Computer Hacking Forensic Investigator (CHFI) — Questions 76–150

1000 questions total · 14 pages · All types, answers revealed

Page 2 of 14
76
MCQ · medium

During a network forensic investigation, an analyst examines a pcap file and finds multiple TCP SYN packets sent to a target IP on port 80, each from a different source IP address. No SYN-ACK packets are returned, but the target continues to send SYN-ACK responses for earlier packets. What attack is MOST likely occurring?

A. UDP flood attack
B. SYN flood attack
C. ARP spoofing attack
D. DNS amplification attack
Answer: B

Multiple SYN packets from varied sources, no subsequent ACKs, and a target that is still responding indicate a SYN flood.

Why this answer

A SYN flood attack sends many SYN packets without completing the handshake, exhausting the target's connection queue. The different source IPs indicate a distributed SYN flood or IP spoofing.

77
MCQ · hard

An analyst discovers a hidden partition on a hard drive that does not appear in the standard MBR partition table. The drive uses GPT partitioning. Which area of the disk should be examined to find evidence of a hidden partition?

A. The Master Boot Record (MBR) in sector 0
B. The GPT header and partition entry array located after the protective MBR
C. The Volume Boot Record (VBR) of the C: drive
D. The Host Protected Area (HPA) at the end of the disk
Answer: B

The GPT header and partition entries define all partitions. A hidden partition might be omitted from the main table but could be discovered by scanning the entire disk for GPT-like structures.

Why this answer

GPT uses a Protective MBR in the first sector, followed by the GPT header and partition entries. A hidden partition might be created by modifying the GPT header or by using alternative partitioning schemes that are not listed in the main GPT table.

78
MCQ · hard

A forensic examiner is analyzing a compromised Linux system and finds a suspicious cron job in /var/spool/cron/crontabs/root that executes a script every hour. The script is located in /tmp/.hidden/update.sh. What is the BEST next step?

A. Reboot the system to clear the cron job from memory
B. Capture the script for analysis and preserve the cron entry as evidence
C. Delete the cron job immediately to prevent further damage
D. Run the script in a sandbox to determine its functionality
Answer: B

Forensic soundness requires collecting and analyzing the script without altering the system.

Why this answer

The cron job is a persistence mechanism. The examiner should capture the script and analyze it to understand the attacker's actions, preserving the file as evidence.

79
MCQ · medium

During an email forensics investigation, an analyst examines headers and sees `Received: from mail.evil.com (192.168.1.100) by mail.victim.com` followed by `DKIM-Signature: v=1; a=rsa-sha256; d=evil.com; s=selector; bh=...; h=...; b=...`. The email claims to be from support@paypal.com. Which finding is the strongest indicator of spoofing?

A. The email was received via SMTP
B. The email lacks an SPF record in the header
C. The email originated from IP 192.168.1.100
D. The DKIM signature domain is evil.com, not paypal.com
Answer: D

A valid DKIM signature for paypal.com should have d=paypal.com. The mismatch is a strong spoofing indicator.

Why this answer

The DKIM-Signature domain (evil.com) does not match the claimed sender domain (paypal.com). This mismatch indicates the email is likely spoofed.

80
MCQ · easy

Which forensic tool is specifically designed to recover lost partitions or file system structures and can also be used for data carving?

A. Sleuth Kit
B. EnCase
C. TestDisk
D. Volatility
Answer: C

Why this answer

TestDisk is a powerful tool for recovering lost partitions and fixing boot sectors. It can also carve data from unallocated space.

81
Multi-Select · medium

Which TWO of the following are considered essential steps in the computer forensics investigation process according to EC-Council guidelines?

Select 2 answers
A. Identification of potential evidence
B. Data recovery from damaged media
C. Deletion of irrelevant data
D. Preservation of the integrity of evidence
E. Public disclosure of findings
Answers: A, D

Identification is the first step in the forensic process.

Why this answer

Identification of potential evidence is a core initial step in the EC-Council's computer forensics investigation process because it defines the scope and sources of data that may contain relevant evidence. Without proper identification, investigators risk missing critical data or collecting irrelevant information, which can compromise the entire investigation. This step involves recognizing potential evidence sources such as hard drives, network logs, and volatile memory, ensuring that all relevant data is accounted for before collection begins.

Exam trap

The trap here is that candidates often confuse specialized techniques like data recovery or data deletion with the core essential steps, leading them to select options that are not part of the standard EC-Council forensics process.

82
MCQ · hard

During an Android forensic examination, an analyst uses ADB to perform a backup of a device. The resulting .ab file is encrypted. Which of the following is the most likely reason for the encryption?

A. The device has a lock screen PIN set, and the backup was created with default settings
B. The backup was created with the -nopassword flag
C. The backup file is corrupted
D. The device has full-disk encryption enabled
Answer: A

By default, adb backup encrypts the backup using the device's lock screen credentials.

Why this answer

When an Android backup is created via ADB with default settings, the resulting .ab file is encrypted using the device's lock screen PIN or password as the encryption key. This is a built-in security feature of the Android Backup Manager to protect backup data from unauthorized access. The encryption is applied regardless of whether full-disk encryption is enabled, as it is a separate layer of protection for the backup stream.

Exam trap

EC-Council often tests the distinction between full-disk encryption and backup-level encryption, leading candidates to incorrectly assume that FDE is the cause of the encrypted .ab file when the real mechanism is the lock screen PIN used by the Android Backup Manager.

How to eliminate wrong answers

Option B is wrong because the -nopassword flag explicitly disables encryption, so the backup would not be encrypted. Option C is wrong because corruption does not cause encryption; a corrupted file would typically fail to parse or show integrity errors, not appear as encrypted. Option D is wrong because full-disk encryption (FDE) protects data at rest on the device's internal storage, but the ADB backup stream is encrypted independently using the lock screen credential, not FDE.

83
MCQ · hard

An analyst discovers a suspicious file named 'cmd.aspx' in the web root of an IIS server. The file contains ASPX code that executes system commands. The IIS logs show a POST request to '/cmd.aspx' with a 200 status code. Which type of attack is indicated?

A. Webshell upload
B. SQL injection
C. Cross-site scripting (XSS)
D. Directory traversal
Answer: A

A webshell is a malicious script uploaded to a server that allows remote command execution. The file name 'cmd.aspx' and its ability to execute system commands are classic signs.

Why this answer

A webshell is a script that provides a backdoor for remote administration. The presence of 'cmd.aspx' in the web root with command execution capability confirms a webshell attack.

84
MCQ · medium

A forensic investigator is required to testify in court about the findings of a digital investigation. Which of the following roles does the investigator fulfill?

A. Expert witness
B. Lay witness
C. Character witness
D. Fact witness
Answer: A

The investigator's specialized knowledge qualifies them as an expert witness to provide opinions on technical matters.

Why this answer

An expert witness is someone with specialized knowledge who provides opinion testimony to assist the court in understanding technical evidence.

85
MCQ · hard

A security analyst observes a process on a Windows system creating a mutex named "Global\{5B9E4E7E-8B2C-4F6D-A1A3-F2C8D9E0A1B2}" shortly after execution. The analyst also notes outbound connections to an IP address 203.0.113.50 on port 4444. Which malware behaviour indicator is MOST clearly demonstrated?

A. Anti-debugging technique through timing checks
B. Single-instance execution safeguard and command and control communication
C. File encryption using a hardcoded AES key
D. Persistence mechanism via registry run keys
Answer: B

Mutex ensures only one instance runs; outbound connection indicates C2.

Why this answer

Creating a named mutex such as 'Global\{5B9E4E7E-8B2C-4F6D-A1A3-F2C8D9E0A1B2}' is a well-known technique used by malware to ensure only one instance of itself runs on the system, preventing conflicts or multiple infections. The outbound connection to 203.0.113.50 on TCP port 4444 is a classic indicator of command and control (C2) communication, as port 4444 is commonly associated with reverse shells and C2 traffic (e.g., the Metasploit default). Together, these two behaviors directly demonstrate a single-instance execution safeguard and C2 communication.

Exam trap

EC-Council often tests the distinction between behavioral indicators (like mutex and network connections) and specific malware capabilities (like encryption or persistence), leading candidates to confuse a single-instance safeguard with anti-debugging or persistence techniques.

How to eliminate wrong answers

Option A is wrong because anti-debugging through timing checks involves measuring code execution time to detect debugger presence, not mutex creation or outbound connections. Option C is wrong because file encryption with a hardcoded AES key would manifest as file I/O operations and cryptographic API calls, not a mutex or a network connection on port 4444. Option D is wrong because persistence via registry run keys involves writing to 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' or similar, which is not indicated by the mutex or the outbound connection.

86
MCQ · medium

An email header shows the following Received line: Received: from mail.example.com (192.168.1.1) by smtp.server.com (Postfix). The DKIM-Signature header is missing, and the X-Originating-IP header shows an IP address different from the sender's domain MX record. What is the MOST likely conclusion?

A. The email is likely spoofed
B. The email is legitimate but routed through a different server
C. The email was sent from a mobile device
D. The email server is misconfigured
Answer: A

Missing DKIM and mismatched originating IP are strong indicators of email spoofing.

Why this answer

The missing DKIM-Signature and mismatched X-Originating-IP suggest that the email may be spoofed. DKIM provides cryptographic verification; its absence combined with an IP mismatch indicates a lack of authentication and possible forgery.

87
MCQ · medium

Which of the following tools is specifically designed for forensic imaging and can create compressed, segmented, or E01 format images?

A. dd
B. Nmap
C. FTK Imager
D. Wireshark
Answer: C

FTK Imager is a GUI tool created by AccessData that supports E01, DD, and other formats with compression and segmentation.

Why this answer

FTK Imager is a free forensic imaging tool that supports multiple output formats including E01 (EnCase), DD, and segmented images.

88
MCQ · easy

In the context of cloud forensics, what is the primary challenge associated with volatile evidence in Infrastructure as a Service (IaaS) environments?

A. Evidence can be lost when the cloud instance is stopped or terminated
B. Evidence may be stored across multiple jurisdictions
C. Encryption of data at rest prevents access to evidence
D. Cloud providers may not allow forensic investigators to access the physical hardware
Answer: A

Volatile evidence like RAM and process lists is lost upon instance shutdown.

Why this answer

Volatile evidence such as memory and running processes disappears when an instance is stopped or terminated, making timely acquisition critical.

89
Multi-Select · hard

Which THREE of the following are persistence mechanisms that can be used on Linux systems?

Select 3 answers
A. Prefetch files
B. SSH authorized keys
C. Startup scripts in /etc/init.d
D. Cron jobs
E. Modifications to /etc/passwd to add new users
Answers: C, D, E

Scripts in init.d run at system startup.

Why this answer

Cron jobs, startup scripts in /etc/init.d, and modifications to /etc/passwd to create backdoor accounts are all persistence techniques on Linux. SSH keys are not a persistence mechanism but rather an access method.

90
MCQ · hard

A forensic investigator is analyzing a RAID 0 array consisting of two disks. She uses FTK Imager to acquire the logical drive. However, the data appears interleaved. What additional step is necessary to properly assemble the image?

A. Use EnCase to acquire each disk separately and mount as a RAID volume
B. Simply reorder the disk images alphabetically
C. Reconstruct the RAID by determining stripe size and order, then combine the images
D. Use PhotoRec to carve files from raw images
Answer: C

RAID 0 requires knowledge of stripe size and disk order to reassemble.

Why this answer

FTK Imager can acquire a logical drive but may not reassemble RAID 0 stripes automatically. The analyst needs to identify stripe size and order, then combine the disks using a RAID reconstruction tool.

91
MCQ · easy

Which mobile forensic tool is specifically designed to extract data from a wide range of mobile devices, including both iOS and Android, and is commonly used by law enforcement agencies?

A. Cellebrite UFED
B. Magnet AXIOM
C. Oxygen Forensic Detective
D. FTK Imager
Answer: A

Cellebrite UFED is specifically designed for mobile device forensics.

Why this answer

Cellebrite UFED (Universal Forensic Extraction Device) is the correct answer because it is a dedicated hardware and software solution specifically engineered to extract data from a vast array of mobile devices, including iOS and Android, through both physical and logical acquisition methods. It is widely adopted by law enforcement agencies globally due to its ability to bypass lock screen security, support over 30,000 device profiles, and extract deleted data via advanced techniques like JTAG and chip-off.

Exam trap

Cisco often tests the distinction between a dedicated mobile extraction tool (Cellebrite UFED) and a multi-platform forensic analysis suite (Magnet AXIOM), causing candidates to pick AXIOM because it is more well-known in general digital forensics, even though it is not the primary tool for physical mobile extraction.

How to eliminate wrong answers

Option B (Magnet AXIOM) is wrong because it is primarily a computer forensic analysis platform that processes artifacts from multiple sources (mobile, cloud, computer) but is not a dedicated mobile extraction tool; it relies on other tools like UFED for the actual physical extraction from mobile devices. Option C (Oxygen Forensic Detective) is wrong because, while it is a strong mobile forensic tool, it is not specifically designed as a hardware-based extraction device for law enforcement; it is a software suite that often requires a separate hardware write blocker and does not offer the same breadth of physical extraction methods (e.g., JTAG, ISP) as Cellebrite UFED. Option D (FTK Imager) is wrong because it is a disk imaging and preview tool for computers and hard drives, not designed for mobile device extraction; it lacks the protocols (e.g., USB, ADB, iTunes backup parsing) and hardware interfaces needed to acquire data from iOS or Android devices.

92
MCQ · hard

During an e-discovery process, a forensic examiner encounters a hard drive that is encrypted using BitLocker. The examiner has a valid password to unlock the drive. Which of the following is the MOST appropriate action to acquire the data while maintaining the chain of custody?

A. Remove the hard drive and connect it to a forensic workstation without a write blocker
B. Ask the IT administrator to decrypt the drive and then image
C. Use a hardware write blocker to image the encrypted drive directly, then decrypt the image in a lab
D. Boot the system and unlock the drive using the password, then create a forensic image
Answer: C

This preserves the original encrypted state and integrity.

Why this answer

Using a write blocker ensures the drive is not modified during acquisition. Unlocking via the OS may alter data; imaging the encrypted drive preserves the original state.

93
MCQ · medium

During a network breach investigation, an analyst examines NetFlow records and sees large data transfers from a server to an external IP address during off-hours. Which type of activity does this MOST likely indicate?

A. Normal software update download
B. Scheduled backup to a cloud service
C. Data exfiltration by an attacker
D. Denial-of-service attack against the server
Answer: C

Large off-hours transfers to external IPs are a classic exfiltration indicator.

Why this answer

Large off-hours data transfers to an external IP are typical of data exfiltration. Normal backup traffic may occur but is usually scheduled and to known destinations.

94
Multi-Select · medium

Which TWO of the following are Windows artifacts that can provide evidence of file execution, including timestamps and paths?

Select 2 answers
A. Event ID 4720
B. SAM registry hive
C. Prefetch files (*.pf)
D. Pagefile.sys
E. LNK files
Answers: C, E

Prefetch files are created when an application is run and contain execution information.

Why this answer

Prefetch files store information about recently executed programs, and LNK files (shortcuts) record execution details including timestamps and target paths.

95
MCQ · easy

Which tool is specifically designed to perform physical extraction of data from mobile devices, including bypassing lock screens on many iOS and Android devices?

A. SIFT Workstation
B. FTK Imager
C. Cellebrite UFED
D. Wireshark
Answer: C

Cellebrite UFED specializes in physical extraction and lock screen bypass.

Why this answer

Cellebrite UFED (Universal Forensic Extraction Device) is a specialized hardware and software tool designed for physical extraction of data from mobile devices, including bypassing lock screen security on iOS and Android devices. It uses advanced techniques such as bootloader exploits, JTAG, chip-off, and proprietary software-based methods to acquire full file system images, even when the device is locked or encrypted.

Exam trap

EC-Council often tests the distinction between logical extraction (e.g., via ADB or iTunes backup) and physical extraction, and candidates may confuse FTK Imager (a computer forensics tool) with mobile extraction tools, missing that Cellebrite UFED is the only option capable of bypassing lock screens via hardware-level exploits.

How to eliminate wrong answers

Option A is wrong because SIFT Workstation is a forensic analysis platform for disk and memory analysis, not a mobile device extraction tool, and it cannot bypass lock screens. Option B is wrong because FTK Imager is a disk imaging tool for computers and storage media, lacking the hardware interfaces and exploit capabilities needed for mobile device physical extraction. Option D is wrong because Wireshark is a network protocol analyzer used for capturing and inspecting network traffic, not for physical data extraction from mobile devices.

96
MCQ · easy

A forensic analyst finds a partition that uses the Master Boot Record (MBR) scheme. Which of the following is TRUE about the MBR partition table?

A. It uses a 128-bit Globally Unique Identifier (GUID) for partitions
B. It supports disks larger than 2 TiB
C. It stores partition information in a 64-byte table
D. It stores a backup partition table at the end of the disk
Answer: C

The MBR partition table is 64 bytes, containing four 16-byte entries.

Why this answer

The MBR uses a 32-bit Logical Block Address (LBA) which limits the maximum addressable disk size to 2 TiB. It stores a 64-byte partition table with four primary partitions.

97
Multi-Select · easy

Which TWO of the following are examples of file carving tools? (Select two.)

Select 2 answers
A. WinPmem
B. FTK Imager
C. PhotoRec
D. Foremost
E. dd
Answers: C, D

PhotoRec is a file carver from the TestDisk suite.

Why this answer

Foremost and PhotoRec are well-known file carving tools that recover files based on headers/footers.

98
MCQ · easy

A security analyst investigates a Windows system and finds an event with ID 4625 in the Security log. What does this event indicate?

A. A failed logon attempt
B. A successful user logon
C. A service was installed
D. A new user account was created
Answer: A

4625 is the event ID for failed logon.

Why this answer

Event ID 4625 indicates a failed logon attempt. This is a standard Windows security event used to track authentication failures.

99
MCQ · medium

In a Windows forensic investigation, which registry key is used to examine programs that automatically start at system boot for all users?

A. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
B. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
C. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
D. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
Answer: C

This key runs programs for all users at boot.

Why this answer

Run keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run configure programs to start automatically for all users. The HKCU equivalent is per-user.

100
MCQ · medium

A security analyst notices a process named 'svchost.exe' running from the directory 'C:\Users\Public\svchost.exe'. This is suspicious because legitimate svchost.exe runs from 'C:\Windows\System32'. What type of indicator is this?

A. Network indicator
B. Behavioural indicator
C. File hash indicator
D. Registry key indicator
Answer: B

The process running from an anomalous path is a behavioural pattern.

Why this answer

B is correct because the presence of svchost.exe in C:\Users\Public\ instead of C:\Windows\System32 indicates a deviation from the expected execution path, which is a classic behavioral indicator. Behavioral indicators focus on anomalous actions or file placements rather than static attributes like hashes or network traffic.

Exam trap

EC-Council often tests the distinction between static indicators (file hash, registry key) and dynamic indicators (behavioral, network), and the trap here is that candidates confuse a file path anomaly with a network or registry indicator because they associate svchost.exe with system-level activity.

How to eliminate wrong answers

Option A is wrong because a network indicator would involve IP addresses, domain names, or communication patterns (e.g., DNS queries to a C2 server), not the file path of a running process. Option C is wrong because a file hash indicator is a static signature (e.g., MD5/SHA-1 hash) used to identify known malware, not the location or behavior of a process. Option D is wrong because a registry key indicator involves modifications to Windows Registry keys (e.g., Run keys for persistence), not the file system path of an executable.

101
Multi-Select · medium

A forensic analyst is examining an Android device using ADB extraction. Which TWO statements about ADB extraction are true?

Select 2 answers
A. ADB extraction requires USB debugging to be enabled on the device
B. ADB extraction allows full file system access without root
C. ADB extraction can acquire a physical image of the device
D. ADB extraction can recover deleted files from unallocated space
E. ADB extraction requires the device to be authorized to the computer
Answers: A, E

USB debugging must be enabled for ADB to communicate with the device.

Why this answer

ADB (Android Debug Bridge) extraction requires USB debugging to be enabled on the device because ADB operates over a USB connection using the Android Debug Bridge protocol, which is only active when USB debugging is turned on in Developer Options. Without this setting, the device will not respond to ADB commands, making extraction impossible. This is a fundamental prerequisite for any ADB-based forensic acquisition.

Exam trap

Cisco often tests the misconception that ADB extraction provides full file system or physical access, but the trap is that ADB is a logical extraction method with significant privilege restrictions, and candidates confuse 'ADB backup' or 'ADB pull' with physical imaging capabilities.

102
Multi-Select · hard

Which TWO actions are essential for a first responder when securing an incident scene involving a compromised server? (Select exactly two.)

Select 2 answers
A. Run antivirus scans to identify and remove any malware present.
B. Document the system's date and time settings for accurate timeline reconstruction.
C. Photograph the physical setup, including all cables and peripheral connections.
D. Reboot the system into safe mode to prevent further damage.
E. Connect an external hard drive to create a backup of important files.
Answers: B, C

Time settings are crucial for correlating events.

Why this answer

Option B is correct because the system's date and time settings are critical for establishing a reliable timeline of events during forensic analysis. The first responder must document these settings (e.g., from the BIOS or operating system) before any changes occur, as they directly affect the timestamps of file system metadata (MAC times) and log entries. Without this baseline, correlating events across multiple sources becomes unreliable, potentially invalidating the entire investigation.

Exam trap

EC-Council often tests the misconception that proactive remediation (like scanning or backing up) is part of first responder duties, when in fact the priority is preservation of volatile and non-volatile evidence without any alteration.

103
MCQ · hard

An organization receives a litigation hold notice regarding an ongoing lawsuit. The IT administrator is instructed to preserve all relevant electronic records. Which of the following actions is MOST consistent with proper legal hold implementation?

A. Reboot all servers to ensure they are running the latest patches.
B. Immediately delete all emails older than 90 days to reduce data volume.
C. Place a hold on all data that may be relevant by suspending routine deletion and notifying custodians.
D. Encrypt all data and change access passwords to prevent unauthorized access.
Answer: C

This preserves evidence and meets legal obligations.

Why this answer

A legal hold requires suspending routine deletion policies and preserving potentially relevant data in its current state. Notifying custodians and disabling automatic deletion mechanisms are critical steps.

104
MCQ · hard

Refer to the exhibit. A forensic examiner is analyzing a Windows system and sees the above NTFS file metadata. The user claims the file was last accessed at 09:15. Which of the following best explains the discrepancy?

A. The $UsnJrnl entry shows the file was modified, and the last access time was updated by the system when the file was opened for reading
B. The system has disabled last access time updates, so the reported times are unreliable
C. The creation time is earlier than the last access, indicating the file was copied from another volume
D. The $LogFile sequence number indicates a transaction rollback that reset the timestamps
Answer: A

The $UsnJrnl records changes; the last access time is updated on read operations, explaining the later timestamp.

Why this answer

Option A is correct because the $UsnJrnl (Update Sequence Number Journal) records that the file was modified, and on Windows systems, when a file is opened for reading, the last access time is updated by default. The discrepancy arises because the user claims the file was last accessed at 09:15, but the NTFS metadata shows a different last access time, which could be due to the system updating the last access time upon modification or read operations, as recorded in the $UsnJrnl.

Exam trap

Cisco often tests the misconception that last access time updates are always disabled or unreliable, but the trap here is that the $UsnJrnl entry confirms the file was modified, which can trigger a last access time update, making the user's claim inconsistent with the system's logged activity.

How to eliminate wrong answers

Option B is wrong because if the system had disabled last access time updates (via the NtfsDisableLastAccessUpdate registry key), the last access time would not be updated at all, but the exhibit shows a last access time, indicating updates are enabled. Option C is wrong because the creation time being earlier than the last access time is normal and does not indicate a copy operation; file copy operations typically set the creation time to the current time, not an earlier one. Option D is wrong because the $LogFile sequence number indicates transaction logging for file system operations, but a transaction rollback would revert the file to a previous state, not reset timestamps in the manner described.

105
MCQ · hard

A forensic analyst is examining a network intrusion detection system (NIDS) alert that triggered on a packet with the FIN, PSH, and URG flags set. What type of scan does this indicate?

A. Xmas scan
B. NULL scan
C. SYN scan
D. ACK scan
Answer: A

Xmas scan sets FIN, PSH, and URG flags to evade detection and elicit responses.

Why this answer

A is correct because an Xmas scan sends packets with the FIN, PSH, and URG flags set (like a Christmas tree lit up). According to RFC 793, a closed port must respond with an RST packet, while an open port should drop the packet silently (no response). The NIDS alert triggered on these three flags together, which is the signature of an Xmas scan.

Exam trap

EC-Council often tests the distinction between Xmas, NULL, and SYN scans by focusing on the exact flag combinations; the trap here is that candidates confuse the FIN, PSH, URG combination with a NULL scan (no flags) or a SYN scan (single flag).

How to eliminate wrong answers

Option B is wrong because a NULL scan sends packets with no flags set (all flags off), not the FIN, PSH, and URG flags. Option C is wrong because a SYN scan sends packets with only the SYN flag set, used for half-open connections, not the combination of FIN, PSH, and URG. Option D is wrong because an ACK scan sends packets with only the ACK flag set, used to map firewall rules, not the FIN, PSH, and URG flags.

106
MCQ · easy

A security analyst is tasked with reverse engineering a suspected malware sample. Which initial step should the analyst take to ensure safe handling and prevent accidental infection?

A. Create a bit-for-bit forensic image of the sample
B. Execute the sample in a debugger on a production machine
C. Disassemble the binary using IDA Pro directly
D. Connect the sample to an isolated network to observe behavior
Answer: A

A forensic copy preserves evidence and allows safe analysis.

Why this answer

Creating a bit-for-bit forensic image (option A) is the correct first step because it preserves the malware in an immutable, write-protected state, preventing any accidental execution or modification. This ensures the integrity of the evidence and allows the analyst to work with a safe copy without risking infection of the host system or network. In malware forensics, this aligns with the fundamental principle of maintaining a chain of custody and avoiding alteration of the original sample.

Exam trap

Cisco often tests the misconception that dynamic analysis (e.g., observing behavior in a network) is the safest first step, but the trap here is that any execution—even in a controlled environment—risks accidental infection if the sample is not first forensically imaged and handled with write-blockers.

How to eliminate wrong answers

Option B is wrong because executing the sample in a debugger on a production machine risks infecting the live environment, potentially causing data loss or propagation; debugging should only be performed in an isolated sandbox or virtual machine. Option C is wrong because disassembling the binary directly with IDA Pro without first creating a forensic image could inadvertently trigger self-modifying code or anti-analysis routines that execute upon file access, compromising the analysis environment. Option D is wrong because connecting the sample to an isolated network to observe behavior still requires execution, which could lead to unintended infection of the analyst's host system if proper isolation (e.g., air-gapped VM) is not confirmed first; the initial step must be static acquisition, not dynamic analysis.

107
MCQ · hard

A forensic examiner recovers a Windows 10 system and finds a prefetch file for powershell.exe with a last run time of 3 days ago, but the system's security logs show no interactive logons from that user. What does this discrepancy suggest?

A. PowerShell was executed as part of a scheduled task or service
B. The prefetch file is corrupted
C. The user deleted their profile
D. The system clock was changed
Answer: A

Non-interactive execution (logon type 3, 4, or 5) won't show interactive logon events.

Why this answer

Prefetch files record execution times. If PowerShell ran but no interactive logon, it likely ran via a scheduled task or service, which doesn't create an interactive logon event (Event ID 4624 with logon type 2).

108
MCQ · medium

During a forensic investigation of a hard disk, the investigator finds that the partition table is missing. The disk was previously partitioned using GPT. Which area of the disk should be examined to recover the GPT partition table?

A. Last sector of the disk
B. Volume boot record
C. Master Boot Record (LBA 0)
D. LBA 1 (sector 1)
Answer: D

The GPT header and partition entries start at LBA 1.

Why this answer

GPT stores a primary partition table at LBA 1 (sector 1) and a backup at the end of the disk. The protective MBR is at LBA 0.

109
MCQ · hard

You are a forensic investigator responding to a data breach at a financial institution. The compromised server is a Windows Server 2019 running a custom trading application. The server is still powered on and connected to the production network. The incident response team has instructed you to acquire forensic evidence while minimizing downtime. The server has 2 TB of storage with 500 GB used. You have a forensic workstation with a write-blocker and an empty 2 TB external drive. The server's RAM is 64 GB. You need to acquire both volatile data (RAM) and a forensic image of the disk. However, the legal team requires a verified bit-for-bit copy with cryptographic hash verification. Additionally, the server's performance is critical; acquiring RAM via network is not feasible due to bandwidth constraints. Which of the following is the best course of action?

A. Shut down the server, remove the disk, connect it to a write-blocker, and acquire the disk image using FTK Imager; RAM is lost but disk acquisition is verified.
B. Use FTK Imager over the network to acquire RAM first, then use dd to image the disk to the external drive via write-blocker.
C. Run win32dd locally to capture RAM to the external drive, then use FTK Imager over the network to create a physical disk image with verification.
D. Use dd over netcat to acquire RAM and disk simultaneously, then compute hashes separately.
Answer: C

win32dd captures RAM locally quickly; FTK Imager over network can image the disk with hash verification.

Why this answer

Option C is correct because it prioritizes capturing volatile RAM first using win32dd (a memory acquisition tool) locally to the external drive, which preserves the most volatile evidence before any shutdown or network transfer. After RAM capture, FTK Imager over the network creates a verified physical disk image, satisfying the legal requirement for cryptographic hash verification while minimizing downtime. This approach avoids the risk of losing RAM data (as in shutdown) and avoids bandwidth constraints (as in network RAM acquisition).

Exam trap

EC-Council often tests the misconception that network-based RAM acquisition is always feasible or that shutting down the server is acceptable, but the trap here is that candidates overlook the bandwidth constraint and the critical need to preserve volatile data before disk imaging.

How to eliminate wrong answers

Option A is wrong because shutting down the server destroys volatile data (RAM), which is critical for investigating the breach, and the legal team requires a verified bit-for-bit copy, but RAM is lost entirely. Option B is wrong because acquiring RAM over the network is explicitly stated as not feasible due to bandwidth constraints, and using dd to image the disk to the external drive via write-blocker is not described correctly (dd is a Linux tool, not native to Windows Server 2019, and FTK Imager over the network for RAM would be slow and unreliable). Option D is wrong because using dd over netcat for RAM acquisition is not a standard Windows memory acquisition method, and simultaneous acquisition of RAM and disk is impractical without proper write-blocking and verification; netcat does not provide cryptographic hash verification natively.

110
MCQ · easy

Which Windows Event ID is generated when a new service is installed on a system?

A. 4624
B. 7045
C. 4648
D. 4720
Answer: B

7045 is service installation.

Why this answer

Event ID 7045 in the System log indicates a service was installed on the system.

111
Multi-Select · easy

Which TWO of the following are commonly used tools for file carving (recovering files based on file signatures)? (Select TWO.)

A. Nmap
B. Foremost
C. Wireshark
D. John the Ripper
E. Scalpel
Answers: B, E

Foremost is a classic file carver that uses configuration files to define signatures.

Why this answer

Foremost and Scalpel are well-known file carving tools that use header/footer signatures to recover files from disk images.

112
MCQ · easy

Which tool is specifically designed for timeline analysis in digital forensics and is the command-line version of the log2timeline framework?

A. Autopsy
B. Sleuth Kit
C. Plaso
D. Wireshark
Answer: C

Plaso (log2timeline) is the command-line tool for creating super timelines.

Why this answer

Plaso (Python Log2Timeline) is the command-line tool for creating super timelines from various forensic artifacts.

113
MCQ · easy

Which tool is specifically designed to extract and analyze metadata from email messages, including headers, attachments, and embedded objects, for forensic investigations?

A. FTK Imager
B. Wireshark
C. Sleuth Kit
D. EmailTracker
Answer: D

EmailTracker specializes in email header analysis and metadata extraction.

Why this answer

EmailTracker is a tool that parses email headers and extracts metadata for forensic analysis, such as tracking the path of an email.

114
MCQ · easy

An analyst finds the following string in an IIS log: %3Cscript%3Ealert('XSS')%3C/script%3E. What does this indicate?

A. A cross-site scripting (XSS) attempt
B. A SQL injection attempt
C. A buffer overflow attempt
D. A path traversal attempt
Answer: A

The payload contains script tags intended to execute JavaScript.

Why this answer

The string is URL-encoded HTML/JavaScript (<script>alert('XSS')</script>). It is a typical cross-site scripting payload attempting to execute in a browser.

115
MCQ · hard

A forensic examiner is presented with evidence that a suspect's computer was used to commit a fraud. The defense argues that the evidence was obtained without a warrant. Which US Constitutional Amendment is MOST relevant to this argument?

A. Fourth Amendment
B. First Amendment
C. Sixth Amendment
D. Fifth Amendment
Answer: A

The Fourth Amendment directly addresses warrants and unreasonable searches.

Why this answer

The Fourth Amendment protects against unreasonable searches and seizures and requires warrants supported by probable cause.

116
MCQ · medium

During a malware analysis, an analyst uses a tool to monitor registry changes, file system modifications, and process activity simultaneously. Which tool is BEST suited for this integrated monitoring?

A. Wireshark
B. Process Monitor
C. Regshot
D. Process Explorer
Answer: B

Process Monitor monitors registry, file system, and process activity.

Why this answer

Process Monitor (ProcMon) is the correct tool because it integrates real-time monitoring of registry changes, file system modifications, and process/thread activity into a single interface. It combines the legacy tools Regmon (registry) and Filemon (file system) with process monitoring, allowing an analyst to correlate events across all three subsystems simultaneously, which is essential for dynamic malware analysis.

Exam trap

EC-Council often tests the distinction between tools that perform real-time integrated monitoring (Process Monitor) versus tools that offer only snapshot comparisons (Regshot) or specialize in a single subsystem (Process Explorer), leading candidates to confuse Regshot's registry snapshot capability with live monitoring.

How to eliminate wrong answers

Option A is wrong because Wireshark is a network protocol analyzer that captures and inspects network traffic (e.g., packets over Ethernet, Wi-Fi), not registry, file system, or process activity. Option C is wrong because Regshot is a registry comparison tool that takes before-and-after snapshots of the registry and optionally the file system, but it does not monitor process activity or provide real-time, integrated monitoring. Option D is wrong because Process Explorer is a task manager and process analysis tool that shows detailed information about running processes, handles, and DLLs, but it does not monitor registry or file system changes in real time.

117
Multi-Select · medium

Which TWO of the following are Volatility plugins used for process enumeration? (Select two.)

A. pslist
B. netscan
C. pstree
D. mftparser
E. hashdump
Answers: A, C

pslist lists processes from the EPROCESS list.

Why this answer

pslist lists processes by walking the doubly-linked list. pstree displays process hierarchy. Both are standard process enumeration plugins.

118
MCQ · medium

During a forensic investigation of a compromised web server, an analyst examines the Apache access log and finds the following entry: '192.168.1.10 - - [12/Oct/2024:13:45:22 +0000] "GET /index.php?id=1 UNION SELECT username, password FROM users-- HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'. What type of attack is MOST likely indicated?

A. Cross-site scripting (XSS)
B. SQL injection (SQLi)
C. Path traversal
D. Remote file inclusion (RFI)
Answer: B

The UNION SELECT statement and comment '--' are classic SQL injection payloads inserted into the id parameter.

Why this answer

The log entry contains 'UNION SELECT username, password FROM users--', which is a SQL injection attempt to retrieve data from the users table.

119
MCQ · hard

You are a forensic investigator responding to a suspected data breach at a financial institution. The incident response team has isolated a Windows 10 workstation used by a former employee. The system is still powered on, and the login screen is displayed. Your task is to acquire forensic evidence in a defensible manner. The following actions are available: A. Immediately pull the power cord to perform a cold acquisition of the hard drive. B. Capture volatile data (RAM, network connections, running processes) using a trusted tool on a USB drive, then shut down normally and remove the hard drive for imaging. C. Boot the system from a forensic live CD and create a forensic image of the hard drive while the system is running. D. Use the built-in Windows backup to create a system image to an external drive. Which action is the most appropriate first step in this scenario?

A. Use the built-in Windows backup to create a system image to an external drive
B. Capture volatile data using a trusted tool on a USB drive, then shut down normally and remove the hard drive for imaging
C. Boot the system from a forensic live CD and create a forensic image of the hard drive while the system is running
D. Immediately pull the power cord to perform a cold acquisition of the hard drive
Answer: B

This preserves volatile evidence first, then allows forensic imaging of the disk.

Why this answer

Option B is correct because the system is still powered on with the login screen displayed, meaning volatile data (RAM, network connections, running processes) is present and will be lost if the system is powered off. Capturing this data first using a trusted forensic tool (e.g., FTK Imager or DumpIt) from a write-blocked USB drive preserves critical evidence such as encryption keys, active network connections, and malware in memory. Only after volatile data is secured should the system be shut down normally and the hard drive removed for forensic imaging, ensuring a defensible chain of custody.

Exam trap

EC-Council often tests the misconception that pulling the power cord is the safest method to preserve disk evidence, but the trap here is that it destroys volatile data and can cause filesystem corruption, making it inappropriate when the system is still powered on and volatile data is present.

How to eliminate wrong answers

Option A is wrong because using the built-in Windows backup to create a system image modifies the system (e.g., writes backup metadata, changes registry timestamps) and does not capture volatile data, violating forensic integrity principles. Option C is wrong because booting from a forensic live CD while the system is running can overwrite portions of RAM and disk (e.g., pagefile, unallocated space) and may trigger anti-forensic mechanisms, plus it does not capture the current volatile state before the system is altered. Option D is wrong because immediately pulling the power cord (cold acquisition) destroys all volatile data (RAM, network connections, running processes) that may contain critical evidence like encryption keys or active malware, and can cause filesystem corruption if the disk was in a write state.

120
Multi-Select · hard

Which TWO of the following are valid techniques for collecting volatile network evidence from a live system during incident response?

A. Using route print to view the IP routing table.
B. Using ipconfig /displaydns to view the DNS resolver cache.
C. Running arp -a to view the ARP table.
D. Running netstat -an to view active TCP/UDP connections.
E. Executing tcpdump -i eth0 -w capture.pcap to capture live packets.
Answers: D, E

Active connections are volatile and show current network activity.

Why this answer

Option D is correct because `netstat -an` displays all active TCP and UDP connections along with their listening ports and states, which is critical for identifying unauthorized or malicious network connections on a live system. This command provides a snapshot of current network sessions without altering system state, making it a standard volatile evidence collection technique.

Exam trap

The trap here is that candidates confuse static configuration commands (route print, arp -a) or cached data (ipconfig /displaydns) with live volatile evidence, when only commands that capture active network sessions or raw traffic qualify as volatile evidence collection.

121
MCQ · medium

Refer to the exhibit. An analyst recovers this binary log entry from a MySQL server. What does the timestamp '190101 10:00:00' represent?

A. The time the DELETE statement was executed on the MySQL server
B. The time the client sent the query to the server
C. The time the binary log file was written to disk
D. The time the transaction was committed
Answer: A

The timestamp records when the server executed the statement.

Why this answer

In MySQL binary logs, the timestamp in the 'Query' event header (e.g., '190101 10:00:00') records the server's local time when the statement began executing. This is the time the DELETE statement was actually processed by the MySQL server, not when the client sent it or when the log was written. The binary log captures the exact moment the server starts executing the query, making option A correct.

Exam trap

Cisco often tests the distinction between 'execution time on server' vs 'client send time' or 'commit time', and the trap here is that candidates confuse the binary log event timestamp with the client-side query submission time or the transaction commit time, which are recorded differently in MySQL's binary log format.

How to eliminate wrong answers

Option B is wrong because the timestamp in the binary log event header reflects the server's execution start time, not the client's query send time; client-side timestamps are not recorded in the binary log. Option C is wrong because the binary log file write time is recorded in the file header or as a separate 'Rotate' event, not in the individual query event timestamps. Option D is wrong because the transaction commit time is recorded in a 'Xid' event or 'Query' event with a 'COMMIT' statement, not in the timestamp of a DELETE statement event; the timestamp here marks the start of the statement execution, not the commit.

122
MCQ · hard

An analyst is investigating a Linux system that used ext4. The suspect deleted several files and then ran 'fstrim' on the partition. Which of the following best describes the challenge in recovering the deleted data?

A. The ext4 journal will automatically purge the metadata of deleted files
B. Data recovery is still possible using file carving because fstrim only affects free space
C. The inodes are overwritten immediately, making recovery impossible
D. The TRIM command instructs the SSD to permanently erase the blocks, and wear leveling may also have moved data
Answer: D

Why this answer

The fstrim command sends TRIM commands to the SSD, causing the device to garbage-collect and erase deleted blocks. Wear leveling may have moved data, complicating recovery.

123
MCQ · hard

During a forensic investigation of a Google Cloud Platform (GCP) environment, an analyst reviews Audit Logs and sees a log entry with the method 'storage.objects.list' and a principal email 'attacker@gmail.com'. However, the identity is not from the organization's domain. What should the analyst conclude?

A. The analyst must immediately shut down the bucket.
B. The attacker spoofed the principal email in the log.
C. An external identity was granted IAM permissions on the bucket, possibly through a misconfigured resource.
D. The log entry is a false positive due to a logging error.
Answer: C

The presence of an external email in the principal field indicates that an external user had permissions, likely due to misconfigured IAM or a public bucket.

Why this answer

An external principal appearing in the log indicates that the bucket's IAM policy allowed access from outside the organization, a common misconfiguration.

124
MCQ · medium

During a forensic examination of an SSD, the analyst notes that TRIM is enabled. What challenge does TRIM pose for data recovery?

A. TRIM reduces the lifespan of the SSD by excessive writes
B. TRIM compresses data, altering forensic signatures
C. TRIM encrypts data, preventing forensic access
D. TRIM permanently erases deleted data at the block level, hindering recovery
Answer: D

TRIM informs the SSD to erase blocks, making recovery difficult.

Why this answer

TRIM allows the SSD to erase data blocks that are no longer in use, making it difficult to recover deleted files because the physical data may be zeroed out.

125
MCQ · medium

Which of the following is a primary challenge in cloud forensics due to shared infrastructure?

A. Slow internet speeds
B. Multi-tenancy and data commingling
C. Lack of logging capabilities
D. Inability to perform network analysis
Answer: B

Shared resources can cause evidence from different tenants to mix, complicating attribution.

Why this answer

Multi-tenancy means multiple customers share the same physical resources. This complicates evidence isolation and can lead to data commingling, making forensic acquisition difficult.

126
Multi-Select · medium

A security analyst notices repeated entries in an IIS log: 10.0.0.2, -, 05/Feb/2023:08:12:34 +0000, GET /../../windows/system32/config/sam, 404, 0, 532. Which TWO of the following attack types are indicated by this log entry?

A. SQL injection
B. Directory traversal
C. Privilege escalation attempt
D. Denial of service
E. Cross-site scripting
Answers: B, C

'../' sequences aim to traverse directories to access restricted files.

Why this answer

The use of '../' indicates path traversal, and the target file (SAM) is a common target for privilege escalation.

127
MCQ · medium

A forensic analyst is creating a forensic image of a suspect's hard drive using a write blocker. Which of the following BEST describes the purpose of using a hardware write blocker?

A. To ensure that no data is written to the source drive during imaging
B. To increase the speed of data acquisition
C. To encrypt the forensic image for secure storage
D. To allow the suspect drive to be booted without altering data
Answer: A

This is the primary function: it blocks write commands from the forensic workstation to the suspect drive.

Why this answer

A hardware write blocker prevents any modification to the original evidence by intercepting write commands at the hardware level, ensuring the integrity of the source drive.

128
MCQ · easy

During a forensic investigation, an examiner wants to recover deleted files from a FAT32 file system. Which structure is most critical for file recovery?

A. File Allocation Table (FAT)
B. Master File Table (MFT)
C. Journal
D. Inode table
Answer: A

FAT stores cluster chains; deleted files may have their directory entries and FAT chains intact.

Why this answer

The File Allocation Table (FAT) contains cluster chains for files; deleted entries may still be recoverable if not overwritten.

129
MCQ · easy

An analyst captures network traffic during an incident and wants to extract files transferred over HTTP. Which Wireshark feature is BEST suited for this task?

A. Follow TCP Stream
B. Statistics > HTTP
C. Export Objects > HTTP
D. Analyze > Expert Info
Answer: C

This extracts files transferred via HTTP from the capture.

Why this answer

Wireshark's 'Export Objects' feature allows extraction of files transferred via HTTP, SMB, etc. 'Follow TCP Stream' shows the stream content but does not export files.

130
MCQ · easy

During a forensic investigation, an analyst discovers that the suspect's hard drive was encrypted using BitLocker. The analyst has obtained the recovery key. Which of the following is the best next step to ensure data integrity?

A. Decrypt the drive using the recovery key and then create a forensic image.
B. Run a live analysis tool to extract encryption keys from memory.
C. Create a forensic image of the encrypted drive, then decrypt the image.
D. Boot the suspect computer and copy files to an external drive.
Answer: C

This preserves the original encrypted state and allows analysis of the decrypted image.

Why this answer

Option C is correct because creating a forensic image of the encrypted drive before decryption preserves the original evidence in its pristine, unaltered state. Decrypting the image later using the recovery key ensures that the original encrypted data remains intact and verifiable, maintaining data integrity throughout the investigation.

Exam trap

EC-Council often tests the principle that forensic imaging must occur before any decryption or analysis to preserve evidence integrity, and candidates mistakenly believe decryption first is acceptable because they have the key.

How to eliminate wrong answers

Option A is wrong because decrypting the drive directly on the original hardware modifies the data and metadata, breaking the chain of custody and potentially altering evidence. Option B is wrong because running a live analysis tool to extract encryption keys from memory is unnecessary when the recovery key is already obtained, and live acquisition risks modifying the system state and compromising integrity. Option D is wrong because booting the suspect computer and copying files to an external drive alters the original media and does not create a bit-for-bit forensic image, violating forensic best practices.

131
MCQ · medium

During a forensic investigation, an analyst uses a hardware write blocker to connect a suspect hard drive to a forensic workstation. Which of the following is the PRIMARY reason for using a write blocker?

A. To allow the suspect drive to be mounted as read-write for analysis
B. To decrypt the drive automatically without the key
C. To prevent any modification to the suspect drive during acquisition
D. To speed up the imaging process by caching writes
Answer: C

The primary purpose is to ensure the drive is not altered during forensic acquisition.

Why this answer

The primary reason for using a hardware write blocker is to ensure that the suspect drive is connected in a read-only manner, preventing any write operations from the forensic workstation from reaching the drive. This preserves the integrity of the evidence by guaranteeing that no data is altered, added, or deleted during the acquisition process, which is a fundamental requirement for admissibility in legal proceedings.

Exam trap

EC-Council often tests the misconception that write blockers are used to speed up imaging or that they provide some form of decryption, when in fact their sole purpose is write prevention for evidence integrity.

How to eliminate wrong answers

Option A is wrong because a write blocker forces the drive to be read-only, not read-write; mounting as read-write would risk modifying evidence. Option B is wrong because write blockers do not perform decryption; they only block write commands at the hardware level and have no capability to decrypt drives without the key. Option D is wrong because write blockers do not cache writes or speed up imaging; in fact, they add a slight overhead by intercepting and blocking write commands, and caching writes would contradict the goal of preventing modification.

132
MCQ · hard

A forensic analyst is examining a Docker container that was used to launch a DDoS attack. Which layer of a Docker image is most likely to contain the attacker's malicious scripts?

A. The overlay filesystem layer
B. The topmost writable container layer
C. The volume mounted from the host
D. The base image layer
Answer: B

Runtime changes, including malicious scripts, are stored in the writable layer.

Why this answer

Docker images consist of read-only layers. The topmost writable layer (container layer) holds changes made at runtime, such as installing tools or scripts. The attack scripts would be in this layer.

133
MCQ · medium

A security analyst discovers a suspicious registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate. The key points to a file in AppData. What is the most likely purpose of this registry key?

A. It logs the user's keystrokes
B. It ensures the malware runs every time the user logs in
C. It is a legitimate Windows update configuration
D. It stores the malware's configuration settings
Answer: B

The Run key is a standard persistence location for malware.

Why this answer

The registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a standard Windows autostart location. Malware commonly adds an entry here to achieve persistence, ensuring it executes every time the user logs in. The suspicious name 'WindowsUpdate' is a common masquerade tactic to hide malicious intent.

Exam trap

Cisco often tests the distinction between persistence mechanisms (like Run keys) and actual malware functionality; the trap here is assuming the key name 'WindowsUpdate' implies legitimate system behavior, when in fact it is a classic masquerade technique.

How to eliminate wrong answers

Option A is wrong because keystroke logging is a specific function of malware, not a property of the Run registry key itself; the key only specifies an executable to launch. Option C is wrong because legitimate Windows Update configuration is stored in system-level registry paths (e.g., HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate) and never in HKCU\...\Run. Option D is wrong because the Run key stores a command line to execute a program, not configuration settings; malware configuration is typically stored in separate files or other registry keys.

134
MCQ · medium

During a forensic investigation, an analyst creates a forensic image using `dcfldd` with the command: `dcfldd if=/dev/sda of=image.dd hash=sha256 hashwindow=10M`. What is the purpose of the `hashwindow` parameter?

A. It limits the total amount of data to hash to 10 MB
B. It creates a hash for every 10 MB block of data
C. It sets the hash algorithm to SHA-256
D. It enables error correction for every 10 MB
Answer: B

This allows verification of each 10 MB segment independently.

Why this answer

The `hashwindow` parameter in `dcfldd` specifies the size of the data chunks for which individual hash values are computed. With `hashwindow=10M`, the tool generates a SHA-256 hash for every 10 MB block of the input data, allowing verification of integrity on a per-block basis rather than only a single hash for the entire image. This is useful for detecting corruption or tampering in specific segments of large forensic images.

Exam trap

EC-Council often tests the distinction between parameters that set the hash algorithm (`hash=`) versus those that control hash granularity (`hashwindow`), leading candidates to confuse `hashwindow` with limiting the total data or enabling error correction.

How to eliminate wrong answers

Option A is wrong because `hashwindow` does not limit the total amount of data to hash; it defines the block size for per-block hashing, and the entire input is still processed. Option C is wrong because the hash algorithm is set by the `hash=sha256` parameter, not by `hashwindow`. Option D is wrong because `hashwindow` does not enable error correction; it only controls the granularity of hash computation, and `dcfldd` does not provide built-in error correction for data blocks.

135
MCQ · medium

During a forensic investigation of a compromised web server, you find the following entry in the IIS log: 192.168.2.50, -, 10/Jan/2023, 14:32:15, W3SVC1, WEB01, 192.168.2.10, 80, POST, /uploads/shell.aspx, 200, 0, 0, 513, 0, Mozilla/4.0. Which action should the investigator prioritize?

A. Rebuild the web server from a clean backup
B. Analyze the uploaded shell.aspx file for malicious content
C. Delete the shell.aspx file immediately
D. Check the web server's firewall logs for the attacker's IP
Answer: B

The file is likely a webshell; analyzing it helps understand the attacker's capabilities and persistence mechanisms.

Why this answer

The log shows a POST request to shell.aspx in the uploads directory with a 200 status, indicating a likely webshell upload. The investigator should retrieve and analyze the uploaded file for malicious content to confirm the compromise.

136
MCQ · easy

What is slack space in a file system?

A. Space used by the file system journal
B. The unused portion of a file's last cluster
C. Space reserved for the MBR
D. Space between partitions on a disk
Answer: B

File slack is the unused bytes in the last cluster assigned to a file.

Why this answer

Slack space is the unused portion of a cluster that remains after a file is written, potentially containing residual data from previous files.

137
MCQ · easy

Which tool is specifically designed to analyze email headers and track the path of an email across multiple servers?

A. Aid4Mail
B. EmailTracker
C. Wireshark
D. FTK Imager
Answer: B

EmailTracker analyzes headers and traces the email's path.

Why this answer

EmailTracker is a web-based tool that parses email headers and visualizes the route. Aid4Mail is for forensic acquisition/analysis. Wireshark captures network packets. FTK Imager is for disk imaging.

138
MCQ · easy

Which tool is specifically designed to analyze email headers and track the path an email took across mail servers?

A. Wireshark
B. Volatility
C. EmailTracker
D. FTK Imager
Answer: C

EmailTracker is purpose-built for email header forensics.

Why this answer

EmailTracker is a tool that parses email headers and visualizes the route, timing, and geolocation of mail servers.

139
MCQ · hard

An organization suspects a stealthy malware infection on a critical server. Traditional antivirus and EDR solutions have not detected anything. Which forensic approach would be most effective in identifying the malware, given that it likely resides only in memory?

A. Perform a full disk scan with updated antivirus signatures
B. Acquire a memory dump and perform memory forensics with tools like Volatility
C. Conduct a live analysis using built-in Windows tools like Task Manager
D. Analyze network traffic for anomalies using a NetFlow analyzer
Answer: B

Memory forensics captures the malware's code and artifacts in RAM for analysis.

Why this answer

Option B is correct because the malware resides only in memory, making it invisible to disk-based scans. Memory forensics with tools like Volatility allows investigators to analyze RAM artifacts (e.g., processes, network connections, injected code) to detect stealthy malware that never writes to disk.

Exam trap

Cisco often tests the misconception that live analysis tools (like Task Manager or Process Explorer) are sufficient for detecting memory-resident malware, but they fail to reveal hidden or injected code that only memory forensics can uncover.

How to eliminate wrong answers

Option A is wrong because a full disk scan with updated antivirus signatures targets files on disk, but the malware is memory-resident and never written to disk, so it will not be detected. Option C is wrong because live analysis using built-in Windows tools like Task Manager provides only a high-level view of processes and cannot reveal hidden or injected code, rootkits, or kernel-level artifacts that require deep memory structure parsing. Option D is wrong because analyzing network traffic with a NetFlow analyzer can show anomalous communication patterns but cannot directly identify malware that resides only in memory; it lacks the ability to inspect process memory, loaded modules, or code injection.

140
Multi-Select easy

An analyst is preparing to analyze a RAID 5 array of three disks. The analyst wants to reconstruct the logical volume for file system analysis. Which THREE steps are essential in this process?

Select 3 answers
A. Use a tool like `mdadm` (Linux) or RAID Reconstructor (Windows) to assemble the array
B. Zero out the first sector of each disk to remove remnants of previous arrays
C. Determine the disk order and stripe size
D. Identify the parity rotation method (left-symmetric, etc.)
E. Run `chkdsk` on each individual disk before reconstruction
Answers: A, C, D

Specialized tools are needed to combine the disks.

Why this answer

RAID reconstruction involves identifying the order of disks, stripe size, and parity layout, then using a tool that can reassemble the array to access the file system.

141
MCQ hard

During a forensic investigation, an examiner finds a log entry: 'User JohnDoe accessed file contract.pdf at 10:32:45 AM'. This log is considered which type of evidence?

A. Circumstantial evidence
B. Hearsay
C. Direct evidence
D. Best evidence
Answer: C

Direct evidence directly proves a fact; the log entry directly shows the user accessed the file.

Why this answer

The log entry directly states that User JohnDoe accessed contract.pdf at a specific time, which is a firsthand account of the event without requiring inference. In digital forensics, direct evidence is evidence that, if believed, proves a fact without any additional reasoning or presumption. This log is a direct record of the user's action, making it direct evidence.

Exam trap

EC-Council often tests the distinction between direct and circumstantial evidence by presenting a log entry that merely implies an action (e.g., 'User logged in at 10:30, file accessed at 10:32'), which would be circumstantial. Here the log explicitly states that the user accessed the file, making it direct. Candidates often equate 'log' with 'circumstantial' because logs are frequently used to build a circumstantial case.

How to eliminate wrong answers

Option A is wrong because circumstantial evidence requires an inference to connect it to a conclusion (e.g., a fingerprint on a keyboard suggests access, but doesn't prove it), whereas this log explicitly states the access event. Option B is wrong because hearsay is an out-of-court statement offered to prove the truth of the matter asserted, but logs are considered business records or computer-generated records that are generally admissible as an exception to hearsay under FRE 803(6) or similar rules, not hearsay themselves. Option D is wrong because the best evidence rule applies to the original writing, recording, or photograph to prove its content, but this question is about the classification of the log as a type of evidence (direct vs. circumstantial), not about the admissibility of a copy versus an original.

142
MCQ medium

An investigator needs to analyze a Microsoft Outlook PST file from a suspect's computer. Which of the following tools is specifically designed for parsing and extracting emails, attachments, and metadata from PST files in a forensically sound manner?

A. Aid4Mail
B. DBXtract
C. MailXaminer
D. OutlookSpy
Answer: A

Aid4Mail is a comprehensive email forensic tool that handles PST files and preserves metadata.

Why this answer

Aid4Mail is a forensic email analysis tool that supports PST file parsing and extraction.

143
MCQ medium

A security analyst detects that a system's 'SeDebugPrivilege' is enabled for a suspicious process. Which technique is the malware MOST likely attempting to use?

A. Persistence through service
B. Anti-debugging
C. Network sniffing
D. Process injection
Answer: D

SeDebugPrivilege enables debugging and injecting code into other processes.

Why this answer

SeDebugPrivilege allows a process to debug other processes, including accessing and modifying their memory. Malware often enables this privilege to perform process injection, where malicious code is written into the memory of a legitimate process (e.g., via WriteProcessMemory and CreateRemoteThread) to evade detection and execute under the target process's context.

Exam trap

EC-Council often tests the misconception that SeDebugPrivilege is only for debugging or anti-debugging, but the exam trap is that it directly enables process injection and memory manipulation, not just debugging tools.

How to eliminate wrong answers

Option A is wrong because persistence through service typically involves creating or modifying Windows services (e.g., via sc.exe or registry keys like HKLM\SYSTEM\CurrentControlSet\Services), not enabling SeDebugPrivilege. Option B is wrong because anti-debugging techniques (e.g., IsDebuggerPresent, NtQueryInformationProcess) aim to prevent analysis, not leverage a debug privilege for code execution. Option C is wrong because network sniffing requires raw socket access or WinPcap/Npcap, not SeDebugPrivilege, which is a security privilege for process debugging.

144
MCQ medium

A forensic investigator is analyzing a USB drive formatted with FAT32 and finds that a deleted file's directory entry still exists but the first character of the filename is replaced with 0xE5. What does this indicate?

A. The file is marked as hidden
B. The file has been deleted
C. The file is encrypted
D. The file is fragmented
Answer: B

0xE5 is the deletion marker in FAT directory entries.

Why this answer

In FAT file systems, when a file is deleted, the first byte of the directory entry is set to 0xE5 to mark it as deleted, while the rest of the entry remains until overwritten.

145
MCQ easy

A forensic analyst needs to extract email artifacts from a Microsoft Outlook .OST file that is associated with an Exchange account. Which tool is specifically designed to parse and analyze .OST files?

A. Kernel for OST Viewer
B. Aid4Mail
C. EmailTracker Pro
D. MailXaminer
Answer: A

Kernel for OST Viewer is a dedicated tool for opening and analyzing .OST files.

Why this answer

Kernel for OST Viewer is specifically designed to parse offline Outlook data files (.OST).

146
MCQ hard

During static analysis of a PE file, an analyst uses PEiD and detects the signature 'UPX 0.89.6 - 1.02 / 1.05 - 1.24'. What should the analyst do next?

A. The file is clean; no further analysis needed
B. Unpack the file using a UPX unpacker or manual unpacking
C. Delete the file as it is definitely malware
D. Run the file in a sandbox immediately
Answer: B

Unpacking is required to analyze the original code hidden by the packer.

Why this answer

The signature 'UPX 0.89.6 - 1.02 / 1.05 - 1.24' indicates the file is packed with UPX (Ultimate Packer for eXecutables). Packing is a common technique used by malware authors to obfuscate the original code and evade signature-based detection. The analyst must unpack the file using a UPX unpacker or manual unpacking to reveal the actual executable code for further static or dynamic analysis.

Exam trap

Cisco often tests the misconception that a packer signature automatically indicates malware, when in fact packing is a legitimate software distribution technique and the analyst must unpack the file to determine its true nature.

How to eliminate wrong answers

Option A is wrong because the presence of a packer signature like UPX does not mean the file is clean; packing is often used to hide malicious code. Option C is wrong because deleting the file without analysis destroys potential evidence and may be premature—packed files can be legitimate software, and the analyst must verify. Option D is wrong because running a packed file in a sandbox may not reveal the true behavior, as the unpacking routine must execute first; static unpacking is the proper next step to obtain the unpacked binary for analysis.

147
MCQ easy

A forensic analyst is examining a Windows 10 system and needs to view the Master File Table ($MFT) to identify recently deleted files. Which tool is most appropriate for parsing the $MFT directly?

A. Wireshark
B. John the Ripper
C. EnCase
D. Nmap
Answer: C

EnCase is a forensic suite that can parse $MFT entries and recover deleted files.

Why this answer

The $MFT is a core component of NTFS. EnCase has built-in support for parsing $MFT and extracting file metadata.

148
MCQ medium

An investigator recovers a suspicious file from a compromised system. Using PEiD, the file is detected as 'UPX 0.89.6 - 1.02 / 1.05 - 1.24'. What is the MOST appropriate next step in the analysis?

A. Delete the file as it is likely a false positive from a legitimate UPX-packed application.
B. Unpack the file using the UPX tool or manual unpacking to obtain the original executable.
C. Submit the packed file to VirusTotal to obtain a hash-based detection report.
D. Run the file in a sandbox without unpacking to observe dynamic behavior.
Answer: B

Unpacking is the standard next step to reveal the original code for static analysis.

Why this answer

The PEiD detection of 'UPX 0.89.6 - 1.02 / 1.05 - 1.24' confirms the file is packed with UPX (Ultimate Packer for eXecutables). Packing obfuscates the original code and often evades static analysis. The most appropriate next step is to unpack the file using the UPX tool (with the -d switch) or manual unpacking to recover the original executable for deeper static and dynamic analysis.

Exam trap

EC-Council often tests the misconception that a packer detection alone indicates a false positive or that dynamic analysis without unpacking is sufficient, when in fact unpacking is the foundational step to reveal the true executable for both static and dynamic analysis.

How to eliminate wrong answers

Option A is wrong because deleting the file based solely on a UPX packer detection is premature; UPX is commonly used by malware to compress and obfuscate code, and the fact that legitimate applications also use UPX does not rule out malicious intent. Option C is wrong because the packed file's hash differs from that of the unpacked payload, so a hash-based VirusTotal report may miss detection signatures that match only the unpacked code. Option D is wrong because running the packed file in a sandbox without unpacking lets the unpacking stub execute and the malware run, but the packed state prevents proper static analysis, and an environment-aware unpacking stub may fail or withhold some dynamic behaviors.

149
MCQ medium

A security analyst is reviewing the output from a forensic tool examining an iOS Keychain. The analyst finds an entry with the attribute 'kSecAttrAccessible' set to 'kSecAttrAccessibleWhenUnlockedThisDeviceOnly'. What does this indicate?

A. The item is backed up to iCloud and can be restored to another device
B. The item is accessible even when the device is locked
C. The item is only accessible when the device is unlocked and is not backed up to iCloud
D. The item is stored in the Secure Enclave and cannot be extracted
Answer: C

This is the correct interpretation of the attribute.

Why this answer

The attribute 'kSecAttrAccessibleWhenUnlockedThisDeviceOnly' in iOS Keychain indicates that the item can only be accessed when the device is unlocked and is not included in any backup (iCloud or iTunes). This is because the 'ThisDeviceOnly' suffix ties the encryption key to the device's UID, preventing migration to another device or restoration from backup. Option C correctly captures both conditions: accessibility only when unlocked and exclusion from backups.

Exam trap

EC-Council often tests the misconception that 'ThisDeviceOnly' only affects backup behavior, when in fact it also prevents restoration to another device, and candidates may confuse 'WhenUnlocked' with 'AfterFirstUnlock' or 'Always', which have different lock-state requirements.

How to eliminate wrong answers

Option A is wrong because 'ThisDeviceOnly' explicitly prevents the item from being backed up to iCloud or restored to another device; only items without that suffix can be migrated. Option B is wrong because 'WhenUnlocked' means the item is only accessible when the device is unlocked, not when locked; the 'kSecAttrAccessibleWhenUnlocked' class requires the device to be unlocked for decryption. Option D is wrong because the Keychain item is encrypted with a key derived from the device's UID and the user's passcode, but it is not stored in the Secure Enclave; the Secure Enclave handles cryptographic operations but does not store Keychain items directly.

150
MCQ medium

An analyst examining an Outlook PST file wants to recover deleted emails that are no longer visible in the Deleted Items folder. Which technique is MOST effective?

A. Convert the PST to an EDB file and mount it
B. Repair the PST file using Scanpst.exe
C. Reconstruct the PST from the Exchange server backup
D. Use a forensic tool to carve for deleted items within the PST
Answer: D

Forensic carving can recover deleted emails from unallocated space in the PST.

Why this answer

Deleted emails in PST files are often not immediately overwritten. Using forensic tools to scan the PST file for unallocated space or deleted items can recover them.
