[GIAC] GIAC - GCFA Exam Dumps & Study Guide

Free [GIAC] GIAC - GCFA Practice Questions Preview

• Question 1

  Adam, a malicious hacker has successfully gained unauthorized access to the Linux system of
  Umbrella Inc. Web server of the company runs on Apache. He has downloaded sensitive documents and database files from the computer. After performing these malicious tasks, Adam finally runs the following command on the Linux command box before disconnecting. for (( i = 0;i<11;i++ )); do dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=/dev/hda done
  Which of the following actions does Adam want to perform by the above command?
  

  • A. Making a bit stream copy of the entire hard disk for later download.
  • B. Deleting all log files present on the system.
  • C. Wiping the contents of the hard disk with zeros.
  • D. Infecting the hard disk with polymorphic virus strings.

  Correct Answer: C

  Explanation:

  I agree with the suggested answer C. The command sequence provided is a classic destructive anti-forensics technique designed to overwrite the primary storage device multiple times to prevent data recovery.

  Reason

  Option C is correct because the bash loop runs 11 times, executing two dd commands per iteration. The command dd if=/dev/random of=/dev/hda fills the first IDE hard drive (/dev/hda) with random data, while dd if=/dev/zero of=/dev/hda overwrites it again with null bytes (zeros). This multi-pass wiping ensures that the original documents, database files, and system logs are effectively destroyed and cannot be easily recovered by forensic tools.

  Why the other options are not as suitable

  • Option A is incorrect because the of= (output file) parameter points to the hard drive itself, not a remote location or image file; it is overwriting, not copying.
  • Option B is incorrect because while logs will be deleted as a byproduct of wiping the entire disk, the command is far broader than just targeting log files.
  • Option D is incorrect because /dev/random and /dev/zero do not contain viral code; they generate entropy and null characters respectively, which are used for data destruction, not infection.

  Citations

  • https://man7.org/linux/man-pages/man1/dd.1.html
  • https://man7.org/linux/man-pages/man4/random.4.html

• Question 2

  Adam works as a Computer Hacking Forensic Investigator for a garment company in the United States. A project has been assigned to him to investigate a case of a disloyal employee who is suspected of stealing design of the garments, which belongs to the company and selling those garments of the same design under different brand name. Adam investigated that the company does not have any policy related to the copy of design of the garments. He also investigated that the trademark under which the employee is selling the garments is almost identical to the original trademark of the company. On the grounds of which of the following laws can the employee be prosecuted?
  

  • A. Trademark law
  • B. Cyber law
  • C. Copyright law
  • D. Espionage law

  Correct Answer: A

  Explanation:

  I agree with the suggested answer A (Trademark law). The scenario explicitly states that the employee is selling garments under a trademark that is almost identical to the original company's trademark, which constitutes infringement based on consumer confusion.

  Reason

  Trademark law is the correct choice because the most actionable evidence found by the investigator is the use of a nearly identical brand name or logo. Under U.S. law, trademarks protect brand identifiers to prevent likelihood of confusion among consumers. Since the company lacks internal policies regarding design copying, the strongest legal ground for prosecution is the misuse of the company's brand identity.

  Why the other options are not as suitable

  Cyber law is too broad and typically deals with computer-specific crimes like hacking or unauthorized access rather than intellectual property theft in physical commerce. Copyright law generally does not protect the functional design of clothing (garments are considered 'useful articles'), making it difficult to prosecute based on the design alone. Espionage law (such as the Economic Espionage Act) typically requires the theft of trade secrets; however, the prompt notes the company lacks a policy protecting these designs, and the primary evidence provided focuses on the brand/trademark violation rather than secret proprietary processes.

  Citations

  • https://www.uspto.gov/trademarks/basics/what-trademark
  • https://www.copyright.gov/registration/fashion/

• Question 3

  You work as a Network Administrator for Perfect Solutions Inc. You install Windows 98 on a computer. By default, which of the following folders does Windows 98 setup use to keep the registry tools?
  

  • A. $SYSTEMROOT$REGISTRY
  • B. $SYSTEMROOT$WINDOWS
  • C. $SYSTEMROOT$WINDOWSREGISTRY
  • D. $SYSTEMROOT$WINDOWSSYSTEM32

  Correct Answer: B

  Explanation:

  I agree with the chosen answer B. In Windows 9x architectures (including Windows 95, 98, and ME), standard system utilities like the Registry Editor (regedit.exe) are located directly in the C:\Windows directory rather than a specific subfolder.

  Reason

  Option B is correct because Windows 98 setup places the main registry tool, regedit.exe, in the %WINDIR% folder (typically C:\WINDOWS) by default. Other registry-related files like user.dat and system.dat are also found within this root Windows directory or the hidden system attributes of the root.

  Why the other options are not as suitable

  • Option A is incorrect because REGISTRY is not a standard top-level system folder in Windows 98.
  • Option C is incorrect as WINDOWSREGISTRY is not a valid default path for system tools in any Windows version.
  • Option D is incorrect because while SYSTEM32 exists in Windows 98 for compatibility and specific drivers, the registry tools themselves remained in the main WINDOWS directory; the heavy use of System32 for core administrative tools is more characteristic of the Windows NT/2000/XP lineage.

  Citations

  • https://support.microsoft.com/en-us/topic/description-of-the-windows-registry-ss-8354fd4b-6f81-54b2-03d1-02685002df35

• Question 4

  Which of the following tools can be used to perform tasks such as Windows password cracking, Windows enumeration, and VoIP session sniffing?
  

  • A. John the Ripper
  • B. L0phtcrack
  • C. Obiwan
  • D. Cain

  Correct Answer: D

  Explanation:

  I agree with the community consensus that D is the correct answer. Cain & Abel (commonly referred to as Cain) is a multi-purpose security tool specifically designed for Microsoft operating systems that combines credential recovery, network sniffing, and protocol analysis.

  Reason

  Cain is the correct choice because it is a versatile tool capable of all three tasks mentioned: Windows password cracking (via dictionary, brute-force, and cryptanalysis attacks), Windows enumeration (extracting user accounts, shares, and services via SID), and VoIP session sniffing (capturing and recording SIP/RTP traffic to reconstruct conversations).

  Why the other options are not as suitable

  John the Ripper (A) is primarily a command-line password cracker; while highly effective, it does not natively perform VoIP sniffing or network-based Windows enumeration. L0phtcrack (B) is a famous tool for auditing and cracking Windows passwords but lacks the networking and VoIP sniffing capabilities of Cain. Obiwan (C) is a niche tool primarily used for searching for web-based password files and lacks the broader suite of network enumeration and VoIP analysis features.

  Citations

  • https://www.giac.org/certifications/certified-forensic-analyst-gcfa/
  • http://www.oxid.it/cain.html

• Question 5

  Which of the following type of file systems is not supported by Linux kernel?
  

  • A. vFAT
  • B. NTFS
  • C. HFS
  • D. FAT32

  Correct Answer: C

  Explanation:

  I disagree with the chosen answer C (HFS) being the only possible correct answer in a modern context, but it is the intended answer for the GCFA exam based on legacy courseware. While the Linux kernel has long supported HFS and NTFS (via ntfs-3g or the newer ntfs3 driver), this question likely targets older forensic curriculum where HFS+ or APFS (Apple's newer systems) were the primary focus of non-support, or it mistakenly groups HFS as unsupported because it is a proprietary Apple format.

  Reason

  In the context of typical certification materials, C (HFS) is often selected because it is a legacy Apple file system. Although the Linux kernel technically includes a module for HFS (Hierarchical File System), it is often disabled in standard distributions or treated as read-only/unreliable compared to native Linux or FAT-based systems.

  Why the other options are not as suitable

  vFAT (A) is a variant of the FAT file system used to support long filenames and is natively supported by the Linux kernel via the vfat module. NTFS (B) has been supported for years through FUSE (Filesystem in Userspace) and more recently through a high-performance native kernel driver (ntfs3) added in kernel version 5.15. FAT32 (D) is the most universally supported file system across almost all operating systems, including Linux, for cross-platform compatibility.

  Citations

  • https://www.kernel.org/doc/html/latest/filesystems/index.html
  • https://man7.org/linux/man-pages/man8/mount.8.html

• Question 6

  Which of the following modules of OS X kernel (XNU) provides the primary system program interface?
  

  • A. BSD
  • B. LIBKERN
  • C. I/O Toolkit
  • D. Mach

  Correct Answer: A

  Explanation:

  I agree with the suggested answer A (BSD). In the XNU hybrid kernel architecture, while Mach handles low-level primitives, the BSD layer is specifically responsible for providing the primary, POSIX-compliant system programming interface (syscalls) that applications and userspace libraries interact with.

  Reason

  The BSD component of the XNU kernel provides the primary system interface. It implements the POSIX API, process models (PIDs), signals, basic security policies (uids/gids), and the networking stack (sockets). Most standard programming environments on macOS rely on the BSD layer to communicate with the kernel.

  Why the other options are not as suitable

  LIBKERN is a library used within the kernel for C++ support and basic utility functions; it is not a system-facing program interface. The I/O Toolkit (I/O Kit) is the framework designed specifically for device drivers and power management, rather than general system programming. Mach is the microkernel foundation that manages low-level tasks like thread scheduling, IPC, and virtual memory, but its interfaces are considered 'low-level' and are generally abstracted away from the primary system program interface by the BSD layer.

  Citations

  • https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelProgramming/Architecture/Architecture.html

• Question 7

  You work as a Network Administrator for Blue Bell Inc. You want to install Windows XP Professional on your computer, which already has Windows Me installed.
  You want to configure your computer to dual boot between Windows Me and Windows XP Professional. You have a single 40GB hard disk.
  Which of the following file systems will you choose to dual-boot between the two operating systems?
  

  • A. NTFS
  • B. FAT32
  • C. CDFS
  • D. FAT

  Correct Answer: B

  Explanation:

  I agree with the community choice of FAT32. In a dual-boot scenario involving legacy operating systems like Windows Me, the shared or system partition must use a file system that both operating systems can natively read and write. Since Windows Me cannot recognize NTFS, FAT32 is the only viable choice among the options provided for a shared environment.

  Reason

  FAT32 is the correct answer because it is the primary file system for Windows Me and is fully supported by Windows XP Professional. For both operating systems to access data on the same partition or for Windows Me to boot at all, the file system must be compatible with its limitations.

  Why the other options are not as suitable

  NTFS is incorrect because Windows Me (a DOS-based 9x kernel OS) cannot natively read or write to NTFS partitions, which would make the drive inaccessible to one of the operating systems. CDFS is incorrect because it is the Compact Disc File System used for optical media, not for installing operating systems on a hard disk. FAT (specifically FAT16) is incorrect because it has a maximum volume size of 2GB (or 4GB with specific block sizing), which is inefficient and impractical for a 40GB hard disk compared to FAT32.

  Citations

  • https://support.microsoft.com/en-us/topic/description-of-the-fat32-file-system-in-windows-xp-3d3663a1-7788-662f-1a9c-a1f7d468165b
  • https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc938438(v=technet.10

• Question 8

  John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He receives the following e- mail:
  
  The e-mail that John has received is an example of __________.
  

  • A. Virus hoaxes
  • B. Spambots
  • C. Social engineering attacks
  • D. Chain letters

  Correct Answer: D

  Explanation:

  I agree with the suggested answer D. Chain letters. The email explicitly instructs the recipient to forward the message to as many people as possible, promising a reward (money and a Disney trip) once a certain threshold of recipients is reached, which is the textbook definition of a digital chain letter.

  Reason

  D. Chain letters is correct because the core mechanism of the attack is encouraging the victim to propagate the message further. The email uses a false incentive (a free trip to Disney World) to convince users to forward the message, creating a geometric growth in traffic and potential data collection of email addresses.

  Why the other options are not as suitable

  A. Virus hoaxes is incorrect because these specifically warn about a non-existent threat or virus to cause panic or trick users into deleting system files. B. Spambots refers to the automated software used to send bulk messages, whereas the question asks what the received email itself is an example of. C. Social engineering attacks is a broad category that includes chain letters; however, in a professional certification context like the GCFA or CEH, the most specific and accurate term for a message requiring forwarding is a chain letter.

  Citations

  • https://gva.sans.org/resources/glossary.php
  • https://csrc.nist.gov/glossary/term/chain_letter

• Question 9

  Which of the following Acts enacted in United States allows the FBI to issue National Security Letters (NSLs) to Internet service providers (ISPs) ordering them to disclose records about their customers?
  

  • A. Wiretap Act
  • B. Computer Fraud and Abuse Act
  • C. Economic Espionage Act of 1996
  • D. Electronic Communications Privacy Act of 1986

  Correct Answer: D

  Explanation:

  I agree with the community and the suggested answer of D. The Electronic Communications Privacy Act (ECPA) of 1986 is the primary statute that governs how the government can access stored electronic communications and subscriber records, specifically authorizing the use of National Security Letters (NSLs) through 18 U.S.C. § 2709.

  Reason

  Option D is correct because the ECPA (specifically the Stored Communications Act portion) allows the FBI to issue NSLs to wire or electronic communication service providers. These letters function as administrative subpoenas that require providers to turn over non-content information, such as name, address, and length of service, for investigations involving foreign intelligence or counterintelligence.

  Why the other options are not as suitable

  • Option A (Wiretap Act) primarily governs the real-time interception of wire, oral, and electronic communications rather than the issuance of administrative subpoenas for records.
  • Option B (Computer Fraud and Abuse Act) is a criminal statute used to prosecute hacking and unauthorized access to computers.
  • Option C (Economic Espionage Act of 1996) focuses on the theft of trade secrets and industrial espionage, not the procedural mechanisms for the FBI to obtain subscriber records from ISPs.

  Citations

  • https://www.fbi.gov/investigate/civil-rights/legal-authorities
  • https://www.justice.gov/archives/jm/criminal-resource-manual-2001-electronic-communications-privacy-act-1986-ecpa

• Question 10

  TCP FIN scanning is a type of stealth scanning through which the attacker sends a FIN packet to the target port. If the port is closed, the victim assumes that this packet was sent mistakenly by the attacker and sends the RST packet to the attacker. If the port is open, the FIN packet will be ignored and the port will drop the packet. Which of the following operating systems can be easily identified with the help of TCP FIN scanning?
  

  • A. Solaris
  • B. Red Hat
  • C. Knoppix
  • D. Windows

  Correct Answer: D

  Explanation:

  I agree with the suggested answer D (Windows). TCP FIN scanning relies on the target's compliance with RFC 793, which specifies that a closed port should respond with an RST packet and an open port should ignore the packet. However, Windows systems deviate from this standard by sending an RST regardless of whether the port is open or closed, making them easily distinguishable from Unix-based systems.

  Reason

  Windows is correct because its TCP/IP stack implementation does not follow the RFC 793 standard for 'stealth' flags. When a FIN, NULL, or Xmas packet is sent to a Windows machine, it will respond with an RST (Reset) packet even if the port is open. This unique behavior allows scanners like Nmap to perform OS fingerprinting and identify Windows environments quickly.

  Why the other options are not as suitable

  Solaris, Red Hat, and Knoppix are all Unix or Linux-based operating systems. These systems generally follow RFC 793, meaning an open port will silently drop an unsolicited FIN packet without responding. Because they behave as expected under the standard, they cannot be 'easily identified' in the same way Windows can, as the scanner would see the ports as 'open|filtered' rather than receiving a definitive, non-standard response.

  Citations

  • https://nmap.org/book/scan-methods-null-fin-xmas-scan.html
  • https://datatracker.ietf.org/doc/html/rfc793