EC-Council CHFI
What does the Windows operating system examine to determine which application should be used to
open a file? Correct Answer: The file extension
Which of the following BEST defines the term e-discovery? Correct Answer: A process of producing
electronically stored information for use as evidence.
A CHFI is engaged by the owner of a privately owned pharmaceutical firm to investigate possible
computer abuse by one of the firm's employees. She discovers that the company has never published a
Dervis policy stating that they reserve the right to inspect their computing assets at will. Which of the
following is her BEST recommendation to the owner? Correct Answer: B. Inform the owner that
conducting an investigation without a policy is a violation of the employee's expectation of privacy
Which of the following would best prevent contamination of disk-stored digital evidence? Correct
Answer: A write blocker
You have been asked to investigate after a user has reported a threatening e-mail they have received
from an external source. Which of the following are you most interested in when trying to trace the
source of the message? Correct Answer: The e-mail header
Which of the following standards is based on a legal precedent regarding the admissibility of scientific
examinations or experiments in legal cases? Correct Answer: Frye Standard
What is the name of the standard Linux command that can be used to create bit-stream images? Correct
Answer: dd
During the course of an investigation, you locate evidence that may prove the innocence of the suspect
of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding
process, therefore you report this evidence. This type of evidence is known as: Correct Answer:
Exculpatory evidence
In what circumstance would an expert witness be allowed to state an opinion? Correct Answer: C. the
opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the
ordinary experience of lay jurors
Which of following refers to the location of data that might still exist in a cluster even though the
original file has been overwritten by another file? Correct Answer: B. Slack space
To make sure the evidence you recover and analyze with computer forensics software can be admitted
in court, you must test and validate the software. What group is actively providing tools and creating
procedures for testing and validating computer forensics software? Correct Answer: National Institute
of Standards and Technology (NIST)
What does "message repudiation" refer to in the context De of e-mail investigations? Correct Answer:
Message repudiation means a sender can claim they did not actually send a particular message
, Which of the following BEST defines the term e-discovery? Correct Answer: D. A process of producing
electronically stored information for use as evidence.
Which of the following file systems is most closely associated with the Mac OS? Correct Answer: A. HFS+
of An investigator uses a process comparing monitored events to a specific attack model to determine
whether or not the event qualifies as an intrusion. What is this called? process Correct Answer: A.
Signature-based detection
When obtaining a search warrant it is important to Correct Answer: C. Particularly describe the place to
be searched and particularly describe the items to be seized
One technique for hiding information is to change the file extension from the correct one to one that
Dennis Thibo might not be noticed by an investigator, such as changing a .jpg extension to a .doc
extension so that a picture file appears to be a document. What can an investigator examine to verify
that a file has the correct extension? Correct Answer: B. the file header
When investigating a Windows system, it is important to view the contents of the page file or swap file
because: Correct Answer: C. a large volume of data can exist within the swap file of which the computer
user has no knowledge
If a file on a hard drive has a size of 2600 bytes, how many sectors are normally allocated to this file?
Correct Answer: C. 6 sectors
When investigating a security incident involving a Dennis company-owned mobile device, what would
the incident responder most likely describe as the most serious violation of the company's security
policy requirements? Correct Answer: B. User has modified the default OS of the device
You have been asked to perform a live capture of evidence contained in a desktop PC. Which of the
following is the best order of analysis? Correct Answer: C. RAM, HDD, backup tape
You have used a newly released forensic investigation tool, which does not meet the Daubert Test,
during a case. The case goes to court. What argument could the defense make to weaken case? your
Correct Answer: The tool has not been reviewed and accepted by your peers
While investigating an data breach, you notice that a user from the building maintenance department is
a member of the Domain Administrators in Active Directory, and the group account was used to access
sensitive data. Which of the following does this indicate? Correct Answer: C. Privilege escalation
A forensic practitioner is reviewing the process performed for the protection of digital evidence. Which
of the following findings should be of MOST concern? Correct Answer: C. There are no logs
documenting the transportation of evidence
Which organization is well known for its online collection of digital forensic guidelines, best practices,
and procedure references? Correct Answer: C. SWGDE
What does the Windows operating system examine to determine which application should be used to
open a file? Correct Answer: The file extension
Which of the following BEST defines the term e-discovery? Correct Answer: A process of producing
electronically stored information for use as evidence.
A CHFI is engaged by the owner of a privately owned pharmaceutical firm to investigate possible
computer abuse by one of the firm's employees. She discovers that the company has never published a
Dervis policy stating that they reserve the right to inspect their computing assets at will. Which of the
following is her BEST recommendation to the owner? Correct Answer: B. Inform the owner that
conducting an investigation without a policy is a violation of the employee's expectation of privacy
Which of the following would best prevent contamination of disk-stored digital evidence? Correct
Answer: A write blocker
You have been asked to investigate after a user has reported a threatening e-mail they have received
from an external source. Which of the following are you most interested in when trying to trace the
source of the message? Correct Answer: The e-mail header
Which of the following standards is based on a legal precedent regarding the admissibility of scientific
examinations or experiments in legal cases? Correct Answer: Frye Standard
What is the name of the standard Linux command that can be used to create bit-stream images? Correct
Answer: dd
During the course of an investigation, you locate evidence that may prove the innocence of the suspect
of the investigation. You must maintain an unbiased opinion and be objective in your entire fact finding
process, therefore you report this evidence. This type of evidence is known as: Correct Answer:
Exculpatory evidence
In what circumstance would an expert witness be allowed to state an opinion? Correct Answer: C. the
opinion, inferences, or conclusions depend on special knowledge, skill, or training not within the
ordinary experience of lay jurors
Which of following refers to the location of data that might still exist in a cluster even though the
original file has been overwritten by another file? Correct Answer: B. Slack space
To make sure the evidence you recover and analyze with computer forensics software can be admitted
in court, you must test and validate the software. What group is actively providing tools and creating
procedures for testing and validating computer forensics software? Correct Answer: National Institute
of Standards and Technology (NIST)
What does "message repudiation" refer to in the context De of e-mail investigations? Correct Answer:
Message repudiation means a sender can claim they did not actually send a particular message
, Which of the following BEST defines the term e-discovery? Correct Answer: D. A process of producing
electronically stored information for use as evidence.
Which of the following file systems is most closely associated with the Mac OS? Correct Answer: A. HFS+
of An investigator uses a process comparing monitored events to a specific attack model to determine
whether or not the event qualifies as an intrusion. What is this called? process Correct Answer: A.
Signature-based detection
When obtaining a search warrant it is important to Correct Answer: C. Particularly describe the place to
be searched and particularly describe the items to be seized
One technique for hiding information is to change the file extension from the correct one to one that
Dennis Thibo might not be noticed by an investigator, such as changing a .jpg extension to a .doc
extension so that a picture file appears to be a document. What can an investigator examine to verify
that a file has the correct extension? Correct Answer: B. the file header
When investigating a Windows system, it is important to view the contents of the page file or swap file
because: Correct Answer: C. a large volume of data can exist within the swap file of which the computer
user has no knowledge
If a file on a hard drive has a size of 2600 bytes, how many sectors are normally allocated to this file?
Correct Answer: C. 6 sectors
When investigating a security incident involving a Dennis company-owned mobile device, what would
the incident responder most likely describe as the most serious violation of the company's security
policy requirements? Correct Answer: B. User has modified the default OS of the device
You have been asked to perform a live capture of evidence contained in a desktop PC. Which of the
following is the best order of analysis? Correct Answer: C. RAM, HDD, backup tape
You have used a newly released forensic investigation tool, which does not meet the Daubert Test,
during a case. The case goes to court. What argument could the defense make to weaken case? your
Correct Answer: The tool has not been reviewed and accepted by your peers
While investigating an data breach, you notice that a user from the building maintenance department is
a member of the Domain Administrators in Active Directory, and the group account was used to access
sensitive data. Which of the following does this indicate? Correct Answer: C. Privilege escalation
A forensic practitioner is reviewing the process performed for the protection of digital evidence. Which
of the following findings should be of MOST concern? Correct Answer: C. There are no logs
documenting the transportation of evidence
Which organization is well known for its online collection of digital forensic guidelines, best practices,
and procedure references? Correct Answer: C. SWGDE
