
1. Sally has come to you for advice and guidance. She is trying to configure a network
device to block attempts to connect on certain ports, but when she finishes the
configuration, it works for a period of time but then changes back to the original
configuration. She cannot understand why the settings continue to change back. When you
examine the configuration, you find that the _______ are incorrect, and are allowing Bob
to change the configuration, although he is not supposed to operate or configure this
device. Since he did not know about Sally, he kept changing the configuration back.
a) Permissions
b) DAC settings
c) MAC settings
d) ACL settings
5. What happens when a file is deleted by a Microsoft operating system using the FAT file
system?
a) the file is erased and cannot be recovered
b) the file is erased but can be recovered
c) a copy of the file is stored and the original file is erased
d) only the reference to the file is removed from the FAT
6. Which part of the Windows Registry contains the user's password file?
a) HKEY_CURRENT_USER
b) HKEY_CURRENT_CONFIGURATION
c) HKEY_LOCAL_MACHINE
d) HKEY_USER
8. What does the acronym POST mean as it relates to a PC?
a) Primary Operations Short Test
b) Power On Self Test
c) Pre Operational Situation Test
d) Primary Operating System Test
9. You are setting up a test plan for verifying that new code being placed on a Web server is
secure and does not cause any problems with the production Web server. What is the best way to
test the code prior to deploying it to the production Web server?
a) Test all new code on another user's PC prior to transferring it to the production web
server
b) Test all new code on a development PC prior to transferring it to the production Web
server
c) Test all new code on a duplicate web server prior to transferring it to the production web
server
d) Test all new code on an active internal Web server prior to transferring it to the production
web server

10. What file structure database would you expect to find on floppy disks?
a) FAT 12
b) FAT 32
c) NTFS
d) FAT 16
11. The MD5 program is used to:
a) view graphics files on an evidence drive
b) wipe magnetic media before recycling it
c) make directories on an evidence disk
d) verify that a disk is not altered when you examine it
12. It has been discovered that a former member of the IT department who switched to the
development team still has administrative access to many major network infrastructure devices
and servers. Which of the following mitigation techniques should be implemented to help reduce
the risk of this event recurring?
a) DLP
b) Incident management and response policy
c) Change management notifications
d) Regular user permission and rights reviews
13. In what way do the procedures for dealing with evidence in a criminal case differ from the
procedures for dealing with evidence in a civil case?
a) evidence must be handled in the same way regardless of the type of case
b) evidence procedures are not important unless you work for a law enforcement agency
c) evidence in a criminal case must be secured more tightly than in a civil case
d) evidence in a civil case must be secured more tightly than in a criminal case
14. You are creating a DMZ for a company and need to allow external users to access Web servers
in the DMZ using HTTP/S, as well as allow internal users to access the same Web servers. Which
ports should be opened on the firewalls to meet these requirements?
a) Open port 80 on the external firewall and port 443 on the internal firewall
b) Open port 80 on the external firewall and port 110 on the internal firewall
c) Open port 110 on the external firewall and port 80 on the internal firewall
d) Open port 443 on the external firewall and port 80 on the internal firewall
15. The use of VPNs and _______ has enabled users to telecommute.
a) Wireless NICs
b) PGP
c) RASs
d) S/MIME
16. There are three recognized levels of hacking ability in the Internet community. The first is the
skilled hacker, who writes the programs and scripts that script kiddies use for their attacks. Next
comes the script kiddie, who knows how to run the scripts written by the skilled hackers. After
the script kiddies come the _______, who lack the basic knowledge of networks and security to
launch an attack themselves.
a) Clickers
b) Web kiddies
c) Dunce kiddies
d) Click kiddies
18. Which is the most important reason for the removal of unused, unnecessary, or unneeded
protocols, services, and applications?
a) Less need for administration
b) Increased security
c) Increased performance
d) Less machine resource use
19. Corporate investigations are typically easier than public investigations because ...
a) the investigator does not have to get a warrant
b) the users have standard corporate equipment and software
c) the investigator has to get a warrant
d) the users can load whatever they want on their machines
21. When monitoring for both intrusion and security events between multiple computers, it is
essential that the computers' clocks are synchronized. Synchronized time allows an administrator
to reconstruct what took place during an attack against multiple computers. Without
synchronized time, it is very difficult to determine exactly when specific events took place, and
how events interlace. What is the name of the service used to synchronize time among multiple
computers?
a) SyncTime Service
b) Universal Time Set
c) Time-Sync Protocol
d) Network Time Protocol
23. Which of the following is the best way to protect your organization from revealing sensitive
information through dumpster diving?
a) Add a new firewall to the network
b) Establish a policy requiring employees to change passwords every 30 to 60 days
c) Shred all sensitive documentation
d) Teach employees the value of not disclosing restricted information over the telephone to
unknown parties
24. To calculate the number of bytes on a disk, the formula is CHS:
a) number of cylinders x number of halves x number of shims x 512 bytes per sector
b) The answer is wrong
c) number of circles x number of halves x number of sides x 512 bytes per sector
d) number of cells x number of heads x number of sides x 512 bytes per sector

25. A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below
is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the
attacker by studying the log. Please note that you are required to infer only what is explicit in the
excerpt. (Note: The student is being tested on concepts learnt during passive OS fingerprinting,
basic TCP/IP connection concepts, and the ability to read packet signatures from a sniff dump.)
03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111
TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23678634 2878772
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111
UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84
Len: 64
01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 ................
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 ................
00 00 00 11 00 00 00 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773
UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104
Len: 1084
47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8 G..c............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20 ...............
3A B1 5E E5 00 00 00 09 6C 6F 63 61 6C 68 6F 73 :.^.....localhost
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:36.539731 211.185.125.124:4450 -> 172.16.1.108:39168
TCP TTL:43 TOS:0x0 ID:31660 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x9C6D2BFF Ack: 0x59606333 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23679878 2880015
63 64 20 2F 3B 20 75 6E 61 6D 65 20 2D 61 3B 20 cd /; uname -a;
69 64 3B id;
a) The attacker has conducted a network sweep on port 111
b) The attacker has used a Trojan on port 32773
c) The attacker has scanned and exploited the system using Buffer
d) The attacker has used a Trojan on port 32773

26. How is Annualized Loss Expectancy (ALE) derived from a threat?
a) SLE x ARO
b) SLE/EF
c) AV x EF
d) ARO x (SLE - EF)
27. The network team at your company has placed a sniffer on the network to analyze an ongoing
network-related problem. The team connects to the sniffer using Telnet to view the data going
across the network. What would you recommend to increase the security of this connection
without making it significantly more difficult for the network team members to do their jobs?
a) Require the network team to view the data from the local console of the sniffer
b) Encrypt the connection to the sniffer using PAP
c) Require the network team to remove the sniffer immediately
d) Use SSH to make the connection to the sniffer rather than Telnet

28. An employee is attempting to wipe out data stored on a couple of compact discs (CDs) and
digital video discs (DVDs) by using a large magnet. You inform him that this method will not be
effective in wiping out the data because CDs and DVDs are______________ media used to store
large amounts of data and are not affected by the magnet.
a) logical
b) anti-magnetic
c) optical
d) magnetic
30. PDAs, cell phones, and certain network cards have the ability to use _______ networks.
Choose the BEST answer.
a) Wired
b) Wireless
c) Antique
d) Private
29. If a suspect computer is located in an area that may have toxic chemicals, you must:
a) assume the suspect machine is contaminated
b) coordinate with the HAZMAT team
c) do not enter alone
d) determine a way to obtain the suspect computer

20. The component of a DDoS attack that sends commands to DDoS zombie agents is known as a
_____.
a) Rootkit
b) Console
c) Master
d) System Commander
17. What term is used to describe a cryptographic technique for embedding information into
something else for the sole purpose of hiding that information from the casual observer?
a) Offset
b) key escrow
c) rootkit
d) steganography
The act of attempting to appear to be someone you're not in order to gain access to a
system is known as which of the following?
a) Replay
b) DDoS
c) Spoofing
d) Sniffing

Which of the following is most likely to make systems vulnerable to MITM attacks?
a) Authentication misconfiguration on routers
b) Weak passwords
c) Weak TCP sequence number
d) Use of the wrong operating system

When an investigator contacts by telephone the domain administrator or controller listed by a
whois lookup to request all e-mails sent and received for a user account be preserved, what
U.S.C. statute authorizes this phone call and obligates the ISP to preserve e-mail records?
a) Title 18, Section 1030
b) Title 18, Section Chapter 90
c) Title 18, Section 2703(d)
d) Title 18, Section 2703(f)

You are contracted to work as a computer forensics investigator for a regional bank that has four
30 TB storage area networks that store customer data. What method would be most efficient for
you to acquire digital evidence from this network?
a) create a compressed copy of the file with DoubleSpace
b) make a bit-stream disk-to-disk file
c) create a sparse data copy of a folder or file
d) make a bit-stream disk-to-image file
If you plan to start up a suspect's computer, you must modify the ___________ to ensure that you
do not contaminate or alter data on the suspect's hard drive by booting to the hard drive.
a) Scandisk utility
b) Boot sys
c) CMOS
d) deltree command
