- (Exam Topic 1)
What does mactime, an essential part of the coroner's toolkit do?

1. A. It traverses the file system and produces a listing of all files based on the modification, access and change timestamps
2. B. It can recover deleted file space and search it for dat
3. C. However, it does not allow the investigator to preview them
4. D. The tools scans for i-node information, which is used by other tools in the tool kit
5. E. It is too specific to the MAC OS and forms a core component of the toolkit

Correct Answer: A

- (Exam Topic 2)
What must be obtained before an investigation is carried out at a location?

1. A. Search warrant
2. B. Subpoena
3. C. Habeas corpus
4. D. Modus operandi

Correct Answer: A

- (Exam Topic 2)
Depending upon the jurisdictional areas, different laws apply to different incidents. Which of the following law is related to fraud and related activity in connection with computers?

1. A. 18 USC §1029
2. B. 18 USC §1030
3. C. 18 USC §1361
4. D. 18 USC §1371

Correct Answer: B

- (Exam Topic 1)
You just passed your ECSA exam and are about to start your first consulting job running security audits for a financial institution in Los Angeles. The IT manager of the company you will be working for tries to see if you remember your ECSA class. He asks about the methodology you will be using to test the company's network. How would you answer?

1. A. Microsoft Methodology
2. B. Google Methodology
3. C. IBM Methodology
4. D. LPT Methodology

Correct Answer: D

- (Exam Topic 4)
Williamson is a forensic investigator. While investigating a case of data breach at a company, he is maintaining a document that records details such as the forensic processes applied on the collected evidence, particulars of people handling It. the dates and times when it Is being handled, and the place of storage of the evidence. What do you call this document?

1. A. Consent form
2. B. Log book
3. C. Authorization form
4. D. Chain of custody

Correct Answer: D