2024 C702 EXAM WITH CORRECT ANSWERS

Which documentation should a forensic examiner prepare prior to a dynamic analysis? - CORRECT-ANSWERS The full path and location of the file being investigated

What allows for a lawful search to be conducted without a warrant or probable cause? - CORRECT-ANSWERS Consent of a person with authority

Core Services Layer - CORRECT-ANSWERS is mainly responsible for managing basic system services used by iOS applications.

The Core OS Layer - CORRECT-ANSWERS is the most important layer because it provides the maximum features for the applications. It provides most of the frameworks required by the applications for their accurate functionality.

Non-volatile - CORRECT-ANSWERS HKEY_LOCAL_MACHINE, HKEY_USERS

Volatile - CORRECT-ANSWERS HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_CURRENT_CONFIG

Recover My Files - CORRECT-ANSWERS
▪ Recovers files even if emptied from the Recycle Bin
▪ Recovers files after an accidental format, even after Windows is reinstalled
▪ Performs disk recovery after a hard disk crash
▪ Recovers files after a partitioning error
▪ Recovers data from RAW hard drives
▪ Recovers documents, photos, videos, music, and email
▪ Recovers from a hard drive, camera card, USB, Zip, floppy disk, or other media

EaseUS Data Recovery - CORRECT-ANSWERS This software supports hardware RAID and hard drives, USB drives, SD cards, memory cards, etc.

DiskDigger - CORRECT-ANSWERS program that undeletes and recovers lost files from hard drives, memory cards, and USB flash drives.

Quick Recovery - CORRECT-ANSWERS software that recovers files that have been lost, deleted, corrupted, or even deteriorated. The application searches, scans, and recovers files that are encrypted and password protected and restores them.

Total Recall Data Recovery Software - CORRECT-ANSWERS recovers lost data from hard drives, RAID, photos, deleted files, iPods, and even removable disks connected via FireWire or USB.

Advanced Disk Recovery Source - CORRECT-ANSWERS It scans hard drives, partitions, external devices, and even CDs and DVDs for recoverable files. It provides two types of scans: the Quick Scan, which uses the MFT, and the Deep Scan, which uses file signatures.

Spotlight - Mac - CORRECT-ANSWERS the database information parsed from Spotlight retrieves details such as dates, last opened, and the number of times an application or file is opened

Mac Trash directory - CORRECT-ANSWERS %%users.homedir%%/.Trash/

The directory of the State file in the Tor browser folder - CORRECT-ANSWERS \Tor Browser\Browser\TorBrowser\Data\Tor\

Rule 101 - CORRECT-ANSWERS Scope (Proceedings)

Rule 102 - CORRECT-ANSWERS Purpose and Construction (Just)

Rule 103 - CORRECT-ANSWERS Rulings on Evidence

Rule 104 - CORRECT-ANSWERS Preliminary Evidence

Rule 105 - CORRECT-ANSWERS Limited Admissibility (Restrictions)

Rule 801 - CORRECT-ANSWERS Hearsay

Rule 1001 - CORRECT-ANSWERS Definitions

Rule 1002 - CORRECT-ANSWERS Requirement of Original

Rule 1003 - CORRECT-ANSWERS Admissibility of Duplicates

Rule 1004 - CORRECT-ANSWERS Admissibility of Other Evidence of Content

Rule 402 - CORRECT-ANSWERS General Admissibility of Relevant Evidence

Rule 901 - CORRECT-ANSWERS Requirement of authentication or identification

Linux trash directory - CORRECT-ANSWERS .local/share/Trash/

istat - CORRECT-ANSWERS Display details of a metadata structure (inode)

fls - CORRECT-ANSWERS List file and directory names in a disk image.

img_stat - CORRECT-ANSWERS Display details of an image file.

NIST SP 800-88 Guidelines - CORRECT-ANSWERS Clear, Purge, Destroy

PsLoggedOn - CORRECT-ANSWERS displays both the locally logged-on users and users logged on via resources for either the local computer or a remote one.

net sessions - CORRECT-ANSWERS displays information about all logged-in sessions on the local computer

LogonSessions - CORRECT-ANSWERS It lists the currently active logged-on sessions and, if you specify the -p option, it can provide information on the processes running in each session.

net file - CORRECT-ANSWERS displays the names of all open shared files on a server and the number of file locks, if any, on each file. You can also close files and remove file locks.

PsFile - CORRECT-ANSWERS is a command-line utility that can retrieve the list of remotely opened files on a system and allows an investigator to close open files

Openfiles - CORRECT-ANSWERS This command queries or displays open files and also queries, displays, or disconnects files opened by network users.

Pslist.exe - CORRECT-ANSWERS displays basic information about the processes already running on a system, including the amount of time each process has been running. Options: -x details about threads and memory, -t task tree, -d detail, -m memory, -e exact match for process name

ListDLLs - CORRECT-ANSWERS reports DLLs loaded into processes. Arguments: processname, pid, dllname; options: -r relocated, -u unsigned, -v version

Handle - CORRECT-ANSWERS displays information about open handles for any process

Fsutil - CORRECT-ANSWERS performs tasks related to file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume.

PsLogList - CORRECT-ANSWERS allows users to log in to remote systems in situations where the current set of security credentials would not permit access to the Event Log. It retrieves message strings from the computer on which the event log resides. It shows the contents of the System Event Log on the local computer and allows formatting of Event Log records.

dmesg - CORRECT-ANSWERS The command displays the kernel ring buffer, which contains information about the drivers loaded into the kernel during the boot process and error messages produced when loading the drivers into the kernel. These messages are helpful in resolving device driver issues.

fsck - CORRECT-ANSWERS stands for File System Consistency Check. It is a tool to check the consistency of a Linux file system and repair it.

lsof - CORRECT-ANSWERS The command lsof is short for 'list open files'

Lsmod - CORRECT-ANSWERS shows information about the loaded modules

Aureport - CORRECT-ANSWERS is used to produce summary reports of the audit system logs.

readelf - CORRECT-ANSWERS The command is used to analyze the file headers and sections of ELF files.

A forensic investigator is tasked with retrieving evidence where the primary server has been erased. The investigator needs to rely on network logs and backup tapes to base their conclusions on while testifying in court. Which information found in rules of evidence, Rule 1001, helps determine if this testimony is acceptable to the court? - CORRECT-ANSWERS Definition of original evidence

When can a forensic investigator collect evidence without formal consent? - CORRECT-ANSWERS When properly worded banners are displayed on the computer screen

Who determines whether a forensic investigation should take place if a situation is undocumented in the standard operating procedures? - CORRECT-ANSWERS Decision maker

Which situation leads to a civil investigation? - CORRECT-ANSWERS Disputes between two parties that relate to a contract violation

Which rule does a forensic investigator need to follow? - CORRECT-ANSWERS Use well-known standard procedures

What is the focus of Locard's exchange principle? - CORRECT-ANSWERS Anyone entering a crime scene takes something with them and leaves something behind.

What is the focus of the enterprise theory of investigation (ETI)? - CORRECT-ANSWERS Solving one crime can tie it back to a criminal organization's activities.

A forensic investigator is searching a Windows XP computer image for information about a deleted Word document. The investigator already viewed the sixth file that was deleted from the computer. Two additional files were deleted. What is the name of the last file the investigator opens? - CORRECT-ANSWERS $R7.doc

What is a benefit of a web application firewall (WAF)? - CORRECT-ANSWERS Acts as a reverse proxy to inspect all HTTP traffic

How does a hacker bypass a web application firewall (WAF) with the toggle case technique? - CORRECT-ANSWERS By randomly capitalizing some of the characters

During a recent scan of a network, a network administrator sent ICMP echo 8 packets to each IP address being used in the network. The ICMP echo 8 packets contained an invalid media access control (MAC) address. Logs showed that one device replied with ICMP echo 0 packets. What does the reply from the single device indicate? - CORRECT-ANSWERS The machine is in promiscuous mode.

What is the goal for an attacker using a directory traversal attack? - CORRECT-ANSWERS To access areas of the system to which the attacker should not have access

A forensic investigator is performing malware analysis on a Windows computer. The investigator believes malware has replaced the legitimate drivers with fake versions. What should the investigator look at to confirm these suspicions? - CORRECT-ANSWERS The digital signatures on the drivers

Where should an investigator look in the registry to find artifacts if there is malware on a Windows system? - CORRECT-ANSWERS HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

A forensic investigator is investigating an ext4 drive on a Linux system. What is the minimum kernel that supports this? - CORRECT-ANSWERS v2.6.19

Which application should a forensic investigator use to analyze information on a Mac OSX? - CORRECT-ANSWERS Data Rescue 4

Microsoft Security IDs - CORRECT-ANSWERS are available in the Windows Registry Editor under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

HFS (Hierarchical File System) Plus - CORRECT-ANSWERS file system developed by Apple for Mac OS X. It is also referred to as Mac OS Extended.

The EXT file system - CORRECT-ANSWERS created to be used with the Linux kernel. Windows and Mac OS cannot read EXT file systems.

exFAT file system - CORRECT-ANSWERS Microsoft file system that is compatible with Windows and Mac OS 10.6+. It is also compatible with many media devices such as TVs and portable media players.

The FAT file system - CORRECT-ANSWERS a general-purpose file system that is compatible with all major operating systems. It was the default file system for all Windows operating systems prior to Windows 2000. It is now only used for devices with small capacity where portability between operating systems is paramount.

The NTFS file system - CORRECT-ANSWERS modern, well-formed file system that is most commonly used by Windows Vista, 7 & 8. It has a feature-rich yet simple organization that allows it to be used on very large volumes.

Logical block addressing (LBA) - CORRECT-ANSWERS Used for specifying the location of blocks of data stored on computer storage devices, generally secondary storage systems such as hard disk drives.

fsutil command - CORRECT-ANSWERS performs tasks related to file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume

Metasploit framework and what you can do with it - CORRECT-ANSWERS Timestomp, which is part of the Metasploit Framework, is a trail obfuscation tool that attackers use to modify, edit, and delete the date and time metadata on a file and make it useless to investigators

Tasklist - CORRECT-ANSWERS displays the list of applications and services along with the process IDs (PID) for all tasks that are running on either a local or a remotely connected computer.

On older FAT file systems (Windows 98 and prior) - CORRECT-ANSWERS Drive:\RECYCLED

On Windows 2000, NT, and XP - CORRECT-ANSWERS Drive:\RECYCLER\<SID>

Windows Vista and later versions - CORRECT-ANSWERS Drive:\$Recycle.Bin\<SID>

Cocoa Touch Layer - CORRECT-ANSWERS first and topmost layer in the iOS architecture; it contains some of the most important frameworks related to applications

UIKit - CORRECT-ANSWERS It defines simple application basics and offers advanced technologies such as multitasking and touch-based input.