Certified Hacking Forensic Investigator (CHFI) - Exam Prep Latest Update Graded A+

What is a swap file? Space on a hard disk used as virtual memory expansion for RAM What is a swap file? Space on a hard disk used as virtual memory expansion for RAM System time is one example of volatile information that forensic investigators should collect. What are types of time that should be recorded? System time, wall time, time system has been running (Date /t and Time /t can be typed in a command prompt in windows to retrieve the system time) System time is one example of volatile information that forensic investigators should collect. What are types of time that should be recorded? System time, wall time, time system has been running (Date /t and Time /t can be typed in a command prompt in windows to retrieve the system time) Choose the list of tools and commands used to determine logged-on users: PsLoggedOn, Net Sessions, LogonSessionChoose the list of tools and commands used to determine logged-on users: PsLoggedOn, Net Sessions, LogonSession What tools can be used to see which files are open? Net file, PsFile, Openfiles (Net file reveals names of all open shared files and the number of file locks, PsFile shows list of files open remotely, openfiles can be used to list or disconnect all open files and folders) What tools can be used to see which files are open? Net file, PsFile, Openfiles (Net file reveals names of all open shared files and the number of file locks, PsFile shows list of files open remotely, openfiles can be used to list or disconnect all open files and folders) True or False: When connections are made to other systems using NetBIOS communications, the system will maintain a list of other systems connected. By viewing the contents of the name table cache, an investigator might be able to find other systems affected. True (A cache is duplicate data stored in a temporary location so a computer can rapidly access that data. In this case, the NetBIOS Remote Cache Name Table may contain a list of systems that a computer has connected to. nbtstat -c can be used to view the cache of NetBIOS names on the host operating system)True or False: When connections are made to other systems using NetBIOS communications, the system will maintain a list of other systems connected. By viewing the contents of the name table cache, an investigator might be able to find other systems affected. True (A cache is duplicate data stored in a temporary location so a computer can rapidly access that data. In this case, the NetBIOS Remote Cache Name Table may contain a list of systems that a computer has connected to. nbtstat -c can be used to view the cache of NetBIOS names on the host operating system) It appears the suspect's computer is connected to a network, what is one thing an investigator should look for? Network connections (Information about network connections can expire over time so an investigator must collect evidence as soon as possible after an incident.) It appears the suspect's computer is connected to a network, what is one thing an investigator should look for? Network connections (Information about network connections can expire over time so an investigator must collect evidence as soon as possible after an incident.) What are two commands to obtain network information? netstat -ano & netstat -r(* netstat -ano shows active connections including protocol, local address, foreign address, state and PID * netstat -r shows the routing table * netstat -b displays the executable involved in creating the connection * netstat -v is used in conjunction with -b to show sequence of components involved) What are two commands to obtain network information? netstat -ano & netstat -r (* netstat -ano shows active connections including protocol, local address, foreign address, state and PID *