CHFI 477 Questions and Answers 100% Verified

What is a swap file? - Space on a hard disk used as virtual memory expansion for RAM System time is one example of volatile information that forensic investigators should collect. What are types of time that should be recorded? - System time, wall time, time system has been running (Date /t and Time /t can be typed in a command prompt in windows to retrieve the system time) Choose the list of tools and commands used to determine logged-on users: - PsLoggedOn, Net Sessions, LogonSession What tools can be used to see which files are open? - Net file, PsFile, Openfiles (Net file reveals names of all open shared files and the number of file locks, PsFile shows list of files open remotely, openfiles can be used to list or disconnect all open files and folders) True or False: When connections are made to other systems using NetBIOS communications, the system will maintain a list of other systems connected. By viewing the contents of the name table cache, an investigator might be able to find other systems affected. - True (A cache is duplicate data stored in a temporary location so a computer can rapidly access that data. In this case, the NetBIOS Remote Cache Name Table may contain a list of systems that a computer has connected to. nbtstat -c can be used to view the cache of NetBIOS names on the host operating system) It appears the suspect's computer is connected to a network, what is one thing an investigator should look for? - Network connections (Information about network connections can expire over time so an investigator must collect evidence as soon as possible after an incident.) What are two commands to obtain network information? - netstat -ano & netstat -r (* netstat -ano shows active connections including protocol, local address, foreign address, state and PID *netstat -r shows the routing table * netstat -b displays the executable involved in creating the connection * netstat -v is used in conjunction with -b to show sequence of components involved) What are two ways to view running processes on Windows? - TaskManager & Tasklist command When there is an open network connection, some process must be responsible for using that connection. What commands can be used to view the port? - netstat -o & fport (* netstat -o shows process to port mappings * netstat -b shows the executable involved in creating each connection (Windows XP) * fport shows process-to-port mappings but must be executed with administrator privileges) What command can be used to view command history? - doskey /history & scroll up in the command window