GIAC GCFA Exam Dumps & Practice Test Questions

Question 1:

Which tools are commonly used for footprinting in network security? Select all that apply.

A. Sam Spade
B. Traceroute
C. Whois
D. Brutus

Correct Answers: A, B, C

Explanation:

Footprinting is the initial phase in a cybersecurity assessment where an attacker or security professional collects as much information as possible about a target system or network. This reconnaissance step is crucial because it helps map the target’s environment, identify its weaknesses, and plan further security tests or attacks.

Several tools assist in footprinting by gathering network details, domain ownership information, or tracing the route packets take through a network.

Sam Spade (Option A) is a versatile network utility that combines multiple functions such as DNS lookup, ping, traceroute, and Whois queries. It helps collect IP addresses, domain names, and other metadata, which are vital pieces of information for footprinting. Its multi-tool approach makes it highly valuable for reconnaissance.

Traceroute (Option B) is specifically designed to trace the path that data packets follow from the source computer to a target destination over the internet or an internal network. This tool reveals all the routers and intermediate devices involved, including their IP addresses and possibly their geographic locations. This information allows footprinting professionals to understand the network topology and locate potential points of entry.

Whois (Option C) queries global databases containing domain registration details. When conducting footprinting, Whois is critical because it discloses the registrant’s contact info, domain expiration dates, name servers, and related technical details. This information can be used to identify the entity behind a website or network and find contacts for further social engineering or security testing.

On the other hand, Brutus (Option D) is a password-cracking tool used for brute force attacks on authentication systems. While useful in penetration testing, it is not designed for footprinting, which focuses on gathering passive information rather than attacking credentials.

In summary, footprinting relies on information-gathering tools like Sam Spade, Traceroute, and Whois, making options A, B, and C correct. Brutus is excluded as it serves a different purpose in security testing.

Question 2:

Which types of viruses are capable of infecting the Master Boot Record (MBR) on a hard drive? Select two options.

A. Stealth Virus
B. Boot Sector Virus
C. Multipartite Virus
D. File Virus

Correct Answers: B, C

Explanation:

The Master Boot Record (MBR) is a critical section located at the very beginning of a hard disk. It contains the boot loader responsible for starting the operating system when the computer powers on. Because the MBR is essential for system startup, it becomes a prime target for certain types of viruses that aim to gain control early in the boot process.

Understanding which viruses can infect the MBR helps in identifying and defending against these stealthy and persistent threats.

Boot Sector Viruses (Option B) directly target the boot sector or the MBR itself. They modify the boot loader code, inserting malicious instructions that execute before the operating system even loads. This allows them to evade many traditional antivirus solutions since they activate early in the boot sequence. These viruses can spread via infected removable media or compromised disks and are well-known for infecting the MBR.

Multipartite Viruses (Option C) are hybrid viruses that can infect multiple parts of a system simultaneously, including both the MBR and executable files. Because of their ability to attack the system on several fronts, multipartite viruses are particularly dangerous and harder to remove. They combine boot sector infection techniques with file infection, affecting the system broadly.

Stealth Viruses (Option A) primarily aim to hide their presence by intercepting system calls or manipulating antivirus detection mechanisms but typically do not infect the MBR. Their focus is more on disguising themselves within files or memory, not on boot record infection.

File Viruses (Option D) infect executable files and spread by attaching themselves to programs. They do not target the MBR or boot sector, focusing instead on spreading through application files.

In conclusion, only Boot Sector Viruses and Multipartite Viruses can infect the Master Boot Record directly. They compromise the system at the earliest stage of booting, making Options B and C the correct answers.

Question 3:

Which file system among the following supports security at the individual file level, allowing permissions to be set for users and groups?

A. CDFS
B. FAT
C. FAT32
D. NTFS

Correct Answer: D

Explanation:

File-level security is the capability of a file system to manage and enforce access controls on individual files or directories. This means that the file system allows administrators to specify which users or groups can read, write, or execute a particular file or folder, ensuring that unauthorized access is prevented.

Among the options given, NTFS (New Technology File System) is the only one that inherently supports file-level security through detailed permission settings and Access Control Lists (ACLs). NTFS is the modern file system used primarily in Windows environments and offers robust security features, including encryption, auditing, and permissions management at a granular level.

Option A, CDFS (Compact Disc File System), is designed mainly for optical discs like CDs and DVDs. It focuses on compatibility and file access for media but lacks any file-level security capabilities. CDFS does not support permissions or restrictions on files.

Option B, FAT (File Allocation Table), is an older file system used in early DOS and Windows systems. FAT is simple and widely compatible but does not include any mechanism for setting individual file or folder permissions. All users have equal access to files stored on a FAT volume.

Option C, FAT32, is an enhanced version of FAT that supports larger disk sizes and files but retains the same limitation—it does not support file-level security. FAT32 cannot enforce different permissions for different users or groups.

In contrast, NTFS (option D) allows system administrators to assign precise permissions for files and directories. These permissions control access such as read, write, execute, delete, or modify, and are stored within ACLs. This makes NTFS suitable for business and security-sensitive environments.

Therefore, the only file system among the choices that offers true file-level security is NTFS, making D the correct answer.

Question 4:

What term describes the exclusive rights granted by a government to an inventor or their assignee for a limited time, in return for publicly revealing their invention?

A. Snooping
B. Copyright
C. Utility model
D. Patent

Correct Answer: D

Explanation:

This question deals with the concept of intellectual property rights and how governments protect inventions. The answer focuses on the type of legal protection that gives inventors exclusive rights over their innovations for a certain period, encouraging technological progress while sharing knowledge.

A patent is a legal instrument issued by a government that grants the inventor (or their assignee) exclusive rights to prevent others from making, using, selling, or distributing the invention without permission. This protection typically lasts for 20 years from the filing date. In exchange, the inventor must publicly disclose detailed information about the invention, which allows society to benefit from the knowledge and stimulates further innovation.

Option A, snooping, is unrelated to intellectual property. It refers to unauthorized spying or surveillance and has no connection to legal protections for inventions.

Option B, copyright, protects creative works such as books, music, art, and software code. However, copyright does not apply to inventions or functional ideas. It protects expression rather than concepts or utilitarian designs.

Option C, utility model, is a form of intellectual property similar to a patent but with a shorter protection period (usually 6 to 10 years). It often applies to inventions that might not meet the full criteria for patentability but still have practical utility. Though a type of protection, it is less comprehensive than a patent.

The correct answer is D, patent, because it is the exclusive right granted for inventions for a defined period in exchange for public disclosure. This mechanism incentivizes inventors by offering legal protection and the potential for commercial gain, while contributing to the public knowledge base.

Thus, the correct answer is D.

Question 5:

Which standard defines the sequence for collecting data based on its volatility in a Windows environment?

A. RFC 3227

Correct Answer: A

Explanation:

When performing forensic investigations or incident responses on Windows-based systems, it’s critical to understand the concept of the "order of volatility." This concept refers to the priority or sequence in which data should be collected, starting with the most ephemeral or easily lost data and moving toward more persistent data. Capturing data in the correct order helps preserve evidence and ensures the most valuable information is not overwritten or lost during system shutdowns or operations.

The specification that provides guidelines for this is RFC 3227. This Request for Comments document outlines a systematic approach to evidence collection, emphasizing that volatile data such as system memory, network connections, and running processes should be collected first, as they are highly transient. For example, data residing in RAM or active network sessions may disappear quickly once the system is powered off or restarted, so they must be prioritized.

In Windows systems specifically, following RFC 3227 ensures that investigators collect volatile data like running processes and system caches before capturing less volatile data, such as files on disk or logs stored in persistent storage. The document serves as a foundational standard guiding forensic teams to maximize the integrity and completeness of digital evidence by adhering to an optimal sequence of data acquisition.

Other guidelines or standards do not focus as precisely on this crucial sequence for data collection in volatile environments. Therefore, RFC 3227 is the correct reference for specifying the order of volatility when handling Windows-based system evidence.

Question 6:

John, an employee at a U.S. Internet Service Provider (ISP), discovers child pornography hosted on a website managed by the ISP. Which law requires him to report this immediately to law enforcement?

A. Civil Rights Act of 1991
B. PROTECT Act
C. Civil Rights Act of 1964
D. Sexual Predators Act

Correct Answer: B

Explanation:

The appropriate law governing John’s responsibility to report child pornography discovered on an ISP-hosted site is the PROTECT Act. Officially known as the Prosecutorial Remedies and Other Tools to End the Exploitation of Children Today Act of 2003, the PROTECT Act is a federal statute aimed specifically at combating child exploitation, including child pornography.

Under this Act, any individual who becomes aware of child pornography being distributed or hosted via an online platform—such as an ISP—is legally obligated to report this material to law enforcement authorities immediately. The law is designed to ensure swift action to stop the exploitation and facilitate the prosecution of offenders. Failure to report can result in criminal penalties.

The PROTECT Act strengthens the framework for protecting children by making reporting mandatory for service providers and individuals who discover illegal content on their networks. This legislation reflects the importance of timely intervention in preventing harm to minors and aiding law enforcement investigations.

Other options are unrelated to this specific requirement:

  • The Civil Rights Acts of 1964 and 1991 primarily address discrimination issues in employment, education, and public accommodations, without provisions related to child pornography reporting.

  • The Sexual Predators Act generally concerns the registration and monitoring of convicted sex offenders but does not impose a reporting mandate on ISPs regarding child pornography discovery.

Therefore, John’s immediate reporting aligns with the obligations set forth in the PROTECT Act, making it the correct legal framework for his action.

Question 7:

Which directory in a Linux system contains information related to the hardware configuration?

A. /var
B. /etc
C. /proc
D. /home

Correct Answer: C

Explanation:

Linux organizes its system files and directories with specific purposes, and understanding these helps in locating hardware-related data. Among the options, the directory that contains hardware configuration information is /proc.

Let’s break down each choice:

  • /var is primarily for variable data such as logs, spool files, and temporary files. This directory is dynamic and stores files that change frequently, but it does not hold hardware-related information.

  • /etc is the location of system-wide configuration files. It contains configuration files for software and services (like network settings or filesystem mount points), but it does not directly store hardware state or real-time hardware info.

  • The /proc directory is unique because it is a virtual filesystem that provides real-time access to kernel data structures and system information. It includes numerous pseudo-files representing current hardware details and kernel parameters. For example, /proc/cpuinfo lists CPU details, /proc/meminfo displays memory usage, and /proc/partitions shows disk partition information. This dynamic interface is invaluable for monitoring and interacting with hardware components.

  • /home is dedicated to user data and personal configurations. It contains users’ files and preferences but nothing related to hardware settings.

Therefore, the /proc directory is the correct answer because it acts as a window into the current hardware state and system internals, making it essential for accessing hardware information on a Linux machine.

Question 8:

When setting up a dual-boot system with Windows Me and Windows XP Professional on a single 40GB hard drive, which file system is the best choice for compatibility?

A. NTFS
B. FAT32
C. CDFS
D. FAT

Correct Answer: B

Explanation:

When configuring a dual-boot system involving Windows Me and Windows XP Professional on the same hard disk, selecting the appropriate file system is critical for both operating systems to work harmoniously.

Let’s evaluate the options:

  • NTFS (New Technology File System) is the modern Windows file system offering enhanced security, support for large files, and better stability. While Windows XP supports NTFS fully, Windows Me does not support NTFS natively, meaning Windows Me cannot read or write NTFS partitions. Therefore, NTFS is unsuitable for dual-boot scenarios involving Windows Me.

  • FAT32 (File Allocation Table 32) is widely supported by both Windows Me and Windows XP. FAT32 supports larger partitions and file sizes compared to older FAT systems and allows both OSes to read and write to the same partition without compatibility issues. Given the 40GB disk size, FAT32 comfortably supports the entire disk and allows for shared access, making it the ideal choice.

  • CDFS (Compact Disc File System) is designed specifically for optical media like CDs and DVDs. It cannot be used for hard disk partitions or OS installations, so it’s irrelevant for dual-boot hard disk setups.

  • FAT (usually FAT16) is an older file system with significant limitations on partition size (typically max 2GB or 4GB) and file size. While it’s compatible with both OSes, it’s not practical for a 40GB disk and modern use cases.

In summary, FAT32 is the best choice because it is fully compatible with both Windows Me and Windows XP Professional, enabling a seamless dual-boot configuration on a single 40GB hard drive.

Question 9:

Which of the following file systems are unsuitable for installing an operating system on a hard disk drive? (Select two.)

A. Windows NT File System (NTFS)
B. High Performance File System (HPFS)
C. Log-Structured File System (LFS)
D. Compact Disc File System (CDFS)
E. Novell Storage Services (NSS)

Correct Answers: C, D

Explanation:

When installing an operating system (OS) onto a hard disk drive, the chosen file system must support essential OS functions such as file management, security, and efficient access to system resources. Not all file systems are designed with these requirements in mind. Let’s examine each option in this context.

A, NTFS, is the standard file system for Windows operating systems. It provides robust support for security, file permissions, journaling, and large file sizes, making it fully capable of hosting an OS installation. Hence, NTFS is suitable.

B, HPFS, originally used by IBM's OS/2, supports features like metadata and extended attributes. Although it is older and less commonly used today, HPFS is still capable of supporting OS installation on a hard drive.

C, LFS, is a log-structured file system designed primarily to optimize write operations by sequentially logging changes. While this is efficient for specific applications like certain databases or write-heavy storage, LFS lacks the conventional structure and general-purpose optimization needed for OS installation. It does not support common OS tasks like efficient random file access and system metadata management required during boot and operation.

D, CDFS, is a file system specifically designed for reading data from optical media such as CDs. It is read-only and lacks write support and system-level features necessary for installing and running an OS on a hard disk. Its architecture is unsuitable for OS installation because it cannot manage the dynamic file changes an OS demands.

E, NSS, is a file system used by Novell’s NetWare and Open Enterprise Server environments. It is designed to support networked environments and can host an OS installation in those contexts.

In conclusion, the Log-Structured File System (C) and Compact Disc File System (D) are not designed to handle the requirements of OS installation on a hard disk drive. They lack critical features such as write support, efficient random access, and system metadata management needed for this purpose.

Question 10:

Nathan works as a Computer Hacking Forensic Investigator at SecureEnet Inc. He utilizes Visual TimeAnalyzer software to monitor computer usage by logging into users’ accounts or project folders and generating detailed reports on time spent per application. Which of the following functions are NOT performed by Visual TimeAnalyzer? Select all that apply.

A. Monitoring all user data, including passwords and personal files
B. Allowing parents to control their children’s PC usage
C. Tracking work hours, breaks, projects, costs, software, and internet activity
D. Logging specific keystrokes and capturing screenshots discreetly

Correct Answers: A, D

Explanation:

Visual TimeAnalyzer is a professional monitoring tool designed primarily to record and report how users spend time on various computer activities. It is typically used in workplaces or forensic investigations to track productivity, software usage, and project-related time allocation. However, its capabilities are focused on activity monitoring rather than invasive data capture.

Starting with A, Visual TimeAnalyzer does not monitor sensitive personal data such as passwords or private documents. This level of surveillance would require keylogging or spyware capabilities, which would violate user privacy and legal regulations in many regions. Visual TimeAnalyzer respects privacy boundaries by focusing on application and project usage instead.

Option B refers to parental control features, which are typically part of specialized software designed for home use to restrict or monitor children’s computer activity. Visual TimeAnalyzer is geared toward corporate or forensic environments and does not include parental control functionalities.

C is a core feature of the software. Visual TimeAnalyzer tracks how much time users spend working, taking breaks, which projects they work on, the software applications used, internet activity, and associated costs. This detailed tracking helps organizations analyze productivity and resource allocation.

Finally, D states that Visual TimeAnalyzer logs keystrokes and takes screen captures secretly. This is not within the scope of Visual TimeAnalyzer. Recording keystrokes and screenshots is characteristic of keyloggers or spyware, which have different legal and ethical implications. Visual TimeAnalyzer operates transparently and focuses on application usage rather than covert monitoring.

Therefore, the correct answers are A and D, as these represent activities that Visual TimeAnalyzer does not perform.

