Computer Hacking Forensic Investigator (CHFI) — Questions 151-225

1000 questions total · 14 pages · All types, answers revealed


Page 3 of 14

151
MCQ · hard

You are a forensic examiner responding to a data breach incident at a medium-sized company. The incident response team has identified a Windows Server 2019 that may contain evidence of unauthorized access. The server is running and logged in with administrative privileges. The server has 32 GB of RAM, a 1 TB SSD (BitLocker-encrypted, but unlocked), and is connected to the corporate network. The server is running several critical business applications, and the IT manager asks you to minimize downtime. You have a forensic workstation with write blockers, a hardware acquisition tool, and various software tools. What is the best course of action to acquire evidence while preserving integrity and minimizing downtime?

A. Use a network acquisition tool like Guymager to image the drive over the network
B. Dump RAM and capture network connections, then create a logical image of the SSD using FTK Imager while the server remains on
C. Immediately power off the server, remove the SSD, and image it using a hardware write blocker
D. Pull the power cord, remove the SSD, and use a forensic bridge to image the drive
Answer: B

This preserves volatile data and minimizes downtime.

Why this answer

Option B is correct because it prioritizes capturing volatile data (RAM and network connections) first, which would be lost on shutdown, then creates a logical image of the unlocked BitLocker SSD while the server remains online to minimize downtime. This approach preserves the integrity of volatile evidence and allows critical business applications to continue running, aligning with the IT manager's request to minimize downtime.

Exam trap

EC-Council often tests the principle of order of volatility and the need to capture volatile data before powering down, leading candidates to mistakenly choose a shutdown-based option (C or D) that destroys critical evidence.

How to eliminate wrong answers

Option A is wrong because Guymager is a Linux-based imaging tool typically used for local or direct disk imaging, not for network acquisition over a live network; network imaging over a corporate network introduces risk of data alteration and is slower, potentially compromising integrity and increasing downtime. Option C is wrong because immediately powering off the server destroys volatile evidence (RAM, network connections) and risks data loss from the unlocked BitLocker SSD due to improper shutdown, while also causing unnecessary downtime for critical applications. Option D is wrong because pulling the power cord causes an abrupt shutdown that corrupts volatile data and may damage the file system on the SSD, and imaging via a forensic bridge after removal is invasive and increases downtime without capturing volatile evidence.

152
Multi-Select · medium

A security analyst is investigating a phishing email and notices the DKIM-Signature header is present but fails validation. Which TWO actions should the analyst take?

Select 2 answers
A. Ignore the DKIM failure as it is not important
B. Check the DKIM DNS record for the signing domain
C. Reply to the sender to verify authenticity
D. Examine the Received headers for spoofing clues
E. Delete the email immediately
Answers: B, D

To verify if the signature matches the public key.

Why this answer

DKIM failure indicates the email may be forged or tampered with. Checking the domain's DKIM DNS record and examining the email headers for other spoofing indicators are appropriate steps.

153
MCQ · medium

An investigator uses the Volatility framework on a memory dump from a Windows 10 system. Which command would list all processes, including those hidden by rootkits?

A. volatility -f memory.dmp --profile=Win10x64 psscan
B. volatility -f memory.dmp --profile=Win10x64 pslist
C. volatility -f memory.dmp --profile=Win10x64 psxview
D. volatility -f memory.dmp --profile=Win10x64 pstree
Answer: C

psxview cross-references multiple sources to detect hidden processes.

Why this answer

The 'psxview' plugin in Volatility compares process lists from various sources to detect hidden processes.

154
Multi-Select · hard

Which THREE of the following are common indicators of a web shell on a compromised web server? (Select THREE.)

Select 3 answers
A. Presence of .htaccess files with rewrite rules
B. Files with obfuscated code (e.g., base64 encoded strings)
C. Files located in web-accessible directories (e.g., /uploads) with execute permissions
D. High number of 404 errors in access logs
E. Unusual HTTP POST requests with large payloads to a single script
Answers: B, C, E

Obfuscation is used to hide malicious functionality from security tools.

Why this answer

Web shells often contain obfuscated code, are placed in web-accessible directories, and may be accessed via unusual HTTP methods like POST with encoded payloads.

155
MCQ · easy

Which Windows Event ID is generated when a new service is installed on a system, and is often used by malware to establish persistence?

A. 4624
B. 4648
C. 7045
D. 4720
Answer: C

7045 is the event ID for service installation, commonly used by malware for persistence.

Why this answer

Event ID 7045 logs the installation of a new service, including service name, image path, and start type. Malware often creates services to achieve persistence.

156
MCQ · easy

Which Windows registry hive stores user-specific configuration and is loaded when a user logs in, containing artifacts such as recently accessed files and application settings?

A. SECURITY
B. NTUSER.DAT
C. HKLM\SAM
D. SYSTEM
Answer: B

NTUSER.DAT is loaded into HKEY_CURRENT_USER and contains user preferences and activity artifacts.

Why this answer

NTUSER.DAT is the registry hive that contains user-specific settings and is loaded into HKEY_CURRENT_USER upon logon. It includes UserAssist, MRU lists, and other user activity artifacts.

157
MCQ · easy

A first responder arrives at a crime scene where a computer is running. According to standard forensic procedure, what should the responder do FIRST?

A. Photograph the scene and secure the area
B. Connect a write blocker and create a forensic image immediately
C. Immediately shut down the computer to prevent data alteration
D. Pull the power cord to ensure the system does not shut down normally
Answer: A

Securing and photographing the scene ensures preservation of the original state.

Why this answer

Option A is correct because the first priority at a live crime scene is to preserve the integrity of the scene and all potential evidence. Standard forensic procedure (e.g., from NIST SP 800-86 and ACPO guidelines) mandates that the first responder must photograph the scene to document the state of the computer (including screen contents, cables, and peripherals) and secure the area to prevent unauthorized access or tampering. Only after this documentation and scene stabilization can the responder proceed to handle the live system, such as capturing volatile data or creating a forensic image.

Exam trap

The trap here is that candidates often confuse the urgency of preserving volatile data with the need to immediately perform a live acquisition or shut down the system, forgetting that scene documentation and security are the foundational first steps in any forensic investigation.

How to eliminate wrong answers

Option B is wrong because connecting a write blocker and creating a forensic image immediately is a later step in the forensic process; the first responder must first document the scene and secure it to preserve the chain of custody and prevent evidence contamination. Option C is wrong because immediately shutting down the computer can destroy volatile data (e.g., RAM contents, network connections, running processes) and may trigger anti-forensic mechanisms or cause file system corruption; proper live acquisition should be performed first if the system is running. Option D is wrong because pulling the power cord (hard power-off) can cause data loss, file system corruption, and loss of volatile memory, and it bypasses the need to document the system state and capture live data; it should only be considered as a last resort when the system is actively being used to destroy evidence.

158
MCQ · hard

You are a forensic investigator responding to a data breach at a mid-sized company. The company uses a hybrid cloud environment with AWS for production workloads and on-premises servers for legacy applications. The breach was detected when an internal monitoring system flagged unusual outbound traffic from an AWS EC2 instance (i-0a1b2c3d4e5f) to an external IP address (198.51.100.20) on TCP port 4444 during off-hours. The EC2 instance runs a Linux-based web server. The security team has already isolated the instance by removing its security group rules and stopping the instance. You have been provided with the following: (1) AWS CloudTrail logs for the past 72 hours, (2) VPC Flow Logs for the same period, (3) a snapshot of the instance’s root volume (EBS), and (4) the instance metadata log from the AWS console. The company’s incident response policy requires preservation of all volatile data before powering off the instance. Which of the following steps should you take FIRST to ensure a forensically sound investigation?

A. Acquire a memory dump from the stopped instance by re-attaching the root volume to a forensic workstation.
B. Review the instance metadata log to identify the user who launched the instance.
C. Create a forensic copy of the EBS snapshot and attach it to a separate analysis EC2 instance in a different AWS account to avoid altering evidence.
D. Analyze the VPC Flow Logs to determine if other instances communicated with the same external IP.
Answer: C

The snapshot is the only disk evidence; making a copy in a separate account prevents accidental modification.

Why this answer

Option C is correct because the first step in a forensically sound investigation is to create a forensic copy (bit-for-bit) of the EBS snapshot before any analysis. This preserves the original evidence integrity, as required by the order of volatility and chain of custody. Attaching the copy to a separate analysis EC2 instance in a different AWS account prevents accidental modification of the original snapshot and isolates the forensic environment from the compromised production account.

Exam trap

The trap here is that candidates confuse volatile data preservation with the need to acquire memory from a stopped instance (Option A), not realizing that stopping the instance already destroys RAM, and the snapshot only captures disk data.

How to eliminate wrong answers

Option A is wrong because the instance is already stopped, so volatile data (memory) is lost; re-attaching the root volume to a forensic workstation would not recover memory, and the snapshot is of the root volume, not RAM. Option B is wrong because reviewing the instance metadata log to identify the user who launched the instance is a non-forensic administrative step that does not preserve or acquire evidence; it should be done after securing the evidence. Option D is wrong because analyzing VPC Flow Logs is a valid investigative step, but it is not the first priority; the immediate need is to preserve the EBS snapshot evidence before any analysis that might alter or overlook the original data.

159
MCQ · hard

An analyst is examining a PCAP file in Wireshark and notices a series of TCP SYN packets sent to multiple ports on a single IP address, with no subsequent SYN-ACK replies. What type of network activity does this indicate?

A. A denial of service attack
B. A man-in-the-middle attack
C. A TCP handshake for normal connection establishment
D. A port scan attempting to identify open ports
Answer: D

This is characteristic of a SYN scan, where the scanner sends SYN packets and waits for SYN-ACKs from open ports.

Why this answer

Sending SYN packets to many ports without receiving SYN-ACKs indicates a port scan, likely a TCP SYN scan, to discover open ports.

160
MCQ · easy

In network forensics, which type of log is BEST for identifying all outbound connections from internal hosts to external IP addresses on specific ports?

A. Firewall logs
B. IDS logs
C. Proxy logs
D. NetFlow logs
Answer: A

Firewall logs capture all traffic passing through the firewall, including outbound connections.

Why this answer

Firewall logs record allowed and denied traffic, including source/destination IP and port, ideal for tracking outbound connections.

161
MCQ · easy

During a forensic investigation of a suspected data breach, you are asked to analyze email headers to trace the origin of a phishing email. Which header field provides the IP address of the sending SMTP server?

A. Received
B. Message-ID
C. DKIM-Signature
D. X-Originating-IP
Answer: A

Each Received header records the IP of the server that handled the message.

Why this answer

The Received header is added by each SMTP server that relays the message, showing the IP of the previous hop. The bottommost entry (the first one added, since each relay prepends its own) often contains the original sender's IP.

162
MCQ · medium

A forensic investigator is documenting evidence for a case. What is the PRIMARY purpose of maintaining an unbroken chain of custody for digital evidence?

A. To track the storage location of the evidence.
B. To prove that the evidence has not been altered or tampered with.
C. To speed up the investigation process.
D. To assign responsibility for the evidence to a single individual.
Answer: B

Chain of custody establishes that evidence is authentic and unchanged.

Why this answer

The primary purpose of maintaining an unbroken chain of custody is to establish the integrity and authenticity of digital evidence by documenting every person who handled it, every transfer, and every access event. This documentation allows the court to verify that the evidence has not been altered, tampered with, or corrupted from the moment of seizure through analysis and presentation. Without a provable chain of custody, the evidence may be deemed inadmissible under rules like Federal Rule of Evidence 901 or similar standards in other jurisdictions.

Exam trap

EC-Council often tests the distinction between the operational benefit (tracking location) and the legal purpose (proving integrity), so candidates mistakenly choose Option A because they focus on the logistical aspect rather than the evidentiary admissibility requirement.

How to eliminate wrong answers

Option A is wrong because tracking the storage location is only a secondary benefit of chain-of-custody documentation, not its primary legal purpose; the core goal is to prove integrity, not merely to log physical or logical locations. Option C is wrong because maintaining a rigorous chain of custody often slows down the investigation process due to required documentation, logging, and verification steps; it is designed for legal admissibility, not speed. Option D is wrong because chain of custody does not assign responsibility to a single individual; it documents every individual who handled the evidence, ensuring multiple points of accountability and preventing a single point of failure or bias.

163
MCQ · easy

Which of the following is a Windows-based forensic suite that provides timeline analysis, keyword search, and file system browsing for forensic investigations?

A. Wireshark
B. FTK
C. Autopsy
D. EnCase
Answer: C

Autopsy is an open-source platform with timeline, keyword search, and file browsing.

Why this answer

Autopsy is an open-source digital forensics platform that runs on Windows, Linux, and macOS. It provides timeline analysis, keyword search, and file system browsing.

164
MCQ · medium

A forensics investigator finds a suspicious LNK file on a Windows system that points to a script located on a remote share. What is the PRIMARY forensic significance of this LNK file?

A. It is evidence of USB device insertion.
B. It may be part of a lateral movement technique using remote execution.
C. It shows the user's recently accessed files.
D. It is a prefetch artifact indicating the script was executed.
Answer: B

An LNK file pointing to a remote script is often used in attacks like PsExec or scheduled tasks to move laterally.

Why this answer

LNK files can be used for persistence or lateral movement. A shortcut to a remote script could indicate the system is configured to run a malicious script from another machine, potentially for propagation.

165
MCQ · hard

During a forensic investigation of a compromised Linux server, you find the following entry in /var/log/auth.log: 'Mar 10 03:14:15 server sshd[1234]: Accepted publickey for root from 10.0.0.5 port 54321 ssh2: RSA SHA256:AbCdEf123456'. Which artifact should you examine next to determine if unauthorized key-based access occurred?

A. /var/log/syslog
B. /etc/ssh/sshd_config
C. ~/.ssh/authorized_keys
D. /etc/passwd
Answer: C

This file lists public keys permitted to authenticate as root. Checking its contents can reveal unauthorized keys.

Why this answer

The log shows acceptance of a public key. To determine if the key was unauthorized, you must examine the authorized_keys file for root (~/.ssh/authorized_keys) to see if the key was added maliciously.

166
MCQ · medium

You are investigating a network breach at a financial institution. The organization uses a network-based intrusion detection system (NIDS) and maintains full packet capture (PCAP) for critical segments. The incident allegedly started with a spear-phishing email that delivered a remote access trojan (RAT). The security team has isolated the infected host and provided you with a disk image of the host and a PCAP file covering the network traffic from the host for the 24-hour period before isolation. In the PCAP, you see a series of TCP connections from the host to an external IP address on port 443 (HTTPS). The external IP is known to be associated with a command-and-control (C2) server. However, the disk image shows no evidence of the RAT binary or any malicious files. The host's antivirus logs are clean. Which of the following is the most likely explanation for the lack of evidence on the disk?

A. The antivirus software deleted the malicious files before the image was taken
B. The hard drive was reimaged before the forensic image was taken
C. The RAT uses a rootkit to hide its files
D. The malware was fileless and only resided in memory
Answer: D

Fileless malware leaves no persistent artifacts on disk.

Why this answer

The absence of the RAT binary and any malicious files on the disk, combined with clean antivirus logs and active C2 traffic over HTTPS, strongly indicates a fileless malware infection. Fileless malware operates entirely in memory (RAM), never writing its payload to disk, which explains why the disk image shows no artifacts and why traditional file-scanning antivirus did not detect it. The TCP connections to the C2 server on port 443 are consistent with a memory-resident RAT that loads directly into a legitimate process (e.g., PowerShell, WMI, or a script interpreter) and communicates over encrypted HTTPS to evade network inspection.

Exam trap

EC-Council often tests the distinction between file-based and fileless malware, and the trap here is assuming that a rootkit (Option C) is the only way to hide files, when in fact fileless malware never writes files to disk at all, making rootkits unnecessary for evasion.

How to eliminate wrong answers

Option A is wrong because antivirus software typically quarantines or logs deleted files, and the scenario states antivirus logs are clean — if deletion had occurred, the logs would show a detection event. Option B is wrong because the question explicitly states the security team isolated the infected host and provided a disk image; if the drive had been reimaged, there would be no disk image to analyze, and the scenario would mention a reimage event. Option C is wrong because while rootkits can hide files from the operating system, they still leave traces on disk (e.g., in the Master File Table or alternate data streams) that forensic tools can detect, and the question says there is no evidence of any malicious files — not just hidden files.

167
MCQ · medium

A cloud forensic analyst is tasked with preserving evidence from an AWS S3 bucket that may contain malicious files. The bucket is publicly accessible, and the analyst wants to create a forensically sound copy. Which method BEST ensures integrity and chain of custody?

A. Download each object via the AWS Management Console and compute SHA256 hashes manually.
B. Use the AWS CLI cp command recursively without any flags.
C. Generate a presigned URL for the bucket and use wget to download all files.
D. Use the AWS CLI sync command with the --checksum-mode flag to verify integrity during transfer.
Answer: D

The sync command can verify checksums (e.g., SHA256) to ensure data integrity.

Why this answer

Option D is correct because the AWS CLI `sync` command with the `--checksum-mode` flag automatically computes and compares checksums (e.g., SHA256) during the transfer, ensuring data integrity without manual intervention. This method also preserves metadata and timestamps, which is critical for maintaining a forensically sound copy and chain of custody in cloud forensics.

Exam trap

Cisco often tests the misconception that any download method (like `cp` or `wget`) inherently preserves integrity, but the trap is that only explicit checksum verification (e.g., `--checksum-mode`) provides cryptographic assurance required for forensic soundness and chain of custody.

How to eliminate wrong answers

Option A is wrong because manually downloading each object via the AWS Management Console and computing SHA256 hashes is error-prone, lacks automation, and does not provide a verifiable, auditable log of the transfer process, compromising chain of custody. Option B is wrong because the AWS CLI `cp` command run recursively without any flags does not verify integrity during transfer; it only copies files and relies on the underlying HTTP checksums (e.g., ETag), which may not be cryptographically strong (e.g., multipart uploads use MD5-based ETags). Option C is wrong because generating a presigned URL and using `wget` does not automatically verify file integrity; `wget` only checks HTTP response codes and does not compute or compare cryptographic hashes, leaving the copy vulnerable to undetected corruption or tampering.

168
Multi-Select · medium

An investigator is analyzing email headers and notices the following: The 'Received' headers show a path through multiple servers, the 'DKIM-Signature' domain matches the sender domain, and 'X-Originating-IP' is present. Which TWO pieces of information are MOST useful to trace the original sender's IP address? (Choose two.)

Select 2 answers
A. The 'Message-ID' header
B. The 'From' header email address
C. The DKIM-Signature's 'd=' domain
D. The X-Originating-IP header value
E. The last (bottommost) Received header's IP
Answers: D, E

Some mail servers add this header with the original client IP.

Why this answer

The bottommost 'Received' header contains the IP of the first receiving server, which is often the sender's MTA or the client IP. 'X-Originating-IP' is a non-standard header that may contain the original client IP if included by the outbound server.

169
Multi-Select · medium

An analyst is performing dynamic analysis of a malware sample in Cuckoo Sandbox. Which TWO of the following are typical indicators of command and control (C2) communication?

Select 2 answers
A. The malware creates a registry run key for persistence
B. The malware performs DNS queries to a domain that resolves to a known malicious IP
C. The malware modifies system files in C:\Windows\System32
D. The malware creates a mutex named 'Global\MyMutex'
E. The malware makes HTTP POST requests to a domain registered 2 days ago
Answers: B, E

DNS queries to malicious IPs are typical C2 beaconing activity.

Why this answer

In dynamic analysis with Cuckoo Sandbox, DNS queries to a domain that resolves to a known malicious IP are a classic indicator of C2 communication because the malware must resolve its command server's address before establishing a channel. Similarly, HTTP POST requests to a very recently registered domain (e.g., 2 days old) are suspicious, as attackers often use fresh domains to evade reputation-based blocklists, and POST is commonly used to exfiltrate data or receive commands.

Exam trap

EC-Council often tests the distinction between local host artifacts (persistence, mutexes, file modifications) and network-based C2 indicators, tricking candidates into selecting any suspicious behavior rather than focusing specifically on outbound communication patterns.

170
Multi-Select · hard

A malware analyst is analyzing a suspicious executable. Which THREE of the following are valid indicators of compromise (IoCs) that can be extracted from static analysis of the PE file? (Select THREE)

Select 3 answers
A. IP addresses from embedded strings
B. Registry keys modified during execution
C. MD5 hash of the file
D. File paths created during execution
E. List of imported DLLs and functions
Answers: A, C, E

Strings can be extracted from the binary without execution.

Why this answer

Option A is correct because static analysis of a PE file involves examining the file without executing it. Embedded strings, such as IP addresses, can be extracted using tools like `strings` or `binwalk` and serve as IoCs indicating command-and-control servers or other network destinations. These strings are stored in the PE file's data sections and are directly observable in the binary.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis, trapping candidates who confuse runtime artifacts (like registry or file system changes) with data extractable from the PE file itself without execution.

171
MCQ · hard

A forensic analyst is examining a PostgreSQL database server that was compromised. The attacker gained superuser access and deleted several rows from a critical table. The database is configured with WAL (Write-Ahead Log) archiving. Which method would allow the analyst to identify the exact time the deletions occurred?

A. Review the pg_stat_activity view to see the history of queries executed.
B. Examine the archive_status directory to find the timestamp of the WAL file that contains the deletion.
C. Query the pg_audit table to retrieve a log of all DELETE statements.
D. Use the pg_waldump utility to parse the WAL files and identify DELETE operations with timestamps.
Answer: D

pg_waldump can decode WAL records, showing the exact operations and timestamps.

Why this answer

D is correct because `pg_waldump` is the PostgreSQL utility specifically designed to parse Write-Ahead Log (WAL) files and display their contents in a human-readable format, including the exact timestamps and operation types (e.g., DELETE). Since the database uses WAL archiving, the archived WAL segments will contain a record of every data modification, allowing the analyst to pinpoint when the deletions occurred.

Exam trap

Cisco often tests the misconception that PostgreSQL has a built-in audit table or that `pg_stat_activity` retains historical query logs, leading candidates to choose A or C without understanding that WAL is the definitive forensic source for past DML operations.

How to eliminate wrong answers

Option A is wrong because `pg_stat_activity` shows only currently running or recently active queries, not a historical log of past queries; it does not retain a history of completed DELETE statements. Option B is wrong because the `archive_status` directory only indicates whether a WAL file has been archived (e.g., `.ready` or `.done` markers), not the content or timestamp of specific operations within the file. Option C is wrong because PostgreSQL does not have a built-in `pg_audit` table; auditing requires the `pg_audit` extension to be explicitly installed and configured, and even then, it logs statements in a separate audit log file, not a table named `pg_audit`.

172
Multi-Select · medium

Which TWO of the following are SQLite databases commonly analysed during iOS forensic examinations?

Select 2 answers
A. AddressBook.db
B. call_history.db
C. com.apple.mobilemail.plist
D. SMS.db
E. keychain.plist
Answers: B, D

Stores call logs.

Why this answer

B is correct because `call_history.db` is a SQLite database on iOS devices that stores call logs, including incoming, outgoing, and missed calls with timestamps and durations. Forensic examiners analyze this database to reconstruct communication patterns and timelines during investigations.

Exam trap

EC-Council often tests the distinction between SQLite databases and plist files, trapping candidates who assume all iOS forensic artifacts are SQLite databases when many are property lists or other formats.

173
Multi-Select · medium

A forensic analyst is examining Azure Activity Logs for signs of privilege escalation. Which TWO of the following activities would be MOST indicative of an attacker attempting to escalate privileges? (Choose two.)

Select 2 answers
A. A user updating their own password
B. Deleting a resource group
C. Creation of a custom RBAC role with Owner permissions
D. Adding a user to the Global Administrator role
E. A user accessing a storage account they own
Answers: C, D

Creating a custom role with Owner permissions can allow the creator to grant themselves full control.

Why this answer

Creating a custom RBAC role with high permissions (like Owner) and assigning it to a user can grant elevated privileges. Adding a user to a privileged role (like Global Administrator) directly escalates privileges.

174
MCQ · medium

During an iOS forensic examination, an analyst extracts the SMS.db file from an iTunes backup. Which table within this database contains the actual message content and associated metadata such as timestamps and sender/recipient information?

A. chat
B. message
C. attachment
D. handle
Answer: B

The 'message' table contains the actual message content, timestamps, and sender/recipient references.

Why this answer

The `message` table in SMS.db stores the actual message content (the `text` field) along with critical metadata such as `date` (Unix timestamp), `is_from_me` (sender/recipient indicator), and `handle_id` (foreign key to the `handle` table). This is the primary table for message body and timestamp data in iOS SMS/MMS forensics.

Exam trap

EC-Council often tests the distinction between the `message` table (content + timestamps) and the `handle` table (contact identifiers), leading candidates to confuse the `handle` table as containing message data when it only stores address book references.

How to eliminate wrong answers

Option A is wrong because the `chat` table stores conversation groupings (chat rooms) and references to messages via the `chat_message_join` table, not the message content itself. Option C is wrong because the `attachment` table stores metadata about file attachments (e.g., filename, MIME type, transfer state) but not the text content of messages. Option D is wrong because the `handle` table stores contact identifiers (phone numbers, email addresses) and their service types (iMessage, SMS), not the message body or timestamps.

175
Multi-Select · easy

Which TWO tools are commonly used for email forensic analysis and metadata extraction?

Select 2 answers
A. Aid4Mail
B. Wireshark
C. Volatility
D. EmailTracker
E. FTK Imager
Answers: A, D

Aid4Mail is a commercial email forensic tool.

Why this answer

Aid4Mail and EmailTracker are specialized for email forensics.

176
MCQ · easy

In Docker forensics, which command is used to view the command history of a container, including how it was built?

A. docker diff
B. docker history
C. docker logs
D. docker inspect
Answer: B

This command displays the history of an image, including build commands and layer information.

Why this answer

The `docker history` command displays the history of a Docker image, showing each layer and the command that created it. This includes the build commands from the Dockerfile, allowing an investigator to see how the container was constructed and what instructions were executed during the build process.

Exam trap

EC-Council often tests the distinction between commands that operate on running containers (like `docker logs` and `docker diff`) versus those that inspect image metadata (like `docker history`), leading candidates to confuse runtime activity with build-time history.

How to eliminate wrong answers

Option A is wrong because `docker diff` shows changes to files and directories in a container's filesystem compared to its base image, not the command history or build steps. Option C is wrong because `docker logs` retrieves the stdout/stderr output from a running or stopped container, not the build history or command sequence. Option D is wrong because `docker inspect` returns low-level configuration and metadata about a container or image (e.g., network settings, mounts), but does not show the layered command history of how the image was built.

177
Multi-Select (hard)

In an email forensics investigation, which THREE indicators suggest that an email is likely spoofed? (Select THREE.)

Select 3 answers
A. The 'DKIM-Signature' header is missing or fails validation
B. The 'Reply-To' header contains a different domain than the 'From' header
C. The email's 'Received' headers show an inconsistent routing path
D. The 'Received-SPF' header shows 'pass'
E. The 'From' domain matches the 'Return-Path' domain
Answers: A, B, C

Missing or invalid DKIM is a strong indicator of spoofing.

Why this answer

Spoofed emails often fail SPF checks, have no DKIM signature (or a failed one), and may contain mismatched headers like From vs. Return-Path.

178
MCQ (hard)

A forensic analyst is investigating a Windows 10 system and needs to determine if a USB device was ever connected. Which registry key would provide a comprehensive list of USB devices that have been attached, including the first and last connection times?

A. HKLM\SYSTEM\CurrentControlSet\Enum\USB
B. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
C. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
D. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles
Answer: B

USBSTOR lists all USB storage devices with first/last connection times under Properties.

Why this answer

The USBSTOR key records all USB storage devices with timestamps. Enum\USB contains device descriptors but not timestamps. SetupAPI logs are in a different location.

179
Drag & Drop (medium)

Drag and drop the steps to perform forensic imaging of a hard drive using FTK Imager into the correct order.

Why this order

Forensic imaging involves selecting source, configuring destination, and verifying integrity with hash.

180
Multi-Select (medium)

A Docker container is suspected of malicious activity. Which THREE data sources should the investigator collect for forensic analysis?

Select 3 answers
A. Network packet captures from the container's virtual interface
B. Host system audit logs
C. Docker image layer files
D. Container logs (stdout/stderr)
E. The Dockerfile used to build the image
Answers: B, C, D

Host logs (e.g., syslog) show container interactions with the host.

Why this answer

Container logs, image layers, and host system logs are key sources in Docker forensics.

181
MCQ (medium)

During a malware investigation, an analyst uses Process Monitor to observe a suspicious executable. The tool reveals that the process attempts to write to 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and creates a file named 'svchost.exe' in 'C:\Users\Public\'. What is the MOST likely goal of this behavior?

A. Exfiltrating data to a remote C2 server
B. Establishing persistence by adding an auto-start entry
C. Disabling security software by modifying service entries
D. Privilege escalation by masquerading as a legitimate system process
Answer: B

The Run registry key is a standard auto-start location, ensuring the malware executes on user logon.

Why this answer

Writing to the 'Run' registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) is a classic persistence mechanism: any executable listed there is automatically launched at user logon. Creating a file named 'svchost.exe' in a public directory is a masquerading attempt to blend in with the legitimate svchost.exe (which resides in System32), but the registry write is the definitive indicator of persistence via an auto-start entry.

Exam trap

EC-Council often tests the distinction between persistence (Run key) and privilege escalation (e.g., service path hijacking or token theft) — candidates confuse masquerading as a system process with actually gaining higher privileges, but the Run key write only ensures the malware runs at logon, not with elevated rights.

How to eliminate wrong answers

Option A is wrong because writing to the Run registry key and creating a local file are actions that establish foothold, not data exfiltration; exfiltration would involve network activity (e.g., HTTP POST, DNS tunneling) or file uploads, which Process Monitor did not show. Option C is wrong because disabling security software typically involves modifying service entries (e.g., HKLM\SYSTEM\CurrentControlSet\Services) or deleting security product binaries, not writing to the Run key or creating a fake svchost.exe. Option D is wrong because privilege escalation requires exploiting a vulnerability (e.g., token manipulation, UAC bypass) or abusing misconfigured permissions; simply naming a file 'svchost.exe' in a non-system directory is masquerading, not privilege escalation, and the Run key write does not elevate privileges.

182
MCQ (hard)

During a forensic analysis of an APFS volume, the investigator needs to examine file metadata such as creation time, modification time, and extended attributes. Which APFS structure contains this information?

A. Volume Superblock
B. Journal
C. Inode Table
D. Extent Reference Tree
Answer: C

APFS uses inode records (identified by inode number) that hold standard metadata including timestamps and permissions.

Why this answer

In APFS, files and directories are represented by inodes. The inode contains basic metadata. Extended attributes are stored separately in B-tree structures.

183
MCQ (easy)

A first responder arrives at a scene where a computer is turned on and a user is logged in. What is the FIRST action the responder should take to preserve volatile evidence?

A. Photograph the screen and then shut down the system normally
B. Immediately unplug the power cord to prevent data alteration
C. Remove the hard drive immediately for forensic imaging
D. Collect volatile data such as RAM contents and running processes
Answer: D

Volatile data must be collected first before any power-down to preserve critical evidence.

Why this answer

Option D is correct because volatile data (e.g., RAM contents, running processes, network connections) is lost when power is removed. The first responder must collect this data before any shutdown or hardware removal, following the order of volatility (RFC 3227). This preserves critical evidence that cannot be recovered later.

Exam trap

EC-Council often tests the order of volatility (RFC 3227) and the misconception that immediate shutdown or hardware removal is safer, when in fact the priority is capturing volatile data first to avoid permanent loss.

How to eliminate wrong answers

Option A is wrong because shutting down the system normally allows the OS to write data to disk (e.g., pagefile.sys, temporary files), potentially overwriting evidence, and destroys volatile data. Option B is wrong because immediately unplugging the power cord causes an abrupt loss of all volatile data (RAM, network state) and may corrupt the file system, making forensic analysis harder. Option C is wrong because removing the hard drive without first capturing volatile data loses all RAM-based evidence, and hot-swapping a running system can cause data corruption or loss of encryption keys in memory.

184
MCQ (hard)

During a forensic analysis of a compromised Linux system, you notice that the /proc filesystem contains a suspicious entry /proc/12345/exe pointing to /tmp/.hidden/malware. What conclusion can you draw?

A. The system was rebooted recently
B. The malware is a kernel module
C. A process with PID 12345 is running the malware
D. The malware was executed via a cron job
Answer: C

/proc/12345/exe points to the actual executable; a hidden location indicates malicious activity.

Why this answer

/proc/[pid]/exe is a symbolic link to the executable of a running process. The entry indicates a process with PID 12345 is running from a hidden file in /tmp, strongly suggesting malware execution.

185
MCQ (hard)

During an investigation of a web application breach, an analyst reviews IIS logs and finds numerous entries with status code '200' and URIs containing '?cmd=' followed by encoded strings. The analyst also notices that some requests have a 'User-Agent' string resembling 'Microsoft-CryptoAPI/10.0'. What is the MOST likely conclusion?

A. The logs indicate a successful SQL injection attack
B. The logs show a cross-site scripting (XSS) attack targeting administrators
C. The server is infected with ransomware, encrypting files
D. A webshell is being used to execute commands on the server
Answer: D

The cmd parameter and non-standard User-Agent are indicators of a webshell, likely executed via a command injection vulnerability.

Why this answer

A valid POST request with no cookies and a suspicious User-Agent could indicate a webshell attempting to exfiltrate data or execute commands, as the User-Agent is atypical for a browser.

186
Multi-Select (medium)

Which THREE of the following are indicators of a webshell in web server logs? (Select THREE)

Select 3 answers
A. Multiple GET requests to /index.html
B. POST requests to a script file with large payloads
C. Consistent 304 Not Modified responses
D. Requests to unusual script files like cmd.aspx or shell.php
E. A high number of requests from a single IP to a single script
Answers: B, D, E

POST to a script file may indicate command execution.

Why this answer

Webshells are indicated by anomalous script files being accessed, POST requests to script files, and high request rates to a single script. These patterns suggest remote access and command execution.

187
Multi-Select (medium)

Which TWO of the following are valid methods to hide data on an NTFS file system without using external tools?

Select 2 answers
A. Embedding data in file slack space
B. Storing data in the NTFS file system journal ($LogFile)
C. Using the $Volume attribute in the MFT
D. Encrypting data with EFS
E. Using Alternate Data Streams (ADS)
Answers: A, E

File slack is unused space at the end of a cluster that can be filled with data.

Why this answer

Alternate Data Streams (ADS) allow hiding data within a file's stream. Slack space (file slack) can hide data in unused bytes between the end of file and end of cluster. Both are native NTFS features.

188
MCQ (medium)

An investigator is analyzing a FAT32 drive and notices that a deleted file's directory entry still exists, but the first byte of the filename is changed to 0xE5. What does this indicate about the file?

A. The file is fragmented
B. The file is marked as deleted but its data clusters may still be intact
C. The file has been securely overwritten
D. The file is encrypted
Answer: B

0xE5 indicates deletion; clusters are marked free but data remains until overwritten.

Why this answer

In FAT file systems, a deleted file's directory entry has the first byte of the filename set to 0xE5. The clusters in the FAT may still be allocated or marked as free.

189
MCQ (easy)

What is the primary goal of the chain of custody in a digital forensic investigation?

A. To maintain the integrity and admissibility of evidence
B. To encrypt the evidence during transport
C. To speed up the forensic analysis process
D. To ensure that the forensic tools used are properly licensed
Answer: A

This is the main purpose: to show that evidence has not been tampered with.

Why this answer

The chain of custody is a documented chronological record that tracks the seizure, custody, control, transfer, analysis, and disposition of digital evidence. Its primary goal is to maintain the integrity and admissibility of evidence by proving that the evidence has not been tampered with or altered from the moment it was collected until it is presented in court. This is critical because any break in the chain can lead to evidence being deemed inadmissible under rules like the Federal Rules of Evidence (FRE) or the Daubert standard.

Exam trap

EC-Council often tests the misconception that chain of custody is about physical security or tool licensing, when in fact it is solely about maintaining a verifiable, unbroken record of evidence handling to ensure legal admissibility.

How to eliminate wrong answers

Option B is wrong because encrypting evidence during transport is a security measure to protect confidentiality, not a goal of the chain of custody, which focuses on integrity and accountability through documentation. Option C is wrong because the chain of custody does not speed up analysis; in fact, it adds procedural steps that can slow the process but are necessary for legal admissibility. Option D is wrong because ensuring forensic tools are properly licensed is a matter of tool validation and legal compliance, unrelated to the chain of custody's purpose of tracking evidence handling.

190
MCQ (medium)

A security analyst reviews Apache access logs and finds the following entry: `192.168.1.10 - - [12/Jul/2024:10:15:30 -0400] "GET /search.php?q=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 5321 "-" "Mozilla/5.0"`. Which attack technique is most likely being attempted?

A. Remote file inclusion
B. SQL injection
C. Cross-site scripting (XSS)
D. Directory traversal
Answer: B

The UNION SELECT SQL statement in the query parameter indicates a SQL injection attempt.

Why this answer

The log entry shows a SQL injection payload (the UNION SELECT statement) in the query parameter. This is a classic SQL injection attempt.

191
MCQ (medium)

During a Linux forensic investigation, you find the following entry in /var/log/auth.log: "Accepted publickey for root from 203.0.113.5 port 54321 ssh2: RSA SHA256:abc...". The user claims they never connect from that IP. Which forensic artifact should you examine next to confirm unauthorized access?

A. bash_history for suspicious commands
B. /etc/shadow for recent modifications
C. ~/.ssh/authorized_keys for unauthorized keys
D. /var/log/syslog for cron job entries
Answer: C

Unauthorized SSH keys are often added in authorized_keys; this file should be examined for unknown entries.

Why this answer

A public-key login accepted from an IP the user does not recognize suggests an attacker added their own public key. Checking ~/.ssh/authorized_keys on the affected account will reveal any unauthorized keys.

192
MCQ (medium)

During a malware analysis session, an analyst uses Process Monitor (Procmon) to observe a suspicious executable. Which of the following behavioral indicators would MOST strongly suggest the malware is attempting to establish persistence?

A. Making outbound TCP connections to an IP address
B. Creating a named mutex
C. Writing to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
D. Creating files in the %TEMP% directory
Answer: C

This registry key is used to run programs at user logon, a classic persistence technique.

Why this answer

Writing to HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a classic persistence mechanism because Windows automatically launches programs listed in this registry key at user logon. Process Monitor capturing a write to this key directly indicates the malware is configuring itself to run on startup, which is the strongest evidence of persistence among the options.

Exam trap

EC-Council often tests the distinction between runtime indicators (network connections, mutexes, temp files) and persistence mechanisms (registry Run keys, scheduled tasks, startup folders), so candidates mistakenly pick outbound connections or mutexes as persistence when they are not.

How to eliminate wrong answers

Option A is wrong because making outbound TCP connections indicates network communication (e.g., C2 beaconing), not persistence. Option B is wrong because creating a named mutex is a synchronization primitive used to prevent multiple instances of a process, not a persistence mechanism. Option D is wrong because creating files in %TEMP% is typical for temporary data extraction or staging, but does not ensure the malware runs again after reboot.

193
Multi-Select (medium)

Which TWO of the following are BEST practices when using a hardware write blocker during forensic acquisition? (Select TWO)

Select 2 answers
A. Test the write blocker on a non-evidence drive before connecting it to the suspect drive
B. Use the write blocker to write data to the suspect drive to verify functionality
C. Use the same write blocker for both source and destination drives
D. Connect the write blocker between the suspect drive and the forensic workstation
E. Bypass the write blocker if the imaging tool supports software write protection
Answers: A, D

Testing ensures the device is working properly.

Why this answer

Option A is correct because testing the write blocker on a non-evidence drive verifies that the device is functioning correctly and will not inadvertently allow writes to the suspect drive. This step ensures the integrity of the forensic acquisition by confirming the write blocker's hardware-level protection is operational before it is connected to evidence.

Exam trap

The trap here is that candidates may confuse the role of a write blocker as a device that protects both source and destination drives, when in fact it is only used to protect the source (suspect) drive from accidental writes.

194
MCQ (hard)

An analyst discovers that a Windows system has hidden data in the Host Protected Area (HPA) of the hard drive. Which tool or method can be used to detect and access the HPA?

A. Using the Windows Disk Management utility
B. Using the hdparm command in Linux with the -N flag
C. Using the Volatility framework
D. Using the chkdsk command
Answer: B

hdparm -N /dev/sda shows the user-accessible capacity vs. native capacity, revealing HPA.

Why this answer

HPA is a region of the disk that is normally hidden from the operating system. Tools like hdparm (Linux) or MBRTool can be used to detect and modify HPA settings. FTK and EnCase can also detect HPA when imaging at the device level.

195
MCQ (easy)

A security analyst reviews Windows Security Event Log and notices multiple Event ID 4625 entries for a single user account from various IP addresses within a short time frame. What is the MOST likely attack being attempted?

A. Brute-force password attack
B. Kerberos golden ticket attack
C. ARP spoofing attack
D. Pass-the-hash attack
Answer: A

Multiple failed logons from different sources suggest systematic password guessing.

Why this answer

Event ID 4625 indicates a failed logon attempt. Multiple failures from different IPs in a short period is characteristic of a brute-force password guessing attack.

196
Multi-Select (medium)

During an iOS forensics investigation, an examiner extracts an iTunes backup and finds the SQLite database files. Which TWO of the following databases are LEAST likely to contain forensically relevant artefacts for a communication analysis?

Select 2 answers
A. SMS.db
B. data_ark.db
C. AddressBook.db
D. tmp.db
E. call_history.db
Answers: B, D

Not a standard iOS backup database; likely not present or relevant.

Why this answer

B is correct because data_ark.db is not a standard iOS SQLite database; it does not exist in typical iOS backups or file systems. The name suggests a fabricated or non-standard artefact, making it least likely to contain forensically relevant communication data. In contrast, databases like SMS.db and call_history.db are well-documented repositories for SMS messages and call logs, respectively.

Exam trap

EC-Council often tests candidates' familiarity with standard iOS database filenames, and the trap here is that 'data_ark.db' sounds plausible (like an 'ark' for data) but is not a real iOS database, leading examinees to overlook it as a distractor.

197
MCQ (medium)

A forensic investigator recovers a hard drive from a suspect's computer. The drive is detected as 120 GB in BIOS, but forensic tools report only 100 GB of addressable space. Which data hiding technique is MOST likely being used?

A. Device Configuration Overlay (DCO)
B. Volume slack
C. Host Protected Area (HPA)
D. Alternate Data Streams (ADS)
Answer: C

HPA reduces the reported capacity to hide data in the protected area.

Why this answer

Host Protected Area (HPA) is a region on ATA drives that can be hidden from the OS by using the SET MAX ADDRESS command. It is commonly used for hiding data.

198
MCQ (medium)

An investigator needs to analyze the contents of the Windows Recycle Bin on a system running Windows 10. Which artifact(s) should the investigator examine to determine the original location and deletion time of a file in the Recycle Bin?

A. The 'System Volume Information' folder
B. The '$I' and '$R' files in the $Recycle.Bin\<SID> folder
C. The 'INFO2' file in the Recycled folder
D. The 'desktop.ini' file in the Recycle Bin
Answer: B

$I files contain metadata (original name, path, deletion time); $R files contain the actual data.

Why this answer

In Windows Vista and later, the Recycle Bin uses the $Recycle.Bin folder, with each user having a subfolder named by SID. The 'INFO2' or '$I<filename>' files contain metadata such as the original path and deletion time.

199
Multi-Select (hard)

A forensic analyst is examining a network packet capture for signs of data exfiltration. Which THREE of the following are common indicators of data exfiltration over DNS? (Select three.)

Select 3 answers
A. Low TTL values in DNS responses
B. DNS queries sent to multiple different DNS servers
C. DNS responses with unusually large payloads (e.g., TXT records)
D. High volume of DNS queries to a single domain
E. DNS queries for random-looking subdomains
Answers: C, D, E

Large response sizes can indicate data being encoded in DNS responses.

Why this answer

DNS exfiltration often uses high query volumes, unusual domain names, and large TXT records.

200
MCQ (medium)

A forensic analyst is examining a USB drive formatted with FAT32. A suspect claims they deleted a file several weeks ago. The analyst uses a carving tool but cannot recover the file. What is the MOST likely reason for the failed recovery?

A. The file was encrypted and cannot be carved
B. FAT32 does not support file carving
C. The file was stored in the MFT, which is only present in NTFS
D. The file clusters were overwritten by new data
Answer: D

File carving relies on data still being present; overwritten data cannot be recovered.

Why this answer

On FAT32, when a file is deleted, the directory entry is marked as deleted (first byte set to 0xE5) and the FAT clusters are freed. If the clusters have been reallocated and overwritten, carving fails.

201
Multi-Select (medium)

Which TWO of the following are forensic artifacts found on macOS systems that can help reconstruct user activity?

Select 2 answers
A. .plist files
B. Unified logging
C. Prefetch files (*.pf)
D. Registry hive files
E. Event ID 4624
Answers: A, B

Property list files store configuration and usage data for applications.

Why this answer

Unified logging captures detailed system and user activity logs, and .plist files store application preferences and usage data. Both are valuable for reconstructing user actions.

202
MCQ (easy)

An analyst receives an alert indicating a suspicious process (PID 3342) is making outbound connections on port 443 to an unknown IP. The system is a Windows 10 workstation. Which first responder action is MOST appropriate?

A. Capture a full memory dump using a tool like FTK Imager (Memory Capture) or DumpIt.
B. Immediately disconnect the system from the network to contain the threat.
C. Check the Windows Event Logs for related entries.
D. Reboot the system to clear any malicious processes from memory.
Answer: A

Memory capture preserves running processes, network connections, and other volatile data crucial for analysis.

Why this answer

Capturing a full memory dump (option A) is the most appropriate first responder action because it preserves the volatile state of the suspicious process (PID 3342) and its associated artifacts (e.g., network connections, loaded DLLs, encryption keys) before any further system changes occur. This allows forensic analysis to identify the malware's behavior, such as command-and-control (C2) communication over port 443 (HTTPS), without altering evidence. Tools like FTK Imager (Memory Capture) or DumpIt acquire a raw .mem file that can be analyzed with Volatility or Rekall to extract process details, network sockets, and injected code.

Exam trap

EC-Council often tests the principle that volatile data (memory) must be captured before any containment or analysis steps, and the trap here is that candidates mistakenly prioritize network containment (option B) over evidence preservation, forgetting that disconnecting the network can destroy critical volatile artifacts like active connections and encryption keys.

How to eliminate wrong answers

Option B is wrong because immediately disconnecting the system from the network may destroy volatile evidence (e.g., active TCP connections, ARP cache, and network session data) and could alert the attacker, potentially triggering anti-forensic measures like process termination or data encryption. Option C is wrong because checking Windows Event Logs is a secondary step that should occur after memory capture; event logs may not contain real-time process details (e.g., memory-resident code) and can be tampered with or cleared by the malware. Option D is wrong because rebooting the system destroys all volatile memory (RAM), including the suspicious process (PID 3342), network connections, and any decrypted payloads, making forensic recovery of the attack impossible.

203
Multi-Select (medium)

In email forensics, which TWO of the following headers are most useful for identifying the true origin of an email? (Select TWO.)

Select 2 answers
A. Message-ID
B. DKIM-Signature
C. X-Originating-IP
D. Received
E. MIME-Version
Answers: C, D

This header often contains the IP address of the sender's machine.

Why this answer

Received headers show the path and each server's IP, while X-Originating-IP may contain the sender's IP. DKIM verifies integrity but not origin IP. Message-ID is just an identifier.

204
Multi-Select (hard)

Which THREE of the following are indicators of a webshell compromise on a web server?

Select 3 answers
A. High CPU usage from web server processes
B. Regular successful logins to the server with correct credentials
C. Presence of files with extensions like .php, .asp, or .jsp in web directories that are not part of the original application
D. Unexpected outbound connections from the web server to unknown IP addresses
E. Decrease in network traffic
Answers: A, C, D

Execution of arbitrary commands or scripts can spike CPU usage.

Why this answer

Unusual files in web directories, high CPU usage due to command execution, and unexpected outbound traffic are common signs of a webshell compromise. Log entries with 'cmd' parameter are also typical.

205
MCQ (medium)

An analyst reviews NetFlow logs and sees a single internal host communicating with multiple external IPs on port 53 (DNS) over a short period, with each session transferring approximately 1500 bytes. What suspicious activity might this indicate?

A. DNS tunneling for data exfiltration
B. A DNS amplification attack
C. Dynamic DNS update attempts
D. Normal DNS resolution for web browsing
Answer: A

The pattern matches DNS tunneling.

Why this answer

DNS tunneling often uses small DNS queries/responses to exfiltrate data or establish C2. The consistent small packet size and many external destinations are indicators.

206
MCQ (medium)

A security team detects a suspicious process that writes to the Windows registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What is the MOST likely purpose of this activity?

A. Clearing browser history
B. Establishing persistence for malware
C. Updating system time
D. Configuring firewall rules
Answer: B

The Run key launches programs at user logon, commonly used for persistence.

Why this answer

The Run key is a common auto-start location used for persistence. Writing to it ensures the process executes at user logon.

207
MCQ (hard)

During an incident response on a Linux server, you find the following entry in /var/log/auth.log: "Mar 10 12:34:56 server sshd[1234]: Failed password for root from 10.0.0.5 port 34567 ssh2". Which of the following is the BEST immediate action to prevent further unauthorized access?

A. Block the IP address 10.0.0.5 at the firewall
B. Edit /etc/ssh/sshd_config to set PermitRootLogin no and PasswordAuthentication no, then restart sshd
C. Delete the root user account
D. Change the root password to a complex password
Answer: B

This disables root SSH login and password authentication, forcing key-based authentication, which mitigates brute-force attacks.

Why this answer

The log shows a failed SSH login attempt for root from an external IP. The most effective immediate action is to change the SSH configuration to disable root login (PermitRootLogin no) and allow key-based authentication only (PasswordAuthentication no), then restart the service. This blocks password guessing attacks on root.

208
MCQ (medium)

A forensic lab manager is setting up a new lab and must decide on the physical security measures. Which of the following is the MOST important to implement first?

A. Construct Faraday cages around the evidence storage area
B. Deploy CCTV cameras covering all entry points
C. Install a gas-based fire suppression system
D. Implement a biometric access control system
Answer: D

Biometric access control prevents unauthorized entry, which is the first line of defense.

Why this answer

Biometric access control is the most critical first step because it establishes a foundational layer of physical security that authenticates and authorizes personnel before they can access the lab. Without controlling who enters, other measures like CCTV or fire suppression are less effective, as unauthorized individuals could compromise evidence integrity. This aligns with the principle of defense-in-depth, where access control is the primary barrier against tampering or theft.

Exam trap

The trap here is that candidates often prioritize surveillance (CCTV) or evidence preservation (Faraday cages) over the foundational security principle of access control, failing to recognize that without controlling who enters, all other measures are reactive rather than preventive.

How to eliminate wrong answers

Option A is wrong because Faraday cages are specialized for blocking electromagnetic signals (e.g., to prevent remote wiping of mobile devices) and are not a general physical security measure; they should be implemented after basic access controls are in place. Option B is wrong because CCTV cameras are a monitoring/deterrent tool, not a preventive control; they record breaches but do not stop unauthorized access, making them secondary to access control. Option C is wrong because gas-based fire suppression systems protect against fire damage but do not address the immediate threat of unauthorized entry or evidence tampering; they are a safety measure, not a security measure.

209
Multi-Select (medium)

A malware analyst is performing dynamic analysis of a suspicious executable in a Cuckoo Sandbox environment. Which THREE of the following behavioural indicators would be considered suspicious and warrant further investigation?

Select 3 answers
A. Creating a mutex with a hardcoded name
B. Reading registry keys under HKLM\HARDWARE
C. Modifying the hosts file to redirect a domain
D. Writing a temporary file to %TEMP%
E. Connecting to an IP address associated with a known command-and-control server
Answers: A, C, E

Malware often creates a mutex with a unique name to ensure single instance; hardcoded mutex names are common in malware families.

Why this answer

Creating a mutex with a hardcoded name is a common anti-analysis technique used by malware to ensure only one instance runs, preventing multiple infections or sandbox detection. In Cuckoo Sandbox, a hardcoded mutex name (e.g., 'Global\MyMalwareMutex') can indicate a known malware family or a custom implementation, warranting further investigation as it often correlates with persistence or evasion logic.

Exam trap

Cisco often tests the distinction between common benign operations (like reading hardware registry keys or writing to %TEMP%) and truly malicious indicators, so candidates mistakenly flag normal system activities as suspicious without considering context.

210
MCQ · hard

A forensic analyst is investigating a suspected data exfiltration from a MySQL database. Which log source would be MOST useful to identify the exact SQL queries executed, including SELECT statements that retrieved large volumes of data?

A. MySQL error log
B. MySQL binary log
C. MySQL slow query log
D. MySQL general query log
Answer: D

The general query log logs all SQL statements, including SELECT, making it ideal for detecting data exfiltration via queries.

Why this answer

MySQL's general query log records all SQL queries, including SELECT statements. The binary log records changes (INSERT, UPDATE, DELETE) for replication and recovery, not SELECT queries. Audit logs may be enabled but are not as detailed for SELECT queries by default.

211
MCQ · medium

An analyst finds the following in an IIS log: 10.0.0.5, -, 02/15/2024, 14:23:56, GET /../../windows/system32/cmd.exe, 404, 0, 0, 0, Mozilla/4.0. Which attack technique does this log entry represent?

A. Cross-site scripting
B. SQL injection
C. Path traversal
D. Remote code execution
Answer: C

The ../ sequences indicate an attempt to traverse directories.

Why this answer

The URI contains ../ patterns attempting to access a system file outside the web root, which is path traversal.
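As an added example (not part of the question bank), the Python script below parses log lines in the comma-separated IIS layout quoted in the question, percent-decodes and normalizes each request target, and flags entries whose path contains `..` segments, distinguishing those that actually climb above the web root from harmless in-root references. The log lines are constructed; only the first mirrors the entry in the question.

```python
"""Added example: detect directory traversal attempts in IIS-style log lines.
The sample log is constructed; its field order follows the entry quoted in
the question (client IP, user, date, time, request, status, win32 status,
bytes sent, bytes received, user agent)."""
from urllib.parse import unquote

SAMPLE_IIS_LOG = """
10.0.0.5, -, 02/15/2024, 14:23:56, GET /../../windows/system32/cmd.exe, 404, 0, 0, 0, Mozilla/4.0
10.0.0.7, -, 02/15/2024, 14:24:10, GET /images/logo.png, 200, 0, 0, 0, Mozilla/5.0
10.0.0.5, -, 02/15/2024, 14:24:31, GET /docs/%2e%2e/%2e%2e/windows/win.ini, 404, 0, 0, 0, Mozilla/4.0
10.0.0.9, -, 02/15/2024, 14:25:02, GET /static/..\\..\\windows\\win.ini, 200, 0, 0, 0, curl/8.0
10.0.0.7, -, 02/15/2024, 14:25:40, GET /docs/../index.html, 200, 0, 0, 0, Mozilla/5.0
""".strip()


def parse_line(line):
    """Split one log line into a dict; the user agent may itself contain commas."""
    fields = [f.strip() for f in line.split(",", 9)]
    if len(fields) < 10:
        return None
    method, _, target = fields[4].partition(" ")
    return {"client": fields[0], "date": fields[2], "time": fields[3],
            "method": method, "target": target, "status": fields[5]}


def normalize_target(target, max_rounds=3):
    """Percent-decode until the value stops changing (catches double
    encoding), then treat backslashes as separators as Windows does."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def traversal_info(target):
    """Walk the normalized path with a stack: a '..' on an empty stack means
    the request tried to climb above the web root."""
    path = normalize_target(target)
    segments = [s for s in path.split("/") if s not in ("", ".")]
    stack, dotdot, escapes = [], 0, False
    for seg in segments:
        if seg == "..":
            dotdot += 1
            if stack:
                stack.pop()
            else:
                escapes = True
        else:
            stack.append(seg)
    return {"normalized": path, "dotdot_segments": dotdot,
            "escapes_root": escapes, "resolved": "/" + "/".join(stack)}


def find_traversal(log_text):
    """Return every parsed record whose target contains at least one '..'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        info = traversal_info(rec["target"])
        if info["dotdot_segments"]:
            rec.update(info)
            hits.append(rec)
    return hits
```

The `escapes_root` flag is what separates a genuine traversal attempt from an ordinary relative reference such as `/docs/../index.html`, which resolves inside the web root.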

212
MCQ · easy

Which cloud service's audit logs would an investigator examine to identify who deleted a virtual machine in an Azure subscription?

A. GCP Audit Logs
B. Azure Activity Log
C. Azure AD Sign-in Logs
D. AWS CloudTrail
Answer: B

Activity Log tracks resource management operations in Azure.

Why this answer

Azure Activity Logs record all control-plane events (e.g., create/delete resources) at the subscription level, including who performed the action.

213
MCQ · medium

Which tool can be used to extract evidence from Android devices through the Android Debug Bridge (ADB) and is often used for logical acquisition?

A. Cellebrite UFED
B. PEiD
C. Cuckoo Sandbox
D. GrayKey
Answer: A

Supports ADB logical acquisition for Android.

Why this answer

Cellebrite UFED (Universal Forensic Extraction Device) is a widely used forensic tool that leverages Android Debug Bridge (ADB) to perform logical acquisition of Android devices. ADB allows the tool to communicate with the device's operating system via USB debugging, enabling extraction of call logs, contacts, SMS, and application data without physical chip-off. This makes it the correct choice for logical acquisition over ADB.

Exam trap

Cisco often tests the distinction between logical acquisition (via ADB) and physical acquisition (via JTAG or chip-off), and candidates may confuse GrayKey (iOS-focused) with Android tools because both are used for mobile forensics.

How to eliminate wrong answers

Option B (PEiD) is wrong because it is a packer identifier for Windows executables, used in malware analysis to detect packed or obfuscated PE files, and has no capability to interface with Android devices via ADB. Option C (Cuckoo Sandbox) is wrong because it is an automated malware analysis environment that runs suspicious files in a virtualized sandbox, not a mobile forensic acquisition tool for extracting evidence from Android devices. Option D (GrayKey) is wrong because, while it is a mobile forensic tool for iOS devices (specifically for bypassing passcodes and extracting data from iPhones), it does not use ADB and is not designed for Android logical acquisition.

214
MCQ · medium

A forensic analyst is examining a SQLite database from an iOS device backup. The database contains a table named 'message' with columns 'ROWID', 'text', 'handle_id', and 'date'. This database is MOST likely part of which iOS system database?

A. SMS.db
B. call_history.db
C. Calendar.db
D. AddressBook.db
Answer: A

SMS.db stores text messages and iMessages in the 'message' table.

Why this answer

The 'message' table with columns 'ROWID', 'text', 'handle_id', and 'date' is the core schema of the SMS.db database on iOS devices. This database stores iMessage and SMS/MMS messages, where 'handle_id' links to the 'handle' table for contact identifiers and 'date' stores the timestamp in Apple's absolute time (seconds since 2001-01-01). The presence of these specific columns confirms it is the SMS/Message database.

Exam trap

Cisco often tests the misconception that 'message' tables are found in AddressBook.db or Calendar.db, but the specific column set (ROWID, text, handle_id, date) is unique to SMS.db in iOS forensics.

How to eliminate wrong answers

Option B is wrong because call_history.db stores call logs with columns like 'Z_PK', 'ZADDRESS', 'ZDATE', and 'ZDURATION', not a 'message' table with 'text' and 'handle_id'. Option C is wrong because Calendar.db uses tables like 'CalendarItem' and 'Recurrence' with columns for event dates and titles, not a 'message' table. Option D is wrong because AddressBook.db (now Contacts.sqlite) uses tables like 'ABPerson' and 'ABMultiValue' for contact data, not a 'message' table for text conversations.
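As an added example (not part of the question bank), the Python script below builds an in-memory SQLite database with the 'message' columns named in the question plus a minimal 'handle' table, fills it with constructed rows, and converts the 'date' column from Apple absolute time (seconds since 2001-01-01) to UTC. The handling of nanosecond-valued dates, which newer iOS builds write to the same column, is an assumption that goes beyond the question text.

```python
"""Added example: read an SMS.db-style 'message' table and convert Apple
absolute time. Tables and rows are constructed in memory; a real SMS.db has
many more columns and tables."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Apple absolute time counts seconds from 2001-01-01 00:00:00 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_time_to_utc(value):
    """Convert a 'date' value to an aware UTC datetime.

    The question describes 'date' as seconds since 2001-01-01. Newer iOS
    builds store the same column in nanoseconds; this example assumes any
    value above 10**12 is nanoseconds and scales it down first.
    """
    if value > 10**12:
        value = value / 1e9
    return APPLE_EPOCH + timedelta(seconds=value)


def build_sample_db():
    """Create the minimal schema from the question with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (
            ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER, date INTEGER);
    """)
    conn.executemany("INSERT INTO handle VALUES (?, ?)", [
        (1, "+15550100"),           # constructed phone number
        (2, "alice@example.com"),   # constructed iMessage address
    ])
    one_year = 365 * 86400          # 2002-01-01 00:00:00 UTC in Apple seconds
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", [
        (1, "Meet at 9", 1, one_year),
        (2, "Running late", 2, one_year + 600),
        (3, "Stored in ns", 1, (one_year + 1200) * 10**9),  # nanosecond form
    ])
    conn.commit()
    return conn


def extract_messages(conn):
    """Join message to handle via handle_id and sort by converted timestamp."""
    rows = conn.execute("""
        SELECT m.ROWID, m.text, h.id, m.date
        FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id
    """).fetchall()
    out = [{"rowid": r[0], "text": r[1], "contact": r[2],
            "when": apple_time_to_utc(r[3]).isoformat()} for r in rows]
    return sorted(out, key=lambda m: m["when"])


if __name__ == "__main__":
    for m in extract_messages(build_sample_db()):
        print(m["when"], m["contact"], m["text"])
```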

215
Multi-Select · hard

A forensic examiner is analyzing a malware sample that creates the following registry keys for persistence: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Malware', 'HKLM\System\CurrentControlSet\Services\MalService', and 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'. Which TWO of the following statements are TRUE regarding these persistence mechanisms?

Select 2 answers
A. The Run key executes the malware when the user logs in.
B. The Services key ensures the malware runs with system privileges before user logon.
C. The Services key requires administrative privileges to create.
D. The Winlogon Shell key replaces the default Windows shell (explorer.exe) completely.
E. All three keys ensure persistence across reboots and user sessions.
Answers: A, B

The Run key is designed to run programs at user logon.

Why this answer

Option A is correct because the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' key is a well-known autostart location that executes the specified program each time the user logs into their account. This is a common persistence mechanism used by malware to re-launch after a reboot, as Windows Explorer reads this key during the user logon process.

Exam trap

EC-Council often tests the misconception that the Winlogon Shell key completely replaces explorer.exe, when in fact it only adds an additional program to the logon process, and the default shell remains unless explicitly overridden.

216
MCQ · hard

During a forensic analysis of a Linux system, the investigator finds that the bash_history file is empty for the root user. However, the system has been used actively. What is the MOST likely explanation?

A. The system was shut down improperly
B. The file is corrupted
C. The user deleted the history
D. The HISTSIZE environment variable is set to 0 or the history file is redirected to /dev/null
Answer: D

Setting HISTSIZE=0 disables history; redirecting to /dev/null discards entries.

Why this answer

If HISTSIZE is set to 0 or the history file is a symlink to /dev/null, commands are not recorded. This is common in forensic evasion.

217
MCQ · medium

Which tool is commonly used for timeline analysis in digital forensics, allowing examiners to parse and correlate timestamps from various artifacts?

A. log2timeline
B. Sleuth Kit
C. Nmap
D. Wireshark
Answer: A

log2timeline/Plaso is the forensic tool for creating timelines from multiple artifacts.

Why this answer

log2timeline (and its successor Plaso) is the standard tool for timeline analysis, parsing artifacts into a super timeline.

218
MCQ · hard

A forensic analyst examines a Mac system and runs "log show --predicate 'eventMessage contains "disk"' --last 1h" in Terminal. This command extracts Unified Log entries related to disk activity. Which macOS forensic artifact is the analyst MOST likely querying?

A. .plist files
B. FSEvents
C. Core Storage logs
D. Apple Unified Logging
Answer: D

The 'log show' command retrieves entries from the unified logging system, which encompasses system and user activity logs.

Why this answer

The 'log show' command with --predicate queries the Apple Unified Logging system, which centralizes logs from various subsystems.

219
Multi-Select · hard

Which THREE artefacts are typically recoverable from an iOS iTunes backup?

Select 3 answers
A. RAM dump of running processes
B. SMS.db containing text messages
C. AddressBook.db containing contacts
D. Call_history.db containing call logs
E. iCloud Keychain items
Answers: B, C, D

SMS.db is included in iTunes backups.

Why this answer

Option B is correct because an iTunes backup of an iOS device includes the SQLite database file SMS.db, which stores all text messages (iMessages and SMS). This file is located in the backup's AppDomain group for com.apple.mobileSMS and can be extracted and parsed to recover message content, timestamps, and sender/receiver information.

Exam trap

Cisco often tests the distinction between what is stored in a local iTunes backup versus cloud-based or volatile artifacts, leading candidates to incorrectly include iCloud Keychain items or RAM data as recoverable from a backup.

220
MCQ · easy

A first responder arrives at a scene where a computer is powered on and a user is logged in. An incident is suspected. What should the responder do FIRST?

A. Begin capturing a memory dump using a forensic tool.
B. Power off the computer immediately to preserve the disk.
C. Photograph the screen to document the current state.
D. Ask the user to log off so the system can be imaged.
Answer: C

Documentation of the live state is critical before any collection.

Why this answer

Option C is correct because the first priority at a live incident scene is to preserve volatile evidence. Photographing the screen captures the current state of the system, including open applications, network connections, and user activity, which can be lost if the system is altered or powered down. This documentation provides a baseline for the investigation and ensures that critical volatile data is recorded before any forensic acquisition begins.

Exam trap

EC-Council often tests the misconception that immediate memory capture or power-off is the correct first step, but the trap here is that the first responder must first document the volatile state of the screen to preserve evidence that can be lost the instant any action is taken.

How to eliminate wrong answers

Option A is wrong because while capturing a memory dump is important, it should not be the first action; the responder must first document the current state of the screen to preserve volatile evidence that may be lost during the memory capture process. Option B is wrong because powering off the computer immediately can destroy volatile data (e.g., RAM contents, network connections, running processes) and may trigger anti-forensic mechanisms or cause data corruption; the proper procedure is to follow a live response approach. Option D is wrong because asking the user to log off can alter the system state, potentially destroying evidence such as open files, registry keys, or network sessions, and may also trigger cleanup scripts that delete volatile data.

221
Multi-Select · medium

Which THREE of the following are essential steps in network forensic investigation?

Select 3 answers
A. Conduct interviews with all network users
B. Create a timeline of network events
C. Secure the network to prevent further damage
D. Perform a bit-for-bit copy of all hard drives
E. Capture network packets using a sniffer
Answers: B, C, E

Timeline analysis helps correlate events.

Why this answer

Creating a timeline of network events (Option B) is essential in network forensic investigation because it establishes a sequence of activities, correlating packet captures, logs, and system events to reconstruct the attack path. This chronological mapping is critical for identifying the initial compromise point, lateral movement, and data exfiltration, often using tools like Wireshark or tcpdump with timestamps from NTP-synchronized sources.

Exam trap

EC-Council often tests the distinction between network forensics (focusing on packets, flows, and logs) and host-based forensics (focusing on disk images and memory), leading candidates to mistakenly select hard drive imaging as a network forensic step.

222
Drag & Drop · medium

Drag and drop the steps to perform a forensic analysis of a Windows registry using RegRipper into the correct order.

Why this order

Registry analysis requires acquiring hives, running RegRipper with profiles, and correlating results.

223
MCQ · medium

A forensic examiner acquires a RAM image from a Windows 10 system and uses Volatility to analyze it. Which command would list all running processes along with their parent process IDs and command lines?

A. volatility -f mem.raw pslist
B. volatility -f mem.raw netscan
C. volatility -f mem.raw cmdline
D. volatility -f mem.raw pstree
Answer: D

pstree displays processes in a tree format showing parent-child relationships and also includes command lines.

Why this answer

The pstree plugin shows processes in tree format with parent-child relationships, while pslist lists processes without parent info. For parent PIDs and command lines, pstree is appropriate.

224
MCQ · medium

A security analyst examines a compromised Windows server and finds a file named 'readme.txt' that appears legitimate. However, using `dir /r`, they discover an alternate data stream named 'readme.txt:hidden.exe'. What is the most likely purpose of this alternate data stream?

A. It is a backup copy of the file
B. It is a symbolic link to another file
C. It is a malicious executable hidden in the file
D. It is a log file generated by the operating system
Answer: C

Attackers often hide malware in ADS to evade detection.

Why this answer

Alternate Data Streams can be used to hide malicious executables within seemingly innocuous files. The stream 'hidden.exe' suggests an executable is hidden in the file.

225
MCQ · hard

You are imaging a suspect's hard drive using a write blocker and dd command. After imaging, you verify the hash of the original drive and the image file. The original drive hash is SHA1: A1B2C3D4E5..., and the image hash is SHA1: F6G7H8I9J0... What is the most likely cause of the mismatch?

A. The dd command used a different block size
B. The write blocker malfunctioned and allowed writes to the original drive
C. The dd command compressed the output
D. The image file was corrupted during transfer
Answer: B

If the original drive was modified during acquisition, the hashes will differ.

Why this answer

The hash mismatch indicates that the data on the original drive and the image file are not identical. A write blocker malfunction that allowed writes to the original drive during the imaging process would alter the source data after the initial hash was computed, causing the final hash of the original drive to differ from the hash of the image file taken at a different point in time. This is the most direct cause of a hash mismatch because the write blocker's primary purpose is to prevent any modification to the evidence.

Exam trap

EC-Council often tests the misconception that dd's block size or compression affects the hash, but the trap here is that candidates overlook the write blocker's role in preserving evidence integrity and instead focus on technical details of the dd command that do not alter the data content.

How to eliminate wrong answers

Option A is wrong because the dd block size affects read/write performance and the number of blocks, not the data itself; as long as the entire drive is read, the hash of the output matches the input regardless of block size. Option C is wrong because dd does not compress output by default; it performs a bit-for-bit copy. Even if compression were applied (e.g., by piping to gzip), the hash would be taken over the compressed file rather than the raw image, and once the image is decompressed correctly its hash would still match the original drive, so compression does not explain the mismatch. Option D is wrong because corruption during transfer would alter only the image file's hash and leave the original drive's hash unchanged; the mismatch described is between the original drive hash and the image hash, which transfer corruption alone does not account for.
