Sample questions
Computer Hacking Forensic Investigator CHFI practice questions
Which TWO of the following are valid reasons for using a hardware write blocker during disk acquisition? (Choose two.)
Trap 1: It compresses the acquired data to save storage space
Compression is a feature of imaging tools, not write blockers.
Trap 2: It increases the speed of data acquisition
Write blockers do not affect transfer speed.
Trap 3: It creates a forensic image of the drive
The write blocker does not create an image; it only prevents writes.
- A
It compresses the acquired data to save storage space
Why wrong: Compression is a feature of imaging tools, not write blockers.
- B
It increases the speed of data acquisition
Why wrong: Write blockers do not affect transfer speed.
- C
It allows the source drive to be connected to a forensic workstation without risking modification
The write blocker presents the drive as read-only to the host system.
- D
It prevents any accidental writes to the source drive
Hardware write blockers physically prevent write commands from reaching the drive.
- E
It creates a forensic image of the drive
Why wrong: The write blocker does not create an image; it only prevents writes.
During a forensic investigation, an analyst needs to acquire the contents of a live server's RAM without altering the evidence. Which tool and technique should the analyst use to minimize the footprint on the system?
Trap 1: Install FTK Imager on the server and capture memory to a network…
Installing FTK Imager writes to the disk, altering the evidence.
Trap 2: Use a remote acquisition tool over SSH to capture memory to a…
Remote tools may cause network traffic and memory changes.
Trap 3: Use the built-in task manager to create a memory dump and save it…
Using task manager writes the dump to disk, potentially overwriting evidence.
- A
Install FTK Imager on the server and capture memory to a network share
Why wrong: Installing FTK Imager writes to the disk, altering the evidence.
- B
Run a trusted version of win32dd.exe from a write-protected USB drive and capture memory to the USB
Running from a write-protected USB minimizes changes; capturing to USB avoids writing to the system drive.
- C
Use a remote acquisition tool over SSH to capture memory to a remote server
Why wrong: Remote tools may cause network traffic and memory changes.
- D
Use the built-in task manager to create a memory dump and save it locally
Why wrong: Using task manager writes the dump to disk, potentially overwriting evidence.
You are a forensic investigator responding to a data breach at a mid-sized company. The company uses a hybrid cloud environment with AWS for production workloads and on-premises servers for legacy applications. The breach was detected when an internal monitoring system flagged unusual outbound traffic from an AWS EC2 instance (i-0a1b2c3d4e5f) to an external IP address (198.51.100.20) on TCP port 4444 during off-hours. The EC2 instance runs a Linux-based web server. The security team has already isolated the instance by removing its security group rules and stopping the instance. You have been provided with the following: (1) AWS CloudTrail logs for the past 72 hours, (2) VPC Flow Logs for the same period, (3) a snapshot of the instance’s root volume (EBS), and (4) the instance metadata log from the AWS console. The company’s incident response policy requires preservation of all volatile data before powering off the instance. Which of the following steps should you take FIRST to ensure a forensically sound investigation?
Trap 1: Acquire a memory dump from the stopped instance by re-attaching the…
Memory is volatile and lost when the instance is stopped; cannot be acquired after power-off.
Trap 2: Review the instance metadata log to identify the user who launched…
Metadata is not disk evidence; disk preservation is higher priority.
Trap 3: Analyze the VPC Flow Logs to determine if other instances…
While useful, this is an analysis step, not the first preservation step.
- A
Acquire a memory dump from the stopped instance by re-attaching the root volume to a forensic workstation.
Why wrong: Memory is volatile and lost when the instance is stopped; cannot be acquired after power-off.
- B
Review the instance metadata log to identify the user who launched the instance.
Why wrong: Metadata is not disk evidence; disk preservation is higher priority.
- C
Create a forensic copy of the EBS snapshot and attach it to a separate analysis EC2 instance in a different AWS account to avoid altering evidence.
The snapshot is the only disk evidence; making a copy in a separate account prevents accidental modification.
- D
Analyze the VPC Flow Logs to determine if other instances communicated with the same external IP.
Why wrong: While useful, this is an analysis step, not the first preservation step.
Which TWO of the following are valid techniques for collecting volatile network evidence from a live system during incident response?
Trap 1: Using route print to view the IP routing table.
Routing table is relatively static and not volatile evidence of current activity.
Trap 2: Using ipconfig /displaydns to view the DNS resolver cache.
DNS cache is not directly network evidence; it's a cached resolution.
Trap 3: Running arp -a to view the ARP table.
ARP table is volatile but not as indicative of active network connections.
- A
Using route print to view the IP routing table.
Why wrong: Routing table is relatively static and not volatile evidence of current activity.
- B
Using ipconfig /displaydns to view the DNS resolver cache.
Why wrong: DNS cache is not directly network evidence; it's a cached resolution.
- C
Running arp -a to view the ARP table.
Why wrong: ARP table is volatile but not as indicative of active network connections.
- D
Running netstat -an to view active TCP/UDP connections.
Active connections are volatile and show current network activity.
- E
Executing tcpdump -i eth0 -w capture.pcap to capture live packets.
Live packet capture is volatile network evidence.
A first responder is responding to a ransomware incident on a Windows server. Which TWO actions should be performed to preserve evidence? (Choose two.)
Trap 1: Run an antivirus scan to remove the ransomware.
Running AV alters the system and may destroy evidence.
Trap 2: Restore the system from backup to minimize downtime.
Restoration destroys the current state and evidence.
Trap 3: Disconnect the network cable immediately.
Disconnecting may lose network evidence; should be done after memory capture.
- A
Run an antivirus scan to remove the ransomware.
Why wrong: Running AV alters the system and may destroy evidence.
- B
Power off the server to prevent further data encryption.
Powering off stops the ransomware and preserves the disk state.
- C
Restore the system from backup to minimize downtime.
Why wrong: Restoration destroys the current state and evidence.
- D
Capture a memory dump using a forensic tool.
Memory contains encryption keys and running processes.
- E
Disconnect the network cable immediately.
Why wrong: Disconnecting may lose network evidence; should be done after memory capture.
Refer to the exhibit. A first responder runs the netstat command on a compromised Windows workstation. Which of the following conclusions is BEST supported by the output?
Exhibit
Refer to the exhibit. C:\Users\Forensic> netstat -ano Active Connections Proto Local Address Foreign Address State PID TCP 192.168.1.10:49152 10.2.3.4:443 ESTABLISHED 1234 TCP 192.168.1.10:49153 192.168.1.1:80 TIME_WAIT 0 TCP 192.168.1.10:49154 10.2.3.4:80 ESTABLISHED 1234 UDP 0.0.0.0:5353 *:* 5678
Trap 1: The connection to 192.168.1.1:80 is suspicious because it is in…
TIME_WAIT is a normal TCP state for closed connections.
Trap 2: The UDP listener on port 5353 indicates a malware infection.
Port 5353 is commonly used by mDNS (Bonjour) and is often benign.
Trap 3: The workstation is running multiple virtual machines based on the…
Only one local IP is shown.
- A
The connection to 192.168.1.1:80 is suspicious because it is in TIME_WAIT state.
Why wrong: TIME_WAIT is a normal TCP state for closed connections.
- B
The UDP listener on port 5353 indicates a malware infection.
Why wrong: Port 5353 is commonly used by mDNS (Bonjour) and is often benign.
- C
A process with PID 1234 is likely communicating with a remote C2 server at 10.2.3.4.
Process 1234 has two established connections to the same remote IP on different ports.
- D
The workstation is running multiple virtual machines based on the local addresses.
Why wrong: Only one local IP is shown.
Refer to the exhibit. The FTK Imager output shows a disk with an NTFS partition. The examiner notes that the $MFT mirror is at cluster 2. What is the logical size of the $MFT mirror in bytes?
Exhibit
Refer to the exhibit. FTK Imager command output: Sector size: 512 Total sectors: 625142448 Partition start: 2048 Partition end: 625139712 Partition type: NTFS (07) Flags: 0x80 (Bootable) File system: NTFS Volume label: EVIDENCE_DRIVE Serial number: 1234-5678 $MFT mirror: cluster 2 $MFT: cluster 0 Clusters per record: 1 Bytes per cluster: 4096
Trap 1: 320 GB
Incorrect: This is the total disk capacity, not the $MFT mirror size.
Trap 2: 512 bytes
Incorrect: 512 bytes is the sector size, not the $MFT mirror size.
Trap 3: 8192 bytes
Incorrect: This would be two clusters, but the output shows clusters per record = 1.
- A
320 GB
Why wrong: Incorrect: This is the total disk capacity, not the $MFT mirror size.
- B
512 bytes
Why wrong: Incorrect: 512 bytes is the sector size, not the $MFT mirror size.
- C
4096 bytes
Correct: The $MFT mirror occupies one cluster (4096 bytes) when clusters per record = 1.
- D
8192 bytes
Why wrong: Incorrect: This would be two clusters, but the output shows clusters per record = 1.
Refer to the exhibit. During a malware investigation, a forensic analyst runs the commands shown. What is the most likely conclusion?
Exhibit
Refer to the exhibit. C:\> tasklist /svc Image Name PID Services ========================= ======== ============================================ svchost.exe 1236 CryptSvc, Dnscache, LmHosts, EventSystem svchost.exe 1344 W32Time, WdiServiceHost svchost.exe 768 BFE, MpsSvc notepad.exe 1456 N/A svchost.exe 524 SessionEnv, TermService, UmRdpService rundll32.exe 1500 N/A C:\> netstat -ano | findstr :4444 TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING 1500 C:\> wmic process where processid=1500 get executablepath ExecutablePath C:\Windows\System32\rundll32.exe
Trap 1: Svchost.exe processes are hosting legitimate Windows services; no…
Svchost.exe hosting many services is normal, but the network connection on port 4444 is suspicious.
Trap 2: The malware has injected code into svchost.exe using a reflective…
No evidence of injection into svchost.exe; the suspicious process is rundll32.exe.
Trap 3: The malware is using port 4444 for Windows Update communications.
Windows Update does not use port 4444; it uses port 80/443.
- A
Svchost.exe processes are hosting legitimate Windows services; no malware is present.
Why wrong: Svchost.exe hosting many services is normal, but the network connection on port 4444 is suspicious.
- B
The malware has injected code into svchost.exe using a reflective DLL injection tool.
Why wrong: No evidence of injection into svchost.exe; the suspicious process is rundll32.exe.
- C
The malware is using port 4444 for Windows Update communications.
Why wrong: Windows Update does not use port 4444; it uses port 80/443.
- D
Rundll32.exe with PID 1500 is likely a backdoor listening on port 4444.
Rundll32.exe typically does not listen on network ports; PID 1500 is listening on a suspicious port, indicating malware.
A forensic investigator is analyzing a Microsoft SQL Server instance that was compromised. The investigator wants to identify all login attempts that failed due to incorrect passwords. Which system function or view should be queried?
Trap 1: sys.dm_exec_sessions
Shows active sessions, not login failures.
Trap 2: sys.dm_tran_locks
Shows lock information, not logins.
Trap 3: sys.dm_exec_requests
Shows current requests, not login history.
- A
sys.dm_exec_sessions
Why wrong: Shows active sessions, not login failures.
- B
sys.dm_tran_locks
Why wrong: Shows lock information, not logins.
- C
xp_readerrorlog with filter for 'Login failed'
Reads SQL Server error log for failed logins.
- D
sys.dm_exec_requests
Why wrong: Shows current requests, not login history.
Which THREE of the following are indicators of malware persistence via registry run keys? (Choose three.)
Trap 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows…
This key stores scheduled tasks, not run key values.
Trap 2: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
This key stores service configurations, not run keys.
- A
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
RunOnce keys execute programs once at next logon, used for persistence.
- B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
Why wrong: This key stores scheduled tasks, not run key values.
- C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This is a standard startup folder registry key used for persistence.
- D
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Why wrong: This key stores service configurations, not run keys.
- E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
RunOnceEx is an extended run key used for installation tasks but also abused by malware.
Which THREE of the following are essential steps in the incident response process as defined by NIST SP 800-61? (Select exactly 3.)
Trap 1: Vulnerability Assessment
Vulnerability assessment is a separate proactive security activity, not a step in incident response.
Trap 2: Penetration Testing
Penetration testing is a proactive assessment, not part of incident response.
- A
Vulnerability Assessment
Why wrong: Vulnerability assessment is a separate proactive security activity, not a step in incident response.
- B
Post-Incident Activity
This phase includes lessons learned and evidence retention.
- C
Preparation
Preparation is the first phase, involving training, tools, and procedures.
- D
Detection and Analysis
This phase involves identifying and analyzing potential incidents.
- E
Penetration Testing
Why wrong: Penetration testing is a proactive assessment, not part of incident response.
During an incident response, a first responder needs to preserve the integrity of evidence. Which action ensures the best chain of custody?
Trap 1: Use a write blocker when acquiring the disk image.
Write blockers prevent modification during acquisition but do not provide an integrity check after.
Trap 2: Document every person who handled the evidence.
Documentation is important but does not verify data integrity.
Trap 3: Place the evidence in an evidence bag and lock it in a secure room.
Physical security does not guarantee data integrity; hashing is needed.
- A
Use a write blocker when acquiring the disk image.
Why wrong: Write blockers prevent modification during acquisition but do not provide an integrity check after.
- B
Compute a SHA-256 hash of the acquired image immediately after collection and record it in the chain of custody form.
Hashing provides a verifiable integrity check.
- C
Document every person who handled the evidence.
Why wrong: Documentation is important but does not verify data integrity.
- D
Place the evidence in an evidence bag and lock it in a secure room.
Why wrong: Physical security does not guarantee data integrity; hashing is needed.
Which TWO of the following are considered essential steps in the computer forensics investigation process according to EC-Council guidelines?
Trap 1: Data recovery from damaged media
This is a specific technique, not a universal step.
Trap 2: Deletion of irrelevant data
Deleting data would destroy evidence.
Trap 3: Public disclosure of findings
Findings are confidential and disclosed only as required.
- A
Identification of potential evidence
Identification is the first step in the forensic process.
- B
Data recovery from damaged media
Why wrong: This is a specific technique, not a universal step.
- C
Deletion of irrelevant data
Why wrong: Deleting data would destroy evidence.
- D
Preservation of the integrity of evidence
Preservation is critical to maintain chain of custody.
- E
Public disclosure of findings
Why wrong: Findings are confidential and disclosed only as required.
During incident response, a first responder discovers a compromised system with signs of an active command-and-control (C2) connection. What is the MOST important immediate action to preserve evidence and prevent further damage?
Trap 1: Create a full disk image before taking any other action.
Imaging is important but should be done after isolating the system to prevent tampering during the imaging process.
Trap 2: Immediately shut down the system to prevent further data…
Shutting down destroys volatile data (RAM, network connections) that may contain critical evidence.
Trap 3: Run a full antivirus scan to remove the malware.
Antivirus scans modify file timestamps and may delete malicious files, destroying evidence.
- A
Create a full disk image before taking any other action.
Why wrong: Imaging is important but should be done after isolating the system to prevent tampering during the imaging process.
- B
Disconnect the network cable to isolate the system from the network.
Disconnecting the network cable stops C2 communication, preserves volatile data, and allows for a controlled forensic acquisition.
- C
Immediately shut down the system to prevent further data exfiltration.
Why wrong: Shutting down destroys volatile data (RAM, network connections) that may contain critical evidence.
- D
Run a full antivirus scan to remove the malware.
Why wrong: Antivirus scans modify file timestamps and may delete malicious files, destroying evidence.
During an incident response, a first responder needs to collect evidence from a Linux server that is still running. The server has sensitive data and cannot be shut down. Which technique is BEST for acquiring a forensic image of the hard disk?
Trap 1: Use dd if=/dev/sda of=/mnt/evidence/image.dd conv=noerror,sync
While noerror,sync is useful for skipping bad sectors, it may alter the image; standard practice is to use dd without such flags.
Trap 2: Use dd if=/dev/mapper/root of=/mnt/evidence/image.dd
/dev/mapper/root captures only a logical volume, not the entire disk.
Trap 3: Use dd if=/dev/sda1 of=/mnt/evidence/image.dd
/dev/sda1 is a partition, not the full disk; missing partition table and other partitions.
- A
Use dd if=/dev/sda of=/mnt/evidence/image.dd conv=noerror,sync
Why wrong: While noerror,sync is useful for skipping bad sectors, it may alter the image; standard practice is to use dd without such flags.
- B
Use dd if=/dev/sda of=/mnt/evidence/image.dd bs=4M
dd copying the entire disk (/dev/sda) creates a complete forensic image.
- C
Use dd if=/dev/mapper/root of=/mnt/evidence/image.dd
Why wrong: /dev/mapper/root captures only a logical volume, not the entire disk.
- D
Use dd if=/dev/sda1 of=/mnt/evidence/image.dd
Why wrong: /dev/sda1 is a partition, not the full disk; missing partition table and other partitions.
Match each forensic tool to its primary purpose.
Drag a concept onto its matching description — or click a concept then click the description.
Acquisition and preview of disk images
Forensic analysis and evidence processing
Memory forensics and analysis
Network packet capture and analysis
Open-source file system analysis
Which of the following is the primary purpose of using a hardware write blocker during disk acquisition?
Trap 1: To decrypt the drive during acquisition
Write blockers do not perform decryption.
Trap 2: To compress the acquired image
Compression is done by software, not hardware write blockers.
Trap 3: To increase the speed of the acquisition
Write blockers do not increase speed.
- A
To decrypt the drive during acquisition
Why wrong: Write blockers do not perform decryption.
- B
To prevent any writes to the original evidence drive
This ensures the integrity of the evidence.
- C
To compress the acquired image
Why wrong: Compression is done by software, not hardware write blockers.
- D
To increase the speed of the acquisition
Why wrong: Write blockers do not increase speed.
Which THREE of the following are recommended practices for maintaining the integrity of digital evidence in a forensics lab?
Trap 1: Perform regular backups of all evidence
Backups are for preservation, not integrity.
Trap 2: Run antivirus scans on evidence before analysis
Antivirus software may modify files.
- A
Maintain a detailed chain of custody log
Documents handling and prevents tampering.
- B
Generate cryptographic hashes of evidence files
Hashes verify that evidence has not been altered.
- C
Use hardware write-blockers during acquisition
Prevents modification of source drive.
- D
Perform regular backups of all evidence
Why wrong: Backups are for preservation, not integrity.
- E
Run antivirus scans on evidence before analysis
Why wrong: Antivirus software may modify files.
A forensic lab is designing a network architecture to ensure the integrity of evidence during acquisition. What is the most critical design consideration?
Trap 1: Deploy multiple forensic workstations to parallelize tasks
Parallelization improves efficiency, not integrity.
Trap 2: Use a segmented network to isolate forensic tools
Segmentation helps but does not directly ensure integrity.
Trap 3: Encrypt all data in transit over the network
Encryption protects confidentiality, not integrity.
- A
Deploy multiple forensic workstations to parallelize tasks
Why wrong: Parallelization improves efficiency, not integrity.
- B
Use a segmented network to isolate forensic tools
Why wrong: Segmentation helps but does not directly ensure integrity.
- C
Encrypt all data in transit over the network
Why wrong: Encryption protects confidentiality, not integrity.
- D
Implement hardware write-blockers on all acquisition stations
Write-blockers prevent any writes to the source drive, ensuring integrity.
You are a forensic analyst in a corporate lab. A compromised server was taken offline and brought to the lab. The server runs Windows Server 2019 with a RAID 5 array of three 1TB SATA drives. The drives are hot-swappable. The server was shut down properly before removal. The lab has a forensic workstation with write-blockers, a hardware RAID controller, and imaging software. The analyst needs to acquire a forensic image of the RAID array. What is the correct course of action?
Trap 1: Send the drives to a vendor for specialized RAID recovery
Outsourcing risks chain of custody and is not necessary.
Trap 2: Image each drive individually using a write-blocker and then…
Individual images lack RAID metadata and cannot be combined correctly.
Trap 3: Connect all drives to the forensic workstation and use a software…
Software RAID may not correctly parse hardware RAID metadata.
- A
Reconstruct the RAID array using the same controller model in the lab, then image the logical volume via a write-blocker
This preserves the logical structure and ensures integrity.
- B
Send the drives to a vendor for specialized RAID recovery
Why wrong: Outsourcing risks chain of custody and is not necessary.
- C
Image each drive individually using a write-blocker and then combine the images in software
Why wrong: Individual images lack RAID metadata and cannot be combined correctly.
- D
Connect all drives to the forensic workstation and use a software RAID tool to assemble the array
Why wrong: Software RAID may not correctly parse hardware RAID metadata.
During a network forensic investigation, you need to capture live network traffic from a switch span port. Which tool would best capture the traffic in a forensically sound manner?
Trap 1: Nmap
Nmap is a port scanner, not a packet capture tool.
Trap 2: Netcat
Netcat is for data transfer, not packet capture.
Trap 3: Tcpdump
Tcpdump can capture but is command-line only; Wireshark is more suitable for forensics.
- A
Nmap
Why wrong: Nmap is a port scanner, not a packet capture tool.
- B
Wireshark
Wireshark captures packets and can save them in standard formats.
- C
Netcat
Why wrong: Netcat is for data transfer, not packet capture.
- D
Tcpdump
Why wrong: Tcpdump can capture but is command-line only; Wireshark is more suitable for forensics.
The command used to acquire a disk image resulted in an I/O error. What is the most likely cause?
Exhibit
Refer to the exhibit. [root@forensics ~]# dc3dd if=/dev/sda of=/evidence/sda.img hash=sha256 log=/evidence/log.txt Output: Fatal error: Input/output error while reading /dev/sda
Trap 1: The output file already exists and is being overwritten
This would not cause an I/O error.
Trap 2: The target directory does not have write permissions
This would cause a permission error.
Trap 3: The target drive is full
A full drive would cause a no space error.
- A
The source disk has bad sectors
Bad sectors cause read errors.
- B
The output file already exists and is being overwritten
Why wrong: This would not cause an I/O error.
- C
The target directory does not have write permissions
Why wrong: This would cause a permission error.
- D
The target drive is full
Why wrong: A full drive would cause a no space error.
An organization uses a cloud-based SIEM to collect logs from multiple sources. The investigator notices gaps in the log data for a critical system during the incident timeframe. What is the MOST likely cause?
Trap 1: Network latency delayed log delivery
Latency delays but does not create gaps.
Trap 2: Log rotation policy deleted logs prematurely
Log rotation may delete old logs but would not cause gaps in the middle of an incident.
Trap 3: The system's log level was set to ERROR only
This would reduce log volume but not create specific gaps.
- A
Network latency delayed log delivery
Why wrong: Latency delays but does not create gaps.
- B
Log rotation policy deleted logs prematurely
Why wrong: Log rotation may delete old logs but would not cause gaps in the middle of an incident.
- C
Time drift between the system and the SIEM
Clock skew can cause logs to appear missing or out of order.
- D
The system's log level was set to ERROR only
Why wrong: This would reduce log volume but not create specific gaps.
A forensic analyst is investigating a network breach and finds that the attacker used a technique that bypasses Network Access Control (NAC). Which of the following methods is commonly used to evade 802.1X authentication?
Trap 1: VLAN hopping using double tagging
VLAN hopping attacks target network segmentation, not authentication.
Trap 2: DNS tunneling to exfiltrate data
DNS tunneling is used for data exfiltration, not bypassing authentication.
Trap 3: ARP poisoning to redirect traffic
ARP poisoning manipulates MAC-IP mappings but does not bypass NAC.
- A
MAC address spoofing
Spoofing the MAC of an authorized device can allow the attacker to authenticate via 802.1X.
- B
VLAN hopping using double tagging
Why wrong: VLAN hopping attacks target network segmentation, not authentication.
- C
DNS tunneling to exfiltrate data
Why wrong: DNS tunneling is used for data exfiltration, not bypassing authentication.
- D
ARP poisoning to redirect traffic
Why wrong: ARP poisoning manipulates MAC-IP mappings but does not bypass NAC.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.