Computer Hacking Forensic Investigator CHFI (CHFI) — Questions 226300

1000 questions total · 14 pages · All types, answers revealed


Page 4 of 14

226
MCQ · easy

In mobile forensics, which acquisition method preserves the highest level of data integrity and captures the most data from an iOS device?

A. File system acquisition
B. Physical acquisition
C. Logical acquisition
D. Manual acquisition
Answer: B

Physical acquisition creates a bit-for-bit copy of the entire flash memory, preserving all data including deleted files.

Why this answer

Physical acquisition is correct because it creates a bit-for-bit copy of the entire flash storage, including unallocated space, deleted files, and system partitions. This method bypasses the iOS file system abstraction, preserving the highest data integrity and capturing all recoverable data, unlike higher-level acquisitions that only retrieve accessible files.

Exam trap

EC-Council often tests the misconception that 'file system acquisition' is the most thorough because it includes system files, but the trap is that physical acquisition alone captures unallocated space and deleted data, which file system acquisition cannot access due to iOS sandboxing and file system abstraction.

How to eliminate wrong answers

Option A is wrong because file system acquisition only copies allocated files and metadata visible through the iOS file system (e.g., via AFC or iTunes backup), missing deleted data and unallocated space, thus providing lower integrity and less data. Option C is wrong because logical acquisition extracts only user-accessible data (e.g., contacts, messages) via APIs like iTunes backup or libimobiledevice, ignoring system files and deleted artifacts, resulting in the least data capture. Option D is wrong because manual acquisition involves physically interacting with the device screen to capture data (e.g., screenshots or notes), which is highly operator-dependent, alters the device state, and cannot recover hidden or deleted data, offering the lowest integrity and data completeness.

227
MCQ · easy

Refer to the exhibit. During incident response, a first responder runs 'netstat -ano' on a compromised Windows system. Which connection is most likely to be the command-and-control (C2) channel and should be prioritized for isolation?

A. 192.168.1.100:1045 to 203.0.113.5:4444 (ESTABLISHED)
B. 192.168.1.100:1047 to 10.0.0.1:22 (ESTABLISHED)
C. 192.168.1.100:1046 to 192.168.1.1:443 (ESTABLISHED)
D. 192.168.1.100:1048 to 198.51.100.7:80 (TIME_WAIT)
Answer: A

Port 4444 is a well-known C2 port; the external IP suggests communication with an attacker.

Why this answer

Option A shows an established connection from the internal host (192.168.1.100) to an external IP (203.0.113.5) on TCP port 4444, which is commonly associated with Metasploit reverse shells and other C2 frameworks. The ESTABLISHED state indicates an active, ongoing session, making it the highest priority for isolation during incident response.

Exam trap

EC-Council often tests the misconception that any external connection is suspicious, but the trap here is that candidates overlook the significance of the ESTABLISHED state and the specific port 4444, instead focusing on the IP address alone or mistaking a TIME_WAIT connection for an active threat.

How to eliminate wrong answers

Option B is wrong because port 22 is SSH, which is typically used for legitimate remote administration; while it could be abused, it is less likely than a non-standard high port like 4444 to be a C2 channel. Option C is wrong because 192.168.1.1:443 is a local gateway HTTPS connection, likely normal web traffic to the default gateway or a local proxy, not an external C2. Option D is wrong because the connection is in TIME_WAIT state, meaning it has already been closed and is not actively communicating, so it cannot be an active C2 channel.

228
MCQ · easy

In network forensics, an analyst captures traffic and sees a large number of ICMP echo requests from 10.0.0.1 to 10.0.0.2 with varying payload sizes. What is the most likely scenario?

A. Network reconnaissance (ping sweep)
B. A man-in-the-middle attack
C. A DoS attack using ICMP floods
D. A DNS amplification attack
Answer: A

Ping sweeps use ICMP echo requests to multiple hosts to identify live systems.

Why this answer

Large numbers of ICMP echo requests (pings) with varying payload sizes are characteristic of a ping sweep or network reconnaissance to identify live hosts.

229
Multi-Select · medium

Which TWO of the following are essential components of the forensic investigation process? (Select two.)

Select 2 answers
A. Reporting
B. First response
C. Chain of custody
D. Analysis
E. Preservation
Answers: D, E

Analysis is a core phase where data is examined to draw conclusions.

Why this answer

Analysis (D) is an essential component because it is the phase where the investigator examines the acquired data to identify evidence, reconstruct events, and draw conclusions. Preservation (E) is equally essential as it ensures the integrity of digital evidence from the moment of collection through the entire investigation, typically by creating a bit-for-bit forensic image (e.g., using dd or FTK Imager) and storing it on write-protected media. Without analysis, no actionable findings emerge; without preservation, evidence is inadmissible due to tampering or spoliation.

Exam trap

EC-Council often tests the distinction between procedural steps (like first response or chain of custody) and the core forensic process phases, leading candidates to select 'First Response' or 'Chain of Custody' as essential components when they are actually supporting activities within the preservation phase.

230
MCQ · hard

In an iOS forensic examination, an analyst extracts an encrypted iTunes backup. The backup contains a file named 'manifest.plist' which lists the backup version and encryption state. Which tool is specifically designed to brute-force the backup password using GPU acceleration?

A. Hashcat
B. Oxygen Forensic Detective
C. Cellebrite UFED
D. GrayKey
Answer: A

Hashcat can crack iTunes backup passwords using GPU acceleration with mode 14700 for iTunes backups.

Why this answer

Hashcat is the correct tool because it is a password recovery utility that leverages GPU acceleration to perform high-speed brute-force attacks on encrypted iTunes backup passwords. It can directly process the password hash extracted from the 'manifest.plist' file, which contains the backup version and encryption state, allowing efficient cracking of the backup password.

Exam trap

Cisco often tests the distinction between tools used for physical device extraction (like Cellebrite UFED or GrayKey) versus those used for password cracking (like Hashcat), and the trap here is that candidates may confuse GrayKey's passcode bypass capability with backup password cracking, even though GrayKey does not use GPU acceleration for brute-forcing encrypted backups.

How to eliminate wrong answers

Option B (Oxygen Forensic Detective) is wrong because it is a forensic analysis suite for extracting and analyzing mobile device data, not a dedicated password cracking tool with GPU acceleration. Option C (Cellebrite UFED) is wrong because it is a physical extraction and forensic imaging tool for mobile devices, not designed for brute-forcing encrypted backup passwords using GPU acceleration. Option D (GrayKey) is wrong because it is a specialized device for bypassing iOS passcodes via hardware exploits or software vulnerabilities, not for cracking encrypted iTunes backup passwords with GPU-accelerated brute-force attacks.

231
MCQ · medium

An incident responder receives an alert that a workstation is beaconing to a known malicious IP address. The responder captures network traffic and analyzes it with Wireshark. Which of the following would be an immediate indicator of compromise (IoC) visible in the traffic capture?

A. Large file transfers during off-hours
B. ARP requests from unknown MAC addresses
C. Encrypted payloads using TLS 1.3
D. Repeated connections to a known malicious IP address on a non-standard port
Answer: D

A known malicious IP is a clear IoC; repeated connections suggest beaconing.

Why this answer

Option D is correct because repeated connections to a known malicious IP address on a non-standard port directly match the definition of a beaconing indicator of compromise (IoC). In network traffic analysis, beaconing is characterized by periodic, outbound connections to a command-and-control (C2) server, often using a non-standard port to evade detection. This pattern is a primary IoC in malware forensics and is immediately visible in Wireshark as a series of TCP SYN packets to the same IP and port at regular intervals.

Exam trap

Cisco often tests the distinction between a direct IoC (like beaconing to a known malicious IP) and secondary indicators (like large file transfers or ARP anomalies) that require additional context to confirm compromise.

How to eliminate wrong answers

Option A is wrong because large file transfers during off-hours may indicate data exfiltration but are not an immediate indicator of beaconing; they are a secondary behavioral anomaly that requires correlation with other evidence. Option B is wrong because ARP requests from unknown MAC addresses indicate local network scanning or spoofing, not beaconing to a remote malicious IP; ARP operates at Layer 2 and does not reveal C2 communication patterns. Option C is wrong because encrypted payloads using TLS 1.3 are not inherently malicious; TLS 1.3 is a standard security protocol used by legitimate services, and its presence alone does not indicate compromise—beaconing is defined by connection patterns, not encryption.

232
MCQ · medium

The command used to acquire a disk image resulted in an I/O error. What is the most likely cause?

A. The source disk has bad sectors
B. The output file already exists and is being overwritten
C. The target directory does not have write permissions
D. The target drive is full
Answer: A

Bad sectors cause read errors.

Why this answer

When a disk imaging tool (e.g., dd, FTK Imager, EnCase) encounters an I/O error during acquisition, the most common cause is physical damage or degradation of the source media, specifically bad sectors. Bad sectors prevent the read head from reliably retrieving data, triggering an I/O error at the operating system or device driver level. This is distinct from logical errors like file system corruption, which typically produce different error messages.

Exam trap

The trap here is that candidates confuse an I/O error (a hardware-level read failure) with logical or permission-based errors, mistakenly attributing the error to the output destination rather than the source media.

How to eliminate wrong answers

Option B is wrong because overwriting an existing output file does not cause an I/O error; it may produce a warning or prompt for confirmation, but the read operation from the source disk proceeds normally. Option C is wrong because a lack of write permissions on the target directory results in a permission denied error, not an I/O error, and the acquisition tool would fail before attempting to read the source. Option D is wrong because a full target drive causes a 'disk full' or 'no space left on device' error, which is a write failure, not a read-related I/O error from the source disk.

233
MCQ · hard

An incident responder analyzes a compromised system and finds evidence of timestomping: the Modified timestamp of a malicious DLL is earlier than the Creation timestamp. Additionally, the DLL is encrypted with an XOR key. Which anti-forensic techniques are being employed?

A. Timestomping and obfuscation
B. Packer and anti-debugging
C. Rootkit installation and process hiding
D. Log wiping and data hiding
Answer: A

Timestamp manipulation is timestomping; XOR encryption is obfuscation/packing.

Why this answer

Timestomping is confirmed because the Modified timestamp (which tracks file content changes) is earlier than the Creation timestamp, which is logically impossible under normal file system operations—this indicates an attacker deliberately set the Modified timestamp backward to evade timeline analysis. The XOR encryption of the DLL is a form of obfuscation, a technique used to hide the true content of the file from static analysis tools and signature-based detection. Together, these two actions represent the anti-forensic techniques of timestomping and obfuscation.

Exam trap

EC-Council often tests the distinction between obfuscation (e.g., XOR encryption) and packing (e.g., UPX compression), where candidates mistakenly equate any encryption with a packer, but a packer specifically alters the PE structure and includes a decompression stub, while XOR obfuscation is a simpler, non-structural transformation.

How to eliminate wrong answers

Option B is wrong because a packer compresses or encrypts an executable to reduce size or evade signature detection, but it does not alter timestamps, and anti-debugging techniques (e.g., IsDebuggerPresent API calls) are runtime defenses, not file-level obfuscation or timestamp manipulation. Option C is wrong because rootkit installation involves modifying the OS kernel or system calls to hide processes or files, and process hiding is a runtime concealment method—neither directly relates to timestamp manipulation or XOR encryption of a single DLL. Option D is wrong because log wiping targets system or application logs (e.g., clearing Event Logs or /var/log files), and data hiding typically refers to steganography or alternate data streams, not XOR encryption of a DLL.

234
MCQ · easy

In a macOS forensic investigation, which log system stores high-level events such as application launches and authentication attempts in a binary format, and can be queried using the 'log' command?

A. system.log
B. Audit log
C. FSEvents
D. Unified logging
Answer: D

Unified logging is the current macOS logging system.

Why this answer

Unified logging (os_log) is the modern macOS logging system, storing events in a binary format and queried via the 'log' command.

235
Multi-Select · medium

Which TWO of the following are essential components of a proper chain of custody documentation? (Select TWO)

Select 2 answers
A. The forensic tools used to analyze the evidence
B. The hash value of the evidence at the time of acquisition
C. Date and time of each transfer of custody along with the names of individuals involved
D. A description of the evidence including serial numbers and unique identifiers
E. Digital signatures of all individuals who handled the evidence
Answers: C, D

Tracking every transfer is crucial.

Why this answer

Option C is correct because the chain of custody documentation must record the date, time, and identity of each individual who handles the evidence to ensure a complete, unbroken record of custody. This allows the court to verify that evidence was not tampered with or altered between collection and presentation. Without these timestamps and names, the chain of custody is legally insufficient.

Exam trap

EC-Council often tests the distinction between evidence integrity verification (hash values) and chain of custody documentation, leading candidates to mistakenly select hash values as a required component of the chain of custody form.

236
MCQ · hard

An investigator images an SSD that has TRIM enabled. Which of the following challenges will MOST likely affect the recovery of deleted files from this SSD?

A. The SSD uses a different partition table scheme
B. TRIM causes the SSD to zero out freed blocks, preventing recovery
C. The SSD firmware encrypts all data, requiring a decryption key
D. Wear leveling spreads data across blocks, complicating recovery
Answer: B

TRIM erases data blocks after deletion, making recovery impossible.

Why this answer

The TRIM command allows the SSD to erase freed data blocks immediately after deletion, making recovery impossible because the data is physically erased.

237
MCQ · medium

During a Linux forensic investigation, you find a suspicious cron job in /etc/cron.d/malware that runs every 5 minutes as root. Which persistence mechanism is being used?

A. Bash history
B. Systemd service
C. Cron job
D. Init script
Answer: C

Cron jobs are scheduled tasks; entries in /etc/cron.d/ run at specified intervals.

Why this answer

Cron jobs are a common Linux persistence mechanism. Entries in /etc/cron.d/ are system-wide cron jobs that execute at scheduled intervals.

238
MCQ · hard

In a UK-based investigation under the Police and Criminal Evidence Act (PACE), a forensic examiner is asked to seize computers from a business premises. Which of the following actions is MOST compliant with PACE requirements?

A. Conduct a forensic analysis at the scene to determine relevance before seizure
B. Copy all data on-site and delete the originals to avoid leaving evidence behind
C. Enter the premises without a warrant because evidence may be destroyed
D. Seize only items that are specified in the search warrant and provide a receipt
Answer: D

PACE Code B requires officers to list seized items and provide a receipt to the occupier.

Why this answer

Option D is correct because PACE requires that during a search under warrant, only items specified in the warrant may be seized, and a receipt must be provided to the occupier. This ensures legal compliance, chain of custody, and respect for property rights, which are fundamental to admissible digital evidence.

Exam trap

EC-Council often tests the misconception that on-site preview or analysis is permissible under PACE to determine relevance, but the correct procedure is to seize only warrant-specified items and provide a receipt, deferring analysis to the lab.

How to eliminate wrong answers

Option A is wrong because conducting forensic analysis at the scene (e.g., live imaging or preview) without proper authorization or a warrant extension can exceed the scope of PACE and risks altering evidence, violating the principle of maintaining integrity. Option B is wrong because copying data and deleting originals destroys potential evidence and violates PACE's requirement to preserve original media; deletion may also constitute unlawful destruction of property. Option C is wrong because entering without a warrant is only permissible under PACE in exigent circumstances (e.g., to prevent serious harm), not merely because evidence may be destroyed; the threshold is high and requires immediate risk, not speculative destruction.

239
MCQ · medium

A forensic analyst is examining a Windows 10 system and finds suspicious activity. Which registry hive contains user-specific configuration data that can reveal evidence of recent file access through ShellBags, UserAssist, and MRU lists?

A. HKLM\SYSTEM
B. HKLM\SAM
C. HKLM\SOFTWARE
D. NTUSER.DAT
Answer: D

NTUSER.DAT is the user hive loaded under HKCU, containing ShellBags, UserAssist, MRU, and other user activity traces.

Why this answer

NTUSER.DAT is the user-specific registry hive loaded under HKCU, containing ShellBags, UserAssist, MostRecentlyUsed (MRU) lists, and other user activity artifacts. SAM stores local account hashes, SYSTEM stores system-wide config, and SOFTWARE stores installed applications info.

240
MCQ · medium

In a legal context, which rule of evidence requires that the evidence presented be sufficient to prove a fact and not be misleading?

A. Reliability
B. Admissibility
C. Authenticity
D. Completeness
Answer: A

Reliability requires that evidence is consistent, accurate, and not misleading; it must be sufficient to prove the fact.

Why this answer

Reliability, under rules of evidence such as Federal Rule of Evidence 403, requires that the probative value of evidence is not substantially outweighed by the danger of unfair prejudice, confusing the issues, or misleading the jury. In computer forensics, this means the evidence must be sufficiently trustworthy and accurate to prove a fact without creating a misleading impression. For example, a log file with inconsistent timestamps or incomplete data would fail the reliability test because it could mislead the trier of fact.

Exam trap

EC-Council often tests the distinction between reliability and admissibility, trapping candidates who confuse the general requirement that evidence be 'admissible' with the specific rule that evidence must be sufficient and not misleading, which is a reliability concern under FRE 403.

How to eliminate wrong answers

Option B (Admissibility) is wrong because admissibility is a broader concept that encompasses multiple rules (relevance, authenticity, hearsay exceptions, etc.), not specifically the requirement that evidence be sufficient to prove a fact and not misleading. Option C (Authenticity) is wrong because authenticity, under FRE 901, requires evidence to be what it claims to be (e.g., proving a log file came from a specific system via hash verification), but it does not address whether the evidence is sufficient or misleading. Option D (Completeness) is wrong because completeness, under FRE 106, allows a party to introduce the remainder of a writing or recording to avoid misleading context, but it is a rule of completeness in presentation, not a standalone requirement that evidence itself be sufficient and not misleading.

241
MCQ · hard

In a database forensic investigation, you recover a MySQL binary log with the following entry: #230110 13:45:22 server id 1 end_log_pos 123456 Query thread_id=100 exec_time=0 error_code=0 SET TIMESTAMP=1673358322; SELECT * FROM customers INTO OUTFILE '/tmp/export.csv';. What does this indicate?

A. Data exfiltration via the MySQL instance
B. A backup operation was performed
C. A stored procedure execution
D. A SQL injection attack using UNION
Answer: A

The query exports customer data to a file in /tmp, which can be retrieved by the attacker. This is a known data exfiltration technique.

Why this answer

This log entry records a SELECT ... INTO OUTFILE statement that exports the customers table to a CSV file. This is a common technique for data exfiltration, as it writes data to a file that can be accessed by the attacker.

242
MCQ · hard

An organization uses a cloud-based SIEM to collect logs from multiple sources. The investigator notices gaps in the log data for a critical system during the incident timeframe. What is the MOST likely cause?

A. Network latency delayed log delivery
B. Log rotation policy deleted logs prematurely
C. Time drift between the system and the SIEM
D. The system's log level was set to ERROR only
Answer: C

Clock skew can cause logs to appear missing or out of order.

Why this answer

Time drift between the system and the SIEM causes logs to be timestamped incorrectly, leading to apparent gaps when the SIEM queries by time range. Even if logs are delivered, they may fall outside the incident timeframe in the SIEM's index, creating the illusion of missing data. This is a common issue in cloud-based SIEMs where NTP synchronization is not enforced across all sources.

Exam trap

The trap here is that candidates confuse 'missing logs' with 'logs not sent' (option A) or 'logs deleted' (option B), but the question specifically says 'gaps in the log data' during the incident timeframe, which points to a timestamp alignment issue rather than a delivery or retention problem.

How to eliminate wrong answers

Option A is wrong because network latency delays log delivery but does not cause gaps in the log data itself; logs will eventually arrive and be indexed, though possibly out of order. Option B is wrong because log rotation policies delete old logs, not logs from the incident timeframe unless the rotation interval is shorter than the retention period, which is unlikely for a critical system under investigation. Option D is wrong because setting the log level to ERROR only would reduce the volume of logs but not create gaps; all ERROR-level events would still be recorded and timestamped correctly.

243
MCQ · easy

Which Windows Registry hive is primarily used to store user-specific application settings and recently accessed files?

A. HKU\.DEFAULT
B. HKLM\SYSTEM
C. HKLM\SAM
D. NTUSER.DAT
Answer: D

NTUSER.DAT is the user-specific hive for settings and recent items.

Why this answer

NTUSER.DAT is the registry hive that contains user-specific settings, including MRU lists and application preferences.

244
MCQ · easy

In cloud forensics, one of the major challenges is that data may be stored in multiple jurisdictions with different legal requirements. This challenge is known as:

A. Multi-tenancy
B. Chain of custody
C. Volatile evidence
D. Data jurisdiction
Answer: D

Correct term for legal boundaries across regions.

Why this answer

Data jurisdiction refers to the legal and regulatory issues that arise when data is stored or processed across different geographic locations with varying laws.

245
Multi-Select · medium

A forensic analyst is investigating a Windows system for evidence of malware persistence. Which TWO registry locations are commonly used by malware to automatically execute on system startup?

Select 2 answers
A. HKLM\SAM
B. C:\Windows\Prefetch
C. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellBags
D. HKLM\SYSTEM\CurrentControlSet\Services
E. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Answers: D, E

Services subkeys can be configured to start automatically, used by malware for persistence.

Why this answer

Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) are common startup locations. The SAM hive stores password hashes, not persistence. Prefetch tracks program execution but does not cause auto-start.

Services can be used for persistence but are not a registry key (they use subkeys under SYSTEM).

246
MCQ · medium

During an investigation of a Linux system, an analyst runs `ls -li` and sees that a file's inode number is 0. What does this indicate about the file?

A. The file is a symbolic link
B. The file is a device file
C. The file is a hard link
D. The file has been deleted but is still open
Answer: D

An inode of 0 often means the file is unlinked (deleted) but still referenced by an open file descriptor.

Why this answer

In Linux, an inode number of 0 typically indicates a file that has been deleted but is still open by a process. The directory entry may be removed but the inode remains until the file is closed.

247
MCQ · medium

An analyst is examining a hard drive that was seized from a suspect. The drive is detected as a smaller capacity than listed on the label. Which of the following is the MOST likely explanation?

A. The drive has been partitioned with a GPT table, which does not use the full capacity
B. The file system is FAT32, which has a 2 TB limit
C. The drive controller has a firmware bug reporting incorrect size
D. The drive has a Host Protected Area (HPA) that hides sectors from the OS
Answer: D

HPA hides sectors by setting a maximum address lower than actual.

Why this answer

The Host Protected Area (HPA) or Device Configuration Overlay (DCO) can hide portions of the drive. An HPA can be set by the manufacturer or the user; a DCO can be set by the manufacturer. Both reduce the visible capacity.

This is a common data hiding technique.

248
Multi-Select · hard

Which THREE of the following are best practices for a first responder when arriving at a computer crime scene?

Select 3 answers
A. Photograph the entire scene, including the computer screen and connections
B. Disconnect the computer from the network to prevent remote tampering
C. Turn off the computer immediately to prevent remote access
D. Boot the computer from a forensic CD to preview the hard drive
E. Collect volatile data such as RAM if the computer is on
Answers: A, B, E

Thorough documentation is critical for preserving the scene.

Why this answer

Option A is correct because photographing the entire scene, including the computer screen and connections, preserves a visual record of the state of the evidence before any changes are made. This documentation is critical for establishing the chain of custody and proving that the evidence was not tampered with. It also captures the exact configuration of cables and peripherals, which can be vital for later analysis.

Exam trap

EC-Council often tests the misconception that immediately powering off a computer is a safe first step, when in fact it destroys volatile evidence and can corrupt the file system, making forensic recovery harder.

249
Multi-Select · medium

Which TWO of the following are essential components of a proper chain of custody documentation? (Select TWO.)

Select 2 answers
A. The name of the suspect
B. Date and time of each evidence transfer
C. Signature of each person who handled the evidence
D. The operating system version of the suspect's computer
E. The IP address of the forensic workstation
Answers: B, C

Timestamps are crucial to establish a continuous chain.

Why this answer

The chain of custody documentation must record the date and time of each evidence transfer to establish a clear chronological timeline of custody. This ensures that the evidence can be tracked from collection through analysis to presentation in court, preventing claims of tampering or mishandling.

Exam trap

EC-Council often tests the misconception that technical details about the evidence (like OS version or IP address) are part of chain of custody, when in fact the chain only tracks who handled the evidence and when, not the evidence's configuration.

250
MCQ · medium

During the initial response to a suspected data breach, a first responder discovers a live system with active network connections. The responder needs to preserve evidence while minimizing alteration. Which of the following is the MOST appropriate first step?

A. Use a memory acquisition tool to capture the contents of RAM.
B. Run a full disk imaging tool to capture the hard drive contents.
C. Disconnect the network cable to isolate the system from the network.
D. Immediately shut down the system by pulling the power cord.
Answer: A

Capturing RAM preserves volatile data, which is the most critical first step.

Why this answer

A is correct because in a live system with active network connections, the most volatile evidence is in RAM (e.g., running processes, network connections, encryption keys). Using a memory acquisition tool (like FTK Imager or WinPmem) captures this volatile data before any other action, preserving evidence that would be lost on shutdown or disconnection. This aligns with the order of volatility (RFC 3227), which prioritizes memory over disk.

Exam trap

Cisco often tests the misconception that disconnecting the network or shutting down is the safest first step, but the trap here is that volatile memory is the most critical evidence and must be captured before any action that could alter or destroy it.

How to eliminate wrong answers

Option B is wrong because running a full disk imaging tool first would overwrite unallocated space and modify system metadata (e.g., last access times), altering evidence; it also ignores the higher volatility of RAM. Option C is wrong because disconnecting the network cable may terminate active connections and cause the system to lose volatile data (e.g., network state, encryption keys), and it can trigger anti-forensic scripts that wipe evidence. Option D is wrong because immediately shutting down by pulling the power cord destroys all volatile memory (RAM), including running processes and network connections, and can corrupt disk data due to unclean shutdown.

251
MCQ · hard

During a cloud forensic investigation, you review AWS CloudTrail logs and find the following event: {"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/attacker"},"requestParameters":{"instanceType":"t2.micro","imageId":"ami-0abcdef1234567890"},"responseElements":{"instancesSet":{"items":[{"instanceId":"i-0a1b2c3d4e5f67890"}]}}}. What is the immediate forensic action?

A. Delete the instance immediately
B. Check the VPC flow logs for network traffic
C. Isolate the instance and create a forensic snapshot
D. Notify the user who launched the instance
Answer: C

Isolation prevents further actions, and a snapshot captures the instance state for analysis.

Why this answer

The log shows an IAM user (arn ...:user/attacker) launching an EC2 instance that policy does not account for. The immediate action is to isolate the instance by swapping its security group for one that denies all inbound and outbound traffic (or applying a restrictive network ACL) and to snapshot its EBS volumes, which cuts off further activity while preserving the instance for analysis. Stopping or terminating the instance is not the first choice: both destroy memory and instance-store data, and termination can delete the root volume. Once the instance is isolated, preserve the CloudTrail event itself and the VPC flow logs for the instance's network interface, and review the other API calls made by the same principal around the RunInstances time.

252
Multi-Selectmedium

Which TWO Windows artifacts can be used to identify recently accessed files or folders on a system? (Select the two best answers.)

Select 2 answers
A.Event ID 4624
B.SAM hive
C.Prefetch files
D.LNK files
E.ShellBags
AnswersD, E

Correct. LNK files point to recently opened files.

Why this answer

ShellBags store folder view settings and paths, while LNK files are shortcuts that record the target file path and timestamps. Both can indicate accessed locations.

253
MCQmedium

A network forensic analyst captures packets and sees a TCP SYN packet sent to port 80, followed by a SYN-ACK, then an ACK, and then an HTTP GET request. What can be concluded?

A.The session was hijacked after the handshake
B.A TCP half-open scan was performed
C.The TCP connection was successfully established
D.The connection was refused by the server
AnswerC

The three-way handshake completed, followed by data transfer.

Why this answer

This is the standard three-way handshake (SYN, SYN-ACK, ACK) followed by data (HTTP GET), indicating a successful TCP connection establishment.

254
Multi-Selectmedium

Which THREE of the following are common techniques used by malware to achieve persistence on a Windows system? (Select THREE)

Select 3 answers
A.Creating a scheduled task
B.Process hollowing
C.Adding a value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
D.WMI event subscription
E.Installing as a Windows service
AnswersA, C, E

Scheduled tasks can run malware at specific times or events.

Why this answer

Creating a scheduled task is a common persistence technique because it allows malware to execute at predefined times or system events, such as user logon or system startup. The Windows Task Scheduler can run arbitrary executables with SYSTEM privileges, making it a reliable method for maintaining access even after a reboot. Run-key values (C) execute at every logon of that user, and a Windows service (E) starts with the operating system under the account the service is configured for. Note that WMI event subscriptions (D) are also a well-documented persistence mechanism (MITRE ATT&CK T1546.003); the question key accepts A, C and E, and the only option that is clearly not persistence is process hollowing (B).

Exam trap

EC-Council often tests the distinction between persistence mechanisms and execution/injection techniques, so the trap here is confusing process hollowing (a runtime evasion method) with persistence methods that survive reboots.

255
Multi-Selectmedium

An analyst is examining a Windows 10 system and suspects the use of NTFS alternate data streams (ADS) to hide malicious executables. Which THREE methods can the analyst use to detect hidden ADS on the system?

Select 3 answers
A.Checking the $MFT for $DATA attributes where the attribute name is not empty
B.Using `Sysinternals streams.exe` to enumerate streams on the drive
C.Comparing file sizes from `dir` output with raw disk sector counts
D.Running `sfc /scannow` to verify system file integrity
E.Running `dir /r` in the command prompt to list files with alternate streams
AnswersA, B, E

Default $DATA has no name; named streams indicate ADS.

Why this answer

ADS can be detected by using tools that list streams (like streams.exe or dir /r), checking the $MFT for $DATA attributes with a non-empty name, or scanning for known malicious ADS names with forensic tools.
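Option A in practice: the Python below, added here as an illustration and not part of the CHFI material, builds a constructed 1024-byte MFT FILE record with an unnamed $DATA attribute and a named one, then walks the attribute list the way a forensic parser would, applying the update sequence (fixup) array first. The record number, the file content, the stream name 'evil.exe' and the payload bytes are all made up; in a real image the record comes from the $MFT file at 1024-byte stride and the named stream would show as `file.txt:evil.exe`.

```python
"""
Added example (not from the CHFI page): parse an MFT FILE record and
report named $DATA attributes, i.e. alternate data streams. The record
is constructed in build_sample_record(); nothing here reads a real disk.
"""
import struct

ATTR_STANDARD_INFO = 0x10
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
RECORD_SIZE = 1024
SECTOR = 512


def _align8(n):
    return (n + 7) & ~7


def _resident_attr(attr_type, name, content):
    """Build one resident attribute: 24-byte header, UTF-16LE name, content."""
    name_bytes = name.encode("utf-16-le")
    name_off = 24
    content_off = _align8(name_off + len(name_bytes))
    length = _align8(content_off + len(content))
    # type, length, non-resident flag, name length (chars), name offset,
    # flags, attribute id, content length, content offset, indexed flag, pad
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, len(name),
                      name_off, 0, 0, len(content), content_off, 0, 0)
    body = hdr + name_bytes
    body += b"\x00" * (content_off - len(body)) + content
    return body + b"\x00" * (length - len(body))


def build_sample_record(hidden_name="evil.exe", hidden_bytes=b"MZ\x90\x00constructed"):
    """Constructed FILE record: $STANDARD_INFORMATION, the default (unnamed)
    $DATA stream, and a named $DATA stream hiding a second payload."""
    attrs = (_resident_attr(ATTR_STANDARD_INFO, "", b"\x00" * 48)   # placeholder timestamps
             + _resident_attr(ATTR_DATA, "", b"just a text file\r\n")
             + _resident_attr(ATTR_DATA, hidden_name, hidden_bytes)
             + struct.pack("<I", ATTR_END) + b"\x00" * 4)
    first_attr = 0x38
    used = first_attr + len(attrs)
    # magic, USA offset, USA count, $LogFile LSN, sequence, link count,
    # first attribute offset, flags (1 = in use), used size, allocated size,
    # base record, next attribute id, pad, record number (made up)
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1,
                         first_attr, 0x01, used, RECORD_SIZE, 0, 4, 0, 42)
    rec = bytearray(header + b"\x00" * 8 + attrs)
    rec += b"\x00" * (RECORD_SIZE - len(rec))
    # Update sequence: the USN replaces the last two bytes of every sector,
    # and the originals are kept in the array right after the USN.
    usn = 0x0001
    usa = struct.pack("<H", usn)
    for s in range(RECORD_SIZE // SECTOR):
        end = (s + 1) * SECTOR
        usa += bytes(rec[end - 2:end])
        rec[end - 2:end] = struct.pack("<H", usn)
    rec[0x30:0x30 + len(usa)] = usa
    return bytes(rec)


def apply_fixups(record):
    """Undo the update sequence so attribute data spanning a sector edge is intact."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError("update sequence mismatch: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def data_streams(record):
    """All $DATA attributes as (name, size); name == '' is the normal stream."""
    rec = apply_fixups(record)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", rec, 0x14)[0]
    streams = []
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_DATA:
            nonres = rec[off + 8]
            name_len = rec[off + 9]
            name_off = struct.unpack_from("<H", rec, off + 10)[0]
            name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
            if nonres:   # non-resident: real size lives at +0x30 in the header
                size = struct.unpack_from("<Q", rec, off + 0x30)[0]
            else:        # resident: content length at +0x10
                size = struct.unpack_from("<I", rec, off + 0x10)[0]
            streams.append((name, size))
        off += alen
    return streams


def hidden_streams(record):
    """Named $DATA attributes are alternate data streams."""
    return [(n, s) for n, s in data_streams(record) if n]


if __name__ == "__main__":
    print(hidden_streams(build_sample_record()))
```

The same walk over every record in an extracted $MFT is what `dir /r` and streams.exe do through the live file system; parsing the $MFT directly also catches streams on files whose names have been removed from the directory index.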

256
MCQmedium

During a mobile forensic investigation, an analyst uses Cellebrite UFED to extract data from a locked iOS device. The extraction successfully retrieves the device's passcode, call logs, SMS messages, and application data. Which extraction method did the analyst MOST likely use?

A.File system extraction
B.Physical extraction
C.Advanced logical extraction
D.Logical extraction
AnswerC

Advanced logical extraction (e.g., via UFED) can extract passcodes and app data from locked iOS devices.

Why this answer

C is correct because Advanced Logical Extraction (ALE) on Cellebrite UFED leverages a combination of file system parsing, agent-based extraction, and exploit techniques to retrieve the device passcode, call logs, SMS messages, and application data from a locked iOS device without requiring a full physical dump. This method bypasses the logical extraction limitations by using a custom agent or AFC (Apple File Conduit) to access protected data, making it the most likely method for the described successful extraction.

Exam trap

EC-Council often tests the misconception that 'physical extraction' is the most powerful method for locked iOS devices, but the trap here is that physical extraction is rarely achievable on modern iOS due to hardware encryption, whereas Advanced Logical Extraction is the practical method used by tools like Cellebrite UFED to retrieve passcodes and application data from locked devices.

How to eliminate wrong answers

Option A is wrong because file system extraction typically requires the device to be jailbroken or have an unlocked state to mount the file system and retrieve raw files; it does not inherently retrieve the passcode from a locked device. Option B is wrong because physical extraction on iOS devices is extremely limited due to hardware encryption and secure enclave protections, and it rarely succeeds on locked devices without advanced bootrom exploits (e.g., checkm8), which are not standard in Cellebrite UFED for passcode retrieval. Option D is wrong because logical extraction only retrieves data that the device's operating system exposes via standard APIs (e.g., iTunes backup), which does not include the passcode or deep application data from a locked device.

257
MCQmedium

A Linux system uses the ext4 filesystem. A forensic analyst needs to recover a recently deleted file. Which of the following methods is MOST likely to succeed if the file's inode has not been reallocated?

A.Mount the filesystem with `mount -o ro,noatime` and browse
B.Use `dd` to copy the entire partition and search for the file signature
C.Use `ls -la` to view deleted file entries
D.Run `extundelete /dev/sda1 --restore-file /path/to/file`
AnswerD

Correct. extundelete is designed for this purpose.

Why this answer

extundelete recovers deleted files on ext3/ext4 by reading older copies of inode tables from the file system journal: if the journal still holds the inode with its block pointers (ext3) or extent tree (ext4) and those data blocks have not been reused, the file contents can be written back out. It must be run against an unmounted device or a read-only image (for example `dd` output), never a live mounted file system, because any write can overwrite the data blocks. On ext4 the kernel generally clears the extent tree in the on-disk inode at deletion, so success usually depends on the journal copy rather than the inode itself, which is why recovery works best soon after the deletion.

258
Multi-Selecteasy

Which TWO of the following are considered best practices for a first responder at a digital crime scene? (Select TWO.)

Select 2 answers
A.Power off the computer immediately to secure data
B.Boot the system into safe mode to examine logs
C.Disconnect all cables to isolate the device
D.Photograph the scene including screen contents and connections
E.Document all actions taken at the scene
AnswersD, E

Photographs document the original state.

Why this answer

First responders should not power off the system (volatile data would be lost) or start examining it; they should photograph the scene, including screen contents and cabling, and keep a written log of every action taken, with times, so that the state of the evidence can later be shown to be unaltered.

259
Multi-Selectmedium

During a mobile forensic investigation, an examiner wants to recover deleted WhatsApp messages from an Android device. Which of the following artefacts should the examiner examine? (Select TWO.)

Select 2 answers
A./data/media/0/Android/data/com.whatsapp/
B./data/data/com.android.providers.telephony/databases/mmssms.db
C./data/data/com.whatsapp/databases/msgstore.db
D./data/data/com.whatsapp/files/Avatars/
E./data/data/com.google.android.gms/databases/
AnswersA, C

This directory contains WhatsApp media and backup files that may include message history.

Why this answer

Option A is correct because WhatsApp stores media files (images, videos, voice notes) in its external app-specific storage under `/data/media/0/Android/data/com.whatsapp/`. Even after a message is deleted from the chat, the media file may remain in this directory if it was not explicitly removed, allowing recovery. Option C is correct because the primary SQLite database `msgstore.db` in `/data/data/com.whatsapp/databases/` contains the chat messages; rows deleted through the app are unlinked from the b-tree, but their bytes usually remain in the page's free blocks or in freelist pages until SQLite reuses the space or a VACUUM rewrites the file, so they can be carved from the raw database file (and from any `-wal` or `-journal` file sitting next to it). WhatsApp's SD-card backups (`msgstore.db.crypt*`) are encrypted and need the account's backup key from the app's private files directory to decrypt.

Exam trap

EC-Council often tests the distinction between the app-specific data directory (`/data/data/`) and the external media directory (`/data/media/0/`), tricking candidates into thinking only the internal database holds deleted messages, while media files in the external directory are also recoverable artefacts.
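Why deleted rows in a SQLite database such as msgstore.db are recoverable, shown with a constructed database rather than a real WhatsApp extraction (this is an added example, not CHFI material): the script creates a small chat table, deletes one message through the SQL API, then scans the raw file bytes and finds the message text that the database no longer reports. The table name, column names and message texts are made up and are not WhatsApp's schema.

```python
"""
Added example (not from the CHFI page): carve a deleted SQLite record
from a constructed database. Requires only the standard library.
"""
import os
import re
import sqlite3
import tempfile


def build_and_delete(db_path):
    """Create a chat table, then delete one message the way an app would."""
    conn = sqlite3.connect(db_path)
    # Make sure freed space is not zeroed; OFF is the default in most builds,
    # but some distributions compile SQLite with SQLITE_SECURE_DELETE.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (body) VALUES (?)",
        [("meet at the warehouse at 9",),
         ("delete this after reading",),
         ("ok see you there",)],
    )
    conn.commit()
    conn.execute("DELETE FROM messages WHERE body LIKE 'delete this%'")
    conn.commit()       # no VACUUM: the page keeps the old cell bytes as a freeblock
    conn.close()


def live_rows(db_path):
    """What the SQL API reports: the deleted row is gone."""
    conn = sqlite3.connect(db_path)
    rows = [r[0] for r in conn.execute("SELECT body FROM messages ORDER BY id")]
    conn.close()
    return rows


def carve_strings(db_path, min_len=8):
    """Printable runs in the raw file, ignoring the b-tree structure entirely.
    Deleted cells sit in page freeblocks or freelist pages until overwritten."""
    with open(db_path, "rb") as fh:
        raw = fh.read()
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]


def recover_deleted(db_path):
    """Carved strings that no live row accounts for and that are not schema text.
    A carved run may start with the record's serial-type byte, so live rows are
    matched as substrings rather than compared exactly."""
    live = live_rows(db_path)
    candidates = []
    for s in carve_strings(db_path):
        if any(body in s for body in live):
            continue
        if "SQLite format" in s or "CREATE TABLE" in s or s.startswith("table"):
            continue      # file header and sqlite_master entries
        candidates.append(s)
    return candidates


def demo():
    """Build the constructed database in a temp dir; return (live rows, carved leftovers)."""
    path = os.path.join(tempfile.mkdtemp(prefix="chfi_sqlite_"), "msgstore.db")
    build_and_delete(path)
    return live_rows(path), recover_deleted(path)


if __name__ == "__main__":
    live, recovered = demo()
    print("live rows:     ", live)
    print("carved strings:", recovered)
```

Running `VACUUM` on the database before the second scan removes the leftover, which is exactly why an examiner works on a copy and never lets the application (or a tool that opens the file read-write) touch the original. Real msgstore.db files are far larger and use more columns, so a proper parser walks the SQLite page freeblocks and freelist rather than grepping for ASCII, but the underlying reason the data survives is the same.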

260
MCQmedium

During a forensic investigation, an analyst acquires a hard drive using a hardware write blocker. Which of the following is the PRIMARY reason for using a hardware write blocker?

A.To increase the transfer speed of the imaging process.
B.To bypass the drive's password protection.
C.To compress the data during imaging.
D.To ensure that the operating system does not mount the drive as writable.
AnswerD

The primary purpose is to prevent any writes to the original evidence drive.

Why this answer

The primary reason for using a hardware write blocker is to physically intercept the SATA/IDE bus between the suspect drive and the forensic workstation, ensuring that only read commands (e.g., ATA READ DMA) are passed through while blocking any write commands (e.g., ATA WRITE DMA). This prevents the operating system from mounting the drive as writable, which would otherwise cause automatic writes (e.g., timestamp updates, journaling, or prefetch creation) that alter evidence and break the chain of custody.

Exam trap

The trap here is that candidates confuse the write blocker's purpose with performance features (speed, compression) or assume it can bypass security mechanisms, when in fact its sole forensic function is to guarantee read-only access at the hardware interface level.

How to eliminate wrong answers

Option A is wrong because hardware write blockers do not increase transfer speed; they operate at the bus speed and may even introduce slight latency due to filtering logic. Option B is wrong because bypassing drive password protection is not a function of a write blocker; that requires specialized tools like forensic drive unlockers or ATA security commands. Option C is wrong because compression is a software feature of imaging tools (e.g., dd with gzip, FTK Imager, EnCase) and is unrelated to the hardware write blocker's role of write prevention.

261
Multi-Selectmedium

A forensic examiner is analyzing an Android device and needs to extract application data from the /data/data/ directory. Which TWO conditions must be met to access this directory? (Select TWO.)

Select 2 answers
A.USB debugging must be enabled
B.The device must be rooted
C.The device must be in recovery mode
D.The bootloader must be unlocked
E.The screen must be unlocked
AnswersA, B

ADB requires USB debugging to be enabled.

Why this answer

The /data/data/ directory on Android contains application private data, which is protected by Linux user permissions (UID/GID) and SELinux policies. USB debugging must be enabled (Option A) to allow the forensic workstation to communicate with the device via ADB (Android Debug Bridge) for command execution. The device must be rooted (Option B) because the /data/data/ directory is owned by the system and individual app UIDs, and only a root user (UID 0) can bypass these permissions to read all application data.

Exam trap

EC-Council often tests the misconception that unlocking the bootloader or using recovery mode alone provides full filesystem access, but the key distinction is that root privileges are required to override Linux UID permissions, and USB debugging is required for ADB communication.

262
Multi-Selecteasy

Which TWO of the following are common challenges specific to cloud forensics?

Select 2 answers
A.Multi-tenancy issues
B.Data jurisdiction
C.Inability to create disk images
D.Permanent data deletion recovery
E.Lack of forensic tools
AnswersA, B

Data from multiple tenants may be co-mingled, complicating isolation.

Why this answer

Multi-tenancy complicates data isolation, and data jurisdiction affects legal access to data across regions.

263
Multi-Selecthard

In the context of e-discovery, which THREE of the following are key steps in the Electronic Discovery Reference Model (EDRM)? (Select THREE)

Select 3 answers
A.Preservation
B.Production
C.Collection
D.Prosecution
E.Investigation
AnswersA, B, C

Preservation is a critical step to prevent spoliation.

Why this answer

The EDRM stages are Information Governance, Identification, Preservation, Collection, Processing, Review, Analysis, Production and Presentation. Preservation, Collection and Production are the three listed here; Prosecution and Investigation are not EDRM stages (prosecution is a legal outcome, and investigation is the forensic activity that e-discovery may feed into).

264
MCQmedium

An investigator is analyzing cloud storage logs and finds an entry showing that a file was accessed using the root credentials from an IP address in a different geographic region. The organization has strict policies against root usage. What should the investigator do FIRST?

A.Check if the activity correlates with a known vulnerability or authorized task
B.Contact law enforcement for cybercrime investigation
C.Change the password of the root account
D.Immediately revoke the root access keys
AnswerA

This helps determine if the access is malicious or accidental.

Why this answer

Option A is correct because the first step in any forensic investigation is to correlate the suspicious activity with known events, such as authorized tasks or vulnerabilities, to avoid false positives. Root access from an unfamiliar IP could be legitimate if tied to a scheduled maintenance window or a known vulnerability exploitation attempt that requires verification. Prematurely changing credentials or contacting law enforcement could destroy evidence or alert an attacker before the scope is understood.

Exam trap

The trap here is that candidates panic and choose a reactive security action (like revoking keys or changing passwords) instead of following forensic best practice: preserve and validate before acting.

How to eliminate wrong answers

Option B is wrong because contacting law enforcement is a premature escalation step that should only occur after internal validation and evidence preservation, not as the first action. Option C is wrong because changing the root password could alert an active attacker and destroy volatile evidence such as active sessions or memory artifacts. Option D is wrong because immediately revoking root access keys could disrupt legitimate operations and also destroy evidence; the investigator must first verify the activity's legitimacy and preserve logs.

265
MCQhard

A forensic analyst is using Plaso (log2timeline) to create a super timeline from a compromised Windows system. Which of the following is the PRIMARY advantage of using Plaso over manual timeline creation?

A.It automatically correlates events from different sources and provides a unified timeline
B.It can detect malware by signature scanning
C.It generates a timeline only from Windows Event Logs
D.It encrypts the timeline for secure storage
AnswerA

Plaso extracts timestamps from many artifacts and creates a single timeline, enabling efficient analysis of event sequences.

Why this answer

Plaso automates the extraction and correlation of timestamps from multiple artifacts (registry, event logs, file system, etc.) into a unified timeline, saving time and reducing errors compared to manual extraction.

266
MCQmedium

An analyst is performing malware analysis and executes a suspicious binary in a sandbox. The sandbox reports that the binary creates a mutex named 'Global\DRIVER_UPDATE_MTX' before attempting to connect to 'http://malicious.com/update'. Which tool would BEST capture the network traffic during dynamic analysis?

A.Regshot
B.Wireshark
C.Process Explorer
D.Process Monitor
AnswerB

Wireshark captures and analyzes network packets, ideal for monitoring C2 traffic.

Why this answer

Wireshark is the correct tool because it captures and analyzes network packets at the protocol level, allowing the analyst to inspect the HTTP request to 'http://malicious.com/update', including headers, payload, and any subsequent data exfiltration. Dynamic analysis of malware requires monitoring network traffic to identify command-and-control (C2) communications, and Wireshark provides full packet capture (PCAP) for this purpose.

Exam trap

EC-Council often tests the distinction between host-based monitoring tools (like Process Monitor and Process Explorer) and network-based capture tools (like Wireshark), leading candidates to choose a host-based tool when the question explicitly asks for network traffic capture.

How to eliminate wrong answers

Option A is wrong because Regshot is a registry and file system snapshot comparison tool, not a network traffic capture tool; it cannot capture HTTP or TCP/IP packets. Option C is wrong because Process Explorer is a process management and analysis utility that shows handles, DLLs, and threads, but it does not capture network traffic at the packet level. Option D is wrong because Process Monitor monitors file system, registry, and process/thread activity in real time, but it does not capture raw network packets or HTTP traffic.

267
Multi-Selectmedium

Which TWO of the following are essential duties of a first responder at a digital crime scene? (Select two.)

Select 2 answers
A.Photograph the scene including the screen, connections, and surrounding area
B.Use a write blocker when connecting the suspect drive to a forensic workstation
C.Attempt to recover deleted files using forensic software on the live system
D.Power off the computer immediately to prevent data modification
E.Disconnect the computer from the network to stop remote access
AnswersA, B

Documenting the scene is critical.

Why this answer

First responders must secure the scene, document everything, preserve evidence and avoid altering the system state. Photographing the scene (A) and imaging the suspect drive through a write blocker (B) do exactly that. Running recovery software on the live system (C) writes to the evidence and changes timestamps; powering off without first capturing RAM (D) destroys volatile data and is generally avoided; pulling the network cable (E) is sometimes justified to stop an active intrusion, but it alters the system state and must be a documented decision rather than a routine first step.

268
MCQeasy

Which of the following is an example of an indicator of compromise (IoC) that can be used to detect malware on a network?

A.A mutex name
B.A known malicious IP address
C.A registry key modification
D.A file's MD5 hash
AnswerB

Malicious IP addresses are network-based IoCs indicating C2 or malware distribution.

Why this answer

A known malicious IP address is a classic indicator of compromise (IoC) because it directly identifies a command-and-control (C2) server or a source of malicious traffic. Network monitoring tools can match outbound or inbound connections against threat intelligence feeds of known bad IPs, triggering an alert. This is a network-based IoC that requires no host-level analysis, making it ideal for initial detection.

Exam trap

EC-Council often tests the distinction between network-based and host-based IoCs, and the trap here is that candidates mistakenly classify host-level artifacts (mutex, registry, hash) as network IoCs because they are common in malware analysis, but the question explicitly asks for an indicator 'on a network'.

How to eliminate wrong answers

Option A is wrong because a mutex name is a host-based artifact used to detect malware on an infected system (e.g., ensuring only one instance runs), not a network-based IoC. Option C is wrong because a registry key modification is a host-based forensic artifact indicating persistence or configuration changes on a Windows system, not a network-level indicator. Option D is wrong because a file's MD5 hash is a host-based file integrity check or malware signature, used to identify known malicious files on disk, not to detect malware on the network.

269
MCQhard

During a forensic examination, an analyst uses the command 'dd if=/dev/sda of=/mnt/evidence/image.dd bs=4096 conv=noerror,sync'. What is the primary purpose of the 'conv=noerror,sync' option in this context?

A.To split the image into multiple smaller files
B.To skip bad sectors and continue imaging, padding the output with zeros
C.To compress the output image file
D.To verify the image integrity using a hash
AnswerB

noerror allows dd to continue on read errors, and sync pads the output so that the resulting image is the same size as the original device.

Why this answer

The 'conv=noerror,sync' option tells dd to continue reading even when it encounters read errors (noerror) and to pad any short or failed input block with zeros up to the block size (sync), so that every later byte stays at the same offset as on the source. Without sync, a failed read simply produces no output and everything after it shifts, which breaks partition tables, file system structures and any hash-based verification of the layout. Two caveats matter in practice. First, dd pads the whole failed block, so with bs=4096 a single bad 512-byte sector costs eight sectors of data; use bs=512 around bad regions, or a tool such as ddrescue or dc3dd that retries and logs bad sectors. Second, with conv=sync a short final read is also padded, so the image can be slightly larger than a device whose size is not a multiple of the block size; record the device's exact size alongside the hash.

Exam trap

The trap here is that candidates often confuse 'conv=noerror,sync' with error correction or data recovery, when in fact it simply allows the imaging to proceed past bad sectors by padding with zeros, not by recovering the lost data.

How to eliminate wrong answers

Option A is wrong because dd itself does not split its output; splitting is done by piping into `split` or by using a forensic variant such as `dcfldd`/`dc3dd` with a split-size option. Option C is wrong because compression is not a function of dd's conv parameter; compression requires piping through gzip or using a separate tool. Option D is wrong because hash verification is done with separate commands like 'md5sum' or 'sha256sum' (or `dc3dd`'s built-in hashing), not with the conv parameter of dd.
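A model of the padding behaviour, added here as an illustration (it is not from the CHFI page and touches no real disk): FlakyDevice is a constructed 16-sector drive with one bad sector, and dd_image() imitates `dd bs=<bs> conv=noerror,sync` over it. Comparing bs=4096 with bs=512 shows both why sync keeps later data at the right offset and how much good data a large block size throws away around one bad sector.

```python
"""
Added example (not from the CHFI page): what conv=noerror,sync does on a
read error, modelled in Python over a constructed failing device.
"""

SECTOR = 512


class FlakyDevice:
    """Constructed device: each sector is filled with its own index byte.
    Like a real block device, a read that overlaps a bad sector fails as a whole."""

    def __init__(self, n_sectors=16, bad_sectors=(10,)):
        self.data = b"".join(bytes([i]) * SECTOR for i in range(n_sectors))
        self.bad = set(bad_sectors)

    def read(self, offset, size):
        end = min(offset + size, len(self.data))
        first, last = offset // SECTOR, (end - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise IOError("Input/output error")
        return self.data[offset:end]


def dd_image(device, bs=4096, noerror=True, sync=True):
    """Model of `dd bs=<bs> conv=noerror,sync`.
    noerror: keep going after a failed read instead of aborting.
    sync:    pad a short or failed read to a full bs block with NULs so that
             later data keeps its original offset.
    Returns (image bytes, list of offsets where a read failed)."""
    out = bytearray()
    failed_at = []
    offset = 0
    while offset < len(device.data):
        try:
            chunk = device.read(offset, bs)
        except IOError:
            if not noerror:
                raise
            failed_at.append(offset)
            chunk = b""                       # dd gets nothing back for this block
        if sync and len(chunk) < bs:
            chunk += b"\x00" * (bs - len(chunk))
        out += chunk
        offset += bs
    return bytes(out), failed_at


def lost_sectors(image, device):
    """Sector indices whose bytes in the image differ from the device."""
    n = len(device.data) // SECTOR
    return [i for i in range(n)
            if image[i * SECTOR:(i + 1) * SECTOR] != device.data[i * SECTOR:(i + 1) * SECTOR]]


if __name__ == "__main__":
    dev = FlakyDevice()
    for bs in (4096, 512):
        img, failed = dd_image(dev, bs=bs)
        print(f"bs={bs}: image {len(img)} bytes, failed reads at {failed}, "
              f"sectors lost {lost_sectors(img, dev)}")
    img, _ = dd_image(dev, bs=4096, sync=False)
    print(f"bs=4096 without sync: image is only {len(img)} bytes, offsets shifted")
```

After a real acquisition, hash the image (sha256sum) and keep the failed offsets that dd reports on stderr with the case notes; ddrescue's map file records the same information automatically and lets you retry just the bad regions later.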

270
MCQhard

During a memory forensics analysis using Volatility, an examiner runs 'python vol.py -f memory.dmp pslist' and sees a suspicious process named 'expl0rer.exe' with a PPID of 4. What does a PPID of 4 indicate, and what should the examiner do next?

A.The process is probably a hidden or injected process; run 'psxview' and 'malfind' to detect anomalies
B.The process is a child of the System process, indicating it is a legitimate system process; no further action needed
C.The process is a child of the System Idle Process, which is normal; ignore it
D.The process has been injected into the System process and is likely a rootkit; run 'psscan' to verify
AnswerA

'psxview' cross-references with other sources to find hidden processes; 'malfind' searches for injected code.

Why this answer

PID 4 is the Windows System process. Its only legitimate user-mode child is smss.exe (on Windows 10 and later the kernel-side Registry and MemCompression processes also show PPID 4). Any other process reporting PPID 4, especially one with a look-alike name such as 'expl0rer.exe' (the real explorer.exe is started by userinit.exe, which normally exits, leaving explorer with a parent that no longer exists), is anomalous and suggests a hidden, injected or rootkit-backed process, or a forged parent. The examiner should run psxview to cross-check the process against the other enumeration sources (the active process list, pool scanning, csrss handles, session and thread structures), malfind to look for injected executable memory regions, and then dump the process for analysis. Note that the command shown uses Volatility 2 syntax (which also needs a --profile); in Volatility 3 the plugins are named windows.pslist, windows.psscan, windows.pstree and windows.malfind.
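The "know normal, find evil" check this question relies on, as an added example (not from the CHFI page): parse a process listing, then flag unexpected children of System, core processes with the wrong parent, and look-alike names. SAMPLE_PSLIST is a constructed listing trimmed to PID, PPID and image name; it is not real Volatility output, and the PIDs are made up. The expected-parent table covers Windows 10 and later and is the assumption the checks rest on.

```python
"""
Added example (not from the CHFI page): parent/child sanity checks over a
pslist-style process listing.
"""

# Constructed listing (PID, PPID, image name); not real Volatility output.
SAMPLE_PSLIST = """\
PID   PPID  ImageFileName
4     0     System
92    4     Registry
368   4     smss.exe
452   444   csrss.exe
528   444   wininit.exe
640   528   services.exe
656   528   lsass.exe
1180  640   svchost.exe
1234  4     expl0rer.exe
2312  2296  explorer.exe
"""

# Which process may be the parent of each core Windows process (assumed: Windows 10+).
EXPECTED_PARENT = {
    "Registry": {"System"},
    "MemCompression": {"System"},
    "smss.exe": {"System"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe"},
}
LEGIT_CHILDREN_OF_SYSTEM = {"smss.exe", "Registry", "MemCompression"}
LEET = str.maketrans("01345", "oleas")   # common look-alike substitutions


def parse_pslist(text):
    """Return {pid: (ppid, image name)}, skipping the header line."""
    procs = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, ppid, name = line.split(None, 2)
        procs[int(pid)] = (int(ppid), name.strip())
    return procs


def find_anomalies(procs):
    """Return (pid, name, reason) for every process that breaks a rule."""
    findings = []
    known = set(EXPECTED_PARENT) | {"System"}
    known_lower = {k.lower() for k in known}
    for pid, (ppid, name) in sorted(procs.items()):
        # A missing parent (smss.exe and userinit.exe exit after spawning) is normal,
        # so the parent-name check only runs when the parent is still listed.
        parent = procs[ppid][1] if ppid in procs else None
        if ppid == 4 and name not in LEGIT_CHILDREN_OF_SYSTEM:
            findings.append((pid, name, "unexpected child of System (PPID 4)"))
        if name in EXPECTED_PARENT and parent is not None \
                and parent not in EXPECTED_PARENT[name]:
            findings.append((pid, name,
                             f"parent is {parent}, expected one of {sorted(EXPECTED_PARENT[name])}"))
        if name not in known and name.lower().translate(LEET) in known_lower:
            findings.append((pid, name, "look-alike of a core process name"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_anomalies(parse_pslist(SAMPLE_PSLIST)):
        print(f"PID {pid:<6} {name:<16} {reason}")
```

The listing comes from pslist, which walks the kernel's linked list and can be fooled by unlinking; feeding the same checks the output of psscan (pool scanning) and comparing the two sets of PIDs is the manual equivalent of psxview.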

271
Multi-Selecthard

During a mobile forensic examination of an iOS device, the analyst encounters encrypted backups. Which THREE of the following are valid methods to access the data?

Select 3 answers
A.Performing a logical acquisition via ADB
B.Using Cellebrite UFED to force a physical extraction without backup
C.Obtaining the backup password from the device owner through legal process
D.Brute-forcing the backup password using a tool like Elcomsoft Phone Breaker
E.Using GrayKey to bypass the device passcode and then extract the backup key
AnswersC, D, E

If legally permissible, the user can provide the password.

Why this answer

Option C is correct because obtaining the backup password from the device owner through a legal process is a standard and valid method to access encrypted iOS backups. The backup password is required to decrypt the backup data, and if the owner provides it voluntarily or under a court order, the forensic analyst can legally access the encrypted backup contents. Option D is correct because a password-protected iTunes/Finder backup can be attacked offline: the password is run through a slow key derivation, so tools such as Elcomsoft Phone Breaker brute-force or dictionary-attack it on GPUs, and success depends on the password's strength. Option E is correct because GrayKey works on the device itself to get past the passcode; with the device unlocked the examiner can take a new backup, reset the backup password from the device's settings (possible on iOS 11 and later once the passcode is known), or extract the file system directly. Option A is wrong because ADB is an Android tool and does not exist on iOS; Option B is wrong because a physical extraction cannot simply be forced on a modern, locked iPhone.

Exam trap

EC-Council often tests the misconception that physical extraction is always possible on iOS devices; because of hardware encryption and the Secure Enclave, a usable physical dump of a modern iPhone generally requires the passcode (or a bootrom-level exploit on older chips), and the backup password protects only the backup, not the device's own storage.

272
MCQeasy

Which of the following is the PRIMARY purpose of using a write blocker in computer forensics?

A.To speed up the imaging process by caching writes.
B.To convert the hard drive interface from SATA to USB.
C.To encrypt the forensic image for secure transport.
D.To prevent any modification to the original evidence drive during acquisition.
AnswerD

This is the primary purpose: preserving the original evidence.

Why this answer

A write blocker ensures that no data is written to the original evidence drive during acquisition, maintaining its integrity.

273
Multi-Selecthard

Which THREE of the following are common challenges specific to cloud forensics? (Select THREE)

Select 3 answers
A.Data jurisdiction and legal compliance across regions
B.Volatility of evidence due to auto-scaling and ephemeral instances
C.Inability to acquire physical hard drives
D.Lack of standardized log formats
E.High cost of forensic tools
AnswersA, B, C

Data may be stored in multiple countries with different laws.

Why this answer

Cloud forensics faces data jurisdiction (evidence is subject to the laws of whichever region stores it), volatile evidence (auto-scaled and ephemeral instances disappear together with their local storage) and the inability to seize or image physical drives, since the provider owns the hardware and shares it across tenants; acquisition has to go through provider mechanisms such as volume snapshots, API-driven memory capture and exported logs.

274
MCQhard

A malware analyst is examining a PE file that has a section named '.tls' and imports from 'kernel32.dll' and 'ntdll.dll'. The entry point points to a small stub that decrypts the main code at runtime. Which of the following best describes this technique?

A.Code injection via Reflective DLL
B.TLS callback-based decryption
C.Packing with UPX
D.Anti-debugging via NtGlobalFlag
AnswerB

TLS callbacks can execute before the main entry point, often used to decrypt code.

Why this answer

A '.tls' section holds the PE's Thread Local Storage directory (IMAGE_DIRECTORY_ENTRY_TLS). Its AddressOfCallBacks field points to a list of functions that the loader calls before the executable's entry point (and again on every thread creation). Malware registers a callback that decrypts the real code, so that by the time the entry-point stub runs, or a debugger breaks at the entry point, the payload is already in place. The kernel32.dll and ntdll.dll imports are not a signal on their own (almost every PE imports them); the .tls section together with a decrypting stub is. Confirm by reading the TLS data directory from the optional header rather than trusting the section name, since sections can be named arbitrarily.

Exam trap

EC-Council often tests the distinction between TLS callbacks and other obfuscation techniques, and the trap here is that candidates confuse the '.tls' section with packing or injection, failing to recognize that TLS callbacks execute before the entry point and are a legitimate PE feature exploited for decryption.

How to eliminate wrong answers

Option A is wrong because Reflective DLL injection loads a DLL from memory without using the standard LoadLibrary API, and it does not rely on a '.tls' section or TLS callbacks for decryption. Option C is wrong because UPX packing typically adds sections named 'UPX0' and 'UPX1' rather than a '.tls' section, and its entry point points to an unpacking stub rather than a decryption stub that uses TLS callbacks. Option D is wrong because anti-debugging via NtGlobalFlag involves checking the Process Environment Block (PEB) for the BeingDebugged flag or NtGlobalFlag value, which is unrelated to the '.tls' section or runtime decryption of code.

275
Multi-Selecteasy

Which TWO of the following are common Linux log files that can be used for forensic analysis?

Select 2 answers
A./etc/passwd
B./var/log/syslog
C./var/log/auth.log
D./etc/shadow
E./proc/cpuinfo
AnswersB, C

Captures system logs including kernel messages, services, etc.

Why this answer

/var/log/auth.log records authentication attempts, sudo use and PAM events, and /var/log/syslog records general system messages; both are the Debian/Ubuntu names. On Red Hat derived systems the equivalents are /var/log/secure and /var/log/messages, and systemd-based hosts also keep the binary journal (journalctl). /etc/passwd and /etc/shadow are account databases, not logs, and /proc/cpuinfo is a kernel view of the hardware.

276
MCQmedium

A network forensics analyst captures traffic and sees a series of TCP SYN packets sent to multiple ports on a target, with no corresponding SYN-ACK replies. What type of activity is MOST likely indicated?

A.A denial-of-service (DoS) flood
B.A port scan reconnaissance
C.A man-in-the-middle attack
D.Normal web browsing traffic
AnswerB

SYN packets to multiple ports without replies indicate scanning for open ports.

Why this answer

A port scan sends SYN packets to many ports from one source. An open port answers with SYN-ACK and a closed port with RST/ACK; many SYNs with no SYN-ACK at all means the ports are closed or, more likely when even RSTs are absent, filtered by a firewall dropping the probes. That pattern is characteristic of reconnaissance rather than a SYN flood (which hammers one service at a high rate) or normal browsing (few ports, completed handshakes followed by data).
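The handshake states behind question 253 and the scan pattern behind question 276, replayed over a constructed packet list (an added example, not from the CHFI page): classify_flows() tracks SYN, SYN-ACK, ACK and RST per connection and labels each flow, and detect_scans() counts how many distinct ports one source probed without ever completing a handshake. The addresses, ports and payload sizes in PACKETS are made up; a real tool would take the tuples from a pcap via a capture library.

```python
"""
Added example (not from the CHFI page): classify TCP flows by replaying
handshake flags, then flag sources that probe many ports.
"""
from collections import defaultdict

# Constructed capture: (src, sport, dst, dport, flags, payload_bytes)
PACKETS = [
    # a client completes the three-way handshake and sends an HTTP GET
    ("10.0.0.5", 40001, "192.168.1.10", 80, "S", 0),
    ("192.168.1.10", 80, "10.0.0.5", 40001, "SA", 0),
    ("10.0.0.5", 40001, "192.168.1.10", 80, "A", 0),
    ("10.0.0.5", 40001, "192.168.1.10", 80, "PA", 84),    # GET / HTTP/1.1 ...
    ("192.168.1.10", 80, "10.0.0.5", 40001, "PA", 512),   # 200 OK
    # half-open (nmap -sS style) probe of port 80: SYN, SYN-ACK, then RST from the scanner
    ("10.0.0.99", 55100, "192.168.1.10", 80, "S", 0),
    ("192.168.1.10", 80, "10.0.0.99", 55100, "SA", 0),
    ("10.0.0.99", 55100, "192.168.1.10", 80, "R", 0),
]
# the same scanner probes ten more ports; only 22 answers (RST/ACK = closed), the rest are filtered
for _i, _port in enumerate([21, 22, 23, 25, 110, 135, 139, 443, 445, 3389]):
    PACKETS.append(("10.0.0.99", 55000 + _i, "192.168.1.10", _port, "S", 0))
PACKETS.append(("192.168.1.10", 22, "10.0.0.99", 55001, "RA", 0))


def classify_flows(packets):
    """Return {(client, cport, server, sport): state}.
    States: established (SYN, SYN-ACK, ACK seen), half-open (SYN-ACK never
    acknowledged), refused (server sent RST), unanswered (SYN only)."""
    flows = {}
    for src, sport, dst, dport, flags, plen in packets:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags == "S":                      # a bare SYN opens a flow (client -> server)
            flows.setdefault(fwd, {"synack": False, "ack": False, "rst": False, "bytes": 0})
            continue
        if rev in flows:                      # server -> client
            st = flows[rev]
            if "S" in flags and "A" in flags:
                st["synack"] = True
            elif "R" in flags:
                st["rst"] = True
            st["bytes"] += plen
        elif fwd in flows:                    # client -> server after the SYN
            st = flows[fwd]
            if "A" in flags and st["synack"]:
                st["ack"] = True
            st["bytes"] += plen
        # packets of flows whose SYN was not captured are ignored here
    states = {}
    for key, st in flows.items():
        if st["synack"] and st["ack"]:
            states[key] = "established"
        elif st["rst"]:
            states[key] = "refused"
        elif st["synack"]:
            states[key] = "half-open"
        else:
            states[key] = "unanswered"
    return states


def detect_scans(packets, min_ports=5):
    """(src, dst, distinct ports probed without a completed handshake), above a threshold."""
    probed = defaultdict(set)
    for (src, sport, dst, dport), state in classify_flows(packets).items():
        if state != "established":
            probed[(src, dst)].add(dport)
    return sorted((src, dst, len(ports)) for (src, dst), ports in probed.items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    for key, state in sorted(classify_flows(PACKETS).items()):
        print(key, state)
    print("scanners:", detect_scans(PACKETS))
```

The threshold and the one-sided view are the usual caveats: a capture taken on only one side of an asymmetric route shows every flow as unanswered, and a busy client legitimately talks to several ports on one server, so in an IDS the count is combined with timing and with the ratio of completed to uncompleted handshakes.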

277
MCQeasy

According to Locard's exchange principle, which of the following is MOST relevant to digital forensics?

A.The chain of custody must be maintained for all evidence
B.When a person interacts with a digital device, they leave digital traces that can be recovered
C.Every crime scene contains at least one latent fingerprint
D.Digital evidence is always stored in non-volatile memory
AnswerB

This is the digital adaptation of Locard's principle.

Why this answer

Locard's principle states that every contact leaves a trace. In digital forensics, this translates to the concept that digital devices leave traces of their activities and interactions, such as logs, metadata, and artifacts.

278
MCQhard

A forensic tool outputs a timeline of file system events. The analyst needs to correlate registry modifications with file creation times. Which tool is specifically designed for super timeline creation from multiple sources?

A.Plaso
B.Autopsy
C.Volatility
D.Sleuth Kit
AnswerA

Plaso (log2timeline) creates super timelines by parsing multiple sources.

Why this answer

Plaso (log2timeline) is a timeline creation tool that aggregates data from various forensic artifacts into a super timeline.

279
MCQhard

During malware dynamic analysis in a sandbox, a sample creates a file named 'C:\Users\Admin\AppData\Local\Temp\svchost.dll' and then executes 'rundll32.exe C:\Users\Admin\AppData\Local\Temp\svchost.dll,Start'. This behavior is indicative of which technique?

A.DLL injection
B.Process hollowing
C.Reflective DLL loading
D.DLL side-loading
AnswerD

The malware writes a DLL with a legitimate-looking name to a user-writable folder and runs it through rundll32.exe, a signed Microsoft binary, so the malicious code executes under a trusted process name.

Why this answer

D is the keyed answer because a trusted, signed executable (rundll32.exe) is made to load an attacker-supplied DLL from a non-standard location, using a file name ('svchost.dll') chosen to blend in. Strictly speaking, because the full path is given on the command line, no DLL search-order hijack is involved; MITRE ATT&CK would label this Signed Binary Proxy Execution via Rundll32 (T1218.011) combined with masquerading, and reserves DLL side-loading (T1574.002) for the case where a legitimate application loads a malicious DLL placed in its own directory or earlier in the search order. For the exam, the key treats any trusted-binary-loads-malicious-DLL pattern as side-loading, and the distinguishing facts are that the DLL is written to disk and executed by a legitimate host process rather than injected into a running one.

Exam trap

The trap here is that candidates confuse DLL side-loading with DLL injection because both involve a DLL being loaded by a legitimate process, but side-loading relies on the search order and file placement, while injection requires active code injection into a running process.

How to eliminate wrong answers

Option A is wrong because DLL injection involves forcing a target process to load a DLL into its address space using API calls like CreateRemoteThread and LoadLibrary, not by executing a DLL directly via rundll32.exe. Option B is wrong because process hollowing replaces the legitimate code of a process (e.g., svchost.exe) with malicious code in memory, whereas here the sample executes rundll32.exe to load a DLL, not hollowing out an existing process. Option C is wrong because reflective DLL loading loads a DLL entirely from memory without touching the disk, but here the DLL is written to disk first (C:\Users\Admin\AppData\Local\Temp\svchost.dll) and then executed, so it is not reflective.

280
Multi-Selecthard

A malware analyst is performing static analysis on a packed executable. Which THREE techniques are effective for unpacking or analyzing packed malware? (Select THREE.)

Select 3 answers
A.Renaming the file to .txt
B.Performing strings analysis on the packed binary
C.Running PEiD to identify the packer
D.Executing the sample in Cuckoo Sandbox
E.Using OllyDbg to step through the unpacking routine
AnswersB, C, E

Strings may reveal embedded data or unpacked code regions.

Why this answer

Option B is correct because performing strings analysis on a packed binary can reveal embedded strings, such as import hints, configuration data, or the original entry point (OEP), which may survive packing. While packing obfuscates many strings, some packers leave remnants that static analysis tools like `strings` can extract, providing initial clues about the malware's functionality without execution.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis techniques, and the trap here is that candidates may incorrectly select dynamic methods like Cuckoo Sandbox (Option D) when the question explicitly limits the scope to static analysis.

281
Matching (medium)

Match each log type to its typical content.


Concepts
Matches

Login attempts, privilege use

Driver failures, system crashes

Application errors and events

Allowed/blocked network connections

HTTP requests, IP addresses, user agents

Why these pairings

These logs record different categories of events.

282
MCQ (medium)

In an ext4 file system, a forensic analyst needs to examine the journal to recover recently deleted files. Where is the journal typically stored?

A. In a reserved area after the superblock
B. In the superblock
C. In a special inode (inode 8)
D. In the group descriptor table
Answer: C

The journal is stored in inode 8 by default.

Why this answer

In ext4, the journal is stored in a special inode (inode 8) or as a file named .journal. It can also be stored in a separate block group.

283
MCQ (medium)

An analyst discovers a suspicious file named 'cmd.aspx' in the uploads directory of an IIS web server. Analysis reveals the file contains code to execute system commands. What is this file most likely?

A. A log file
B. A benign configuration file
C. A web shell
D. A backup of a legitimate page
Answer: C

Web shells are scripts that provide remote access and command execution.

Why this answer

A file with an .aspx extension that executes system commands is a web shell, allowing remote command execution on the server.

284
MCQ (medium)

During a forensic investigation, you encounter a Windows system with an NTFS volume. The suspect claims they never used the recycle bin, but you find files in the $Recycle.bin folder. Which artifact can help you determine the original file path and deletion time?

A. The USN journal
B. The file slack space
C. The $I file in the $Recycle.bin folder
D. The $MFT entry for the deleted file
Answer: C

$I files contain the original path and the deletion time.

Why this answer

The $Recycle.bin contains $I (info) and $R (data) files. The $I file stores metadata including original filename, path, and deletion timestamp.

285
Multi-Select (hard)

Which TWO of the following are challenges in SSD forensics compared to traditional HDD forensics? (Choose two.)

Select 2 answers
A. SSDs are not compatible with forensic imaging tools
B. Wear leveling distributes data across blocks, making it harder to recover specific files
C. TRIM command causes deleted data to be erased quickly
D. SSDs have larger storage capacity than HDDs
E. SSDs are more resistant to physical damage
Answers: B, C

Wear leveling moves data around, complicating file carving.

Why this answer

B is correct because wear leveling is a fundamental SSD technology that spreads write operations evenly across all memory blocks to prevent premature wear. This process scatters file fragments across different physical locations, making it significantly harder to recover specific files using traditional forensic methods that rely on contiguous data storage.

Exam trap

EC-Council often tests the misconception that TRIM is a challenge only for deleted data recovery, but candidates must also recognize wear leveling as a separate, equally critical challenge that affects the forensic recovery of both deleted and existing files.

286
Multi-Select (medium)

Which THREE of the following are best practices for conducting malware forensics in a safe and effective manner?

Select 3 answers
A. Use a dedicated forensic workstation that is not connected to any network
B. Delete the malware sample after analysis to prevent accidental infection
C. Always create a cryptographic hash of the malware sample before analysis
D. Use a virtual machine or sandbox for dynamic analysis
E. Run all analysis using the same tools and versions as the attacker
Answers: A, C, D

Prevents malware from spreading and ensures analysis integrity.

Why this answer

Option A is correct because a dedicated forensic workstation that is not connected to any network prevents the malware from communicating with command-and-control (C2) servers, exfiltrating data, or spreading to other systems. This isolation ensures the integrity of the analysis environment and protects the broader infrastructure from accidental infection or data leakage.

Exam trap

Cisco often tests the misconception that deleting malware after analysis is a safety measure, when in fact preservation and proper containment (e.g., using hashes and isolated environments) are the correct forensic practices.

287
MCQ (medium)

During an iOS forensic examination, an analyst extracts an iTunes backup and finds the file '3d0d7e5fb2ce288813306e4d4636395e047a3d28'. Which type of data does this file typically contain?

A. Call history
B. SMS and iMessage conversations
C. Keychain data
D. Notes app data
Answer: D

The hash corresponds to the Notes app's SQLite database (NotesStore.sqlite).

Why this answer

The file '3d0d7e5fb2ce288813306e4d4636395e047a3d28' is the SQLite database (NotesStore.sqlite) that stores Apple's Notes app data in an iOS backup. Its SHA-1 hash name corresponds to the domain 'AppDomain-com.apple.mobilenotes' and contains the notes, attachments, and metadata. This is a well-known artifact in iOS forensics for recovering user-created notes.

Exam trap

Cisco often tests the misconception that all hash-named files in iOS backups are SMS or iMessage databases, but the specific hash '3d0d7e5fb2ce288813306e4d4636395e047a3d28' is uniquely tied to the Notes app, not SMS.

How to eliminate wrong answers

Option A is wrong because call history is stored in the file 'call_history.db' (or 'CallHistory.storedata') under the domain 'com.apple.callhistory', not in a hash-named file associated with the Notes app. Option B is wrong because SMS and iMessage conversations are stored in the 'sms.db' file, which has a different hash-named file in the backup; the hash '3d0d7e5fb2ce288813306e4d4636395e047a3d28' is specifically for Notes, not SMS. Option C is wrong because Keychain data is stored in the 'keychain-backup.plist' or 'keychain-2.db' files, not in a SQLite database with this hash; Keychain uses encrypted plist or SQLite files with different identifiers.

288
MCQ (easy)

Which mobile forensic tool is commonly used for physical extraction of iOS devices via checkm8 exploit?

A. GrayKey
B. Cellebrite UFED
C. Magnet AXIOM
D. Oxygen Forensic Detective
Answer: A

GrayKey is specifically designed to use the checkm8 exploit for physical extraction.

Why this answer

GrayKey is correct because it is a dedicated forensic tool that leverages the checkm8 bootrom exploit (CVE-2019-15971) to perform physical extraction on iOS devices. The checkm8 exploit is unpatchable in hardware, allowing GrayKey to bypass the device's security enclave and extract a full file system image, including encrypted data, from iPhones up to the iPhone X.

Exam trap

EC-Council often tests the misconception that Cellebrite UFED is the primary tool for all mobile extractions, but the trap here is that checkm8 is a specific hardware-level exploit unique to GrayKey, not a general feature of commercial forensic suites.

How to eliminate wrong answers

Option B (Cellebrite UFED) is wrong because while Cellebrite UFED can perform physical extractions on many devices, it does not natively use the checkm8 exploit; instead, it relies on other methods like advanced logical extraction or proprietary bootloader exploits for iOS, and checkm8-based extraction is typically associated with GrayKey. Option C (Magnet AXIOM) is wrong because it is a forensic analysis platform that processes data from various sources but does not perform physical extraction via checkm8; it imports data from other tools like GrayKey or Cellebrite. Option D (Oxygen Forensic Detective) is wrong because it is a forensic analysis tool that supports logical and file system extractions but does not implement the checkm8 exploit for physical extraction; it relies on other acquisition methods or third-party tools.

289
Multi-Select (hard)

A security analyst observes a process making repeated network connections to an IP address 192.168.1.100 on TCP port 4444, and the process writes a DLL file to C:\Users\Public\. Which THREE actions should the analyst take immediately as part of dynamic analysis?

Select 3 answers
A. Isolate the host from the network to prevent further C2 communication
B. Capture a memory dump using FTK Imager or similar
C. Delete the DLL file to stop the malware
D. Monitor process creation and file system activity with Process Monitor
E. Reimage the hard drive to remove the malware
Answers: A, B, D

Isolation stops the malware from communicating and spreading.

Why this answer

Option A is correct because isolating the host from the network immediately stops the ongoing C2 communication to 192.168.1.100 on TCP port 4444, which is a common port for reverse shells (e.g., Metasploit). This containment prevents further data exfiltration, lateral movement, or command execution by the attacker, and is a critical first step in dynamic analysis to preserve the integrity of the investigation.

Exam trap

EC-Council often tests the distinction between immediate dynamic analysis actions (containment, monitoring, memory capture) versus destructive or premature remediation steps (deleting files, reimaging), and the trap here is that candidates mistakenly choose to delete the DLL or reimage the drive, thinking it will stop the malware, when in fact it destroys evidence and bypasses the forensic process.

290
Multi-Select (medium)

Which TWO of the following are challenges specific to SSD forensics compared to traditional HDD forensics?

Select 2 answers
A. Bad sectors
B. Wear leveling
C. File fragmentation
D. TRIM command
E. Slack space
Answers: B, D

Why this answer

TRIM command causes SSDs to erase deleted blocks immediately, and wear leveling spreads data across cells to extend lifespan, both complicating data recovery.

291
MCQ (hard)

A forensic analyst is examining a Windows 10 system and needs to determine the last boot time of the system. Which registry hive and key should the analyst query to find this information?

A. NTUSER.DAT hive, key 'Control Panel\Desktop\'
B. SYSTEM hive, key 'CurrentControlSet\Control\Windows\', value 'ShutdownTime'
C. SOFTWARE hive, key 'Microsoft\Windows NT\CurrentVersion\'
D. SAM hive, key 'SAM\Domains\Account\Users\'
Answer: B

The 'ShutdownTime' value in this key records the last system shutdown time, which can be used to infer the last boot time (as the system boots after shutdown).

Why this answer

The SYSTEM hive stores system-wide configuration data, and the key 'CurrentControlSet\Control\Windows\' contains the 'ShutdownTime' value, which records the last system shutdown time. Since the last boot time is effectively the time after the last shutdown, querying this value provides the necessary information. This is a standard forensic artifact for determining system uptime and boot events on Windows 10.

Exam trap

EC-Council often tests the misconception that the SOFTWARE hive or NTUSER.DAT hive stores boot-related timestamps, but only the SYSTEM hive's 'CurrentControlSet\Control\Windows\' key contains the official 'ShutdownTime' value for determining last boot time.

How to eliminate wrong answers

Option A is wrong because NTUSER.DAT is the per-user registry hive, and 'Control Panel\Desktop\' contains user-specific desktop settings (like wallpaper or screen saver), not system boot or shutdown times. Option C is wrong because the SOFTWARE hive's 'Microsoft\Windows NT\CurrentVersion\' key stores OS version and installation details (e.g., product name, build number), not boot or shutdown timestamps. Option D is wrong because the SAM hive's 'SAM\Domains\Account\Users\' key contains user account security identifiers and password hashes, with no relation to system boot or shutdown events.

292
MCQ (medium)

A network analyst is reviewing a packet capture and sees a large number of TCP SYN packets sent to various ports on a single host from multiple source IPs. This pattern is most indicative of which type of attack?

A. ARP spoofing
B. SYN flood
C. DNS amplification
D. Ping of death
Answer: B

SYN flood is a DoS attack with many SYN packets.

Why this answer

A SYN flood sends many SYN packets without completing the handshake, overwhelming the target. The source IPs may be spoofed.

293
Multi-Select (medium)

Which THREE of the following are Windows Event IDs that are particularly useful for investigating account logon activities?

Select 3 answers
A. 4625 - An account failed to log on
B. 4648 - A logon was attempted using explicit credentials
C. 4624 - An account was successfully logged on
D. 4656 - A handle to an object was requested
E. 7045 - A service was installed in the system
Answers: A, B, C

Records failed authentication attempts.

Why this answer

Event ID 4624 logs successful logons, 4625 logs failed logons, and 4648 logs logon attempts using explicit credentials (e.g., RunAs). These are key for tracking authentication events.

294
MCQ (easy)

An email forensic analyst receives a suspicious email and wants to trace its origin. Which email header field provides the most reliable information about the IP address of the sending SMTP server?

A. Return-Path
B. Received
C. DKIM-Signature
D. X-Originating-IP
Answer: B

Each SMTP hop adds a Received header with the IP address of the sending server.

Why this answer

The 'Received' header is added by each SMTP server that handles the email, and the last 'Received' header (or the first after the client) contains the originating IP.

295
MCQ (hard)

A forensic examiner needs to analyze a Microsoft Outlook PST file from a suspect's computer. Which tool is BEST suited to parse and extract emails, attachments, and metadata from the PST file?

A. Aid4Mail
B. DB Browser for SQLite
C. MailXaminer
D. Outlook Express
Answer: A

Aid4Mail is specifically designed for email forensic analysis and supports PST files.

Why this answer

Aid4Mail is a professional email forensic tool that can parse PST files and extract all components including metadata, attachments, and headers.

296
Multi-Select (medium)

Which TWO of the following are valid artifacts for determining program execution on a Windows system? (Select TWO.)

Select 2 answers
A. Pagefile.sys
B. System Restore points
C. Jump Lists
D. Prefetch files
E. Windows Error Reporting logs
Answers: C, D

Jump Lists record recently accessed files per application, showing usage.

Why this answer

Prefetch files store execution information for applications, and Jump Lists track recent files opened by applications, indicating usage.

297
MCQ (medium)

An examiner is analyzing an Android device using Cellebrite UFED. The device is locked with a PIN, and the examiner has no PIN. Which acquisition type should the examiner attempt FIRST to maximize data recovery without destroying evidence?

A. Logical extraction via ADB backup
B. Manual extraction by photographing the screen
C. File system extraction via ADB root shell
D. Physical extraction using a bootloader exploit
Answer: A

ADB backup can often be performed on a locked device without root, providing a logical copy of user data.

Why this answer

Option A is correct because when an Android device is locked with a PIN and no PIN is known, a logical extraction via ADB backup is the safest first step. ADB backup (adb backup) can capture app data and system settings without requiring root or unlocking the bootloader, and it does not modify the device state, preserving evidence integrity. This method works if USB debugging was previously enabled, which is common in forensic acquisitions, and it avoids the risk of triggering lockout or data wiping that physical methods might cause.

Exam trap

EC-Council often tests the misconception that physical extraction is always the best first step for locked devices, but the trap here is that bootloader exploits or physical methods can trigger data wiping or require unlocking, whereas ADB backup is a non-invasive logical method that preserves evidence integrity when USB debugging is enabled.

How to eliminate wrong answers

Option B is wrong because manual extraction by photographing the screen is a non-acquisition technique that only captures visible content, not underlying data like deleted files or app databases, and it is not a standard forensic acquisition method for maximizing data recovery. Option C is wrong because file system extraction via ADB root shell requires root access, which is not available on a locked device without a PIN; attempting to root the device could modify system partitions and destroy evidence. Option D is wrong because physical extraction using a bootloader exploit often requires unlocking the bootloader, which wipes the device (factory reset) as a security measure, destroying all user data and making it unsuitable as a first attempt.

298
MCQ (medium)

During an investigation, an analyst extracts email headers from a suspicious email. The header includes: Received: from mail.attacker.com (192.168.1.100); DKIM-Signature: v=1; a=rsa-sha256; d=legitbank.com; s=selector1; bh=...; The email claims to be from support@legitbank.com. Which indicator strongly suggests email spoofing?

A. The email was sent on a weekend
B. The DKIM signature uses RSA-SHA256 algorithm
C. The X-Originating-IP header is present
D. The Received header shows the email came from a server not owned by legitbank.com
Answer: D

Legitimate emails from legitbank.com would originate from their own mail servers, not attacker.com.

Why this answer

The DKIM-Signature domain (d=legitbank.com) should match the sender domain. However, the Received header shows the email originated from mail.attacker.com, not legitbank.com's mail servers. Additionally, analyzing the DKIM signature might fail if it doesn't match, but the mismatch in origin is a clear spoofing indicator.

299
MCQ (easy)

Which of the following is the BEST definition of computer forensics?

A. The application of investigative and analytical techniques to gather and preserve evidence from digital devices suitable for presentation in a court of law.
B. The use of software tools to scan for malware on a computer system.
C. The process of recovering deleted files from a hard drive.
D. The process of securing a computer network from unauthorized access.
Answer: A

This definition covers the full scope: collection, preservation, analysis, and legal admissibility.

Why this answer

Option A is correct because computer forensics is fundamentally the application of investigative and analytical techniques to collect, preserve, and analyze digital evidence in a manner that maintains its integrity and admissibility in a court of law. This definition encompasses the entire forensic process, from acquisition through chain of custody to presentation, aligning with the CHFI framework's emphasis on legal and procedural rigor.

Exam trap

EC-Council often tests the distinction between a narrow technical task (like file recovery or malware scanning) and the full legal and procedural scope of computer forensics, causing candidates to confuse a single step with the entire discipline.

How to eliminate wrong answers

Option B is wrong because it describes malware scanning, which is a security or incident response task, not the comprehensive legal and investigative process of computer forensics. Option C is wrong because it focuses solely on file recovery, which is only one small technical step within the broader forensic methodology, ignoring evidence preservation, analysis, and legal presentation. Option D is wrong because it defines network security (e.g., firewalls, access controls), not the post-incident forensic examination of digital evidence for legal proceedings.

300
Multi-Select (medium)

Which TWO tools are commonly used for static analysis of malware binaries?

Select 2 answers
A. Cuckoo Sandbox
B. Wireshark
C. IDA Pro
D. Ghidra
E. Process Monitor
Answers: C, D

IDA Pro is a disassembler and debugger for static analysis.

Why this answer

IDA Pro is a leading interactive disassembler and debugger used for static analysis of malware binaries. It allows analysts to examine executable code without executing it, by disassembling machine code into assembly language and providing cross-references, function graphs, and decompilation capabilities. This makes it essential for reverse engineering malicious software to understand its logic, embedded strings, and control flow.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis tools, and the trap here is that candidates confuse tools that monitor live behavior (like Cuckoo Sandbox or Process Monitor) with those that analyze code without execution, leading them to select dynamic analysis tools for a static analysis question.
