Computer Hacking Forensic Investigator CHFI (CHFI) — Questions 976-1000

1000 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976
MCQ · easy

Which cloud forensic challenge refers to the inability to physically access the storage media where data resides?

A. Data jurisdiction
B. Lack of physical access
C. Multi-tenancy
D. Volatility of evidence
Answer: B

In cloud forensics, investigators cannot physically seize servers.

Why this answer

Volatility of evidence relates to the ephemeral nature of cloud data. Multi-tenancy is about shared resources. Data jurisdiction is legal.

Lack of physical access is a key challenge.

977
MCQ · medium

In cloud forensics, which AWS service provides a centralized log of API calls made by users and services, often used to investigate unauthorized access or configuration changes?

A. AWS CloudWatch
B. AWS CloudTrail
C. AWS Config
D. AWS VPC Flow Logs
Answer: B

CloudTrail records API activity for auditing and forensic analysis.

Why this answer

AWS CloudTrail records all API calls for governance, compliance, and operational auditing, making it essential for forensic investigations in AWS.

978
MCQ · medium

A security analyst receives an image of a hard drive with a GPT partition table. Which of the following is a key difference between GPT and MBR that the analyst should consider?

A. GPT stores partition information only in the first sector of the disk
B. GPT uses a protective MBR to prevent legacy tools from misinterpreting the disk
C. GPT supports up to 4 primary partitions; MBR supports up to 128
D. MBR uses a GUID partition table; GPT uses a simple table at sector 0
Answer: B

Why this answer

GPT includes a protective MBR (Legacy MBR) at sector 0 to prevent older disk utilities from overwriting the GPT data.

979
MCQ · medium

During a cloud forensic investigation, an analyst needs to identify who deleted an S3 bucket in an AWS environment. Which AWS service log should the analyst examine to find the API call and the associated IAM user or role?

A. AWS CloudTrail
B. Amazon S3 server access logs
C. AWS Config
D. Amazon CloudWatch Logs
Answer: A

CloudTrail logs all API calls and is the primary source for tracking user activity.

Why this answer

AWS CloudTrail records API calls made to AWS services, including S3 bucket deletion, along with the identity of the caller.

980
MCQ · hard

A forensic analyst is examining Docker container logs and finds a container that ran the command 'rm -rf /' and then stopped. The container was based on a custom image. Which of the following is the most effective way to recover deleted files from the container's filesystem?

A. Restore the container from a backup snapshot
B. Use data carving tools on the container's writable layer
C. Run 'docker commit' to create an image from the container and then extract files
D. Recover files from the image layers using 'docker history' and 'docker export'
Answer: D

Image layers are immutable; files deleted in the container are still present in the underlying layers. 'docker export' extracts the container's current filesystem, while the underlying image layers still hold the original data.

Why this answer

Docker images consist of layers. Even if a container deletes files, the underlying image layers are read-only and contain the original files. Inspecting the image layers can recover them.

981
MCQ · hard

An analyst reviews proxy logs and sees repeated requests to a known malicious domain from multiple internal hosts, each using a different User-Agent string. The requests are all GET requests for /images/icon.png. What technique is most likely being used to evade detection?

A. User-Agent randomization
B. HTTPS tunneling
C. IP spoofing
D. Domain generation algorithm (DGA)
Answer: A

Randomizing the User-Agent helps evade detection by making the traffic appear to come from a variety of browsers.

Why this answer

Using different User-Agent strings per request is a common evasion technique to avoid signature-based detection that relies on a single User-Agent.

982
Multi-Select · medium

Which TWO pieces of information can be obtained from an email's Received headers to help trace the email's origin? (Select TWO)

Select 2 answers
A. The DKIM signature hash
B. The sender's email client version
C. The IP address of the originating mail server
D. The subject line of the email
E. The timestamp when the email was processed by each server
Answers: C, E

The first Received header often contains the originating IP.

Why this answer

Received headers show each mail server the email passed through, including its IP address and timestamp.

983
MCQ · hard

A forensic analyst is reviewing the syslog from a compromised Linux server. Based on the exhibit, what does the 'orphan inode deleted' message indicate?

A. A hidden file was permanently removed from the filesystem.
B. A file was deleted while still open, and the filesystem has cleaned up the orphan inode.
C. A rootkit has attempted to hide files by marking them as orphan inodes.
D. A critical system file has been deleted, and the filesystem is warning the administrator.
Answer: B

Orphan inodes occur when a file is deleted while open; the filesystem cleans them on mount.

Why this answer

The 'orphan inode deleted' message in syslog indicates that a file was deleted while it was still open by a process. The kernel's inode cleanup mechanism (part of the VFS layer) detected the orphaned inode—an inode with no directory entry but still referenced by an open file descriptor—and removed it after the last file descriptor was closed. This is standard behavior in Linux filesystems (e.g., ext4) and is not indicative of hidden files, rootkits, or critical system file alerts.

Exam trap

EC-Council often tests the misconception that 'orphan inode deleted' is a security alert or sign of malicious activity, when in fact it is a normal filesystem housekeeping message that occurs whenever a file is deleted while still open by a process.

How to eliminate wrong answers

Option A is wrong because 'orphan inode deleted' does not imply a hidden file; hidden files (dot files) are simply files with names starting with a period and are not related to orphan inodes. Option C is wrong because rootkits may hide files by manipulating directory entries or using kernel modules, but they do not mark files as orphan inodes—orphan inodes are a natural consequence of deleting an open file, not a hiding technique. Option D is wrong because the message is a routine informational log from the filesystem cleanup process, not a warning about critical system file deletion; it does not indicate administrator action is required.

984
MCQ · easy

Which of the following email authentication protocols uses a digital signature to verify the sender's domain and that the email has not been tampered with?

A. DMARC
B. DKIM
C. SPF
D. STARTTLS
Answer: B

DKIM adds a digital signature to the email headers, allowing verification of the domain and message integrity.

Why this answer

DKIM (DomainKeys Identified Mail) uses a digital signature to authenticate the email's domain and integrity.

985
MCQ · medium

Which Azure log source should an investigator query to identify who deleted a virtual machine and when?

A. Azure Activity Log
B. Azure Active Directory sign-in logs
C. Azure Diagnostic Settings for the VM
D. Network Security Group flow logs
Answer: A

Activity Log records resource management operations (create, update, delete).

Why this answer

Azure Activity Log (now called Monitor Activity Log) records control-plane operations like VM deletion. Azure AD logs are for authentication. NSG flow logs are for network traffic.

Diagnostic settings for VMs capture OS-level logs.

986
MCQ · hard

A forensic analyst is examining a RAID 5 array consisting of three disks. One disk has failed and has been replaced. The array is rebuilt automatically. However, the analyst needs to recover deleted files that existed before the rebuild. What is the MOST significant challenge in this scenario?

A. File carving techniques do not work on RAID volumes
B. The rebuild process may overwrite data in slack space and previously unallocated clusters
C. The file system becomes corrupted after rebuild
D. The RAID controller encrypts data, preventing direct disk access
Answer: B

Rebuilding RAID 5 writes new parity and data, overwriting free space and slack.

Why this answer

RAID rebuild writes parity and data across disks, potentially overwriting slack space and previously deleted file data. The rebuilt array may have altered the original data layout, complicating recovery.

987
MCQ · hard

An incident responder has acquired a forensic image of a Linux server suspected of being compromised. The image was taken using 'dd' with no compression. The analyst needs to verify the integrity of the image. Which command should be used and what should be compared?

A. Use 'cmp' to compare the image byte-by-byte with the original drive.
B. Use 'md5sum image.dd' and compare with the original file's MD5 hash provided by the system administrator.
C. Run 'fsck' on the image to check for filesystem errors.
D. Use 'sha256sum image.dd' and compare with the hash computed during acquisition from the source device.
Answer: D

SHA-256 is strong and comparing with the hash from the source verifies integrity.

Why this answer

Option D is correct because the SHA-256 hash computed during acquisition from the source device provides a cryptographic integrity check. By recomputing the hash on the acquired image and comparing it to the original hash, the analyst can verify that the image is an exact bit-for-bit copy without any alteration or corruption. SHA-256 is preferred over MD5 in forensic contexts due to its stronger collision resistance.

Exam trap

EC-Council often tests the distinction between integrity verification (hash comparison) and filesystem checking (fsck), and the trap here is that candidates may choose 'cmp' or 'md5sum' because they sound familiar, without recognizing that 'cmp' requires the original drive and MD5 is no longer considered forensically sound.

How to eliminate wrong answers

Option A is wrong because 'cmp' compares the image file to the original drive, but the original drive is no longer available (or should not be accessed again to preserve evidence) and this approach requires direct access to the source, which defeats the purpose of forensic imaging. Option B is wrong because comparing the MD5 hash of the image to a hash provided by the system administrator is unreliable; the administrator's hash could be compromised or not computed at the time of acquisition, and MD5 is cryptographically weak and deprecated for forensic integrity verification. Option C is wrong because 'fsck' checks filesystem consistency, not bit-for-bit integrity; a filesystem can pass fsck even if the image has been tampered with or corrupted at the block level.

988
MCQ · hard

Refer to the exhibit. A database administrator finds the above error log entries when attempting to start the MySQL service. The server was working fine yesterday. What is the most likely cause of this issue?

A. The MySQL user does not have write permissions to the data directory.
B. The binary log is full and cannot be rotated.
C. The server ran out of memory due to high innodb_buffer_pool_size.
D. The InnoDB system tablespace file (ibdata1) is corrupted.
Answer: D

Corrupt ibdata1 prevents InnoDB initialization.

Why this answer

The error log entries indicate that InnoDB is unable to open or read the system tablespace file (ibdata1), which is the core file storing the InnoDB data dictionary, undo logs, and doublewrite buffer. A corrupted ibdata1 prevents MySQL from starting because the storage engine cannot initialize its internal structures, even if the server was operational the previous day. This matches the symptom of a sudden failure without prior configuration changes.

Exam trap

EC-Council often tests the distinction between permission errors, disk-full errors, memory errors, and corruption errors, so the trap here is that candidates may confuse a 'cannot start' error with a permission issue or memory exhaustion, rather than recognizing the specific InnoDB corruption signature in the log.

How to eliminate wrong answers

Option A is wrong because if the MySQL user lacked write permissions to the data directory, the error would typically be 'Permission denied' or 'Can't create/write to file', not a corruption-related InnoDB error about ibdata1. Option B is wrong because a full binary log that cannot be rotated would cause a 'Binary log disk full' or 'Could not write to binlog' error, not an InnoDB system tablespace corruption error. Option C is wrong because running out of memory due to high innodb_buffer_pool_size would manifest as an out-of-memory (OOM) kill or allocation failure, not a specific corruption error for ibdata1.

989
MCQ · hard

An iOS forensic analyst extracts the Keychain from an iTunes backup. Within the Keychain, they find an entry with class 'Generic Password', service 'com.apple.sbd', and account 'iCloud'. What type of data does this entry MOST likely contain?

A. Wi-Fi password
B. Device passcode
C. iCloud credentials
D. SMS encryption key
Answer: C

The service 'com.apple.sbd' and account 'iCloud' strongly suggest iCloud authentication data.

Why this answer

The entry with class 'Generic Password', service 'com.apple.sbd', and account 'iCloud' corresponds to the iCloud credentials stored in the iOS Keychain. The service identifier 'com.apple.sbd' is the bundle ID for Apple's 'sbd' daemon, which handles iCloud syncing and authentication. This Keychain entry stores the user's iCloud account password, not a Wi-Fi password, device passcode, or SMS encryption key.

Exam trap

The trap here is that candidates confuse the 'Generic Password' class with any password type, but the specific service 'com.apple.sbd' uniquely identifies iCloud credentials, not generic Wi-Fi or device passcode entries.

How to eliminate wrong answers

Option A is wrong because Wi-Fi passwords are stored under class 'AirPort' or 'Generic Password' with service 'com.apple.wifi' or 'AirPort', not 'com.apple.sbd'. Option B is wrong because the device passcode is never stored in the Keychain; it is stored in a separate hardware-backed Secure Enclave and is not extractable from an iTunes backup. Option D is wrong because SMS encryption keys are managed by the iMessage subsystem and stored under service 'com.apple.icloud.sms' or 'com.apple.madrid', not 'com.apple.sbd'.

990
MCQ · medium

An investigator examines an iPhone backup file. Inside the backup manifest, they find a file path 'AppDomainGroup-group.com.example.app'. This indicates the data belongs to which type of app container?

A. System container for iOS system apps
B. The app's sandbox container
C. A shared container for multiple apps from the same developer
D. Temporary container for app data
Answer: C

AppDomainGroup indicates a shared container for app groups.

Why this answer

The file path 'AppDomainGroup-group.com.example.app' indicates a shared container used by App Groups, a feature that allows multiple apps from the same developer to share data. This is not a sandbox container for a single app, nor is it a system or temporary container. The 'group' prefix and the bundle identifier pattern confirm it belongs to a shared app group container.

Exam trap

EC-Council often tests the distinction between 'AppDomain-' (single app sandbox) and 'AppDomainGroup-' (shared container), and candidates mistakenly pick the sandbox container option because they overlook the 'group' keyword in the path.

How to eliminate wrong answers

Option A is wrong because system containers for iOS system apps use paths like '/System/Library' or '/var/containers/Bundle/System', not 'AppDomainGroup-'. Option B is wrong because an app's sandbox container uses the 'AppDomain-' prefix (e.g., 'AppDomain-com.example.app'), not 'AppDomainGroup-'. Option D is wrong because temporary containers use paths like 'tmp/' or 'Caches/' within the app's sandbox, not a dedicated 'AppDomainGroup-' domain.

991
MCQ · medium

In Mac forensics, which artifact stores system-wide and per-user application preferences, often used to determine configured settings and recently accessed files?

A. Unified logging
B. .plist files
C. SQLite databases
D. FSEvents
Answer: B

.plist files store preferences and user data for applications.

Why this answer

.plist files (property lists) are used on macOS to store application preferences and configuration data. They can be analyzed to extract user activity and settings.

992
MCQ · medium

An incident responder finds a file named 'photo.jpg' on a compromised system. The file size is 2 MB and it is located in a temp directory. The file's SHA256 hash is 5d41402abc4b2a76b9719d911017c592. What is the BEST next step to determine if this file is malicious?

A. Delete the file to prevent potential harm
B. Perform static analysis using IDA Pro to disassemble the file
C. Compare the hash against known malware hashes in a threat intelligence database
D. Run the file in a sandbox environment to observe behavior
Answer: C

Hash lookup can immediately confirm if the file is known malicious.

Why this answer

Option C is correct because comparing the SHA256 hash of the file against a threat intelligence database (e.g., VirusTotal, AlienVault OTX) is the fastest, least intrusive method to determine if the file is known malware. Since the file is 2 MB and located in a temp directory, it could be a legitimate image or a disguised executable; hash comparison leverages existing threat intelligence without altering the evidence or risking system compromise.

Exam trap

Cisco often tests the principle of 'least intrusive first' in forensic workflows, and the trap here is that candidates impulsively choose to run the file in a sandbox (Option D) without first performing a simple, non-invasive hash lookup, which is the standard initial triage step.

How to eliminate wrong answers

Option A is wrong because deleting the file destroys potential evidence and violates forensic preservation principles (e.g., maintaining chain of custody). Option B is wrong because IDA Pro is a disassembler for executable files (PE, ELF, Mach-O), not for image files like photo.jpg; static analysis of a non-executable file would be ineffective and premature without first confirming it is malicious. Option D is wrong because running the file in a sandbox could execute malware, potentially causing network propagation or data exfiltration, and is resource-intensive; it should only be done after hash analysis fails to identify the file.

993
MCQ · easy

A security team needs to preserve network evidence for a potential legal case. What is the BEST practice for capturing volatile network data?

A. Wait until normal business hours to capture traffic
B. Only record summary logs from the firewall
C. Perform packet capture using a portable tool and store the capture with a cryptographic hash
D. Use a dedicated forensic workstation with a write blocker
Answer: C

This ensures minimal impact and integrity of the captured data.

Why this answer

Option C is correct because capturing volatile network data requires immediate acquisition of live traffic before it is lost, and using a portable tool (e.g., tcpdump, Wireshark) allows rapid deployment. Storing the capture with a cryptographic hash (e.g., SHA-256) ensures data integrity and chain of custody, which is essential for admissibility in legal proceedings. This approach preserves the most volatile evidence (packet contents) while providing verifiable proof that the data has not been altered.

Exam trap

EC-Council often tests the distinction between volatile and non-volatile evidence; the trap here is that candidates confuse the write blocker (used for disk forensics) with network capture tools, incorrectly assuming that a write blocker can somehow preserve network traffic.

How to eliminate wrong answers

Option A is wrong because waiting until normal business hours introduces unacceptable delay; volatile network data (e.g., active sessions, real-time traffic) is lost the moment it passes, and delaying capture risks losing critical evidence. Option B is wrong because recording only summary logs from the firewall discards the full packet payload and metadata (e.g., TCP sequence numbers, application-layer data), which are often necessary for reconstructing incidents and proving intent. Option D is wrong because a dedicated forensic workstation with a write blocker is designed for acquiring non-volatile storage media (e.g., hard drives, SSDs) to prevent writes; network traffic is volatile and cannot be captured via a write blocker, which has no role in live network packet capture.

994
MCQ · medium

During a forensic investigation of a Windows system, an analyst examines the NTUSER.DAT registry hive. Which artifact would MOST likely be found to identify recently accessed documents and folders via the Windows Explorer GUI?

A. ShellBags
B. Run keys
C. MRU lists
D. UserAssist
Answer: A

ShellBags record folder names and paths accessed via Windows Explorer.

Why this answer

ShellBags store folder view settings and paths of accessed folders, making them useful for tracking user folder navigation.

995
MCQ · medium

A forensic analyst needs to acquire evidence from an iPhone 12 running iOS 15. The device is passcode-locked and cannot be unlocked. Which acquisition method should be used to obtain the MOST data possible?

A. Physical acquisition via GrayKey or Cellebrite
B. Logical acquisition via iTunes backup
C. Manual acquisition by photographing the screen
D. File system acquisition via jailbreak
Answer: A

These tools can perform physical extraction even on locked devices, using advanced exploits.

Why this answer

GrayKey and Cellebrite perform physical acquisition by exploiting bootrom or iBoot vulnerabilities (e.g., checkm8 on older devices) or using advanced brute-force techniques to extract the full file system image, including encrypted keychain data and deleted files. This method bypasses the passcode lock and retrieves the maximum amount of data from an iPhone 12 running iOS 15, as logical and manual methods are severely limited by the locked state.

Exam trap

Cisco often tests the misconception that a logical backup (Option B) is sufficient for locked devices, but the trap is that iTunes backups require the device to be unlocked and trusted, making them impossible on a passcode-locked iPhone 12 running iOS 15.

How to eliminate wrong answers

Option B is wrong because a logical acquisition via iTunes backup requires the device to be unlocked and trusted with the host computer; a passcode-locked iPhone 12 cannot be backed up without the passcode, and even if possible, it only retrieves user data, not system files or deleted artifacts. Option C is wrong because manual acquisition by photographing the screen only captures visible content and cannot access internal storage, encrypted data, or deleted information, making it the least comprehensive method. Option D is wrong because file system acquisition via jailbreak requires the device to be jailbroken, which is not possible on iOS 15 for a locked device without first bypassing the passcode; jailbreaking also voids security and is not a standard forensic method for locked iPhones.

996
Multi-Select · medium

Which TWO of the following tools are commonly used for file carving during forensic investigations?

Select 2 answers
A. Sleuth Kit
B. WinPmem
C. Foremost
D. Volatility
E. PhotoRec
Answers: C, E

Foremost and PhotoRec are both file carvers.

Why this answer

Foremost and PhotoRec are popular file carving tools that recover files based on headers and footers.

997
MCQ · medium

During a forensic examination of a Windows 10 system, an investigator runs the following command: 'fsutil usn readjournal C: > usn_output.txt'. What is the primary purpose of this action?

A. To recover deleted files from the Recycle Bin
B. To analyze the Update Sequence Number (USN) journal for file system activity
C. To check the integrity of the NTFS file system
D. To extract the Master File Table ($MFT) from the volume
Answer: B

The USN journal tracks changes; reading it helps identify file operations.

Why this answer

The USN journal records changes to files and directories. This command reads the journal, which can reveal file creation, deletion, and modification timestamps, even if the MFT entry is modified.

998
MCQ · medium

A forensic analyst is examining a Mac system for evidence of recent file access. Which artifact provides a timeline of file system events with high precision and is commonly analyzed using tools like mac_apt?

A. bash_history
B. Unified Logging
C. .plist files
D. FSEvents
Answer: D

FSEvents records file system changes with timestamps, essential for timeline analysis on macOS.

Why this answer

FSEvents (File System Events) on macOS records changes to the file system, including timestamps, and is stored in /.fseventsd. It is a primary artifact for timeline analysis on Mac.

999
MCQ · easy

An analyst is examining an Apple Mac system and needs to recover deleted files from an APFS volume. Which tool is most appropriate for this task?

A. Foremost
B. LiME
C. FTK Imager
D. Volatility
Answer: C

FTK Imager supports APFS and can recover deleted files.

Why this answer

APFS is the default file system on modern Macs. Tools like Foremost or PhotoRec can carve files from the raw device, but file-system-aware tools such as apfs-fuse or Disk Drill are more appropriate. Among forensic suites, FTK and EnCase support APFS.

1000
Multi-Select · hard

Which THREE of the following are challenges specific to cloud forensics compared to traditional digital forensics? (Select 3)

Select 3 answers
A. Chain of custody documentation
B. Data jurisdiction and legal compliance across regions
C. Multi-tenancy and co-mingling of data
D. Volatile evidence and lack of persistent storage
E. Physical access to the hard drive
Answers: B, C, D

Data may be stored in multiple countries with different laws.

Why this answer

Cloud forensics involves multi-tenancy (shared resources), data jurisdiction (differing laws across regions), and volatile evidence (data may be ephemeral). These challenges are distinct from those of traditional forensics.
