B. Active Acquisition
C. Modes of detection
D. Protocol analysis
E. None of the mentioned
A


In which file is the Version attribute normally defined (for Form1)?
A. AssemblyInfo.cs
B. Webconfig
C. None of the mentioned
D. Form1.resx
E. Form1.cs
A


Which involves intercepting communications?
A. Eavesdropping
B. None of the mentioned
C. Mispresentation
D. Visual Spying
E. Interference
A


Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
The item ______ would generally NOT be considered an asset of the organization in a risk analysis.
A. A development process
B. A proprietary system resource
C. Users' personal files
D. An IT infrastructure
E. None of the mentioned
C


How do you prevent SQL Injection ?
A. Use PHP language, don't use .Net or Java language
B. Use SQLmap
C. Use Parameterized Queries
D. None of the mentioned
E. Use mysql, don't use microsoft sql
C


The option ______ is the lowest military data classification for classified data.
A. None of the other choices
B. Sensitive
C. Proprietary
D. Private
E. Secret
E


For an IDS, which component detects and sends data to the system?
A. Database/storage component
B. Response box
C. Central monitoring system
D. None of the mentioned
E. Network sensors
E


The statement ______ is NOT true.
A. None of the mentioned
B. The process by which the goals of risk management are achieved is known as risk analysis
C. An asset is anything used in a business process or task
D. IT security can provide protection only against logical or technical attacks
E. Risks to an IT infrastructure are all computer based
E


What is the result of -54 mod 10
A. 4
B. 6
C. -6
D. None of the mentioned
E. -4
B


______ is the most important and distinctive concept in relation to layered security.
A. Multiple
B. Series
C. Parallel
D. Filter
E. None of the other choices
B


Which commercial business/private sector data classification is used to control information about individuals within an organization?
A. Confidential
B. Private
C. Sensitive
D. Proprietary
E. None of the other choices
B


DDOS attack is ______
A. One-to-many IP addresses
B. Many-to-one IP addresses
C. One-to-one IP address
D. Many-to-many IP addresses
E. None of the mentioned
B


What method can be used in online-password attack ? (choose two)
A. Dictionary attack
B. Brute force attack
C. SQL injection
D. Cross-site-scripting
E. None of the above
A, B


Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
Devices that pierce the shielding of copper cables
A. Vampire Taps
B. DHCP Servers
C. Routers
D. NIDS/NIPS
E. None of the mentioned
A


Which protocol is not supported by Snort?
A. IP
B. UDP
C. IGMP
D. ICMP
E. None of the mentioned
C


Distributed database used to map between domain names and IP addresses
A.Modes of detection
B. Inline Network Taps
C. Vampire Taps
D. Domain Name System (DNS)
E. None of the mentioned
D


Which attack involves continual requests from a range of remote hosts?
A. DoS attack
B. Man-in-the-middle
C. Worm spread
D. DDoS attack
E. None of the mentioned
D


...
...


The mark average of Bob and Alice is 20%, Bob and Eve is 30%, and Alice and Eve is 40%. What is Bob's mark?
A. 10%
B. 30%
C. 50%
D. 40%
E. 20%
A


The mark average of Bob and Alice is 20%, Bob and Eve is 30%, and Alice and Eve is 40%. What is Eve's mark?
A. 20%
B. 40%
C. 30%
D. 50%
E. 10%
D


The mark average of Bob and Alice is 70%, Bob and Eve is 60%, and Alice and Eve is 30%. What is Alice's mark?
A. 40%
B. 100%
C. 20%
D. 30%
E. 10%
A


The item ______ is a primary purpose of an exit interview.
A. To return the exiting employee's personal belongings
B. To review the NDA (nondisclosure agreement)
C. To evaluate the exiting employee's performance
D. To cancel the exiting employee's network access accounts
E. None of the mentioned
B


What is something that the organization owns?
A. An asset
B. A vulnerability
C. An exploit
D. A risk
E. None of the mentioned
A


MAC refers to
A. Medium Access Control
B. Machine Address Control
C. Machine Assess Control
D. None of the mentioned
D. Media Access Control instead


HTML is ______?
A. Hypertext Markup Language
B. Hypertext Makeup Language
C. High Markup Language
D. Hypertext Markup Loop
E. None of the mentioned
A


Which of the following is an example of the theft of network passwords without the use of software tools?
A. Trojan programs
B. Social engineering
C. Sniffing
D. Hacking
E. None of the mentioned
B


Database/web/email/chat/voicemail servers
A. DNS/Name Servers
B. DHCP Servers
C. Application servers
D. Authentication Servers
C


What port is used to connect to the Active Directory in Windows 2000?
A. 80
B. 445
C. 139
D. 389
D


The item _____ is NOT considered an example of data hiding
A. Keeping a database from being accessed by unauthorized visitors
B. Preventing an authorized reader of an object from deleting that object
C. None of the above
D. Restricting a subject at a lower classification level from accessing data at a higher classification level
E. Preventing an application from accessing hardware directly
B


A network sniffer program is an example of
A. Evidence development tool
B. Packet collection tool
C. Packet formatting tool
D. None of the above
B


Which of the following type of attack CANNOT be deterred solely through technical means?
A. Dictionary
B. Man in the middle
C. DoS (Denial of Service)
D. Social engineering
D


Which type of IDS matches to well-known patterns
A. Anomaly detection
B. Passive
C. Honeypot
D. Signature-based
E. None of the above
D


How many keys (in total) are used in public-key encryption:
A. None
B. One
C. Two
D. Four
D


The item ______ is the primary goal of change management
A. Preventing security compromises
B. Keeping users informed of changes
C. Allowing rollback of failed changes
D. Maintaining documentation
E. None of the other choices
A


Which is not an in-build role in .NET
A. WindowsBuiltInRole.Guest
B. WindowsBuiltInRole.User
C. WindowsBuiltInRole.Anonymous
D. WindowsBuiltInRole.Administrator
E. None of the above
C


The SYN flag is
A. Key to finding the starting point of a connection
B. Last packet in that specific transmission
C. None of the above
D. The least most significant bit in the first nibble (4 bits make a nibble and two nibbles make a byte)
A


What is the likelihood of the occurance of something that could cause harm, loss or damage:
A. A risk
B. A threat
C. An asset
D. A vulnerability
E. An exploit
A


Rules, Alerts, packet capture is
A. DNS/Name Servers
B. NIDS/NIPS components
C. NIDS/NIPS
D. Induction coils
B


The item ________ is the weakest element in any security solution
A. Internet connections
B. Security policies
C. Software products
D. None of the mentioned
E. Humans
E


Provides mapping between IP addresses and MAC for a local subnet
A. Address Resolution Protocol (ARP)
B. Internet Protocol (IP)
C. HyperText Transfer Protocol (HTTP)
D. Internet Control Message Protocol (ICMP)
A


What element of data categorization management can override all other forms of access control?
A. Classification
B. Physical access
C. Custodian responsibilities
D. Taking ownership
D


Which is the easiest way for an intruder to defeat an IDS?
A. Compromise the firewall
B. Create a tunnel
C. Install a good virus scanner
D. None of the mentioned
E. Use UDP for the transport layer
B


Layer 4 the transmitted encapsulated data is know as a _____________
A. segment
B. data frame
C. None of the mentioned
D. data packet
A


Stores web surfing log for an entire organization
A. Routers
B. DHCP Servers
C. Web proxies
D. Firewalls
C


Which threat involves users gaining access to a system using another person's user ID and password:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Disclosure of Confidential Information
4.Hacker attacks
5.Cyber Terrorism
1.Unauthorized access


Which threat involves the loss of data:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Disclosure of Confidential Information
4.Hacker attacks
5.Cyber Terrorism
2.Stolen/Lost/Damaged/Modified Data


Which threat involves information being showin to unauthorized people:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Disclosure of Confidential Information
4.Hacker attacks
5.Cyber Terrorism
3.Disclosure of Confidential Information


Which threat involves an unauthorized person attacking systems and/or data within an organisation:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Disclosure of Confidential Information
4.Hacker attacks
5.Cyber Terrorism
4.Hacker attacks


Which threat involves an attack against national infrastructures:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Disclosure of Confidential Information
4.Hacker attacks
5.Cyber Terrorism
5.Cyber Terrorism


Which threat involves malious software against which intend to do damage:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Viruses and Malware
4.Denial of Service
5.Natural Disasters
3.Viruses and Malware


Which threat involves a continuous drain in network and/or server resources from continual accesses for a service:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Viruses and Malware
4.Denial of Service
5.Natural Disasters
4.Denial of Service


Which threat involves natural disasters:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Viruses and Malware
4.Denial of Service
5.Natural Disasters
5.Natural Disasters


What is the likelihood of the occurance of something that could cause harm, loss or damage:
1.A risk
2.A threat
3.An asset
4.A vulnerability
5.An exploit
1.A risk


What is something that could cause harm, loss or damage:
1.A risk
2.A threat
3.An asset
4.A vulnerability
5.An exploit
2.A threat


What is something that the organisation owns:
1.A risk
2.A threat
3.An asset
4.A vulnerability
5.An exploit
3.An asset


What is a weakness in a system:
1.A risk
2.A threat
3.An asset
4.A vulnerability
5.An exploit
4.A vulnerability


What is a entity which takes advantage of a weakness in a system:
1.A risk
2.A threat
3.An asset
4.A vulnerability
5.An exploit
5.An exploit


Which is the term used to describe the focus of the security testing:
1.Target of evaluation
2.Target of interest
3.Asset of interest
4.Asset infrastructure
1.Target of evaluation


Which is the term used for testing with no knowledge of the target of interest:
1.Blackbox
2.Whitebox
3.Graybox
4.Yellobox
1.Blackbox


Which is the term used for testing with an extensive knowledge of the target of interest:
1.Blackbox
2.Whitebox
3.Graybox
4.Yellobox
2.Whitebox


Which is the term used for testing with a partial knowledge of the target of interest:
1.Blackbox
2.Whitebox
3.Graybox
4.Yellobox
3.Graybox


What does C stand for in CIA:
1.Compression
2.Collection
3.Comparison
4.Confidentiality
5.Containment
4.Confidentiality


What does I stand for in CIA:
1.Information
2.Integrity
3.Integrate
4.Immediate
5.Isolate
2.Integrity


What does A stand for in CIA:
1.Assurance
2.Avoidance
3.Anti-spoof
4.Anomoly
5.Artifical
1.Assurance


Which can be defined as the best definition of integrity:
1.Only authorized entities can access sensitive data
2.Only authorized entities can change sensitive data
3.Only authorized entities have continual access to data
2.Only authorized entities can change sensitive data


Which can be defined as the best definition of integrity:
1.Only authorized entities can access sensitive data
2.Changes data by unauthorized entities is detected
3.Only authorized entities have continual access to data
2.Changes data by unauthorized entities is detected


Which can be defined as the best definition of confidentiality:
1.Only authorized entities can access sensitive data
2.Only authorized entities can change sensitive data
3.Only authorized entities have continual access to data
1.Only authorized entities can access sensitive data


Which can be defined as the best definition of availability:
1.Only authorized entities can access sensitive data
2.Only authorized entities can change data
3.Only authorized entities have continual access to data
3.Only authorized entities have continual access to data


Which helps with Confidentiality:
1.Mirrored servers
2.Locked doors
3.Failover devices
4.Fast network speeds
5.Improved network interfaces
2.Locked doors


Which helps with Confidentiality:
1.Mirrored servers
2.Armed guards
3.Failover devices
4.Fast network speeds
5.Improved network interfaces
2.Armed guards


Which helps with Confidentiality:
1.Mirrored servers
2.Fences
3.Failover devices
4.Fast network speeds
5.Improved network interfaces
2.Fences


Which threat involves users gaining access to a system using another person's user ID and password:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Disclosure of Confidential Information
4.Hacker attacks
5.Cyber Terrorism
1


Which threat involves the loss of data:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Disclosure of Confidential Information
4.Hacker attacks
5.Cyber Terrorism
2


Which threat involves information being showin to unauthorized people:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Disclosure of Confidential Information
4.Hacker attacks
5.Cyber Terrorism
3


Which threat involves an unauthorized person attacking systems and/or data within an organisation:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Disclosure of Confidential Information
4.Hacker attacks
5.Cyber Terrorism
4


Which threat involves an attack against national infrastructures:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Disclosure of Confidential Information
4.Hacker attacks
5.Cyber Terrorism
5


Which threat involves malious software against which intend to do damage:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Viruses and Malware
4.Denial of Service
5.Natural Disasters
3


Which threat involves a continuous drain in network and/or server resources from continual accesses for a service:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Viruses and Malware
4.Denial of Service
5.Natural Disasters
4


Which threat involves natural disasters:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Viruses and Malware
4.Denial of Service
5.Natural Disasters
5


What is the likelihood of the occurance of something that could cause harm loss or damage:
1.A risk
2.A threat
3.An asset
4.A vulnerability
5.An exploit
1


What is something that could cause harm loss or damage:
1.A risk
2.A threat
3.An asset
4.A vulnerability
5.An exploit
2


What is something that the organisation owns:
1.A risk
2.A threat
3.An asset
4.A vulnerability
5.An exploit
3


What is a weakness in a system:
1.A risk
2.A threat
3.An asset
4.A vulnerability
5.An exploit
4


What is a entity which takes advantage of a weakness in a system:
1.A risk
2.A threat
3.An asset
4.A vulnerability
5.An exploit
5


Which is the term used to describe the focus of the security testing:
1.Target of evaluation
2.Target of interest
3.Asset of interest
4.Asset infrastructure
1


Which is the term used for testing with no knowledge of the target of interest:
1.Blackbox
2.Whitebox
3.Graybox
4.Yellobox
1


Which is the term used for testing with an extensive knowledge of the target of interest:
1.Blackbox
2.Whitebox
3.Graybox
4.Yellobox
2


Which is the term used for testing with a partial knowledge of the target of interest:
1.Blackbox
2.Whitebox
3.Graybox
4.Yellobox
3


What does C stand for in CIA:
1.Compression
2.Collection
3.Comparison
4.Confidentiality
5.Containment
4


What does I stand for in CIA:
1.Information
2.Integrity
3.Integrate
4.Immediate
5.Isolate
2


What does A stand for in CIA:
1.Assurance
2.Avoidance
3.Anti-spoof
4.Anomoly
5.Artifical
1


Which can be defined as the best definition of integrity:
1.Only authorized entities can access sensitive data
2.Only authorized entities can change sensitive data
3.Only authorized entities have continual access to data
2


Which can be defined as the best definition of integrity:
1.Only authorized entities can access sensitive data
2.Changes data by unauthorized entities is detected
3.Only authorized entities have continual access to data
2


Which can be defined as the best definition of confidentiality:
1.Only authorized entities can access sensitive data
2.Only authorized entities can change sensitive data
3.Only authorized entities have continual access to data
1


Which can be defined as the best definition of availability:
1.Only authorized entities can access sensitive data
2.Only authorized entities can change data
3.Only authorized entities have continual access to data
3


Which helps with Confidentiality:
1.Mirrored servers
2.Locked doors
3.Failover devices
4.Fast network speeds
5.Improved network interfaces
2


Which helps with Confidentiality:
1.Mirrored servers
2.Armed guards
3.Failover devices
4.Fast network speeds
5.Improved network interfaces
2


Which helps with Confidentiality:
1.Mirrored servers
2.Fences
3.Failover devices
4.Fast network speeds
5.Improved network interfaces
2


Which helps with Confidentiality:
1.Mirrored servers
2.Firewalls
3.Failover devices
4.Fast network speeds
5.Improved network interfaces
2


Which helps with Confidentiality:
1.Mirrored servers
2.Passwords
3.Failover devices
4.Fast network speeds
5.Improved network interfaces
2


Which helps with Confidentiality:
1.Mirrored servers
2.Encryption
3.Access control
4.Fast network speeds
5.Improved network interfaces
2


Which helps with Integrity:
1.Mirrored servers
2.Encryption
3.Access control
4.Fast network speeds
5.Improved network interfaces
3


Which helps with Integrity:
1.Mirrored servers
2.Windows File Protection
3.Failover
4.Fast network speeds
5.Improved network interfaces
2


Which helps with Integrity:
1.Mirrored servers
2.MD5 checksum
3.Failover
4.Fast network speeds
5.Improved network interfaces
2


Which helps with Integrity:
1.Mirrored servers
2.SHA-1 checksum
3.Failover
4.Fast network speeds
5.Improved network interfaces
2


Which helps with Availability:
1.Failover equipment
2.Encryption
3.Authentication
4.Fast network speeds
5.Improved network interfaces
1


Which helps with Assurance:
1.Mirrored servers
2.Encryption
3.Access control
4.Fast network speeds
5.Improved network interfaces
1


Which entity helps with Confidentiality:
1.Mirroring server
2.VPN server
3.Network Operating System
2


Which entity helps with Integrity:
1.Mirroring server
2.VPN server
3.Network Operating System
3


Which entity helps with Assurance:
1.Mirroring server
2.VPN server
3.Network Operating System
1


Which is an Ethical hacker:
1.White hat
2.Black hat
3.Grey hat
4.Blue hat
5.Top hat
1


Which is an Unethical hacker:
1.White hat
2.Black hat
3.Grey hat
4.Blue hat
5.Top hat
2


Which is both an Unethical and an Ethical hacker:
1.White hat
2.Black hat
3.Grey hat
4.Blue hat
5.Top hat
3


Which is a bug tester:
1.White hat
2.Black hat
3.Grey hat
4.Blue hat
5.Top hat
4


Which hacker is motivated by financial gain and has criminal intent:
1.White hat
2.Cracker
3.Phreakers
4.Script kiddies
5.Hacktvist
2


Which hacker hacks telephone systems:
1.White hat
2.Cracker
3.Phreakers
4.Script kiddies
5.Hacktvist
3


Which hacker does not have many skills and use standard
scripting tools:
1.White hat
2.Cracker
3.Phreakers
4.Script kiddies
5.Hacktvist
4


Which hacker has a political agenda:
1.White hat
2.Cracker
3.Phreakers
4.Script kiddies
5.Hacktvist
5


Which hacker focuses on wireless LAN and WANs:
1.Whacker
2.Cracker
3.Phreakers
4.Script kiddies
5.Hacktvist
1


Which hacker tries to reverse engineer software applications:
1.Software Cracker
2.Cracker
3.Phreakers
4.Script kiddies
5.Hacktvist
1


Which test does not include a hand-on test:
1.High-level assessment
2.Network evaluation
3.Penetration tests
1


Which is a Level I assessment:
1.High-level assessment
2.Network evaluation
3.Penetration tests
1


Which test involves information gathering scanning and vulnerability assessment scanning:
1.High-level assessment
2.Network evaluation
3.Penetration tests
2


Which is a Level II assessment:
1.High-level assessment
2.Network evaluation
3.Penetration tests
2


Which test involves taking on an adversarial role:
1.High-level assessment
2.Network evaluation
3.Penetration tests
3


Which is a Level III assessment:
1.High-level assessment
2.Network evaluation
3.Penetration tests
3


Which type of user can often bypass security implementations:
1.Script kiddies
2.External data miners
3.Inside attackers
4.Internet-based worms
3


Which attack simulates an authorized user with legitimate connections to the organisations network:
1.Inside attack
2.Outsider attack
3.Stolen equipment attack
4.Physical entry attack
5.Bypassed authentication attack
1


Which attack simulates an attack launched across the Internet:
1.Inside attack
2.Outsider attack
3.Stolen equipment attack
4.Physical entry attack
5.Bypassed authentication attack
2


Which attack tests the removal of physical equipment:
1.Inside attack
2.Outsider attack
3.Stolen equipment attack
4.Physical entry attack
5.Bypassed authentication attack
3


Which attack tests for the actual entry into the organisation:
1.Inside attack
2.Outsider attack
3.Stolen equipment attack
4.Physical entry attack
5.Bypassed authentication attack
4


Which attack tests for weaknesses in the authentication into the system:
1.Inside attack
2.Outsider attack
3.Stolen equipment attack
4.Physical entry attack
5.Bypassed authentication attack
5


Which attack tests employees for weaknesses in their procedures:
1.Inside attack
2.Outsider attack
3.Stolen equipment attack
4.Physical entry attack
5.Social engineering attack
5


In the US which regulations allow banks, security firms and insurance companies to merge/share data:
1.Gramm-Leach-Bliley Act
2.US Health Insurance Portablity and Accountablity Act (HIPAA)
3.Sarbanes-Oxley (SOX) Act
4.Security and Freedom through Encryption (SAFE)
5.Computer Fraud and Abuse Act
1


In the US which regulations relate to the security of electronic patient records:
1.Gramm-Leach-Bliley Act
2.US Health Insurance Portablity and Accountablity Act (HIPAA)
3.Sarbanes-Oxley (SOX) Act
4.Security and Freedom through Encryption (SAFE)
5.Computer Fraud and Abuse Act
2


In the US which regulations relate to transparent account and reporting of companies:
1.Gramm-Leach-Bliley Act
2.US Health Insurance Portablity and Accountablity Act (HIPAA)
3.Sarbanes-Oxley (SOX) Act
4.Security and Freedom through Encryption (SAFE)
5.Computer Fraud and Abuse Act
3


In the US which regulations define the rights of US Citizens to the use of encryption without key escrow:
1.Gramm-Leach-Bliley Act
2.US Health Insurance Portablity and Accountablity Act (HIPAA)
3.Sarbanes-Oxley (SOX) Act
4.Security and Freedom through Encryption (SAFE)
5.Computer Fraud and Abuse Act
4


In the US which regulations aim to reduce hacking by defining penalties against incidents:
1.Gramm-Leach-Bliley Act
2.US Health Insurance Portablity and Accountablity Act (HIPAA)
3.Sarbanes-Oxley (SOX) Act
4.Security and Freedom through Encryption (SAFE)
5.Computer Fraud and Abuse Act
5


In the US which regulations respects the rights of the individual unless permission is given:
1.Gramm-Leach-Bliley Act
2.US Health Insurance Portablity and Accountablity Act (HIPAA)
3.Sarbanes-Oxley (SOX) Act
4.Security and Freedom through Encryption (SAFE)
5.Privacy Act of 1974
5


In the US which regulations aim to strengthen US federal government security by the use of yearly audits:
1.Federal Information Security Management Act (FISMA)
2.US Health Insurance Portablity and Accountablity Act (HIPAA)
3.Sarbanes-Oxley (SOX) Act
4.Security and Freedom through Encryption (SAFE)
5.Privacy Act of 1974
1


In the US which regulations aims to criminalise the minuse of trade secrets:
1.Federal Information Security Management Act (FISMA)
2.Economic Espionage Act of 1996
3.Sarbanes-Oxley (SOX) Act
4.Security and Freedom through Encryption (SAFE)
5.Privacy Act of 1974
2


In the US which is the main statute for computer crime related to fraud and related activity with access devices:
1.Title 18: Crimes and Criminal Procedure ... Sections 1029
2.Title 18: Crimes and Criminal Procedure ... Sections 1030
3.Sarbanes-Oxley (SOX) Act
4.Security and Freedom through Encryption (SAFE)
5.Privacy Act of 1974
1


In the US which is the main statute for computer crime related to fraud and related activity with computers:
1.Title 18: Crimes and Criminal Procedure ... Sections 1029
2.Title 18: Crimes and Criminal Procedure ... Sections 1030
3.Sarbanes-Oxley (SOX) Act
4.Security and Freedom through Encryption (SAFE)
5.Privacy Act of 1974
2


In the US which permits the government to monitor hackers without a warrant:
1.Title 18: Crimes and Criminal Procedure ... Sections 1029
2.Title 18: Crimes and Criminal Procedure ... Sections 1030
3.Providing Approporiate Tools Required to Intercept and Obstruct Terrorism (PATRIOT)
4.Security and Freedom through Encryption (SAFE)
5.Privacy Act of 1974
3


Which is the first phase of a security test:
1.Scope the project
2.Perform the assessment
3.Post assessment activities
1


Which is the second phase of a security test:
1.Scope the project
2.Perform the assessment
3.Post assessment activities
2


Which is the third phase of a security test:
1.Scope the project
2.Perform the assessment
3.Post assessment activities
3


What is required before a security assessment is undertaken:
1.Payment
2.Written permission
3.Air conditioning
4.Heating
5.A desk
2


Which threat involves users gaining access to a system using another person's user ID and password:
1.Unauthorized access
2.Stolen/Lost/Damaged/Modified Data
3.Disclosure of Confidential Information
4.Hacker attacks
5.Cyber Terrorism
1


Which is normally the first step in compromising targets/applications:
1.Reconnaissance
2.Enumerate applications/operating systems
3.Manipulate users to gain access
4.Escalate priviliges
5.Maintaining access
1


Which is normally the second step in compromising targets/applications:
1.Reconnaissance
2.Enumerate applications/operating systems
3.Manipulate users to gain access
4.Escalate priviliges
5.Maintaining access
2


Which is normally the third step in compromising targets/applications:
1.Reconnaissance
2.Enumerate applications/operating systems
3.Manipulate users to gain access
4.Escalate priviliges
5.Maintaining access
3


Which is normally the forth step in compromising targets/applications:
1.Reconnaissance
2.Enumerate applications/operating systems
3.Manipulate users to gain access
4.Escalate priviliges
5.Maintaining access
4


Which is normally the fifth step in compromising targets/applications:
1.Reconnaissance
2.Enumerate applications/operating systems
3.Manipulate users to gain access
4.Escalate priviliges
5.Maintaining access
5


Which is normally the last step in compromising targets/applications:
1.Reconnaissance
2.Enumerate applications/operating systems
3.Manipulate users to gain access
4.Escalate priviliges
5.Coverting tracks/adding backdoors
5


Which layer of the OSI model represents the Application Layer:
1.3
2.4
3.5
4.6
5.7
5


Which layer of the OSI model represents the Presentation Layer:
1.3
2.4
3.5
4.6
5.7
4


Which layer of the OSI model represents the Session Layer:
1.3
2.4
3.5
4.6
5.7
3


Which layer of the OSI model represents the Transport Layer:
1.3
2.4
3.5
4.6
5.7
2


Which layer of the OSI model represents the Network Layer:
1.3
2.4
3.5
4.6
5.7
1


Which organization originally developed the OSI model:
1.DARPA
2.ISO
3.CERN
4.IEEE
5.TCP/IP
2


The three lower layers of the OSI model are:
1.Physical data link and application
2.Physical, network and transport
3.Physical, data link and network
4.Physical, network and session
5.TCP/IP
3


Which of the following is not an advantage of the OSI model:
1.
It allows manufacturers of different systems to interconnect their equipment through standard interfaces

2.It allows computers to operate faster
3.It allows software and hardware to integrate well and be portable on differing systems
4.It creates a model which all the countries of the world use
5.TCP/IP
2


The function of the data link layer in the OSI model is:
1.Control of session between two nodes
2.Ensures reliable transmission of bits
3.Routing switching and flow control over a network
4.Network transparent data transfer and transmission control
5.TCP/IP
2


Which of the following is a MAC address:
1.0000.0E64.5432
2.146.176.151.130
3.F5332B10:00000E645432
4.NETPRINTER
5.
1


What is a source address:
1.An address that the host receives data on
2.An address that the host sends data on
3.An address that changes as the host transmits data
4.An address that changes as the host receives data
5.
1


Which of the following is the correct order of the OSI model:
1.Physical data, network, session , transport, application, presentation
2.Physical, network, data, transport, session, presentation, application
3.Physical, data, network, transport, session, presentation, application
4.Physical, data, network, transport, presentation, session, application
5.
3


Which of the following is not a reason for using a layered network model:
1.Standardizes interfaces of hardware and software
2.Simplifies teaching and learning
3.Reduces overlap
4.Improve interoperability
5.
3


Which of the following is not a purpose of the OSI model:
1.Ensures that computers can operate as stand-alone devices
2.Defines a standard way to describe how data travels on a network
3.Replaces a number of competing standards with a single standard
4.Simplifies the networking process by splitting it up into seven layers
5.
1


Which of the following best describes the session layer:
1.Defines data structures and negotiation data transfer syntax
2.Ensures reliable transit of data across the physical layer
3.Provides connectivity and path selection between two end systems
4.Manages data exchange between presentation layer entities
5.
4


Which of the following best describes the presentation layer:
1.Defines data structures and negotiation data transfer syntax
2.Ensures reliable transit of data across the physical layer
3.Provides connectivity and path selection between two end systems
4.Manages data exchange between presentation layer entities
5.
4


What functions are the data link layer concerned with:
1.Physical addressing network topology, and media access
2.Manages data exchange between presentation layer entities
3.Provides connectivity and path selection between two end systems
4.Establishment, maintenance, and termination of virtual circuits, transport fault detection, recovery, and information flow control
5.
1


Which of the following best defines data encapsulation:
1.Segmenting data into a number of data packets
2.Encrypting data so that it can only be read by the destination user
3.Adding additional information that the data can be viewed properly
4.Wrapping the data in a particular protocol header
5.
4


What is one function of the physical layer of the OSI model?
1.Physical addressing of computers on the network media
2.Data transmission across the network media
3.Defines the format of the data frame that is transmitted
4.Network services to applications
5.
2


How is the function of the physical layer accomplished:
1.Using networking protocols
2.Using physical addressing
3.Conversion of signals into binary patterns
4.Using wires
4


Which server port does FTP typically use:
1.21
2.23
3.161
4.1723
5.455
1


Which server port does Telnet typically use:
1.21
2.23
3.161
4.1723
5.445
2


Which server port does SNMP typically use:
1.21
2.23
3.161
4.1723
5.445
3


Which server port does PPTP typically use:
1.21
2.23
3.161
4.1723
5.445
4


Which server port does Direct Host typically use:
1.21
2.23
3.161
4.1723
5.445
5


Which server port does NetBIOS over TCP typically use:
1.139
2.3389
3.161
4.1723
5.455
1


Which server port does Terminal Services typically use:
1.139
2.3389
3.161
4.1723
5.455
2


Which server port does Microsoft Remote Desktop typically use:
1.139
2.3389
3.161
4.1723
5.455
2


Which is the TCP flag for start of a connection:
1.RST
2.SYN
3.ACK
4.URG
5.FIN
2


In the three-way handshake who generates a "SYN":
1.Client
2.Server
3.Either client or server
4.Neither client nor server
1


In the three-way handshake who generates a "SYN, ACK":
1.Client
2.Server
3.Either client or server
4.Neither client nor server
2


In the three-way handshake who generates a "ACK":
1.Client
2.Server
3.Either client or server
4.Neither client nor server
1


<quest id="000005">
What advantage does SSH have over TELNET:
1.It is faster
2.It is more compatiable
3.It is more secure
4.It is easier to configure
5.It supports more connections
3


Which layer of the OSI Model does HTTP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
1


Which layer of the OSI Model does FTP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
1


Which layer of the OSI Model does SMTP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
1


Which layer of the OSI Model does FTP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
1


Which layer of the OSI Model does POP3 fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
1


Which layer of the OSI Model does NTP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
1


Which layer of the OSI Model does SNMP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
1


Which layer of the OSI Model does TFTP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
1


Which layer of the OSI Model does DNS fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
1


Which layer of the OSI Model does DHCP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
1


Which layer of the OSI Model does Telnet fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
1


Which layer of the OSI Model does the login part of Telnet fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
3


Which layer of the OSI Model does the login part of SQL fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
3


Which layer of the OSI Model does TCP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
4


Which layer of the OSI Model does UDP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
4


Which layer of the OSI Model does IP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
5


Which layer of the OSI Model does IPX fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
5


Which layer of the OSI Model does ICMP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
5


Which layer of the OSI Model does OSPF fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
5


Which layer of the OSI Model does IGRP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
5


Which layer of the OSI Model does EIGRP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
5


Which layer of the OSI Model does RIP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
5


Which layer of the OSI Model does ISIS fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
5


Which layer of the OSI Model does ARP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
5


Which layer of the OSI Model does RARP fit into:
1.Application
2.Presentation
3.Session
4.Transport
5.Network
5


Which transport layer protocol does DNS use:
1.IP
2.TCP
3.UDP
4.ICMP
5.HTTP
3


Which port does DNS use:
1.21
2.23
3.53
4.80
5.110
3


Typically which TCP server port does FTP use:
1.21
2.23
3.53
4.80
5.110
1


Typically which TCP server port does TELNET use:
1.21
2.23
3.53
4.80
5.110
2


Typically which TCP server port does TFTP use:
1.21
2.23
3.53
4.69
5.1433
4


Typically which TCP server port does MS-SQL use:
1.21
2.23
3.53
4.69
5.1433
5


Typically which TCP server port does LDAP use:
1.389
2.23
3.53
4.69
5.1433
1


Typically which TCP server port does HTTP use:
1.21
2.23
3.53
4.80
5.110
4


Typically which TCP server port does POP-3 use:
1.21
2.23
3.53
4.80
5.110
5


Which application layer protocol is used to send email:
1.SMTP
2.SNMP
3.POP-3
4.IMAP
5.SSH
1


Which application layer protocol is used to read email:
1.SMTP
2.SNMP
3.POP-3
4.FTP
5.SSH
3


Which application layer protocol is used to read email:
1.SMTP
2.SNMP
3.IMAP
4.FTP
5.SSH
3


<quest>
Which TCP port does SMTP use
1.21
2.23
3.25
4.110
5.143
3


Which TCP port does IMAP use
1.21
2.23
3.25
4.110
5.143
5


Which UDP port does DNS use
1.21
2.23
3.53
4.80
5.110
3


Which layer of the OSI Model does Ethernet fit into:
1.Transport
2.Network
3.Data link
4.Physical
5.Application
3


Which layer of the OSI Model does Frame Relay fit into:
1.Transport
2.Network
3.Data link
4.Physical
5.Application
3


Which layer of the OSI Model does PPP fit into:
1.Transport
2.Network
3.Data link
4.Physical
5.Application
3


Which layer of the OSI Model does HDLC fit into:
1.Transport
2.Network
3.Data link
4.Physical
5.Application
3


Which layer of the OSI Model does CDP fit into:
1.Transport
2.Network
3.Data link
4.Physical
5.Application
3


The three lower layers of the OSI model are:
1.Physical data link and application
2.Physical, network and transport
3.Physical, data link and network
4.Physical, network and session
5.TCP/IP
3


As a baseline how can the overall security of a system be assessed:
1.It is as secure as the most secure element
2.It is as secure as the least secure element
3.It is as secure as the average of all the elements
2


Which are layer 3 protocols (select four):
1.IP
2.IPX
3.ICMP
4.ARP
5.TCP
<6>UDP</6>
1


Which are layer 4 protocols (select four):
1.IP
2.IPX
3.ICMP
4.ARP
5.TCP
<6>UDP</6>
4


At which layer to switches typically work at:
1.Layer 1
2.Layer 2
3.Layer 3
4.Layer 4
5.Layer 5
2


Which casting method sends a seperate packet to each destination:
1.Unicast
2.Broadcast
3.Multicast
4.Forecast
1


Which casting method sends a single packet to all subscribed destinations:
1.Unicast
2.Altcast
3.Multicast
4.Forecast
3


Which is a Class A address:
1.10.0.0.1
2.146.10.10.1
3.192.168.0.1
4.224.0.0.2
5.240.10.10.1
1


Which is a Class B address:
1.10.0.0.1
2.146.10.10.1
3.192.168.0.1
4.224.0.0.2
5.240.10.10.1
2


Which is a Class C address:
1.10.0.0.1
2.146.10.10.1
3.192.168.0.1
4.224.0.0.2
5.240.10.10.1
3


Which is a multicast address:
1.10.0.0.1
2.146.10.10.1
3.192.168.0.1
4.224.0.0.2
5.240.10.10.1
4


Which IP address classification does multicast use:
1.Class A
2.Class B
3.Class C
4.Class D
5.Class E
4


Which casting method sends a seperate packet to each destination:
1.Unicast
2.Broadcast
3.Multicast
4.Forecast
1


Which casting method sends a single packet to all subscribed destinations:
1.Unicast
2.Altcast
3.Multicast
4.Forecast
3


Which is a Class A address:
1.10.0.0.1
2.146.10.10.1
3.192.168.0.1
4.224.0.0.2
5.240.10.10.1
1


Which is a Class B address:
1.10.0.0.1
2.146.10.10.1
3.192.168.0.1
4.224.0.0.2
5.240.10.10.1
2


Which is a Class C address:
1.10.0.0.1
2.146.10.10.1
3.192.168.0.1
4.224.0.0.2
5.240.10.10.1
3


Which is a multicast address:
1.10.0.0.1
2.146.10.10.1
3.192.168.0.1
4.224.0.0.2
5.240.10.10.1
4


Which IP address classification does multicast use:
1.Class A
2.Class B
3.Class C
4.Class D
5.Class E
4


Which layer of the OSI model represents the Application Layer:
1.3
2.4
3.5
4.6
5.7
5


For a network address of 192.168.5.0/26 what is the last IP address on the first subnet:
1.192.168.5.254
2.192.168.5.128
3.192.168.5.127
4.192.168.5.255
5.192.168.5.64
3


For a network address of 192.168.5.0/26 what is the first IP address on the first subnet:
1.192.168.5.0
2.192.168.5.1
3.192.168.5.64
4.192.168.5.65
5.192.168.5.128
3


For a network address of 172.16.0.0/18 what is the last IP address on the first subnet:
1.172.16.32.254
2.172.16.127.254
3.172.16.255.254
4.172.16.0.254
5.172.16.64.254
2


For a network address of 172.16.0.0/18 what is the first IP address on the first subnet:
1.172.16.16.1
2.172.16.32.1
3.172.16.64.1
4.172.16.128.1
5.172.16.1.1
3


For a network address of 10.0.0.0/10 what is the last IP address on the first subnet:
1.10.32.255.254
2.10.127.255.254
3.10.255.255.254
4.10.32.0.254
5.10.64.0.254
2


For a network address of 10.0.0.0/10 what is the first IP address on the first subnet:
1.10.16.0.1
2.10.32.0.1
3.10.64.0.1
4.10.128.0.1
5.10.1.0.1
3


For a network address of 172.16.0.0/18 what is the first usable subnet network address:
1.172.16.8.0
2.172.16.16.0
3.172.16.32.0
4.172.16.64.0
5.172.16.128.0
4


For a network address of 172.16.0.0/18 what is the second usable subnet network address:
1.172.16.8.0
2.172.16.16.0
3.172.16.32.0
4.172.16.64.0
5.172.16.128.0
5


For a network address of 192.168.3.0/26 what is the first usable subnet network address:
1.192.168.3.8
2.192.168.3.16
3.192.168.3.32
4.192.168.3.64
5.192.168.3.128
4


For a network address of 192.168.3.0/26 what is the second usable subnet network address:
1.192.168.3.8
2.192.168.3.16
3.192.168.3.32
4.192.168.3.64
5.192.168.3.128
4


For a network address of 10.0.0.0/10 what is the first usable subnet network address:
1.10.8.0.0
2.10.16.0.0
3.10.32.0.0
4.10.64.0.0
5.10.128.0.0
4


For a network address of 10.0.0.0/10 what is the second usable subnet network address:
1.10.8.0.0
2.10.16.0.0
3.10.32.0.0
4.10.64.0.0
5.10.128.0.0
5


For a network address of 10.0.0.0/11 what is the first usable subnet network address:
1.10.8.0.0
2.10.16.0.0
3.10.32.0.0
4.10.64.0.0
5.10.96.0.0
3


For a network address of 10.0.0.0/11 what is the second subnet network address:
1.10.8.0.0
2.10.16.0.0
3.10.32.0.0
4.10.64.0.0
5.10.96.0.0
4


For a network address of 10.0.0.0/11 what is the third usable subnet network address:
1.10.8.0.0
2.10.16.0.0
3.10.32.0.0
4.10.64.0.0
5.10.96.0.0
5


For a network address of 10.0.0.0/11 what is the fourth usable subnet network address:
1.10.16.0.0
2.10.64.0.0
3.10.128.0.0
4.10.160.0.0
5.10.192.0.0
3


For a network address of 10.0.0.0/11 what is the fifth usable subnet network address:
1.10.16.0.0
2.10.64.0.0
3.10.128.0.0
4.10.160.0.0
5.10.192.0.0
4


For a network address of 10.0.0.0/11 what is the sixth usable subnet network address:
1.10.16.0.0
2.10.64.0.0
3.10.128.0.0
4.10.160.0.0
5.10.192.0.0
5


For a network address of 172.16.0.0/19 what is the first usable subnet network address:
1.172.16.8.0
2.172.16.16.0
3.172.16.32.0
4.172.16.64.0
5.172.16.96.0
3


For a network address of 172.16.0.0/19 what is the second subnet network address:
1.172.16.8.0
2.172.16.16.0
3.172.16.32.0
4.172.16.64.0
5.172.16.96.0
4


For a network address of 172.16.0.0/19 what is the third usable subnet network address:
1.172.16.8.0
2.172.16.16.0
3.172.16.32.0
4.172.16.64.0
5.172.16.96.0
5


For a network address of 172.16.0.0/19 what is the fourth usable subnet network address:
1.172.16.16.0
2.172.16.64.0
3.172.16.128.0
4.172.16.160.0
5.172.16.192.0
3


For a network address of 172.16.0.0/19 what is the fifth usable subnet network address:
1.172.16.16.0
2.172.16.64.0
3.172.16.128.0
4.172.16.160.0
5.172.16.192.0
4


For a network address of 172.16.0.0/19 what is the sixth usable subnet network address:
1.172.16.16.0
2.172.16.64.0
3.172.16.128.0
4.172.16.160.0
5.172.16.192.0
5


For a network address of 192.168.5.0/27 what is the first usable subnet network address:
1.192.168.5.8
2.192.168.5.16
3.192.168.5.32
4.192.168.5.64
5.192.168.5.96
3


For a network address of 192.168.5.0/27 what is the second subnet network address:
1.192.168.5.8
2.192.168.5.16
3.192.168.5.32
4.192.168.5.64
5.192.168.5.96
4


For a network address of 192.168.5.0/27 what is the third usable subnet network address:
1.192.168.5.8
2.192.168.5.16
3.192.168.5.32
4.192.168.5.64
5.192.168.5.96
5


For a network address of 192.168.5.0/27 what is the fourth usable subnet network address:
1.192.168.5.16
2.192.168.5.64
3.192.168.5.128
4.192.168.5.160
5.192.168.5.192
3


For a network address of 192.168.5.0/27 what is the fifth usable subnet network address:
1.192.168.5.16
2.192.168.5.64
3.192.168.5.128
4.192.168.5.160
5.192.168.5.192
4


For a network address of 192.168.5.0/27 what is the sixth usable subnet network address:
1.192.168.5.16
2.192.168.5.64
3.192.168.5.128
4.192.168.5.160
5.192.168.5.192
5


For a Class B address and a subnet mask of 255.255.192.0 how many hosts/subnet are possible:
1.16,382
2.8,190
3.4,094
4.2,046
5.1,022
1


For a Class B address and a subnet mask of 255.255.224.0 how many hosts/subnet are possible:
1.16,382
2.8,190
3.4,094
4.2,046
5.1,022
2


For a Class B address and a subnet mask of 255.255.240.0 how many hosts/subnet are possible:
1.16,382
2.8,190
3.4,094
4.2,046
5.1,022
3


For a Class B address and a subnet mask of 255.255.248.0 how many hosts/subnet are possible:
1.16,382
2.8,190
3.4,094
4.2,046
5.1,022
4


For a Class B address and a subnet mask of 255.255.252.0 how many hosts/subnet are possible:
1.16,382
2.8,190
3.4,094
4.2,046
5.1,022
5


For a Class B address and a subnet mask of 255.255.254.0 how many hosts/subnet are possible:
1.8,190
2.4,094
3.2,046
4.1,022
5.510
5


For a Class B address and a subnet mask of 255.255.255.0 how many hosts/subnet are possible:
1.4,094
2.2,046
3.1,022
4.510
5.254
5


For a Class B address and a subnet mask of 255.255.255.128 how many hosts/subnet are possible:
1.510
2.254
3.126
4.62
5.30
3


For a Class B address and a subnet mask of 255.255.255.192 how many hosts/subnet are possible:
1.510
2.254
3.126
4.62
5.30
4


For a Class B address and a subnet mask of 255.255.255.224 how many hosts/subnet are possible:
1.510
2.254
3.126
4.62
5.30
5


For a Class B address and a subnet mask of 255.255.255.240 how many hosts/subnet are possible:
1.62
2.30
3.14
4.6
5.2
3


Which transport layer protocol does SNMP use:
1.TCP only
2.UDP only
3.TCP or UDP
4.NetBIOS
2


Which transport layer protocol does MS-SQL use:
1.TCP only
2.UDP only
3.TCP or UDP
4.NetBIOS
1


Which transport layer port does FTP use:
1.20/21
2.22
3.23
4.25
5.53
1


Which transport layer port does SSH use:
1.20/21
2.22
3.23
4.25
5.53
2


Which transport layer port does Telnet use:
1.20/21
2.22
3.23
4.25
5.53
3


Which transport layer port does SMTP use:
1.20/21
2.22
3.23
4.25
5.53
4


Which transport layer port does DNS use:
1.20/21
2.22
3.23
4.25
5.53
5


Which transport layer port does TFTP use:
1.69
2.80
3.110
4.135
5.161/162
1


Which transport layer port does HTTP use:
1.69
2.80
3.110
4.135
5.161/162
2


Which transport layer port does POP3 use:
1.69
2.80
3.110
4.135
5.161/162
3


Which transport layer port does RPC use:
1.69
2.80
3.110
4.135
5.161/162
4


Which transport layer port does SNMP use:
1.69
2.80
3.110
4.135
5.161/162
5


Which transport layer port does SNMP use:
1.69
2.80
3.110
4.135
5.1433/1434
5


With Windows which is a data structure which identifies user, group and computer accounts:
1.SID (Security Identifier)
2.RID (Relative Identifiers)
3.UID (User ID)
4.GID (Group ID)
5.LSASS (Local Security Authentority Subsystem)
1


With Windows which is a data structure which identifies a user or group in relation to the authority that the user has:
1.SID (Security Identifier)
2.RID (Relative Identifiers)
3.UID (User ID)
4.GID (Group ID)
5.LSASS (Local Security Authentority Subsystem)
2


For a SID of "S-1-5-21-7623811015-3361044348-030300820-1013" what does the "S" stand for:
1.Security ID
2.Selective ID
3.System ID
4.Subsystem ID
1


For a SID of "S-1-5-21-7623811015-3361044348-030300820-1013" what is the user ID:
1.21
2.7623811015
3.3361044348
4.030300820
5.1013
5


For a SID of "S-1-5-21-7623811015-3361044348-030300820-1013" what does the "-1-" stand for:
1.Update number
2.Revision level
3.System ID
4.NT Authority
2


For a SID of "S-1-5-21-7623811015-3361044348-030300820-1013" what is the domain ID:
1.S-1-5-21
2.5-21-7623811015
3.21-7623811015-3361044348
4.7623811015-3361044348-030300820
5.3361044348-030300820-1013
4


<level>13</level>


For a SID of "S-1-5-21-7623811015-3361044348-030300820-1013" what does the "-5-" stand for:
1.Update number
2.Revision level
3.System ID
4.NT Authority
4


For an SID of "S-1-5-21-7623811015-3361044348-030300820-500" what type of user is it:
1.Guest
2.Kerberos target
3.Admin
4.First user
5.Second user
3


For an SID of "S-1-5-21-7623811015-3361044348-030300820-501" what type of user is it:
1.Guest
2.Kerberos target
3.Admin
4.First user
5.Second user
1


For an SID of "S-1-5-21-7623811015-3361044348-030300820-502" what type of user is it:
1.Guest
2.Kerberos target
3.Admin
4.First user
5.Second user
2


For an SID of "S-1-5-21-7623811015-3361044348-030300820-1000" what type of user is it:
1.Guest
2.Kerberos target
3.Admin
4.First user
5.Second user
4


For an SID of "S-1-5-21-7623811015-3361044348-030300820-1001" what type of user is it:
1.Guest
2.Kerberos target
3.Admin
4.First user
5.Second user
5


Which is the most priviledged mode in the Windows architecture:
1.Ring 0
2.Ring 1
3.Ring 2
4.Ring 3
1


Which is the most priviledged mode in the Windows architecture:
1.Kernal mode
2.Ring 1
3.Ring 2
4.User mode
1


Which is the least priviledged mode in the Windows architecture:
1.Ring 0
2.Ring 1
3.Ring 2
4.Ring 3
4


Which is the least priviledged mode in the Windows architecture:
1.Kernal mode
2.Ring 1
3.Ring 2
4.User mode
4


In the Windows architecture where do device drivers run:
1.Ring 0
2.Ring 1
3.Ring 2
4.Ring 3
1


In the Windows architecture where does the Kernel run:
1.Ring 0
2.Ring 1
3.Ring 2
4.Ring 3
1


In the Windows architecture where is the Hardware Abstraction Layer (HAL):
1.Ring 0
2.Ring 1
3.Ring 2
4.Ring 3
1


In the Windows architecture where do user applications run:
1.Ring 0
2.Ring 1
3.Ring 2
4.Ring 3
4


In the Windows architecture where do service processes run:
1.Ring 0
2.Ring 1
3.Ring 2
4.Ring 3
4


In the Windows where is the SAM database stored:
1.HKEY_USERS\.DEFAULT
2.HKEY_LOCAL_MACHINE\SYSTEM
3.HKEY_LOCAL_MACHINE\SOFTWARE
4.HKEY_LOCAL_MACHINE\SECURITY
5.HKEY_LOCAL_MACHINE\SAM
5


In the Windows where is the SAM database stored:
1.HKEY_USERS\.DEFAULT
2.HKEY_LOCAL_MACHINE\SYSTEM
3.HKEY_LOCAL_MACHINE\SOFTWARE
4.HKEY_LOCAL_MACHINE\SECURITY
5.HKEY_LOCAL_MACHINE\SAM
5


In the Windows how is HKEY_LOCAL_MACHINE accessed:
1.Click Start -> Run -> "klm.exe"
2.Click Start -> Run -> "edit.exe"
3.Click Start -> Run -> "vi.exe"
4.Click Start -> Run -> "cmd.exe"
5.Click Start -> Run -> "regedit.exe"
5


In the Windows which port is used for MS-RPC endpoint mapper:
1.135
2.137
3.138
4.139
5.445
1


In the Windows which port is used for NetBIOS name service:
1.135
2.137
3.138
4.139
5.445
2


In the Windows which port is used for NetBIOS datagram service:
1.135
2.137
3.138
4.139
5.445
3


In the Windows which port is used for NetBIOS session service:
1.135
2.137
3.138
4.139
5.445
4


In the Windows which port is used for SMB over TCP:
1.135
2.137
3.138
4.139
5.445
5


Who originally created NetBIOS:
1.Microsoft
2.Sun Microsystems
3.Novell
4.Intel
5.IBM
5


What is the maximum number of characters for a NetBIOS name:
1.8
2.12
3.15
4.16
5.24
3


<level>13</level>


Which command shows the available domains:
1.net view /domain
2.net view /domain:name
3.net view \\mydomain
4.net use \\mydomain\test w:
1


Which command shows a specific group domain (name):
1.net view /domain
2.net view /domain:name
3.net view \\mymachine
4.net use \\mydomain\test w:
2


Which command shows the details of a specific machine (name):
1.net view /domain
2.net view /domain:name
3.net view \\name
4.net use \\mydomain\name w:
2


Which command mounts a remote system as a drive:
1.net view /domain
2.net view /domain:name
3.net view \\name
4.net use \\mydomain\name w:
4


Refer to the figure. Which command has been used for COMMAND A:
1.net view /domain
2.net view /domain:name
3.net view \\name
4.net use \\mydomain\name w:
1


Refer to the figure. Which command has been used for COMMAND B:
1.net view /domain
2.net view /domain:name
3.net view \\name
4.net use \\mydomain\name w:
2


Refer to the figure. Which command has been used for COMMAND C:
1.net view /domain
2.net view /domain:name
3.net view \\name
4.net use \\mydomain\name w:
3


Which is a known Windows password-cracking program:
1.LOphtcrack
2.Netcat
3.Wireshark
4.Netbus
1


Which is a known program to read and write from a network connection:
1.LOphtcrack
2.Netcat
3.Wireshark
4.Netbus
2


Which is a known program to capture network traffic:
1.LOphtcrack
2.Netcat
3.Wireshark
4.Netbus
3


Which is a known program to remotely control a remote computer:
1.LOphtcrack
2.Netcat
3.Wireshark
4.Netbus
4


Which is a known program to remotely control a remote computer:
1.LOphtcrack
2.Netcat
3.Wireshark
4.Netbus
4


Which is true for an LM Hash of less than 8 characters:
1.The left-most eight bytes are always the same
2.The centre eight bytes are always the same
3.The right-most eight bytes are always the same
4.None of the bytes will be the same
3


How many bytes are used in an LM hash:
1.6
2.8
3.16
4.32
5.48
3


Which command sets up a null session on the IPC$ share:
1.net use \\192.168.0.1\c$ "" /user:""
2.net use \\192.168.0.1\pc$ "" /user:""
3.net use \\192.168.0.1\ipc$ "" /user:""
4.net use \\192.168.0.1\$ "" /user:""
5.net use \\192.168.0.1\i$ "" /user:""
3


Which command sets up a null session on the IPC$ share:
1.net use \\192.168.0.1\c$ "" /user:""
2.net use \\192.168.0.1\pc$ "" /user:""
3.net use \\192.168.0.1\ipc$ "" /user:""
4.net use \\192.168.0.1\$ "" /user:""
5.net use \\192.168.0.1\i$ "" /user:""
3


Which provides strong encryption techniques to increase protection of account password information stored in the registry by the Security Account Manager (SAM):
1.Simple Key (Simkey.exe)
2.Alt-Del Key (AltDelKey.exe)"
3.Crypto Key (Crypto.exe)"
4.Gen Key (Genkey.exe)
5.System Key (Syskey.exe)
5


Which is the main weakness of SNMP Version 1:
1.It is not compatiable with many systems
2.It has high processing rates
3.It sends community strings in cleartext
4.It cannot be decoded on desktops
4


Which program can be used to clear log files:
1.Elsave
2.Auditpol
3.PWdump
4.Cain
1


Which program can be used to disable auditing:
1.Elsave
2.Auditpol
3.PWdump
4.Cain
2


Which program can be used to extract LM and NTLM password hashes:
1.Elsave
2.Auditpol
3.PWdump
4.Cain
3


Which program can be used to perform password recovery:
1.Elsave
2.Auditpol
3.PWdump
4.Cain and Abel
4


What type of encryption does SYSKEY use:
1.32-bit
2.64-bit
3.128-bit
4.256-bit
3


<level>13</level>


Which is a lookup table that resolves the hash signature from a plaintext password:
1.Forward table
2.Repeat table
3.Rainbow table
4.Rapid table
3


After Windows NT SYSKEY is enabled by default. True or false:
1.True
2.False
3.
1


Which folder contains the root directory:
1./
2./bin
3./dev
4./etc
5./home
1


Which folder contains command Linux command (such as ls):
1./
2./bin
3./dev
4./etc
5./home
2


Which folder contains device access points (such as for CD-ROMs and hard disks):
1./
2./bin
3./dev
4./etc
5./home
3


Which folder contains administrative configuration files (such as for the passwd file):
1./
2./bin
3./dev
4./etc
5./home
4


Which folder contains the user's home directories:
1./
2./bin
3./dev
4./etc
5./home
5


Which folder contains the location for mounting devices (such as CD-ROMs):
1./mnt
2./sbin
3./usr
4./etc
5./home
1


Which folder contains administrative commands and daemon processes:
1./mnt
2./sbin
3./usr
4./etc
5./home
2


Which folder contains the location for user documentation and libraries:
1./mnt
2./sbin
3./usr
4./etc
5./home
3


Which file attributes defines that the owner can only read from a file:
1.-rwxr-x-wx
2.-r-x-wxr-x
3.-r--rw-rw-
4.--wxr--rwx
5.---x---r--
3


Which file attributes defines that the owner's group can only read from a file:
1.-rwxr-x-wx
2.-r-x-wxr-x
3.-r--rw-rw-
4.--wxr--rwx
5.---x---r--
4


Which file attributes defines that everyone can only read from a file:
1.-rwxr-x-wx
2.-r-x-wxr-x
3.-r--rw-rw-
4.--wxr--rwx
5.---x---r--
5


Which file attributes defines that everyone has full access to a file:
1.-rwxr-x-wx
2.-r-x-wxr-x
3.-r--rw-rw-
4.--wxr--rwx
5.---x---r--
4


Which file attributes defines that user's group has full access to a file:
1.-rwxr-x-wx
2.-r-x-wxr-x
3.-r--rwxrw-
4.--wxr--rwx
5.---x---r--
3


Which file attributes defines that user has full access to a file:
1.-rwxr-x-wx
2.-r-x-wxr-x
3.-r--rwxrw-
4.--wxr--rwx
5.---x---r--
1


Which command is used to set full access for everyone on a file:
1.chmod 000 filename
2.chmod 111 filename
3.chmod 333 filename
4.chmod 555 filename
5.chmod 777 filename
5


Which command is used to set read/write access for the owner:
1.chmod 400 filename
2.chmod 200 filename
3.chmod 100 filename
4.chmod 600 filename
5.chmod 800 filename
4


Which command is used to set read/write/execute access for the owner:
1.chmod 400 filename
2.chmod 200 filename
3.chmod 100 filename
4.chmod 600 filename
5.chmod 700 filename
5


Which is the target protocol for Smurf:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
1


Which is the target protocol for Fraggle:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
2


Which is the target protocol for Chargen:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
2


Which is the target protocol for SYN flood:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
3


Which is the target protocol for Ping of Death:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
1


Which is the target protocol for Teardrop:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
4


Which is the target protocol for Land:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
3


Which is the target protocol for SMBdie:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
5


Which is the target protocol for CPU hog:
1.ICMP
2.CPU
3.TCP
4.IP
5.NetBIOS
5


Which is the main attribute for DoS with Smurf:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
1


Which is the main attribute for DoS with Fraggle:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
1


Which is the main attribute for DoS with Chargen:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
1


Which is the main attribute for DoS with SYN flood:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
2


Which is the main attribute for DoS with CPU hog:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
2


Which is the main attribute for DoS with Ping of death:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
3


Which is the main attribute for DoS with Teardrop:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
3


Which is the main attribute for DoS with Land:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
3


Which is the main attribute for DoS with SMBdie:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
3


Which threat uses port 31337:
1.Donald Dick
2.Beast
3.Backdoor Orifice
4.Citrix ICA
5.NetBus
3


Which threat uses port 23476:
1.Donald Dick
2.Beast
3.Backdoor Orifice
4.Citrix ICA
5.NetBus
1


Which threat uses port 23476:
1.Donald Dick
2.Beast
3.Backdoor Orifice
4.Citrix ICA
5.NetBus
2


Which threat uses port 1494:
1.Donald Dick
2.Beast
3.Backdoor Orifice
4.Citrix ICA
5.NetBus
4


Which threat uses port 12345:
1.Donald Dick
2.Beast
3.Backdoor Orifice
4.Citrix ICA
5.NetBus
5


What is a likely goal for a trojan:
1.Gain credit card details
2.Gain passwords
3.Delete malicous files
4.Perform acts of mischief
5.Insider information
1


...
2


...
4


...
5


Which is a likely infection source for a trojan:
1.P2P networks
2.Instant messenger
3.Voice mail
4.Internet Relay Chat
5.Email attachments
1


Which is a likely infection source for a trojan:
1.P2P networks
2.Freeware
3.Voice mail
4.Browser bugs
5.Physical access
1


...
5


Which is the term for setting a network card into a state where it will read see all the packets on the network:
1.Promiscuous mode
2.Passive sniffing
3.Active sniffing
4.Collision domain
5.Denial of Service
1


Which is the term for sniffing on a hub:
1.Promiscuous mode
2.Passive sniffing
3.Active sniffing
4.Collision domain
5.Denial of Service
2


Which type of sniffing is running dsniff on a network composed of hubs:
1.Promiscuous mode
2.Passive sniffing
3.Active sniffing
4.Collision domain
5.Denial of Service
2


Which is the term for sniffing on a switch:
1.Promiscuous mode
2.Passive sniffing
3.Active sniffing
4.Collision domain
5.Denial of Service
3


Which is the term for a logical area where data packets can collide:
1.Promiscuous mode
2.Passive sniffing
3.Active sniffing
4.Collision domain
5.MAC flooding
4


Which is the term the overloading of the content addressable memory (CAM) table on a switch:
1.Promiscuous mode
2.Passive sniffing
3.Active sniffing
4.Collision domain
5.MAC flooding
5


Which tool floods a network with Ethernet frames using random MAC addresses so that switches start to send out frames:
1.EtherFlood
2.SMAC
3.Macof
4.Hping
1


Which tool allows users to spoof their MAC addresses:
1.EtherFlood
2.SMAC
3.Macof
4.Hping
2


Which tool floods LANs with false MAC addresses in order to overload switches:
1.EtherFlood
2.SMAC
3.Macof
4.Hping
3


Which protocol resolves a domain name to an IP address:
1.DNS
2.ARP
3.RARP
4.Hping
1


Which protocol resolves a IP address to a MAC address:
1.DNS
2.ARP
3.RARP
4.Hping
2


Which protocol resolves a MAC address to an IP address:
1.DNS
2.ARP
3.RARP
4.Hping
3


Which type of ARP message is "Who has this IP address?":
1.ARP Request
2.ARP Reply
3.ARP Null
4.ARP Broadcast
1


Which type of ARP message is "I have this address and here is my MAC address":
1.ARP Request
2.ARP Reply
3.ARP Null
4.ARP Broadcast
2


Which technique reduces the ARP traffic on a network:
1.ARP Proxy
2.ARP Cache
3.ARP Server
4.Reverse ARP
2


Which command shows the ARP cache:
1.arp -d
2.arp -a
3.arp -r
4.arp -c
2


For Windows typically, how long does an ARP entry stay in the ARP cache before it is refreshed:
1.1 minute
2.2 minutes
3.10 minutes
4.15 minutes
2


For many Linux versions typically, how long does an ARP entry stay in the ARP cache before it is refreshed:
1.1 minute
2.2 minutes
3.10 minutes
4.15 minutes
4


Which tool sends a victim ARP answers says that the MAC address belonging to the IP of the gateway machine is the attackers MAC address.
1.Arpspoof
2.Ettercap
3.Cain
4.WINDNSSpoof
1


Which tool is part of Dsniff and sends a victim ARP answers saying that the MAC address belonging to the IP of the gateway machine is the attackers MAC address:
1.Arpspoof
2.Ettercap
3.Cain
4.WINDNSSpoof
1


Which tool is a passive sniffer which can be used for ARP posioning/packet capture/protocol decoder:
1.Arpspoof
2.Ettercap
3.Cain
4.WINDNSSpoof
2


Which is the target protocol for Smurf:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
1


Which is the target protocol for Fraggle:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
2


Which is the target protocol for Chargen:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
2


Which is the target protocol for SYN flood:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
3


Which is the target protocol for Ping of Death:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
1


Which is the target protocol for Teardrop:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
4


Which is the target protocol for Land:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
3


Which is the target protocol for SMBdie:
1.ICMP
2.UDP
3.TCP
4.IP
5.NetBIOS
5


Which is the target protocol for CPU hog:
1.ICMP
2.CPU
3.TCP
4.IP
5.NetBIOS
5


Which is the main attribute for DoS with Smurf:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
1


Which is the main attribute for DoS with Fraggle:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
1


Which is the main attribute for DoS with Chargen:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
1


Which is the main attribute for DoS with SYN flood:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
2


For a Class B address and a subnet mask of 255.255.255.248 how many hosts/subnet are possible:
1.62
2.30
3.14
4.6
5.2
4


For a Class B address and a subnet mask of 255.255.255.252 how many hosts/subnet are possible:
1.62
2.30
3.14
4.6
5.2
5


For a Class C address and a subnet mask of 255.255.255.192 how many hosts/subnet are possible:
1.62
2.30
3.14
4.6
5.2
1


For a Class C address and a subnet mask of 255.255.255.224 how many hosts/subnet are possible:
1.62
2.30
3.14
4.6
5.2
2


For a Class C address and a subnet mask of 255.255.255.240 how many hosts/subnet are possible:
1.62
2.30
3.14
4.6
5.2
3


For a Class C address and a subnet mask of 255.255.255.248 how many hosts/subnet are possible:
1.62
2.30
3.14
4.6
5.2
4


For a Class C address and a subnet mask of 255.255.255.252 how many hosts/subnet are possible:
1.62
2.30
3.14
4.6
5.2
5


For a Class B address and a subnet mask of 255.255.192.0 what is the CIDR:
1./18
2./19
3./20
4./21
5./22
1


For a Class B address and a subnet mask of 255.255.224.0 what is the CIDR:
1./18
2./19
3./20
4./21
5./22
2


For a Class B address and a subnet mask of 255.255.240.0 what is the CIDR:
1./18
2./19
3./20
4./21
5./22
3


For a Class B address and a subnet mask of 255.255.248.0 what is the CIDR:
1./18
2./19
3./20
4./21
5./22
4


For a Class B address and a subnet mask of 255.255.252.0 what is the CIDR:
1./18
2./19
3./20
4./21
5./22
5


For a Class B address and a subnet mask of 255.255.255.128 what is the CIDR:
1./25
2./26
3./27
4./28
5./29
1


For a Class B address and a subnet mask of 255.255.255.192 what is the CIDR:
1./25
2./26
3./27
4./28
5./29
2


For a Class B address and a subnet mask of 255.255.255.224 what is the CIDR:
1./25
2./26
3./27
4./28
5./29
3


For a Class B address and a subnet mask of 255.255.255.240 what is the CIDR:
1./25
2./26
3./27
4./28
5./29
4


For a Class B address and a subnet mask of 255.255.255.248 what is the CIDR:
1./25
2./26
3./27
4./28
5./29
5


For a Class B address and a subnet mask of 255.255.192.0 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
1


For a Class B address and a subnet mask of 255.255.224.0 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
2


For a Class B address and a subnet mask of 255.255.240.0 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
3


For a Class B address and a subnet mask of 255.255.248.0 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
4


For a Class B address and a subnet mask of 255.255.252.0 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
5


For a Class C address and a subnet mask of 255.255.255.192 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
1


For a Class C address and a subnet mask of 255.255.255.224 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
2


For a Class C address and a subnet mask of 255.255.255.240 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
3


For a Class C address and a subnet mask of 255.255.255.248 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
4


For a Class C address and a subnet mask of 255.255.255.252 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
5


For a Class A address and a subnet mask of 255.192.0.0 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
1


For a Class A address and a subnet mask of 255.224.0.0 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
2


For a Class A address and a subnet mask of 255.240.0.0 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
3


For a Class A address and a subnet mask of 255.248.0.0 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
4


For a Class A address and a subnet mask of 255.252.0.0 how many usable subnets are there:
1.2
2.6
3.14
4.30
5.62
5


For a Class A address and a subnet mask of 255.254.0.0 how many usable subnets are there:
1.62
2.126
3.253
4.510
5.1022
2


For a Class A address and a subnet mask of 255.255.0.0 how many usable subnets are there:
1.62
2.126
3.253
4.510
5.1022
3


For a Class A address and a subnet mask of 255.255.128.0 how many usable subnets are there:
1.62
2.126
3.253
4.510
5.1022
4


For a Class A address and a subnet mask of 255.255.192.0 how many usable subnets are there:
1.62
2.126
3.253
4.510
5.1022
5


For a Class A address and a subnet mask of 255.255.224.0 how many usable subnets are there:
1.1022
2.2046
3.4094
4.8190
5.16,382
2


For a Class A address and a subnet mask of 255.255.240.0 how many usable subnets are there:
1.1022
2.2046
3.4094
4.8190
5.16,382
3


For a Class A address and a subnet mask of 255.255.248.0 how many usable subnets are there:
1.1022
2.2046
3.4094
4.8190
5.16,382
4


For a Class A address and a subnet mask of 255.255.252.0 how many usable subnets are there:
1.1022
2.2046
3.4094
4.8190
5.16,382
5


Which of the following IP address is not a private address:
1.146.176.1.5
2.10.0.0.1
3.172.16.1.1
4.192.168.0.1
5.10.10.10.1
1


Which of the following is not a valid subnet mask:
1.255.164.0.0
2.255.128.0.0
3.255.192.0.0
4.255.224.0.1
5.255.255.240.0
1


For a network address of 192.168.1.0 with two subnets, what is the subnet mask:
1.255.255.255.128
2.255.255.255.192
3.255.255.255.224
4.255.255.255.240
5.255.255.255.248
2


For a network address of 192.168.1.0 with four subnets, what is the subnet mask:
1.255.255.255.128
2.255.255.255.192
3.255.255.255.224
4.255.255.255.240
5.255.255.255.248
3


For a network address of 192.168.1.0 with six subnets, what is the subnet mask:
1.255.255.255.128
2.255.255.255.192
3.255.255.255.224
4.255.255.255.240
5.255.255.255.248
3


For a network address of 192.168.1.0 with 10 subnets, what is the subnet mask:
1.255.255.255.128
2.255.255.255.192
3.255.255.255.224
4.255.255.255.240
5.255.255.255.248
4


For a network address of 192.168.1.0 with 20 subnets, what is the subnet mask:
1.255.255.255.128
2.255.255.255.192
3.255.255.255.224
4.255.255.255.240
5.255.255.255.248
5


For a network address of 192.168.1.0 with 30 subnets, what is the subnet mask:
1.255.255.255.128
2.255.255.255.192
3.255.255.255.224
4.255.255.255.240
5.255.255.255.248
5


For a network address of 192.168.1.0 with 40 subnets, what is the subnet mask:
1.255.255.255.192
2.255.255.255.224
3.255.255.255.240
4.255.255.255.248
5.255.255.255.252
5


For a network address of 172.168.0.0 with two subnets, what is the subnet mask:
1.255.255.255.128
2.255.255.255.192
3.255.255.255.224
4.255.255.255.240
5.255.255.255.248
2


For a network address of 172.168.0.0 with four subnets, what is the subnet mask:
1.255.255.128.0
2.255.255.192.0
3.255.255.224.0
4.255.255.240.0
5.255.255.248.0
3


For a network address of 172.168.0.0 with six subnets, what is the subnet mask:
1.255.255.128.0
2.255.255.192.0
3.255.255.224.0
4.255.255.240.0
5.255.255.248.0
3


For a network address of 172.168.0.0 with 12 subnets, what is the subnet mask:
1.255.255.128.0
2.255.255.192.0
3.255.255.224.0
4.255.255.240.0
5.255.255.248.0
4


For a network address of 172.168.0.0 with 19 subnets, what is the subnet mask:
1.255.255.128.0
2.255.255.192.0
3.255.255.224.0
4.255.255.240.0
5.255.255.248.0
5


For a network address of 172.168.0.0 with 28 subnets, what is the subnet mask:
1.255.255.128.0
2.255.255.192.0
3.255.255.224.0
4.255.255.240.0
5.255.255.248.0
5


For a network address of 172.168.0.0 with 38 subnets, what is the subnet mask:
1.255.255.193.0
2.255.255.224.0
3.255.255.240.0
4.255.255.248.0
5.255.255.252.0
5


For a network address of 10.0.0.0 with two subnets, what is the subnet mask:
1.255.128.0.0
2.255.192.0.0
3.255.224.0.0
4.255.240.0.0
5.255.248.0.0
2


For a network address of 10.0.0.0 with four subnets, what is the subnet mask:
1.255.128.0.0
2.255.192.0.0
3.255.224.0.0
4.255.240.0.0
5.255.248.0.0
3


For a network address of 10.0.0.0 with six subnets, what is the subnet mask:
1.255.128.0.0
2.255.192.0.0
3.255.224.0.0
4.255.240.0.0
5.255.248.0.0
3


For a network address of 10.0.0.0 with 12 subnets, what is the subnet mask:
1.255.128.0.0
2.255.192.0.0
3.255.224.0.0
4.255.240.0.0
5.255.248.0.0
4


For a network address of 10.0.0.0 with 19 subnets, what is the subnet mask:
1.255.128.0.0
2.255.192.0.0
3.255.224.0.0
4.255.240.0.0
5.255.248.0.0
5


For a network address of 10.0.0.0 with 28 subnets, what is the subnet mask:
1.255.128.0.0
2.255.192.0.0
3.255.224.0.0
4.255.240.0.0
5.255.248.0.0
5


For a network address of 10.0.0.0 with 38 subnets, what is the subnet mask:
1.255.192.0.0
2.255.224.0.0
3.255.240.0.0
4.255.248.0.0
5.255.252.0.0
5


What must be common to computers if they are to communicate over a network:
1.Use the same operating system
2.Use the same protocol
3.Manufactured by the same company
4.Use similar hardware
2


If a host on a network has the address 172.16.49.14/30 what is the address of the subnetwork to which this host belongs?
1.172.16.49.0
2.172.16.49.4
3.172.16.49.8
4.172.16.49.12
5.172.16.49.18
4


If a host on a network has the address 10.16.49.22/30 what is the address of the subnetwork to which this host belongs?
1.10.16.49.22
2.10.16.49.12
3.10.16.49.16
4.10.16.49.24
5.10.16.49.20
5


You have a class C address and you want to have ten subnets while maximising the number of host available.Which subnet mask would you use
1.255.255.255.192
2.255.255.255.224
3.255.255.255.240
4.255.255.255.248
5.255.255.255.0
3


You have a class C address and you want to have 16 subnets while maximising the number of host available.Which subnet mask would you use:
1.255.255.255.192
2.255.255.255.224
3.255.255.255.240
4.255.255.255.248
5.255.255.255.0
4


You have a class C address and you want to have 1 subnets while maximising the number of host available. Which subnet mask would you use:
1.255.255.255.192
2.255.255.255.224
3.255.255.255.240
4.255.255.255.248
5.255.255.255.0
5


You have a class C address and you want to have 4 subnets while maximising the number of host available.Which subnet mask would you use
1.255.255.255.192
2.255.255.255.224
3.255.255.255.240
4.255.255.255.248
5.255.255.255.0
2


You have a class C address and you want to make the most efficent use of the IP address space. What subnet mask would you use on a point to point serial link:
1.255.255.255.192
2.255.255.255.224
3.255.255.255.240
4.255.255.255.252
5.255.255.255.0
4


You are designing your network using VLSM. What subnet mask would you use between a point-to-point link to conserve the IP address space
1./27
2./28
3./29
4./30
5./24
4


You are using a subnet mask of 255.255.255.224. How many hosts can you have in each subnet :
1.30
2.32
3.16
4.14
5.64
1


You are using a subnet mask of 255.255.255.240. How many hosts can you have in each subnet :
1.30
2.32
3.16
4.14
5.64
4


You are using a subnet mask of 255.255.255.192. How many hosts can you have in each subnet :
1.30
2.32
3.60
4.14
5.64
3


You are using a subnet mask of 255.255.255.0. How many hosts can you have in each subnet :
1.252
2.253
3.254
4.256
5.255
3


You are using a subnet mask of 255.255.252.0. How many hosts can you have in each subnet :
1.1024
2.1022
3.254
4.64
5.62
2


You are using the IP address 121.12.0.0. You want to use 8 subnets in your network. The command IP subnet zero has been issued on the router. What valid IP addresses can be assigned to the host from the third subet (choose three) :
1.121.12.78.243
2.121.12.72.0
3.121.12.94.255
4.121.12.96.18
5.121.12.100.16
1


A host on your network has been configured with the IP address 120.17.3.66/23. Which two statements describe this IP address? (Choose two)
1.The broadcast address of the subnet is 10.16.3.255 255.255.254.0
2.This network is not subnetted
3.The last valid host address in the subnet is 10.16.2.254 255.255.254.0
4.The subnet address is 10.16.3.0 255.255.254.0
5.The lowest host address in the subnet is 10.16.2.1 255.255.254.0
1


how many subnetworks and hosts are available per subnet if you apply a /28 mask to the 192.168.2.0 class C network?
1.30 networks and 6 hosts
2.6 networks and 30 hosts
3.8 networks and 32 hosts
4.32 networks and 18 hosts
5.16 networks and 14 hosts
5


What is the subnet for the host IP address 172.17.210.0/22?
1.172.17.42.0
2.172.17.107.0
3.172.17.208.0
4.172.17.252.0
5.172.17.254.0
3


What is the subnet for the host IP address 202.100.5.68/22?
1.202.100.5.0
2.202.100.5.32
3.202.100.5.64
4.202.100.5.31
5.202.100.5.31
3


Which type of attack is a teardrop attack:
1.Ethernet frame fragmentation
2.IP fragmentation
3.Denial-of-Service
4.Distributed Denial-of-Service
5.Worm
2


Which type of attack involves sending mangled IP fragments with overlapping over-sized payloads to the target machine:
1.Ping of death
2.Teardrop
3.Smurf attack
4.Peer-to-peer attack
5.SYN flood
2


Which type of attack involves sending attack on a computer that involves sending a malformed/malicious ping to a computer:
1.Ping of death
2.Teardrop
3.Smurf attack
4.Peer-to-peer attack
5.SYN flood
1


Which type of attack involves floods a target system with spoofed broadcast ping messages:
1.Ping of death
2.Teardrop
3.Smurf attack
4.Peer-to-peer attack
5.SYN flood
3


Which type of attack involves exploiting bugs in peer-to-peer servers to initiate a DDoS attack:
1.Ping of death
2.Teardrop
3.Smurf attack
4.Peer-to-peer attack
5.SYN flood
4


Which type of attack involves sending continual SYN flags to a remote host:
1.Ping of death
2.Teardrop
3.Smurf attack
4.Peer-to-peer attack
5.SYN flood
5


On using ping which ICMP type is used to send from the requestor to the requestee:
1.Echo Response
2.Destination Unreachable
3.Echo Request
4.Time Exceeded
5.Redirect
3


On using ping which ICMP type is used to send from the requestee to the requestor, if the requestee exists:
1.Echo Response
2.Destination Unreachable
3.Echo Request
4.Time Exceeded
5.Redirect
1


On using ping which ICMP type is used to send from the requestee to the requestor, if the requestee does not exists:
1.Echo Response
2.Destination Unreachable
3.Echo Request
4.Time Exceeded
5.Redirect
2


In Proxy ARP when an end station sends an ARP request for a node on another subnet, what does the gateway router respond with:
1.It responds with the IP address of itself
2.It responds with the MAC address of the other node
3.It responds with its own MAC address
4.It responds back with a "node not available" message"
5.It ignores the request
3


Which MAC address is a unicast address:
1.00-50-56-C0-00-08
2.01-50-56-C0-00-08
3.FF-FF-FF-FF-FF-FF
4.00-1F-3C-4F-30-1D
1


...
4


Which MAC address is a multicast address:
1.00-50-56-C0-00-08
2.01-50-56-C0-00-08
3.FF-FF-FF-FF-FF-FF
4.00-1F-3C-4F-30-1D
2


Which MAC address is a broadcast address:
1.00-50-56-C0-00-08
2.01-50-56-C0-00-08
3.FF-FF-FF-FF-FF-FF
4.00-1F-3C-4F-30-1D
3


ARP authenticates the a requestor. True or false
1.True
2.False
3.
2


Which attack is where the intruder gets in-between a communication channel:
1.Man-in-the-middle
2.DoS attack
3.DDoS attack
4.Worm spread
1


Which attack involves continual requests from a specific remote host:
1.Man-in-the-middle
2.DoS attack
3.DDoS attack
4.Worm spread
2


Which attack involves continual requests from a range of remote hosts:
1.Man-in-the-middle
2.DoS attack
3.DDoS attack
4.Worm spread
3


Which attack involves spoofing:
1.Man-in-the-middle
2.DoS attack
3.DDoS attack
4.Worm spread
1


Which attack involves packet sniffing:
1.Protocol analysis
2.Port scanning
3.Ping sweeps
4.Dumpster diving
5.Social engineering
1


Which attack involves determining the TCP ports which are open:
1.Protocol analysis
2.Port scanning
3.Ping sweeps
4.Dumpster diving
5.Social engineering
2


Which attack involves determining the hosts that are connected to a network:
1.Protocol analysis
2.Port scanning
3.Ping sweeps
4.Dumpster diving
5.Social engineering
3


Which attack involves scavaging through discarded media:
1.Protocol analysis
2.Port scanning
3.Ping sweeps
4.Dumpster diving
5.Social engineering
4


Which attack involves getting information from individuals:
1.Protocol analysis
2.Port scanning
3.Ping sweeps
4.Dumpster diving
5.Social engineering
5


Which attack tunnels one protocol within another:
1.Overt channels
2.Covert channels
3.Emanations capturing
4.Dumpster diving
5.Social engineering
1


Which attack hides information within legitmate content:
1.Overt channels
2.Covert channels
3.Emanations capturing
4.Dumpster diving
5.Social engineering
2


Which attack captures electrical and radio frequency emmissions:
1.Overt channels
2.Covert channels
3.Emanations capturing
4.Dumpster diving
5.Social engineering
3


Which is a proprietary comprehensive vulnerability scanning software:
1.Ping
2.Tracert
3.IPCONFIG
4.Nessus
5.Hping
4


In a DNS server which defines how an email address should be routed to an SMTP server:
1.MX record
2.CNAME
3.A record
4.Start of Authority
1


In a DNS server which defines the IP address for a domain name:
1.MX record
2.CNAME
3.A record
4.Start of Authority
3


In a DNS server which defines the server that is the primary nameserver:
1.MX record
2.CNAME
3.A record
4.Start of Authority
4


Which NMAP command would be used to identify the Operating System:
1.nmap -O
2.nmap -s
3.nmap -F
4.nmap -PO
1


Which is the first step for pen testing:
1.OS scanning
2.Passive information gathering
3.User password determination
4.Ping sweep
2


What is the small MTU with an IP packet:
1.20 bytes
2.68 bytes
3.685 bytes
4.1500 bytes
2


For a ping what is the ICMP value for a ping request:
1.5
2.8
3.3
4.0
2


For a ping what is the ICMP value for a ping reply:
1.5
2.8
3.3
4.0
4


For the command "nc -v -w 2 localhost -z 1-1000" how many ports will be scanned:
1.0
2.1
3.2
4.1000
5.1001
4


For the command "nc -v -w 2 localhost -z 1-1000" what is the timeout for each scan of a port:
1.0 seconds
2.1 seconds
3.2 seconds
4.1000 seconds
5.1001 seconds
3


For the command gets the banner for 192.168.0.1 from port 80:
1.nc -v -w 2 80 192.168.0.1
2.nc -v -w 2 192.168.0.1 80
3.nc -v -w 192.168.0.1 80
4.nc -v -w 2 192.168.0.1 -p 80
2


Which are used to fingerprint an OS:
1.IP TTL value
2.TCP Window size
3.Destination IP address
4.IP DF Option
5.IP ToS Option
1


Which is a 802.11 wireless network detector sniffer and IDS:
1.Kismit
2.Netstumbler
3.Airsnort
4.Airsnare
1


Which is a 802.11 wireless network detector for both Mac and handhelds:
1.Kismit
2.Netstumbler
3.Airsnort
4.Airsnare
2


Which is a 802.11 wireless cracking tool:
1.Kismit
2.Netstumbler
3.Airsnort
4.Airsnare
3


Which is a 802.11 wireless IDS system for monitoring a wireless network:
1.Kismit
2.Netstumbler
3.Airsnort
4.Airsnare
4


Which is the term of looking for open access points:
1.Slinking
2.NetFinding
3.Wardriving
4.AirCapture
5.War dialers
3


Which is the term of looking for modems to connect to:
1.Slinking
2.NetFinding
3.Wardriving
4.Port Knocking
5.War dialers
5


Which is the term of accessing TCP ports for a connection in a prearranged order (which is a secret order):
1.Slinking
2.NetFinding
3.Wardriving
4.Port Knocking
5.War dialers
4


Which scan uses a normal type of connection:
1.TCP Connect scan
2.TCP SYN scan
3.TCP FIN scan
4.TCP NULL scan
5.TCP ACK scan
1


Which scan uses a half open connection:
1.TCP Connect scan
2.TCP SYN scan
3.TCP FIN scan
4.TCP NULL scan
5.TCP ACK scan
2


Which scan uses a shutdown signal for the connection:
1.TCP Connect scan
2.TCP SYN scan
3.TCP FIN scan
4.TCP NULL scan
5.TCP ACK scan
3


Which scan uses a packets which does not have any TCP flags set:
1.TCP Connect scan
2.TCP SYN scan
3.TCP FIN scan
4.TCP NULL scan
5.TCP ACK scan
4


Which scan tries to identify access control lists:
1.TCP Connect scan
2.TCP SYN scan
3.TCP FIN scan
4.TCP NULL scan
5.TCP ACK scan
5


Which scan uses a the FIN URG and PSH flags set:
1.TCP Connect scan
2.TCP SYN scan
3.TCP FIN scan
4.TCP XMAS scan
5.TCP ACK scan
4


What is the correct sequence of TCP flags for a successful client-server connection:
2.SYN, SYN/ACK, FIN
3.SYN, SYN/ACK, ACK
4.SYN, ACK, SYN/ACK
5.SYN, SYN/ACK, ACK
1.SYN, ACK, FIN
3


Which attack involves multiple SYN requests for which there is no actual connection:
1.Botnets
2.ICMP floods
3.SYN floods
4.DDoS
5.Electrical power reduction
3


Which is the TCP flag for start of a connection:
1.RST
2.SYN
3.ACK
4.URG
5.FIN
2


In the three-way handshake who generates a "SYN":
1.Client
2.Server
3.Either client or server
4.Neither client nor server
1


In the three-way handshake who generates a "SYN, ACK":
1.Client
2.Server
3.Either client or server
4.Neither client nor server
2


In the three-way handshake who generates a "ACK":
1.Client
2.Server
3.Either client or server
4.Neither client nor server
1


Which transport layer protocol does FTP use:
1.TCP only
2.UDP only
3.TCP or UDP
4.NetBIOS
1


Which transport layer protocol does SSH use:
1.TCP only
2.UDP only
3.TCP or UDP
4.NetBIOS
1


Which transport layer protocol does Telnet use:
1.TCP only
2.UDP only
3.TCP or UDP
4.NetBIOS
1


Which transport layer protocol does SMTP use:
1.TCP only
2.UDP only
3.TCP or UDP
4.NetBIOS
1


Which transport layer protocol does DNS use:
1.TCP only
2.UDP only
3.TCP or UDP
4.NetBIOS
3


Which transport layer protocol does TFTP use:
1.TCP only
2.UDP only
3.TCP or UDP
4.NetBIOS
2


Which transport layer protocol does HTTP use:
1.TCP only
2.UDP only
3.TCP or UDP
4.NetBIOS
1


Which transport layer protocol does POP3 use:
1.TCP only
2.UDP only
3.TCP or UDP
4.NetBIOS
1


Which transport layer protocol does RPC use:
1.TCP only
2.UDP only
3.TCP or UDP
4.NetBIOS
1


Which is the main attribute for DoS with CPU hog:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
2


Which is the main attribute for DoS with Ping of death:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
3


Which is the main attribute for DoS with Teardrop:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
3


Which is the main attribute for DoS with Land:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
3


Which is the main attribute for DoS with SMBdie:
1.Bandwidth attack
2.Resource starvation
3.Programming flaw
4.Administrator incorrect configuration
3


For DDoS what is the attack method(s) of Trinoo:
1.UDP
2.TCP
3.ICMP
4.ARP
1


For DDoS, what is the attack method(s) of TFN:
1.UDP
2.TCP
3.ICMP
4.ARP
1,2,3


For DDoS, what is the attack method(s) of Stacheldraht:
1.UDP
2.TCP
3.ICMP
4.ARP
1,2,3


For DDoS, what is the attack method(s) of TFN2K:
1.UDP
2.TCP
3.ICMP
4.ARP
1,2,3


For DDoS, what is the attack method(s) of Shaft:
1.UDP
2.TCP
3.ICMP
4.ARP
1,2,3


For DDoS, what is the attack method(s) of MStream:
1.UDP
2.TCP
3.ICMP
4.ARP
2


For DDoS, what is the attack method(s) of Trinity:
1.UDP
2.TCP
3.ICMP
4.ARP
1,2


How many steps are involved in the ARP process:
1.1
2.2
3.3
4.4
5.5
1


For an ARP request who will receive the ARP request packet:
1.Only the host which has the requestor IP address
2.Only the host which has the requestee IP address
3.All the hosts on the enterprise network
4.All the hosts bounded by a router
5.All the hosts on a certain switch
4


For an ARP reply who will receive the ARP reply packet:
1.Only the host which has the requestor IP address
2.Only the host which has the requestee IP address
3.All the hosts on the enterprise network
4.All the hosts bounded by a router
5.All the hosts on a certain switch
1


In a log there are many Ethernet packets, which are broadcast into the network which seem to be from a local server (but which were not sent by it). Which is the type of attack that has been used:
1.Smurf
2.SYN flood
3.Chargen
4.Ping of death
1


In a log there are more than 65,536 fragments when reconstructured. Which DoS attack is it:
1.Smurf
2.SYN flood
3.Chargen
4.Ping of death
4


Which is not a DDoS tool:
1.Tribal Flood Network (TFN)
2.Trinoo
3.Shachldraht
4.Chargen
5.WinTrinoo
5


Which is not a DDoS tool:
1.Tribal Flood Network (TFN)
2.Trinoo
3.Shachldraht
4.Fraggle
5.WinTrinoo
5


Which is not a DDoS tool:
1.Tribal Flood Network (TFN)
2.Trinoo
3.Shachldraht
4.Land
5.WinTrinoo
5


Which is not a DoS tool:
1.Smurf
2.Fraggle
3.Chargen
4.Land
5.Trinoo
5


Which is not a DoS tool:
1.Smurf
2.Fraggle
3.Chargen
4.Land
5.Tribal Flood Network (TFN)
5


Which is not a DoS tool:
1.Smurf
2.Fraggle
3.Chargen
4.Land
5.Shacheldraht
5


Which is not a DoS tool:
1.Smurf
2.Fraggle
3.Chargen
4.Land
5.TFN2K
5


Which is not a DoS tool:
1.Smurf
2.Fraggle
3.Chargen
4.Land
5.Shaft
5


Which is not a DoS tool:
1.Smurf
2.Fraggle
3.Chargen
4.Land
5.MStream
5


Which is not a DoS tool:
1.Smurf
2.Fraggle
3.Chargen
4.Land
5.Trinity
5


Which TCP port does the DDoS tool Trinity use:
1.31335
2.16660
3.34555
4.6723
5.6667
5


Which TCP port does the DDoS tool Tribal Flood Network (TFN) use:
1.31335
2.16660
3.34555
4.6723
5.6667
1


Which TCP port does the DDoS tool Stacheldraht use:
1.31335
2.16660
3.34555
4.6723
5.6667
2


Which TCP port does the DDoS tool WinTrinoo use:
1.31335
2.16660
3.34555
4.6723
5.6667
3


Which TCP port does the DDoS tool MStream use:
1.31335
2.16660
3.34555
4.6723
5.6667
4


Which is typical for DDoS tools:
1.They use low order ports and encrypt their communications
2.They use low order ports and do not encrypt their communications
3.They use high order ports and encrypt their communications
4.They use high order ports and do not encrypt their communications
3


Which network address is a historical broadcast:
1.0.0.0.0/8
2.10.0.0.0/8
3.127.0.0./8
4.169.254.0.0/16
5.224.0.0.0/5
1


Which network address is a private network:
1.0.0.0.0/8
2.10.0.0.0/8
3.127.0.0.0/8
4.169.254.0.0/16
5.224.0.0.0/5
2


Which network address is a private network:
1.0.0.0.0/8
2.172.16.0.0/12
3.127.0.0.0/8
4.169.254.0.0/16
5.224.0.0.0/5
2


Which network address is a private network:
1.0.0.0.0/8
2.192.168.0.0/16
3.127.0.0.0/8
4.169.254.0.0/16
5.224.0.0.0/5
2


Which network address is a loopback address:
1.0.0.0.0/8
2.10.0.0.0/8
3.127.0.0.0/8
4.169.254.0.0/16
5.224.0.0.0/5
3


Which network address is link local address:
1.0.0.0.0/8
2.10.0.0.0/8
3.127.0.0.-/8
4.169.254.0.0/16
5.224.0.0.0/5
3


Which network address is a Class D multicast address:
1.0.0.0.0/8
2.10.0.0.0/8
3.127.0.0.0/8
4.169.254.0.0/16
5.224.0.0.0/4
5


Which network address is a broadcast address:
1.0.0.0.0/8
2.10.0.0.0/8
3.127.0.0.0/8
4.255.255.255.255/32
5.224.0.0.0/4
4


Which method overcomes DNS poisoning:
1.Blocking port 53
2.DNSSEC
3.Disable DNS requests
4.Disable private addresses
2


Which filter is used by ettercap to perform a MITM method of ARP poisoning:
1.-T
2.-q
3.-M
4.-a
3


If a SYN packet contains a sequence number of 0AAC4210 what is the acknowledgement number of the acknowledgement:
1.0AAC4210
2.0AAC4209
3.0AAC4211
4.0AAC4212
3


Which port does HTTP typically use:
1.80
2.88
3.8080
4.8088
1


Which port does Kerberos typically use:
1.80
2.88
3.8080
4.8088
2


Which port does Squid typically use:
1.80
2.88
3.8080
4.8088
3


Which port is used as an alternative Web Server typically use:
1.80
2.88
3.8080
4.8088
5.443
4


Which port is typically used by HTTPS:
1.80
2.88
3.8080
4.8088
5.443
5


Which command will capture a "Bad Request" response from a Web Server (192.168.0.1):
1.telnet 192.168.0.1
2.telnet 192.168.0.1 80
3.show 192.168.0.1
4.config 192.168.0.1
5.read 80 192.168.0.1
2


Which command will capture a "Bad Request" response from a Web Server (192.168.0.1):
1.telnet 192.168.0.1
2.nc -vv 192.168.0.1 80 &lt
...


head.txt
3.show 192.168.0.1
4.config 192.168.0.1
5.read 80 192.168.0.1
2


Which is a Windows website scanner and site ripper:
1.Black Widow
2.Telnet Pro
3.Wget
4.Hping
1


Which is a Windows website scanner and site mapping tool:
1.Black Widow
2.Telnet Pro
3.Wget
4.Hping
2


Which is a Windows/UNIX website ripper and duplicator:
1.Black Widow
2.Telnet Pro
3.Wget
4.Hping
3


Which IIS vulnerability involves the server running into memory which was not allocated for the program:
1.Buffer overflow
2.Source disclosure
3.File system traversal
4.Printer overflow
1


Which IIS vulnerability involves viewing script/active code:
1.Buffer overflow
2.Source disclosure
3.File system traversal
4.Printer overflow
2


Which IIS vulnerability involves viewing the file structure within the Web server:
1.Buffer overflow
2.Source disclosure
3.File system traversal
4.Printer overflow
3


On IIS which file should not be shown to an intruder:
1.Global.asa
2.httpd.conf
3.readme.txt
4.ipconfig
1


For a Web server which command will get index.html:
1.GET /index.html HTTP/1.1
2.PUT /index.html HTTP/1.1
3.POST /index.html HTTP/1.1
4.CONNECT /index.html HTTP/1.1
5.TRACE /index.html HTTP/1.1
1


For a Web server which is the correct response for a successful transfer:
1.200
2.400
3.403
4.404
5.500
1


For a Web server which is the correct response for a Bad request:
1.200
2.400
3.403
4.404
5.500
2


For a Web server which is the correct response for a Forbidden reply:
1.200
2.400
3.403
4.404
5.500
3


For a Web server which is the correct response for a Not found reply:
1.200
2.400
3.403
4.404
5.500
4


For a Web server which is the correct response for an Internal Server Error reply:
1.200
2.400
3.403
4.404
5.500
5


For a Web server which is the correct response for a Gateway Timeout reply:
1.200
2.400
3.403
4.404
5.500
6


Which is an equivalent URI to"http://ABC.com/%7Esmith/home.html":
1.http://abc.com:80/-smith/home.html
2.http://abc.com:80/~smith/home.html
3.http://abc.com:80/#smith/home.html
4.http://abc.com:80/+smith/home.html
5.http://abc.com:80/=smith/home.html
2


What must following the GET request in HTTP:
1.One carriage return
2.Two carriage returns
3.One line feed
4.Two line feeds
5.A delete character
2


What is the ASCII character for 13decimal:
1.Carriage return
2.Line feed
3.Null
4.Space
5.Bell
1


<explain>http://www.asciitable.com/</explain>


What is the ASCII character for 10 decimal:
1.Carriage return
2.Line feed
3.Null
4.Space
5.Bell
2


What is the ASCII character for 0decimal:
1.Carriage return
2.Line feed
3.Null
4.Space
5.Bell
3


What is the ASCII character for 32 decimal:
1.Carriage return
2.Line feed
3.Null
4.Space
5.Bell
4


What is the ASCII character for 7 decimal:
1.Carriage return
2.Line feed
3.Null
4.Space
5.Bell
5


What is the IP address of the URL obfuscated version of "http://0x92.0xb0.0x05.0x17/":
1.146.176.5.23
2.90.223.233.144
3.192.168.0.1
4.175.10.10.23
5.10.12.43.10
1


What is the IP address of the URL obfuscated version of "http://0x5A.0xDF.0xDF.0x90/":
1.146.176.5.23
2.90.223.233.144
3.192.168.0.1
4.175.10.10.23
5.10.12.43.10
2


Which port does Oracle Net Listener listen to:
1.1579
2.1433
3.3306
4.8080
5.88
1


Which port does Microsoft SQL listen to:
1.1579
2.1433
3.3306
4.8080
5.88
2


Which port does MySQL listen to:
1.1579
2.1433
3.3306
4.8080
5.88
3


Which SQL Injection tool performs a dictionary attack on an SQL server:
1.SQLDict
2.SQLExec
3.SQLLbf
4.SQLSmack
5.SQL2
1


Which SQL Injection tool executes commands on a compromised SQL server:
1.SQLDict
2.SQLExec
3.SQLLbf
4.SQLSmack
5.SQL2
2


Which SQL Injection tool performs both dictionary and brute force attacks on an SQL server:
1.SQLDict
2.SQLExec
3.SQLLbf
4.SQLSmack
5.SQL2
3


Which SQL Injection tool has a Linux-based command shell:
1.SQLDict
2.SQLExec
3.SQLLbf
4.SQLSmack
5.SQL2
4


Which SQL Injection tool performs a UDP buffer overflow on an SQL server:
1.SQLDict
2.SQLExec
3.SQLLbf
4.SQLSmack
5.SQL2
5


Which SQL Injection tool is an SQL infection exploit:
1.SQLDict
2.SQLExec
3.SQLLbf
4.SQLSmack
5.Msadc.pl
5


What encryption type does WPA use:
1.TKIP
2.AES
3.WEP
4.DES
5.3DES
1


What encryption type does WPA use:
1.TKIP
2.AES
3.WEP
4.DES
5.3DES
1


What encryption type does WPA2 use:
1.TKIP
2.AES
3.WEP
4.DES
5.3DES
2


A network administrator wants to secure their wireless network. Which method would you recommend:
1.WPA
2.WPA2
3.WEP
4.DES
5.3DES
2


Which security standard uses pre-shared keys:
1.WPA
2.WPA2
3.WEP
4.DES
5.3DES
3


Which security standard uses dynamic keys: (choose two)
1.WPA
2.WPA2
3.WEP
4.DES
5.3DES
1,2


Which machine has the digital certificate in PEAP:
1.The wireless client
2.The authentication server
3.Both the client and server
4.Neither client nor server
2


Which machine has the digital certificate in LEAP:
1.The wireless client
2.The authentication server
3.Both the client and server
4.Neither client nor server
4


Which machine has the digital certificate in EAP-TLS:
1.The wireless client
2.The authentication server
3.Both the client and server
4.Neither client nor server
1


Which authentication method is an updated version of LEAP:
1.EAP-FAST
2.LEAP
3.EAP-TLS
4.EAP-SIM
1


Which authentication method has a serious secure flaw:
1.EAP-FAST
2.LEAP
3.EAP-TLS
4.EAP-SIM
5.EAP-TTLS
2


Which encryption method does WEP use:
1.AES
2.TKIP
3.SHA-1
4.RC4
5


Which type of cipher is RC4:
1.Block
2.Stream
3.
2


Which is the size of the IV in WEP:
1.16 bits
2.24 bits
3.32 bits
4.64 bits
2


For a 64-bit WEP key how many bits are used for the encryption key:
1.64 bits
2.52 bits
3.50 bits
4.40 bits
4


For a 128-bit WEP key how many bits are used for the encryption key:
1.128 bits
2.104 bits
3.100 bits
4.96 bits
2


Which standard defines a centralized authenticaton infrastructure:
1.IEEE 802.3
2.IEEE 802.11b
3.IEEE 802.1x
4.IEEE 802.1q
3


Which protocol is used to provide authentication:
1.TCP
2.TELNET
3.FTP
4.RADIUS
5.EAP-MD5
4


Which authentication method uses both client and sever digital certificates:
1.PEAP
2.LEAP
3.EAP-TLS
4.EAP-FAST
5.EAP-MD5
3


Which authentication method uses a username and password:
1.PEAP
2.LEAP
3.EAP-TLS
4.EAP-FAST
5.EAP-MD5
2


Which authentication method uses a username and password:
1.PEAP (MS-CHAPv2)
2.EAP-MD5
3.EAP-TLS
4.EAP-FAST
1


Which protocol uses TKIP for encryption and optional AES:
1.WPA
2.WPA2
3.PEAP (MS-CHAPv2)
4.EAP-FAST
1


Which protocol uses AES for encryption and not TKIP:
1.WPA
2.WPA2
3.PEAP (MS-CHAPv2)
4.EAP-FAST
2


Which information is not stored on a distributable digital certificate:
1.User name
2.Issuer
3.Valid dates
4.Private key
4


Which information is not stored on a distributable digital certificate:
1.Serial number
2.Password
3.Valid dates
4.Public key
2


What type of key does EAP-FAST use:
1.Protected Access Credential
2.Partial Access Controller
3.Protected Alone Controller
4.Partial Architecture Control
1


For WPA Enterprise mode what is the typical authentication infrastructure:
1.IEEE 802.1x/EAP
2.TKIP/MIC
3.PSK
4.AES-CCMP
5.WEP
1


For WPA Enterprise mode what is the typical encryption method:
1.IEEE 802.1x/EAP
2.TKIP/MIC
3.PSK
4.AES-CCMP
5.WEP
2


For WPA2 Enterprise mode what is the typical authentication infrastructure:
1.IEEE 802.1x/EAP
2.TKIP/MIC
3.PSK
4.AES-CCMP
5.WEP
1


For WPA2 Enterprise mode what is the typical encryption method:
1.IEEE 802.1x/EAP
2.TKIP/MIC
3.PSK
4.AES-CCMP
5.WEP
4


For WPA Personal mode what is the typical authentication infrastructure:
1.IEEE 802.1x/EAP
2.TKIP/MIC
3.PSK
4.AES-CCMP
5.WEP
3


For WPA Personal mode what is the typical encryption method:
1.IEEE 802.1x/EAP
2.TKIP/MIC
3.PSK
4.AES-CCMP
5.WEP
2


For WPA2 Personal mode what is the typical authentication infrastructure:
1.IEEE 802.1x/EAP
2.TKIP/MIC
3.PSK
4.AES-CCMP
5.WEP
3


For WPA2 Personal mode, what is the typical encryption method:
1.IEEE 802.1x/EAP
2.TKIP/MIC
3.PSK
4.AES-CCMP
5.WEP
4


What are features of Cisco LEAP:
1.Server certificates
2.Client certificates
3.Single sign-on for Windows login
4.Fast secure roaming
5.Supports WPA and WPA2
3,4,5


What are features of EAP-FAST:
1.Server certificates
2.Client certificates
3.Single sign-on for Windows login
4.Fast secure roaming
5.Supports WPA and WPA2
3,4,5


What are features of EAP-TLS:
1.Server certificates
2.Client certificates
3.Single sign-on for Windows login
4.Fast secure roaming
5.Supports WPA and WPA2
2,3,5


What are features of EAP-GTC:
1.Server certificates
2.Client certificates
3.Single sign-on for Windows login
4.Fast secure roaming
5.Supports WPA and WPA2
1,5


What are features of PEAP-MSCHAPv2:
1.Server certificates
2.Client certificates
3.Single sign-on for Windows login
4.Fast secure roaming
5.Supports WPA and WPA2
1,3,5


Which are components of 802.1x authentication:
1.Supplicant
2.Authenticator
3.Authentication server
4.Digital Certificate
1,2,3


Which type of system is an EAP-capable client:
1.Supplicant
2.Authenticator
3.Authentication server
4.Digital Certificate
1


Which type of system is an 802.1x-capable access point:
1.Supplicant
2.Authenticator
3.Authentication server
4.Digital Certificate
2


Which type of system is an EAP-capable RADIUS server:
1.Supplicant
2.Authenticator
3.Authentication server
4.Digital Certificate
3


What is the main advantage of PSK:
1.Easy to setup and user for users
2.Enhanced authentication
3.It is support by Windows 3.1
4.It is the most complex encryption method
1


Which wireless technology has the lowest range:
1.ZigBee
2.Bluetooth
3.IEEE 802.11b
4.WiMax
5.3G/GSM
2


Which wireless technology was originally seen as a replacement to RS-232 communications:
1.ZigBee
2.Bluetooth
3.IEEE 802.11b
4.WiMax
5.UWB
2


Which wireless technology has the highest achievable data rate:
1.ZigBee
2.Bluetooth
3.IEEE 802.11b
4.WiMax
5.UWB
5


Which organisation developed the DECT (Digital Enchanced Cordless Telecommunications) standard:
1.ETSI
2.IEEE
3.ACM
4.ITU
1


Which type of network architecture does Bluetooth use:
1.PAN
2.WAN
3.LAN
4.MAN
1


Which carrier frequency does Bluetooth use:
1.1.2GHz
2.2.4HGz
3.2.8GHz
4.5GHz
2


Which carrier frequency does Zigbee use:
1.1.2GHz
2.2.4HGz
3.2.8GHz
4.5GHz
2


Where is the key application of WiMax:
1.Core network infrastructure
2.Fast backbone
3.The last mile access
4.Local connections
3


Which standard is WiMax based on:
1.IEEE 802.3
2.IEEE 802.11
3.IEEE 802.16
4.IEEE 802.5
3


Which is the most recent standard which defines WiMax:
1.IEEE 802.15a
2.IEEE 802.16b
3.IEEE 802.16c
4.IEEE 802.16d
5.IEEE 802.16e
5


Which is a good application of ZigBee:
1.Home automation
2.Backbone communications
3.Mobile applications
4.The last mile access
1


Which is a good application of ZigBee:
1.Monitoring
2.Backbone communications
3.Mobile applications
4.The last mile access
1


Which is a good application of ZigBee:
1.Control systems
2.Backbone communications
3.Mobile applications
4.The last mile access
1


Which group were responsible for defining Bluetooth standards:
1.Bluetooth 16w
2.Bluetooth SIG
3.PAN 101
4.IEEE 802.3
2


Which are maximum number of Bluetooth devices that can be paired together:
1.One
2.Two
3.Four
4.Eigth
5.Sixteen
4


In the US which is the standard used to differentiate US devices from a European one:
1.DECT US
2.DECT 1.1
3.DECT 6.0
4.DECT+
3


Which is the most up-to-date Bluetooth version:
1.Version 1.0
2.Version 1.2
3.Version 2.0
4.Version 2.1 + EDR
4


What is the bit rate for Bluetooth Version 1.2:
1.500kbps
2.1Mbps
3.3Mbps
4.11Mbps
2


What is the bit rate for Bluetooth Version 2.1 + EDR:
1.500kbps
2.1Mbps
3.3Mbps
4.11Mbps
3


For a Bluetooth piconet how many masters can there be:
1.One
2.Two
3.Six
4.Seven
5.Eigth
1


For a Zigbee star network how many coordinators can there be:
1.One
2.Two
3.Six
4.Seven
5.Eigth
1


For a Zigbee cluster network how many coordinators can there be:
1.One
2.Two
3.Six
4.Seven
5.Eigth
1