GCED Exam Questions

Total 88 Questions

Last Updated: 16-Dec-2024

Following a Digital Forensics investigation, which of the following should be included in the final forensics report?

A. An executive summary that includes a list of all forensic procedures performed.
B. A summary of the verified facts of the incident and the analyst’s unverified opinions.
C. A summary of the incident and recommended disciplinary actions to apply internally.
D. An executive summary that includes high level descriptions of the overall findings.

Answer: D. An executive summary that includes high level descriptions of the overall findings.

A professional forensic report should include an executive summary, including a description of the incident and the overall findings. The written report needs to be factually accurate and free from speculation or bias, meaning that an analyst’s unverified or unsubstantiated opinions should not be included in the report. Beyond the executive summary, the detailed report should include a description of the data preserved, a detailed explanation of the procedures performed, and a summary of the facts. Disciplinary action, if needed, would be addressed through other channels and not included in the forensic analyst’s report.

An analyst wants to see a grouping of images that may be contained in a pcap file. Which tool natively meets this need?

A. Scapy
B. NetworkMiner
C. TCPReplay
D. Wireshark

Answer: A. Scapy

When identifying malware, what is a key difference between a Worm and a Bot?

A. A Worm gets instructions from an external control channel like an IRC server.
B. A Worm, unlike a Bot, is installed silently as an add-on to a legitimate program.
C. A Bot, unlike a Worm, is frequently spread through email attachments.
D. A Bot gets instructions from an external control channel like an IRC server.

Answer: D. A Bot gets instructions from an external control channel like an IRC server.

The creation of a filesystem timeline is associated with which objective?

A. Forensic analysis
B. First response
C. Access control
D. Incident eradication

Answer: A. Forensic analysis

Of the following pieces of digital evidence, which would be collected FIRST from a live system involved in an incident?

A. Event logs from a central repository
B. Directory listing of system files
C. Media in the CD-ROM drive
D. Swap space and page files

Answer: D. Swap space and page files

Best practices suggest that live response should follow the order of volatility, which means that you collect first the data that is changing most rapidly. The order of volatility is:
1. Memory
2. Swap or page file
3. Network status and current / recent network connections
4. Running processes
5. Open files

What are Browser Helper Objects (BHOs) used for?

A. To provide multi-factor authentication support for Firefox
B. To provide a more feature-rich interface for Internet Explorer
C. To allow Internet Explorer to process multi-part URLs
D. To allow Firefox to process JavaScript in a sandbox

Answer: B. To provide a more feature-rich interface for Internet Explorer

When scanning your system, you may notice many BHOs, since they are widely used by software developers to provide a more feature-rich interface for Microsoft Internet Explorer.

Which Windows CLI tool can identify the command-line options being passed to a program at startup?

A. netstat
B. attrib
C. WMIC
D. Tasklist

Answer: C. WMIC

What is needed to be able to use taskkill to end a process on a remote system?

A. Svchost.exe running on the remote system
B. Domain login credentials
C. Port 445 open
D. Windows 7 or higher on both systems

Answer: B. Domain login credentials

Domain login credentials are needed to kill a process on a remote system using taskkill.

Which could be described as a Threat Vector?

A. A web server left unpatched and vulnerable to XSS
B. A coding error allowing remote code execution
C. A botnet that has infiltrated perimeter defenses
D. A wireless network left open for anonymous use

Answer: A. A web server left unpatched and vulnerable to XSS

A threat vector is the method (for example, a crafted packet) that would be used to exercise a vulnerability (for example, fragmentation to bypass an IDS signature). An unpatched web server that is susceptible to XSS simply describes a vulnerability (unpatched) paired with a specific threat (XSS) and does not touch on the method used to activate the threat. Similarly, the coding error that allows remote code execution simply describes the pairing of a vulnerability with a threat. The botnet is an unspecified threat; there is no indication of how the threat was activated, or of its intention or capabilities (the threat itself).

What would be the output of the following Google search?

filetype:doc inurl:ws_ftp

A. Websites running ws_ftp that allow anonymous logins
B. Documents available on the ws_ftp.com domain
C. Websites hosting the ws_ftp installation program
D. Documents found on sites with ws_ftp in the web address

Answer: D. Documents found on sites with ws_ftp in the web address