What do you think would be the next sequence of events?
Chris has been called upon to investigate a hacking incident reported by one of his clients. The
company suspects the involvement of an insider accomplice in the attack. Upon reaching the
incident scene, Chris secures the physical area, records the scene using visual mediA. He shuts
the system down by pulling the power plug so that he does not disturb the system in any way. He
labels all cables and connectors prior to disconnecting any. What do you think would be the next
sequence of events?
When investigating a Windows System, it is important to view the contents of the page or swap file because:
When investigating a Windows System, it is important to view the contents of the page or swap file
because:
Where did the incident team go wrong?
A state department site was recently attacked and all the servers had their disks eraseD. The
incident response team sealed the area and commenced investigation. During evidence collection
they came across a zip disks that did not have the standard labeling on it. The incident team ran
the disk on an isolated system and found that the system disk was accidentally eraseD. They
decided to call in the FBI for further investigation. Meanwhile, they short listed possible suspects
including three summer interns. Where did the incident team go wrong?
Which of the following refers to the data that might still exist in a cluster even though the original file ha
Which of the following refers to the data that might still exist in a cluster even though the original
file has been overwritten by another file?
What should you do when approached by a reporter about a case that you are working on or have worked on?
What should you do when approached by a reporter about a case that you are working on or have
worked on?
It is written to the outermost track of a disk and contains information about each file stored on the drive
This is original file structure database that Microsoft originally designed for floppy disks. It is
written to the outermost track of a disk and contains information about each file stored on the
drive.
What port do you send the email to on the company SMTP server?
You are working in the security Department of law firm. One of the attorneys asks you about the
topic of sending fake email because he has a client who has been charged with doing just that. His
client alleges that he is innocent and that there is no way for a fake email to actually be sent. You
inform the attorney that his client is mistaken and that fake email is possibility and that you can
prove it. You return to your desk and craft a fake email to the attorney that appears to come from
his boss. What port do you send the email to on the company SMTP server?
which of the following options would you suggest as the most appropriate to overcome the problem of capturing
Volatile Memory is one of the leading problems for forensics. Worms such as code Red are
memory resident and do write themselves to the hard drive, if you turn the system off they
disappear. In a lab environment, which of the following options would you suggest as the most
appropriate to overcome the problem of capturing volatile memory?
Diskcopy is:
Diskcopy is:
What do you do?
You are working as Computer Forensics investigator and are called by the owner of an accounting
firm to investigate possible computer abuse by one of the firms employees. You meet with the
owner of the firm and discover that the company has never published a policy stating that they
reserve the right to inspect their computing assets at will.
What do you do?