Eccouncil 312-49v10 practice test

You are contracted to work as a computer forensics investigator for a regional bank that has four 30
TB storage area networks that store customer data.
What method would be most efficient for you to acquire digital evidence from this network?

• A. create a compressed copy of the file with DoubleSpace
• B. create a sparse data copy of a folder or file
• C. make a bit-stream disk-to-image file
• D. make a bit-stream disk-to-disk file

You are working for a large clothing manufacturer as a computer forensics investigator and are called
in to investigate an unusual case of an employee possibly stealing clothing designs from the company
and selling them under a different brand name for a different company. What you discover during
the course of the investigation is that the clothing designs are actually original products of the
employee and the company has no policy against an employee selling his own designs on his own
time. The only thing that you can find that the employee is doing wrong is that his clothing design
incorporates the same graphic symbol as that of the company with only the wording in the graphic
being different. What area of the law is the employee violating?

• A. trademark law
• B. copyright law
• C. printright law
• D. brandmark law

What file structure database would you expect to find on floppy disks?

• A. NTFS
• B. FAT32
• C. FAT16
• D. FAT12

What type of attack occurs when an attacker can force a router to stop forwarding packets by
flooding the router with many open connections simultaneously so that all the hosts behind the
router are effectively disabled?

• A. digital attack
• B. denial of service
• C. physical attack
• D. ARP redirect

When examining a file with a Hex Editor, what space does the file header occupy?

• A. the last several bytes of the file
• B. the first several bytes of the file
• C. none, file headers are contained in the FAT
• D. one byte at the beginning of the file

In the context of file deletion process, which of the following statement holds true?

• A. When files are deleted, the data is overwritten and the cluster marked as available
• B. The longer a disk is in use, the less likely it is that deleted files will be overwritten
• C. While booting, the machine may create temporary files that can delete evidence
• D. Secure delete programs work by completely overwriting the file in one go

A suspect is accused of violating the acceptable use of computing resources, as he has visited adult
websites and downloaded images. The investigator wants to demonstrate that the suspect did
indeed visit these sites. However, the suspect has cleared the search history and emptied the cookie
cache. Moreover, he has removed any images he might have downloaded. What can the investigator
do to prove the violation?

• A. Image the disk and try to recover deleted files
• B. Seek the help of co-workers who are eye-witnesses
• C. Check the Windows registry for connection data (you may or may not recover)
• D. Approach the websites for evidence

A(n) _____________________ is one that's performed by a computer program rather than the
attacker manually performing the steps in the attack sequence.

• A. blackout attack
• B. automated attack
• C. distributed attack
• D. central processing attack

The offset in a hexadecimal code is:

• A. The last byte after the colon
• B. The 0x at the beginning of the code
• C. The 0x at the end of the code
• D. The first byte after the colon

It takes _____________ mismanaged case/s to ruin your professional reputation as a computer
forensics examiner?

• A. by law, three
• B. quite a few
• C. only one
• D. at least two