CHFI Exam Guide
✅✅
____ _____ allows information to be retrieved outside the areas reserved for
the web server. - -Directory traversal
✅✅
____ causes a query to be made using the user's identity such that it appears
that the user legitimately issued the command. - -Cross-site request
forgery (CSRF)
✅✅
____ requires observing the movement of electrons within the device using an
electron microscope. - -Micro-read
✅✅
______ is a 128 bit unique reference number used as an identifier in computer
software? - -Global Unique Identifier (GUID)
✅✅
A ____ attack occurs when an exploit is detected "in the wild" the same day a
vulnerability is announced. - -zero-day attack
✅✅
A ____ extraction requires a machine capable of reading protected memory. -
-Physical
✅✅
A file's MAC time is defined as the time the file was ____, ____, or ____ -
-modified, accessed, or created.
A forensic investigator is collecting evidence from an Apache web server
installed on Ubuntu Linux.
✅✅
Which log should the investigator use to find information about every request
sent to the web server? - -Access.log
A forensic investigator is collecting evidence from the database built into the
Windows network operating systems. The investigator needs to verify the
✅✅
privileges of the database by using one of the MySQL utility programs.
Which utility program should the investigator use? - -mysqlaccess
A forensic investigator is collecting evidence from the MySQL server. The
investigator needs to verify the status of the tables and repair them using one
✅✅
of the MySQL utility programs.
Which utility program should the investigator use? - -myisamchk
,A forensic investigator is investigating an attack on a WordPress database.
The investigator has already made a backup of the database from the MySQL
✅✅
server and needs to restore the data on the forensic investigator's laptop.
Which command creates a database named wordpress? - -Create
database wordpress;
✅✅
A forensic investigator is investigating an ext4 drive on a Linux system. What
is the minimum kernel that supports this? - -v2.6.19
A forensic investigator is performing malware analysis on a Windows
computer. The investigator believes malware has replaced the legitimate
✅✅
drivers with fake versions. What should the investigator look at to confirm
these suspicions? - -The digital signatures on the drivers
A forensic investigator is searching a Windows XP computer image for
information about a deleted Word document. The investigator already viewed
the sixth file that was deleted from the computer. Two additional files were
✅✅
deleted.
What is the name of the last file the investigator opens? - -$R7.doc
A forensic investigator is tasked with finding out if a suspect recently accessed
a specific folder on a network.
✅✅
Which registry key should the investigator analyze to retrieve only the folder
information? - -BagMRU
A forensic investigator is tasked with retrieving evidence where the primary
server has been erased. The investigator needs to rely on network logs and
backup tapes to base their conclusions on while testifying in court.
✅✅
Which information found in rules of evidence, Rule 1001, helps determine if
this testimony is acceptable to the court? - -Definition of original
evidence
A forensic investigator is using a hex editor to view file signatures for graphics.
✅✅
Which type of file is the investigator viewing when the first hexadecimal
characters are 42 4D? - -BMP
A forensic investigator needs to perform a bit-by-bit replication of the data on
✅✅
an Android device to search for deleted messages. Which tool gathers all the
evidence for analysis? - -dd
, A forensic investigator receives a virtual machine (VM) in a dd image file.
✅✅
Which program should the investigator use to convert the dd image into a
bootable VM? - -QEMU disk image utility
A forensic investigator uses The Sleuth Kit (TSK) to extract information about
✅✅
when directories were created and modified. Which command should the
investigator use to extract the information? - -fls
✅✅
A sequence of bits in a graphics file represents a single ____ on the screen. -
-Pixel
✅✅
A(n) ____ attack can be used when a set of constraints for password creation
is known. - -Rule-based.
Rule-based attacks take advantage of the rules used to specify the character
sets and the length of the password in order to minimize the search space.
✅✅
According to the Daubert decision, what criteria must third-party file and
partition recovery tools meet? - -Accurate, consistent, usable, and
verifiable.
✅✅
According to the EC-Council's investigative report template, which dates and
times should be recorded in a report? - -Date and time of alleged
incident.
Date and time the incident was reported to your agency.
Date and time the incident was assigned.
✅✅
Acquiring a call record for a cell phone would require a warrant or a subpoena
to get that information from the ____. - -MSC (mobile switch center)
An attacker uses "packer" software to what end? - ✅✅-Compress and
obfuscate file contents.
✅✅
As an expert witness, what does the government require you to do prior to
trial? - -Provide a report.
✅✅
Basic partitioning tools that displays details about GPT partition tables in
Windows OS. - -Diskpart
✅✅
____ _____ allows information to be retrieved outside the areas reserved for
the web server. - -Directory traversal
✅✅
____ causes a query to be made using the user's identity such that it appears
that the user legitimately issued the command. - -Cross-site request
forgery (CSRF)
✅✅
____ requires observing the movement of electrons within the device using an
electron microscope. - -Micro-read
✅✅
______ is a 128 bit unique reference number used as an identifier in computer
software? - -Global Unique Identifier (GUID)
✅✅
A ____ attack occurs when an exploit is detected "in the wild" the same day a
vulnerability is announced. - -zero-day attack
✅✅
A ____ extraction requires a machine capable of reading protected memory. -
-Physical
✅✅
A file's MAC time is defined as the time the file was ____, ____, or ____ -
-modified, accessed, or created.
A forensic investigator is collecting evidence from an Apache web server
installed on Ubuntu Linux.
✅✅
Which log should the investigator use to find information about every request
sent to the web server? - -Access.log
A forensic investigator is collecting evidence from the database built into the
Windows network operating systems. The investigator needs to verify the
✅✅
privileges of the database by using one of the MySQL utility programs.
Which utility program should the investigator use? - -mysqlaccess
A forensic investigator is collecting evidence from the MySQL server. The
investigator needs to verify the status of the tables and repair them using one
✅✅
of the MySQL utility programs.
Which utility program should the investigator use? - -myisamchk
,A forensic investigator is investigating an attack on a WordPress database.
The investigator has already made a backup of the database from the MySQL
✅✅
server and needs to restore the data on the forensic investigator's laptop.
Which command creates a database named wordpress? - -Create
database wordpress;
✅✅
A forensic investigator is investigating an ext4 drive on a Linux system. What
is the minimum kernel that supports this? - -v2.6.19
A forensic investigator is performing malware analysis on a Windows
computer. The investigator believes malware has replaced the legitimate
✅✅
drivers with fake versions. What should the investigator look at to confirm
these suspicions? - -The digital signatures on the drivers
A forensic investigator is searching a Windows XP computer image for
information about a deleted Word document. The investigator already viewed
the sixth file that was deleted from the computer. Two additional files were
✅✅
deleted.
What is the name of the last file the investigator opens? - -$R7.doc
A forensic investigator is tasked with finding out if a suspect recently accessed
a specific folder on a network.
✅✅
Which registry key should the investigator analyze to retrieve only the folder
information? - -BagMRU
A forensic investigator is tasked with retrieving evidence where the primary
server has been erased. The investigator needs to rely on network logs and
backup tapes to base their conclusions on while testifying in court.
✅✅
Which information found in rules of evidence, Rule 1001, helps determine if
this testimony is acceptable to the court? - -Definition of original
evidence
A forensic investigator is using a hex editor to view file signatures for graphics.
✅✅
Which type of file is the investigator viewing when the first hexadecimal
characters are 42 4D? - -BMP
A forensic investigator needs to perform a bit-by-bit replication of the data on
✅✅
an Android device to search for deleted messages. Which tool gathers all the
evidence for analysis? - -dd
, A forensic investigator receives a virtual machine (VM) in a dd image file.
✅✅
Which program should the investigator use to convert the dd image into a
bootable VM? - -QEMU disk image utility
A forensic investigator uses The Sleuth Kit (TSK) to extract information about
✅✅
when directories were created and modified. Which command should the
investigator use to extract the information? - -fls
✅✅
A sequence of bits in a graphics file represents a single ____ on the screen. -
-Pixel
✅✅
A(n) ____ attack can be used when a set of constraints for password creation
is known. - -Rule-based.
Rule-based attacks take advantage of the rules used to specify the character
sets and the length of the password in order to minimize the search space.
✅✅
According to the Daubert decision, what criteria must third-party file and
partition recovery tools meet? - -Accurate, consistent, usable, and
verifiable.
✅✅
According to the EC-Council's investigative report template, which dates and
times should be recorded in a report? - -Date and time of alleged
incident.
Date and time the incident was reported to your agency.
Date and time the incident was assigned.
✅✅
Acquiring a call record for a cell phone would require a warrant or a subpoena
to get that information from the ____. - -MSC (mobile switch center)
An attacker uses "packer" software to what end? - ✅✅-Compress and
obfuscate file contents.
✅✅
As an expert witness, what does the government require you to do prior to
trial? - -Provide a report.
✅✅
Basic partitioning tools that displays details about GPT partition tables in
Windows OS. - -Diskpart
