Computer Hacking Forensic Investigator CHFI (CHFI) — Questions 676750

1000 questions total · 14pages · All types, answers revealed

Page 9

Page 10 of 14

Page 11
676
MCQhard

A forensic analyst is investigating a webshell on an IIS server. The access.log shows: 10.0.0.5, -, 12/Mar/2023:14:22:10 +0000, POST /uploads/cmd.aspx, 200, 0, 1234. Which log entry is most indicative of webshell activity?

A.The use of POST method on an ASPX file
B.The small response size of 1234 bytes
C.The lack of a user-agent in the log
D.The file path '/uploads/cmd.aspx' and the 200 status code
AnswerD

The name 'cmd.aspx' suggests command execution, and the uploads directory is a common webshell location.

Why this answer

A POST request to an ASPX file in an uploads directory returning 200 with a small response size and user-agent is suspicious.

677
MCQmedium

Refer to the exhibit. During a malware investigation, a forensic analyst runs the commands shown. What is the most likely conclusion?

A.Svchost.exe processes are hosting legitimate Windows services; no malware is present.
B.The malware has injected code into svchost.exe using a reflective DLL injection tool.
C.The malware is using port 4444 for Windows Update communications.
D.Rundll32.exe with PID 1500 is likely a backdoor listening on port 4444.
AnswerD

Rundll32.exe typically does not listen on network ports; PID 1500 is listening on a suspicious port, indicating malware.

Why this answer

Option D is correct because the netstat output shows a listening connection on port 4444 associated with PID 1500, which the tasklist command identifies as rundll32.exe. Port 4444 is a common backdoor port (often used by Metasploit or other RATs), and rundll32.exe is a legitimate Windows binary frequently abused by malware to host malicious code (e.g., via DLL sideloading or reflective injection). The combination of an unusual listening port and a process that is not a typical network service (like svchost.exe) strongly indicates a backdoor.

Exam trap

EC-Council often tests the ability to correlate netstat output (port and PID) with tasklist output (PID and process name) to identify suspicious process-port pairs, and the trap here is assuming that svchost.exe is always the culprit when a backdoor is present, when in fact rundll32.exe is a common masquerading host for injected code.

How to eliminate wrong answers

Option A is wrong because svchost.exe processes can host legitimate services, but the exhibit shows no evidence of svchost.exe listening on port 4444; the PID 1500 is rundll32.exe, not svchost.exe. Option B is wrong because while reflective DLL injection into svchost.exe is possible, the netstat output directly ties port 4444 to PID 1500 (rundll32.exe), not to any svchost.exe PID. Option C is wrong because Windows Update does not use port 4444; it uses HTTP (port 80) or HTTPS (port 443) over TCP, and the exhibit shows no svchost.exe process associated with that port.

678
MCQhard

A forensic examiner finds a file on an NTFS volume that appears to have data hidden in its alternate data stream. The file's size is reported as 10 KB, but the volume's cluster size is 4 KB. How many clusters of file slack could potentially contain hidden data in the primary stream?

A.12 KB
B.4 KB
C.2 KB
D.0 KB
AnswerC

The file uses 2 full 4 KB clusters (8 KB) and 2 KB of the third cluster, leaving 2 KB slack.

Why this answer

File slack is the unused space between the end of the file data and the end of the last cluster. A 10 KB file stored in 4 KB clusters occupies 3 clusters (12 KB), leaving 2 KB of slack space (cluster 3 unused portion). However, the question asks specifically about the primary stream's file slack, which is 2 KB.

But note that ADS can also occupy clusters. The answer is 2 KB of slack in the primary stream.

679
MCQhard

During a cloud forensics investigation, an analyst examines AWS CloudTrail logs and finds an event with "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/AdminRole/i-0abcd1234efgh5678"}. What does the 'i-0abcd1234efgh5678' portion most likely represent?

A.The AWS account ID of the role's trusted entity
B.The role's unique identifier assigned by IAM
C.The unique ID of the IAM user who assumed the role
D.The session name, which is typically the EC2 instance ID
AnswerD

EC2 instances use their instance ID as session name when assuming roles.

Why this answer

In CloudTrail, when an EC2 instance assumes a role, the session name is often the instance ID. The 'i-' prefix and alphanumeric string indicate an EC2 instance ID.

680
Multi-Selecthard

During dynamic analysis of a suspected malware sample, an analyst observes the following behaviors: (1) The process creates a service named 'WindowsDefender' that starts automatically. (2) It writes an encrypted payload to the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. (3) It injects code into explorer.exe. (4) It attempts to resolve the domain 'malware-update.com'. (5) It creates a mutex named 'Global\MyMutex'. Which THREE behaviors are indicators of malware persistence? (Select THREE.)

Select 3 answers
A.Injecting code into explorer.exe
B.Writing an encrypted payload to the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C.Creating a mutex named 'Global\MyMutex'
D.Creating a service named 'WindowsDefender' that starts automatically
E.Attempting to resolve the domain 'malware-update.com'
AnswersA, B, D

Code injection into a commonly running process helps maintain persistence.

Why this answer

Injecting code into explorer.exe (option A) is a persistence mechanism because the injected code runs within the context of a trusted system process that starts automatically at user logon. By hijacking explorer.exe, the malware ensures its malicious code executes every time the user logs into the system, surviving a reboot without needing a separate startup entry.

Exam trap

The trap here is that candidates confuse indicators of execution or communication (like mutex creation or DNS resolution) with persistence mechanisms, which specifically ensure the malware re-executes automatically after a reboot or logon.

681
MCQmedium

Which of the following Windows registry keys is commonly used by malware to achieve persistence by executing a program at user logon?

A.HKEY_LOCAL_MACHINE\SAM\SAM
B.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
C.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
D.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
AnswerC

Run keys launch programs at logon.

Why this answer

The Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a common persistence location; it runs the specified program when the user logs in.

682
MCQmedium

During a forensic investigation of a Linux system, you need to determine which commands a user executed in their shell session. Which file would you examine to find this information?

A./var/log/auth.log
B./etc/passwd
C./var/log/syslog
D./home/username/.bash_history
AnswerD

This file contains the command history for the user's bash shell.

Why this answer

The bash_history file in the user's home directory (e.g., /home/username/.bash_history) records commands entered by the user in bash. Note that history may not be complete if the user opened multiple sessions or the file was cleared.

683
MCQmedium

An incident responder is analyzing AWS CloudTrail logs to determine if an unauthorized user accessed an S3 bucket. Which of the following CloudTrail event fields should be examined to identify the IAM user or role that made the API call?

A.sourceIPAddress
B.eventSource
C.requestParameters
D.userIdentity
AnswerD

Contains identity details of the requester.

Why this answer

The userIdentity field contains details about the identity that made the request, including ARN, user name, and type (IAM user, role, etc.).

684
Multi-Selectmedium

An analyst is investigating a potential data breach on an Android device. Which TWO artefacts are MOST useful for determining which third-party apps were installed and used? (Select TWO.)

Select 2 answers
A.Full system dump (dd image)
B.packages.xml file in /data/system/
C.Wi-Fi connection logs
D./data/data/ directory listing
E.SMS database (mmssms.db)
AnswersB, D

This file lists all installed packages (apps) on the device.

Why this answer

The packages.xml file in /data/system/ records all installed packages, including third-party apps, their permissions, and installation metadata. The /data/data/ directory contains per-package subdirectories with application-specific data, confirming actual usage and stored data. Together, these two artefacts provide definitive evidence of which third-party apps were installed and used on the device.

Exam trap

Cisco often tests the misconception that a full system dump (dd image) is the most useful artefact for app analysis, when in reality the structured packages.xml and /data/data/ directory provide more direct and actionable evidence.

685
MCQmedium

A forensic analyst creates a forensic image of a hard drive using the dd command: dd if=/dev/sda of=/evidence/image.dd bs=4096 conv=noerror,sync. What is the purpose of the 'conv=noerror,sync' option?

A.It verifies the hash of the image after creation
B.It synchronizes the output with the input to ensure data integrity
C.It continues on read errors and pads the output with zeros to maintain the same size
D.It enables direct memory access for faster imaging
AnswerC

This is the correct purpose: continue on error and pad with zeros to preserve the image size.

Why this answer

The `conv=noerror,sync` option in the `dd` command instructs the tool to continue processing when a read error is encountered (`noerror`) and to pad the output block with zeros (`sync`) to maintain the same total size as the original drive. This ensures that the forensic image remains a bit-for-bit copy in terms of size, even if physical sectors are unreadable, preserving the integrity of the acquisition process for analysis.

Exam trap

EC-Council often tests the misconception that `sync` means 'synchronize data integrity' or 'flush buffers,' when in fact it specifically pads output with zeros on read errors to maintain block alignment.

How to eliminate wrong answers

Option A is wrong because hash verification is not performed by `conv=noerror,sync`; that would require a separate tool like `sha256sum` or `md5sum` after imaging. Option B is wrong because `sync` in this context pads with zeros on read errors, not synchronizes I/O operations; synchronization of data is handled by the kernel's buffer cache, not this option. Option D is wrong because direct memory access (DMA) is a hardware-level feature not controlled by `dd` options; `dd` uses standard system calls for reading and writing.

686
MCQmedium

A legal hold is issued by an organization's legal department. What is the primary purpose of a legal hold?

A.To notify employees that litigation is pending
B.To authorize law enforcement to seize computers
C.To preserve all relevant data that may be needed for a legal case
D.To encrypt all company data for security
AnswerC

The legal hold ensures that evidence is not destroyed or altered during the pendency of a legal matter.

Why this answer

A legal hold suspends normal document deletion and preservation policies to ensure that relevant electronically stored information (ESI) is retained for potential litigation or investigation.

687
MCQhard

You are investigating a Windows 10 workstation that exhibits slow performance and frequent pop-ups. The user reports that the system started acting strangely after installing a 'PDF Converter' from an email attachment. You suspect malware. You have captured a memory dump using FTK Imager and a network capture during the infection. In the memory dump, you find a suspicious process 'conhost.exe' running from a non-standard location (C:\Users\Public\Temp). The process has an open handle to a file named 'config.ini' in the same directory. The network capture shows periodic HTTPS connections to 'malicious.com' on port 443 from the workstation's IP. Using Volatility, you extract the process's command line: 'conhost.exe -hidden -log C:\Users\Public\Temp\output.log'. Which of the following is the BEST immediate course of action to contain the threat and preserve evidence?

A.Delete the config.ini file and the conhost.exe executable immediately.
B.Restore the system to a previous restore point.
C.Terminate the suspicious conhost.exe process and run a full antivirus scan.
D.Isolate the workstation from the network, then create a forensic image of the hard disk for analysis.
AnswerD

Isolation stops C2 communication and potential lateral movement; imaging preserves evidence for in-depth analysis.

Why this answer

Option D is correct because the primary goal in a malware incident is to contain the threat and preserve evidence for forensic analysis. Isolating the workstation from the network prevents further data exfiltration (e.g., the HTTPS connections to malicious.com) and stops the malware from communicating with its C2 server. Creating a forensic image of the hard disk preserves the full state of the system, including the malicious conhost.exe, config.ini, and output.log files, which are critical for reverse engineering and attribution.

Terminating the process or deleting files before imaging would destroy volatile evidence and potentially trigger anti-forensic mechanisms.

Exam trap

EC-Council often tests the principle that containment and evidence preservation take precedence over immediate remediation, so candidates mistakenly choose to terminate the process or delete files (Option A or C) thinking they are stopping the threat, but this destroys volatile evidence and may trigger anti-forensic behavior.

How to eliminate wrong answers

Option A is wrong because deleting the config.ini file and conhost.exe executable destroys evidence and may trigger anti-forensic routines (e.g., file wiping or self-deletion) that could corrupt the memory dump or hinder analysis. Option B is wrong because restoring to a previous restore point overwrites critical system files and registry keys, destroying evidence of the infection and potentially leaving remnants of the malware in shadow copies or unallocated space. Option C is wrong because terminating the process and running an antivirus scan may alter the system state (e.g., killing the process removes its memory artifacts) and the scan could quarantine or delete malicious files, compromising the forensic integrity of the evidence.

688
MCQhard

A forensic examiner uses Plaso (log2timeline) to create a timeline from a disk image. Which of the following artifacts would NOT be included in the timeline by default using the 'all' parser?

A.Event Log entries (evtx)
B.Registry SAM hive entries
C.Windows Prefetch files
D.Chrome browser history
AnswerB

SAM hive is not included in default Plaso parsing; it must be manually selected.

Why this answer

Plaso includes many parsers (WinReg, Windows Event Log, etc.) but the SAM registry hive (user accounts) is not parsed by default for timeline entries; it requires a specific parser and is not included in the 'all' set.

689
MCQhard

A forensic investigator is preparing to acquire the contents of a live system's RAM. Which of the following tools is specifically designed for this purpose and captures memory without altering the system state?

A.Tableau write blocker
B.EnCase
C.FTK Imager
D.dd
AnswerC

FTK Imager includes a memory capture feature that preserves the system state.

Why this answer

FTK Imager is specifically designed for live memory acquisition on Windows systems, capturing RAM contents via a kernel-level driver (e.g., win32dd or FTK Imager's own memory capture module) that reads physical memory without modifying the system state. It creates a forensic image (e.g., .mem or .raw) while maintaining data integrity through hashing (MD5/SHA1). This makes it the correct choice for acquiring RAM from a live system without altering evidence.

Exam trap

EC-Council often tests the misconception that dd is the universal forensic acquisition tool, but candidates forget that dd lacks built-in integrity verification and can alter system state when reading live memory on Windows, making FTK Imager the safer, purpose-built choice for RAM capture.

How to eliminate wrong answers

Option A is wrong because a Tableau write blocker is a hardware device used to prevent writes to storage media (e.g., hard drives) during acquisition, not for capturing RAM; it cannot access or image volatile memory. Option B is wrong because EnCase is a comprehensive forensic suite that can acquire RAM via its own module (e.g., EnCase Imager), but it is not specifically designed solely for memory capture and often requires additional configuration or licensing; FTK Imager is more lightweight and purpose-built for this task. Option D is wrong because dd is a Unix/Linux command-line tool for bit-for-bit copying of storage devices or memory (e.g., /dev/mem or /dev/pmem), but it can alter system state if not used carefully (e.g., reading /dev/mem may cause crashes on some kernels) and lacks built-in hashing or write-blocking guarantees; it is not specifically designed for forensic memory acquisition on live Windows systems.

690
Multi-Selectmedium

Which TWO of the following are valid justifications for a first responder to power off a computer at a crime scene? (Select TWO)

Select 2 answers
A.To prevent the computer from overheating
B.To save time during the investigation
C.The computer is destroying evidence (e.g., running a data wiping program)
D.The computer is in a hazardous environment (e.g., flooding)
E.The computer is actively being used to commit a crime
AnswersC, D

Powering off can stop the destruction, but ideally capture volatile data first if possible.

Why this answer

Option C is correct because if a computer is actively running a data wiping program (e.g., a tool that overwrites storage sectors with zeros or random data), leaving it powered on will cause the irreversible destruction of potential evidence. A first responder must immediately cut power to halt the wiping process and preserve the remaining data, as volatile memory (RAM) is not the primary concern in this scenario—the non-volatile storage is being actively sanitized.

Exam trap

EC-Council often tests the distinction between 'actively being used to commit a crime' (which requires live acquisition) and 'actively destroying evidence' (which justifies immediate power-off), causing candidates to mistakenly select Option E as a valid justification.

691
MCQhard

A forensics examiner finds a suspicious entry in the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to a PowerShell command. Which persistence mechanism does this represent, and what is the MOST likely impact?

A.Registry run key persistence; the command executes each time the user logs in.
B.Service persistence; the malware runs as a system service.
C.Scheduled task persistence; the command runs at a scheduled time.
D.Bootkit persistence; the malware loads before the OS.
AnswerA

Run keys run programs at user logon, providing persistence.

Why this answer

The Run key is a common persistence mechanism that executes programs at user logon. A PowerShell command here could execute malicious code each time the user logs in.

692
Multi-Selectmedium

Which TWO of the following are valid techniques for acquiring RAM in a Windows system?

Select 2 answers
A.WinPmem
B.Sleuth Kit
C.LiME
D.dd
E.FTK Imager
AnswersA, E

WinPmem is a memory acquisition tool for Windows.

Why this answer

WinPmem and FTK Imager are both capable of acquiring RAM on Windows systems. LiME is for Linux.

693
MCQmedium

During a malware analysis, a suspicious executable is detected. The analyst runs `strings` on the binary and finds references to `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and a URL `http://evil.com/beacon`. What does this indicate?

A.The malware is a file infector that modifies system binaries
B.The malware uses a mutex for synchronization
C.The malware establishes persistence and communicates with a remote server
D.The malware performs privilege escalation via a known vulnerability
AnswerC

Registry Run key for persistence; URL for C2.

Why this answer

The presence of a registry key reference to `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` indicates the malware is configured to launch automatically at system startup, establishing persistence. The embedded URL `http://evil.com/beacon` suggests the malware will make outbound HTTP requests to a remote command-and-control (C2) server for beaconing or data exfiltration. Together, these artifacts confirm persistence and remote communication, making option C correct.

Exam trap

EC-Council often tests the distinction between persistence mechanisms (like registry Run keys) and other malware behaviors (like file infection or privilege escalation), so candidates mistakenly associate any registry reference with file infection or confuse a URL with an exploit payload.

How to eliminate wrong answers

Option A is wrong because a file infector modifies system binaries (e.g., .exe or .dll files) to inject malicious code, but the `strings` output shows no evidence of file modification or infection routines—only a registry run key and a URL. Option B is wrong because a mutex is a synchronization object used to prevent multiple instances of malware from running, and no mutex name or reference is present in the provided strings; the artifacts shown are purely persistence and network indicators. Option D is wrong because privilege escalation exploits target vulnerabilities (e.g., CVE-XXXX) to gain higher access, but the strings reveal no exploit code, DLL injection paths, or UAC bypass techniques—only a registry autorun key and a beacon URL.

694
MCQeasy

In Linux forensics, which file contains information about user account passwords in hashed form?

A./etc/passwd
B./etc/shadow
C./etc/group
D./var/log/auth.log
AnswerB

/etc/shadow contains hashed passwords and password policy information.

Why this answer

The /etc/shadow file stores password hashes (in modern Linux systems). It is readable only by root.

695
MCQeasy

According to Locard's exchange principle, which of the following is TRUE in a digital forensic context?

A.A suspect will always leave traces of their activity on a computer system.
B.Only physical evidence, not digital evidence, is subject to exchange.
C.Digital evidence is always volatile and cannot be preserved.
D.The absence of evidence proves the suspect is innocent.
AnswerA

Locard's principle implies that digital interactions leave residual data that can be recovered.

Why this answer

Locard's principle states that every contact leaves a trace. In digital forensics, this means that when a suspect interacts with a system, digital traces (e.g., logs, files) are left behind.

696
MCQmedium

An analyst is analyzing a disk image and finds a 512-byte sector at LBA 0 that contains a bootloader and a partition table. The partition table has four entries, each 16 bytes. What type of partition table is this?

A.Apple Partition Map
B.MBR
C.GPT
D.BSD disklabel
AnswerB

MBR has exactly this structure: boot code, 64-byte partition table, and signature.

Why this answer

The MBR (Master Boot Record) uses a 512-byte sector at LBA 0, with the first 446 bytes for boot code, a 64-byte partition table (4 entries of 16 bytes each), and a 2-byte signature (0x55AA). This description matches MBR exactly.

697
Multi-Selecthard

A forensic examiner has acquired a disk image using FTK Imager and needs to ensure the image is an exact duplicate of the original drive. Which THREE of the following methods can be used to verify integrity? (Select THREE)

Select 3 answers
A.Compute the SHA-256 hash of the image and compare it to the original drive's hash
B.Compute the MD5 hash of the image and compare it to the original drive's MD5 hash
C.Verify the cyclical redundancy check (CRC-32) of the image file
D.Use the 'verify' function within FTK Imager which automatically computes and compares hashes
E.Check the file size of the image matches the original drive's capacity
AnswersA, B, D

SHA-256 is a strong hash function and is recommended for forensic integrity verification.

Why this answer

Option A is correct because SHA-256 is a cryptographic hash function that produces a unique 256-bit digest. By computing the SHA-256 hash of the acquired image and comparing it to the hash computed from the original drive, the examiner can verify bit-for-bit integrity with extremely high collision resistance, ensuring the image is an exact duplicate.

Exam trap

EC-Council often tests the distinction between error-detection codes (CRC-32) and cryptographic hash functions (SHA-256, MD5), leading candidates to mistakenly select CRC-32 as a valid integrity verification method for forensic images.

698
MCQmedium

A forensic analyst is examining an Android device and wants to recover Google account artefacts, such as the last sync timestamp and cached email addresses. Where on the device (in /data/data/) would these artefacts MOST likely be stored?

A.com.google.android.gms
B.com.android.providers.telephony
C.com.android.providers.contacts
D.com.android.settings
AnswerA

Google Play Services (gms) manages account sync and stores related artefacts.

Why this answer

The Google account artefacts, including the last sync timestamp and cached email addresses, are stored within the package 'com.google.android.gms' (Google Play Services). This package manages authentication tokens, sync settings, and account metadata in its databases (e.g., 'accounts.db' or 'gms_credentials.db') under /data/data/com.google.android.gms/databases/. The last sync timestamp is typically recorded in the 'sync_state' table, while cached email addresses appear in the 'accounts' table.

Exam trap

EC-Council often tests the misconception that account-related artefacts are stored in the Contacts or Telephony providers, but the correct location is the Google Play Services package because it centrally manages authentication and sync for all Google services.

How to eliminate wrong answers

Option B is wrong because 'com.android.providers.telephony' handles SMS/MMS and carrier-related data (e.g., APN settings), not Google account sync artefacts. Option C is wrong because 'com.android.providers.contacts' stores contact data (names, phone numbers) from various sources, but it does not hold Google account metadata like sync timestamps or cached email addresses; those are managed by Google Play Services. Option D is wrong because 'com.android.settings' contains system settings UI data and preferences, not the underlying Google account authentication or sync state databases.

699
MCQmedium

During a Windows forensic analysis, you find a suspicious LNK file in a user's Recent folder. Which of the following is NOT typically retrievable from an LNK file?

A.Username of the user who created the LNK file
B.Target file creation timestamp
C.Volume serial number of the target drive
D.Target file path
AnswerA

LNK files do not store the username; they store machine and volume, but not user identity.

Why this answer

LNK (shortcut) files store metadata including creation/modification timestamps, target path, volume serial, and network share information, but they do not include the username of the user who accessed it.

700
MCQeasy

In email forensics, which artifact is stored in Outlook's Personal Folders (.pst) files and can be analyzed using tools like Aid4Mail or EmailTracker?

A.Only the email body text
B.Emails and attachments only
C.Email headers only
D.Emails, attachments, calendars, contacts, and other mailbox items
AnswerD

.pst files are comprehensive mailbox archives.

Why this answer

.pst files contain emails, attachments, calendars, contacts, and other mailbox items for offline access. Aid4Mail can parse these files for forensic analysis.

701
MCQhard

During a cloud forensic investigation, an analyst discovers that an AWS EC2 instance was used to launch an attack. The instance has been terminated. Which source is MOST likely to contain evidence of the commands executed on the instance?

A.VPC Flow Logs
B.EC2 instance metadata
C.AWS Systems Manager Agent logs
D.AWS CloudTrail logs
AnswerC

SSM Agent can log Run Command execution details, which may persist if configured to send to CloudWatch or S3.

Why this answer

AWS CloudTrail records API calls for EC2 instance management but not OS-level commands. VPC Flow Logs capture network traffic. EC2 instance metadata is about the instance configuration.

AWS Systems Manager Agent (SSM Agent) can log commands executed via AWS Systems Manager, including Run Command, which can capture command history even after instance termination if logs were sent to CloudWatch.

702
MCQeasy

Under the US Fourth Amendment, when is a warrant generally NOT required for a computer search and seizure?

A.When the evidence is stored in the cloud
B.When the computer is owned by a corporation
C.When the investigation involves a civil case
D.When the suspect has given consent
AnswerD

Consent is a valid exception to the warrant requirement, provided it is voluntary and informed.

Why this answer

Under the Fourth Amendment, a warrant is generally required for searches and seizures, but one well-established exception is voluntary consent. When a suspect freely and knowingly agrees to a search of their computer or digital device, law enforcement may proceed without a warrant, provided the consent is not coerced and the scope of the search is not exceeded. This principle applies regardless of whether the data is stored locally or remotely, as long as the consenting party has actual or apparent authority over the device or data.

Exam trap

EC-Council often tests the misconception that the Fourth Amendment does not apply to corporate-owned devices or cloud data, but the trap here is that consent is a specific, well-recognized exception that overrides the warrant requirement, whereas the other options describe scenarios where a warrant is still generally required unless another exception applies.

How to eliminate wrong answers

Option A is wrong because the Fourth Amendment generally requires a warrant for cloud-stored data, as the user retains a reasonable expectation of privacy in data held by a third-party provider under the Stored Communications Act (18 U.S.C. § 2703), unless an exception like consent or exigent circumstances applies. Option B is wrong because corporate ownership does not automatically waive Fourth Amendment protections; while business records may have reduced privacy expectations, a warrant is still required for a search unless an exception such as consent from an authorized corporate officer or the plain view doctrine is present. Option C is wrong because the Fourth Amendment applies to government searches in both criminal and civil cases; in civil investigations, a warrant or a valid exception (e.g., consent, subpoena) is still required, and the absence of criminal charges does not eliminate the need for a warrant.

703
MCQmedium

Which hashing algorithm is commonly used in forensic imaging to verify the integrity of evidence and is considered more secure than MD5?

A.SHA-256
B.SHA-1
C.CRC32
D.MD5
AnswerA

SHA-256 is part of the SHA-2 family and is currently considered secure.

Why this answer

SHA-256 is the correct answer because it is a widely adopted cryptographic hash function in forensic imaging tools (e.g., FTK Imager, EnCase) to verify evidence integrity. It produces a 256-bit (32-byte) hash value and is considered collision-resistant, making it significantly more secure than MD5, which has known collision vulnerabilities.

Exam trap

EC-Council often tests the misconception that SHA-1 is still acceptable for forensic integrity checks because it was once the standard, but the trap is that SHA-1 is now deprecated due to practical collision attacks, while SHA-256 is the current recommended minimum.

How to eliminate wrong answers

Option B is wrong because SHA-1 produces a 160-bit hash and has been deprecated by NIST since 2011 due to demonstrated collision attacks (e.g., SHAttered). Option C is wrong because CRC32 is a cyclic redundancy check designed for error detection in data transmission, not a cryptographic hash, and it is easily reversible and collision-prone. Option D is wrong because MD5 is a 128-bit hash that is cryptographically broken; collisions can be generated in seconds using tools like hashclash, making it unsuitable for forensic integrity verification.

704
MCQhard

A forensic analyst finds an LNK file on a Windows system pointing to a script located in a temporary folder. The LNK file's timestamps show creation time after the script's known execution time. What does this discrepancy likely indicate?

A.The system clock was changed
B.The file system is corrupted
C.The LNK file was planted by an attacker to mislead timeline analysis
D.The script was executed normally
AnswerC

An attacker may create a backdated or post-dated LNK to confuse forensic timelines.

Why this answer

LNK files are created when a file is accessed through certain methods; if the LNK creation time is after execution, it may have been created manually or by malware to hide evidence.

705
Multi-Selecteasy

A forensic analyst reviews a Windows system for signs of malware persistence. Which TWO registry locations are commonly used to achieve persistence via auto-start programs?

Select 2 answers
A.HKLM\SAM\SAM\Domains\Account\Users
B.HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
C.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
D.HKLM\SYSTEM\CurrentControlSet\Services
E.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AnswersC, E

This registry key automatically launches programs for all users at logon.

Why this answer

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run are standard auto-start locations for all users and current user respectively. RunOnce keys execute once and are also used. But the most common are Run keys.

706
Multi-Selecteasy

A forensic analyst is examining a Docker container image for malware. Which TWO techniques can help analyze the image layers?

Select 2 answers
A.Use 'docker history' to view the build history of the image
B.Use 'docker images' to list all images
C.Use 'docker inspect' to view the image metadata
D.Use 'docker save' to export the image as a tar file and extract layers
E.Use 'docker export' on a running container
AnswersA, D

Shows each layer and the command that created it.

Why this answer

'docker history' shows the build commands and layers, which helps identify suspicious steps. 'docker export' exports the container filesystem but not layers individually. 'docker save' saves the image as a tar, allowing layer extraction. 'docker inspect' shows metadata only. 'docker images' lists images.

707
MCQmedium

A security analyst observes multiple Event ID 4625 logon failures for a single user account within a short time frame, followed by Event ID 4624 logon success. Which attack technique is MOST likely indicated?

A.Kerberos golden ticket attack
B.SQL injection attack on the authentication database
C.Brute-force or password spraying attack
D.Pass-the-hash attack
AnswerC

Multiple failed logins (4625) followed by a success (4624) is classic brute-force or password spraying behavior.

Why this answer

Event ID 4625 indicates failed logon attempts, and a series of these followed by a success (4624) is characteristic of a brute-force or password spraying attack where the attacker eventually guesses the correct password.

708
MCQhard

During dynamic analysis of a suspicious executable in Cuckoo Sandbox, the report shows that the process created a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named 'WindowsUpdate' and dropped a file 'svchost.exe' in %AppData%. Which conclusion is MOST consistent with these indicators?

A.The executable is cleaning up after itself by deleting temporary files
B.The executable is a dropper that installs a rootkit
C.The executable is a legitimate Windows update component
D.The executable is attempting to establish persistence via a Run key and masquerading as a system process
AnswerD

Run key persistence and masquerading as svchost.exe indicates malware.

Why this answer

The creation of a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a classic persistence mechanism that causes the executable to launch automatically at user logon. Dropping a file named 'svchost.exe' in %AppData% is a common masquerading technique, as the legitimate svchost.exe (Service Host) resides in C:\Windows\System32, not in the user's AppData folder. Together, these actions indicate the executable is establishing persistence and disguising itself as a trusted system process.

Exam trap

EC-Council often tests the distinction between persistence mechanisms and other malware behaviors, and the trap here is that candidates may confuse a dropper with a rootkit or assume any file named 'svchost.exe' is legitimate, ignoring the abnormal file path.

How to eliminate wrong answers

Option A is wrong because creating a Run key and dropping a file are actions that establish persistence, not cleanup; deleting temporary files would involve removing artifacts, not adding them. Option B is wrong because while the executable is a dropper (it drops a file), there is no evidence of a rootkit—rootkits typically hide processes or files via kernel-level hooks, not by simply adding a Run key and a masqueraded executable. Option C is wrong because legitimate Windows Update components do not write themselves to HKCU\Run or drop svchost.exe in %AppData%; Windows Update uses trusted system paths like C:\Windows\System32 and is managed by Windows Update service, not user-level Run keys.

709
Multi-Selectmedium

A mobile forensic examiner is analyzing an Android device that has been factory reset. Which TWO of the following artefacts are MOST likely to still be recoverable after a factory reset? (Select TWO)

Select 2 answers
A.SMS messages
B.Deleted applications' data
C.Call logs
D.Google account tokens
E.Photos stored in internal storage
AnswersA, D

SMS messages are stored in SQLite databases that may leave remnants in unallocated space.

Why this answer

SMS messages (A) are stored in the Android internal database file `/data/data/com.android.providers.telephony/databases/mmssms.db`. A factory reset typically only marks the database file's storage blocks as free in the ext4 filesystem without performing a secure wipe, leaving the raw data recoverable via forensic tools like Cellebrite or Oxygen Forensic until overwritten. Google account tokens (D) are stored in the AccountManager service's SQLite database under `/data/system/users/0/accounts.db` and in the `authtoken` table; even after a factory reset, the underlying NAND flash memory may retain these tokens due to wear-leveling and garbage collection delays, allowing recovery with chip-off or JTAG techniques.

Exam trap

Cisco often tests the misconception that a factory reset securely erases all data, but the trap here is that the reset only performs a logical deletion and filesystem-level wipe, not a secure overwrite, so residual data like SMS and authentication tokens can persist in unallocated space or NAND flash cells.

710
MCQeasy

Which tool is specifically designed to extract and analyze email metadata, including headers, from various email client formats such as PST and OST files?

A.Wireshark
B.EmailTracker
C.Aid4Mail
D.FTK Imager
AnswerC

Aid4Mail is a forensic email extraction tool that supports PST, OST, MBOX, and many other formats, allowing metadata analysis.

Why this answer

Aid4Mail is a commercial forensic tool that can extract emails and metadata from PST, OST, MBOX, and other formats. EmailTracker is primarily for tracking email delivery, not forensic analysis of client files.

711
MCQmedium

An analyst reviews an Apache access log entry: '192.168.1.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'. Which attack does this log entry most likely indicate?

A.SQL injection (SQLi) attack
B.Cross-site scripting (XSS) attack
C.Path traversal attack
D.Remote file inclusion (RFI) attack
AnswerA

The payload includes SQL logical operators and quotes, indicating a SQL injection attempt.

Why this answer

The URL-encoded payload contains SQL injection syntax (%27 is a single quote), attempting to inject an OR condition. This is indicative of a SQL injection attempt.

712
MCQmedium

In an AWS environment, a security analyst detects unusual API calls that created several IAM users with administrative privileges from an unfamiliar IP address. Which AWS service log should be examined first to identify the specific API calls and the IAM user that made them?

A.Amazon S3 access logs
B.AWS CloudWatch Logs
C.AWS CloudTrail
D.AWS Config
AnswerC

CloudTrail logs all AWS API calls, making it the primary source for investigating API activity.

Why this answer

AWS CloudTrail records all API calls made to the AWS environment, including IAM user creation. It provides details like the source IP, user identity, and the specific API action.

713
MCQmedium

In an investigation of a Windows system, the analyst uses Volatility's 'netscan' plugin and identifies a suspicious outbound connection to an IP address on port 4444. Which of the following is the most likely associated malicious activity?

A.Reverse shell connection from a backdoor
B.DNS tunneling exfiltration
C.HTTP data exfiltration
D.Remote desktop session
AnswerA

Correct: Port 4444 is a common reverse shell port.

Why this answer

Port 4444 is commonly used by reverse shells (e.g., Metasploit default) and indicates a potential command and control session.

714
MCQeasy

You are a forensic analyst investigating a Windows workstation that shows signs of malware infection. The user reports that the system is slow, network activity is high, and several files have been encrypted with a .encrypted extension. A ransom note named README.txt has been left on the desktop demanding payment. You have acquired a memory dump using FTK Imager and a disk image using dd. You need to identify the malware family and gather indicators of compromise (IOCs). Which of the following is the MOST appropriate first step?

A.Extract the ransom note and search for known ransomware identifiers such as Bitcoin wallet addresses or contact email.
B.Run the malware sample in a sandbox environment to observe its behavior.
C.Perform static analysis of the encrypted files to determine the encryption algorithm used.
D.Immediately disconnect the system from the network and power it off to preserve evidence.
AnswerA

Ransom notes often contain unique identifiers that link to specific ransomware families, enabling quick identification.

Why this answer

Option A is correct because the ransom note (README.txt) is a primary source of ransomware identifiers such as Bitcoin wallet addresses, contact emails, or Tor payment site URLs. Extracting these IOCs from the note allows you to quickly cross-reference known ransomware families (e.g., Ryuk, Maze, LockBit) via threat intelligence feeds, which is the most efficient first step in malware forensics before deeper analysis.

Exam trap

EC-Council often tests the principle of 'triage before deep analysis'—candidates mistakenly choose sandboxing (B) or static analysis (C) first, but the exam expects you to start with the most accessible, high-value IOC source (the ransom note) to quickly identify the malware family.

How to eliminate wrong answers

Option B is wrong because running the malware sample in a sandbox is premature; you must first identify the malware family and IOCs from the ransom note to safely handle the sample and avoid accidental encryption or network propagation. Option C is wrong because static analysis of encrypted files to determine the encryption algorithm is resource-intensive and often inconclusive without the encryption key; the ransom note provides faster, actionable intelligence. Option D is wrong because immediately disconnecting and powering off the system may destroy volatile evidence (e.g., network connections, running processes) and is not the first step—preservation should follow initial IOC collection.

715
MCQhard

During memory analysis, an examiner uses the Volatility 'malfind' plugin and discovers a process with executable code in an executable heap. Which technique is most likely being used by malware to avoid detection?

A.Process hollowing
B.DLL injection
C.Heap spraying
D.Reflective DLL loading
AnswerC

Heap spraying fills the heap with executable code to exploit vulnerabilities; malfind can detect it.

Why this answer

Executable heap is a sign of code injection; malware may allocate memory with execute permissions and inject shellcode.

716
MCQmedium

During malware analysis, an investigator finds that a suspicious process is injecting code into a legitimate system process (e.g., explorer.exe). Which technique is being used?

A.API hooking
B.Process hollowing
C.Code injection
D.DLL injection
AnswerC

Code injection is the technique of inserting code into a running process.

Why this answer

Code injection is the correct answer because the scenario describes a process injecting arbitrary code into a legitimate system process like explorer.exe. This is the generic term for techniques where malicious code is written into the address space of another process and executed, often via Windows API calls such as WriteProcessMemory and CreateRemoteThread. The question explicitly states 'injecting code,' which directly maps to the broad category of code injection, not a specific subtype.

Exam trap

Cisco often tests the distinction between generic code injection and its specific subtypes (like DLL injection or process hollowing), trapping candidates who choose a narrower term when the question uses the broad phrase 'injecting code' without specifying the delivery mechanism.

How to eliminate wrong answers

Option A is wrong because API hooking intercepts and modifies function calls within a process (e.g., using SetWindowsHookEx or Detours), but it does not involve injecting new code into a separate process's memory space; it redirects existing calls. Option B is wrong because process hollowing replaces the legitimate code of a process (e.g., suspending explorer.exe, unmapping its original code, and writing malicious code into the same process) rather than injecting code into an already-running legitimate process; it creates a hollowed process from the start. Option D is wrong because DLL injection is a specific subtype of code injection that loads a DLL into a target process (using LoadLibrary or reflective loading), but the question does not specify that a DLL is involved—it only mentions 'injecting code,' which could be shellcode or other executable code, making the broader term 'code injection' more accurate.

717
MCQmedium

You are a forensic analyst investigating a suspected malware infection on a Windows 10 workstation. The user reports that the system has been slow and that unexpected pop-ups appear. You have acquired a memory dump and a disk image. During analysis, you find a suspicious process named 'svch0st.exe' running with PID 4567. The process has loaded several DLLs, including 'wininet.dll' and 'ws2_32.dll'. You also find that the process has an active TCP connection to an external IP address 203.0.113.5 on port 4444. In the disk image, you find an executable file at C:\Users\Public\svch0st.exe with a creation date that matches the start of symptoms. The file's hash is not in any known malware database. You decide to perform dynamic analysis by running the file in a sandbox. However, the sandbox environment has no network connectivity. The executable runs but does not exhibit any malicious behavior. What should you do next to determine if the file is malicious?

A.Conduct a thorough static analysis using a disassembler and debugger to understand the code
B.Delete the suspicious file and run a full antivirus scan on the system
C.Re-run the sample in a sandbox with simulated network connectivity or a controlled network to observe C2 communication
D.Perform a forensic imaging of the system again and compare with the original image
AnswerC

Network connectivity may be required for the malware to activate its malicious payload.

Why this answer

Option C is correct because the sandbox lacked network connectivity, which prevented the malware from reaching its command-and-control (C2) server. Many malware samples, especially those using HTTP or raw TCP for C2, will remain dormant or exhibit no malicious behavior when they cannot connect to the external IP. By providing simulated or controlled network connectivity, you can trigger the malicious payload and observe the actual C2 communication, confirming the file's intent.

Exam trap

Cisco often tests the misconception that static analysis is always sufficient to determine maliciousness, but the trap here is that malware can be conditionally dormant and only activate when network connectivity is present, making dynamic analysis with network simulation essential.

How to eliminate wrong answers

Option A is wrong because static analysis alone cannot reliably determine if the file is malicious when it has no known hash and the sample is designed to only activate upon network connectivity; static analysis may miss obfuscated or conditionally executed code. Option B is wrong because deleting the file and running an antivirus scan is a reactive, non-analytical step that destroys evidence and does not answer whether the file is malicious; the file's hash is unknown, so antivirus may not detect it. Option D is wrong because performing another forensic imaging and comparing it to the original image would only show changes on disk, not reveal the runtime behavior or network-dependent activation of the malware; it is a redundant step that does not address the core question of whether the file is malicious.

718
MCQmedium

An investigator is using Autopsy to analyze a disk image from a suspected hacker's computer. They want to recover deleted JPEG images that may have been stored in unallocated clusters. Which Autopsy feature is best suited for this task?

A.File Type Sorting
B.Hash Set Analysis
C.Timeline Analysis
D.Keyword Search
AnswerA

Autopsy includes a file carving module that can recover files by type from unallocated space.

Why this answer

Autopsy's 'File Recovery by Type' module (also known as 'PhotoRec Carver' or 'File Carving') can recover files based on their headers/footers, such as JPEG magic bytes.

719
MCQhard

A security analyst suspects an attacker has hidden data in the Host Protected Area (HPA) of a suspect's hard drive. Which of the following tools is BEST suited to detect and access the HPA?

A.Foremost
B.EnCase
C.WinPmem
D.PhotoRec
AnswerB

EnCase can acquire and analyze HPA/DCO regions.

Why this answer

EnCase Forensic can image the entire disk including HPA and DCO, and is commonly used to detect hidden areas.

720
MCQhard

A forensic investigator examining a compromised Linux server finds a base64-encoded string in the Apache access log: 'GET /cgi-bin/test.cgi?cmd=ZWNobyAiPD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/PiI+...' After decoding, the string contains a PHP webshell. Which of the following is the MOST effective method to confirm the webshell was executed on the server?

A.Perform a memory dump of the server and search for the base64 string
B.Check the server's process accounting logs (e.g., auditd, 'lastcomm') for PHP process invocation with the cmd parameter
C.Analyze the MySQL transaction logs for any database queries triggered by the webshell
D.Search for the decoded PHP code in the web server's document root
AnswerB

Process logs can show that the PHP interpreter ran the cmd parameter, confirming execution.

Why this answer

To confirm execution, the investigator should examine the server's process history or audit logs (e.g., auditd, bash history) to see if the cmd parameter was processed by the PHP interpreter.

721
MCQmedium

A forensic lab is establishing a chain of custody procedure. Which practice is considered best according to CHFI guidelines?

A.Require biometric authentication for all lab personnel
B.Store evidence in a secure room with limited access
C.Use encryption to protect evidence files
D.Document every transfer of evidence with signatures and timestamps
AnswerD

Documentation is key to maintaining chain of custody.

Why this answer

Option D is correct because the chain of custody is fundamentally a legal and procedural requirement to demonstrate the integrity and admissibility of digital evidence. CHFI guidelines emphasize that every transfer of evidence must be meticulously documented with signatures, timestamps, and purpose to create an unbroken audit trail, which is the only practice that directly satisfies the legal standard for evidence handling.

Exam trap

EC-Council often tests the distinction between security controls (like encryption or access restrictions) and procedural documentation (like signatures and timestamps), leading candidates to confuse physical or technical safeguards with the legal requirement for an auditable chain of custody.

How to eliminate wrong answers

Option A is wrong because biometric authentication controls access to the lab but does not document the transfer or handling of evidence, which is the core requirement for chain of custody. Option B is wrong because storing evidence in a secure room with limited access is a physical security measure, not a documentation procedure; it does not create the required audit trail for each transfer. Option C is wrong because encryption protects evidence files from unauthorized access or tampering but does not provide a documented record of who handled the evidence and when, which is essential for chain of custody.

722
MCQmedium

An examiner is analyzing an NTFS volume and suspects that a suspect hid data using Alternate Data Streams (ADS). Which tool or method is MOST appropriate to list all ADS on the volume?

A.Execute 'dir /r' in a Windows command prompt on the mounted image
B.Run 'ls -la' from a Linux forensic environment
C.Use 'icacls' to view security descriptors and detect ADS
D.Mount the image in Autopsy and run the 'Find File' module
AnswerA

'dir /r' displays alternate data streams in NTFS. This is a standard Windows command.

Why this answer

Native Windows commands can list ADS: 'dir /r' shows alternate streams. Streams.exe from Sysinternals also lists streams. FTK and EnCase have built-in ADS detection.

723
MCQeasy

Which of the following is the BEST definition of Locard's exchange principle in computer forensics?

A.Every contact leaves a trace; an attacker will leave digital traces on a system
B.Chain of custody must be maintained to prove evidence integrity
C.The best evidence rule requires original evidence over copies
D.Digital evidence must be collected in a forensically sound manner to be admissible in court
AnswerA

Locard's principle posits that there is always a transfer of material between the perpetrator and the scene; in digital forensics, this translates to digital traces.

Why this answer

Locard's exchange principle states that when a person interacts with a scene, they leave something behind and take something with them. In digital forensics, this means that an attacker will leave traces of their activity on the system (e.g., logs, malware) and may also remove evidence.

724
MCQhard

You are a forensic investigator for a healthcare organization that uses a hybrid cloud model. Your team receives an alert that a large amount of protected health information (PHI) was exfiltrated from an AWS S3 bucket to an external IP address. The organization uses AWS CloudTrail for API logging and VPC Flow Logs for network traffic. The incident occurred between 02:00 and 03:00 UTC. Upon reviewing CloudTrail logs, you see that the bucket policy was modified at 01:55 UTC to allow public read access, and then a series of GetObject requests from an IP address in a foreign country occurred. The VPC Flow Logs show outbound traffic from the bucket's VPC to that IP. The bucket policy change was made using the root user credentials of the AWS account. The organization has multi-factor authentication (MFA) enabled for all users, including root. However, the CloudTrail log for the policy change does not indicate MFA usage. You need to determine the most likely root cause of the breach. Which of the following is the most plausible explanation?

A.The root user's credentials were compromised and used to modify the bucket policy
B.The bucket policy was automatically modified by an AWS service
C.An insider with IAM permissions made the change using a legitimate session
D.The CloudTrail logs are inaccurate and the policy change was not made
AnswerA

Root access without MFA indicates credential theft.

Why this answer

The root user credentials were likely compromised because the CloudTrail log for the bucket policy change at 01:55 UTC shows no MFA usage, despite MFA being enforced for all users including root. This indicates the attacker used stolen root access keys or password without the MFA token, which is a common attack vector when credentials are phished or leaked. The subsequent GetObject requests from a foreign IP and outbound VPC Flow Logs confirm the exfiltration path.

Exam trap

EC-Council often tests the misconception that MFA enforcement alone prevents credential misuse, but the trap here is that attackers can use stolen access keys or passwords without the MFA token if the session is initiated outside the MFA challenge (e.g., via API calls with long-term credentials).

How to eliminate wrong answers

Option B is wrong because AWS services do not automatically modify S3 bucket policies to allow public read access; such changes require explicit user action or an automated script using valid credentials. Option C is wrong because an insider with IAM permissions would have used a legitimate session that would show MFA usage in CloudTrail logs, given MFA is enforced for all users, and the log shows no MFA indicator. Option D is wrong because CloudTrail logs are immutable and tamper-evident; assuming inaccuracy without evidence contradicts forensic best practices and the question's premise that the logs are reliable.

725
Multi-Selectmedium

A forensic analyst is investigating a web application that was defaced. The Apache access logs show the following entries: (1) GET /cgi-bin/test.cgi HTTP/1.1 with status 200, (2) POST /cgi-bin/test.cgi HTTP/1.1 with status 200, (3) GET /index.html HTTP/1.1 with status 200, (4) GET /images/ HTTP/1.1 with status 301. Which TWO log entries are most suspicious and indicate a likely attack vector?

Select 2 answers
A.POST /cgi-bin/test.cgi
B.GET /index.html
C.GET /images/
D.GET /cgi-bin/test.cgi
E.All entries are equally suspicious
AnswersA, D

POST to a CGI script can indicate command injection.

Why this answer

Entries to /cgi-bin/test.cgi with both GET and POST suggest probing and command execution via CGI. The others are normal traffic.

726
Multi-Selectmedium

Which TWO of the following are valid reasons for using a hardware write blocker over a software write blocker? (Select two.)

Select 2 answers
A.Hardware write blockers support faster transfer speeds than software blockers
B.Hardware write blockers can be bypassed by malware on the forensic workstation
C.Hardware write blockers operate at the physical layer and are OS-independent
D.Hardware write blockers provide a physical barrier that prevents any writes from reaching the suspect drive
E.Hardware write blockers are cheaper than software solutions
AnswersC, D

This is a key advantage; they do not rely on the OS.

Why this answer

Option C is correct because hardware write blockers operate at the physical layer of the OSI model, intercepting SATA/IDE/PATA commands before they reach the operating system. This makes them completely OS-independent, so they work identically on Windows, Linux, or macOS without requiring any kernel-mode drivers or OS-specific configurations. In contrast, software write blockers rely on the OS storage stack and can be affected by OS-level bugs or driver conflicts.

Exam trap

Cisco often tests the misconception that hardware write blockers are faster than software blockers, when in reality the hardware bridge introduces overhead, and the key advantage is OS independence and physical write prevention, not speed.

727
MCQeasy

In Linux forensics, an investigator examines /var/log/auth.log and finds repeated entries of "Failed password for root from 10.0.0.5 port 22 ssh2". Which type of attack is most likely indicated?

A.DNS cache poisoning attack
B.SQL injection attack
C.ARP spoofing attack
D.Brute force attack on SSH
AnswerD

Multiple failed password attempts on SSH indicate a brute force or password guessing attack.

Why this answer

Repeated failed SSH login attempts for the root user from a single IP address is a classic sign of a brute force attack against SSH.

728
Multi-Selectmedium

Which TWO of the following are valid reasons for a first responder to power off a computer system at a crime scene? (Select TWO)

Select 2 answers
A.To save time during the investigation
B.To make it easier to transport the system
C.When the system is actively destroying evidence (e.g., a data wiping program is running)
D.To prevent the destruction of volatile data by allowing it to be captured before shutdown
E.When the system is a potential threat to first responders (e.g., a bomb or hazardous environment)
AnswersC, E

If evidence is being actively destroyed, powering off may be necessary to stop the process.

Why this answer

Option C is correct because if a system is actively running a data wiping program (e.g., a tool that overwrites sectors with zeros or random data per the Gutmann method or DoD 5220.22-M standard), immediate power-off is the only way to halt the destruction of evidence before it becomes unrecoverable. Pulling the power cord (hard shutdown) stops the wiping process in its tracks, preserving any data that has not yet been overwritten.

Exam trap

The trap here is that candidates confuse 'preventing destruction of volatile data' (which requires live acquisition, not shutdown) with 'preventing destruction of non-volatile data' (which may justify a hard power-off when a wiping program is active).

729
MCQmedium

An analyst executed the commands shown in the exhibit on a Windows system to prepare a forensic image for analysis. What is the most likely reason for the error message from e2fsck?

A.The analyst failed to properly dismount the source volume before imaging, leading to filesystem inconsistencies.
B.The forensic image was not acquired with a write-blocker, causing data corruption.
C.The image file contains an NTFS filesystem, but e2fsck is designed for ext filesystems.
D.The e2fsck command syntax is incorrect; it should be 'e2fsck -f -n' instead.
AnswerA

The fsutil dismount command was run on C:, but the image was taken later, possibly without ensuring the volume was cleanly unmounted.

Why this answer

The error message from e2fsck indicates that the filesystem has inconsistencies, which typically occur when a volume is imaged while it is still mounted and actively being written to. The analyst likely did not dismount the source volume before acquiring the forensic image, resulting in a snapshot that reflects an inconsistent state (e.g., dirty journal, unflushed writes). This is a common chain-of-custody and acquisition procedure error in forensic imaging.

Exam trap

EC-Council often tests the misconception that a write-blocker alone guarantees a forensically sound image, but the trap here is that even with a write-blocker, imaging a mounted volume can produce an inconsistent filesystem because the OS may have pending writes in cache.

How to eliminate wrong answers

Option B is wrong because a write-blocker prevents writes to the source drive during acquisition, but it does not affect the consistency of the filesystem on the source volume if the volume was mounted and active; the error is about filesystem state, not write-blocker usage. Option C is wrong because the exhibit shows the analyst used 'dd' to create a raw image, and e2fsck is designed for ext2/3/4 filesystems; if the image contained NTFS, e2fsck would produce a different error (e.g., 'bad magic number') rather than a filesystem inconsistency error. Option D is wrong because the syntax 'e2fsck -f -n' is valid (force check and non-interactive), but the error message shown is about filesystem inconsistencies, not a command syntax error; the command executed correctly and detected the issue.

730
MCQmedium

An investigator finds a webshell on a compromised web server. Which artifact would be MOST useful to determine what commands were executed through the webshell?

A.Firewall logs
B.System event logs
C.Web server access logs
D.Prefetch files
AnswerC

Access logs record HTTP requests, including those sent to the webshell, which may contain commands in query strings or POST data.

Why this answer

Web server access logs record every HTTP request made to the server, including the URI, method, user-agent, and response status. When a webshell is accessed, commands are typically passed via GET or POST parameters in the request URL or body, so the access log will contain the exact command strings executed. This makes it the most direct artifact for reconstructing attacker actions.

Exam trap

EC-Council often tests the distinction between network-level logs (firewall) and application-level logs (web server), and the trap here is that candidates mistakenly choose firewall logs because they think 'commands' imply network traffic, ignoring that webshell commands are embedded in HTTP requests captured only by the web server.

How to eliminate wrong answers

Option A is wrong because firewall logs only show network-level metadata (source/destination IP, port, protocol) and do not capture the application-layer payload or command parameters sent to a webshell. Option B is wrong because system event logs record OS-level events (logins, service starts, crashes) but do not log individual HTTP requests or the command strings passed to a web application. Option D is wrong because Prefetch files track application startup and module loading on Windows, not the execution of commands within a running web server process; they would show that the web server ran, but not what commands were issued through the webshell.

731
MCQeasy

A first responder arrives at a crime scene where a computer is turned on. What should the responder do FIRST?

A.Run antivirus software to check for malware
B.Immediately disconnect the power cord
C.Copy all files from the hard drive
D.Photograph the scene and document everything
AnswerD

Documentation is critical before any action.

Why this answer

Option D is correct because the first priority at a live crime scene is to preserve the state of the evidence through proper documentation and photography. This ensures an accurate record of the computer's condition, including screen contents, peripheral connections, and environmental context, before any volatile data is lost or altered. The CHFI methodology emphasizes that documentation precedes any seizure or data acquisition steps to maintain chain of custody and evidentiary integrity.

Exam trap

EC-Council often tests the misconception that immediate power disconnection is the safest action to prevent data alteration, but the trap is that this destroys volatile evidence and can trigger encryption lockouts, whereas proper documentation and live response preserve the most fragile data first.

How to eliminate wrong answers

Option A is wrong because running antivirus software modifies the system state by writing logs, updating signatures, and potentially altering malware artifacts, which violates forensic integrity principles. Option B is wrong because immediately disconnecting the power cord on a running system causes loss of volatile data (RAM contents, network connections, running processes) and may trigger anti-forensic mechanisms like encryption key destruction or disk wiping. Option C is wrong because copying files from the hard drive before proper imaging and write-blocking can modify file metadata (access timestamps) and does not capture unallocated space or slack space, compromising the forensic soundness of the evidence.

732
MCQmedium

During a forensic examination of a Linux ext4 file system, an investigator runs the `ls -i` command and sees inode numbers. They need to examine the inode structure. Which command should they use to display detailed inode information?

A.dd if=/dev/sda1 of=output.img
B.debugfs -R 'stat <inode>' /dev/sda1
C.mount -o loop image.img /mnt
D.fsck /dev/sda1
AnswerB

debugfs with the stat command shows inode details in an ext filesystem.

Why this answer

The `stat` command in Linux displays detailed inode metadata including permissions, timestamps, and block locations.

733
MCQhard

During a forensic investigation, the analyst needs to verify the integrity of a forensic image. The analyst originally computed MD5 and SHA-1 hashes of the source drive. Which action BEST ensures the image has not been altered?

A.Recompute MD5 and SHA-1 hashes of the image and compare with the original
B.Check that the image was created using a write blocker
C.Compare the file size of the image with the original drive's capacity
D.Open the image in FTK Imager and browse a few files
AnswerA

Hash comparison is the standard method for verifying data integrity.

Why this answer

Recomputing the hashes on the image and comparing them to the original hashes ensures that the image matches the source exactly, proving integrity.

734
Multi-Selectmedium

A forensic analyst is examining an Android device for evidence of a specific app's usage. Which TWO locations are MOST likely to contain app-specific data that can be recovered through a logical acquisition?

Select 2 answers
A./system/bin/
B./data/data/
C./mnt/sdcard/Android/data/
D./proc/
E./init.rc
AnswersB, C

Main internal storage for app data.

Why this answer

Option B is correct because /data/data/ is the primary directory on Android devices where installed applications store their private data, including databases, shared preferences, and cache files. This directory is accessible through logical acquisition (e.g., ADB backup) and contains app-specific evidence such as user credentials, chat logs, and configuration files.

Exam trap

Cisco often tests the misconception that /system/bin/ or /proc/ contain app-specific data because they sound like common storage locations, but in Android forensics, only /data/data/ and external storage paths like /mnt/sdcard/Android/data/ hold recoverable app artifacts during logical acquisition.

735
MCQeasy

An investigator needs to recover deleted emails from a Microsoft Outlook PST file. Which forensic technique is most appropriate?

A.Use a hex editor to manually reconstruct the PST headers
B.Convert the PST to EML and open each file individually
C.Perform file carving on the PST file to recover deleted email fragments
D.Mount the PST file and use Outlook's 'Recover Deleted Items' feature
AnswerC

Carving can recover deleted data from the PST binary structure.

Why this answer

Deleted items in PST files are often recoverable until overwritten; carving can recover remnants.

736
MCQeasy

A forensic investigator is analyzing a Microsoft SQL Server instance that was compromised. The investigator wants to identify all login attempts that failed due to incorrect passwords. Which system function or view should be queried?

A.sys.dm_exec_sessions
B.sys.dm_tran_locks
C.xp_readerrorlog with filter for 'Login failed'
D.sys.dm_exec_requests
AnswerC

Reads SQL Server error log for failed logins.

Why this answer

The xp_readerrorlog extended stored procedure reads the SQL Server error log, which records all login attempts, including failures. By filtering for 'Login failed', the investigator can retrieve the exact entries where authentication failed due to incorrect passwords. This is the standard method for auditing failed logins in SQL Server.

Exam trap

EC-Council often tests the misconception that dynamic management views (DMVs) like sys.dm_exec_sessions store historical authentication data, when in fact they only reflect current state, not past events.

How to eliminate wrong answers

Option A is wrong because sys.dm_exec_sessions shows current active sessions, not historical login failures; it only reflects successful connections. Option B is wrong because sys.dm_tran_locks provides information about current lock states and transactions, not authentication events. Option D is wrong because sys.dm_exec_requests displays currently executing requests, not past login attempts or failures.

737
MCQmedium

Which of the following best describes the purpose of the Host Protected Area (HPA) on a hard disk drive?

A.To accelerate read/write operations using flash cache
B.To store the file system journal
C.To provide a hidden storage area that is inaccessible through standard OS commands
D.To store the Master Boot Record
AnswerC

Correct: HPA can be used to hide data from the OS.

Why this answer

HPA is a reserved area on the drive that is not normally accessible by the OS, often used by manufacturers for diagnostics or by investigators to hide data.

738
MCQeasy

A security analyst is reviewing Windows Event Logs and notices multiple Event ID 4625 entries for a single user account within a short time frame. What does this most likely indicate?

A.Successful user logins
B.Account creation events
C.A brute-force password guessing attack
D.Service installation
AnswerC

Multiple failed logon attempts (Event ID 4625) in a short time for the same user is typical of a brute-force attack.

Why this answer

Event ID 4625 indicates a failed logon attempt. Multiple such events for the same user in a short period strongly suggest a brute-force password guessing attack.

739
MCQmedium

During a forensic investigation, you find a file named ntuser.dat.LOG1 in a user's profile directory. What is the primary purpose of this file?

A.It contains the user's Internet browsing history
B.It logs changes to the user's registry hive for recovery purposes
C.It is a backup copy of the user's registry hive
D.It stores the user's recently accessed files
AnswerB

NTUSER.DAT.LOG1 records pending changes to the NTUSER.DAT hive to maintain integrity.

Why this answer

NTUSER.DAT.LOG1 is a transaction log file used to ensure registry consistency in case of a crash. It records changes before they are committed.

740
MCQmedium

A security analyst suspects a mobile device is infected with malware that exfiltrates data via DNS queries. Which tool or technique would be MOST effective for detecting this behavior during dynamic analysis?

A.PEiD to detect packers in the mobile app binary
B.Regshot to compare registry snapshots before and after execution
C.Process Monitor to observe registry and file system changes
D.Wireshark to capture and analyze network packets for anomalous DNS queries
AnswerD

Wireshark can capture DNS traffic and detect exfiltration patterns.

Why this answer

D is correct because DNS exfiltration involves encoding stolen data into DNS query fields (e.g., subdomains or TXT records) and sending them to a malicious server. Wireshark captures and analyzes raw network packets, allowing the analyst to inspect DNS query payloads for anomalous patterns such as unusually long hostnames, high query volume, or queries to suspicious domains, which are hallmarks of DNS tunneling.

Exam trap

EC-Council often tests the misconception that dynamic analysis of malware behavior requires host-based monitoring (like Process Monitor) rather than network-based analysis, but for data exfiltration via DNS, packet capture is essential.

How to eliminate wrong answers

Option A is wrong because PEiD is a tool for detecting packers and compilers in Windows PE files, not for analyzing mobile app binaries or network behavior; it cannot capture DNS queries. Option B is wrong because Regshot compares Windows registry snapshots, which is irrelevant for mobile device analysis and does not monitor network traffic. Option C is wrong because Process Monitor (Procmon) monitors Windows registry, file system, and process activity on a local system, not network packets; it cannot detect DNS exfiltration over the wire.

741
MCQeasy

Which mobile forensic tool is commonly used to perform a physical extraction of an iOS device, including bypassing the lock screen on certain models?

A.Magnet AXIOM
B.GrayKey
C.Oxygen Forensic Detective
D.FTK Imager
AnswerB

GrayKey is designed for iOS physical extraction and passcode bypass.

Why this answer

GrayKey is a specialized hardware tool designed by Grayshift that performs physical extraction of iOS devices, including bypassing the lock screen on certain models (e.g., iPhone 5 through iPhone X) by exploiting bootrom vulnerabilities or using brute-force techniques. It is widely used in law enforcement for forensic acquisition of iOS devices where logical extraction is insufficient.

Exam trap

EC-Council often tests the distinction between logical extraction tools (like Magnet AXIOM or Oxygen Forensic Detective) and hardware-based physical extraction tools (like GrayKey), leading candidates to mistakenly choose a familiar forensic suite that cannot bypass iOS lock screens.

How to eliminate wrong answers

Option A is wrong because Magnet AXIOM is a comprehensive digital forensics platform that supports logical and file system extractions from iOS devices but does not natively perform physical extraction or lock screen bypass; it relies on other tools (like GrayKey or checkra1n) for that capability. Option C is wrong because Oxygen Forensic Detective is a forensic suite that can extract data from iOS devices via logical or advanced logical methods, but it does not include hardware-based physical extraction or lock screen bypass; it depends on third-party tools or jailbreaks for deeper access. Option D is wrong because FTK Imager is a disk imaging tool for creating forensic images of storage media (e.g., hard drives, SD cards) and does not support mobile device extraction, let alone iOS physical extraction or lock screen bypass.

742
Multi-Selecthard

Which THREE of the following are indicators of a web shell on a web server? (Select three.)

Select 3 answers
A.Unexpected file modifications in web directories, especially .php, .asp, or .jsp files
B.Presence of processes like cmd.exe or /bin/bash running under the web server user
C.An increase in 404 errors due to directory traversal attempts
D.Regular successful logins from multiple IP addresses
E.Atypical HTTP requests containing system commands (e.g., ?cmd=whoami)
AnswersA, B, E

Attackers may modify or upload web shell files.

Why this answer

Web shells often allow attackers to execute commands, resulting in atypical HTTP requests with system commands, processes like cmd.exe or /bin/bash, and file modifications. Normal web activity does not include these.

743
MCQmedium

A forensic analyst is investigating a macOS system and wants to review a timeline of past application launches and file accesses across multiple days. Which forensic artifact is BEST suited for this purpose?

A.FSEvents log files
B.Unified logging (log show)
C..plist files in ~/Library/Preferences
D.~/Library/Application Support/com.apple.sharedfilelist
AnswerB

Correct. Unified logging provides a comprehensive timeline of system activity.

Why this answer

Unified logging in macOS contains a chronological log of system events including application launches, file accesses, and network connections. It can be queried with `log show`.

744
MCQmedium

A security analyst is investigating a potential intrusion and finds a webshell on a Linux web server. Which of the following logs would be MOST useful to determine how the webshell was uploaded?

A./var/log/syslog
B./var/log/apache2/access.log
C./var/log/auth.log
D./var/log/kern.log
AnswerB

Access logs record all HTTP requests, including file uploads.

Why this answer

Web server access logs (e.g., Apache access.log) record HTTP requests, including file uploads to the server, which can show the source IP and the method used to upload the webshell.

745
MCQmedium

During a database forensic investigation, an analyst discovers that multiple rows in a MySQL table have been deleted. The binary logs are enabled. Which approach should the analyst use to recover the deleted data?

A.Restore the transaction log files from backup and mount them to recover the deleted rows.
B.Use the 'SHOW UNDO' command to retrieve the deleted rows from undo tablespace.
C.Query the information_schema database to retrieve deleted rows from the data dictionary.
D.Parse the binary logs using mysqlbinlog to extract the DELETE statements and reconstruct the lost data.
AnswerD

Binary logs record all data changes; mysqlbinlog can output the SQL statements, including deletes.

Why this answer

MySQL binary logs record all changes to the database, including DELETE statements. The mysqlbinlog utility can parse these logs to reconstruct the exact DELETE operations, allowing the analyst to reverse-engineer the deleted rows by extracting the row data from the log events. This is the standard forensic method for recovering deleted data when binary logging is enabled.

Exam trap

EC-Council often tests the misconception that MySQL has a direct 'UNDO' command or that the information_schema stores row-level data, leading candidates to choose those plausible-sounding but incorrect options.

How to eliminate wrong answers

Option A is wrong because MySQL does not have a separate 'transaction log file' that can be mounted like a file system; the transaction log (redo log) is not designed for point-in-time recovery of individual rows, and restoring from backup would require a full restore, not a targeted row recovery. Option B is wrong because MySQL does not support a 'SHOW UNDO' command; undo tablespace is used internally for rollback operations and is not directly queryable for deleted row recovery. Option C is wrong because the information_schema database contains metadata about database objects (tables, columns, etc.), not the actual row data or deleted rows; it cannot be used to retrieve deleted records.

746
Multi-Selectmedium

A forensic analyst is investigating a Windows system and wants to identify recently executed programs. Which TWO artifacts should the analyst examine?

Select 2 answers
A.MRU lists
B.Prefetch files
C.UserAssist
D.ShellBags
E.Jump lists
AnswersB, C

Prefetch files record execution information for applications.

Why this answer

Prefetch files and UserAssist registry keys are both used to track program execution. Prefetch stores execution count and timestamps; UserAssist logs programs launched from the Start Menu or desktop.

747
Multi-Selecthard

Which TWO of the following are challenges specific to SSD forensics compared to HDD forensics?

Select 2 answers
A.Wear leveling distributes writes, complicating data location
B.File system metadata may be overwritten
C.Magnetic remanence allows data recovery
D.Slack space contains remnants of deleted files
E.TRIM command erases deleted data
AnswersA, E

Wear leveling moves data, making it harder to find specific sectors.

Why this answer

TRIM causes data erasure, and wear leveling makes data location unpredictable. The other options apply to both HDD and SSD.

748
Multi-Selectmedium

A forensic analyst is examining MySQL binary logs to identify a data exfiltration event. Which TWO fields are most critical for reconstructing the stolen data?

Select 2 answers
A.Error code
B.Timestamp
C.Server ID
D.SQL statement
E.Thread ID
AnswersB, D

Timestamp shows when the query executed, aiding timeline reconstruction.

Why this answer

The SQL statement reveals what data was retrieved, and the timestamp helps establish the timeline.

749
MCQeasy

Which of the following mobile forensic tools is specifically known for its ability to perform advanced extractions on iOS devices, including bypassing the lock screen on many models?

A.Cellebrite UFED
B.Magnet AXIOM
C.Oxygen Forensic Detective
D.GrayKey
AnswerD

GrayKey is known for iOS lock screen bypass and advanced extraction.

Why this answer

GrayKey is specifically designed for advanced iOS extractions, leveraging a combination of hardware and software exploits to bypass the lock screen on many iPhone models, including recent ones. Unlike general-purpose forensic tools, GrayKey focuses exclusively on iOS and uses techniques like checkm8 bootrom exploit or brute-force attacks via USB to gain access to encrypted device data.

Exam trap

EC-Council often tests the distinction between general-purpose forensic tools (like Cellebrite UFED) and specialized hardware-based extraction tools (like GrayKey), leading candidates to choose Cellebrite because of its brand recognition, even though GrayKey is the only option specifically designed for advanced iOS lock-screen bypass.

How to eliminate wrong answers

Option A is wrong because Cellebrite UFED is a versatile tool supporting many mobile OSes, but its iOS lock-screen bypass capabilities are limited compared to GrayKey, often relying on known vulnerabilities or physical extraction methods that may not work on newer iOS versions. Option B is wrong because Magnet AXIOM is a comprehensive digital forensics platform that processes data from multiple sources (mobile, cloud, computer), but it does not perform direct iOS lock-screen bypass; it relies on other tools or pre-extracted images. Option C is wrong because Oxygen Forensic Detective is a strong mobile forensic tool with advanced analysis features, but its iOS extraction capabilities typically require the device to be unlocked or use logical extraction methods, lacking the dedicated hardware-based lock-screen bypass that GrayKey offers.

750
MCQhard

Refer to the exhibit. A first responder runs netstat -ano on a Windows system. Which connection is MOST likely indicative of a potential C2 communication?

A.TCP 0.0.0.0:3389 LISTENING PID 668
B.TCP 192.168.1.10:49154 to 192.168.1.1:53 TIME_WAIT PID 2016
C.TCP 192.168.1.10:49153 to 203.0.113.50:443 TIME_WAIT PID 1204
D.TCP 192.168.1.10:49152 to 10.0.0.5:80 ESTABLISHED PID 3342
AnswerC

The foreign IP is external and the PID is not a standard Windows process; TIME_WAIT may indicate recent C2 communication.

Why this answer

Option C is correct because the connection from a high ephemeral port (49153) to an external IP (203.0.113.50) over HTTPS (port 443) with a short-lived TIME_WAIT state is a classic indicator of potential C2 beaconing. C2 communications often use HTTPS to blend with legitimate traffic, and the TIME_WAIT state suggests brief, periodic connections typical of beaconing, rather than sustained data transfer. The external IP is also in a documentation/test range (203.0.113.0/24), which is commonly used for examples but in a real scenario would be suspicious as an unknown external destination.

Exam trap

EC-Council often tests the misconception that any ESTABLISHED connection is suspicious, but here the trap is that TIME_WAIT to an external HTTPS port is more indicative of C2 beaconing than an ESTABLISHED connection to an internal HTTP server.

How to eliminate wrong answers

Option A is wrong because TCP port 3389 (RDP) listening on all interfaces (0.0.0.0) is a standard Windows Remote Desktop service, not C2 traffic; it is a legitimate administrative service that is expected to be in LISTENING state. Option B is wrong because the connection to 192.168.1.1:53 (DNS) is a normal DNS resolution from a local client to a local DNS server, and TIME_WAIT is typical after a short query-response; this is not C2. Option D is wrong because the connection to 10.0.0.5:80 (HTTP) is to a private IP address (RFC 1918), which is internal network traffic, and an ESTABLISHED state indicates an ongoing legitimate session (e.g., web browsing to an internal server), not C2.

Page 9

Page 10 of 14

Page 11