Computer Hacking Forensic Investigator (CHFI) — Questions 826–900

1000 questions total · 14 pages · All types, answers revealed

Page 12 of 14
826
MCQ · easy

During a malware investigation, a forensic analyst observes that a suspicious process creates a mutex named 'Global\MyMutex' and writes to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. What behavioral indicator does this represent?

A. Persistence mechanism to survive reboot
B. Encryption of sensitive data
C. Establishment of a C2 channel
D. Attempt to evade sandbox detection
Answer: A

The Run registry key is a standard persistence location; malware adds itself to launch automatically at system startup.

Why this answer

Writing to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is a classic persistence mechanism. Values under this key are read by the Windows shell (Explorer) when any user logs on, so the listed executable is launched automatically after every reboot; the HKCU equivalent does the same for a single user. Combined with a named mutex (Global\MyMutex, visible system-wide because of the Global\ prefix) that stops a second copy from starting, the behavior shows malware ensuring it survives a reboot while keeping exactly one instance running. The mutex name is also a useful host-based indicator, since the same name appears on every infected machine.

Exam trap

EC-Council often tests the distinction between persistence mechanisms and other malware behaviors. Candidates mistakenly associate any registry write with C2 or evasion, when the Run key specifically exists to start programs automatically after a reboot.

How to eliminate wrong answers

Option B is wrong because writing to the Run registry key does not involve any cryptographic operations; encryption of sensitive data would typically involve API calls like CryptEncrypt or BCryptEncrypt, not registry modifications. Option C is wrong because establishing a C2 channel requires network communication (e.g., HTTP/S, DNS, or raw socket connections), not the creation of a local mutex or a registry run key. Option D is wrong because evading sandbox detection often involves techniques like checking for debuggers, virtual machine artifacts, or delaying execution, not simply creating a mutex and writing to a well-known persistence location.

827
Multi-Select · medium

Which TWO Windows Event IDs are associated with successful and failed logon events? (Select two.)

Select 2 answers
A. 4720
B. 7045
C. 4625
D. 4648
E. 4624
Answers: C, E

4624 is the event ID for a successful logon and 4625 for a failed logon.

Why this answer

Event ID 4624 records a successful logon and 4625 a failed logon; both are written to the Security log. The distractors are also real events, just not logon results: 4648 is a logon attempted with explicit credentials (runas, or lateral movement with stolen credentials), 4720 is a user account created, and 7045 (System log) is a new service installed. When reviewing 4624/4625, also check the Logon Type field (2 interactive, 3 network, 10 RemoteInteractive/RDP) and, on 4625, the Sub Status code, which distinguishes a bad password (0xC000006A) from a non-existent user name (0xC0000064).

828
MCQ · medium

During a forensic investigation, an analyst uses a tool to capture the contents of RAM from a live Linux system. Which tool is specifically designed for this purpose and can acquire memory over a network or via a local kernel module?

A. WinPmem
B. LiME
C. FTK Imager
D. Volatility
Answer: B

LiME is a Linux memory acquisition tool.

Why this answer

LiME (Linux Memory Extractor) is a loadable kernel module that dumps physical memory from a running Linux system. The dump can be written to a local path or streamed over TCP (path=tcp:<port>), and the output format can be raw, padded, or the LiME format that Volatility parses directly. The module must be compiled against the exact kernel version of the target, so it is normally built in advance or on an identical system. WinPmem is the Windows equivalent, FTK Imager captures memory only on Windows, and Volatility analyzes dumps rather than acquiring them.

829
MCQ · medium

An examiner acquires a forensic image of an SSD from a suspect's laptop. The SSD was connected to a system with TRIM enabled. What challenge will the examiner most likely face when trying to recover deleted files?

A. Wear leveling complicates data location
B. RAID striping interferes with imaging
C. The SSD is encrypted and cannot be imaged
D. Deleted files may have been physically erased by TRIM
Answer: D

TRIM commands cause the SSD to erase data blocks, hindering recovery.

Why this answer

When a file is deleted on a TRIM-enabled system, the OS sends TRIM commands telling the SSD which LBAs no longer hold valid data. The controller's garbage collection may then erase those blocks at any time, and many drives return zeros for trimmed LBAs even before the physical erase, so the unallocated space an examiner would normally carve from may already be empty. Wear leveling (option A) is real but only affects where data sits physically inside the drive; it is handled transparently by the controller and does not by itself destroy deleted data.

830
MCQ · hard

Refer to the exhibit. An investigator is examining a disk image using TSK. The output from 'fls' shows the directory structure. What is the significance of the entry 'V/V 113-128-1: $OrphanFiles'?

A. It is a sign that a rootkit has hidden files in the image
B. It indicates the location of the Master File Table (MFT) mirror
C. It is a virtual directory that contains files with no parent directory, often from deleted files
D. It is a standard NTFS metadata file that stores file permissions
Answer: C

'V/V' denotes a virtual directory for files that are not linked in the directory tree.

Why this answer

In The Sleuth Kit (TSK), the 'fls' command lists files and directories within a disk image. The entry 'V/V 113-128-1: $OrphanFiles' is a virtual directory that contains files that have no parent directory in the file system, typically because their directory entries were deleted or corrupted. This is a common artifact when recovering deleted files from NTFS volumes, as TSK collects such orphaned MFT entries into this virtual container.

Exam trap

EC-Council often tests the distinction between native NTFS metadata files (like $MFT, $Bitmap) and TSK virtual artifacts (like $OrphanFiles), so candidates mistakenly treat $OrphanFiles as a real NTFS system file rather than a forensic tool's reconstruction.

How to eliminate wrong answers

Option A is wrong because a rootkit hiding files would not manifest as a standard TSK virtual directory; rootkits typically use techniques like DKOM or hooking to conceal files on the live system, and $OrphanFiles is a normal TSK artifact for orphaned entries, not a sign of rootkit activity. Option B is wrong because the MFT mirror ($MFTMirr) is a regular NTFS metadata file (MFT entry 1) whose location is recorded in the boot sector; it holds a copy of the first few MFT records and is listed by fls as an ordinary 'r/r' entry, not as a 'V/V' virtual directory. Option D is wrong because $OrphanFiles is not a standard NTFS metadata file; NTFS metadata files include $MFT, $LogFile, $Volume, etc., and $OrphanFiles is a TSK construct for forensic analysis, not a native NTFS file.

831
Multi-Select · medium

Which TWO of the following are common challenges specific to cloud forensics? (Select TWO)

Select 2 answers
A. Volatile memory acquisition
B. Inability to image hard drives
C. Data jurisdiction and legal compliance
D. Multi-tenancy and separation of data
E. Lack of proper tools
Answers: C, D

Data may reside in different countries with varying laws, posing jurisdictional issues.

Why this answer

Multi-tenancy (shared infrastructure) and data jurisdiction (where data is physically stored) are unique to cloud forensics, unlike physical or virtual environments.

832
MCQ · medium

During an iOS forensic examination, an analyst extracts an iTunes backup and finds a file named 'SMS.db'. Which of the following tools is BEST suited to parse and analyze this SQLite database for SMS and iMessage content?

A. GrayKey
B. Oxygen Forensic Detective
C. Cellebrite UFED
D. SQLite Browser
Answer: D

SQLite Browser is a free tool that can directly open and query SQLite databases such as SMS.db.

Why this answer

SQLite Browser is the best tool for parsing and analyzing the 'SMS.db' file because it is a free, open-source SQLite database viewer that allows direct querying and inspection of the database schema, tables, and records. Note that inside an iTunes backup the file is not stored under its own name: backup files are saved under the SHA-1 of their domain and path (for sms.db, 3d0d7e5fb2ce288813306e4d4636395e047a3d28), and Manifest.db maps those hashes back to the original paths. Once located, 'SMS.db' is an ordinary SQLite database containing SMS and iMessage data, so SQLite Browser provides the most straightforward and cost-effective method for manual forensic analysis without relying on proprietary extraction tools. Two practical caveats: the message.date column uses Apple's 2001-01-01 epoch (seconds on older iOS, nanoseconds from iOS 11), and deleted rows may survive in freelist pages, which a plain SELECT will not show.

Exam trap

EC-Council often tests the misconception that commercial forensic suites like Cellebrite or GrayKey are always the best tools for every forensic task, when in fact a simple, free database browser is more appropriate for analyzing a standard SQLite file after extraction.

How to eliminate wrong answers

Option A is wrong because GrayKey is a specialized hardware tool for bypassing iOS passcodes and extracting full file system images, not for parsing individual SQLite databases like 'SMS.db' after extraction. Option B is wrong because Oxygen Forensic Detective is a comprehensive forensic suite that can parse SMS.db, but it is overkill for simply analyzing a single extracted database file and is not the 'best suited' tool for this specific task due to its cost and complexity. Option C is wrong because Cellebrite UFED is primarily a physical extraction and decoding tool for mobile devices, not a dedicated SQLite database browser; while it can parse SMS data from extractions, it is not the optimal choice for directly opening and querying an already extracted 'SMS.db' file.
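The timestamp conversion just described is where manual analysis most often goes wrong, so here is an added example (not code from the question bank or from any forensic tool) that builds a constructed in-memory SQLite database with a simplified subset of the real sms.db schema, joins messages to handles, and normalises both second- and nanosecond-based date values to UTC. The table and column names (message, handle, date, is_from_me, handle_id) are the real ones; the sample rows and the reduced schema are assumptions for the demonstration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# iOS stores message timestamps as offsets from 2001-01-01 00:00:00 UTC
# (Apple "absolute time"). Older iOS versions store whole seconds; iOS 11
# and later store nanoseconds, so an upgraded device mixes both units.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
NS_THRESHOLD = 1_000_000_000_000   # no plausible seconds value exceeds 1e12

def apple_time_to_utc(value):
    """Convert a message.date value (seconds or nanoseconds) to an aware UTC datetime."""
    if value is None:
        return None
    if value > NS_THRESHOLD:                       # nanosecond precision
        seconds, nanos = divmod(value, 1_000_000_000)
        return APPLE_EPOCH + timedelta(seconds=seconds, microseconds=nanos // 1000)
    return APPLE_EPOCH + timedelta(seconds=value)

# Assumption: simplified subset of the real sms.db schema. The live database
# has many more columns and a chat / chat_message_join layer omitted here.
SCHEMA = """
CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
CREATE TABLE message (
    ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER,
    date INTEGER, is_from_me INTEGER, service TEXT);
"""

# Constructed sample rows, not data from any real device.
SAMPLE_HANDLES = [(1, "+15550100", "SMS"), (2, "alice@example.com", "iMessage")]
SAMPLE_MESSAGES = [
    (1, "Meet at 9?", 1, 700_000_000, 0, "SMS"),                       # seconds
    (2, "On my way", 1, 700_000_060, 1, "SMS"),                        # seconds
    (3, "Sent the file", 2, 700_000_120_000_000_000, 1, "iMessage"),   # nanoseconds
]

QUERY = """
SELECT m.ROWID, m.date, m.is_from_me, h.id AS counterpart, m.service, m.text
FROM message AS m
LEFT JOIN handle AS h ON h.ROWID = m.handle_id
ORDER BY m.ROWID
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO handle VALUES (?,?,?)", SAMPLE_HANDLES)
    conn.executemany("INSERT INTO message VALUES (?,?,?,?,?,?)", SAMPLE_MESSAGES)
    conn.commit()
    return conn

def load_messages(conn):
    """Return messages as dicts with normalised UTC timestamps, sorted by time.
    Sorting after conversion matters: ORDER BY date in SQL would interleave
    second- and nanosecond-based rows incorrectly."""
    rows = []
    for rowid, date, is_from_me, counterpart, service, text in conn.execute(QUERY):
        rows.append({
            "rowid": rowid,
            "sent_utc": apple_time_to_utc(date),
            "direction": "outgoing" if is_from_me else "incoming",
            "counterpart": counterpart,
            "service": service,
            "text": text,
        })
    rows.sort(key=lambda r: r["sent_utc"])
    return rows

if __name__ == "__main__":
    for m in load_messages(build_sample_db()):
        print(m["sent_utc"].isoformat(), m["direction"], m["counterpart"], m["text"])
```

Run the same load_messages() against a real sms.db by replacing the in-memory connection with sqlite3.connect("sms.db", uri=False) on a working copy; never open the evidence copy itself, because SQLite may write journal files next to it.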

833
MCQ · easy

Which of the following tools is specifically designed to analyze email headers and track the path of an email, providing information about delays and potential spoofing?

A. EmailTracker
B. Wireshark
C. FTK Imager
D. Autopsy
Answer: A

EmailTracker is designed for email header analysis and tracking.

Why this answer

EmailTracker is a tool that analyzes email headers, visualizes the path, and helps identify spoofing and delivery delays.

834
MCQ · medium

During a database forensic investigation, you need to review Microsoft SQL Server transaction logs to identify unauthorized data modifications. Which of the following SQL Server functions or commands is used to read the transaction log?

A. SELECT * FROM sys.dm_tran_database_transactions
B. DBCC LOG
C. fn_dblog
D. BACKUP LOG
Answer: C

fn_dblog reads the transaction log and provides detailed information.

Why this answer

fn_dblog is an undocumented table-valued function that returns the records of the active (online) transaction log, one row per log record, with columns such as Operation, AllocUnitName and Transaction ID; it is commonly used in forensic analysis. Its sibling fn_dump_dblog reads log backup files the same way, which matters once the log has been backed up and truncated. sys.dm_tran_database_transactions (option A) only shows transactions currently in flight, DBCC LOG is a legacy command with far less detail, and BACKUP LOG copies the log rather than reading it.

835
Multi-Select · easy

Which TWO of the following are persistence mechanisms commonly found in Windows forensics? (Select two.)

Select 2 answers
A. Jump lists
B. ShellBags
C. Scheduled Tasks
D. Prefetch files
E. Registry Run keys (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run)
Answers: C, E

Scheduled tasks can run at specific times or events.

Why this answer

Registry Run keys and Scheduled Tasks are common persistence techniques that allow malware to automatically execute on system startup or at scheduled times.

836
MCQ · hard

A forensic lab is designing a network architecture to ensure the integrity of evidence during acquisition. What is the most critical design consideration?

A. Deploy multiple forensic workstations to parallelize tasks
B. Use a segmented network to isolate forensic tools
C. Encrypt all data in transit over the network
D. Implement hardware write-blockers on all acquisition stations
Answer: D

Write-blockers prevent any writes to the source drive, ensuring integrity.

Why this answer

Hardware write-blockers are the most critical design consideration because they intercept write commands at the ATA/SCSI/USB command level, so the evidence remains bit-for-bit unchanged during acquisition. Without one, simply attaching the drive can alter it: the workstation OS may automount the volume, replay a file system journal, update last-access timestamps, or write metadata such as a System Volume Information folder, compromising the integrity of the evidence and its admissibility in court.

Exam trap

The trap here is that candidates often confuse network security measures (segmentation, encryption) with evidence integrity controls, failing to recognize that the most critical design consideration is preventing any write access to the source media at the hardware level during acquisition.

How to eliminate wrong answers

Option A is wrong because deploying multiple forensic workstations to parallelize tasks improves throughput but does not address the fundamental requirement of preserving evidence integrity; it can even introduce chain-of-custody issues if not properly managed. Option B is wrong because using a segmented network to isolate forensic tools enhances security and prevents unauthorized access, but it does not prevent write operations to the source drive during acquisition, which is the primary integrity concern. Option C is wrong because encrypting data in transit over the network protects confidentiality and integrity during transfer, but it does not prevent the acquisition station from writing to the source drive; the evidence could be altered before encryption even occurs.

837
MCQ · medium

An analyst is examining a Linux server and issues the command: cat /var/log/auth.log | grep 'Failed password' | awk '{print $1,$2,$3,$9,$11}' | sort | uniq -c. What is the analyst most likely trying to determine?

A. The list of all sudo commands executed
B. The number of distinct users who successfully logged in
C. The IP addresses with the most failed SSH login attempts
D. The total number of successful logins
Answer: C

It counts failed password attempts grouped by date, time, user and source IP, so the highest counts point at the most active brute-force sources.

Why this answer

The pipeline selects the date and time fields ($1-$3), the username ($9) and the source IP ($11) of every 'Failed password' line, then sort | uniq -c counts identical tuples, which identifies the most frequent source of brute-force attempts. Two caveats a practitioner should know: the field positions assume the form 'Failed password for USER from IP', but attempts against non-existent accounts read 'Failed password for invalid user USER from IP', which shifts the user to $11 and the IP to $13, so the naive awk script mis-reports exactly the lines a brute-forcer produces most; and because the timestamp is part of the key, uniq -c counts per second rather than per attacker, so for a true per-IP ranking print only the IP field (awk '{print $11}' or $13).
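Added example (not part of the question bank): the same analysis in Python over a few constructed auth.log lines, with a function that reproduces what the awk pipeline selects so the field-shift problem on 'invalid user' lines is visible, and a regex-based counter that handles both line forms. The log lines, hostnames and addresses are made up; the message formats are the ones OpenSSH writes on Debian/Ubuntu systems.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (traditional syslog format as
# written by OpenSSH on Debian/Ubuntu); not taken from a real system.
SAMPLE_AUTH_LOG = """\
Feb 10 14:22:10 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 54122 ssh2
Feb 10 14:22:12 web01 sshd[2213]: Failed password for root from 203.0.113.5 port 54130 ssh2
Feb 10 14:22:15 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.5 port 54140 ssh2
Feb 10 14:23:01 web01 sshd[2220]: Failed password for invalid user oracle from 198.51.100.7 port 41002 ssh2
Feb 10 14:23:40 web01 sshd[2230]: Accepted password for deploy from 192.168.1.20 port 50010 ssh2
Feb 10 14:24:05 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/ls
"""

# One pattern that handles both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP".
FAILED_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def awk_fields(line):
    """What awk '{print $1,$2,$3,$9,$11}' selects from one line (1-based fields)."""
    f = line.split()
    return f[0], f[1], f[2], f[8], f[10]

def naive_awk_pairs(text):
    """(user, ip) pairs as the page's pipeline would print them; the
    'invalid user' lines come out as ('invalid', USER) instead."""
    return [awk_fields(l)[3:] for l in text.splitlines() if "Failed password" in l]

def failed_by_ip(text):
    """Failed SSH password attempts per source IP, robust to 'invalid user'."""
    counts = Counter()
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def failed_by_user_ip(text):
    """Per (user, ip, account_exists_is_false) counts for the investigator's report."""
    counts = Counter()
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[(m.group("user"), m.group("ip"), bool(m.group("invalid")))] += 1
    return counts

if __name__ == "__main__":
    for ip, n in failed_by_ip(SAMPLE_AUTH_LOG).most_common():
        print(f"{n:5d} {ip}")
```

On a system using the systemd journal rather than a flat auth.log, feed the same parser the output of journalctl -u ssh -o short (the message format is unchanged).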

838
Multi-Select · hard

An incident response team is investigating a breach involving a Docker container. Which THREE of the following actions should the team take to preserve forensic evidence?

Select 3 answers
A. Stop the container immediately to prevent further compromise
B. Use docker export to save the container's filesystem as a tar archive
C. Run docker commit to create an image from the container
D. Use docker inspect to examine container metadata before stopping
E. Execute docker logs to capture container logs
Answers: B, C, E

Exports the container's filesystem for offline analysis.

Why this answer

Exporting the container with docker export preserves its filesystem as a tar archive for offline analysis; docker commit snapshots the writable layer and configuration as an image; docker logs captures the container's stdout/stderr. Two practical caveats: neither docker export nor docker commit includes data in mounted volumes, which must be collected separately, and docker commit pauses the container by default while the snapshot is taken.

Option A is excluded because stopping the container first discards volatile state (running processes, network connections, process memory). Option D, docker inspect, is read-only and harmless, but it only displays metadata; it preserves nothing unless its output is saved alongside the other artifacts.

839
MCQ · medium

During a forensic investigation, the analyst runs netstat -ano on a compromised workstation. Based on the exhibit, which connection is MOST suspicious and should be investigated further?

A. The established HTTPS connection to 203.0.113.5:443 (PID 5678).
B. The DNS query to 192.168.1.1:53 in TIME_WAIT state.
C. The UDP listener on port 5353 (mDNS) with PID 910.
D. The listening RDP service on port 3389 (PID 1234).
Answer: A

203.0.113.0/24 is the RFC 5737 TEST-NET-3 documentation range; in the exhibit it stands in for an unknown external host.

Why this answer

The established HTTPS connection to 203.0.113.5:443 (PID 5678) is most suspicious because it is an external IP address (not in the private RFC 1918 range) with an established TCP connection, indicating active data transfer. In a forensic context, an outbound HTTPS connection to an unknown external IP is a common indicator of command-and-control (C2) communication or data exfiltration, especially when the PID can be traced to an unknown or malicious process.

Exam trap

EC-Council often tests the misconception that any listening service (like RDP or mDNS) is inherently suspicious, when in fact established external connections to unknown IPs are far more indicative of active compromise.

How to eliminate wrong answers

Option B is wrong because a DNS query to 192.168.1.1:53 in TIME_WAIT state is normal internal network traffic; DNS queries are expected to resolve names, and TIME_WAIT indicates the connection has ended, not active malicious activity. Option C is wrong because a UDP listener on port 5353 (mDNS) with PID 910 is a standard service for local network discovery (RFC 6762) and is not inherently suspicious unless the PID is known to be malicious. Option D is wrong because the listening RDP service on port 3389 (PID 1234) is a common administrative service; while RDP can be exploited, a listening state alone does not indicate compromise without evidence of unauthorized access or unusual source IPs.
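Added example, not from the question bank: a parser for the Windows netstat -ano column layout that applies the reasoning above (established, outbound, non-internal peer) to a constructed listing. The sample output below is made up; the column format is the real one. One caveat the code encodes: CPython's ipaddress.is_private treats the RFC 5737 documentation ranges, including 203.0.113.0/24, as private, so the RFC 1918 check is written out explicitly instead.

```python
import ipaddress

# RFC 1918 ranges checked explicitly. CPython's ipaddress.is_private also
# returns True for the RFC 5737 documentation ranges (192.0.2.0/24,
# 198.51.100.0/24, 203.0.113.0/24), so relying on it would hide the very
# address in this question. Loopback, link-local and unspecified addresses
# are treated as internal.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed netstat -ano output in the Windows column layout (not the exhibit).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.25:49812     203.0.113.5:443        ESTABLISHED     5678
  TCP    192.168.1.25:49820     192.168.1.1:53         TIME_WAIT       0
  TCP    192.168.1.25:49901     10.0.0.12:445          ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       988
  UDP    0.0.0.0:5353           *:*                                    910
"""

def split_endpoint(endpoint):
    """'203.0.113.5:443' -> ('203.0.113.5', '443'); also handles '[::]:135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_link_local or addr.is_unspecified
            or any(addr in n for n in RFC1918))

def parse_netstat(text):
    """Parse TCP (5 columns) and UDP (4 columns, no state) rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "UDP":
            proto, local, foreign, pid = parts[:4]
            state = ""
        else:
            proto, local, foreign, state, pid = parts[:5]
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_ip": lip, "local_port": lport,
                     "foreign_ip": fip, "foreign_port": fport,
                     "state": state, "pid": int(pid)})
    return rows

def suspicious_connections(rows):
    """Established TCP sessions whose peer is outside RFC 1918 / loopback / link-local.
    The PID is what you pivot on next (tasklist /svc, or the process list from a memory image)."""
    out = []
    for r in rows:
        if r["state"] != "ESTABLISHED" or r["foreign_ip"] in ("*", ""):
            continue
        if not is_internal(r["foreign_ip"]):
            out.append(r)
    return out

if __name__ == "__main__":
    for r in suspicious_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {r['pid']}: {r['local_ip']}:{r['local_port']} -> {r['foreign_ip']}:{r['foreign_port']}")
```

The internal/external split is a triage heuristic, not a verdict: an established session to a corporate proxy or cloud service will also appear, and an implant using an internal pivot host will not. Resolve the PID and the destination before drawing conclusions.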

840
Multi-Select · medium

During a database forensic investigation, an analyst finds that the SQL Server transaction log contains gaps. Which TWO actions should the analyst take to preserve evidence integrity and recover missing transactions?

Select 2 answers
A. Perform a transaction log backup using BACKUP LOG
B. Run DBCC CHECKDB to verify database consistency
C. Restart the SQL Server service to flush pending transactions
D. Truncate the transaction log to free space
E. Use DBCC PAGE or fn_dblog to read the transaction log
Answers: A, E

Preserves the current log state for analysis.

Why this answer

Option A is correct because BACKUP LOG copies the active portion of the transaction log to a backup file, capturing committed and uncommitted transactions for offline analysis before they can be overwritten. Note that a regular log backup marks the inactive part of the log as reusable (log truncation), so take the evidence copy with BACKUP LOG ... WITH COPY_ONLY to a dedicated file, which captures the records without affecting the backup chain or truncating the log. Option E is correct because fn_dblog (for the online log) and DBCC PAGE (for individual data pages) let the analyst read the records directly. Options C and D are destructive: a restart triggers recovery and may allow log reuse, and truncation discards the very records under investigation.

Exam trap

EC-Council often tests the misconception that restarting the service or running consistency checks will help recover transactions, when in fact these actions can destroy or overwrite the very evidence needed for forensic analysis.

841
MCQ · easy

Which of the following tools is specifically designed for parsing and analyzing email headers to detect spoofing and trace the origin of an email?

A. EmailTracker
B. Wireshark
C. Volatility
D. Sleuth Kit
Answer: A

EmailTracker is designed for email header analysis and tracing.

Why this answer

EmailTracker is a tool that analyzes email headers to track the path of an email and detect spoofing.

842
MCQ · medium

A forensic analyst is preparing to acquire an image from a suspect's hard drive. The analyst connects the drive to a write blocker, then uses FTK Imager to create a forensic image. Which hashing algorithm is commonly used by FTK Imager to verify image integrity?

A. AES
B. RSA
C. Blowfish
D. MD5
Answer: D

MD5 is a hash function commonly used by FTK Imager to verify that the image is identical to the source.

Why this answer

FTK Imager computes MD5 and SHA-1 for the source and the image and records both in the acquisition log; MD5 is the standard option the exam expects. MD5 is collision-broken as a cryptographic primitive, but image verification under chain of custody is not a collision scenario, and recording two independent hashes (plus SHA-256 where the workflow supports it) is standard practice. AES and Blowfish are ciphers and RSA is a public-key algorithm; none of them produce a fixed-length digest for integrity checking.

843
MCQ · hard

Based on the acquisition log, what can be concluded about the integrity of the acquired image?

A. The image is not forensically sound because the verification passed
B. The source and image have different data
C. The image is corrupted because only one hash algorithm was used
D. The image is an exact copy of the source
Answer: D

Matching hashes and verification confirm integrity.

Why this answer

The acquisition log shows that the hash values computed for the source drive and the acquired image match exactly. A matching hash (e.g., MD5 or SHA-1) verifies that the image is a bit-for-bit identical copy of the original evidence, confirming forensic soundness. Therefore, the image is an exact copy of the source, making option D correct.

Exam trap

EC-Council often tests the misconception that a passed verification indicates the image is not forensically sound, or that using only one hash algorithm implies corruption, when in fact a matching hash confirms integrity regardless of the number of algorithms used.

How to eliminate wrong answers

Option A is wrong because a verification that passes (hash match) confirms forensic soundness, not the opposite; a failed verification would indicate the image is not forensically sound. Option B is wrong because matching hash values prove the source and image have identical data, not different data. Option C is wrong because using a single hash algorithm (e.g., MD5 or SHA-1) is standard practice and does not indicate corruption; corruption would cause a hash mismatch, not be caused by the number of algorithms used.

844
MCQ · hard

During a forensic examination of a Windows 10 system, you find a file named "chrome_000001.jumplist" in the user's AppData directory. What does the presence of this file indicate?

A. The file is a Chrome extension
B. The user has installed Chrome via a jump list installer
C. The file contains Chrome bookmarks
D. The file stores recent items accessed through Chrome, such as downloaded files
Answer: D

Jump lists record recently opened items for the associated application, such as downloaded files opened from Chrome.

Why this answer

Jump lists are created by Windows for applications that register recent items, whether or not they are pinned to the taskbar or Start menu, and the entries persist after the items themselves are deleted. On a real system the files live under %AppData%\Microsoft\Windows\Recent\AutomaticDestinations\ (and CustomDestinations\) and are named by a 16-hex-digit AppID with the .automaticDestinations-ms or .customDestinations-ms extension rather than by application name; the file name in the question is a simplified stand-in for Chrome's jump list, which reveals files and URLs recently accessed through Chrome along with their access timestamps.

845
MCQ · medium

A security analyst is using Wireshark during a malware analysis session. The analyst observes a series of DNS queries to a domain 'malware-c2.example.com' every 60 seconds. This behavior is indicative of which malware characteristic?

A. Data exfiltration
B. DNS tunneling
C. Command and control (C2) communication
D. Propagation via network scanning
Answer: C

Regular beaconing to a domain suggests C2 communication for instructions or status updates.

Why this answer

Periodic DNS queries to 'malware-c2.example.com' every 60 seconds are a classic heartbeat or beacon: the implant checks in at a fixed interval so the operator can queue commands and receive status, and DNS is chosen because it is almost always allowed outbound even where HTTP is proxied or blocked. The fixed interval and single domain indicate a programmed C2 channel rather than a one-off transfer or a tunnel carrying encoded data. In practice, record the resolved address over time (fast-flux C2 rotates it) and look at interval variance: mature implants add jitter to the sleep time precisely to defeat this kind of pattern matching.

Exam trap

EC-Council often tests the distinction between DNS tunneling and C2 beaconing, where candidates mistakenly choose DNS tunneling because they see DNS queries, but the key differentiator is the regular, low-frequency pattern (beaconing) versus high-volume or encoded data in queries (tunneling).

How to eliminate wrong answers

Option A is wrong because data exfiltration typically involves sending stolen data (e.g., files, credentials) to an external server, often using HTTP POST, FTP, or DNS tunneling, but the periodic DNS queries alone do not indicate data transfer; they are just keep-alive signals. Option B is wrong because DNS tunneling encodes data within DNS query and response fields (e.g., subdomains or TXT records) to bypass network filters, but the described behavior—simple queries every 60 seconds—lacks the high volume or encoded payloads characteristic of tunneling. Option D is wrong because propagation via network scanning involves probing for vulnerable hosts using protocols like SMB, RDP, or SSH, not sending DNS queries to a fixed domain at regular intervals.
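Added example (not from the question bank): the beacon-versus-noise distinction above expressed as detection logic. It groups DNS queries by client and name and flags groups whose inter-arrival times are nearly constant, using the coefficient of variation (standard deviation divided by mean). The query list is constructed, as are the thresholds (at least five queries, CV at most 0.2); both thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed DNS query log as (timestamp, client, queried name) tuples, the
# shape you get by exporting Wireshark's dns.qry.name column with frame time
# or from a resolver log. Not captured traffic.
T0 = datetime(2025, 2, 10, 14, 0, 0, tzinfo=timezone.utc)
BEACON_JITTER = [0, 1, 0, 2, 1, 0, 1, 0, 2, 1]          # seconds of drift per query
SAMPLE_QUERIES = (
    # a 60-second beacon with small jitter
    [(T0 + timedelta(seconds=60 * i + j), "192.168.1.25", "malware-c2.example.com")
     for i, j in enumerate(BEACON_JITTER)]
    # human-driven browsing: bursty and irregular
    + [(T0 + timedelta(seconds=s), "192.168.1.25", "cdn.example.net")
       for s in (0, 3, 123, 130, 530, 545, 546, 1446)]
    # too few queries from another host to judge
    + [(T0 + timedelta(seconds=s), "192.168.1.40", "malware-c2.example.com")
       for s in (5, 9)]
)

def interval_stats(timestamps):
    """Mean inter-arrival time in seconds and coefficient of variation (stdev / mean)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return m, cv

def find_beacons(queries, min_queries=5, max_cv=0.2):
    """Group queries by (client, name) and flag near-constant intervals.
    min_queries and max_cv are assumed thresholds: a real implant's jitter
    raises the CV, so widen max_cv and lengthen the observation window
    rather than trusting a single clean 60 s pattern."""
    groups = defaultdict(list)
    for ts, client, name in queries:
        groups[(client, name)].append(ts)
    hits = []
    for (client, name), ts in groups.items():
        if len(ts) < min_queries:
            continue
        m, cv = interval_stats(ts)
        if cv <= max_cv:
            hits.append({"client": client, "name": name, "count": len(ts),
                         "interval_s": round(m, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])

if __name__ == "__main__":
    for h in find_beacons(SAMPLE_QUERIES):
        print(f"{h['client']} -> {h['name']}: {h['count']} queries every ~{h['interval_s']}s (cv={h['cv']})")
```

Legitimate software also beacons (update checkers, monitoring agents, NTP-like keepalives), so a hit is a lead to triage by destination reputation and owning process, not a verdict.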

846
MCQ · easy

Which of the following tools is BEST suited for performing static analysis of a malware binary to identify strings, headers, and imported functions without executing the file?

A. Cuckoo Sandbox
B. Any.run
C. Process Monitor
D. IDA Pro
Answer: D

IDA Pro is a static analysis tool for disassembling and analyzing binaries.

Why this answer

IDA Pro is the correct choice because it is a disassembler and debugger specifically designed for static analysis of binary executables. It allows an analyst to examine strings, PE/ELF headers, and imported functions without executing the file, making it ideal for malware reverse engineering. In contrast, the other options require execution or focus on runtime behavior.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis, and the trap here is that candidates confuse sandbox tools (Cuckoo, Any.run) or process monitors (Procmon) with static analysis because they are commonly used in malware forensics, but they all require execution.

How to eliminate wrong answers

Option A is wrong because Cuckoo Sandbox is an automated dynamic analysis system that executes the malware in a sandboxed environment, not a static analysis tool. Option B is wrong because Any.run is a cloud-based interactive malware analysis platform that also executes samples to observe behavior, not a static analyzer. Option C is wrong because Process Monitor (Procmon) is a real-time system monitoring tool that captures file system, registry, and process activity during execution, requiring the malware to run.

847
MCQ · easy

During a forensic investigation, an analyst needs to preserve the integrity of evidence on a hard drive. Which of the following is the best practice for acquiring an image of the drive?

A. Use the 'dd' command to create a raw image without a write blocker.
B. Connect the drive to a forensic workstation and use the operating system's copy command.
C. Use a hardware write blocker and create a bit-stream image.
D. Format the drive before imaging to ensure no hidden data is missed.
Answer: C

A write blocker ensures no data is altered on the original drive during acquisition.

Why this answer

Option C is correct because using a hardware write blocker ensures that no write commands from the forensic workstation reach the suspect drive, preserving its integrity at the physical level. Creating a bit-stream image (sector-by-sector copy) captures all data, including slack space and unallocated clusters, which is essential for thorough forensic analysis. This combination is the gold standard in digital forensics, as mandated by best practices like those from NIST and the ACPO principles.

Exam trap

EC-Council often tests the misconception that a software-based approach (like dd) is sufficient for imaging, but the trap is that without a hardware write blocker, the forensic workstation's OS may inadvertently write to the suspect drive (e.g., via automount or journaling), compromising evidence integrity.

How to eliminate wrong answers

Option A is wrong because using the 'dd' command without a write blocker risks modifying the evidence drive (e.g., by the OS mounting it or writing temporary files), which breaks chain of custody and can render evidence inadmissible. Option B is wrong because the operating system's copy command (e.g., cp or copy) only copies visible files and does not capture deleted data, slack space, or file system metadata; it also does not prevent write operations to the source drive. Option D is wrong because formatting the drive destroys all existing data, including evidence, and is the antithesis of preservation; it would permanently eliminate any chance of recovering hidden or deleted information.

848
MCQ · easy

Which Windows registry hive should be examined to determine the last time a specific external USB drive was connected to a system?

A. HKLM\SAM
B. HKLM\SYSTEM
C. HKLM\SOFTWARE
D. HKLM\SECURITY
Answer: B

The USBSTOR key under SYSTEM enumerates every USB storage device that has been connected.

Why this answer

The SYSTEM hive (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR) holds a subkey per device type (vendor, product, revision) with a child keyed by the device serial number. On Windows 8 and later the property keys under ...\<serial>\Properties\{83da6326-97a6-4088-9453-a1923f573b29} store the timestamps that answer this question: 0064 (first install), 0066 (last connected) and 0067 (last removal). The subkey's own LastWrite time only shows when the key was last modified, so use the property values and corroborate the first connection with setupapi.dev.log. SAM, SECURITY and SOFTWARE hold account, LSA secret and installed-software data respectively, none of which record device connections.

849
MCQ · easy

During a forensic investigation, an analyst needs to recover recently deleted files from a FAT32 partition. Which of the following techniques is MOST effective for recovering files whose directory entries have been marked as deleted but the clusters have not yet been overwritten?

A. Running 'scalpel' to extract fragments and reassemble based on metadata
B. Using the 'foremost' tool to perform file carving based on file headers and footers
C. Using 'dd' to create a raw image and then 'photorec' to recover based on file signatures
D. Editing the directory entry's first byte from 0xE5 to the original character and recalculating the FAT chain
Answer: D

Restoring the first byte makes the entry visible again. Because FAT marks the file's clusters free on deletion, the FAT chain itself is gone; only the starting cluster and file size survive in the entry, so recovery reconstructs the chain by assuming the clusters were allocated contiguously.

Why this answer

FAT32 marks a deleted file by overwriting the first byte of its directory entry with 0xE5; the rest of the entry, including the starting cluster and the file size, stays intact, but the FAT entries for the file's clusters are zeroed (marked free). If those clusters have not been reused, the file is recovered by restoring a first character (the original is unrecoverable, so tools substitute one), reading ceil(size / cluster size) clusters from the starting cluster, and truncating to the recorded size. This works for contiguous files; fragmented files require reconstructing the chain by hand. On FAT32, Windows may also clear the high 16 bits of the starting cluster field on delete, so files that started beyond cluster 65,535 lose part of their start address as well. File carving (options A-C) is used when directory entries have been overwritten or the file system metadata is gone.
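Added example, not code from the question bank or any forensic tool: a miniature FAT32 volume built in memory so the recovery described above can be run end to end. It parses the 32-byte directory entry layout (name at offset 0, attributes at 11, starting cluster high word at 20 and low word at 26, size at 28), simulates what the driver does on delete (0xE5 marker, FAT entries zeroed), shows that walking the FAT now yields nothing, and then recovers the file under the contiguous-allocation assumption. The cluster size, file content and FAT layout are assumptions for the demonstration.

```python
import math
import struct

CLUSTER_SIZE = 2048               # assumption: 4 sectors of 512 bytes
FAT32_EOC = 0x0FFFFFFF            # end-of-chain marker (top 4 bits are reserved)
DELETED_MARK = 0xE5

def make_dir_entry(name_8_3, first_cluster, size):
    """Build a 32-byte FAT directory entry for a regular file (timestamps left zero)."""
    base, ext = name_8_3.upper().split(".")
    raw = bytearray(32)
    raw[0:8] = base.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = 0x20                                              # ATTR_ARCHIVE
    struct.pack_into("<H", raw, 20, first_cluster >> 16)        # first cluster, high word
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)     # first cluster, low word
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)

def parse_dir_entry(raw):
    if len(raw) != 32:
        raise ValueError("directory entries are exactly 32 bytes")
    deleted = raw[0] == DELETED_MARK
    base = (b"_" + raw[1:8]) if deleted else raw[0:8]   # first character is lost on delete
    name = base.decode("ascii").rstrip() + "." + raw[8:11].decode("ascii").rstrip()
    hi, = struct.unpack_from("<H", raw, 20)
    lo, = struct.unpack_from("<H", raw, 26)
    size, = struct.unpack_from("<I", raw, 28)
    return {"name": name, "deleted": deleted, "attr": raw[11],
            "first_cluster": (hi << 16) | lo, "size": size}

def walk_fat_chain(fat, start):
    """Follow a FAT chain. Stops at a free entry (0), so a deleted file's
    chain walk returns [] even though its data may still be on disk."""
    chain, cur = [], start
    while 2 <= cur < len(fat) and fat[cur] != 0:
        chain.append(cur)
        nxt = fat[cur] & 0x0FFFFFFF
        if nxt >= 0x0FFFFFF8:                         # end of chain
            break
        cur = nxt
    return chain

def cluster_offset(cluster):
    return (cluster - 2) * CLUSTER_SIZE              # cluster 2 is the first data cluster

def recover_contiguous(entry, data_area):
    """Recover a deleted file assuming its clusters were allocated contiguously."""
    n = math.ceil(entry["size"] / CLUSTER_SIZE)
    start = cluster_offset(entry["first_cluster"])
    return bytes(data_area[start:start + n * CLUSTER_SIZE])[:entry["size"]]

def delete_file(fat, entry_raw):
    """What the file system driver does on delete: mark the entry, free the chain."""
    entry = parse_dir_entry(entry_raw)
    for c in walk_fat_chain(fat, entry["first_cluster"]):
        fat[c] = 0
    return bytes([DELETED_MARK]) + entry_raw[1:]

# Constructed miniature volume: a FAT with 12 entries and 8 data clusters,
# holding one 5000-byte file in clusters 5, 6 and 7.
CONTENT = (b"Quarterly report, draft 3\n" * 250)[:5000]

def build_sample_volume():
    fat = [0] * 12
    fat[0], fat[1] = 0x0FFFFFF8, FAT32_EOC           # media descriptor / reserved entries
    fat[5], fat[6], fat[7] = 6, 7, FAT32_EOC
    data = bytearray(8 * CLUSTER_SIZE)
    data[cluster_offset(5):cluster_offset(5) + len(CONTENT)] = CONTENT
    return fat, data, make_dir_entry("REPORT.TXT", 5, len(CONTENT))

if __name__ == "__main__":
    fat, data, live = build_sample_volume()
    deleted = delete_file(fat, live)
    e = parse_dir_entry(deleted)
    print(e["name"], "chain after delete:", walk_fat_chain(fat, e["first_cluster"]))
    print("recovered:", recover_contiguous(e, data) == CONTENT)
```

On a real image, check that none of the clusters in the recovered range are allocated to a live file (the FAT entry is non-zero) before trusting the result; a reused cluster means the recovered data is partly another file.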

850
Multi-Select · easy

Which TWO of the following are types of write blockers used in forensic imaging? (Select two.)

Select 2 answers
A. Encryption write blocker
B. Network write blocker
C. Hash write blocker
D. Hardware write blocker
E. Software write blocker
Answers: D, E

Hardware write blockers are physical devices.

Why this answer

Hardware write blockers (Option D) are physical devices that sit between the suspect drive and the forensic workstation, intercepting and blocking any write commands at the SATA/IDE/USB bus level. They ensure that no data is altered on the source drive during imaging by preventing write commands from ever reaching the drive. Software write blockers (Option E) achieve the same goal in the operating system or driver: for example, the Windows StorageDevicePolicies\WriteProtect registry value blocks writes to USB mass-storage devices, and on Linux a device can be set read-only with blockdev --setro before anything mounts it. Hardware blockers are preferred because they do not depend on the host OS behaving correctly, and both should be validated with a test write before use on evidence.

Exam trap

EC-Council often tests the distinction between integrity verification (hashing) and write prevention, leading candidates to mistakenly select 'Hash write blocker' as a valid type.

851
Multi-Select · hard

During a malware investigation, an analyst examines a suspicious file that appears to have been timestomped. Which THREE of the following techniques or tools can be used to detect timestamp manipulation on Windows?

Select 3 answers
A. Examining the file’s $STANDARD_INFORMATION vs $FILE_NAME timestamps using tools like MFT2CSV
B. Capturing network traffic with Wireshark
C. Using Regshot to compare registry snapshots
D. Running the Timestomp tool to analyze the file’s timestamp attributes
E. Analyzing the USN journal for file modification records
Answers: A, D, E

Timestomping often changes $SI but not $FN; comparing them can reveal manipulation.

Why this answer

Option A is correct because timestomping tools modify the $STANDARD_INFORMATION timestamps, which the Windows API (SetFileTime) exposes, while the $FILE_NAME timestamps are maintained by the kernel and cannot be set from user mode; $FN therefore retains the timestamps from when the file was created or last moved or renamed. Tools like MFT2CSV or analyzeMFT parse the MFT so the two sets can be compared: $SI timestamps earlier than the $FN creation time, or $SI values with the sub-second field zeroed while $FN keeps 100 ns precision, indicate manipulation. The caveat is that a legitimate move or rename also updates $FN, so a discrepancy should be corroborated with the USN journal ($Extend\$UsnJrnl, Option E), which records the actual sequence of changes and their reasons, and with $LogFile. Option D refers to Timestomp, the anti-forensic utility from the Metasploit project,  whose -v option displays a file's current MACE values; it shows $SI only and cannot reveal $FN, so on its own it is a viewer rather than a detector.

Exam trap

EC-Council often tests the distinction between filesystem metadata attributes (SI vs FN) and common forensic tools, leading candidates to mistakenly think network or registry analysis can detect timestamp manipulation.
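Added example (not from the question bank or from MFT2CSV): the $SI versus $FN comparison as a function over already-parsed MFT timestamps. NTFS stores each timestamp as a FILETIME (100-nanosecond ticks since 1601-01-01 UTC), so the block includes the conversion both ways and checks the two signals named above: $SI values earlier than the $FN creation time, and $SI values that are whole seconds while $FN still carries sub-second ticks. The two records at the bottom are constructed, not taken from a real MFT.

```python
from datetime import datetime, timedelta, timezone

# NTFS timestamps are FILETIME values: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    # integer arithmetic: a float would lose precision at 1e16 microseconds
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def subsecond_ticks(ft):
    return ft % TICKS_PER_SECOND

ATTR_KEYS = ("created", "modified", "mft_modified", "accessed")

def timestomp_indicators(si, fn):
    """Compare the $STANDARD_INFORMATION and $FILE_NAME timestamp sets of one
    MFT record (dicts of FILETIME ints keyed by ATTR_KEYS). Returns a list of
    human-readable indicators; an empty list means nothing anomalous."""
    hits = []
    # Timestomping through the Windows API typically writes whole seconds;
    # the kernel-maintained $FN values keep their 100 ns remainder.
    if (all(subsecond_ticks(si[k]) == 0 for k in ATTR_KEYS)
            and any(subsecond_ticks(fn[k]) for k in ATTR_KEYS)):
        hits.append("$SI timestamps are whole seconds while $FN keeps sub-second precision")
    # $FN creation is set when the file is created or moved/renamed. $SI values
    # before it mean $SI was set backwards, or the file was moved; the USN
    # journal distinguishes the two.
    if si["created"] < fn["created"]:
        hits.append("$SI creation time predates $FN creation time")
    if si["modified"] < fn["created"]:
        hits.append("$SI modification time predates $FN creation time")
    return hits

def _ft(*args):
    """FILETIME for a UTC datetime given as datetime() arguments."""
    return datetime_to_filetime(datetime(*args, tzinfo=timezone.utc))

# Constructed records, not from a real MFT.
GENUINE_FN = {k: _ft(2024, 5, 3, 9, 15, 22, 123456) for k in ATTR_KEYS}
GENUINE_SI = dict(GENUINE_FN)
GENUINE_SI["modified"] = _ft(2024, 5, 4, 17, 2, 9, 654321)      # a later, legitimate edit
STOMPED_FN = dict(GENUINE_FN)
STOMPED_SI = {k: _ft(2019, 1, 1, 0, 0, 0) for k in ATTR_KEYS}    # backdated, whole seconds

if __name__ == "__main__":
    for label, si, fn in (("genuine", GENUINE_SI, GENUINE_FN), ("stomped", STOMPED_SI, STOMPED_FN)):
        print(label, filetime_to_datetime(si["created"]).isoformat(), timestomp_indicators(si, fn) or "clean")
```

Feed it the SI/FN columns from an MFT2CSV or analyzeMFT export (converted back to FILETIME or compared as datetimes) and triage the hits against the USN journal before calling anything timestomped.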

852
Multi-Select · easy

Which TWO of the following are types of slack space that can contain forensic evidence?

Select 2 answers
A. Volume slack
B. Index slack
C. Swap space
D. Buffered slack
E. RAM slack
Answers: A, E

Why this answer

Volume slack is the unused space between the end of the file system and the end of the partition. When a file system is smaller than the partition it resides on, the remaining space (volume slack) can contain remnants of previously stored data, making it a valuable source of forensic evidence. RAM slack is the part of a file's final sector between the end of the file data and the end of that sector; older versions of Windows (95/98) padded it with whatever happened to be in memory, which could include passwords or document fragments, while modern systems zero-fill it. The rest of the last cluster beyond that sector is drive (disk) slack, which can still hold data from a previously deleted file; RAM slack and drive slack together make up file slack. Swap space is a real artifact but a separate one, not a kind of slack.

Exam trap

EC-Council often tests the distinction between 'volume slack' and 'RAM slack' as the two correct types, while distractors like 'swap space' or 'index slack' are common misconceptions that candidates mistake for legitimate slack space categories.

853
MCQ · medium

A forensic analyst is reviewing Microsoft IIS logs and finds the entry: 192.168.1.50, -, 10/Feb/2025:14:22:10 +0000, GET /scripts/..%c1%af../winnt/system32/cmd.exe, 404. Which attack technique is indicated by the encoded characters in the URI?

A. Directory listing attempt
B. SQL injection (SQLi)
C. Cross-site scripting (XSS)
D. Path traversal attack using Unicode encoding
Answer: D

0xC0 and 0xC1 never occur as lead bytes in valid UTF-8; a %c1 sequence wedged between two '..' segments is an attempt to smuggle a path separator past a filter that checks for '../' before decoding.

Why this answer

The ..%c1%af.. sequence is a path traversal attempt using an overlong (non-shortest-form) UTF-8 encoding. Applying the two-byte UTF-8 formula without the validity check that rejects overlong forms turns %c0%af into '/' (0x2F) and %c1%9c into '\' (0x5C); a decoder that accepts such sequences converts them to separators after the URL has already passed the '../' filter, so a request like /scripts/..%c0%af../winnt/system32/cmd.exe reaches cmd.exe. A strict UTF-8 decoder rejects any 0xC0 or 0xC1 lead byte outright, which is both the fix and a cheap detection rule for log review. The 404 in this entry shows the request failed on this server; the attempt itself is the indicator, and the same client should be checked for the %c0%af, %c1%9c and %255c variants.
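Added example (not from the question bank): the detection rule above as code. It percent-decodes a request path once, checks for literal '../' or '..\' in the decoded bytes, flags any byte that can never start a valid UTF-8 sequence (0xC0, 0xC1, 0xF5-0xFF), and reports whether a strict decoder would accept the bytes. It also applies the lenient two-byte formula so the '/' and '\' arithmetic can be checked. The comma-separated entry from the question is parsed by a small splitter that assumes the layout shown there (client, user, timestamp, request, status); that layout is an assumption, since IIS normally writes W3C extended format.

```python
from urllib.parse import unquote_to_bytes

# Bytes that can never start a valid UTF-8 sequence (RFC 3629): 0xC0/0xC1 only
# produce overlong 2-byte forms and 0xF5-0xFF lie outside the code space.
INVALID_LEAD = set(range(0xC0, 0xC2)) | set(range(0xF5, 0x100))

def lenient_two_byte(lead, cont):
    """The 2-byte UTF-8 formula with no overlong or range check, i.e. what a
    decoder that accepts non-shortest forms produces from the pair."""
    return chr(((lead & 0x1F) << 6) | (cont & 0x3F))

def strict_utf8_ok(data):
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def classify_path(raw_path):
    """Percent-decode once and look for traversal evidence in the raw bytes."""
    data = unquote_to_bytes(raw_path)
    reasons = []
    if b"../" in data or b"..\\" in data:
        reasons.append("literal '../' or '..\\' after percent-decoding")
    bad = [i for i, b in enumerate(data) if b in INVALID_LEAD]
    if bad:
        reasons.append("byte that is never a valid UTF-8 lead byte")
    if any(data[i - 2:i] == b".." for i in bad if i >= 2):
        reasons.append("'..' immediately followed by an invalid multibyte sequence")
    return {"decoded": data, "strict_utf8": strict_utf8_ok(data),
            "traversal": bool(reasons), "reasons": reasons}

def parse_exhibit_entry(line):
    """Split the comma-separated entry shown in the question. Assumed layout:
    client, user, timestamp, request, status."""
    client, user, ts, request, status = [p.strip() for p in line.split(",")]
    method, path = request.split(" ", 1)
    return {"client": client, "user": user, "timestamp": ts,
            "method": method, "path": path, "status": int(status)}

# The entry from the question, reproduced verbatim.
EXHIBIT = "192.168.1.50, -, 10/Feb/2025:14:22:10 +0000, GET /scripts/..%c1%af../winnt/system32/cmd.exe, 404"

if __name__ == "__main__":
    entry = parse_exhibit_entry(EXHIBIT)
    verdict = classify_path(entry["path"])
    print(entry["client"], entry["status"], "traversal" if verdict["traversal"] else "clean")
    for r in verdict["reasons"]:
        print("  -", r)
    print("C0 AF ->", repr(lenient_two_byte(0xC0, 0xAF)), " C1 9C ->", repr(lenient_two_byte(0xC1, 0x9C)))
```

Note that under the textbook formula 0xC1 0xAF yields 'o' (0x6F), not '/', so the exhibit entry is flagged by the invalid-lead-byte rule rather than by the character it decodes to; that rule is the one to keep, because it catches every overlong variant regardless of which separator the attacker was aiming for. Double-encoded forms such as %255c need a second unquote pass before the same checks.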

854
Multi-Select · medium

An incident responder is analyzing a compromised Windows workstation. Which TWO artifacts would provide the STRONGEST evidence of a malware persistence mechanism?

Select 2 answers
A. Event log entry for user login
B. Registry Run key referencing a suspicious path
C. Scheduled Task entry pointing to a malicious executable
D. Network share access logs
E. Browser history showing download of a suspicious file
Answers: B, C

Both are autostart locations: an entry in a Run key or a scheduled task re-executes the referenced binary after a reboot or logon.

Why this answer

The Registry Run key (e.g., `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`) is a classic and widely used persistence mechanism. A suspicious path under this key directly indicates that the malware is configured to execute automatically at user logon, providing strong evidence of persistence. This is a core artifact in Windows forensics for identifying auto-starting malware.

Exam trap

EC-Council often tests the distinction between infection vector artifacts (like browser history) and persistence mechanism artifacts (like Run keys or scheduled tasks), trapping candidates who confuse how malware arrives with how it survives a reboot.

855
MCQhard

An analyst extracts an iTunes backup from a Windows computer. The backup contains a file manifest.plist with cryptographic hashes. What is the primary purpose of these hashes in the backup process?

A.To compress the backup data
B.To verify the integrity of the backup files
C.To index the backup for faster searching
D.To encrypt the backup files
AnswerB

Hashes ensure files haven't been altered.

Why this answer

The cryptographic hashes in an iTunes backup's manifest.plist file are used to verify the integrity of the backup files. Each hash corresponds to a file in the backup, allowing the system to detect any corruption or tampering by comparing the stored hash against a newly computed hash of the file data.

Exam trap

EC-Council often tests the distinction between integrity verification (hashing) and confidentiality (encryption), so candidates may confuse the purpose of hashes with encryption or compression.

How to eliminate wrong answers

Option A is wrong because hashes do not compress data; compression is achieved through algorithms like zlib or LZMA, not cryptographic hashing. Option C is wrong because hashes are not used for indexing or searching; indexing is typically handled by separate metadata or database files (e.g., Manifest.db). Option D is wrong because hashes do not encrypt data; encryption in iTunes backups is performed using AES-256 with a key derived from the user's password, while hashes only provide integrity verification.

856
Multi-Selectmedium

A first responder is responding to a ransomware incident on a Windows server. Which TWO actions should be performed to preserve evidence? (Choose two.)

Select 2 answers
A.Run an antivirus scan to remove the ransomware.
B.Power off the server to prevent further data encryption.
C.Restore the system from backup to minimize downtime.
D.Capture a memory dump using a forensic tool.
E.Disconnect the network cable immediately.
AnswersB, D

Powering off stops the ransomware and preserves the disk state.

Why this answer

Option B is correct because powering off the server preserves the encrypted state of the disk and prevents the ransomware from continuing to encrypt additional files or communicate with its command-and-control server. In a ransomware incident, immediate shutdown halts the encryption process and preserves the volatile evidence on disk, such as the ransomware binary and encrypted files, for forensic analysis.

Exam trap

The trap here is that candidates often confuse 'disconnecting the network' (Option E) as sufficient to stop encryption, but ransomware runs locally and continues encrypting until the process is terminated or the system is powered off.

857
MCQhard

An analyst is examining a USB drive that appears to have a smaller capacity than expected. The drive is detected as 8 GB but only 7 GB is accessible. Which of the following is the most likely cause?

A.The file system uses a cluster size that wastes space
B.The drive is formatted with FAT32 which has a 4 GB file size limit
C.The drive has a Host Protected Area (HPA) hiding 1 GB
D.The drive contains a hidden partition
AnswerC, D

Correct: HPA can hide a portion of the drive from the OS.

Why this answer

The missing space could be due to an HPA (Host Protected Area) or DCO (Device Configuration Overlay) configured to hide the additional space.

858
MCQhard

An analyst recovers a disk image from a Linux server that used ext4. The image shows a superblock backup at multiple offsets. Which dd command would correctly extract the backup superblock located at offset 32768 bytes?

A.dd if=image.dd of=superblock.bin bs=4096 skip=8 count=1
B.dd if=image.dd of=superblock.bin bs=512 skip=64 count=2
C.dd if=image.dd of=superblock.bin bs=1024 skip=32 count=1
D.dd if=image.dd of=superblock.bin bs=32768 skip=1 count=1
AnswerB

bs=512, skip=64 (offset 32768/512), count=2 (1024/512).

Why this answer

To extract the backup superblock at offset 32768 with size 1024 bytes, dd needs skip=32768/512=64 and count=1024/512=2.

859
Multi-Selecteasy

Which TWO of the following are valid acquisition types in mobile forensics, ranked from most to least data recovered?

Select 2 answers
A.Manual
B.Physical
C.Cloud
D.Logical
E.File system
AnswersB, D

Bit-for-bit image of storage, recovers deleted data.

Why this answer

Physical acquisition (option B) captures the entire flash memory bit-for-bit, including deleted files and unallocated space, providing the most complete data recovery. Logical acquisition (option D) extracts only active files and system data via the operating system's API, yielding less data than physical but more than manual or cloud methods. Together, they represent the two valid acquisition types ranked from most to least data recovered in mobile forensics.

Exam trap

EC-Council often tests the distinction between primary acquisition types (physical and logical) and secondary methods (manual, cloud, file system), expecting candidates to recognize that file system acquisition is a subset of logical, not a separate category, and that cloud acquisition is not device-centric.

860
Multi-Selecthard

Which TWO of the following are common indicators of a rootkit infection on a Windows system?

Select 2 answers
A.High CPU usage by svchost.exe
B.System calls returning inconsistent results
C.Unexpected open ports on the firewall
D.Presence of unsigned kernel drivers
E.Hidden processes not visible in Task Manager
AnswersB, E

Rootkits hook system calls to return false information.

Why this answer

Option B is correct because rootkits operate at the kernel level, intercepting system calls to hide their presence. When a system call (e.g., NtQuerySystemInformation) is invoked, the rootkit modifies the return data to exclude malicious processes or files, causing the results to be inconsistent with the actual system state. This is a classic symptom of a kernel-mode rootkit that has hooked the System Service Dispatch Table (SSDT).

Exam trap

Cisco often tests the distinction between generic malware symptoms (like high CPU or open ports) and rootkit-specific stealth behaviors, so candidates mistakenly choose obvious signs of compromise rather than the subtle, kernel-level inconsistencies that uniquely identify a rootkit.

861
Multi-Selecthard

Which THREE of the following are challenges specific to forensic analysis of solid-state drives (SSDs) compared to traditional hard disk drives? (Select 3)

Select 3 answers
A.TRIM command may permanently erase deleted data
B.SSDs have platters that can be degaussed to destroy data
C.SSDs are slower to image because of rotational latency
D.Garbage collection can erase blocks containing deleted files before acquisition
E.Wear leveling moves data across blocks, complicating file system analysis
AnswersA, D, E

TRIM informs the SSD to erase blocks, making recovery impossible.

Why this answer

SSDs have TRIM, wear leveling, and garbage collection that can destroy data or make recovery difficult.

862
Multi-Selectmedium

Which TWO of the following are common challenges in SSD forensics that can hinder data recovery?

Select 2 answers
A.File fragmentation
B.TRIM
C.Bad sectors
D.NTFS permissions
E.Wear levelling
AnswersB, E

TRIM erases blocks upon deletion, preventing recovery.

Why this answer

TRIM is a command that allows an operating system to inform an SSD which data blocks are no longer in use and can be wiped internally. When TRIM is enabled, the SSD's controller immediately erases those blocks, making the original data unrecoverable by forensic tools because the physical cells are reset to an unprogrammed state. This directly hinders data recovery because the data is permanently removed at the hardware level before any forensic acquisition can occur.

Exam trap

EC-Council often tests the misconception that file fragmentation (Option A) is a major SSD forensic challenge, but the trap is that fragmentation is handled internally by the SSD controller and does not impede forensic recovery like TRIM and wear levelling do.

863
MCQmedium

A Linux system administrator notices unusual outbound connections from a server. Which log file should be examined FIRST to identify authentication attempts related to the compromised account?

A./var/log/messages
B./var/log/auth.log
C./var/log/secure
D./var/log/syslog
AnswerB

Auth.log is the default log for authentication events on many Linux distributions.

Why this answer

/var/log/auth.log records authentication-related events such as login attempts, SSH connections, and sudo commands. It is the primary log for investigating unauthorized access.

864
MCQmedium

In cloud forensics, which AWS service logs API calls for governance, compliance, and operational auditing, and is the primary source for detecting unauthorized access?

A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch
D.AWS GuardDuty
AnswerA

CloudTrail logs all API calls for auditing and security analysis.

Why this answer

AWS CloudTrail is the service that records API activity in the AWS account, providing logs for security analysis, incident investigation, and compliance auditing.

865
MCQhard

During a Linux forensic investigation, you find that the /var/log/auth.log file contains log entries showing multiple 'Failed password for root' messages from a single IP address, followed by an 'Accepted password for root' entry. What is the MOST likely conclusion?

A.An attacker successfully brute-forced the root password
B.The root user accidentally mistyped the password multiple times
C.The system was compromised via a privilege escalation exploit
D.The root account has been locked out due to multiple failures
AnswerA

Failed attempts followed by an accepted login from the same IP indicate a successful brute force.

Why this answer

The pattern suggests a successful brute-force attack: multiple failed attempts and then a successful authentication from the same IP.

866
MCQmedium

During a forensic examination of a Linux system, the investigator runs the command 'ls -i /home/user/file.txt' and sees inode number 12345. The file was recently deleted. Which of the following is the most effective method to recover the file, assuming the inode is still accessible?

A.Run 'scalpel' with a custom configuration for the file type
B.Use 'foremost' to scan the disk for the file header/footer
C.Run 'photorec' on the disk to carve the file from unallocated space
D.Use 'debugfs' to attempt to recover the inode and its data blocks
AnswerD

Correct: debugfs can recover files by inode if the inode is still allocated.

Why this answer

The 'debugfs' tool on ext filesystems can access inodes directly to recover deleted files if the inode is still present.

867
MCQmedium

A security team detects exfiltration via HTTP POST requests to a suspicious domain. Which network forensic technique would BEST identify the data being sent in these requests?

A.Firewall log review
B.IDS alert correlation
C.Wireshark packet capture with HTTP follow stream
D.NetFlow analysis
AnswerC

Wireshark captures full packets and can reassemble HTTP streams to view POST data.

Why this answer

Wireshark can capture and display the full packet contents, including HTTP POST body data, allowing analysis of exfiltrated data.

868
MCQhard

During an incident response, a first responder needs to collect evidence from a Linux server that is still running. The server has sensitive data and cannot be shut down. Which technique is BEST for acquiring a forensic image of the hard disk?

A.Use dd if=/dev/sda of=/mnt/evidence/image.dd conv=noerror,sync
B.Use dd if=/dev/sda of=/mnt/evidence/image.dd bs=4M
C.Use dd if=/dev/mapper/root of=/mnt/evidence/image.dd
D.Use dd if=/dev/sda1 of=/mnt/evidence/image.dd
AnswerB

dd copying the entire disk (/dev/sda) creates a complete forensic image.

Why this answer

Option B is correct because it uses dd with a 4M block size, which improves acquisition speed while still producing a bit-for-bit forensic image of the entire disk (/dev/sda). The conv=noerror,sync option in A is unnecessary for a live acquisition from a healthy disk and can mask read errors, while B's larger block size is more efficient for imaging a running system without shutdown.

Exam trap

EC-Council often tests the misconception that conv=noerror,sync is always required for forensic imaging, but in a live, healthy server scenario, it can introduce artifacts and is not the best practice.

How to eliminate wrong answers

Option A is wrong because conv=noerror,sync pads bad blocks with zeros, which can hide read errors and corrupt the forensic integrity of the image; it is typically used for failing disks, not for a live, healthy server. Option C is wrong because /dev/mapper/root targets a logical volume (LVM) rather than the physical disk, missing partition tables, boot sectors, and unallocated space essential for a complete forensic image. Option D is wrong because /dev/sda1 is only the first partition, not the entire disk, so it omits other partitions, MBR/GPT, and unallocated areas.

869
Multi-Selecteasy

Which TWO of the following are types of evidence recognized in legal proceedings? (Select two.)

Select 2 answers
A.Corroborative evidence
B.Direct evidence
C.Demonstrative evidence
D.Circumstantial evidence
E.Primary evidence
AnswersB, D

Direct evidence proves a fact directly, e.g., eyewitness testimony.

Why this answer

Direct evidence (B) is recognized because it directly proves a fact without requiring any inference, such as a witness testifying they saw the defendant commit the crime. Circumstantial evidence (D) is also recognized as it relies on inference to connect a fact to a conclusion, like a log file showing a user logged in at the time of an incident. Both are admissible in legal proceedings under the Federal Rules of Evidence (FRE) and similar frameworks.

Exam trap

EC-Council often tests the misconception that 'corroborative evidence' or 'demonstrative evidence' are primary legal categories, when in fact they are subcategories or procedural tools, not the two fundamental types recognized in court (direct and circumstantial).

870
MCQeasy

Which cloud service log is most appropriate for tracking API calls and resource changes in an AWS environment?

A.AWS VPC Flow Logs
B.AWS Config
C.AWS CloudTrail
D.AWS CloudWatch Logs
AnswerC

CloudTrail records all API calls and resource changes for auditing.

Why this answer

AWS CloudTrail is the service that records API activity and resource changes.

871
MCQhard

An analyst reviews the Windows Registry for USB device usage history. Which registry hive and key contain the 'USBSTOR' key that logs unique serial numbers of connected USB drives?

A.HKLM\SAM\SAM\Domains\Account\Users
B.HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
C.HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
D.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
AnswerC

This is the correct location for USB storage device history.

Why this answer

USBSTOR is located under SYSTEM\CurrentControlSet\Enum\USBSTOR, which records USB storage device identifiers.

872
MCQmedium

During a Linux forensic investigation, you find that the file /var/log/auth.log has been deleted. Which of the following artefacts would BEST help determine recent SSH login attempts?

A.Contents of /etc/shadow
B.Bash history from /root/.bash_history
C.Cron job entries in /etc/crontab
D.Output of the 'last' command
AnswerD

'last' shows login records from /var/log/wtmp, useful for recent SSH attempts.

Why this answer

The 'last' command reads /var/log/wtmp, which records all logins and logouts, including SSH sessions.

873
MCQmedium

During an investigation, an analyst creates a forensic image of a hard drive using FTK Imager and computes the MD5 hash of the image. Later, the hash is re-computed and found to match. What does this confirm?

A.The image is an exact copy and has not been altered
B.FTK Imager is a valid forensic tool
C.The original hard drive is free of malware
D.The image was acquired without using a write blocker
AnswerA

Correct. Hashing verifies integrity.

Why this answer

A matching MD5 hash confirms that the forensic image is bit-for-bit identical to the original drive at the time of acquisition and has not been modified since. MD5 is a cryptographic hash function that produces a 128-bit digest; any change to the image, even a single bit, would produce a completely different hash. This integrity verification is a foundational step in the forensic process to ensure the evidence is admissible and untampered.

Exam trap

EC-Council often tests the distinction between integrity verification (hash matching) and other forensic steps like tool validation, malware detection, or acquisition methodology, leading candidates to conflate hash matching with broader forensic guarantees.

How to eliminate wrong answers

Option B is wrong because a hash match does not validate the tool itself; FTK Imager's validity as a forensic tool is established through testing, certification, and peer review, not by a hash comparison. Option C is wrong because a hash match only verifies the integrity of the image, not the contents of the original drive; malware could still be present on the original drive or in the image. Option D is wrong because the use of a write blocker is a separate procedural requirement to prevent alteration of the source drive during acquisition; a matching hash does not confirm whether a write blocker was used or not.

874
MCQmedium

Which type of evidence is a witness's statement that they saw someone log into a computer?

A.Hearsay evidence
B.Best evidence
C.Circumstantial evidence
D.Direct evidence
AnswerD

Correct. The witness directly observed the act.

Why this answer

Direct evidence is testimony or other proof that directly proves a fact without requiring any inference. A witness's statement that they saw someone log into a computer is direct evidence because it is based on the witness's firsthand observation of the act itself, not on any deduction or assumption. In digital forensics, direct evidence can include eyewitness accounts of specific actions on a system, such as entering credentials or accessing files.

Exam trap

EC-Council often tests the distinction between direct and circumstantial evidence by presenting a scenario where a witness sees a result (e.g., a screen displaying a file) and candidates mistakenly classify it as direct evidence of the action (e.g., file access) when it is actually circumstantial evidence requiring an inference.

How to eliminate wrong answers

Option A is wrong because hearsay evidence is an out-of-court statement offered to prove the truth of the matter asserted, and a witness's firsthand observation of a login is not hearsay—it is a statement based on personal knowledge, not a secondhand report. Option B is wrong because best evidence refers to the original document or recording (e.g., the actual log file) rather than a witness's testimony; the best evidence rule typically applies to writings, recordings, or photographs, not to live testimony about an observed event. Option C is wrong because circumstantial evidence requires an inference to connect it to a fact (e.g., finding a log entry at a certain time implies someone logged in), whereas the witness directly observed the login, so no inference is needed.

875
MCQmedium

A forensic examiner finds a suspicious entry in the Linux file /etc/passwd: 'backdoor:x:0:0:root:/root:/bin/bash'. What is the MOST significant security issue with this entry?

A.The entry has no password hash
B.The home directory is set to /root
C.The UID is 0, granting root privileges
D.The shell is /bin/bash
AnswerC

UID 0 means root-level access; an account named 'backdoor' with UID 0 is a critical superuser backdoor.

Why this answer

A UID of 0 gives root privileges; the username 'backdoor' with UID 0 indicates a backdoor account with superuser access.

876
MCQeasy

Which tool is specifically designed for file carving and can recover files based on headers and footers without relying on file system metadata?

A.FTK Imager
B.Foremost
C.Autopsy
D.Volatility
AnswerB

Foremost is a command-line file carver that recovers files based on headers, footers, and data structures.

Why this answer

Foremost is a file carving tool that uses headers/footers. Autopsy and FTK have carving modules, but Foremost is dedicated to it.

877
Multi-Selecteasy

Which TWO of the following are valid methods for collecting volatile data from a live database server during an incident response?

Select 2 answers
A.Extract the file system journal
B.Take a backup of the database using mysqldump
C.Create a forensic image of the hard disk
D.Execute netstat -an to list active network connections
E.Capture a memory dump using a tool like LiME or FTK Imager
AnswersD, E

Netstat shows current connections, which are volatile.

Why this answer

Option D is correct because `netstat -an` lists all active network connections and listening ports without performing DNS resolution, which is critical for identifying unauthorized connections or ongoing data exfiltration from the live database server. This command retrieves data from the kernel's network stack, which is volatile and would be lost if the system were powered down.

Exam trap

Cisco often tests the misconception that database backups (like mysqldump) or disk imaging are valid for volatile data collection, when in fact volatile data must be captured from memory and network state before any persistent storage is touched.

878
Multi-Selecthard

Which TWO of the following are essential components of a computer forensics lab according to CHFI best practices?

Select 2 answers
A.Server farm for data processing
B.Evidence storage area with controlled access
C.Public-facing website for case management
D.Coffee machine for staff convenience
E.Forensic workstation with specialized software
AnswersB, E

Critical for evidence integrity.

Why this answer

Option B is correct because a computer forensics lab must have a secure evidence storage area with controlled access to maintain the chain of custody and prevent tampering or unauthorized access to digital evidence. CHFI best practices emphasize physical security controls, such as biometric locks or access logs, to ensure evidence integrity throughout the investigation lifecycle.

Exam trap

EC-Council often tests the distinction between 'nice-to-have' items (like coffee machines) and mandatory security components (like controlled-access evidence storage), leading candidates to select convenience over critical infrastructure.

879
MCQeasy

A forensic analyst is investigating a Windows system and needs to examine the contents of the Recycle Bin. Which file artifact contains metadata about deleted files, including original file paths and deletion times?

A.$Recycle.bin\$I
B.C:\Windows\System32\winevt\Logs
C.$Recycle.bin\$R
D.C:\Windows\Prefetch
AnswerA

$I stores the metadata including original path, deletion time, and size.

Why this answer

For each deleted file, the $Recycle.bin directory contains an $R file (the deleted file's content) and an $I file (the info file). The $I file stores metadata such as original path, deletion time, and size. This is the standard Recycle Bin artifact in NTFS.

880
MCQeasy

What is the primary purpose of the Host Protected Area (HPA) on a hard disk drive?

A.To provide a write-cache for improved performance
B.To store diagnostic data or allow vendors to hide data from the OS
C.To store the partition table when using GPT
D.To store the operating system boot loader
AnswerB

HPA is used by manufacturers for tools, diagnostics, or data hiding.

Why this answer

HPA is a reserved area on the disk that is not visible to the operating system, intended for vendor-specific data. It can be used to hide data from forensic acquisition.

881
MCQmedium

During an investigation of a suspected data exfiltration, a forensic analyst examines MySQL general query logs and finds a large number of SELECT queries retrieving customer records, followed by DELETE queries. Which of the following is the most likely conclusion?

A.An attacker exfiltrating data and then deleting the records to cover tracks
B.An attempted SQL injection attack
C.A misconfigured replication process
D.Normal database maintenance operations
AnswerA

SELECT then DELETE indicates data theft and cleanup.

Why this answer

The combination of bulk SELECT (exfiltration) followed by DELETE (cover tracks) is a classic pattern of data theft.

882
Multi-Selecthard

Which THREE of the following are common indicators of a web shell presence on a compromised IIS web server? (Select THREE.)

Select 3 answers
A.Increased 404 errors in HTTP logs
B.Process w3wp.exe making outbound connections to an unknown IP
C.Scheduled tasks that execute cmd.exe or powershell.exe
D.Anomalous files with .asp or .aspx extensions in the wwwroot directory
E.Normal GET requests to static .html pages
AnswersB, C, D

w3wp.exe is the IIS worker process; outbound connections may indicate C2.

Why this answer

Web shell indicators include anomalous files in web directories, the w3wp.exe worker process executing suspicious commands or spawning scheduled tasks, and outbound connections to C2 servers. Normal activity, by contrast, produces only log entries for legitimate requests.

883
MCQmedium

A forensic examiner needs to create a bit-for-bit copy of a suspect's hard drive for analysis. Which tool is specifically designed for this purpose and can also verify integrity using hashing?

A.Wireshark
B.Metasploit
C.Nmap
D.dd
AnswerD

dd creates raw bit-for-bit images and can be used with hashing.

Why this answer

dd is a Unix/Linux command-line tool that creates sector-by-sector copies (forensic images), and its variant dcfldd adds on-the-fly hashing. FTK Imager and EnCase also create forensic images.

884
MCQmedium

In NTFS, the $MFT file contains metadata about every file and directory on the volume. When a file is deleted, its $MFT record is marked as free. What information in the $MFT record is MOST useful for recovering a deleted file?

A.The file name attribute
B.The standard information attribute
C.The security descriptor
D.The data attribute
AnswerD

The data attribute contains data runs that specify which clusters hold the file content, essential for recovery.

Why this answer

The $MFT record contains data runs (extents) that point to the clusters where the file data is stored. Even after deletion, if the clusters have not been overwritten, these data runs can be used to recover the file content.

885
MCQmedium

In a cloud forensic investigation, the analyst needs to obtain a memory dump of a virtual machine. Which method is considered forensically sound?

A.Log into the VM and use a tool to create a crash dump
B.Copy the virtual disk file (.vmdk) and extract memory from it
C.Use a live forensic tool inside the VM to capture memory
D.Take a snapshot of the VM via the hypervisor and export the .vmem file
AnswerD

This method captures the VM's memory in a forensically sound manner.

Why this answer

Option D is forensically sound because taking a snapshot of the VM via the hypervisor and exporting the .vmem file captures the entire volatile memory state from outside the guest OS, without altering any data inside the VM. This method preserves the memory in its pristine state and avoids the contamination that occurs when executing tools inside the suspect VM.

Exam trap

Cisco often tests the misconception that a virtual disk file (.vmdk) contains memory data, when in fact it only stores persistent storage, and that live tools inside the VM are acceptable despite violating forensic soundness by altering the evidence.

How to eliminate wrong answers

Option A is wrong because logging into the VM and creating a crash dump modifies the guest OS state (e.g., writing to disk, altering page tables) and may trigger anti-forensic mechanisms, violating the principle of minimal interaction. Option B is wrong because the virtual disk file (.vmdk) contains only persistent storage data, not volatile memory; memory contents are stored in a separate .vmem or .vmsn file, and extracting memory from a disk image is technically impossible. Option C is wrong because using a live forensic tool inside the VM requires executing code within the compromised environment, which alters memory contents (e.g., overwriting pages, changing process states) and risks triggering malware or tampering with evidence.

886
Multi-Selectmedium

Which TWO Windows Event IDs are associated with successful logon or explicit credential usage? (Choose TWO.)

Select 2 answers
A.4648
B.4720
C.4624
D.4625
E.7045
AnswersA, C

4648: A logon was attempted using explicit credentials.

Why this answer

4624 is a successful logon event. 4648 indicates a logon using explicit credentials (e.g., RunAs). 4625 is failed logon, 4720 is account creation, 7045 is service install.

887
Multi-Selectmedium

In a Mac forensic investigation, which TWO artifacts are valuable for determining the timeline of file access? (Select two.)

Select 2 answers
A.ShellBags
B.Prefetch files
C.Unified logging
D.NTUSER.DAT
E.FSEvents
AnswersC, E

Unified logging provides detailed system logs including file access.

Why this answer

FSEvents logs file system changes, and unified logging captures system events including file access.

888
Multi-Selecthard

A malware analyst is performing dynamic analysis of a suspected trojan in a sandbox environment. Which of the following behaviours are strong indicators that the malware is establishing persistence on the infected system? (Select THREE.)

Select 3 answers
A.Creating a scheduled task that runs at system startup
B.Creating a Windows service named 'UpdateService'
C.Connecting to an IP address on port 443
D.Writing a value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
E.Creating a mutex named 'Global\MyMutex'
AnswersA, B, D

Scheduled tasks can trigger at boot or logon, ensuring persistence.

Why this answer

Creating a scheduled task that runs at system startup is a classic persistence mechanism. The Task Scheduler API (taskschd.dll) allows malware to register a task that executes at boot or user logon, ensuring the trojan re-executes after a reboot. This is a direct indicator of persistence because it modifies the system's startup behavior.

Exam trap

EC-Council often tests the distinction between persistence mechanisms and other malware behaviors (like network communication or inter-process synchronization), so the trap here is confusing network activity (C) or mutex creation (E) with persistence, when only startup-modifying actions (A, B, D) qualify.

889
Multi-Selecteasy

Which TWO of the following are common hashing algorithms used to verify the integrity of forensic images? (Select two.)

Select 2 answers
A.AES
B.SHA-1
C.Blowfish
D.RSA
E.MD5
AnswersB, E

SHA-1 is widely used in forensics.

Why this answer

MD5 and SHA-1 are widely used hash functions for integrity verification in digital forensics. SHA-256 is also used but less common in legacy contexts.

890
MCQmedium

During a forensic analysis of a drive, the examiner discovers a Host Protected Area (HPA). What is the primary purpose of an HPA?

A.To store the file system journal
B.To accelerate disk read/write operations
C.To provide a hidden storage area not visible to the OS
D.To store backup copies of the MBR
AnswerC

HPA is a reserved area that is not accessible via standard OS commands.

Why this answer

HPA is a region on ATA drives that is hidden from the operating system, often used by manufacturers for diagnostic tools or to hide data.

891
MCQmedium

A security analyst reviews the following Apache access log entry: 192.168.1.10 - - [15/May/2025:10:15:23 +0000] "GET /search.php?q=1'%20OR%20'1'='1 HTTP/1.1" 200 5321 "-" "Mozilla/5.0". Which type of attack is most likely indicated?

A.Cross-site scripting (XSS)
B.Path traversal
C.Remote file inclusion
D.SQL injection (SQLi)
AnswerD

The payload ' OR '1'='1 is a classic SQL injection attempt to bypass authentication or extract data.

Why this answer

The log shows a GET request with a SQL injection payload (1' OR '1'='1) in the 'q' parameter. The HTTP 200 response indicates the server processed the request; it confirms the attempt, though on its own it does not show whether the injection succeeded.

892
MCQ · medium

During a malware investigation, an analyst discovers a suspicious file with a hash value that matches known malware. However, the file fails to execute and does not exhibit any malicious behavior in a sandbox. What is the most likely reason for this discrepancy?

A. The file is a false positive and is actually benign
B. The sandbox is not updated with the latest signatures
C. The file's metadata has been modified to evade analysis
D. The file is packed or obfuscated to prevent execution in a sandbox
Answer: D

Packing can prevent execution until unpacked, causing the sandbox to not observe malicious behavior.

Why this answer

Option D is correct because malware authors often use packing or obfuscation techniques to prevent the malicious payload from executing in an analysis environment. The packed code requires a specific unpacking routine or trigger (e.g., a specific system call, registry key, or timing condition) that the sandbox does not provide, causing the file to appear inert. This is a common anti-sandbox technique distinct from simple signature evasion.

Exam trap

Cisco often tests the distinction between detection evasion (e.g., hash modification) and execution evasion (e.g., packing/obfuscation), trapping candidates who assume a matching hash guarantees malicious behavior.

How to eliminate wrong answers

Option A is wrong because the hash matches known malware, making a false positive highly unlikely; hash collisions are extremely rare and not a plausible explanation. Option B is wrong because signature updates are irrelevant when the hash already matches known malware; the issue is execution, not detection. Option C is wrong because modifying metadata (e.g., timestamps, file attributes) does not prevent execution; it only affects forensic artifacts and file identification, not runtime behavior.

893
MCQ · hard

During a Docker forensics investigation, an analyst needs to identify the commands executed within a deleted container. Which of the following approaches is MOST effective to retrieve this information?

A. Check the Docker daemon logs for container start/stop events
B. Search the host filesystem for the container's log files in /var/lib/docker/containers
C. Use `docker inspect` on the container ID
D. Examine the container's image layers using `docker history`
Answer: B

Container logs (stdout/stderr) are stored in JSON files under the container ID directory. If not overwritten, they contain the commands' output.

Why this answer

Docker stores container logs in JSON files on the host. Even after a container is removed, its logs may remain on the host filesystem under /var/lib/docker/containers until cleaned. Inspecting image layers only shows filesystem changes, not runtime commands.

894
Multi-Select · medium

Which TWO of the following are valid indicators of email spoofing when analyzing email headers?

Select 2 answers
A. The 'From' header domain matches the 'Return-Path' domain
B. The 'DKIM-Signature' header validates successfully
C. The 'Received-SPF' header shows 'fail'
D. The 'Message-ID' header contains the sender's IP address
E. The 'Reply-To' header differs from the 'From' header
Answers: C, E

SPF fail indicates the sending server is not authorized to send for the domain.

Why this answer

SPF failure and a mismatch between Reply-To and From are common signs of spoofing.

895
Multi-Select · hard

During dynamic analysis of a malware sample, an analyst observes the following: creation of a mutex named `Global\{9A2D7E1C-3F4B-4A5E-9B8C-1D2E3F4A5B6C}`, a registry key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` named `WindowsUpdate`, and outbound TCP traffic to `203.0.113.5:443`. Which THREE of the following indicators of compromise (IoCs) should be documented?

Select 3 answers
A. Outbound TCP to `203.0.113.5:443`
B. SHA256 hash of the malware sample
C. Mutex name `Global\{9A2D7E1C-3F4B-4A5E-9B8C-1D2E3F4A5B6C}`
D. File path `C:\Windows\System32\notepad.exe`
E. Registry key `HKCU\...\Run\WindowsUpdate`
Answers: A, C, E

C2 communication.

Why this answer

Option A is correct because outbound TCP traffic to a specific IP address and port (203.0.113.5:443) is a classic network-based indicator of compromise (IoC). During dynamic analysis, this demonstrates the malware's command-and-control (C2) communication, often using HTTPS over port 443 to blend with legitimate traffic. Documenting this IoC allows defenders to block the endpoint and detect similar infections via network monitoring.

Exam trap

Cisco often tests the distinction between static IoCs (like file hashes) and dynamic IoCs (like network traffic, mutex names, and registry modifications) to see if candidates understand that dynamic analysis focuses on behavioral artifacts, not file-level attributes.

896
Multi-Select · medium

Which TWO of the following tools are commonly used for file carving in forensic investigations?

Select 2 answers
A. Autopsy
B. PhotoRec
C. Foremost
D. EnCase
E. Wireshark
Answers: B, C

PhotoRec is a file carving tool that recovers many file types.

Why this answer

Foremost and PhotoRec are popular file carving tools. EnCase and FTK are suites that include carving but are not exclusively carving tools; the question asks for tools commonly used for carving.

897
Multi-Select · medium

Which TWO of the following are requirements for evidence to be admissible in court? (Select two.)

Select 2 answers
A. Evidence must be reliable
B. Evidence must be encrypted
C. Evidence must be stored on a write-blocked drive
D. Evidence must be obtained by the police
E. Evidence must be relevant
Answers: A, E

Reliability is crucial for admissibility.

Why this answer

To be admissible, evidence must generally be relevant, reliable, complete, and authentic. In many jurisdictions, relevance and reliability are the threshold tests for admissibility; completeness and authenticity are also key.

898
MCQ · easy

During the first response to a computer incident, which of the following actions is MOST critical for preserving evidence?

A. Run antivirus software to remove any malware
B. Disconnect the power to prevent data alteration
C. Photograph the scene including all visible cables and connections
D. Immediately boot the system to verify it is operational
Answer: C

This preserves the initial state as evidence.

Why this answer

Option C is correct because photographing the scene, including all visible cables and connections, is the most critical first step in preserving the chain of custody and documenting the exact physical state of the system before any changes occur. This visual record captures port assignments, device connections, and cable orientations that could be altered by subsequent actions, ensuring that the original configuration is preserved for forensic analysis. Without this documentation, later evidence of network topology or peripheral involvement may be lost or disputed.

Exam trap

Cisco often tests the misconception that immediately disconnecting power (Option B) is the safest action, but the trap is that this destroys volatile evidence and may cause unintended writes, whereas photographing the scene is the least intrusive and most defensible first step for preserving the physical state of evidence.

How to eliminate wrong answers

Option A is wrong because running antivirus software modifies the system by scanning, quarantining, or deleting files, which alters the original data and violates forensic integrity principles (e.g., overwriting slack space or modifying timestamps). Option B is wrong because disconnecting power on a running system can cause loss of volatile data (e.g., RAM contents, open network connections, process lists) and may trigger write operations during shutdown, potentially corrupting evidence. Option D is wrong because immediately booting the system writes new data to the disk (e.g., log files, temporary files, registry changes) and overwrites unallocated space, destroying potential evidence and violating the 'do not modify the original' forensic rule.

899
MCQ · hard

A forensic analyst is preparing to testify as an expert witness in court. Which of the following characteristics is MOST essential for the court to accept the analyst's testimony?

A. The analyst's methods are generally accepted in the forensic community
B. The analyst has direct knowledge of the case
C. The analyst has a certification in computer forensics
D. The analyst is employed by the prosecution
Answer: A

The Daubert standard requires reliable, generally accepted methods.

Why this answer

The court's acceptance of expert testimony hinges on the reliability and validity of the methods used, not the analyst's personal involvement or credentials. Under the Daubert standard (or Frye standard in some jurisdictions), the key factor is whether the forensic methods have been subjected to peer review, are generally accepted within the relevant scientific community, and have a known error rate. This ensures the testimony is based on sound scientific principles, not just the analyst's qualifications or role in the case.

Exam trap

EC-Council often tests the distinction between an expert witness and a fact witness, trapping candidates who think direct knowledge or employment status is the primary criterion for expert testimony admissibility.

How to eliminate wrong answers

Option B is wrong because direct knowledge of the case is a requirement for a fact witness, not an expert witness; an expert witness can testify based on hypotheticals or analysis of evidence provided by others, and their testimony is evaluated on methodology, not firsthand involvement. Option C is wrong because while a certification (e.g., CHFI, EnCE) can bolster credibility, it is not a legal prerequisite for admissibility; the court focuses on the reliability of the methods and the analyst's demonstrated expertise, which can be established through experience, training, or education without a specific certification. Option D is wrong because employment by the prosecution does not automatically qualify an analyst as an expert; in fact, it may raise concerns about bias, and the court must independently assess the methodology's acceptance in the forensic community regardless of which party retains the analyst.

900
MCQ · medium

An investigator is analyzing an Android device and finds a database file in /data/data/com.whatsapp/databases/msgstore.db. Which type of information is MOST likely stored in this database?

A. WhatsApp chat messages
B. System call logs
C. GPS location history
D. Contact list from the device
Answer: A

msgstore.db is the WhatsApp message database.

Why this answer

The msgstore.db file in the WhatsApp package directory is the primary SQLite database that stores all WhatsApp chat messages, including text messages, media metadata, and message timestamps. This database is located at /data/data/com.whatsapp/databases/msgstore.db on Android devices and is a key artifact for forensic recovery of WhatsApp conversations.

Exam trap

EC-Council often tests the distinction between app-specific databases and system-level databases, and the trap here is that candidates confuse msgstore.db with a general-purpose database that might store contacts or location data, when in fact it is strictly for chat message storage within the WhatsApp application.

How to eliminate wrong answers

Option B is wrong because system call logs are stored in the Linux kernel's ring buffer or in /proc/ and /sys/ filesystem entries, not in an app-specific SQLite database like msgstore.db. Option C is wrong because GPS location history is typically stored in Google Play Services databases (e.g., /data/data/com.google.android.gms/databases/) or in the device's fused location provider, not in WhatsApp's msgstore.db (though WhatsApp may store location-sharing messages as part of chat content, the database itself is not a GPS history store). Option D is wrong because the contact list from the device is stored in the Contacts Provider database (e.g., /data/data/com.android.providers.contacts/databases/contacts2.db) or in WhatsApp's wa.db or axolotl.db, not in msgstore.db, which focuses on message threads.
