EC-COUNCIL EC1-349 Online Practice Questions and Exam Preparation

EC-COUNCIL EC1-349 Online Questions & Answers

• Question 391:

  What file is processed at the end of a Windows XP boot to initialize the logon dialog box?

  A. NTOSKRNL.EXE
  B. NTLDR
  C. LSASS.EXE
  D. NTDETECT.COM
  C. LSASS.EXE

• Question 392:

  What must an investigator do before disconnecting an iPod from any type of computer?

  A. Unmount the iPod
  B. Mount the iPod
  C. Disjoin the iPod
  D. Join the iPod
  A. Unmount the iPod

• Question 393:

  Under no circumstances should anyone, with the exception of qualified computer forensics personnel, make any attempts to restore or recover information from a computer system or device that holds electronic information.

  A. True
  B. False
  A. True

• Question 394:

  Using Linux to carry out a forensics investigation, what would the following command accomplish? dd if=/usr/home/partition.image of=/dev/sdb2 bs=4096 conv=notrunc,noerror

  A. Search for disk errors within an image file
  B. Backup a disk to an image file
  C. Copy a partition to an image file
  D. Restore a disk from an image file
  D. Restore a disk from an image file

• Question 395:

  Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in Windows 7 is:

  A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion \ProfileList
  B. HKEY_LOCAL_MACHlNE\SOFTWARE\Microsoft\Windows NT\CurrentVersion \NetworkList
  C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentsVersion \setup
  D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
  A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion \ProfileList

• Question 396:

  What is a chain of custody?

  A. A legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory
  B. It is a search warrant that is required for seizing evidence at a crime scene
  C. It Is a document that lists chain of windows process events
  D. Chain of custody refers to obtaining preemptive court order to restrict further damage of evidence in electronic seizures
  A. A legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory

• Question 397:

  When using Windows acquisitions tools to acquire digital evidence, it is important to use a well-tested hardware write-blocking device to _________

  A. Automate collection from image files
  B. Avoiding copying data from the boot partition
  C. Acquire data from the host-protected area on a disk
  D. Prevent contamination to the evidence drive
  D. Prevent contamination to the evidence drive

• Question 398:

  Daryl, a computer forensics investigator, has just arrived at the house of an alleged computer hacker. Daryl takes pictures and tags all computer and peripheral equipment found in the house. Daryl packs all the items found in his van and takes them back to his lab for further examination. At his lab, Michael his assistant helps him with the investigation. Since Michael is still in training, Daryl supervises all of his work very carefully. Michael is not quite sure about the procedures to copy all the data off the computer and peripheral devices. How many data acquisition tools should Michael use when creating copies of the evidence for the investigation?

  A. Two
  B. One
  C. Three
  D. Four
  A. Two

• Question 399:

  SIM is a removable component that contains essential information about the subscriber. It has both volatile and non-volatile memory. The file system of a SIM resides in _____________ memory.

  A. Volatile
  B. Non-volatile
  B. Non-volatile

• Question 400:

  All Blackberry email is eventually sent and received through what proprietary RIM-operated mechanism?

  A. Blackberry Message Center
  B. Microsoft Exchange
  C. Blackberry WAP gateway
  D. Blackberry WEP gateway
  A. Blackberry Message Center