Computer Hacking Forensic Investigator (CHFI) — Questions 751–825

1000 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751 · MCQ · medium

Based on the ARP table exhibit, what is the most likely security issue?

A. The gateway is unreachable
B. Duplicate IP addresses on the network
C. ARP poisoning attack
D. MAC address filtering is enabled
Answer: C

Multiple IPs with same MAC is a classic sign of ARP spoofing.

Why this answer

The ARP table exhibit shows a single IP address (192.168.1.1) mapped to two different MAC addresses (00:11:22:33:44:55 and AA:BB:CC:DD:EE:FF). This is a classic indicator of an ARP poisoning attack, where an attacker sends forged ARP replies to associate their MAC address with the gateway's IP, enabling man-in-the-middle interception of traffic.

Exam trap

The trap here is that candidates may confuse ARP poisoning with duplicate IP addresses, but duplicate IPs cause a 'conflict' message and only one MAC survives in the ARP table, whereas ARP poisoning shows two distinct MACs for the same IP simultaneously.

How to eliminate wrong answers

Option A is wrong because the gateway being unreachable would result in no ARP entry or an incomplete entry, not multiple MAC addresses for the same IP. Option B is wrong because duplicate IP addresses cause address conflicts and connectivity issues, but the ARP table would typically show only one MAC per IP (the last to respond), not two simultaneous entries. Option D is wrong because MAC address filtering restricts which devices can connect, but it does not cause multiple MAC addresses to appear for a single IP in the ARP table.

752 · MCQ · medium

During a forensic investigation, the analyst needs to create a forensic image of a hard drive that also hashes the data during acquisition. Which command-line tool would be MOST appropriate for this task?

A. dd
B. fdisk
C. memdump
D. dcfldd
Answer: D

dcfldd can compute hashes on-the-fly, ensuring integrity.

Why this answer

dcfldd is a modified version of dd that includes built-in hashing (e.g., MD5, SHA-1, SHA-256) during the imaging process, allowing the analyst to verify data integrity in real time without a separate hashing step. This makes it the most appropriate tool for creating a forensic image that also hashes the data during acquisition.

Exam trap

EC-Council often tests the distinction between dd and dcfldd, trapping candidates who assume dd is sufficient because it can create a raw image, ignoring the explicit requirement for integrated hashing during acquisition.

How to eliminate wrong answers

Option A (dd) is wrong because while dd can create a bit-for-bit copy, it does not natively compute or embed a hash during acquisition; any hashing must be done as a separate post-processing step, which is less efficient and can introduce integrity gaps. Option B (fdisk) is wrong because it is a partitioning tool used to manipulate partition tables, not to create forensic images or compute hashes. Option C (memdump) is wrong because it is designed to capture volatile memory (RAM), not to image a hard drive, and it does not provide hashing capabilities.

753 · Multi-Select · medium

Which TWO of the following are considered types of evidence under the rules of evidence?

Select 2 answers
A. Best evidence rule
B. Direct evidence
C. Circumstantial evidence
D. Hearsay evidence
E. Exculpatory evidence
Answers: B, C

Direct evidence directly proves a fact without inference.

Why this answer

Direct and circumstantial evidence are two main categories. Hearsay and best evidence are rules, not types.

754 · MCQ · hard

An investigator uses FTK Imager to capture a forensic image of a suspect's hard drive. During acquisition, the tool reports that the DCO (Device Configuration Overlay) is present. What does this indicate?

A. The drive is failing and needs replacement
B. The drive supports hardware encryption
C. The drive has a GPT partition table
D. The drive has been tampered with to hide data
Answer: D

DCO can be used to hide data from the OS and forensic tools.

Why this answer

DCO is a region beyond the HPA that can hide data; its presence suggests possible data hiding.

755 · MCQ · easy

Which Wireshark filter should an analyst use to display only TCP packets that have the SYN flag set and the ACK flag not set?

A. tcp.flags.syn == 1 or tcp.flags.ack == 0
B. tcp.flags.syn == 1 and tcp.flags.ack == 0
C. tcp.flags.syn == 1
D. tcp.flags == 0x002
Answer: B

This correctly isolates initial SYN packets by requiring SYN=1 and ACK=0.

Why this answer

A TCP SYN packet has SYN=1 and ACK=0. The Wireshark display filter 'tcp.flags.syn == 1 and tcp.flags.ack == 0' precisely matches this condition.

756 · MCQ · hard

During a forensic investigation of a Windows 10 system, an examiner finds the following registry key: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count. The values contain ROT13-encoded data. What is the primary purpose of this artifact?

A. Store recently opened documents (MRU list)
B. Track programs executed by the user
C. Record USB device insertion history
D. Log network share connections
Answer: B

UserAssist records the execution count and last run time of applications started via the UI.

Why this answer

The UserAssist key tracks applications launched via the Windows shell (Start Menu, Run, etc.). The data is ROT13-encoded to obscure the count and last execution time.

757 · MCQ · easy

Which tool is commonly used for timeline analysis in digital forensics, combining multiple artifacts into a super timeline?

A. Plaso
B. Autopsy
C. Sleuth Kit
D. Wireshark
Answer: A

Plaso (formerly log2timeline) creates comprehensive timelines from forensic artifacts.

Why this answer

Plaso (log2timeline) is a tool that parses various log files and artifacts to create a super timeline for forensic analysis.

758 · Multi-Select · hard

Which THREE of the following are essential steps in the digital forensics investigation process? (Select three.)

Select 3 answers
A. Examination
B. Analysis
C. Encryption
D. Collection
E. Destruction
Answers: A, B, D

Examination involves searching for relevant data.

Why this answer

Option A (Examination) is correct because it is a core phase in the digital forensics process where investigators identify and extract potential evidence from collected data without altering it. This step involves techniques such as hashing (e.g., SHA-256) to verify integrity and using tools like FTK Imager or EnCase to preview files, ensuring the evidence is preserved in a forensically sound manner. Without examination, the raw collected data cannot be systematically reviewed for relevant artifacts.

Exam trap

EC-Council often tests the distinction between the forensic process steps and unrelated technical concepts like encryption or destruction, so candidates may mistakenly select 'Encryption' because they confuse a common obstacle with a required phase, or 'Destruction' because they think evidence must be destroyed after analysis.

759 · MCQ · easy

You are a forensic investigator responding to an incident on a Windows 10 workstation used by a finance manager. The user reports that a critical spreadsheet containing quarterly budget data was accidentally deleted from the Desktop yesterday at approximately 3:00 PM. The system has been used normally since then, and the user has not emptied the Recycle Bin. You have created a forensic image of the drive using FTK Imager. The Recycle Bin contains a file named 'Quarterly_Budget.xlsx', but it appears to be a shortcut (size 1 KB). The user insists the original file was several megabytes. You need to recover the original file. Which action should you take next?

A. Search the $Recycle.Bin folder on the forensic image to locate the original file data, which may be stored under a different name.
B. Restore a previous version of the Desktop folder from Volume Shadow Copy.
C. Use file carving techniques to recover the file from unallocated space on the Desktop.
D. Check the Recycle Bin on the live system; the file should be there and can be restored.
Answer: A

The Recycle Bin stores original file data in the $Recycle.Bin folder, often with a renamed file. The shortcut is just a reference.

Why this answer

When a file is moved to the Recycle Bin on Windows 10, the original file data is not stored in the Recycle Bin itself; instead, a hidden file (with a random name) is created in the `$Recycle.Bin` folder on the volume, and a shortcut (the visible entry) is placed in the Recycle Bin. The shortcut points to the hidden file, which retains the original data. Since the visible entry is only 1 KB, the actual file content must be located in the `$Recycle.Bin` folder under a different name, making option A the correct next step.

Exam trap

The trap here is that candidates assume the Recycle Bin contains the actual file data, but EC-Council tests the understanding that the visible Recycle Bin entry is only a shortcut, and the real data is hidden in the `$Recycle.Bin` folder under a different name.

How to eliminate wrong answers

Option B is wrong because restoring a previous version from Volume Shadow Copy would only work if the file was deleted via a system restore point or if the Desktop folder had versioning enabled, which is not guaranteed and is not the primary mechanism for Recycle Bin recovery. Option C is wrong because file carving from unallocated space is a last-resort technique for when the file is not recoverable via the Recycle Bin or file system metadata; here, the file is still logically present in the Recycle Bin structure, so carving is unnecessary and less reliable. Option D is wrong because the user has already created a forensic image, and checking the live system could alter evidence; moreover, the Recycle Bin on the live system would show the same shortcut, not the original data.

760 · Multi-Select · medium

An investigator is analyzing a memory dump with Volatility and wants to identify network connections. Which TWO commands can provide information about TCP and UDP connections? (Select 2)

Select 2 answers
A. volatility -f mem.dmp netscan
B. volatility -f mem.dmp connections
C. volatility -f mem.dmp netstat
D. volatility -f mem.dmp pslist
E. volatility -f mem.dmp dlllist
Answers: A, C

netscan scans for network connections on Windows systems.

Why this answer

Volatility's netscan and netstat plugins list network connections from memory.

761 · MCQ · easy

During a mobile device investigation, an examiner needs to acquire the maximum amount of data from a locked iOS device without modifying it. Which acquisition type should be used?

A. Manual acquisition
B. Physical acquisition
C. Logical acquisition
D. File system acquisition
Answer: B

Physical acquisition provides a complete bit-for-bit copy, including deleted data, and can often bypass lock screens with tools like GrayKey or Cellebrite UFED.

Why this answer

Physical acquisition is the correct choice because it creates a bit-for-bit copy of the entire flash storage, including the operating system, user data, and deleted file remnants, without relying on the iOS operating system to be unlocked or cooperative. This method bypasses the lock screen by exploiting hardware or software vulnerabilities (e.g., checkm8 bootrom exploit) or using advanced forensic tools (e.g., Cellebrite, GrayKey) to read the raw NAND memory, ensuring maximum data extraction while maintaining forensic integrity.

Exam trap

EC-Council often tests the misconception that logical acquisition is sufficient for locked devices because it can extract backups, but the trap is that logical acquisition still requires the device to be unlocked or have a trusted relationship established, whereas physical acquisition is the only method that can bypass the lock screen to capture the entire storage image.

How to eliminate wrong answers

Option A is wrong because manual acquisition requires the device to be unlocked and interactive, which is impossible with a locked iOS device and only captures visible data on the screen, not the full storage. Option C is wrong because logical acquisition only extracts files and databases accessible through the iOS operating system’s APIs (e.g., via iTunes backup or libimobiledevice), which requires the device to be unlocked and does not capture deleted data or system partitions. Option D is wrong because file system acquisition, while more detailed than logical, still requires the device to be unlocked (e.g., via jailbreak or trusted connection) and only retrieves the file system hierarchy, not the raw blocks of the storage, missing unallocated space and hidden partitions.

762 · MCQ · easy

A security analyst reviews an Apache access log entry: 192.168.1.5 - - [10/Jan/2024:08:12:35 +0000] "GET /index.php?id=1 UNION SELECT username,password FROM users-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0". What type of attack is MOST likely indicated?

A. Cross-site scripting (XSS)
B. Path traversal
C. Remote file inclusion
D. SQL injection
Answer: D

The UNION SELECT clause indicates an attempt to extract data from the database.

Why this answer

The log entry shows a UNION SELECT statement appended to the id parameter, which is a classic SQL injection attempt.

763 · MCQ · medium

An investigator finds a suspicious LNK file on a Windows desktop pointing to an executable in the Temp folder. What is the significance of LNK files in forensic analysis?

A. They provide evidence of file access and execution
B. They store network share credentials in plaintext
C. They contain the full content of the target file
D. They are used exclusively for system files
Answer: A

LNK files are created when a user opens a file or runs a program, recording access.

Why this answer

LNK files are shortcuts that contain metadata including target path, creation time, and sometimes volume information, indicating user activity.

764 · MCQ · medium

A forensic analyst needs to create a forensic image of a suspect's hard drive using FTK Imager. Which of the following image formats is MOST appropriate for maintaining evidence integrity and allowing compression?

A. ISO image format (.iso)
B. EnCase image format (.E01)
C. Advanced Forensic Format (AFF)
D. Raw/DD image (.dd)
Answer: B

E01 supports compression, integrity checks, and is widely accepted in court.

Why this answer

FTK Imager natively supports the EnCase image format (.E01), which is the most appropriate choice because it maintains evidence integrity through embedded CRC32 and MD5/SHA-1 hash verification while also supporting optional compression. Unlike raw/DD images, .E01 files can be segmented and compressed without losing forensic integrity, making them ideal for both storage efficiency and court-admissible evidence.

Exam trap

The trap here is that candidates often choose Raw/DD (.dd) because it is the simplest and most universally accepted format, but they overlook that FTK Imager's .E01 format provides built-in compression and hash verification, which are critical for both integrity and practical storage management in forensic acquisitions.

How to eliminate wrong answers

Option A is wrong because ISO image format (.iso) is designed for optical disc images and does not support forensic metadata, hash integrity checks, or compression in a forensically sound manner; it is not a forensic image format. Option C is wrong because Advanced Forensic Format (AFF) is an open-source format that supports compression and metadata, but it is not natively supported by FTK Imager for image creation; FTK Imager primarily uses .E01 and raw/DD formats. Option D is wrong because Raw/DD image (.dd) is a bit-for-bit copy that preserves integrity but does not support built-in compression or embedded hash verification, requiring separate hash files and lacking the efficiency of .E01 for large drives.

765 · MCQ · easy

You are a forensic examiner at a corporate security firm. You receive a laptop from the HR department that belonged to a terminated employee. The laptop was used for company business and is suspected of containing unauthorized file-sharing software. The laptop is running Windows 10 with BitLocker drive encryption enabled. Before shutdown, the employee was logged into the system. HR claims the laptop was shut down properly and then handed over within an hour. You are asked to acquire a forensic image of the hard drive for analysis. However, when you boot the laptop, you are prompted for the BitLocker recovery key. HR does not have the key, and the employee refuses to cooperate. The laptop also has a TPM chip. Which of the following is the most appropriate course of action to acquire the data?

A. Contact IT to obtain the BitLocker recovery key from Active Directory.
B. Perform a cold boot attack to extract the BitLocker key from memory.
C. Boot from a Linux live USB and use tools to bypass BitLocker.
D. Boot the laptop normally and let BitLocker unlock the drive using the TPM.
Answer: D

Correct: Since the laptop was shut down properly and has TPM, normal boot should unlock the drive without the recovery key.

Why this answer

Option D is correct because the laptop was shut down properly and handed over within an hour, meaning the TPM (Trusted Platform Module) still holds the BitLocker key in its secure storage. When the system boots normally, BitLocker will automatically unlock the drive using the TPM without requiring a recovery key or user PIN, as long as the boot configuration has not changed. This is the standard behavior for a TPM-only protector configuration, which is common in corporate Windows 10 deployments.

Exam trap

EC-Council often tests the misconception that BitLocker always requires a recovery key or that a cold boot attack is a standard forensic technique, when in fact a properly shut-down system with TPM will unlock automatically, making the simplest boot the correct first step.

How to eliminate wrong answers

Option A is wrong because contacting IT to obtain the BitLocker recovery key from Active Directory is a valid step only if the key was escrowed, but the question states HR does not have the key and the employee refuses to cooperate; however, the most appropriate immediate action is to boot normally first, as the TPM will unlock the drive without needing the recovery key. Option B is wrong because a cold boot attack is a specialized technique used to extract memory contents from a system that was recently running, but here the laptop was shut down properly an hour ago, so the memory contents (including any BitLocker key remnants) are long gone; this attack is impractical and not the most appropriate course. Option C is wrong because booting from a Linux live USB and using tools to bypass BitLocker is not feasible against a fully encrypted drive with TPM-bound keys; BitLocker with TPM protection cannot be bypassed by simply booting an alternate OS, as the TPM will not release the key to an untrusted boot environment.

766 · MCQ · medium

An expert witness is preparing to testify in a computer forensics case. Which of the following is a key requirement for the expert's testimony to be admissible under the Daubert standard?

A. The expert's methods must be generally accepted in the scientific community
B. The expert's techniques must be based on reliable principles and methods
C. The expert must have personally examined all evidence
D. The expert must have a law degree
Answer: B

Daubert focuses on reliability and relevance, including whether methods have been tested and subjected to peer review.

Why this answer

Under the Daubert standard, the admissibility of expert testimony hinges on whether the expert's techniques are based on reliable principles and methods, not merely on general acceptance. This standard, established in Daubert v. Merrell Dow Pharmaceuticals, requires the trial judge to act as a gatekeeper, evaluating the scientific validity and reliability of the methodology used.

In computer forensics, this means the expert must demonstrate that their acquisition, preservation, and analysis methods (e.g., using write-blockers, cryptographic hashing like SHA-256, and chain-of-custody documentation) are scientifically sound and consistently applied.

Exam trap

EC-Council often tests the distinction between the Daubert and Frye standards, and the trap here is that candidates mistakenly choose 'general acceptance' (Option A) because it was the historical standard, but Daubert requires a more rigorous focus on the reliability and scientific validity of the methodology itself.

How to eliminate wrong answers

Option A is wrong because while general acceptance (the Frye standard) is a factor under Daubert, it is not the sole or key requirement; Daubert emphasizes reliability and relevance over mere acceptance. Option C is wrong because the expert witness does not need to personally examine all evidence; they can rely on reports, logs, and data provided by other qualified personnel, as long as the underlying methodology is reliable. Option D is wrong because a law degree is not a requirement for expert testimony in computer forensics; the expert's qualification comes from technical expertise, certifications (e.g., CHFI, EnCE), and practical experience, not legal credentials.

767 · Matching · medium

Match each email forensic artifact to its source.

Message source (RFC 5322 headers)

Microsoft Outlook personal folder

Microsoft Exchange server

Unix-based email clients

Individual email message export

Why these pairings

These artifacts store email data in different formats.

768 · Drag & Drop · medium

Drag and drop the steps to conduct a memory acquisition using DumpIt on a Windows system into the correct order.

Why this order

Memory acquisition requires booting from trusted media, running tool as admin, and verifying hash.

769 · MCQ · medium

During a forensic examination of a Windows system, an analyst finds a file that appears to be zero bytes in size when viewed in Windows Explorer, but the file's properties show a size on disk of 4 KB. What is the most likely explanation?

A. The file contains only slack space
B. The file is compressed using NTFS compression
C. The file is stored in an alternate data stream (ADS)
D. The file is a sparse file
Answer: D

Why this answer

Sparse files in NTFS have a logical size that does not match the space actually allocated on disk, so the file can appear as zero bytes in Explorer while still occupying an allocated cluster, which is what the size-on-disk property reports.

770 · Matching · medium

Match each forensic artifact to its location in Windows (typical).

C:\Windows\Prefetch

C:\Windows\System32\winevt\Logs

C:\$Recycle.Bin

C:\Windows\System32\config

C:\Users\[user]\AppData\Local\Microsoft\Windows\Explorer

Why these pairings

These paths are standard for Windows 10/11.

771 · Multi-Select · hard

Which three of the following are common techniques used to hide data on a storage device? (Choose THREE.)

Select 3 answers
A. File system journaling
B. Host Protected Area (HPA)
C. Alternate Data Streams (ADS) in NTFS
D. TRIM command
E. Slack space (file slack, volume slack)
Answers: B, C, E

Correct: HPA hides data from the OS.

Why this answer

HPA, ADS, and slack space are well-known data hiding techniques.

772 · Multi-Select · easy

Which TWO of the following are primary locations for browser history artifacts in a Windows 10 system? (Select TWO.)

Select 2 answers
A. %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files
B. %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
C. %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
D. %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\places.sqlite
E. %USERPROFILE%\AppData\Local\Temp
Answers: B, C

Chrome stores history in a SQLite database named History.

Why this answer

Chrome history is in SQLite database files; Edge uses WebCacheV01.dat; Firefox uses places.sqlite.

773 · Multi-Select · medium

Which TWO of the following are considered forms of evidence under the rules of evidence? (Select two.)

Select 2 answers
A. Illegally obtained evidence
B. Hearsay evidence
C. Circumstantial evidence
D. Opinion evidence
E. Direct evidence
Answers: C, E

Circumstantial evidence requires inference but is still valid.

Why this answer

Circumstantial evidence is a recognized form of evidence under the rules of evidence because it allows a fact-finder to infer a fact from other established facts, even without direct witness testimony. In digital forensics, this is critical when reconstructing user activity from log files, file metadata, or network traffic patterns that indirectly prove an action occurred.

Exam trap

EC-Council often tests the distinction between admissibility and form of evidence, leading candidates to mistakenly select 'illegally obtained evidence' as a valid form because they confuse the concept of 'evidence' with 'admissible evidence'.

774 · MCQ · medium

Which mobile forensic acquisition method is MOST likely to retrieve deleted text messages from an iPhone that was not jailbroken and has no passcode?

A. Physical acquisition via forensic tool like Cellebrite UFED
B. Logical acquisition via iTunes backup
C. Manual acquisition by browsing the device
D. File system acquisition via AFC (Apple File Conduit)
Answer: A

Physical acquisition recovers full flash including deleted data.

Why this answer

Physical acquisition (A) creates a bit-for-bit copy of the entire flash storage, including unallocated space where deleted text messages (stored in SQLite WAL/SHM/journal files) often reside. Since the iPhone has no passcode, the forensic tool can bypass the lock screen and access the raw NAND, allowing recovery of deleted records that logical or file-system methods cannot reach because they only copy allocated files.

Exam trap

EC-Council often tests the misconception that logical or file-system methods can recover deleted data because they access the file system, but in iOS, only physical acquisition reaches the unallocated space where deleted messages persist.

How to eliminate wrong answers

Option B is wrong because logical acquisition via iTunes backup only retrieves files that are currently allocated and backed up; deleted text messages are not included in the backup, as iTunes does not capture unallocated space or SQLite write-ahead logs. Option C is wrong because manual acquisition by browsing the device only shows visible, undeleted content through the user interface; deleted messages are not displayed and cannot be recovered by simply scrolling or tapping. Option D is wrong because file system acquisition via AFC (Apple File Conduit) only provides access to the media partition and certain app sandboxes over USB, but it does not grant raw block-level access to the NAND or unallocated space, so deleted SQLite records remain unrecoverable.

775 · MCQ · medium

An investigator is examining a Windows system and needs to capture volatile data without altering the system. Which of the following tools would be MOST appropriate for acquiring the contents of RAM?

A. FTK Imager
B. dd
C. EnCase
D. Tableau write blocker
Answer: A

FTK Imager has a memory capture feature.

Why this answer

FTK Imager can capture a memory dump (RAM) from a live system, preserving volatile data for analysis.

776 · MCQ · hard

While investigating a compromised web server, you discover a file named 'shell.php' in the web root. The file contains the following code: `<?php system($_GET['cmd']); ?>`. Which of the following best describes this file?

A. A SQL injection script
B. A file upload vulnerability exploit
C. A backdoor trojan
D. A web shell
Answer: D

Web shells provide a command-line interface via HTTP.

Why this answer

This PHP code executes system commands passed via the 'cmd' GET parameter. This is a classic webshell, allowing remote command execution.

777 · MCQ · easy

A forensic examiner wants to recover deleted files from a USB drive formatted with FAT32. Which file carving tool is specifically designed to recover files based on file headers and footers?

A. Nmap
B. Foremost
C. Wireshark
D. Sleuth Kit
Answer: B

Foremost is a file carving tool that recovers files using headers and footers.

Why this answer

Foremost is a file carving tool that uses headers and footers to recover files. It is widely used for data recovery from FAT, NTFS, and other file systems.

778 · MCQ · hard

During a forensic examination, an analyst runs `dcfldd if=/dev/sda of=image.dd hash=sha256 hashwindow=1G` on a suspect drive. What is the PRIMARY advantage of using `hashwindow=1G` over a single hash at the end?

A. It enables the image to be mounted as a loop device.
B. It allows verification of the image in 1GB segments, so errors can be pinpointed.
C. It encrypts the image file for security.
D. It reduces the total time to create the image.
Answer: B

If a hash mismatch occurs, the analyst knows which 1GB block is problematic.

Why this answer

The `hashwindow=1G` option in `dcfldd` computes a SHA-256 hash for every 1 GB segment of the input data, rather than a single hash for the entire image. This allows the analyst to verify the integrity of each segment independently, so if a hash mismatch occurs during later verification, the exact 1 GB block containing the error can be identified and reacquired without reimaging the entire drive.

Exam trap

The trap here is that candidates confuse `hashwindow` with a performance optimization or encryption feature, when in fact it is an integrity verification mechanism that trades slight performance overhead for granular error detection.

How to eliminate wrong answers

Option A is wrong because `hashwindow` does not affect the ability to mount the image as a loop device; mounting requires a filesystem-aware tool like `mount` with `-o loop`, not a hashing parameter. Option C is wrong because `hashwindow` provides integrity verification, not encryption; `dcfldd` does not encrypt output, and encryption would require separate tools like `openssl` or `LUKS`. Option D is wrong because computing multiple hashes during imaging actually increases CPU overhead and can slightly increase total imaging time compared to a single hash at the end.

779 · MCQ · hard

During dynamic analysis of a Windows malware sample, Process Monitor shows repeated writes to 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'. What does this behaviour indicate?

A. The malware is disabling Windows Defender
B. The malware is establishing persistence to run at system startup
C. The malware is modifying network configuration
D. The malware is performing log wiping
Answer: B

The 'Run' key is used to automatically start programs when a user logs in.

Why this answer

The registry key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' is a standard Windows autorun location. Malware writing to this key ensures that its executable is launched automatically every time the system boots, which is a classic persistence mechanism. Process Monitor capturing repeated writes confirms the malware is actively establishing this startup persistence.

Exam trap

EC-Council often tests the distinction between persistence mechanisms (like Run keys) and other malware behaviors (like disabling security or log wiping), so the trap here is that candidates confuse the Run key's purpose with system configuration changes or defensive countermeasures.

How to eliminate wrong answers

Option A is wrong because disabling Windows Defender typically involves modifying security center settings or stopping services (e.g., via 'sc stop WinDefend' or writing to 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'), not writing to the Run key. Option C is wrong because modifying network configuration involves changes to TCP/IP parameters, DNS settings, or firewall rules (e.g., via netsh or registry keys under 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip'), not the Run key. Option D is wrong because log wiping involves clearing event logs (e.g., via 'wevtutil cl' or 'Clear-EventLog') or deleting log files, not writing to the Run registry key.

780
MCQmedium

A network forensics analyst captures traffic from a suspected data exfiltration. In Wireshark, filtering for DNS queries containing a long subdomain with base64-encoded text suggests which technique?

A.DNS tunneling
B.DNS hijacking
C.DNS poisoning
D.DNS amplification
AnswerA

DNS tunneling uses DNS queries/responses to transfer data covertly.

Why this answer

DNS tunneling encodes data in DNS queries to exfiltrate information, often using base64 in subdomains.

781
MCQmedium

A security analyst reviewing Windows Security Event Logs sees multiple Event ID 4625 entries for a single user account, followed by a successful Event ID 4624. The account is a domain administrator. What is the MOST likely explanation?

A.The user typed their password incorrectly several times before succeeding
B.The system experienced a denial of service attack
C.An attacker performed a brute-force password attack and succeeded
D.A misconfigured application caused repeated logon attempts
AnswerC

Multiple failed logon attempts followed by a successful logon, especially on a privileged account, strongly suggests a brute-force attack.

Why this answer

This pattern indicates a successful brute-force attack where the attacker guessed the password and then logged in successfully. Event ID 4625 indicates failed logon attempts, and Event ID 4624 indicates a successful logon.

782
MCQmedium

An iOS forensic analyst is examining data from an iCloud backup and finds a file named 'call_history.db'. Which SQLite table within this database is MOST likely to contain the duration and timestamp of each phone call?

A.ZCONTACT
B.ZOBJECT
C.call
D.ZCALL
AnswerC

The 'call' table stores call records including date, duration, and phone number.

Why this answer

In iOS, call history data is stored in the 'call_history.db' SQLite database, and the primary table containing call duration and timestamps is named 'call'. The 'call' table includes columns such as 'duration' (in seconds) and 'date' (as a Cocoa Core Data timestamp). This is the standard schema used by Apple's Phone app since iOS 4.

Exam trap

EC-Council often tests the misconception that iOS uses Core Data entity names with a 'Z' prefix (like ZCALL) for all databases, but the call_history.db uses a simple legacy table named 'call' without the prefix.

How to eliminate wrong answers

Option A is wrong because ZCONTACT is a table in the iOS AddressBook or Contacts database (e.g., AddressBook.sqlitedb), not in call_history.db, and it stores contact names and IDs, not call metadata. Option B is wrong because ZOBJECT is a table found in the KnowledgeC database (e.g., knowledgeC.db) used for app usage and behavior logging, not for call history records. Option D is wrong because ZCALL does not exist as a standard table in iOS call_history.db; the correct table is simply 'call', and the 'Z' prefix is used in Core Data entity names but not in this legacy SQLite schema.

783
MCQeasy

In static malware analysis, what is the purpose of using a tool like PEiD?

A.To monitor registry changes during execution
B.To detect packers or compilers used in the PE file
C.To disassemble the binary into assembly code
D.To analyze network traffic generated by the malware
AnswerB

PEiD identifies packers like UPX, ASPack.

Why this answer

PEiD is a static analysis tool that identifies packers, cryptors, and compilers embedded in Portable Executable (PE) files by scanning for known signatures in the file's entry point and section headers. This helps an analyst understand whether the malware is packed (obfuscated) and what tool was used to create or compress it, which is critical before attempting dynamic analysis or unpacking.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis tools, and the trap here is that candidates confuse PEiD with a disassembler or a runtime monitor, because they see 'analysis' and assume it covers all phases of malware examination.

How to eliminate wrong answers

Option A is wrong because monitoring registry changes during execution is a dynamic analysis technique, not static; tools like Regshot or Process Monitor are used for that purpose. Option C is wrong because disassembling a binary into assembly code is the function of a disassembler such as IDA Pro or Ghidra, not PEiD, which only identifies packers/compilers. Option D is wrong because analyzing network traffic generated by malware is a dynamic analysis task performed with tools like Wireshark or tcpdump, not a static analysis tool like PEiD.

784
MCQeasy

Which of the following is a primary challenge in cloud forensics due to the shared responsibility model?

A.Inability to perform live acquisition of volatile data without cooperation from the cloud provider
B.Data is always stored in a single jurisdiction
C.Lack of encryption support
D.Cloud logs are immutable and cannot be altered
AnswerA

In cloud environments, forensic investigators often lack physical or administrative access to capture volatile data (e.g., memory) without provider assistance.

Why this answer

The shared responsibility model means the cloud provider controls the infrastructure, limiting the investigator's ability to acquire volatile data without provider support.

785
MCQhard

An investigator seizes a computer that was involved in a crime. The suspect claims that the evidence was planted. Which forensic principle best helps to refute this claim by demonstrating that the evidence could only have been left by the suspect?

A.Locard's exchange principle
B.Hearsay rule
C.Best evidence rule
D.Chain of custody
AnswerA

Locard's principle asserts that every contact leaves a trace, supporting that the suspect's interaction with the evidence is inevitable.

Why this answer

Locard's exchange principle states that every contact leaves a trace. In digital forensics, this means the suspect's interaction with the computer—such as typing, accessing files, or connecting peripherals—will leave unique digital artifacts (e.g., registry keys, prefetch files, USB device serial numbers, or browser history). By demonstrating that these artifacts could only have been created by the suspect's specific actions or device, the investigator refutes the claim of planting.

Exam trap

EC-Council often tests whether candidates confuse chain of custody (a procedural safeguard) with Locard's principle (a scientific concept about trace evidence), leading them to pick chain of custody when the question asks about how evidence was left by the suspect.

How to eliminate wrong answers

Option B (Hearsay rule) is wrong because it is a legal rule governing the admissibility of out-of-court statements as evidence, not a forensic principle about physical or digital trace transfer. Option C (Best evidence rule) is wrong because it requires the original document or recording as evidence, not a principle explaining how evidence is left by a suspect. Option D (Chain of custody) is wrong because it documents the handling and integrity of evidence from seizure to court, but does not itself demonstrate that the evidence was left by the suspect.

786
MCQhard

In a UK-based investigation, law enforcement officers seize a computer without a warrant. The suspect argues the seizure violated his rights under the Police and Criminal Evidence Act 1984 (PACE). Which of the following is a key consideration under PACE regarding the admissibility of the seized evidence?

A.The evidence is automatically admissible because it was seized during an investigation.
B.The evidence is admissible because it is circumstantial.
C.The evidence is admissible only if the suspect signed a consent form.
D.The court may exclude the evidence if its admission would be unfair to the suspect.
AnswerD

Section 78 of PACE gives the court discretion to exclude evidence obtained improperly.

Why this answer

Under Section 78 of PACE, the court has discretion to exclude prosecution evidence if its admission would have such an adverse effect on the fairness of the proceedings that it ought not to be admitted. Since the computer was seized without a warrant, the court must weigh the potential breach of PACE safeguards against the probative value of the digital evidence. This is not automatic exclusion, but a judicial balancing test specific to the circumstances of the seizure.

Exam trap

EC-Council often tests the misconception that any procedural violation automatically excludes evidence, whereas PACE Section 78 gives the court discretion to admit evidence if the breach does not render the trial unfair.

How to eliminate wrong answers

Option A is wrong because PACE does not provide automatic admissibility for evidence seized without a warrant; the court retains discretion under Section 78 to exclude evidence obtained in breach of PACE codes. Option B is wrong because the classification of evidence as circumstantial or direct has no bearing on admissibility under PACE; the key factor is the fairness of the proceedings, not the type of evidence. Option C is wrong because PACE does not require a suspect's signed consent for admissibility; consent relates to lawful search and seizure under PACE Code B, but even without consent, evidence may still be admissible if the court deems it fair to admit.

787
Multi-Selecthard

During a forensic analysis of a compromised web server, an investigator identifies the following log entries. Which THREE entries are the strongest indicators of a successful web shell upload? (Choose three.)

Select 3 answers
A.POST /upload.php HTTP/1.1 200 0
B.POST /uploads/shell.aspx HTTP/1.1 200 - -
C.GET /uploads/shell.aspx?cmd=dir HTTP/1.1 200 - -
D.GET /../../windows/system32/cmd.exe HTTP/1.1 404 - -
E.GET /images/logo.png HTTP/1.1 304 - -
AnswersA, B, C

A successful POST to upload.php could be a PHP-based web shell upload.

Why this answer

Successful uploads of aspx or php files that contain web shell code (e.g., with a cmd parameter) and subsequent access to those files are strong indicators. The 404 for cmd.exe indicates a path traversal attempt, not a web shell.

788
Multi-Selecthard

During the initial response to a suspected data exfiltration, which THREE pieces of volatile data should be collected first? (Choose three.)

Select 3 answers
A.Current network connections.
B.List of running processes.
C.Contents of system memory (RAM).
D.Windows registry hives.
E.Forensic image of the hard drive.
AnswersA, B, C

Network connections are transient and may disappear.

Why this answer

Current network connections (A) are volatile because they show active communication channels that could indicate data exfiltration in progress. If the system is shut down or disconnected, this evidence is lost immediately, making it a top priority for collection during initial response.

Exam trap

EC-Council often tests the Order of Volatility principle, and the trap here is that candidates mistakenly prioritize persistent data like registry hives or disk images over transient evidence that disappears immediately upon shutdown.

789
MCQhard

A security analyst discovers unauthorized access to a server. The incident response team decides to preserve evidence. Which of the following actions is MOST critical to ensure the admissibility of evidence in court?

A.Disconnecting the server from the network
B.Documenting the chain of custody
C.Running a full antivirus scan on the server
D.Taking screenshots of the server's screen
AnswerB

Correct. Chain of custody is essential for evidence admissibility.

Why this answer

Chain of custody documentation is the most critical action for evidence admissibility because it establishes a verifiable record of who handled the evidence, when, and under what conditions, ensuring the evidence has not been tampered with. Without a proper chain of custody, even technically sound evidence can be ruled inadmissible under rules like Federal Rule of Evidence 901. In forensic practice, this involves logging every access with timestamps, digital signatures, and hash values (e.g., SHA-256) to maintain integrity.

Exam trap

EC-Council often tests the misconception that immediate network disconnection is the top priority, but the CHFI exam emphasizes that preserving the integrity and admissibility of evidence through chain of custody outweighs technical containment actions.

How to eliminate wrong answers

Option A is wrong because disconnecting the server from the network may cause loss of volatile data (e.g., active network connections, memory contents) and can trigger anti-forensic mechanisms; the proper forensic step is to capture a memory dump and network state before isolation. Option C is wrong because running a full antivirus scan modifies file access times, potentially overwrites deleted files, and alters the system state, which violates forensic integrity principles (e.g., not altering original evidence). Option D is wrong because screenshots are easily manipulated and lack metadata integrity; they do not provide a verifiable, hash-authenticated record like a forensic image or chain-of-custody log.

790
Multi-Selecthard

Which THREE of the following are challenges specific to container forensics? (Select THREE.)

Select 3 answers
A.Containers share the same kernel as the host, limiting isolation for forensic acquisition
B.Network isolation prevents packet capture
C.Ephemeral nature of containers leads to volatile evidence
D.Standard forensic imaging tools can be directly applied
E.Need to analyze layered image filesystem instead of a single disk image
AnswersA, C, E

This complicates evidence collection without affecting other containers.

Why this answer

Containers are ephemeral (volatile evidence), they share the host kernel (limited isolation), and they rely on layered images that must be analyzed. Standard disk imaging tools may not work; network isolation is not a specific challenge.

791
MCQmedium

A network analyst captures traffic and sees an HTTP request containing: GET /wp-content/uploads/evil.php?cmd=id HTTP/1.1. Which of the following is MOST likely occurring?

A.Webshell access
B.SQL injection attack
C.Cross-site scripting (XSS) attack
D.Directory traversal attack
AnswerA

The request to a PHP file with a cmd parameter suggests a webshell that allows command execution.

Why this answer

The request attempts to execute a command (id) via a PHP file in the uploads directory, indicating a webshell. Webshells allow attackers to execute commands on the server.

792
MCQmedium

An investigator is analyzing a Windows 10 system suspected of malware persistence. Which registry key is commonly used by malware to achieve persistence by running a program at every user logon?

A.HKLM\SAM\SAM
B.HKLM\SYSTEM\CurrentControlSet\Services
C.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
D.HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall
AnswerC

This Run key specifies programs that run automatically when the user logs on.

Why this answer

The Run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is a common persistence mechanism that starts programs when the user logs on.

793
MCQeasy

What is the primary difference between MBR and GPT partition tables?

A.MBR is used only on Linux; GPT is used on Windows
B.GPT uses a cyclic redundancy check (CRC) for integrity; MBR does not
C.MBR supports larger disks than GPT
D.GPT stores the partition table only in the first sector
AnswerB

Correct. GPT has CRC32 checksums; MBR has no integrity check.

Why this answer

MBR uses 32-bit entries and supports up to 4 primary partitions and disks up to 2 TB. GPT uses 64-bit entries, supports up to 128 partitions, and disks larger than 2 TB, with a backup partition table for redundancy.

794
Multi-Selecthard

According to the US Fourth Amendment, which of the following THREE conditions generally allow law enforcement to search and seize digital evidence without a warrant? (Select THREE)

Select 3 answers
A.Consent given voluntarily by the owner of the device
B.The suspect is a minor
C.Exigent circumstances where evidence is likely to be destroyed
D.The data is encrypted and the key is not provided
E.The evidence is in plain view during a lawful search
AnswersA, C, E

Consent is a valid exception.

Why this answer

Option A is correct because the Fourth Amendment generally requires a warrant for searches, but an exception exists when the owner of the device voluntarily consents to the search. In digital forensics, consent must be knowing, intelligent, and voluntary, and it can be revoked at any time. This exception is commonly applied when a suspect agrees to a forensic examination of their computer or mobile device without a court order.

Exam trap

EC-Council often tests the misconception that encryption or a minor's status automatically creates a warrant exception, when in fact neither condition alone satisfies the Fourth Amendment's requirements for a warrantless search.

795
MCQmedium

An attacker has compromised a Linux server and edited the /etc/passwd file to change a user's UID to 0. What is the likely goal of this modification?

A.To lock the user account
B.To escalate privileges to root
C.To enable password-less login
D.To hide the user account from the system
AnswerB

UID 0 gives root-level access.

Why this answer

UID 0 is the root user. Changing a user's UID to 0 grants that user root privileges, providing privileged access.

796
MCQhard

A forensic examiner is analyzing a compromised Linux server and notices that /etc/cron.daily contains a script named 'sysupdate.sh' that runs a base64-encoded command. Which persistence mechanism is being used?

A.LD_PRELOAD library injection
B.Cron job for daily execution
C.Systemd service
D.SSH authorized_keys backdoor
AnswerB

The script is in /etc/cron.daily, indicating a daily cron job.

Why this answer

Cron jobs in /etc/cron.daily are scheduled tasks that run daily. Malicious scripts placed there provide persistence by re-executing at regular intervals.

797
MCQeasy

Which of the following is a key difference between static and dynamic malware analysis?

A.Static analysis executes the malware, dynamic does not
B.Static analysis requires an internet connection, dynamic does not
C.Static analysis examines code without execution, dynamic analysis executes the sample
D.Static analysis is always automated, dynamic is manual
AnswerC

Static involves disassembly and code review; dynamic involves running the malware.

Why this answer

Static malware analysis involves examining the malware's code (e.g., disassembly, strings, headers) without executing it, while dynamic analysis runs the sample in a controlled environment (e.g., sandbox, debugger) to observe its runtime behavior. Option C correctly captures this fundamental distinction: static analysis is code-centric and non-executional, whereas dynamic analysis is behavior-centric and executional.

Exam trap

The trap here is that candidates often confuse the terms 'static' and 'dynamic' by associating 'static' with 'not moving' (incorrectly thinking it means no analysis) or misremembering which one involves execution, leading them to pick Option A.

How to eliminate wrong answers

Option A is wrong because it reverses the definitions: static analysis does NOT execute the malware, while dynamic analysis does. Option B is wrong because neither analysis inherently requires an internet connection; dynamic analysis often uses simulated network services (e.g., INetSim) to avoid real internet traffic, and static analysis can be performed offline. Option D is wrong because both static and dynamic analysis can be automated (e.g., YARA rules for static, Cuckoo Sandbox for dynamic) or performed manually, so automation is not a distinguishing factor.

798
MCQeasy

Which of the following is an example of an anti-forensics technique used to hide malicious activity?

A.Timestomping
B.Running a sandbox
C.Creating a mutex
D.Generating a hash
AnswerA

Alters timestamps to evade detection.

Why this answer

Timestomping is an anti-forensics technique that deliberately modifies file timestamps (e.g., MAC times: Modified, Accessed, Created) using tools like `touch` on Linux or `SetFileTime` on Windows. By altering these timestamps, an attacker can hide the true timeline of malicious file creation, modification, or access, thereby evading forensic timeline analysis and making it appear that malicious activity occurred at a different time or was part of legitimate system operations.

Exam trap

Cisco often tests the misconception that any technique used by malware (like creating a mutex) is automatically an anti-forensics technique, when in fact anti-forensics specifically targets the forensic process itself (e.g., data hiding, evidence destruction, or timeline manipulation).

How to eliminate wrong answers

Option B is wrong because running a sandbox is a security analysis technique used to execute suspicious code in an isolated environment to observe its behavior, not an anti-forensics technique to hide malicious activity. Option C is wrong because creating a mutex (mutual exclusion object) is a common programming construct used by both legitimate software and malware for synchronization or to prevent multiple instances, but it is not inherently an anti-forensics technique; while some malware uses mutexes as infection markers, this does not hide activity from forensic tools. Option D is wrong because generating a hash (e.g., MD5, SHA-1) is a standard integrity verification method used in forensics to ensure evidence has not been altered, not a technique to conceal malicious activity.

799
MCQmedium

A forensic analyst receives a mobile device that has been factory reset. Which of the following types of data is MOST likely to be recoverable using advanced forensic techniques?

A.Deleted text messages and call logs, but not app data
B.All user data, as factory reset only deletes file pointers
C.Google account tokens and cached credentials
D.No data is recoverable after a factory reset on modern devices
AnswerC

Some tokens may persist in NVRAM or other storage; advanced techniques like chip-off may recover them.

Why this answer

Option C is correct because a factory reset typically does not overwrite the flash memory where Google account tokens and cached credentials are stored. Advanced forensic techniques, such as chip-off or JTAG, can recover these remnants from the NAND flash memory, as the reset only marks the storage blocks as available for reuse without physically erasing the data.

Exam trap

EC-Council often tests the misconception that a factory reset is equivalent to a secure wipe, but in reality, it only deletes file pointers and leaves residual data in unallocated flash memory, which advanced forensic techniques can recover.

How to eliminate wrong answers

Option A is wrong because deleted text messages and call logs are also stored in unallocated flash memory and can be recovered alongside app data using advanced techniques, not exclusively excluded. Option B is wrong because a factory reset does not preserve all user data; it clears user data partitions and file pointers, but some residual data may remain in unallocated space, not the entire dataset. Option D is wrong because modern devices still leave recoverable data in unallocated NAND flash blocks after a factory reset, especially tokens and credentials, due to the lack of secure erase commands like eMMC sanitize being executed.

800
MCQeasy

Which Windows Event ID is generated when a new service is installed on the system?

A.4648
B.4720
C.7045
D.4624
AnswerC

7045 indicates a new service installation.

Why this answer

Event ID 7045 is logged in the System event log when a service is installed on a Windows system.

801
MCQeasy

Which of the following best describes the purpose of the Master File Table (MFT) in the NTFS filesystem?

A.It manages the file allocation table for cluster chains
B.It stores the partition table and boot sector
C.It contains metadata and file attribute records for all files and directories
D.It maintains a journal of all filesystem changes
AnswerC

Correct. The MFT stores file metadata and attributes.

Why this answer

The MFT is a relational database containing one or more records for each file and directory on the volume, storing metadata such as timestamps, permissions, and data runs.

802
Multi-Selectmedium

A malware sample creates the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareName. Which THREE of the following are appropriate next steps for the analyst?

Select 3 answers
A.Run a full system antivirus scan
B.Document the registry key as an IoC for future detection
C.Check for similar persistence keys in other Run locations and scheduled tasks
D.Delete the registry key to remove the persistence mechanism
E.Contact law enforcement immediately
AnswersB, C, D

Registry keys are valuable IoCs for detection and threat intelligence.

Why this answer

The registry key indicates persistence. The analyst should document it as an IoC, delete the key to remove persistence, and examine other common persistence locations. Running a full system scan may be helpful but is less specific; contacting law enforcement is premature unless required.

803
MCQeasy

A forensic analyst is troubleshooting a write-blocker that is not working correctly. The analyst connected the write-blocker between the suspect drive and the forensic workstation, but the workstation still shows the drive as writable. What is the most likely cause?

A.The suspect drive was connected before the write-blocker was powered on
B.The write-blocker does not have external power
C.The suspect drive uses SATA but the write-blocker is USB-only
D.The write-blocker is connected to the suspect drive's output port
AnswerA

Connecting the drive before powering the write-blocker can bypass the write-block.

Why this answer

When a write-blocker is powered on after the suspect drive is already connected, the drive may have already been enumerated by the operating system as a writable device. Write-blockers rely on intercepting and filtering ATA/SCSI commands at the hardware level before the OS sees the drive; if the drive is connected first, the OS may have already sent write commands or cached write attributes, bypassing the blocker's protection. This is why the proper sequence is to power on the write-blocker first, then connect the suspect drive.

Exam trap

EC-Council often tests the power-on sequence as a subtle but critical procedural step, knowing that candidates may focus on hardware compatibility or cabling errors instead of the order of operations.

How to eliminate wrong answers

Option B is wrong because most write-blockers are designed to draw power from the host USB port or have an external power adapter; lack of external power would cause the blocker to not enumerate at all, not to allow writes. Option C is wrong because SATA-to-USB write-blockers exist and are common; if the blocker is USB-only, it simply would not physically connect to a SATA drive, so the workstation would not see the drive at all. Option D is wrong because write-blockers have clearly labeled input (suspect drive) and output (host) ports; connecting to the output port would reverse the data flow and likely cause no enumeration or a connection error, not a writable drive.

804
Multi-Selectmedium

Which TWO Linux log files are MOST relevant for investigating authentication events and user login activity? (Choose TWO.)

Select 2 answers
A./var/log/boot.log
B./var/log/dmesg
C./var/log/kern.log
D./var/log/auth.log
E./var/log/syslog
AnswersD, E

Primary log for authentication events on Debian/Ubuntu systems.

Why this answer

/var/log/auth.log records authentication attempts (login, sudo, SSH). /var/log/syslog contains general system logs, including some auth messages. /var/log/kern.log is for kernel messages, /var/log/boot.log for boot messages, and /var/log/dmesg for the kernel ring buffer.

805
MCQmedium

An investigator uses the `volatility -f mem.dump netscan` command on a memory dump from a Windows 10 system. What information is this command primarily intended to reveal?

A.Network connections and listening ports
B.List of running processes
C.File handles opened by each process
D.Registry hives loaded in memory
AnswerA

netscan enumerates network artifacts from memory.

Why this answer

The `netscan` plugin in Volatility scans memory for network connections (TCP and UDP) and listening ports, including those from hidden or terminated processes.

806
MCQhard

During a forensic investigation, you encounter a RAID 5 array consisting of three 1 TB disks. The array is failed, and you need to reconstruct the original data. Which of the following approaches is MOST appropriate for data recovery?

A.Mount each disk individually and copy files
B.Run `mdadm --assemble --scan` on the images
C.Use `dd` to image each disk and then XOR the three images together
D.Use EnCase to perform a RAID rebuild with known parameters
AnswerD

Correct. EnCase and similar tools can automate RAID reconstruction given disk order, stripe size, and parity rotation.

Why this answer

Forensic tools like EnCase or FTK can reconstruct RAID arrays if the parameters (stripe size, parity order) are known. Manual reconstruction using dd and parity calculations is possible but error-prone.

807
MCQeasy

A forensic examiner needs to acquire the RAM from a Windows 10 system without altering the contents. Which tool is MOST appropriate for this task?

A.WinPmem
B.FTK Imager
C.LiME
D.dd
AnswerA

WinPmem is designed for capturing Windows RAM.

Why this answer

WinPmem is a memory acquisition tool for Windows that supports capturing RAM. It is widely used in forensics. LiME is for Linux; FTK Imager can acquire disk images but not RAM.

808
Multi-Selecteasy

During a Windows forensic investigation, an analyst finds prefetch files with the .pf extension. Which TWO pieces of information can the analyst obtain from analyzing prefetch files?

Select 2 answers
A.The number of times the application has been executed
B.The exact date and time of each execution
C.The username that executed the application
D.The command-line arguments used to launch the program
E.The IP addresses the application connected to
AnswersA, B

Prefetch stores a run counter.

Why this answer

Prefetch files contain metadata about application execution, including the full path to the executable, run count, and last run time. They can also list the DLLs loaded. The run count and last run time are useful for building a forensic timeline.

809
MCQeasy

Which of the following tools is designed specifically for dynamic analysis of malware by executing it in a controlled, isolated environment?

A.PEiD
B.Ghidra
C.Cuckoo Sandbox
D.IDA Pro
AnswerC

Cuckoo Sandbox is a dynamic analysis tool that runs malware in an isolated environment and monitors behavior.

Why this answer

Cuckoo Sandbox is an open-source automated malware analysis system designed specifically for dynamic analysis. It executes suspicious files in a controlled, isolated environment (a virtual machine) and monitors their behavior, including system calls, file system changes, registry modifications, and network traffic, to produce a comprehensive report without risking the host system.

Exam trap

EC-Council often tests the distinction between static analysis tools (like PEiD, Ghidra, IDA Pro) and dynamic analysis sandboxes (like Cuckoo), so the trap is that candidates may confuse a debugger or disassembler (which can execute code step-by-step) with a fully automated, isolated sandbox environment.

How to eliminate wrong answers

Option A (PEiD) is wrong because it is a static analysis tool that detects packers, cryptors, and compilers in PE files by scanning signatures; it does not execute malware. Option B (Ghidra) is wrong because it is a reverse-engineering framework focused on static analysis and disassembly/decompilation of binaries, not on executing malware in an isolated environment. Option D (IDA Pro) is wrong because it is an interactive disassembler and debugger used for static and limited dynamic analysis (via its debugger), but it is not designed as a sandbox for automated, isolated execution of malware.

810
Multi-Selectmedium

Which TWO of the following are valid methods for acquiring volatile data from a live Windows system? (Choose two.)

Select 2 answers
A.Copying the Windows registry
B.Capturing active network connections
C.Imaging the hard drive
D.Extracting the Master File Table (MFT)
E.Dumping the contents of RAM
AnswersB, E

Network connections are volatile.

Why this answer

Option B is correct because capturing active network connections (e.g., with `netstat -ano`, or `netstat -anob` to include the owning executable) retrieves volatile data that is lost when the system is powered off: current TCP/UDP connections, listening ports and the associated process IDs, which are critical for identifying active threats or unauthorized communications during incident response. Option E is correct because a RAM dump (taken with a memory acquisition tool such as FTK Imager, WinPmem or DumpIt) preserves running processes, loaded drivers, open handles, injected code and keys that exist only in memory; it is the most volatile artifact and is normally captured first, before the network state is collected.

Exam trap

EC-Council often tests the distinction between volatile and non-volatile data, trapping candidates who confuse persistent artifacts (registry, MFT, hard drive images) with live system state (RAM, network connections) that disappears on power loss.

811
Multi-Selectmedium

A forensic analyst is examining a Google Cloud Platform (GCP) environment after a security incident. Which TWO GCP services should the analyst use to audit API activity and resource changes? (Select TWO.)

Select 2 answers
A.Cloud Asset Inventory
B.Cloud Audit Logs
C.Cloud Storage Object Change Notification
D.Cloud Monitoring
E.Cloud Functions
AnswersA, B

Cloud Asset Inventory provides a history of resource configurations and changes.

Why this answer

Cloud Audit Logs (Admin Activity, Data Access, System Event and Policy Denied logs) record who called which API on which resource, while Cloud Asset Inventory keeps a searchable history of resource metadata and IAM policy so configuration changes can be reconstructed. Cloud Monitoring reports metrics and uptime rather than API calls, Cloud Storage object change notifications cover only object events in a bucket, and Cloud Functions is a compute service, not an audit source.

812
MCQeasy

In Linux forensics, which file contains user account information including the user ID, group ID, home directory, and default shell?

A./etc/passwd
B./var/log/auth.log
C./etc/shadow
D./proc/cpuinfo
AnswerA

/etc/passwd contains user account information.

Why this answer

/etc/passwd is world-readable and holds one colon-separated record per account: login name, password placeholder (usually `x`), UID, GID, GECOS comment, home directory and login shell. /etc/shadow, readable only by root, holds the password hashes and password-aging data; /var/log/auth.log records authentication events rather than account definitions; /proc/cpuinfo describes the processor.
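As an added example (not part of the question bank), the script below parses /etc/passwd records and applies the checks an examiner runs first on a Linux image: a second UID-0 account, duplicate UIDs, and service accounts with an interactive shell. The passwd lines are constructed; `sync2` and the duplicate UID 1000 are planted anomalies, not entries from any real system, and the interactive-shell list is an assumption.

```python
"""Audit a /etc/passwd file the way a Linux forensic triage script would.

Added example; not part of the question bank. The passwd lines below are
constructed: 'sync2' (a second UID-0 account) and the duplicate UID 1000
are planted anomalies, not entries from any real system.
"""
from dataclasses import dataclass
from typing import Dict, List

# Shells that give an interactive login (assumption for this example).
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash", "/usr/bin/bash"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync2:x:0:0:sync:/bin:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:1000:34:backup:/var/backups:/usr/sbin/nologin
this line is malformed
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse name:pw:uid:gid:gecos:home:shell records, skipping junk lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # damaged or hand-edited line; worth a note in a real report
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
        except ValueError:
            continue  # non-numeric UID/GID gets the same treatment as malformed
    return entries


def find_anomalies(entries: List[PasswdEntry]) -> List[str]:
    """Return human-readable findings for accounts an examiner should review."""
    findings: List[str] = []
    by_uid: Dict[int, List[str]] = {}
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.name)
        if e.uid == 0 and e.name != "root":
            findings.append(f"UID 0 account other than root: {e.name}")
        elif e.uid < 1000 and e.name != "root" and e.shell in INTERACTIVE_SHELLS:
            findings.append(f"system account with interactive shell: {e.name} ({e.shell})")
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(f"duplicate UID {uid}: {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

On a mounted image, point `parse_passwd` at the image's own `etc/passwd` rather than the analysis workstation's, and compare the result with `etc/shadow` (an account whose shadow entry has an empty or `!` password field but a UID of 0 is still worth reporting).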

813
MCQmedium

During a mobile forensic investigation, an examiner finds that the seized iPhone is locked with a passcode but is running iOS 11. Which acquisition method should the examiner prioritize to obtain the most data without bypassing the passcode?

A.Physical acquisition using a JTAG tool
B.Logical acquisition via iTunes backup
C.File system acquisition using Cellebrite UFED
D.Manual acquisition by photographing the screen
AnswerB

An iTunes backup can be initiated from a locked device if the examiner's workstation is already trusted (or holds a pairing/lockdown record copied from a trusted computer), and it yields many artifacts, including SMS, contacts and call history.

Why this answer

On iOS 11, a locked device prevents physical and file system acquisitions due to hardware encryption and the Secure Enclave. Logical acquisition via iTunes backup is the recommended method because it can extract most user data (contacts, messages, photos) without requiring the passcode to be bypassed, as the backup process is authorized by the device's trust relationship with a previously paired computer. Since iOS 11 the device also asks for the passcode before trusting a new computer, so the examiner needs an existing pairing (lockdown) record; if the owner enabled encrypted backups, the backup password is additionally required to read the contents.

Exam trap

EC-Council often tests the misconception that physical acquisition is always superior, but on modern iOS devices, logical acquisition via iTunes backup is the only viable method for a locked device short of bypassing the passcode.

How to eliminate wrong answers

Option A is wrong because JTAG physical acquisition requires physical access to the device's circuit board and is typically used for older devices or when the device is disabled; on iOS 11, the Secure Enclave and full-disk encryption make JTAG impractical for locked devices without passcode bypass. Option C is wrong because file system acquisition using Cellebrite UFED on iOS 11 requires either a jailbreak or a known passcode to decrypt the file system; without bypassing the passcode, UFED cannot access the encrypted file system. Option D is wrong because manual acquisition by photographing the screen only captures visible data and is not a forensic acquisition method; it fails to retrieve deleted data, metadata, or data not currently displayed.

814
MCQeasy

A security analyst arrives at a crime scene where a computer is turned on and the screen shows a document. What is the FIRST action the analyst should take according to forensic best practices?

A.Create a forensic image of the hard drive using a write blocker.
B.Open the Task Manager to check for suspicious processes.
C.Immediately unplug the power cord to preserve volatile data.
D.Photograph the screen and surroundings, then proceed to document the scene.
AnswerD

Photographing and documenting the scene is the initial step to capture the current state.

Why this answer

Option D is correct because the first priority at a live scene is to record the state of the system and its environment before anything changes it. Photographing the screen and surroundings preserves what is currently visible (open documents, dialogs, the logged-in user, connected peripherals) and establishes a baseline against which every later action can be documented. Volatile data that is not on screen (running processes, network connections, RAM contents) is then collected by a live response, in order of volatility, while minimizing changes to the evidence.

Exam trap

EC-Council often tests the misconception that preserving volatile data means immediately pulling the plug, when in fact the correct first step is to document the live state to avoid destroying evidence that cannot be recovered.

How to eliminate wrong answers

Option A is wrong because creating a forensic image with a write blocker comes later, after the live state has been documented and volatile data collected; a write blocker is attached to a drive that has been removed from a powered-down system, so doing this first would destroy the live state before it was recorded. Option B is wrong because opening Task Manager alters the system state (e.g., changes process metadata, modifies memory) and may destroy volatile evidence like running processes or network connections. Option C is wrong because immediately unplugging the power cord destroys volatile data (RAM, network connections, process lists) and can cause file system corruption or loss of encryption keys, violating the order of volatility.

815
MCQeasy

A forensic analyst is performing timeline analysis on a compromised system. Which tool is specifically designed to parse multiple log sources and create a super timeline?

A.Sleuth Kit
B.log2timeline
C.Volatility
D.Wireshark
AnswerB

log2timeline (part of Plaso) is designed to create super timelines from multiple sources.

Why this answer

log2timeline is the collection front end of the Plaso framework: it parses many artifact types (file system metadata, Windows event logs, registry hives, browser history, syslog and so on) into a single storage file, and psort then filters and exports that data as a sorted super timeline. Sleuth Kit produces file system timelines only, Volatility analyzes memory images, and Wireshark analyzes packet captures.
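The normalization step that makes a super timeline possible, shown as an added example (this is not Plaso code): three constructed artifact formats, a year-less syslog line in host local time, a Windows event in ISO 8601 UTC and a file system record with an epoch timestamp, are converted to UTC and merged into one ordered list. The log lines, event IDs, file path, year and UTC+2 host timezone are all assumptions.

```python
"""Merge artifacts from different sources into one ordered timeline.

Added example, not Plaso code: it shows the normalization step that
log2timeline performs, turning three constructed artifact formats into UTC
datetimes and sorting them into a single timeline. The syslog lines, Windows
events, file-system record, year and host timezone are all assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

Event = Tuple[datetime, str, str]  # (UTC timestamp, source, description)

# Syslog lines carry no year and are stamped in the host's local time;
# assume 2024 and a host running at UTC+2.
SYSLOG_YEAR = 2024
SYSLOG_TZ = timezone(timedelta(hours=2))
SYSLOG = [
    "Mar 14 08:02:11 web01 sshd[2210]: Accepted password for alice from 203.0.113.7 port 51022 ssh2",
    "Mar 14 08:05:40 web01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash",
]

# Windows Security events exported with ISO 8601 UTC timestamps.
WINEVT = [
    ("2024-03-14T06:03:55Z", 4624, "Logon: alice from 203.0.113.7"),
    ("2024-03-14T06:10:02Z", 4688, "Process created: C:\\Windows\\Temp\\a.exe"),
]

# File-system metadata as Unix epoch seconds (already UTC).
FS_RECORDS = [
    ("/var/www/html/uploads/shell.php", "created", 1710396300),  # 2024-03-14 06:05:00Z
]


def parse_syslog(line: str) -> Event:
    """'Mon DD HH:MM:SS host msg' in host local time -> UTC event."""
    stamp, rest = line[:15], line[16:]
    local = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return (local.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc), "syslog", rest)


def parse_winevt(ts: str, event_id: int, msg: str) -> Event:
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (dt, "winevt", f"EventID {event_id}: {msg}")


def parse_fs(path: str, action: str, epoch: int) -> Event:
    return (datetime.fromtimestamp(epoch, tz=timezone.utc), "filesystem", f"{action}: {path}")


def build_timeline() -> List[Event]:
    """The 'super' part: every source lands in the same list, sorted by UTC time."""
    events = [parse_syslog(line) for line in SYSLOG]
    events += [parse_winevt(*e) for e in WINEVT]
    events += [parse_fs(*r) for r in FS_RECORDS]
    return sorted(events, key=lambda e: e[0])


def render(events: List[Event]) -> List[str]:
    """One CSV-style row per event, the shape psort's exported output takes."""
    return [f"{ts:%Y-%m-%d %H:%M:%S}Z,{src},{desc}" for ts, src, desc in events]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

Getting the host timezone and the syslog year wrong is the classic way a merged timeline lies: with the UTC+2 assumption above, the `sudo` line lands 40 seconds after the web shell was written, which is the sequence an examiner would expect; without the conversion it would appear two hours later.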

816
MCQmedium

During a forensic examination of a Windows 10 system, you find a file with an ADS named `:hidden.txt` attached to `legal.docx`. Using FTK Imager, you extract the ADS and discover it contains a list of passwords. Which tool or technique could also be used to identify this hidden data?

A.Analyzing the $MFT using Autopsy
B.Running `strings` on the raw partition
C.Using `lsof` on a live system
D.Performing file carving with PhotoRec
AnswerA

Autopsy can parse the $MFT and display ADS entries.

Why this answer

Autopsy (built on The Sleuth Kit) lists alternate data streams as additional named $DATA attributes when it parses the $MFT record for a file. The TSK `istat` command shows the same attributes on the command line, and on a live Windows system `dir /r` or PowerShell `Get-Item -Stream *` would reveal the stream. `strings` on the raw partition might find the password text but would not tie it to `legal.docx` as a named stream, `lsof` is a Linux tool that does not understand NTFS streams, and file carving ignores file system metadata altogether.

817
Multi-Selecteasy

A network forensic investigator is analyzing traffic from a compromised web server. Which TWO artifacts are MOST likely to indicate the presence of a web shell? (Select TWO.)

Select 2 answers
A.Multiple DNS queries to external domains
B.Excessive SYN-ACK packets
C.Presence of a suspicious .aspx or .php file in web directories
D.Unusual HTTP POST requests to non-standard scripts
E.High volume of ICMP traffic
AnswersC, D

Web shells are often uploaded as .php, .aspx, etc.

Why this answer

Web shells are uploaded as server-side scripts (.php, .aspx, .jsp) into directories that normally hold only static content, and they are driven by HTTP requests, typically POSTs carrying commands, to a path the application never exposed; both show up in the web server's file system and access logs. DNS queries, SYN-ACK packets and ICMP volume are generic network indicators that do not point to a server-side script.
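The two log-side indicators above, turned into detection logic as an added example (not part of the question bank): the script parses constructed Apache combined-format access-log lines and flags a script served from a directory that should hold only static content, and any POST to a script that is not a known application endpoint. The log lines, the static-directory list and the POST allowlist are assumptions; on a real server the allowlist comes from the application's route table.

```python
"""Flag access-log entries that look like web-shell activity.

Added example, not from the question bank. It runs two simple detections
over constructed Apache combined-format log lines: a server-side script
served from a directory that should hold only static content, and a POST to
a script that is not a known application endpoint. The log lines, the
static-directory list and the allowlist are assumptions for this example.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)
SCRIPT_EXT = (".php", ".aspx", ".asp", ".jsp")
STATIC_DIRS = ("/uploads/", "/images/", "/static/")  # should never execute scripts
POST_ALLOWLIST = {"/login.php", "/contact.php", "/api/upload.php"}  # known app endpoints

SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2024:06:05:41 +0000] "POST /uploads/shell.php HTTP/1.1" 200 512
203.0.113.7 - - [14/Mar/2024:06:05:50 +0000] "POST /uploads/shell.php?cmd=id HTTP/1.1" 200 87
198.51.100.23 - - [14/Mar/2024:06:06:02 +0000] "POST /login.php HTTP/1.1" 302 0
198.51.100.23 - - [14/Mar/2024:06:06:10 +0000] "GET /images/logo.png HTTP/1.1" 200 4120
203.0.113.7 - - [14/Mar/2024:06:07:30 +0000] "POST /includes/.cache.php HTTP/1.1" 200 301
10.0.0.5 - - [14/Mar/2024:06:08:00 +0000] "GET /index.php HTTP/1.1" 200 2048
this line is not a valid access-log record
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["path"].partition("?")  # keep query for the report
    return rec


def is_script(path: str) -> bool:
    return path.lower().endswith(SCRIPT_EXT)


def detect(log_text: str) -> Tuple[List[str], Dict[str, Counter]]:
    """Return findings plus, per suspicious script, a count of POSTing client IPs."""
    findings: List[str] = []
    posts_per_script: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, ip = rec["path"], rec["ip"]
        if is_script(path) and path.startswith(STATIC_DIRS):
            findings.append(f"script served from static directory: {rec['method']} {path} by {ip}")
        if rec["method"] == "POST" and is_script(path) and path not in POST_ALLOWLIST:
            query = f" (query: {rec['query']})" if rec["query"] else ""
            findings.append(f"POST to non-standard script: {path} by {ip}{query}")
            posts_per_script[path][ip] += 1
    return findings, posts_per_script


if __name__ == "__main__":
    found, stats = detect(SAMPLE_LOG)
    print("\n".join(found))
    for script, clients in stats.items():
        print(script, dict(clients))
```

The per-script client count is the useful pivot: a web shell is typically driven by one or two source addresses, whereas a legitimate endpoint sees many. Note that the second detection deliberately ignores the HTTP status, since a working shell answers 200 just like the application does.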

818
MCQhard

During a Linux forensic investigation, you find that the file /etc/cron.d/evil contains the entry: '* * * * * root /bin/bash /root/backdoor.sh'. What persistence mechanism is being used?

A.Systemd service
B.Init script
C.Cron job
D.At job
AnswerC

Cron jobs in /etc/cron.d execute on schedule.

Why this answer

Files in /etc/cron.d use the system crontab format: five schedule fields, then the user the command runs as, then the command. `* * * * *` fires every minute, so this entry relaunches /root/backdoor.sh as root within a minute of being killed, which is why attackers favor it over a one-shot at job or a systemd service that needs a unit file.
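A parser for that system crontab format, written as an added example (not part of the question bank): it handles the user field that distinguishes /etc/cron.d and /etc/crontab entries from user crontabs, environment lines and `@reboot`-style shortcuts, and then flags root jobs that run every minute or launch from writable or unusual locations. The entries, the shell list and the suspicious-directory list are assumptions.

```python
"""Triage system crontab entries (/etc/cron.d, /etc/crontab) for persistence.

Added example, not from the question bank. Unlike a user crontab, the system
crontab format has a user field between the schedule and the command; the
parser below handles that plus environment lines and @reboot-style shortcuts,
then flags root jobs that run every minute or launch from writable or unusual
locations. The entries and the suspicious-directory list are assumptions.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/", "/home/")
SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh"}

SAMPLE_CROND = """\
# constructed /etc/cron.d/evil plus three benign entries
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root /bin/bash /root/backdoor.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot www-data /usr/local/bin/warmup-cache
0 3 * * 0 root /usr/bin/certbot renew --quiet
"""

ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")
JOB_RE = re.compile(r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


@dataclass
class CronJob:
    schedule: str
    user: str
    command: str

    @property
    def every_minute(self) -> bool:
        return self.schedule == "* * * * *"


def parse_crond(text: str) -> Tuple[Dict[str, str], List[CronJob]]:
    """Return (environment assignments, jobs) from system-crontab text."""
    env: Dict[str, str] = {}
    jobs: List[CronJob] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ENV_RE.match(line):
            key, _, val = line.partition("=")
            env[key.strip()] = val.strip()
            continue
        m = JOB_RE.match(line)
        if m:
            sched = re.sub(r"\s+", " ", m["sched"])  # normalize column padding
            jobs.append(CronJob(sched, m["user"], m["cmd"].strip()))
    return env, jobs


def launched_path(command: str) -> str:
    """Path actually run: skip an explicit shell so '/bin/bash x.sh' yields x.sh."""
    argv = shlex.split(command)
    if not argv:
        return ""
    if argv[0] in SHELLS and len(argv) > 1:
        return argv[1]
    return argv[0]


def triage(jobs: List[CronJob]) -> List[Tuple[CronJob, List[str]]]:
    """Pair each suspicious job with the reasons it was flagged."""
    findings = []
    for job in jobs:
        reasons = []
        if job.user == "root" and job.every_minute:
            reasons.append("runs every minute as root")
        target = launched_path(job.command)
        if target.startswith(SUSPICIOUS_DIRS):
            reasons.append(f"launches from unusual location {target}")
        if reasons:
            findings.append((job, reasons))
    return findings


if __name__ == "__main__":
    _, parsed = parse_crond(SAMPLE_CROND)
    for job, reasons in triage(parsed):
        print(f"{job.schedule} {job.user} {job.command}: {'; '.join(reasons)}")
```

On an image, run the same parser over every file in etc/cron.d plus etc/crontab, and read the `PATH` assignment back: an attacker who prepends a writable directory to `PATH` can hijack a benign-looking entry such as `run-parts` without touching the command itself.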

819
Multi-Selecthard

A cloud forensic investigator is analyzing a GCP audit log entry for a Compute Engine instance. Which THREE fields are essential for identifying the user and operation performed?

Select 3 answers
A.requestMetadata.callerIp
B.methodName
C.resourceName
D.requestMetadata.userAgent
E.authenticationInfo.principalEmail
AnswersB, C, E

methodName indicates the operation (e.g., v1.compute.instances.delete), resourceName the affected resource, and authenticationInfo.principalEmail the identity that made the call.

Why this answer

In Cloud Audit Logs these fields live under protoPayload: authenticationInfo.principalEmail identifies the caller, methodName the API operation, and resourceName the resource acted on. The caller IP address and user agent under requestMetadata are useful context for attribution but are not present in every entry (system-generated events have no caller), so they are not the fields to rely on for identifying the user and operation.
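An added example (not part of the question bank) that pulls exactly those fields out of exported log entries: the JSON below is constructed to mimic the LogEntry format Cloud Logging exports, with the AuditLog payload under `protoPayload`; the second audit entry deliberately has no `requestMetadata`, and the third entry is not an audit log at all, so the code must treat the caller IP and user agent (whose real key is `callerSuppliedUserAgent`, not `userAgent`) as optional and skip non-audit entries. The project name, emails, addresses and user agent string are made up.

```python
"""Extract the who / what / which fields from Cloud Audit Log entries.

Added example, not from the question bank. The entries are constructed to
mimic the LogEntry JSON that Cloud Logging exports for Compute Engine, with
the AuditLog payload under 'protoPayload'. The second entry deliberately has
no requestMetadata, which is why callerIp and the user agent (real key:
callerSuppliedUserAgent) are optional. Project, emails and IPs are made up.
"""
import json
from typing import Any, Dict, List, Optional

AUDIT_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
REQUIRED = ("authenticationInfo.principalEmail", "methodName", "resourceName")
OPTIONAL = ("requestMetadata.callerIp", "requestMetadata.callerSuppliedUserAgent")

SAMPLE_ENTRIES = json.dumps([
    {
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-03-14T06:09:12.345Z",
        "severity": "NOTICE",
        "protoPayload": {
            "@type": AUDIT_TYPE,
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.delete",
            "resourceName": "projects/example-proj/zones/us-central1-a/instances/web-01",
            "authenticationInfo": {"principalEmail": "mallory@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.7",
                                "callerSuppliedUserAgent": "gcloud/470.0.0"},
        },
    },
    {
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-03-14T06:11:40.000Z",
        "severity": "NOTICE",
        "protoPayload": {
            "@type": AUDIT_TYPE,
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.firewalls.insert",
            "resourceName": "projects/example-proj/global/firewalls/allow-all",
            "authenticationInfo": {
                "principalEmail": "svc-deploy@example-proj.iam.gserviceaccount.com"},
        },
    },
    {   # an ordinary application log line, not an audit record
        "logName": "projects/example-proj/logs/syslog",
        "timestamp": "2024-03-14T06:12:00.000Z",
        "textPayload": "kernel: eth0: link up",
    },
])


def dig(obj: Any, dotted: str) -> Optional[Any]:
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def summarize(entry: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Reduce one LogEntry to its attribution fields; None if not an audit entry."""
    payload = entry.get("protoPayload") or {}
    if payload.get("@type") != AUDIT_TYPE:
        return None
    row: Dict[str, Any] = {"timestamp": entry.get("timestamp")}
    for field in REQUIRED:
        value = dig(payload, field)
        if value is None:
            raise ValueError(f"audit entry lacks required field {field}")
        row[field.rsplit(".", 1)[-1]] = value
    for field in OPTIONAL:
        row[field.rsplit(".", 1)[-1]] = dig(payload, field)  # None when absent
    return row


def summarize_all(raw_json: str) -> List[Dict[str, Any]]:
    rows = []
    for entry in json.loads(raw_json):
        row = summarize(entry)
        if row is not None:
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in summarize_all(SAMPLE_ENTRIES):
        print(row["timestamp"], row["principalEmail"], row["methodName"], row["resourceName"],
              row["callerIp"] or "-")
```

The same function works on the output of `gcloud logging read` exported as JSON or on a log sink's files in Cloud Storage; group the rows by `principalEmail` and `resourceName` to see which identity touched the instance and in what order.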

820
MCQmedium

An organization receives a litigation hold notice regarding an ongoing lawsuit. The IT department is instructed to preserve all relevant electronic data. Which of the following actions should be taken FIRST to comply with the legal hold?

A.Delete all data that is not relevant to the lawsuit to reduce storage.
B.Immediately preserve all potentially relevant data, including backups and archives, and suspend automatic deletion policies.
C.Notify all employees to ignore the hold and continue normal operations.
D.Conduct a forensic analysis of the data to determine relevance before preservation.
AnswerB

Preserving data is the first step to comply with the legal hold.

Why this answer

Option B is correct because the first step in responding to a litigation hold is to immediately preserve all potentially relevant data, including backups and archives, and suspend any automatic deletion or rotation policies. This ensures that no spoliation of evidence occurs, which could lead to legal sanctions. The preservation order must be broad to cover all data that might be relevant, as determining exact relevance comes later in the e-discovery process.

Exam trap

EC-Council often tests the misconception that you can first analyze data to determine relevance before preserving it, but in legal hold scenarios the correct order is always preserve first, then analyze, to avoid any risk of spoliation.

How to eliminate wrong answers

Option A is wrong because deleting data, even if believed to be irrelevant, risks destroying potentially relevant evidence and violates the duty to preserve, which can result in severe legal penalties for spoliation. Option C is wrong because notifying employees to ignore the hold and continue normal operations directly contradicts the legal hold requirement and would likely lead to the destruction of relevant data through routine operations. Option D is wrong because conducting a forensic analysis to determine relevance before preservation is premature and risky; the priority is to freeze the data in place to prevent any alteration or loss, with analysis performed only after a proper preservation hold is in place.

821
MCQeasy

Which type of evidence is based on information that is not directly from an eyewitness but is reported by someone else?

A.Direct evidence
B.Circumstantial evidence
C.Best evidence
D.Hearsay evidence
AnswerD

Hearsay is out-of-court statement offered for the truth of the matter.

Why this answer

Hearsay evidence is defined as a statement made outside of court that is presented to prove the truth of the matter asserted. In digital forensics, this applies when a witness testifies about what another person said regarding an event, rather than recounting their own direct observation. The CHFI exam categorizes this under evidence types because it is not based on the witness's firsthand knowledge, making it generally inadmissible unless an exception applies.

Exam trap

EC-Council often tests the distinction between hearsay and circumstantial evidence, where candidates mistakenly choose circumstantial because they think any indirect information is circumstantial, but the key differentiator is that hearsay specifically involves a secondhand statement, not an inference from physical evidence.

How to eliminate wrong answers

Option A is wrong because direct evidence is based on firsthand observation or direct knowledge, such as an eyewitness account or a log file that directly records an event, not a report from someone else. Option B is wrong because circumstantial evidence relies on inference to connect a fact to a conclusion, such as a fingerprint at a crime scene, but it does not involve a secondhand report of an event. Option C is wrong because best evidence refers to the original source of evidence (e.g., the original hard drive or document) rather than a copy, and it is a rule of admissibility, not a category based on how the information is obtained.

822
MCQeasy

A forensic analyst is examining a disk image and needs to identify the file system structure. She looks for the Master File Table ($MFT) to begin analysis. Which file system is she most likely dealing with?

A.FAT32
B.NTFS
C.HFS+
D.ext4
AnswerB

NTFS uses $MFT for file metadata.

Why this answer

$MFT is a key component of NTFS, storing metadata about files and directories.

823
Multi-Selecteasy

Which TWO of the following are examples of circumstantial evidence in a digital forensics investigation? (Select TWO)

Select 2 answers
A.A witness testifying they saw the suspect commit the crime
B.A video recording of the suspect typing a password
C.Metadata showing a file was created on the suspect's computer during the incident timeframe
D.A signed confession from the suspect
E.Server logs showing the suspect's IP address connected at the time of the incident
AnswersC, E

Metadata alone does not prove the suspect created the file; it's circumstantial.

Why this answer

Option C is correct because metadata, such as file system timestamps (e.g., the $STANDARD_INFORMATION and $FILE_NAME attributes in NTFS), provides indirect evidence that a file was created during the incident timeframe. This does not directly prove the suspect's actions but supports an inference of involvement, which is the hallmark of circumstantial evidence. Option E is correct for the same reason: a server log tying the suspect's IP address to the incident time shows that a connection came from that address, from which involvement is inferred; it does not by itself establish who was at the keyboard. Options A, B and D are direct evidence, because each records the act itself rather than a fact from which the act must be inferred.

Exam trap

EC-Council often tests the distinction between direct and circumstantial evidence by presenting seemingly conclusive items (like a video or confession) as traps, leading candidates to overlook that circumstantial evidence requires inference, not direct observation.

824
Matchingmedium

Match each steganography technique to its carrier medium.


Concepts
Matches

Image files (BMP, PNG)

Audio files (WAV, MP3)

GIF images

JPEG images

Plain text or documents

Why these pairings

These methods hide data in different file types.

825
Multi-Selecthard

Which THREE of the following present unique challenges for forensic analysis of solid-state drives (SSDs) compared to traditional hard disk drives (HDDs)? (Select THREE.)

Select 3 answers
A.Slack space analysis due to 512-byte sector emulation
B.Wear leveling that moves data around the NAND chips
C.Fragmentation due to file system aging
D.Garbage collection that consolidates valid data and erases stale blocks
E.TRIM command that erases deleted data blocks
AnswersB, D, E

Wear leveling distributes writes, causing data to be moved unpredictably.

Why this answer

SSDs store data in NAND flash managed by a controller the examiner cannot see past: wear leveling moves data between physical blocks, garbage collection copies valid pages and erases stale blocks in the background, and TRIM lets the operating system tell the controller which blocks hold deleted data so they can be erased ahead of reuse. Together these can destroy or relocate deleted data even while the drive sits behind a write blocker, so recovery and hash reproducibility are less reliable than on an HDD. Slack space and file system fragmentation exist on both media types and are not SSD-specific.
