Volatile Memory is one of the leading problems for forensics. Worms such as code Red are memory resident and do write themselves to the hard drive, if you turn the system off they disappear. In a lab environment, which of the following options would you suggest as the most appropriate to overcome the problem of capturing volatile memory?

A. Use VMware to be able to capture the data in memory and examine it

B. Give the Operating System a minimal amount of memory, forcing it to use a swap file

C. Create a Separate partition of several hundred megabytes and place the swap file there

D. Use intrusion forensic techniques to study memory resident infections

What is the name of the Standard Linux Command that is also available as windows application that can be used to create bit-stream images?

A. mcopy

B. image

C. MD5

D. dd

Office Documents (Word, Excel and PowerPoint) contain a code that allows tracking the MAC or unique identifier of the machine that created the document. What is that code called?

A. Globally unique ID

B. Microsoft Virtual Machine Identifier

C. Personal Application Protocol

D. Individual ASCII string

You are a computer forensics investigator working with local police department and you are called to assist in an investigation of threatening emails. The complainant has printer out 27 email messages from the suspect and gives the printouts to you. You inform her that you will need to examine her computer because you need access to the _________________________ in order to track the emails back to the suspect.

A. Routing Table

B. Firewall log

C. Configuration files D. Email Header

Why should you never power on a computer that you need to acquire digital evidence from?

A. When the computer boots up, files are written to the computer rendering the data nclean

B. When the computer boots up, the system cache is cleared which could destroy evidence

C. When the computer boots up, data in the memory buffer is cleared which could destroy evidence

D. Powering on a computer has no affect when needing to acquire digital evidence from it

Jacob is a computer forensics investigator with over 10 years experience in investigations and has written over 50 articles on computer forensics. He has been called upon as a qualified witness to testify the accuracy and integrity of the technical log files gathered in an investigation into computer fraud. What is the term used for Jacob testimony in this case?

A. Justification

B. Authentication

C. Reiteration

D. Certification

When should an MD5 hash check be performed when processing evidence?

A. After the evidence examination has been completed

B. On an hourly basis during the evidence examination

C. Before and after evidence examination

D. Before the evidence examination has been completed

The Apache server saves diagnostic information and error messages that it encounters while processing requests. The default path of this file is usr/local/apache/logs/error.log in Linux. Identify the Apache error log from the following logs.

A. http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..% c0% af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1

B. [Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /export/ home/live/ap/htdocs/test

C. 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700]"GET /apache_pb.gif HTTP/1.0" 200 2326

D. 127.0.0.1 - - [10/Apr/2007:10:39:11 +0300] ] [error] "GET /apache_pb.gif HTTP/1.0" 200 2326

Which of the following email headers specifies an address for mailer-generated errors, like "no such user" bounce messages, to go to (instead of the sender's address)?

A. Mime-Version header

B. Content-Type header

C. Content-Transfer-Encoding header

D. Errors-To header

Ron, a computer forensics expert, is investigating a case involving corporate espionage. He has recovered several mobile computing devices from the crime scene. One of the evidence that Ron possesses is a mobile phone from Nokia that was left in ON condition. Ron needs to recover the IMEI number of the device to establish the identity of the device owner. Which of the following key combinations can he use to recover the IMEI number?

A. #*06*#

B. *#06#

C. #06#*

D. *IMEI#