Question 6 of 793
You are using DriveSpy, a forensic tool and want to copy 150 sectors where the starting sector is 1709 on the primary hard drive. Which of the following formats correctly specifies these sectors?
    Correct Answer: B

    The correct format to specify copying 150 sectors starting from sector 1709 on the primary hard drive using DriveSpy is '0:1709, 150'. The '0:' indicates the primary hard drive, '1709' is the starting sector, and '150' specifies the number of sectors to be copied.

Question 7 of 793
A honey pot deployed with the IP 172.16.1.108 was compromised by an attacker. Given below is an excerpt from a Snort binary capture of the attack. Decipher the activity carried out by the attacker by studying the log. Please note that you are required to infer only what is explicit in the excerpt.
(Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)
03/15-20:21:24.107053 211.185.125.124:3500 -> 172.16.1.108:111
TCP TTL:43 TOS:0x0 ID:29726 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x9B6338C5 Ack: 0x5820ADD0 Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23678634 2878772 =+=+=+=+=+=+=+=+=+=+=+=+=+=
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.452051 211.185.125.124:789 -> 172.16.1.103:111
UDP TTL:43 TOS:0x0 ID:29733 IpLen:20 DgmLen:84

Len: 64 -
01 0A 8A 0A 00 00 00 00 00 00 00 02 00 01 86 A0 . .............
00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 01 86 B8 00 00 00 01 . ..............
00 00 00 11 00 00 00 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/15-20:21:24.730436 211.185.125.124:790 -> 172.16.1.103:32773
UDP TTL:43 TOS:0x0 ID:29781 IpLen:20 DgmLen:1104

Len: 1084 -
47 F7 9F 63 00 00 00 00 00 00 00 02 00 01 86 B8
    Correct Answer: A

    The attacker initiated connections to different IP addresses on port 111. Consistent with classical network sweep behavior, the entries show repeated access attempts to the same port at different addresses. No evidence indicates payloads associated with buffer overflow or backdoor installation in the provided log snippet.

Question 8 of 793
The newer Macintosh Operating System is based on:
    Correct Answer: B

Question 9 of 793
Before you are called to testify as an expert, what must an attorney do first?
    Correct Answer: D

    Before you can testify as an expert witness, the attorney must first qualify you as an expert witness. This involves demonstrating your education, experience, skill, and training related to the subject matter to ensure the court recognizes you as an expert.

Question 10 of 793
You are contracted to work as a computer forensics investigator for a regional bank that has four 30 TB storage area networks that store customer data.
What method would be most efficient for you to acquire digital evidence from this network?
    Correct Answer: C

    The most efficient method for acquiring digital evidence from a network with such large storage capacity is to make a bit-stream disk-to-image file. This method creates an exact copy of the entire disk, preserving all the data, including hidden and deleted files, as well as system and metadata. Creating a bit-stream disk-to-image file is crucial in forensics to ensure the integrity and admissibility of the evidence.