FREE CHFI (312-49) Questions and Answers

Question 1

The Inspect Pane can be used to view the file content of evidence files. To display file content, the View pane offers a number of tabs. Which of these tabs offers native views of the formats that Oracle supports outside of its own technology?

Accepted Answer

Doc tab

Answer

The Doc tab in forensic tools like EnCase is designed to provide native views of various document formats, including those created by applications like Microsoft Office, Adobe PDF, and other common business software. It allows investigators to view these files as they would appear in their original applications, without needing the applications themselves. This functionality is crucial for examining a broad range of document types, including those that might be supported by or interact with Oracle technologies, but are not exclusively Oracle's proprietary format.

Question 2

You can access and examine a large portion of the Registry's data during live response, and all of it during post-mortem analysis. Which registry Hive in the system stores configuration data connected to the software that is used to open different file types?

Accepted Answer

HKEY_CLASSES_ROOT

Answer

The HKEY_CLASSES_ROOT (HKCR) hive in the Windows Registry is crucial for defining file associations and OLE (Object Linking and Embedding) information. It stores data that tells the operating system which application should open a specific file type based on its extension, as well as information about COM objects. This hive is essential for the system to correctly launch programs when a user double-clicks a file, making it a key source for understanding software usage and file interactions.

Question 3

Which of the following is a hard disk's smallest allocation unit? Depending on the formatting system, a hard disk can have anywhere between 2 and 32 tracks and sectors.

Accepted Answer

Cluster

Answer

A cluster is the smallest logical unit of disk space that the operating system can allocate to hold a file. While a sector is the smallest physical unit of storage on a disk, the operating system groups multiple sectors together to form a cluster. Files are stored in whole clusters, meaning even a tiny file will occupy at least one full cluster, leading to potential slack space which can contain remnants of previous data.

Question 4

The gathering, evaluation, and reporting of evidence are standard investigation procedures that are automated and streamlined using Source Processor. Which of these source processor modules can access the target computer's disks and memory?

Accepted Answer

Acquisition Module

Answer

The Acquisition Module in forensic tools like Source Processor is specifically designed to perform the initial and critical step of data collection. Its primary function is to create forensically sound copies of data from target computers, including imaging hard drives (disks) and capturing volatile data from RAM (memory). This module ensures that evidence is gathered completely and without alteration, preserving its integrity for subsequent analysis.

Question 5

Which of these attack methods combines a dictionary attack and a brute-force attack to break a password?

Accepted Answer

Hybrid Attack

Answer

A hybrid attack combines elements of both dictionary attacks and brute-force attacks to crack passwords more efficiently. It starts by using a dictionary of common words and phrases, then systematically adds variations such as numbers, symbols, or character substitutions (e.g., 'P@ssw0rd') to those dictionary words. This approach significantly expands the potential password space beyond a simple dictionary while being more targeted than a pure brute-force attack.

CHFI - Computer Hacking Forensic Investigator Practice Test

CHFI - Computer Hacking Forensic Investigator Practice Test

FREE CHFI (312-49) Questions and Answers