Computer Hacking Forensic Investigator CHFI (CHFI) — Questions 901975

1000 questions total · 14pages · All types, answers revealed

Page 12

Page 13 of 14

Page 14
901
MCQhard

A forensic analyst is examining a Docker container suspected of being used for malicious activities. The container was running an Alpine Linux image and was stopped 2 hours ago. Which of the following is the BEST first step to collect volatile evidence?

A.Collect the container's log files from /var/log/
B.Create a memory dump of the container's process
C.Export the container's filesystem using docker export
D.Run docker attach to reconnect to the container
AnswerC

docker export creates a tar archive of the container's filesystem, preserving persistent data.

Why this answer

When a container is stopped, its process state and other in-memory data are lost. The best first step is to create a forensic image of the container's filesystem layers, which are still available on the host. Docker containers' filesystems are stored as layers on the host, accessible via docker export or by copying the container's filesystem from /var/lib/docker/overlay2/.

902
MCQhard

During a forensic examination, an analyst uses the command 'dcfldd if=/dev/sda of=image.dd hash=sha256 hashlog=hash.txt'. What is the primary purpose of including 'hash=sha256' in this command?

A.To split the image into multiple files named with SHA-256 checksums
B.To compute a SHA-256 hash of the input drive and log it to a file for integrity verification
C.To encrypt the output image file using SHA-256
D.To compress the image using SHA-256 compression algorithm
AnswerB

The hash is computed during imaging and logged, allowing later verification that the image matches the original.

Why this answer

Option B is correct because the `hash=sha256` parameter in `dcfldd` instructs the tool to compute a SHA-256 hash of the input device (`/dev/sda`) during the acquisition process. This hash is then logged to the file specified by `hashlog=hash.txt`, providing a verifiable integrity check that the forensic image matches the original source. This is a standard forensic practice to ensure the image has not been altered or corrupted.

Exam trap

The trap here is that candidates confuse hashing with encryption or compression, assuming that `hash=sha256` might secure or shrink the output, when in fact it only generates a fixed-length digest for integrity verification.

How to eliminate wrong answers

Option A is wrong because `dcfldd` uses the `split=` parameter (e.g., `split=2G`) to split an image into multiple files, not the `hash=` parameter, which is solely for hash computation. Option C is wrong because SHA-256 is a cryptographic hash function, not an encryption algorithm; it produces a fixed-size digest, not ciphertext, and cannot encrypt files. Option D is wrong because SHA-256 is a hash function, not a compression algorithm; compression in `dcfldd` is not supported natively, and SHA-256 does not reduce file size.

903
Multi-Selecthard

Which THREE of the following correctly describe the rules of evidence as applied to digital forensics? (Select three.)

Select 3 answers
A.Evidence must be relevant to the case and obtained through lawful means
B.Circumstantial evidence is not allowed in digital forensics cases
C.Hearsay evidence is always inadmissible in court
D.The evidence must be complete and not misleading
E.Evidence must be authentic and its integrity must be verifiable
AnswersA, D, E

Relevance and lawful acquisition are fundamental.

Why this answer

Option A is correct because evidence must be relevant to the case and obtained through lawful means. In digital forensics, this aligns with the legal principle of relevance under the Federal Rules of Evidence (FRE 401) and the requirement that evidence be obtained via a lawful search warrant or consent, otherwise it may be suppressed under the exclusionary rule (e.g., Fourth Amendment violations).

Exam trap

Cisco often tests the misconception that hearsay evidence is always inadmissible, but in digital forensics, server logs and automated records frequently qualify under hearsay exceptions, making Option C a trap for those who do not know the exceptions.

904
MCQmedium

A Windows system is suspected of having malware that maintains persistence by starting every time a user logs in. Which registry key should be examined FIRST for this persistence mechanism?

A.ShellBags
B.NTUSER.DAT
C.Run keys
D.HKLM\SAM
AnswerC

Run keys under HKCU and HKLM specify programs that run at user logon, a common persistence mechanism.

Why this answer

Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) specify programs to run at user logon.

905
MCQeasy

Refer to the exhibit. A first responder runs the command on a Linux server. Which process should be considered MOST suspicious and investigated immediately?

A./bin/bash (PID 1245)
B.python /tmp/.payload.py (PID 1310)
C.nc -lvp 4444 (PID 1302)
D.perl /tmp/.script.pl (PID 1325)
AnswerB

A Python script running from a hidden temp directory with CPU usage is highly suspicious.

Why this answer

Option B is correct because the Python script located in /tmp/.payload.py (PID 1310) is a hidden file in a temporary directory, which is a common technique for storing malicious payloads. The command 'python /tmp/.payload.py' indicates execution of an arbitrary script, often used for reverse shells, data exfiltration, or persistence mechanisms, making it the most suspicious process in an incident response context.

Exam trap

EC-Council often tests the distinction between a network listener (like Netcat) and an active script execution, where candidates may incorrectly choose the listener as most suspicious because it implies a backdoor, but the hidden script execution represents active malicious code that is already running and could be performing data theft or lateral movement.

How to eliminate wrong answers

Option A is wrong because /bin/bash (PID 1245) is a standard shell process that is expected on a Linux server; without additional context like a parent-child relationship with a suspicious process, it is not inherently suspicious. Option C is wrong because nc -lvp 4444 (PID 1302) is a Netcat listener on port 4444, which is indeed suspicious for a backdoor, but it is less immediately actionable than a hidden script execution because the listener may be a legitimate administrative tool or a honeypot; however, in this scenario, the Python script execution is more directly indicative of active malicious code running. Option D is wrong because perl /tmp/.script.pl (PID 1325) is also a hidden script in /tmp, similar to B, but the question asks for the 'MOST suspicious' process; the Python script (B) is often associated with more versatile payloads (e.g., reverse shells, keyloggers) and is a common choice for attackers, making it the primary focus over Perl.

906
Multi-Selecteasy

An Android forensic examiner performs a physical acquisition on a device. Which TWO of the following are typical artefacts that can be recovered from the /data/data/ directory on a non-rooted device if the acquisition method allows full file system access?

Select 2 answers
A.Bootloader configuration
B.Recovery mode logs
C.Kernel logs
D.App-specific SQLite databases
E.Shared preferences XML files
AnswersD, E

App databases (e.g., for WhatsApp, Facebook) are stored here.

Why this answer

On a non-rooted Android device, the /data/data/ directory contains application-specific data, including SQLite databases and Shared Preferences XML files. These are typical artefacts because apps store structured data (e.g., user credentials, chat logs) in SQLite databases and configuration settings in Shared Preferences XML files. A physical acquisition with full file system access can recover these files even without root, as the acquisition method bypasses normal permission restrictions.

Exam trap

EC-Council often tests the misconception that /data/data/ is inaccessible on non-rooted devices, but a physical acquisition with full file system access (e.g., via JTAG or chip-off) can read the raw NAND flash, allowing recovery of app data regardless of root status.

907
MCQmedium

An email header contains the following line: "Received: from mail.evil.com (192.0.2.1) by mail.victim.com with ESMTP; Mon, 20 Mar 2023 10:00:00 -0500". The next Received line shows a different IP. What does this indicate?

A.The email is likely spoofed
B.The email's DKIM signature is invalid
C.The email was encrypted in transit
D.The email was forwarded from another server
AnswerA

The first Received header claims a source IP (192.0.2.1) that may not match the actual originating server, indicating spoofing.

Why this answer

Discrepancies in the Received headers, especially IP mismatches, are a classic sign of email spoofing where the origin is forged.

908
MCQmedium

During dynamic analysis of a malware sample, an analyst uses Process Monitor to monitor file system activity. The malware creates a file named 'C:\Users\Admin\AppData\Roaming\svchost.exe'. What does this likely indicate?

A.The malware is a legitimate Windows update
B.The malware is extracting an archive
C.The malware is cleaning up temporary files
D.The malware is attempting to achieve persistence by placing a copy in a user directory
AnswerD

Creating a file with a system process name in AppData is a common persistence technique.

Why this answer

The creation of a file named 'svchost.exe' in the user's AppData\Roaming directory is a classic persistence technique. By placing a copy of itself with the name of a legitimate Windows system process (svchost.exe) in a user-writable location, the malware aims to execute automatically at startup (e.g., via a registry Run key or scheduled task) while evading suspicion. This is not a legitimate Windows update, as system files reside in C:\Windows\System32, not in a user profile directory.

Exam trap

Cisco often tests the misconception that any file named 'svchost.exe' is legitimate, but the key indicator is the path — a system process should never run from a user profile directory like AppData\Roaming.

How to eliminate wrong answers

Option A is wrong because legitimate Windows updates are delivered via Windows Update and stored in C:\Windows\SoftwareDistribution or System32, not created by malware in a user's AppData folder. Option B is wrong because extracting an archive would typically produce multiple files or a temporary extraction folder, not a single executable masquerading as a system process. Option C is wrong because cleaning up temporary files would involve deleting files (e.g., .tmp files) from Temp folders, not creating a new executable in AppData\Roaming.

909
MCQmedium

During a forensic investigation of a MongoDB database, the analyst needs to identify which user executed a particular write operation. Which MongoDB log or feature should the analyst examine?

A.Journal (journal directory)
B.System log (mongod.log)
C.Audit log (auditLog)
D.Oplog (local.oplog.rs)
AnswerC

Audit log records user actions when enabled.

Why this answer

The audit log (auditLog) is the correct source because it is specifically designed to record user authentication and database operations, including which user executed a write operation. MongoDB's audit system captures detailed events such as insert, update, and delete commands along with the authenticated user identity, making it the definitive forensic artifact for user attribution.

Exam trap

EC-Council often tests the misconception that the oplog or system log records user identity, when in fact only the audit log provides authenticated user attribution for database operations.

How to eliminate wrong answers

Option A is wrong because the journal (journal directory) records write-ahead redo logs for crash recovery and durability, not user identity or operation attribution. Option B is wrong because the system log (mongod.log) contains operational messages and errors but does not reliably capture per-operation user context or detailed write command attribution. Option D is wrong because the oplog (local.oplog.rs) is a capped collection used for replication tracking and contains operation details but does not include the authenticated user who executed the write.

910
MCQmedium

A forensic analyst is examining a hard drive that was seized from a suspect's home. The analyst uses FTK Imager to create a forensic image. After imaging, the analyst computes the MD5 hash of the image and compares it to the hash computed at the scene. The hashes match. What does this confirm?

A.The file system is intact and readable
B.The image is an exact bit-for-bit copy of the original drive
C.The drive contains malware
D.The drive was not encrypted
AnswerB

Hash matching verifies data integrity.

Why this answer

B is correct because a matching MD5 hash between the image and the original drive confirms that the forensic image is an exact bit-for-bit copy. Hashing algorithms like MD5 produce a unique fixed-size hash value based on the binary content; if two hashes match, the data is identical with no alterations. This validates the integrity of the acquisition process, ensuring that the image is a perfect forensic duplicate.

Exam trap

EC-Council often tests the misconception that a matching hash confirms the drive is readable or free from issues like encryption or malware, when in fact it only confirms bit-for-bit integrity of the acquired image.

How to eliminate wrong answers

Option A is wrong because a matching hash only verifies data integrity, not file system health; a corrupted file system can still produce an identical hash if the corruption existed on the original drive. Option C is wrong because hash matching has no bearing on the presence of malware; malware can be present on both the original and the image without affecting the hash match. Option D is wrong because encryption does not affect the hash comparison; an encrypted drive will produce a hash of the encrypted data, and a matching hash only confirms the image is a copy of that encrypted state.

911
MCQhard

During a Mac forensic examination, an investigator needs to find evidence of recently executed applications and accessed files. Which artifact should the investigator prioritize for reconstructing user activity?

A.bash_history
B.FSEvents
C.Unified logging
D..plist files in ~/Library/Preferences
AnswerB

FSEvents logs file system changes and is a key artifact for user activity on macOS.

Why this answer

FSEvents records file system changes including file access and execution on macOS, providing a timeline of user activity.

912
Multi-Selecteasy

Which TWO of the following are common challenges in cloud forensics that are not typically encountered in traditional on-premises forensics?

Select 2 answers
A.Difficulty in obtaining search warrants
B.Lack of forensic tools for cloud environments
C.Volatile evidence that may be lost on system shutdown
D.Multi-tenancy and co-mingling of data
E.Data jurisdiction and legal compliance across regions
AnswersD, E

Multiple tenants share the same physical infrastructure, complicating data isolation.

Why this answer

Multi-tenancy and data jurisdiction are unique to cloud environments. Volatile evidence is a general challenge but not exclusive to cloud. Lack of tools is not a typical challenge.

Legal warrants apply to both.

913
Multi-Selecteasy

Which TWO techniques are commonly used to evade detection by antivirus software in packed malware?

Select 2 answers
A.Code obfuscation
B.Anti-debugging tricks
C.Polymorphic code
D.Anti-VM checks
E.Encryption with a variable key
AnswersC, E

Polymorphic code mutates its signature, evading signature-based detection.

Why this answer

Polymorphic code (C) is correct because it mutates its decryption loop with each infection while preserving the original malicious payload, generating functionally equivalent but bytewise different code. This signature mutation evades signature-based antivirus detection by ensuring no static byte sequence remains constant across samples. Encryption with a variable key (E) is correct because it changes the decryption key per sample, producing different ciphertext each time and thus defeating signature matching on the encrypted payload.

Exam trap

EC-Council often tests the distinction between polymorphic code (which changes the decryption stub) and metamorphic code (which rewrites the entire payload), and candidates confuse anti-debugging or anti-VM techniques with signature evasion methods.

914
MCQmedium

During a forensic examination of an NTFS drive, an investigator finds that a file 'notes.txt' has an additional data stream named 'hidden.txt' attached. Which feature of NTFS allows this?

A.USN Journal
B.MFT
C.Alternate Data Streams (ADS)
D.Slack space
AnswerC

ADS allows hiding data in separate streams attached to a file.

Why this answer

C is correct because NTFS supports Alternate Data Streams (ADS), a feature that allows multiple data streams to be associated with a single file. The 'hidden.txt' stream attached to 'notes.txt' is a classic example of ADS, which can be used to hide data or store metadata without affecting the file's primary content.

Exam trap

The trap here is that candidates confuse ADS with slack space or the MFT, thinking that any hidden data in NTFS must be in slack space or metadata, when ADS is the specific feature for named additional streams.

How to eliminate wrong answers

Option A is wrong because the USN Journal (Update Sequence Number Journal) is a log of changes to files on an NTFS volume, not a mechanism for attaching additional data streams. Option B is wrong because the Master File Table (MFT) is a database that stores metadata about files and directories, but it does not directly enable the attachment of extra data streams; ADS is a separate NTFS feature. Option D is wrong because slack space refers to unused bytes at the end of a file's allocated cluster, which can store hidden data but is not a feature for attaching named data streams like ADS.

915
Multi-Selecthard

An Azure Activity Log shows a suspicious 'Delete Virtual Machine' operation from an IP address in a foreign country. Which THREE actions should the forensic investigator take immediately to preserve evidence and assess impact?

Select 3 answers
A.Check if the VM's disks have been copied or exported
B.Isolate the affected VM from the network
C.Export the Activity Log to a secure storage
D.Restore the VM from the latest backup
E.Immediately revoke all IAM permissions
AnswersA, B, C

Determine if data exfiltration occurred by checking disk exports.

Why this answer

Isolating the VM, exporting the Activity Log, and checking for data backups are critical steps to preserve evidence.

916
Multi-Selecteasy

Which TWO of the following are common challenges in cloud forensics?

Select 2 answers
A.Jurisdictional and legal issues due to data stored in multiple regions
B.All cloud environments provide the same forensic capabilities
C.Reliance on the cloud provider's APIs for data acquisition
D.Easier evidence acquisition compared to traditional forensics
E.Physical access to the hard drive is always available
AnswersA, C

Data may be stored across different jurisdictions with conflicting laws.

Why this answer

Option A is correct because cloud forensic investigations often involve data stored across multiple geographic regions, each with its own data protection laws (e.g., GDPR, CLOUD Act). This creates jurisdictional conflicts regarding lawful access, data privacy, and chain of custody, which are not present in traditional on-premises forensics.

Exam trap

EC-Council often tests the misconception that cloud forensics is easier or similar to traditional forensics, but the trap here is that candidates overlook the unique legal and technical dependencies on cloud providers, such as API reliance and jurisdictional issues.

917
MCQeasy

Which US Constitutional amendment primarily governs the legality of searching and seizing digital devices?

A.Fifth Amendment
B.Fourth Amendment
C.Fourteenth Amendment
D.First Amendment
AnswerB

The Fourth Amendment protects against unreasonable searches and seizures.

Why this answer

The Fourth Amendment protects against unreasonable searches and seizures, requiring law enforcement to obtain a warrant based on probable cause before searching or seizing digital devices. This directly governs the legality of accessing data on computers, smartphones, and storage media in forensic investigations.

Exam trap

EC-Council often tests the misconception that the Fifth Amendment (self-incrimination) governs digital searches, but the Fourth Amendment's warrant requirement is the primary constitutional basis for seizing and searching digital devices.

How to eliminate wrong answers

Option A is wrong because the Fifth Amendment protects against self-incrimination and due process, not the legality of searches or seizures of digital devices. Option C is wrong because the Fourteenth Amendment addresses equal protection and due process at the state level, not the specific warrant requirements for searching digital devices. Option D is wrong because the First Amendment protects freedom of speech, religion, press, and assembly, and has no bearing on search and seizure law for digital evidence.

918
MCQeasy

A security analyst is reviewing Windows Security Event Logs and notices multiple Event ID 4625 entries for a single user account within a short time frame. What does this MOST likely indicate?

A.Brute-force password guessing attack
B.Service installation
C.Account lockout policy change
D.Successful account logon
AnswerA

Multiple failed logons in a short period are a classic indicator of a brute-force attack.

Why this answer

Event ID 4625 indicates a failed logon attempt. Multiple failures in a short time suggest a brute-force attack against the user account.

919
MCQmedium

An analyst is recovering deleted files from a FAT32 file system. The file system uses a cluster size of 4096 bytes. The first cluster of a deleted file is cluster 100. Which structure contains the chain of clusters for this file?

A.Volume boot record
B.Directory entry
C.File Allocation Table (FAT)
D.Boot sector
AnswerC

Why this answer

The FAT contains entries for each cluster, indicating whether a cluster is free, bad, or part of a file chain. The directory entry points to the first cluster, and the FAT provides the chain.

920
Multi-Selecthard

Which THREE of the following are rules of evidence that must be satisfied for digital evidence to be admissible in court? (Select THREE.)

Select 3 answers
A.Simplicity
B.Admissibility
C.Authenticity
D.Encryption
E.Completeness
AnswersB, C, E

Evidence must be legally allowed in court.

Why this answer

Admissibility requires that evidence is relevant (admissible), reliable (authentic), and complete (not partial).

921
MCQhard

An investigator recovers a file from unallocated space on an NTFS drive using file carving. The file appears to contain alternate data streams (ADS). Which tool can be used to list all ADS associated with a file on a live Windows system?

A.dir /r
B.ls -la
C.attrib
D.fsutil
AnswerA

dir /r lists all streams including ADS.

Why this answer

The `dir /r` command in Windows displays alternate data streams. `streams.exe` from Sysinternals is also commonly used, but among the options, `dir /r` is the native method.

922
MCQmedium

During a forensic investigation, you are asked to acquire the contents of RAM from a live Windows 10 system without causing system instability. Which tool would be most appropriate for this task?

A.LiME
B.DumpIt
C.FTK Imager
D.Belkasoft RAM Capturer
AnswerD

Belkasoft RAM Capturer is designed for Windows live RAM acquisition and is stable.

Why this answer

Belkasoft RAM Capturer is the most appropriate tool for acquiring RAM from a live Windows 10 system because it is designed specifically for live memory acquisition on Windows, uses a lightweight kernel-mode driver to read physical memory without causing system instability, and supports acquisition from 64-bit systems. Unlike other tools, it minimizes interaction with the target process list and avoids loading unnecessary user-mode components that could trigger crashes or alter the memory state.

Exam trap

EC-Council often tests the distinction between Linux and Windows memory acquisition tools, and the trap here is that candidates may choose LiME (a well-known memory tool) without noticing the question specifies a Windows 10 system, or they may select FTK Imager because of its familiarity, overlooking its instability for live RAM capture compared to a dedicated kernel-driver-based tool like Belkasoft RAM Capturer.

How to eliminate wrong answers

Option A is wrong because LiME (Linux Memory Extractor) is a tool for acquiring RAM from Linux systems, not Windows; it loads a kernel module via `insmod` and is incompatible with Windows 10. Option B is wrong because DumpIt, while capable of capturing Windows memory, is a user-mode tool that can cause system instability on live systems due to its reliance on the Windows API (e.g., `NtReadVirtualMemory`) and lack of a kernel driver, potentially leading to crashes or incomplete dumps on heavily loaded systems. Option C is wrong because FTK Imager is primarily a disk imaging and forensic acquisition tool; its memory capture feature is limited, often requires administrative privileges in a non-live environment, and does not use a dedicated kernel driver, making it less stable for live RAM acquisition on Windows 10.

923
MCQmedium

An analyst is investigating a Linux server running ext4 and needs to recover deleted files that may have been overwritten partially. Which technique is BEST suited for recovering fragments of known file types when the inode metadata is lost?

A.Perform file carving using 'foremost' with custom signatures
B.Use 'dd' to extract the partition and then 'grep' for strings
C.Manually reconstruct the inode table using 'debugfs'
D.Use 'extundelete' to recover files from the journal
AnswerA

File carving does not need metadata; it scans raw data for file signatures.

Why this answer

File carving recovers files based on headers and footers without relying on file system metadata. Foremost and PhotoRec are common carving tools. Inode recovery fails if metadata is overwritten.

924
MCQmedium

A cloud forensics investigator is analyzing an incident in AWS. The suspect is alleged to have deleted an S3 bucket. Which AWS service log would contain the DeleteBucket API call details, including the source IP and user identity?

A.AWS CloudTrail
B.VPC Flow Logs
C.Amazon S3 access logs
D.AWS Config
AnswerA

CloudTrail is the audit log for API activity in AWS.

Why this answer

AWS CloudTrail records all API calls made to the AWS environment, including S3 bucket deletions. It logs the identity, source IP, and request parameters.

925
MCQhard

An analyst is examining an NTFS volume and finds that a file's $MFT record indicates it is resident. What does this imply about the file's data?

A.The file is compressed and stored across multiple clusters
B.The file uses alternate data streams to hide data
C.The file's data is stored within the $MFT record itself, suitable for small files
D.The file is a directory junction point
AnswerC

Why this answer

Resident files have their data stored directly in the $MFT record, typically for files smaller than about 900 bytes.

926
MCQmedium

In malware static analysis, a PE file is examined. The section names include '.text', '.rdata', '.data', and '.rsrc'. The entry point is in the .text section. Which tool would be MOST appropriate to identify any packer that might be obfuscating the code?

A.strings
B.Ghidra
C.PEiD
D.IDA Pro
AnswerC

PEiD is designed to identify packers, cryptors, and compilers using signatures.

Why this answer

PEiD is specifically designed to detect packers, cryptors, and compilers by scanning PE files for known signatures in the entry point and section headers. Since the question asks for identifying a packer that obfuscates code, PEiD's signature-based detection directly targets this need, unlike general-purpose disassemblers or string extractors.

Exam trap

EC-Council often tests the distinction between tools for packer detection versus general reverse engineering; the trap here is that candidates choose IDA Pro or Ghidra because they are powerful, but the question specifically asks for the *most appropriate* tool to *identify* a packer, not to analyze the unpacked code.

How to eliminate wrong answers

Option A is wrong because `strings` only extracts readable ASCII/Unicode sequences from a file and cannot identify packer signatures or obfuscation algorithms. Option B is wrong because Ghidra is a full reverse-engineering framework focused on disassembly and decompilation, not packer detection; it would require manual analysis to spot packer artifacts. Option D is wrong because IDA Pro is an interactive disassembler/debugger for deep code analysis, but it lacks automated packer signature scanning and is overkill for simply identifying a packer.

927
MCQmedium

In malware forensics, which of the following is an indicator of compromise (IoC) that can be used to detect a specific malware strain across multiple systems?

A.The file's size in bytes reported by the filesystem
B.The file's MD5 hash computed from its binary contents
C.The file's copyright metadata embedded in the PE header
D.The file's creation timestamp as recorded by the operating system
AnswerB

Cryptographic hashes uniquely identify file content and are reliable IoCs.

Why this answer

The MD5 hash of a file's binary contents is a unique cryptographic fingerprint that remains consistent across all copies of the exact same malware strain, regardless of where it is stored or what metadata the filesystem assigns. This makes it a reliable indicator of compromise (IoC) for identifying a specific malware sample across multiple systems, as the hash will match even if file names, sizes, or timestamps differ.

Exam trap

EC-Council often tests the misconception that file metadata like timestamps or sizes are reliable IoCs, when in fact they are easily altered or inconsistent across systems, whereas a cryptographic hash of the binary content provides a deterministic and verifiable identifier.

How to eliminate wrong answers

Option A is wrong because the file's size in bytes can vary due to padding, compression, or different file system cluster sizes, and multiple distinct malware strains can have identical file sizes, making it non-unique and unreliable as a specific IoC. Option C is wrong because copyright metadata embedded in the PE header is optional, easily stripped or modified by malware authors, and is not a consistent or trustworthy identifier across different samples of the same strain. Option D is wrong because the file's creation timestamp is set by the operating system at the time of file extraction or download, which varies per system and can be manipulated via timestomping, so it cannot uniquely identify a specific malware strain across multiple environments.

928
Multi-Selectmedium

Which TWO of the following are valid methods for hiding data on an NTFS volume without using third-party tools? (Select 2)

Select 2 answers
A.Creating a symbolic link to a hidden file
B.Encrypting the file with EFS
C.Slack space (file slack or volume slack)
D.Alternate Data Streams (ADS)
E.Using the $Recycle.bin folder
AnswersC, D

Slack space can be used to hide data without affecting the file's apparent size.

Why this answer

Alternate Data Streams (ADS) and slack space are native NTFS features that can be used to conceal data.

929
MCQeasy

Which of the following is an indicator of compromise (IoC) that is LEAST likely to change when malware mutates through polymorphic techniques?

A.MD5 hash of the malware file
B.File name of the malware
C.Registry key created by the malware
D.Import hash (IMPHASH)
AnswerC

Behavioural IoCs like registry keys, file paths, and C2 domains often persist across polymorphic variants.

Why this answer

Registry keys created by malware are often tied to persistence mechanisms (e.g., Run keys) or configuration storage that remain consistent across polymorphic mutations. While the malware's code and file hash change with each mutation, the registry key path and value name typically stay the same to ensure the malware can re-launch or maintain its foothold. This makes the registry key a stable indicator of compromise (IoC) that is least likely to change.

Exam trap

EC-Council often tests the misconception that file-based attributes like hashes or names are reliable IoCs for polymorphic malware, when in fact behavioral artifacts (e.g., registry keys, mutexes, network patterns) are more stable across mutations.

How to eliminate wrong answers

Option A is wrong because the MD5 hash is computed from the file's binary content; polymorphic malware changes its code with each mutation, producing a different MD5 hash every time. Option B is wrong because the file name is easily changed by the attacker or during delivery (e.g., random naming), and polymorphic variants often use different file names to evade detection. Option D is wrong because the Import Hash (IMPHASH) is derived from the import address table (IAT) of a PE file; polymorphic techniques can alter the order or selection of imported functions, changing the IMPHASH even if the core functionality remains the same.

930
MCQhard

A forensic analyst is examining an Android device that has been factory reset. Which of the following artefacts is MOST likely to persist after a factory reset and provide valuable evidence?

A.Google account authentication tokens and sync settings
B.Deleted SMS messages from the mmssms.db WAL file
C.The contents of the SD card's Android/data directory
D.The user's pattern lock hash stored in gatekeeper.password.key
AnswerA

Google account tokens and sync settings often remain in the /data partition and can be recovered through physical extraction, providing critical evidence of user identity and cloud activity.

Why this answer

Google account authentication tokens and sync settings are stored in the device's internal flash memory within the 'accounts.db' database and the 'authtoken' table, which are not wiped by a standard factory reset because the reset only clears user data partitions but does not overwrite the underlying NAND flash blocks. These tokens can survive a reset if the device was previously synced with Google servers, allowing recovery of the Google account credentials and sync configurations, which are critical for linking the device to a user identity.

Exam trap

EC-Council often tests the misconception that a factory reset completely erases all data, but the trap here is that authentication tokens stored in the internal flash memory can survive because the reset only wipes the filesystem pointers, not the underlying data blocks, especially on devices with unmanaged NAND storage.

How to eliminate wrong answers

Option B is wrong because the mmssms.db WAL (Write-Ahead Log) file is stored in the user data partition, which is fully erased during a factory reset via the 'wipe data/factory reset' operation that deletes the /data partition, including all SQLite databases and their associated WAL files. Option C is wrong because the SD card's Android/data directory is on external storage, which is typically not affected by a factory reset (the reset only targets internal storage), but the contents of this directory are app-specific cache and data that are often cleared by the apps themselves after a reset or are not directly tied to user authentication evidence. Option D is wrong because the gatekeeper.password.key file, which stores the hashed pattern lock, is located in the /data/system/ directory and is deleted during a factory reset, as the entire /data partition is wiped, removing all lock screen credentials.

931
MCQhard

A forensic investigator uses FTK Imager to create a forensic image of a suspect's laptop. The acquisition generates both an E01 file and a corresponding hash file. Which statement accurately describes the integrity verification process in FTK Imager?

A.The hash is computed only when the image is mounted for analysis, not during acquisition
B.FTK Imager does not support hash verification; a separate tool must be used
C.The hash is compared to a known-good hash from the manufacturer's database
D.The image file includes embedded hash values that can be verified later to ensure data integrity
AnswerD

E01 files contain CRC checksums and hash values that allow verification of integrity without the original drive.

Why this answer

Option D is correct because FTK Imager embeds hash values (MD5 and SHA1) directly into the E01 file during acquisition. These embedded hashes can be verified later by FTK Imager or compatible tools to confirm that the image has not been altered, ensuring data integrity without relying on an external hash file.

Exam trap

The trap here is that candidates often assume hash verification requires an external file or separate tool, but FTK Imager embeds the hash directly in the E01 file, making verification a built-in feature that does not rely on external databases or post-acquisition computation.

How to eliminate wrong answers

Option A is wrong because FTK Imager computes the hash during acquisition, not when the image is mounted for analysis; the hash is calculated in real-time as data is read from the source. Option B is wrong because FTK Imager fully supports hash verification; it can verify the embedded hash against the acquired data and also allows verification of separate hash files (e.g., .txt or .md5). Option C is wrong because FTK Imager does not compare hashes to a manufacturer's database; it compares the computed hash of the acquired image to the hash value embedded in the E01 file or provided separately, ensuring the image matches the original source.

932
Multi-Selectmedium

A security analyst is investigating a potential container escape from a Docker container. Which THREE artifacts should the analyst collect to analyze the incident? (Select THREE.)

Select 3 answers
A.Host system's audit logs (e.g., /var/log/auth.log)
B.Network traffic captures from the host's physical NIC
C.Container image layers from the registry
D.Container's memory dump
E.Docker daemon logs (e.g., journalctl -u docker)
AnswersA, C, E

Host logs may show unusual system calls or access from the container.

Why this answer

Host audit logs, Docker daemon logs, and container image layers are critical for investigating container escapes.

933
Multi-Selectmedium

During acquisition of a live Linux server, the forensic examiner runs the following command: # dd if=/dev/sda of=/mnt/evidence/disk.dd conv=noerror,sync bs=4k. Which TWO statements are true about this acquisition?

Select 2 answers
A.The command preserves the partition table of the source disk.
B.The command automatically computes MD5 hash of the output file.
C.If a read error occurs, dd will pad the output with zeros and continue.
D.The block size (bs=4k) is appropriate for imaging a disk to reduce overhead.
E.The output file will be compressed to save storage space.
AnswersC, D

The conv=noerror,sync option causes dd to fill read errors with zeros and continue imaging.

Why this answer

Option C is correct because the `conv=noerror,sync` parameter tells `dd` to continue reading even if a read error occurs, and to pad the output block with zeros to maintain the correct offset and size. This ensures the image remains usable for analysis despite bad sectors on the source disk.

Exam trap

EC-Council often tests the misconception that `dd` automatically hashes or compresses output, when in fact it is a raw copy tool and those functions require separate commands or piping.

934
MCQhard

During a forensic examination of an NTFS drive, an analyst runs 'fsutil usn readjournal C:' and observes a large number of USN journal entries for a specific file after a certain date. The file's $MFT record shows a last modified timestamp far earlier than the journal entries. What does this discrepancy suggest?

A.The file's metadata was modified without changing its content, possibly using timestomping or ADS manipulation
B.The file is a system file that is excluded from USN journaling
C.The file system is corrupted and the MFT is not updating correctly
D.The file was accessed via a mounted volume shadow copy, which does not update MFT
AnswerA

USN journal records metadata changes; if timestamps are not updated, it suggests intentional manipulation.

Why this answer

The USN journal records changes to files. If the journal shows many entries after the last modified timestamp, it indicates that the file was accessed or modified in ways that did not update the $MFT timestamps (e.g., via alternate data streams, timestomping, or changes to metadata). This could be evidence of anti-forensics.

935
MCQmedium

You are a first responder for a medium-sized enterprise. The Help Desk received multiple reports that users cannot access the company's internal web application (app.example.com) hosted on a Windows Server 2019 VM. The server is also running a MySQL database and an FTP service for file transfers. You remote into the server and find that the web server (IIS) is still running, but the application pool is stopped. The event logs show multiple failed logon attempts from an external IP address (198.51.100.23) for the local administrator account around the time the issues started. The FTP service log shows successful anonymous logins from the same IP minutes before the web app failure. The MySQL log shows a query 'DROP TABLE users;' executed at 03:15 AM. The current time is 04:00 AM. What immediate action should you take?

A.Capture a memory dump of the server, then disconnect the network cable, and then image the hard drive.
B.Disconnect the server from the network and then restore the database from the last clean backup.
C.Immediately shut down the server to prevent further damage and then create a forensic image of the hard drive.
D.Run a full antivirus scan, then try to restart the application pool to restore service quickly.
AnswerA

Memory dump preserves volatile evidence (RAM, processes, network connections) which is critical for identifying the attack vector and malware; subsequent steps isolate and preserve disk evidence.

Why this answer

Option A is correct because the server is actively compromised — the attacker gained access via anonymous FTP, executed a destructive SQL query, and performed lateral movement. Capturing a memory dump preserves volatile evidence (e.g., running processes, network connections, and in-memory malware), disconnecting the network cable prevents further data exfiltration or remote control, and imaging the hard drive captures persistent evidence. This follows the CHFI first responder priority: preserve volatile data first, then isolate, then acquire non-volatile evidence.

Exam trap

EC-Council often tests the first responder's priority order — candidates mistakenly choose to shut down or restore services first, forgetting that volatile evidence (memory, network connections) is lost on power-off and that isolation must precede any remediation.

How to eliminate wrong answers

Option B is wrong because restoring the database from backup destroys volatile evidence (e.g., memory-resident malware, active network connections) and may re-infect the system if the backup is compromised; isolation must precede restoration. Option C is wrong because shutting down the server destroys volatile data (e.g., running processes, network connections, encryption keys in memory) and may trigger anti-forensic mechanisms; the correct order is memory capture before power-off. Option D is wrong because running an antivirus scan modifies the system state (e.g., file access times, quarantine actions) and may alert the attacker if they have remote access; service restoration is premature before forensic preservation.

936
Multi-Selecthard

Which THREE of the following are challenges specific to container forensics?

Select 3 answers
A.Ephemeral nature of containers: containers are often short-lived and can be deleted quickly
B.Containers cannot be imaged using standard forensic tools
C.Container logs are always stored in a centralized location
D.Multiple layers in a container image require analysis of each layer for forensic artifacts
E.Containers share the host kernel, so kernel-level artifacts are not available
AnswersA, D, E

Containers are designed to be ephemeral, making forensic acquisition time-sensitive.

Why this answer

The ephemeral nature, layered file systems, and shared kernel are key challenges in container forensics.

937
MCQmedium

During a forensic investigation, an analyst needs to acquire data from a live Windows system without altering the system's state. Which tool should the analyst use to capture the contents of RAM?

A.dd
B.FTK Imager Lite
C.EnCase
D.WinHex
AnswerB

FTK Imager Lite is designed to capture RAM from a live system without altering the system's state.

Why this answer

FTK Imager Lite is designed for live forensic acquisition on Windows systems, including capturing RAM contents without altering the system state. It uses a lightweight, read-only approach that avoids writing to the disk or modifying memory pages, preserving the integrity of the evidence.

Exam trap

EC-Council often tests the misconception that dd is the universal acquisition tool, but candidates forget that dd is not native to Windows and can alter the system state if not used with a dedicated memory acquisition driver.

How to eliminate wrong answers

Option A is wrong because dd is a Unix/Linux command-line tool for bit-for-bit copying, but it lacks native support for Windows memory acquisition and can cause system state changes if not used with specialized wrappers. Option C is wrong because EnCase is a comprehensive forensic suite that can acquire RAM, but its full installation and driver loading may alter the system state more than FTK Imager Lite's minimal footprint. Option D is wrong because WinHex is a hex editor and disk editor that can access physical memory, but it is not optimized for live RAM capture and may require manual configuration that risks altering the system state.

938
MCQhard

In an Android forensic investigation, an examiner extracts the /data/data/com.whatsapp/databases/msgstore.db file. The database contains a table 'messages' with columns 'key_remote_jid', 'data', and 'timestamp'. Which SQL query would retrieve all messages sent to a specific contact with a phone number ending in '1234'?

A.SELECT * FROM messages WHERE key_remote_jid = '%1234%'
B.SELECT * FROM messages WHERE key_remote_jid LIKE '%1234%'
C.SELECT * FROM messages WHERE data LIKE '%1234%'
D.SELECT * FROM messages WHERE timestamp LIKE '%1234%'
AnswerB

'key_remote_jid' contains the recipient's JID; LIKE '%1234%' matches any JID ending in 1234.

Why this answer

Option B is correct because the `key_remote_jid` column stores the remote party's identifier (e.g., a phone number with country code), and the `LIKE '%1234%'` pattern matches any value containing '1234' anywhere in the string. This retrieves all messages where the contact's phone number ends with '1234', as required by the question.

Exam trap

The trap here is that candidates often confuse `=` with `LIKE` for pattern matching, or mistakenly filter on the `data` column (message content) instead of the contact identifier column `key_remote_jid`.

How to eliminate wrong answers

Option A is wrong because `=` performs an exact match, not a substring search; `'%1234%'` would be treated as a literal string, not a wildcard pattern, so it would return no rows unless a JID is literally '%1234%'. Option C is wrong because the `data` column contains message content (text, media metadata), not the contact identifier; filtering on `data` would find messages containing '1234' in the message body, not messages sent to a specific contact. Option D is wrong because `timestamp` stores Unix epoch time in milliseconds, not a phone number; using `LIKE '%1234%'` on a numeric column would cause a type mismatch or return no meaningful results.

939
MCQeasy

Which of the following best describes the 'Best Evidence Rule' as it applies to digital evidence?

A.A forensic image is considered the best evidence if the original is unavailable
B.Hearsay evidence is admissible if it is the only evidence available
C.The original digital media must be presented in court
D.Oral testimony is always better than written records
AnswerA

Courts accept a properly authenticated image as a duplicate of the original.

Why this answer

The Best Evidence Rule requires that the original evidence be presented, but in digital forensics, a forensic image is considered the best evidence if the original is not practical.

940
Multi-Selectmedium

During a Linux forensic investigation, an analyst examines the file /var/log/auth.log and finds repeated entries with 'Failed password for root from 192.168.1.200 port 22 ssh2'. Which TWO conclusions can the analyst draw from this evidence?

Select 2 answers
A.The source IP 192.168.1.200 belongs to a local subnet
B.The system is experiencing a brute-force attack on SSH
C.The SSH service is enabled and listening on port 22
D.The attacker attempted to exploit a vulnerability in the SSH version
E.An unauthorized user successfully logged in as root
AnswersB, C

Multiple failed login attempts from a single IP indicate a brute-force attack.

Why this answer

The log shows failed SSH login attempts for root from a specific IP, indicating a brute-force attack on SSH. The source IP is remote (not localhost). The attempts are unsuccessful (failed).

941
MCQmedium

A forensic investigator is analyzing a Linux ext4 file system. They suspect a file was deleted but its inode may still be intact. Which tool can be used to recover the file by referencing the inode?

A.dd
B.scalpel
C.foremost
D.debugfs
AnswerD

debugfs can be used to inspect and recover files from ext file systems by inode.

Why this answer

The 'debugfs' tool can access ext2/3/4 file systems directly and recover files from inodes. 'extundelete' also works, but debugfs is more versatile.

942
Multi-Selecthard

Which THREE of the following are challenges specific to forensic analysis of solid-state drives (SSDs) compared to traditional hard disk drives (HDDs)? (Select three.)

Select 3 answers
A.The TRIM command can permanently erase deleted data
B.SSDs have higher latency for read operations
C.Wear leveling algorithms move data unpredictably
D.Built-in hardware encryption may prevent data access
E.Bad block remapping is more frequent on SSDs
AnswersA, C, D

Correct. TRIM can make recovery impossible.

Why this answer

TRIM causes deleted data to be erased. Wear leveling moves data and complicates recovery. Encryption (e.g., built-in) can lock access.

Bad block remapping is common in HDDs too. Fragmentation is less relevant.

943
MCQeasy

Which Linux log file is the PRIMARY source for authentication-related events such as user logins, sudo usage, and failed authentication attempts?

A./var/log/kern.log
B./var/log/syslog
C./var/log/boot.log
D./var/log/auth.log
AnswerD

auth.log records authentication events.

Why this answer

/var/log/auth.log (or /var/log/secure on RHEL) stores authentication logs. /var/log/syslog contains general system messages. /var/log/kern.log is for kernel messages.

944
MCQhard

An investigator notes that a file on an NTFS volume has a resident data size of 900 bytes, but the $DATA attribute lists an allocated size of 1024 bytes. What does this indicate?

A.The file is compressed using NTFS compression
B.The file has slack space that may contain remnants of previously deleted data
C.The file's data is stored in the MFT as a resident attribute
D.The file is stored in an alternate data stream
AnswerB

The difference is slack space; could contain old data.

Why this answer

The difference between actual data size and allocated size is slack space. The file was allocated a cluster of 1024 bytes, but only 900 bytes are used, leaving 124 bytes of slack space that could contain residual data.

945
MCQmedium

A forensic examiner needs to extract timeline data from a compromised Linux system for analysis with log2timeline/Plaso. Which of the following command sequences should be used?

A.bulk_extractor -o timeline.csv /dev/sda1
B.plaso.py -i /var/log -o timeline.csv
C.log2timeline.py --partition /dev/sda1 timeline.plaso && psort.py -o l2tcsv timeline.plaso
D.sleuthkit_timeline -m /mnt/evidence -d timeline.csv
AnswerC

This sequence creates a storage file from a partition and then exports to CSV.

Why this answer

log2timeline (now Plaso) typically uses log2timeline.py to create a storage file, then psort.py to output the timeline in a readable format.

946
MCQmedium

A forensic analyst is testifying in court as an expert witness. What is the PRIMARY role of an expert witness in digital forensics?

A.To represent the interests of the party that hired them.
B.To determine the guilt or innocence of the defendant.
C.To offer an opinion on the technical facts and assist the trier of fact.
D.To present factual findings only, without interpretation.
AnswerC

Expert witnesses provide interpretations and opinions within their expertise.

Why this answer

Option C is correct because the primary role of an expert witness in digital forensics is to provide an impartial opinion on technical facts, helping the trier of fact (judge or jury) understand complex digital evidence. Unlike a lay witness, an expert is permitted to offer interpretations and conclusions based on their specialized knowledge, as defined under Federal Rule of Evidence 702. This opinion must be based on sufficient facts or data, reliable principles and methods, and a reliable application of those methods to the case.

Exam trap

Cisco often tests the distinction between a fact witness and an expert witness, trapping candidates who think an expert can only present raw facts (Option D) rather than offering technical opinions.

How to eliminate wrong answers

Option A is wrong because an expert witness must remain impartial and objective, not advocate for the hiring party; their duty is to the court, not to the client. Option B is wrong because determining guilt or innocence is the sole responsibility of the trier of fact (judge or jury), not the expert witness, who only provides technical analysis and opinions. Option D is wrong because while factual findings are foundational, an expert witness is specifically allowed to offer interpretations and opinions on those facts, which is what distinguishes them from a fact witness.

947
Drag & Dropmedium

Drag and drop the steps to create a forensic timeline using the Sleuth Kit (TSK) and log2timeline into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Timeline creation involves parsing metadata, exporting, and analyzing events.

948
Multi-Selectmedium

Which TWO of the following are essential components of the rules of evidence for digital evidence to be admissible in court? (Choose two.)

Select 2 answers
A.Authenticity
B.Originality
C.Expediency
D.Admissibility
E.Complexity
AnswersA, D

Evidence must be genuine and unaltered.

Why this answer

Authenticity is a core component of the rules of evidence because it requires the proponent to show that the digital evidence is what it claims to be and has not been tampered with. For digital evidence, this is typically established through cryptographic hash verification (e.g., SHA-256) and a documented chain of custody. Without authenticity, the court cannot rely on the evidence's integrity, making it inadmissible.

Exam trap

EC-Council often tests the misconception that 'originality' is required for digital evidence, but the rule actually allows authenticated duplicates (e.g., forensic images) as long as the hash matches the original, making 'Originality' a distractor for those who confuse physical evidence rules with digital evidence rules.

949
MCQeasy

Refer to the exhibit. An investigator runs fsstat and dstat on a captured image. What is the total capacity of the volume?

A.512 MB
B.1 GB
C.1 MB
D.4 GB
AnswerB

Total sectors * sector size = 2097152 * 512 = 1,073,741,824 bytes = 1 GB.

Why this answer

The `fsstat` and `dstat` commands from The Sleuth Kit (TSK) provide file system and disk statistics. In the exhibit, `dstat` shows the total disk size as 2097152 sectors, and each sector is 512 bytes. Multiplying 2097152 × 512 = 1073741824 bytes, which equals exactly 1 GB (1024 MB).

This is the total capacity of the volume.

Exam trap

EC-Council often tests the candidate's ability to multiply sectors by sector size correctly, and the trap here is that candidates may misread the sector count or forget that the default sector size is 512 bytes, leading them to pick 512 MB (confusing the sector size with total capacity) or 4 GB (multiplying by 2048 instead of 512).

How to eliminate wrong answers

Option A is wrong because 512 MB would correspond to 1048576 sectors (512 MB × 2048 sectors per MB), but the exhibit shows 2097152 sectors, which is double that. Option C is wrong because 1 MB is far too small; it would require only 2048 sectors, not the 2 million+ sectors shown. Option D is wrong because 4 GB would require 8388608 sectors (4 × 2097152), but the exhibit shows exactly 2097152 sectors, which is 1 GB.

950
Multi-Selecthard

An analyst is reviewing a Linux system for signs of a rootkit. Which THREE of the following are common indicators of a rootkit infection? (Select THREE.)

Select 3 answers
A.Incorrect file permissions on /etc/passwd
B.Anomalies in the /proc filesystem
C.Large number of failed SSH login attempts
D.Suspicious loadable kernel modules
E.Modified system binaries like ls and ps
AnswersB, D, E

Rootkits may manipulate /proc to hide processes and files.

Why this answer

Loadable kernel modules (LKM) are a common rootkit technique. Modified system binaries and hidden processes are also typical indicators.

951
Multi-Selectmedium

Which TWO of the following are legal frameworks or regulations that govern search and seizure of digital evidence in the United Kingdom?

Select 2 answers
A.Computer Fraud and Abuse Act (CFAA)
B.Fourth Amendment to the US Constitution
C.PACE (Police and Criminal Evidence Act)
D.GDPR (General Data Protection Regulation)
E.Sarbanes-Oxley Act (SOX)
AnswersC, D

PACE sets out the legal framework for police powers, including search and seizure of evidence.

Why this answer

PACE and GDPR are relevant legal frameworks. PACE governs police powers, and GDPR regulates data protection and processing of personal data.

952
MCQmedium

During an investigation of a compromised system, the analyst discovers that the suspect used steganography to hide data within image files. Which forensic tool is BEST suited for detecting hidden data in images through statistical analysis?

A.Binwalk
B.Wireshark
C.Foremost
D.Stegdetect
AnswerD

Stegdetect performs statistical analysis to detect steganography in JPEG images.

Why this answer

Stegdetect is a tool that uses statistical analysis to detect steganography in JPEG images. Autopsy has steganography detection modules but Stegdetect is specialized.

953
Multi-Selecthard

A security team is analyzing a compromised Linux server. Indicators suggest the attacker used a web shell. Which THREE of the following are common persistence mechanisms that may be found on the system? (Select THREE.)

Select 3 answers
A.Adding an SSH public key to /root/.ssh/authorized_keys
B.Cron jobs added to /etc/crontab
C.Modification of the NTUSER.DAT registry hive
D.Prefetch file creation
E.A systemd service in /etc/systemd/system/
AnswersA, B, E

Allows persistent SSH access.

Why this answer

Cron jobs, SSH authorized keys, and systemd services are common persistence mechanisms on Linux.

954
MCQmedium

During a forensic investigation of an Android device, the examiner uses ADB to extract data. Which command would create a full backup of the device's data partition, including app data and shared storage?

A.adb backup -f backup.ab -apk -shared -all
B.adb shell dd if=/dev/block/mmcblk0 of=/data/backup.img
C.adb pull /data/data/
D.adb restore backup.ab
AnswerA

This command creates a full backup including APKs, shared storage, and all app data to 'backup.ab'.

Why this answer

Option A is correct because the `adb backup -f backup.ab -apk -shared -all` command creates a full Android backup that includes both app data (via `-apk`) and shared storage (via `-shared`), outputting a single `.ab` file. This is the standard ADB method for non-rooted devices to capture a comprehensive backup of the data partition, including user-installed apps and their data, as well as internal shared storage like `/sdcard`.

Exam trap

Cisco often tests the distinction between backup creation (`adb backup`) and restoration (`adb restore`), or between logical backups (ADB backup) and physical imaging (`dd`), leading candidates to confuse the purpose of each command.

How to eliminate wrong answers

Option B is wrong because `adb shell dd if=/dev/block/mmcblk0 of=/data/backup.img` attempts to create a raw block-level image of the entire device (mmcblk0), which requires root access and is not a standard ADB backup command; it also writes to a path that may not be writable without root. Option C is wrong because `adb pull /data/data/` only copies the app-specific data directory, missing shared storage and system data, and typically requires root access on modern Android devices due to permissions. Option D is wrong because `adb restore backup.ab` is used to restore a backup, not to create one, and thus does not extract data from the device.

955
MCQmedium

A forensic analyst is examining an SSD that may have had deleted files. The analyst is concerned about the TRIM command. What effect does TRIM have on forensic recovery of deleted files?

A.TRIM increases the chance of recovering deleted files
B.TRIM causes wear leveling that spreads data across blocks, aiding recovery
C.TRIM invalidates deleted data blocks, making them unreadable and unrecoverable
D.TRIM has no effect on forensic analysis
AnswerC

TRIM immediately erases blocks, reducing forensic recovery potential.

Why this answer

TRIM allows the SSD to erase data blocks immediately after deletion, making recovery nearly impossible because the data is actually zeroed out.

956
MCQmedium

In a memory forensics investigation using Volatility, an analyst wants to see a list of processes that were active at the time of acquisition, including hidden processes. Which Volatility command should be used?

A.pslist
B.pstree
C.netscan
D.psscan
AnswerD

psscan uses pool tag scanning to find processes, including hidden.

Why this answer

The `pslist` command lists processes from the doubly linked list, but `psscan` uses pool scanning to find processes, including hidden ones.

957
MCQeasy

Which of the following partition table types uses a protective MBR and a GPT header, and is recommended for disks larger than 2 TB?

A.MBR
B.Dynamic disk
C.GPT
D.APM (Apple Partition Map)
AnswerC

GPT supports large disks and uses protective MBR.

Why this answer

GPT (GUID Partition Table) uses a protective MBR for compatibility and supports disks larger than 2 TB. MBR is limited to 2 TB.

958
MCQmedium

During an iOS forensic analysis, an examiner recovers the Keychain data from a backup. Which type of information is commonly stored in the iOS Keychain and can be extracted during analysis?

A.Text message content and attachments
B.Call log timestamps and durations
C.Contact photos and thumbnails
D.Wi-Fi passwords and website login credentials
AnswerD

Keychain stores credentials like Wi-Fi passwords and website logins.

Why this answer

The iOS Keychain is a secure, encrypted database designed to store sensitive user credentials and secrets. Wi-Fi passwords and website login credentials are explicitly stored in the Keychain to protect them from unauthorized access, making them recoverable during forensic analysis of a backup.

Exam trap

Cisco often tests the misconception that the Keychain stores all app data or media, when in fact it is strictly limited to credentials, tokens, and secrets, while other data types reside in separate databases.

How to eliminate wrong answers

Option A is wrong because text message content and attachments are stored in the SMS/MMS SQLite database (sms.db) and the attachments directory, not in the Keychain. Option B is wrong because call log timestamps and durations are stored in the CallHistory.storedata SQLite database, not in the Keychain. Option C is wrong because contact photos and thumbnails are stored in the AddressBook framework's SQLite database (AddressBook.sqlitedb) and the filesystem, not in the Keychain.

959
MCQmedium

An Android device is seized as evidence. The screen is locked with a PIN. Which tool or method is MOST appropriate for acquiring a physical image of the device without bypassing the lock screen, assuming the device is rooted?

A.Boot into recovery mode and use ADB to dd the userdata partition
B.Use Cellebrite UFED with a lock screen bypass exploit
C.Remove the microSD card and image it separately
D.Perform an ADB backup to obtain app data only
AnswerA

With root and recovery mode, dd can create a physical image even if the screen is locked.

Why this answer

Option A is correct because booting into recovery mode on a rooted Android device allows you to use ADB to execute the `dd` command, which can create a bit-for-bit physical image of the userdata partition without needing to bypass the lock screen. Since the device is rooted, you have the necessary privileges to read the raw block device, and recovery mode ensures the filesystem is not mounted, preventing data corruption during acquisition.

Exam trap

EC-Council often tests the distinction between physical and logical acquisition methods, and the trap here is that candidates may choose ADB backup (Option D) thinking it is a valid physical acquisition, when in fact it only captures a logical subset of data and cannot recover deleted or system-level artifacts.

How to eliminate wrong answers

Option B is wrong because Cellebrite UFED with a lock screen bypass exploit is designed to bypass the lock screen, which contradicts the question's requirement of not bypassing the lock screen; additionally, such exploits may not be available or reliable for all devices. Option C is wrong because removing the microSD card and imaging it separately only captures external storage, not the internal userdata partition where the majority of forensic evidence (e.g., app data, messages) resides, and it does not acquire a physical image of the device's internal storage. Option D is wrong because an ADB backup only extracts app data via Android's backup mechanism, which is a logical acquisition that does not capture deleted data, system files, or the full physical image of the userdata partition.

960
MCQeasy

A security analyst is reviewing Apache access logs and finds the entry: 192.168.1.100 - - [10/Mar/2025:08:12:34 +0000] "GET /search?q=test' OR '1'='1 HTTP/1.1" 200 532. Which attack does this log entry most likely indicate?

A.Cross-site scripting (XSS)
B.Remote file inclusion (RFI)
C.SQL injection (SQLi)
D.Path traversal
AnswerC

The single quotes and OR '1'='1 are characteristic of SQLi.

Why this answer

The presence of ' OR '1'='1 in the query string is a classic SQL injection attempt, designed to bypass authentication or extract data.

961
MCQeasy

During a forensic investigation, an analyst examines a hard disk and notices that the partition table uses a 64-bit scheme with a maximum of 128 partitions. Which partition table type is in use?

A.MBR
B.LDM
C.APM
D.GPT
AnswerD

GPT uses a 64-bit scheme and supports up to 128 partitions.

Why this answer

GPT (GUID Partition Table) uses a 64-bit scheme and supports up to 128 partitions by default. MBR uses 32-bit and supports only 4 primary partitions.

962
MCQeasy

A security analyst needs to examine network traffic for signs of a data exfiltration attempt. Which tool is specifically designed for deep packet inspection and can reconstruct TCP streams?

A.Tcpdump
B.Wireshark
C.Netstat
D.Nmap
AnswerB

Wireshark performs deep packet inspection and TCP stream reassembly.

Why this answer

Wireshark is the primary tool for packet capture and analysis, including TCP stream reconstruction.

963
MCQeasy

Which tool is specifically designed for performing physical extraction of iOS devices and is widely used by law enforcement for bypassing passcode restrictions on modern iPhones?

A.Cellebrite UFED
B.GrayKey
C.Magnet AXIOM
D.Oxygen Forensic Detective
AnswerB

GrayKey is purpose-built for iOS physical extraction and passcode bypass, widely used by law enforcement.

Why this answer

GrayKey is specifically designed for physical extraction of iOS devices, leveraging advanced techniques to bypass passcode restrictions on modern iPhones, including those with Secure Enclave and full-disk encryption. It is widely adopted by law enforcement for its ability to perform brute-force attacks on the device's passcode without triggering the auto-wipe feature, making it the correct answer.

Exam trap

Cisco often tests the distinction between general-purpose forensic suites (like Cellebrite UFED or Magnet AXIOM) and specialized hardware tools (like GrayKey) that are purpose-built for iOS passcode bypass, leading candidates to choose a familiar name like Cellebrite instead of the correct specialized tool.

How to eliminate wrong answers

Option A is wrong because Cellebrite UFED is a versatile forensic tool that supports both physical and logical extraction across many mobile platforms, but it is not specifically designed for iOS physical extraction and does not specialize in bypassing passcode restrictions on modern iPhones as GrayKey does. Option C is wrong because Magnet AXIOM is a comprehensive digital forensic platform for analyzing data from computers, mobile devices, and cloud sources, but it relies on third-party tools for physical extraction and does not directly perform hardware-level passcode bypass on iOS devices. Option D is wrong because Oxygen Forensic Detective is a mobile forensic tool that supports logical and file system extractions, but it lacks the specialized hardware and software capabilities for brute-forcing iOS passcodes on modern iPhones with Secure Enclave protection.

964
Matchingmedium

Match each Windows Registry hive to its stored information.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

User account passwords and hashes

System configuration and device drivers

Installed software and settings

Security policies and user rights

Per-user settings and preferences

Why these pairings

These hives contain specific types of configuration data.

965
MCQmedium

Based on the exhibit, what is the most likely indication of malware persistence?

A.services.exe PID 4321 is a known malware process
B.Windows Defender service is stopped, allowing malware to run
C.services.exe is listening on TCP port 4444, indicating possible code injection
D.svchost.exe hosting BFE and MpsSvc indicates a firewall bypass
AnswerC

services.exe should not have open listening ports; port 4444 is suspicious and suggests malware injected into the process.

Why this answer

Option C is correct because services.exe (the Service Control Manager) should not normally listen on any TCP port. When it is found listening on TCP port 4444—a port commonly associated with Metasploit and reverse shells—it strongly indicates that malware has injected code into the legitimate services.exe process, hijacking it to establish a persistent backdoor listener. This is a classic sign of process hollowing or reflective DLL injection, where the malware hides its network activity under a trusted system process.

Exam trap

EC-Council often tests the misconception that any process named 'services.exe' or 'svchost.exe' is automatically malicious, when in fact the key indicator is abnormal behavior (like listening on a non-standard port) that deviates from the process's legitimate function.

How to eliminate wrong answers

Option A is wrong because services.exe is a legitimate Windows system process (the Service Control Manager), and PID 4321 alone does not indicate malware; malware often uses process names like svchost.exe or services.exe to blend in, so the PID itself is not a known malware identifier. Option B is wrong because while a stopped Windows Defender service could allow malware to run, the exhibit shows no evidence that Defender is stopped; the question asks for the most likely indication of persistence based on the exhibit, and a stopped service is a condition, not a direct indicator of persistence. Option D is wrong because svchost.exe hosting BFE (Base Filtering Engine) and MpsSvc (Windows Firewall) is normal behavior; these services are part of the Windows Firewall and do not indicate a bypass—in fact, they are the firewall itself, and their presence in svchost.exe is expected.

966
MCQeasy

Which tool is commonly used in timeline analysis for digital forensics to parse various artifacts and create a super timeline?

A.Volatility
B.Wireshark
C.Sleuth Kit
D.log2timeline / Plaso
AnswerD

log2timeline (now Plaso) is designed to create super timelines from multiple sources.

Why this answer

log2timeline (and its successor Plaso) is a tool designed to parse multiple forensic artifacts and output a timeline. Plaso is the current version.

967
MCQhard

A forensic analyst is investigating a Docker container that was used to launch a network attack. The container has been stopped but not removed. Which action should the analyst take FIRST to preserve volatile evidence?

A.Restart the container and use 'docker exec' to collect evidence
B.Use 'docker inspect' to view container metadata only
C.Use 'docker save' to export the container as a tar file
D.Use 'docker commit' to create an image of the container
AnswerD

This captures the current filesystem state without altering it.

Why this answer

Preserving the container's file system and logs is key. 'docker commit' creates an image from the container's current state. 'docker export' exports the filesystem as a tar archive. 'docker logs' retrieves logs. 'docker inspect' shows metadata. The container is stopped, so 'docker exec' won't work without starting it, which alters state. 'docker save' saves images, not containers. The best first step is to create an image or export the filesystem.

968
MCQeasy

In FAT32, the File Allocation Table (FAT) is used to track which clusters are allocated to files. If a file is deleted, what happens to the FAT entries for that file?

A.The FAT entries are encrypted
B.The FAT entries are preserved intact
C.The FAT entries are overwritten with zeros
D.The FAT entries are moved to a journal
AnswerC

FAT entries are set to 0 (free).

Why this answer

When a file is deleted in FAT32, the directory entry is marked as deleted (first byte set to 0xE5) and the FAT entries are set to 0, marking clusters as free.

969
MCQhard

An investigator acquires an SSD from a laptop that has been turned off for 24 hours. The suspect recently deleted several incriminating files. Using a forensic imager, the investigator creates a bit-for-bit copy. However, when analyzing the image, the deleted files' data appears to be zeros. What is the MOST likely cause?

A.The files were stored in the paging file, which is volatile
B.The SSD controller performed wear leveling, moving data to unallocated blocks
C.The imaging tool incorrectly interpreted the data due to encryption
D.The TRIM command was issued, causing the SSD to erase the freed blocks
AnswerD

Correct. TRIM can cause permanent loss of deleted data on SSDs.

Why this answer

Many SSDs implement TRIM, which instructs the controller to erase blocks that are no longer in use. If the OS issued TRIM commands before shutdown, the deleted data may have been physically erased.

970
MCQmedium

An organization uses Azure. A security analyst needs to investigate a suspicious login event. Which Azure log contains details about user sign-ins, including IP address, timestamp, and success/failure status?

A.Azure Monitor Metrics
B.Azure AD Sign-in logs
C.Azure Activity Logs
D.Azure Security Center alerts
AnswerB

Azure AD Sign-in logs capture user authentication events with IP, timestamp, and status.

Why this answer

Azure Activity Logs (now also called Azure Monitor activity log) record subscription-level events, but user sign-in details are specifically in Azure AD Sign-in logs, which are part of Azure Active Directory reporting. However, the question asks about Azure logs; the most appropriate is Azure AD Sign-in logs, but since that's not an option, the closest is Azure Activity Logs which can capture management events, but not sign-ins. Actually, Azure AD Sign-in logs are the correct source.

But given options, if only Azure Activity Logs is present, it's partially correct. The typical answer is Azure AD Sign-in logs. Since the question says "Azure log", the best choice is Azure Activity Logs as it's within Azure Monitor, but it's not precise.

Let's adjust options accordingly. I'll assume Azure AD Sign-in logs is not listed; I'll create a plausible distractor. Actually, in real exam, they expect Azure AD Sign-in logs.

I'll make sure one option says "Azure AD Sign-in logs". But the stem says "Azure log", so I'll include it. Let me redo: The correct answer should be Azure AD Sign-in logs.

I'll set that as option A.

971
MCQmedium

A security analyst detects a sudden spike in failed logon events with Event ID 4625 on a Windows domain controller. The source IP addresses are random and from various external subnets. Which type of attack is MOST likely occurring?

A.Pass‑the‑hash attack
B.Kerberos ticket forgery (Golden Ticket)
C.Insider threat with compromised credentials
D.Brute‑force attack
AnswerD

Correct. Many failed logons from varied IPs indicate a brute‑force attempt.

Why this answer

Event ID 4625 indicates failed logon attempts. A sudden spike from random external IPs is characteristic of a brute‑force attack, where an attacker tries many passwords across multiple accounts.

972
MCQhard

You are acquiring a laptop with a self-encrypting drive (SED) that is powered on and logged in. What is the best method to acquire the drive while preserving encrypted data?

A.Remove the drive and use a forensic bridge that supports SED
B.Power off the laptop and image the drive using a hardware write blocker
C.Acquire a logical image from the running operating system
D.Boot from a forensic live CD and image the drive
AnswerC

Since the system is logged in, the data is decrypted and accessible.

Why this answer

When a self-encrypting drive (SED) is powered on and logged in, the drive's hardware encryption key is already loaded and the data is accessible through the operating system. The best method to preserve the encrypted data in its decrypted state is to acquire a logical image from the running OS, which captures files and metadata without powering off the drive and losing the decryption context. Removing power or rebooting would cause the SED to lock, requiring the authentication key again and potentially altering the data state.

Exam trap

EC-Council often tests the misconception that a hardware write blocker or forensic bridge can always acquire a drive intact, but with SEDs, the critical factor is the encryption state—powering off or removing the drive locks it, making the data inaccessible regardless of write-blocking hardware.

How to eliminate wrong answers

Option A is wrong because removing the drive from a powered-on, logged-in SED will cause the drive to lose power and lock, requiring the authentication key to re-access; a forensic bridge that supports SED cannot bypass the hardware encryption without the key. Option B is wrong because powering off the laptop will lock the SED, and imaging with a hardware write blocker will only capture the encrypted ciphertext, not the decrypted data the examiner needs. Option D is wrong because booting from a forensic live CD will power-cycle the drive, causing the SED to lock and requiring the authentication key to decrypt, which is not available; the resulting image would be encrypted and unusable.

973
MCQmedium

During a forensic examination, the analyst encounters a file that is not automatically readable by forensic tools. The analyst suspects the file contains contraband images. Which of the following is the BEST approach to handle this evidence in accordance with the rules of evidence?

A.Delete the file to prevent accidental distribution.
B.Create a forensic copy and use a write blocker to access the copy with appropriate software.
C.Ignore the file because it cannot be easily read.
D.Open the file using the original application on the suspect's computer.
AnswerB

Working on a copy preserves the original.

Why this answer

The analyst should document the file's location and metadata, then use a validated tool to extract and view the content while maintaining a chain of custody and ensuring the original is not altered.

974
MCQmedium

A security analyst reviews Windows Security event logs and finds Event ID 4625 with Logon Type 10. What does this indicate?

A.Failed remote interactive logon (e.g., RDP)
B.Failed service logon attempt
C.Successful network logon
D.Successful local logon
AnswerA

Logon Type 10 is RemoteInteractive, and 4625 is failed authentication.

Why this answer

Event ID 4625 with Logon Type 10 indicates a failed remote interactive logon attempt, typically via Remote Desktop (RDP).

975
MCQhard

During a Mac forensic investigation, you examine the unified log for process execution around the time of an incident. Which command-line tool is used to query the macOS unified log?

A.log
B.journalctl
C.dmesg
D.syslog
AnswerA

The 'log' command is used to access the unified log on macOS.

Why this answer

The 'log' command is the native tool to query the unified logging system on macOS.

Page 12

Page 13 of 14

Page 14