GIAC Certified Forensics Analyst (GCFA) Free Practice Test

Question 1

John works as a Network Administrator for DigiNet Inc. He wants to investigate failed logon attempts to a network. He uses Log Parser to detail out the failed logons over a specific time frame. He uses the following commands and query to list all failed logons on a specific date:
logparser.exe file:FailedLogons.sql -i:EVT -o:datagrid
SELECT
timegenerated AS LogonTime,
extract_token(strings, 0, '|') AS UserName
FROM Security
WHERE EventID IN (529;
530;
531;
532;
533;
534;
535;
537;
539)
AND to_string(timegenerated,'yyyy-MM-dd HH:mm:ss') like '2004-09%'
After investigation, John concludes that two logon attempts were made by using an expired account.
Which of the following EventID refers to this failed logon?

A. 534

B. 532

C. 531

D. 529

Correct Answer: B

Question 2

Your Windows XP hard drive has 2 partitions. The system partition is NTFS and the other is FAT. You wish to encrypt a folder created on the system partition for the purpose of data security. Which of the following statements is true about this situation?

A. You can only encrypt files on the NTFS partition.

B. Since the operating system is on the NTFS partition, you can encrypt files on both.

C. You can only encrypt files on the FAT partition.

D. You cannot encrypt files on either partition.

Correct Answer: A

Question 3

Which of the following statements best describes the consequences of the disaster recovery plan test?

A. The results of the test should be kept secret.

B. If no deficiencies were found during the test, then the test was probably flawed.

C. If no deficiencies were found during the test, then the plan is probably perfect.

D. The plan should not be changed no matter what the results of the test would be.

Correct Answer: B

Question 4

Fill in the blank with the appropriate name.
_____is a list, which specifies the order of volatility of data in a Windows based system.

A. RFC 3227

Correct Answer: A

Question 5

Which of the following is included in a memory dump file?

A. List of loaded drivers

B. Stop message and its parameters

C. Security ID

D. The kernel-mode call stack for the thread that stopped the process from execution

Correct Answer: A,B,D

Question 6

Sarah has created a site on which she publishes a copyrighted material. She is ignorant that she is infringing copyright. Is she guilty under copyright laws?

A. No

B. Yes

Correct Answer: B

Question 7

Mark works as a Network administrator for SecureEnet Inc. His system runs on Mac OS X.
He wants to boot his system from the Network Interface Controller (NIC). Which of the following snag keys will Mark use to perform the required function?

A. D

B. C

C. N

D. Z

Correct Answer: C

Question 8

Which of the following tools are used for footprinting?
Each correct answer represents a complete solution. Choose all that apply.

A. Whois

B. Traceroute

C. Sam spade

D. Brutus

Correct Answer: A,B,C

Question 9

Normally, RAM is used for temporary storage of data. But sometimes RAM data is stored in the hard disk, what is this method called?

A. Volatile memory

B. Virtual memory

C. Cache memory

D. Static memory

Correct Answer: B

Welcome to TestSimulate

GIAC Certified Forensics Analyst (GCFA) Free Practice Test