If a PDA is seized in an investigation while the device is turned on, what would be the proper procedure?
A. Remove any memory cards immediately
B. Turn off the device immediately
C. Keep the device powered on
D. Remove the battery immediately
Correct answer: C
Question 2:
Study the log given below and answer the following question:
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?
A. Disallow TCP53 in from secondaries or ISP server to DNS server
B. Block all UDP traffic
C. Disallow UDP53 in from outside to DNS server
D. Allow UDP53 in from DNS server to outside
Correct answer: C
Question 3:
Why should you note all cable connections for a computer you want to seize as evidence?
A. to know what outside connections existed
B. to know what peripheral devices exist
C. in case other devices were connected
D. to know what hardware existed
Correct answer: A
Question 4:
Printing under a Windows computer normally requires which one of the following file types to be created?
A. EMF
B. MEM
C. CME
D. EME
Correct answer: A
Question 5:
Which is a standard procedure to perform during all computer forensics investigations?
A. with the hard drive removed from the suspect PC, check the date and time in the system's RAM
B. with the hard drive removed from the suspect PC, check the date and time in the system's CMOS
C. with the hard drive in the suspect PC, check the date and time in the File Allocation Table
D. with the hard drive in the suspect PC, check the date and time in the system's CMOS
Correct answer: B
Question 6:
You are employed directly by an attorney to help investigate an alleged sexual harassment case at a large pharmaceutical manufacturer. While at the corporate office of the company, the CEO demands to know the status of the investigation. What prevents you from discussing the case with the CEO?
A. Trade secrets
B. ISO 17799
C. the attorney-work-product rule
D. Good manners
Correct answer: C
Yoshikawa -
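I have nothing but gratitude for Pass4Test. I finally retook EC0-349 and passed!! I immediately purchased the question set for 312-38, which I want to take next. It looks like I will get a good result this time too.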