Computer Hacking Forensic Investigator CHFI (CHFI) — Questions 301375

1000 questions total · 14pages · All types, answers revealed

Page 4

Page 5 of 14

Page 6
301
MCQmedium

A security analyst is investigating a containerized application running on a Docker host. The analyst needs to collect forensic evidence from a stopped container without starting it. Which of the following Docker commands should be used to export the container's filesystem as a tar archive?

A.docker commit
B.docker export
C.docker cp
D.docker save
AnswerB

docker export exports a container's filesystem to a tar archive.

Why this answer

docker export exports the container's filesystem as a tar archive. It works on stopped or running containers and does not require the container to be started.

302
MCQeasy

In Windows forensics, which artifact is used to track recently accessed files and folders via the 'Recent Items' feature?

A.Jump lists
B.ShellBags
C.Prefetch files
D.LNK files
AnswerD

LNK files track file access via shortcuts.

Why this answer

LNK files (shortcuts) are created automatically when a user opens a file, and they contain metadata such as the target path and timestamps.

303
MCQmedium

A Linux system administrator notices unusual outbound connections from a server. Which of the following commands would MOST effectively capture a list of all current network connections along with the associated process IDs?

A.sudo iptables -L
B.sudo lsmod
C.sudo ifconfig -a
D.sudo ss -tunap
AnswerD

ss -tunap lists all TCP/UDP sockets with numeric addresses, process info, and PID.

Why this answer

The 'ss -tunap' command displays TCP/UDP sockets with process information. 'netstat -tunap' is similar but deprecated on many systems. 'lsof -i' shows open files for network connections.

304
Multi-Selecthard

Which THREE of the following are common persistence mechanisms found in Linux systems? (Select three.)

Select 3 answers
A..bashrc in user home directories
B.SSH authorized_keys
C.Systemd services (.service files)
D.Cron jobs (crontab)
E./etc/passwd file modification
AnswersB, C, D

Adding an attacker's public key to authorized_keys allows persistent SSH access.

Why this answer

Cron jobs, SSH authorized_keys, and systemd services are common methods used by attackers to maintain persistence on Linux. /etc/passwd is for user accounts, not persistence. .bashrc runs for interactive shells, but it is less common for persistence.

305
MCQhard

During an investigation, an analyst uses `dd if=/dev/sdb of=evidence.img bs=4k conv=noerror,sync`. What is the purpose of the `conv=noerror,sync` option?

A.It hashes each block to verify integrity.
B.It enables synchronous writing to ensure data integrity.
C.It compresses the output image to save space.
D.It skips read errors and pads the output with zeros to maintain block alignment.
AnswerD

That is the function of noerror and sync.

Why this answer

The `conv=noerror,sync` option in `dd` instructs the tool to continue processing even when a read error is encountered (`noerror`) and to pad the output block with zeros (`sync`) to maintain the original block alignment. This ensures that the resulting image file remains the same size as the source device, preserving the forensic integrity of the data layout despite hardware-level read failures.

Exam trap

EC-Council often tests the misconception that `sync` in `conv=noerror,sync` refers to synchronous I/O or write caching, when in fact it means padding output blocks with zeros to maintain alignment after read errors.

How to eliminate wrong answers

Option A is wrong because `conv=noerror,sync` does not perform hashing; hashing is done separately with options like `hash=md5` or via a pipe to `sha256sum`. Option B is wrong because synchronous writing is controlled by the `oflag=sync` or `conv=fsync` option, not `conv=noerror,sync`; the `sync` in `conv` refers to padding with zeros, not write synchronization. Option C is wrong because `dd` does not compress data; compression requires piping through `gzip` or using `conv=lz4` or similar, and `conv=noerror,sync` has no compression effect.

306
MCQhard

An organization in the UK suspects an employee of data theft. The IT manager wants to search the employee's company-issued laptop without consent. Which law primarily governs this action?

A.Police and Criminal Evidence Act 1984 (PACE)
B.Computer Misuse Act 1990
C.GDPR (General Data Protection Regulation)
D.Human Rights Act 1998
AnswerA

PACE provides the legal framework for police powers to search and seize evidence, and applies to company investigations when involving law enforcement.

Why this answer

The Police and Criminal Evidence Act (PACE) 1984 governs search and seizure powers in the UK, including digital evidence.

307
MCQhard

A forensic investigator is analyzing a compromised web server. In the Apache access logs, the investigator finds the following request: 'GET /images/../../../etc/passwd HTTP/1.1' with a 200 status code. Which of the following is the MOST likely reason the server returned a 200 (OK) response?

A.The server redirected the request to the root directory and returned the index page
B.The server has a custom 404 page that returns a 200 status code
C.The request was blocked by a web application firewall (WAF) which returned a 200 status
D.The server is vulnerable to directory traversal and returned the contents of /etc/passwd
AnswerD

A 200 status code with a path traversal attempt suggests successful exploitation, as the server served the requested file.

Why this answer

A 200 response to a path traversal request indicates that the server executed the request and returned the file content, meaning the directory traversal attack succeeded.

308
MCQhard

A forensic examiner is analyzing a RAID 5 array consisting of three disks. One disk has failed and is not available. The remaining two disks contain data and parity. Which technique can be used to reconstruct the missing disk's data and recover the original data?

A.Replace the failed disk and rebuild the array using the controller's rebuild function
B.Use dd to image the two disks, then perform a XOR operation on the data stripes to reconstruct the third disk's data
C.Use FTK Imager to create a logical image of each disk and merge them
D.Simply image the two disks and use file carving tools to extract files
AnswerB

XOR of data from two disks yields the missing data if parity is involved.

Why this answer

In RAID 5, parity is distributed across all disks. With two disks and one missing, XOR operations can reconstruct the missing data.

309
MCQmedium

A forensic investigator is examining a Mac system with APFS. Which artifact would be most useful for determining the exact time a file was moved to the Trash?

A.The file's creation timestamp in the directory entry
B.The APFS journal (fsroot) records the move operation with a timestamp
C.The .DS_Store file in the Trash folder
D.The 'com.apple.metadata:kMDItemWhereFroms' extended attribute
AnswerB

The journal logs metadata changes, including move operations.

Why this answer

APFS maintains a journal (fsroot) that records file system operations, including moves to Trash.

310
MCQhard

During a forensic analysis of a compromised server, you discover that a rootkit has hidden itself by modifying the HPA (Host Protected Area) of the hard disk. Which tool can detect the presence of an HPA by comparing the reported size with the actual number of sectors?

A.smartctl
B.dd
C.fdisk
D.hdparm
AnswerD

hdparm can read ATA settings, including HPA and DCO, to detect hidden areas.

Why this answer

The hdparm tool in Linux can query the ATA security features, including HPA. The command `hdparm -N /dev/sda` displays the HPA settings and can reveal if an HPA is active by showing a reduced device size.

311
MCQeasy

Which tool is specifically designed for dynamic analysis of malware by executing it in a controlled, isolated environment and logging its behavior?

A.PEiD
B.IDA Pro
C.Ghidra
D.Cuckoo Sandbox
AnswerD

Dynamic analysis sandbox.

Why this answer

Cuckoo Sandbox is the correct answer because it is an open-source automated malware analysis system specifically designed to execute suspicious files in a controlled, isolated environment (a sandbox) and log their behavior, including system calls, file system changes, network traffic, and memory dumps. Unlike static analysis tools, Cuckoo performs dynamic analysis by actually running the malware and observing its runtime actions.

Exam trap

Cisco often tests the distinction between static analysis tools (like PEiD, IDA Pro, Ghidra) and dynamic analysis tools (like Cuckoo Sandbox), trapping candidates who confuse reverse engineering with automated behavioral analysis in a sandbox.

How to eliminate wrong answers

Option A is wrong because PEiD is a static analysis tool that detects packers, cryptors, and compilers in PE files by scanning file signatures; it does not execute malware or log runtime behavior. Option B is wrong because IDA Pro is a disassembler and debugger used for static and interactive reverse engineering of binary code, not for automated dynamic analysis in an isolated sandbox environment. Option C is wrong because Ghidra is a reverse engineering framework developed by the NSA that focuses on static analysis and decompilation, lacking the sandboxed execution and behavior logging capabilities of a dedicated dynamic analysis tool like Cuckoo.

312
MCQhard

During an incident response, a first responder needs to preserve the integrity of evidence. Which action ensures the best chain of custody?

A.Use a write blocker when acquiring the disk image.
B.Compute a SHA-256 hash of the acquired image immediately after collection and record it in the chain of custody form.
C.Document every person who handled the evidence.
D.Place the evidence in an evidence bag and lock it in a secure room.
AnswerB

Hashing provides a verifiable integrity check.

Why this answer

Option B is correct because computing a SHA-256 hash immediately after acquisition creates a cryptographic fingerprint of the image. This hash, when recorded in the chain of custody form, provides verifiable integrity: any subsequent alteration of the image will produce a different hash, proving tampering. While other steps are important, only hashing directly ties the evidence's integrity to a mathematical proof that can be independently verified later.

Exam trap

EC-Council often tests the distinction between evidence preservation techniques (write blockers, secure storage) and evidence integrity verification (hashing), leading candidates to confuse physical protection with cryptographic proof of integrity.

How to eliminate wrong answers

Option A is wrong because using a write blocker preserves the integrity of the source drive during acquisition, but it does not establish or document the chain of custody for the acquired image; chain of custody requires tracking who handled the evidence and verifying its integrity after acquisition. Option C is wrong because documenting every person who handled the evidence is a necessary part of chain of custody, but it does not by itself ensure the integrity of the evidence; without a cryptographic hash, a handler could tamper with the image and the documentation alone would not detect it. Option D is wrong because placing evidence in a bag and locking it in a secure room is a physical security measure that prevents unauthorized access, but it does not provide a verifiable, mathematical proof of integrity; if the evidence is later removed and replaced, physical security alone cannot prove the original data was unchanged.

313
MCQeasy

A security analyst reviews Windows Event Logs and sees Event ID 4625 multiple times for a single user account from a remote IP address within a short time frame. What is the MOST likely interpretation?

A.The user successfully logged on from multiple locations
B.An attacker is attempting to brute-force the user's password
C.The system is experiencing a denial-of-service attack
D.A service installed itself on the system
AnswerB

Multiple failed logon attempts from a single IP indicate a brute-force attack.

Why this answer

Event ID 4625 indicates a failed logon attempt. Multiple occurrences from the same remote IP suggest a brute-force password guessing attack.

314
MCQeasy

Which file system uses a Master File Table ($MFT) as its central catalog for file metadata?

A.FAT32
B.APFS
C.ext4
D.NTFS
AnswerD

Why this answer

NTFS uses the $MFT to store information about all files and directories on the volume.

315
MCQmedium

When analyzing an NTFS volume, an investigator wants to identify files that were recently accessed or modified. Which NTFS artifact stores metadata about file system changes and can be parsed using tools like MFTEcmd or NTFSLogTracker?

A.$USN_Jrnl
B.$LogFile
C.$Recycle.Bin
D.$MFT
AnswerA

The $USN_Jrnl (USN Journal) records all changes to files and directories.

Why this answer

The USN (Update Sequence Number) journal records changes to files and directories, including timestamps and reason codes. It is commonly used to track recent activity.

316
MCQeasy

Which Linux log file is the primary source for authentication-related events, including SSH login attempts and sudo usage?

A./var/log/kern.log
B./var/log/syslog
C./var/log/auth.log
D./var/log/messages
AnswerC

Correct: auth.log is dedicated to authentication logs.

Why this answer

On most Linux distributions, authentication events are logged to /var/log/auth.log (or /var/log/secure on RHEL-based systems).

317
MCQhard

During an Android forensic examination, the analyst uses ADB to run 'adb shell dumpsys batterystats --reset' before acquiring data. What is the MOST likely purpose of this command?

A.To clear battery logs that may contain evidence of app activity
B.This command is not recommended in forensic acquisition as it may destroy potential evidence
C.To ensure the device is in a low-power state for safe extraction
D.To optimize device performance during imaging
AnswerB

Resetting battery stats erases historical battery data, which could include evidence of app usage or timestamps.

Why this answer

Option B is correct because the 'adb shell dumpsys batterystats --reset' command clears the battery statistics logs on the device. In forensic acquisition, any command that modifies or deletes data on the device is considered destructive to evidence. The reset operation removes historical battery data that may contain timestamps and app usage patterns, which could be critical evidence.

Therefore, this command is not recommended in forensic acquisition as it may destroy potential evidence.

Exam trap

EC-Council often tests the misconception that clearing logs is a benign or preparatory step, when in fact any command that modifies device state during acquisition violates forensic best practices and may be considered evidence spoliation.

How to eliminate wrong answers

Option A is wrong because clearing battery logs is precisely what the command does, and while those logs may contain evidence of app activity, the purpose of the command is to reset them, not to preserve them; the question asks for the 'most likely purpose' in a forensic context, which is that it is destructive. Option C is wrong because the command does not affect the device's power state; it only resets battery statistics data, and ensuring a low-power state is achieved through other means like disabling radios or using airplane mode. Option D is wrong because the command does not optimize device performance during imaging; it only clears battery stats, and performance optimization is irrelevant to forensic acquisition.

318
MCQmedium

An investigator needs to testify in court as an expert witness. Which of the following qualifications is MOST important for the court to accept their testimony?

A.They have a certification in computer forensics.
B.They have published articles in peer-reviewed journals on digital forensics.
C.They can demonstrate knowledge, skill, experience, training, or education that will assist the trier of fact.
D.They have been employed as a forensic analyst for over 10 years.
AnswerC

Under FRE 702 (Daubert standard), the expert must have qualifications that will help the jury understand the evidence.

Why this answer

Under the Federal Rules of Evidence (FRE) Rule 702, a witness qualified as an expert by knowledge, skill, experience, training, or education may testify if their specialized knowledge will assist the trier of fact. Option C directly mirrors this legal standard, making it the most critical qualification for admissibility. Certifications, publications, or years of service are supporting factors but not independently sufficient under the Daubert or Frye standards.

Exam trap

EC-Council often tests the misconception that a certification or years of experience alone qualifies someone as an expert witness, but the legal standard under FRE 702 requires the witness to demonstrate that their knowledge, skill, experience, training, or education will actually assist the trier of fact.

How to eliminate wrong answers

Option A is wrong because a certification alone does not guarantee that the court will accept the testimony; the court must assess whether the witness's actual knowledge and experience will assist the trier of fact, and certifications are not a substitute for demonstrated competence. Option B is wrong because published articles in peer-reviewed journals are a factor under the Daubert standard but are not the most important qualification; the witness must still show that their expertise directly aids the court in understanding the evidence. Option D is wrong because 10 years of employment as a forensic analyst does not automatically qualify someone as an expert; the court evaluates the substance of their experience and whether it logically applies to the specific digital evidence in question.

319
MCQeasy

Which tool is specifically designed to analyze email headers, track the path of an email, and extract metadata such as originating IP and authentication results?

A.Volatility
B.Wireshark
C.EmailTracker
D.FTK Imager
AnswerC

EmailTracker parses email headers and provides detailed path and authentication info.

Why this answer

EmailTracker is specifically designed to parse email headers, trace the email's path through mail servers, and extract metadata such as the originating IP address, authentication results (SPF, DKIM, DMARC), and timestamps. Unlike general-purpose tools, it focuses solely on email header analysis and visualization, making it the correct choice for this task.

Exam trap

EC-Council often tests the distinction between network packet analysis tools (Wireshark) and email-specific header analysis tools (EmailTracker), trapping candidates who confuse live SMTP traffic capture with post-delivery email header forensics.

How to eliminate wrong answers

Option A is wrong because Volatility is a memory forensics framework used for analyzing RAM dumps, not for parsing email headers or tracking email paths. Option B is wrong because Wireshark is a network protocol analyzer that captures and inspects live network traffic (e.g., SMTP packets), but it does not parse stored email headers or extract metadata like originating IP from an email's header fields. Option D is wrong because FTK Imager is a disk imaging and data acquisition tool used for creating forensic images of storage media, not for analyzing email headers or extracting email metadata.

320
MCQmedium

A network analyst captures suspicious traffic and uses Wireshark to examine packets. The analyst notices many TCP SYN packets sent to various ports on a single host with no SYN-ACK replies. What type of activity is MOST likely observed?

A.Denial of Service (DoS) attack
B.Port scan
C.DNS amplification
D.ARP poisoning
AnswerB

SYN packets to multiple ports are characteristic of a TCP SYN scan.

Why this answer

A port scan sends SYN packets to multiple ports to identify open ones; lack of SYN-ACK replies indicates closed ports.

321
MCQeasy

Based on the log exhibit, what type of attack is occurring?

A.Man-in-the-middle attack
B.SQL injection attack
C.Denial of Service attack
D.Brute-force attack on SSH
AnswerD

Repeated failed attempts for root user from same IP.

Why this answer

The log shows multiple failed SSH login attempts from the same IP address with different usernames and passwords, which is characteristic of a brute-force attack targeting SSH. The repeated 'Failed password' entries for various user accounts (e.g., root, admin, user) indicate an automated attempt to guess credentials, not a single successful compromise or a different attack type.

Exam trap

EC-Council often tests the distinction between a brute-force attack and a DoS attack by including logs with repeated authentication failures, leading candidates to mistakenly choose DoS due to the high volume of events, but the key indicator is the specific 'Failed password' message targeting SSH, not a flood of traffic.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack would involve intercepting or modifying traffic between two parties, not repeated failed login attempts; there is no evidence of ARP spoofing, session hijacking, or traffic redirection in the log. Option B is wrong because SQL injection attacks target web application databases via malicious SQL queries in input fields, not SSH authentication logs; the log shows no SQL syntax or database error messages. Option C is wrong because a Denial of Service attack aims to overwhelm a service with traffic to cause disruption, not to repeatedly attempt authentication; the log shows sequential login failures without a flood of packets or resource exhaustion indicators.

322
MCQmedium

A forensic analyst is examining a compromised Linux server and finds a suspicious binary running as a service. Which file should be checked to determine if the binary is set to start at boot?

A./etc/crontab
B./etc/shadow
C./var/log/auth.log
D./etc/passwd
AnswerA

Crontab files can be used to run tasks at boot (e.g., @reboot).

Why this answer

Cron jobs are used for scheduling tasks; a cron job could be set to run a binary at boot. However, init scripts or systemd services are more common for services. Among the options, crontabs are the most direct for persistence, but the question asks for 'file' from the list. /etc/crontab defines system-wide cron jobs.

323
MCQmedium

A security analyst notices that a compromised Android device's /data/data/com.example.app/databases/ directory contains a database with tables named 'accounts', 'transactions', and 'settings'. Which type of forensic acquisition would be MOST appropriate to capture this app-specific data while preserving deleted records?

A.Physical extraction
B.File system extraction
C.Logical extraction via ADB
D.Manual extraction via device UI
AnswerA

Physical extraction provides a complete bit-for-bit image, including deleted data.

Why this answer

Physical extraction creates a bit-for-bit copy of the entire flash memory, including unallocated space and deleted SQLite records that have not been overwritten. This is the only method that can recover deleted rows from the 'accounts', 'transactions', and 'settings' tables because logical and file-system extractions typically skip unallocated blocks. The /data/data/com.example.app/databases/ directory is protected by Android's sandboxing, but physical acquisition bypasses the OS and reads the raw NAND or eMMC blocks directly.

Exam trap

Cisco often tests the misconception that file system extraction (Option B) can recover deleted app data, but candidates forget that file system extraction only sees allocated files and does not capture unallocated space where deleted SQLite records persist.

How to eliminate wrong answers

Option B (File system extraction) is wrong because it only retrieves allocated files and metadata from the mounted file system, missing deleted records that reside in unallocated space or SQLite free pages. Option C (Logical extraction via ADB) is wrong because ADB backup or content provider queries only export active data and cannot access deleted rows or unallocated clusters. Option D (Manual extraction via device UI) is wrong because the user interface only displays current application data and provides no mechanism to recover deleted database entries.

324
MCQhard

During a malware investigation, an analyst identifies a suspicious file that appears to be a Windows executable. Using PEiD, the analyst detects the file is packed with UPX. After unpacking, the analyst runs the file in a sandbox and observes it modifies the following registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MalService. What behavioural indicator is primarily demonstrated?

A.Persistence mechanism
B.Command and control communication
C.Anti-forensic technique (timestomping)
D.Privilege escalation attempt
AnswerA

Adding a value to the Run key ensures persistence.

Why this answer

The modification of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MalService is a classic persistence mechanism. By adding an entry to the Run key, the malware ensures that it executes automatically every time the user logs into the system, maintaining its presence across reboots.

Exam trap

EC-Council often tests the distinction between persistence and privilege escalation, where candidates mistakenly think modifying HKCU\Run requires administrative rights, but it only requires user-level access and is a persistence technique, not an escalation attempt.

How to eliminate wrong answers

Option B is wrong because command and control communication involves network traffic to an external server (e.g., HTTP, DNS, or IRC), not a local registry modification. Option C is wrong because anti-forensic techniques like timestomping alter file timestamps (e.g., using SetFileTime or touch), not registry keys. Option D is wrong because privilege escalation attempts typically target security tokens or exploit vulnerabilities to gain higher access (e.g., SeDebugPrivilege or UAC bypass), not setting a user-level Run key.

325
MCQmedium

During a forensic analysis of a compromised Linux server, you notice that the file /var/log/auth.log has been cleared. However, you find that the attacker's commands are still partially recoverable. Which artifact most likely contains the attacker's command history?

A./var/log/syslog
B.~/.bash_history
C./proc/1/cmdline
D./etc/shadow
AnswerB

This file logs commands entered in bash.

Why this answer

The bash_history file for each user (typically ~/.bash_history) stores command-line history. Even if auth.log is cleared, this file often retains command entries.

326
MCQeasy

In Linux, which file contains hashed user passwords?

A./etc/gshadow
B./etc/group
C./etc/passwd
D./etc/shadow
AnswerD

Correct. /etc/shadow holds the password hashes.

Why this answer

The /etc/shadow file stores hashed user passwords along with password aging information, and is readable only by root to enhance security. In contrast, /etc/passwd contains user account information but stores only a placeholder (usually 'x' or '*') for the password hash, not the hash itself. This separation is a standard Linux security mechanism to prevent unauthorized access to password hashes.

Exam trap

EC-Council often tests the misconception that /etc/passwd still contains password hashes, leading candidates to choose option C, but modern Linux systems have moved hashes to /etc/shadow for security.

How to eliminate wrong answers

Option A is wrong because /etc/gshadow stores hashed group passwords and group administrator information, not user passwords. Option B is wrong because /etc/group defines group memberships and optionally group passwords (often stored as 'x' with hashes in /etc/gshadow), not user password hashes. Option C is wrong because /etc/passwd historically stored password hashes, but modern Linux systems use shadow passwords, and /etc/passwd now contains only a placeholder (e.g., 'x') indicating the hash is in /etc/shadow.

327
MCQmedium

During a Windows forensic investigation, an analyst finds a registry key under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. What type of artifact is this, and what information does it typically contain?

A.UserAssist entries that record program execution history with counts and timestamps
B.Jump list data from the taskbar showing recently opened files
C.Prefetch file metadata indicating application launch times
D.ShellBags data displaying folder view settings and sizes
AnswerA

UserAssist is designed to log program launches by the user, including the number of times run and last execution.

Why this answer

UserAssist keys track programs launched via Windows Explorer, recording the executable path, last execution time, and run count. This is a common artifact for determining application usage.

328
MCQmedium

A security analyst reviewing Apache access logs finds entries like: 192.168.1.10 - - [12/Jan/2023:15:23:11 +0000] "GET /search?q=1' OR '1'='1 HTTP/1.1" 200 5324. What attack is indicated?

A.Cross-site scripting (XSS)
B.SQL injection
C.Path traversal
D.Command injection
AnswerB

The payload '1' OR '1'='1' is a classic SQL injection tautology aiming to bypass authentication or extract data.

Why this answer

The log entry shows a SQL injection attempt via the 'q' parameter with a tautology. The 200 response indicates the request was processed, suggesting possible success.

329
MCQhard

A network forensic analyst examines a pcap file in Wireshark and sees an HTTP POST request to '/shell.jsp' with a parameter 'cmd' containing 'dir'. The response contains a directory listing. Which intrusion artifact is indicated?

A.SQL injection
B.Directory traversal
C.Webshell
D.Cross-site scripting (XSS)
AnswerC

A webshell allows remote command execution via web requests, evidenced by cmd parameter and directory listing.

Why this answer

A webshell is a malicious script that provides remote command execution via web requests. The POST to a JSP file with a cmd parameter and directory listing in the response indicates a webshell.

330
MCQhard

A forensic analyst is examining a Windows system and finds that the UserAssist key in the NTUSER.DAT hive contains entries with Rot13-encoded names. What is the primary purpose of the UserAssist key?

A.Record USB device connection history
B.Store user password history
C.Log program execution counts and last run times
D.Track recently opened documents via Jump Lists
AnswerC

UserAssist tracks how often and when programs were run.

Why this answer

UserAssist tracks application execution count and last run time. The Rot13 obfuscation is to hide the names from casual viewing.

331
MCQmedium

An Android forensic analyst connects a suspect device to their workstation and issues the command "adb backup -apk -shared -all -f backup.ab". Which type of acquisition is being performed?

A.Manual acquisition through device UI
B.Physical acquisition via JTAG
C.Logical acquisition via ADB backup
D.File system acquisition via dd
AnswerC

ADB backup creates a logical backup of app data and settings.

Why this answer

The command `adb backup -apk -shared -all -f backup.ab` creates a full Android backup via the Android Debug Bridge (ADB) protocol. This is a logical acquisition because it requests user data and installed APKs through the high-level backup service, not a bit-for-bit copy of the storage. The resulting `.ab` file is an Android Backup archive, which contains files and directories that the device’s backup manager chooses to export, making it a logical extraction.

Exam trap

Cisco often tests the distinction between logical and physical acquisition by presenting a command that looks like it might be low-level (e.g., containing 'backup' or 'all') but is actually a logical method, leading candidates to mistakenly choose physical or file system acquisition.

How to eliminate wrong answers

Option A is wrong because manual acquisition through the device UI involves navigating menus and copying data manually, not using ADB commands. Option B is wrong because physical acquisition via JTAG requires hardware-level access to the device’s JTAG interface to dump raw flash memory, not a software command over USB. Option D is wrong because file system acquisition via `dd` creates a bit-for-bit image of a partition or block device, whereas `adb backup` only extracts logical files and does not capture deleted data or unallocated space.

332
MCQeasy

A forensic investigator examines a hard drive and needs to recover deleted files. Which tool is specifically designed for file carving by scanning raw data for file headers and footers without relying on the file system?

A.Foremost
B.Volatility
C.Autopsy
D.FTK Imager
AnswerA

Foremost is a classic file carving tool that recovers files based on signatures.

Why this answer

Foremost is a file carving tool that recovers files based on headers, footers, and data structures, independent of the file system metadata.

333
MCQeasy

Which tool is specifically designed for timeline analysis of forensic artifacts across multiple systems and can process output from various forensic tools?

A.Autopsy
B.Wireshark
C.Sleuth Kit
D.log2timeline
AnswerD

log2timeline (Plaso) is used for timeline generation and analysis in digital forensics.

Why this answer

log2timeline (Plaso) is a tool for creating super timelines from multiple log and artifact sources, enabling analysis of events across time.

334
MCQmedium

In a UK-based investigation, which legal framework governs the search and seizure of digital evidence?

A.Electronic Communications Privacy Act
B.PACE (Police and Criminal Evidence Act)
C.Fourth Amendment
D.GDPR
AnswerB

PACE governs police powers in England and Wales.

Why this answer

The Police and Criminal Evidence Act 1984 (PACE) provides the legal framework for police powers, including search and seizure of digital evidence in the UK.

335
MCQmedium

During a malware analysis, an analyst runs a suspicious executable in a Cuckoo Sandbox and observes that the process creates a mutex named 'Global\XPSS-1.0.0' and writes a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What do these actions MOST likely indicate?

A.The malware is performing privilege escalation by exploiting a known vulnerability.
B.The malware is communicating with a command-and-control server to receive further instructions.
C.The malware is attempting to hide its presence by using a system mutex name and a legitimate registry location.
D.The malware is establishing persistence and ensuring only one instance of itself runs.
AnswerD

The Run registry key provides persistence, and the mutex prevents multiple instances.

Why this answer

The mutex 'Global\XPSS-1.0.0' is used to prevent multiple instances of the malware from running simultaneously, which is a common anti-analysis and stability technique. Writing a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a standard method for achieving persistence, ensuring the malware executes automatically at user logon. Together, these actions directly indicate persistence and single-instance control, not privilege escalation, C2 communication, or hiding.

Exam trap

EC-Council often tests the distinction between persistence mechanisms and hiding techniques, trapping candidates who confuse a standard persistence location (Run key) with a stealth or concealment method, when hiding typically involves alternate data streams, registry run keys under Policies, or rootkit-level hooks.

How to eliminate wrong answers

Option A is wrong because creating a mutex and writing a Run key are not techniques for privilege escalation; privilege escalation typically involves exploiting vulnerabilities (e.g., via token manipulation or kernel exploits) to gain higher access rights, not mutex or registry operations. Option B is wrong because mutex creation and Run key persistence are local system actions; communication with a command-and-control server would involve network connections (e.g., HTTP, DNS, or IRC traffic) and is not directly indicated by these artifacts. Option C is wrong because the mutex name 'Global\XPSS-1.0.0' is not a standard system mutex (system mutexes often use 'Global\' prefix with well-known names like 'Global\MSCTF.CtfMonitor') and the Run key is a well-known persistence location, not a hiding technique; hiding would involve rootkits, fileless techniques, or stealthy registry locations like HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.

336
MCQmedium

A web server log shows the following request: 'GET /../../../../etc/passwd HTTP/1.1' with a 200 response code. The web server is running Apache on Linux. What attack has likely succeeded?

A.Remote File Inclusion (RFI)
B.SQL injection
C.Cross-Site Request Forgery (CSRF)
D.Local File Inclusion (LFI) or Path Traversal
AnswerD

The URI attempts to traverse directories to access /etc/passwd.

Why this answer

The '../' sequences indicate path traversal, attempting to access files outside the web root. A 200 response suggests the file was served.

337
MCQhard

A company's legal department issues a legal hold notice for electronically stored information (ESI) related to a pending lawsuit. The IT department is tasked with preserving data. Which of the following actions is MOST likely to violate the legal hold requirements?

A.Notifying all employees to preserve documents related to the lawsuit.
B.Suspending routine deletion of emails older than 30 days.
C.Continuing to run a script that deletes temporary files older than 24 hours.
D.Taking a forensic image of the relevant servers.
AnswerC

If temporary files could contain relevant ESI, deletion violates the hold.

Why this answer

Option C is correct because continuing to run a script that deletes temporary files older than 24 hours directly destroys ESI that may be relevant to the lawsuit, violating the legal hold requirement to preserve all potentially relevant data. Legal hold mandates the suspension of any automated or manual processes that could alter or delete ESI, including temporary files that might contain fragments of relevant documents or metadata. Unlike suspending routine email deletion (Option B), which is a preservation action, the script actively purges data and thus breaches the hold.

Exam trap

EC-Council often tests the misconception that only 'obvious' data like emails or documents need preservation, but the trap here is that temporary files and caches are also ESI and must be preserved under a legal hold, making their automated deletion a violation.

How to eliminate wrong answers

Option A is wrong because notifying employees to preserve documents is a standard and necessary step to implement a legal hold, ensuring awareness and compliance. Option B is wrong because suspending routine deletion of emails older than 30 days is a proper preservation action that stops the destruction of potentially relevant ESI. Option D is wrong because taking a forensic image of relevant servers is a best-practice preservation technique that captures a point-in-time snapshot of data without altering it, fully compliant with legal hold requirements.

338
MCQeasy

An investigator needs to capture network traffic from a live network segment without altering the traffic flow. Which technique should they use?

A.Enable NetFlow on the router and capture flows
B.Configure a SPAN port on the switch
C.Deploy an ARP spoofing tool to redirect traffic
D.Set the NIC to promiscuous mode on the forensic workstation
AnswerB

Port mirroring (SPAN) copies traffic to a monitor port without interrupting the original flow.

Why this answer

A SPAN (Switched Port Analyzer) port, also known as a mirror port, copies all traffic from a specified source port or VLAN to a destination port where the forensic workstation is connected. This allows the investigator to capture traffic without injecting any frames or altering the forwarding behavior of the switch, thus preserving the integrity of the live network segment.

Exam trap

EC-Council often tests the misconception that promiscuous mode alone is sufficient for capturing all traffic on a switched network, but candidates forget that switches isolate traffic per port unless a SPAN port is configured.

How to eliminate wrong answers

Option A is wrong because NetFlow is a flow-based accounting and monitoring technology that exports aggregated flow records (e.g., source/destination IP, ports, protocol) rather than capturing full packet payloads; it cannot provide the raw packet-level data needed for deep forensic analysis. Option C is wrong because ARP spoofing actively sends forged ARP replies to redirect traffic through the attacker's machine, which alters the traffic flow and can cause network disruptions or detection, violating the requirement to not alter the traffic flow. Option D is wrong because setting a NIC to promiscuous mode only allows the workstation to receive all frames on the collision domain of its connected switch port, but on a modern switched network, the switch will not forward traffic destined for other ports to the forensic workstation, so promiscuous mode alone cannot capture traffic from other hosts without additional techniques like ARP spoofing or a SPAN port.

339
MCQmedium

A CHFI analyst is called to investigate a suspected data breach. The IT team has already shut down the server. Which of the following is the most appropriate order of actions to preserve evidence?

A.Immediately power on the server to check for running processes.
B.Copy all files from the server to an external USB drive.
C.Run antivirus scan to ensure no malware is present before imaging.
D.Secure the scene, photograph the setup, document connections, remove hard drives, and create forensic images using a write-blocker.
AnswerD

This follows proper forensic procedure: secure, document, collect, image with write-blocker.

Why this answer

Option D is correct because it follows the established forensic investigation process: secure the scene to prevent contamination, document the state of the server (photographs and connection diagrams), then physically remove the hard drives and create forensic images using a write-blocker to preserve the original data without alteration. This ensures evidence integrity and admissibility in legal proceedings.

Exam trap

EC-Council often tests the misconception that immediate data collection (like powering on or scanning) is acceptable, when in fact the first priority is to preserve the scene and prevent any modification to the evidence.

How to eliminate wrong answers

Option A is wrong because powering on a server that has been shut down can alter volatile data (e.g., memory contents, temporary files, system logs) and may trigger anti-forensic mechanisms, destroying evidence. Option B is wrong because copying files directly to an external USB drive modifies file metadata (e.g., last access timestamps) and does not capture deleted data or unallocated space, violating forensic best practices. Option C is wrong because running an antivirus scan on a live or powered-off system can modify files (e.g., quarantine, deletion, or repair) and alter the evidence, compromising its integrity.

340
MCQhard

A forensic analyst is examining an Android device that has been factory reset. Which type of data is LEAST likely to be recoverable using forensic tools?

A.Google account tokens stored in AccountManager
B.Encrypted app data from /data/data/
C.System logs in /data/log/
D.Deleted text messages from SQLite files
AnswerB

File-based encryption keys are wiped; data is inaccessible.

Why this answer

After a factory reset, the /data partition is wiped and re-encrypted with a new key. Encrypted app data stored under /data/data/ is protected by file-based encryption (FBE) using a per-user encryption key that is discarded during the reset. Without the original encryption key, forensic tools cannot decrypt this data, making it the least likely to be recoverable.

Exam trap

Cisco often tests the misconception that a factory reset makes all data permanently unrecoverable, but the trap here is that encrypted data is truly irrecoverable due to key destruction, whereas unencrypted or synced data may still be retrieved from residual storage or cloud sources.

How to eliminate wrong answers

Option A is wrong because Google account tokens stored in AccountManager are often synced to Google's servers and may be recoverable from cloud backups or Google's authentication logs, even after a factory reset. Option C is wrong because system logs in /data/log/ are plaintext files that, although overwritten by the reset, may still be partially recoverable using file carving techniques if the blocks have not been overwritten. Option D is wrong because deleted text messages from SQLite files reside in the /data partition, and while the database is wiped, unallocated space may still contain remnants of the deleted records that can be recovered with forensic tools like Cellebrite or Oxygen Forensic Detective.

341
Multi-Selectmedium

An investigator is analyzing a Windows system and wants to find evidence of USB device usage. Which TWO registry keys should be examined? (Select TWO.)

Select 2 answers
A.HKLM\SAM\SAM
B.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C.HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
D.HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
E.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
AnswersC, D

Lists all USB storage devices ever connected.

Why this answer

USBSTOR stores connected USB devices; MountPoints2 stores volume mount points with device identifiers.

342
MCQmedium

An analyst suspects that sensitive data was hidden in the NTFS Alternate Data Streams (ADS) of a file on a suspect's drive. Which tool is specifically designed to enumerate and extract data from ADS on a live Windows system?

A.Foremost
B.PhotoRec
C.dd
D.Streams.exe (Sysinternals)
AnswerD

Correct: Streams.exe lists and extracts ADS data.

Why this answer

Streams.exe (from Sysinternals) is the standard tool to list and extract data from Alternate Data Streams on Windows.

343
Multi-Selecthard

Which THREE of the following are challenges specific to SSD forensics compared to HDD forensics?

Select 3 answers
A.Garbage collection that automatically erases stale blocks
B.TRIM command causing data erasure
C.Wear leveling algorithms that relocate data
D.Platter rotation causing magnetic remanence
E.Controller-based compression reducing data size
AnswersA, B, C

GC can erase data without OS command, complicating recovery.

Why this answer

SSDs have unique features: TRIM command erases data blocks, wear leveling moves data around complicating recovery, and garbage collection can erase deleted data without OS intervention. Platter rotation is HDD-specific.

344
MCQeasy

Which email header field is specifically used to verify that an email was not tampered with during transit and is signed by the sender's domain?

A.X-Originating-IP
B.Message-ID
C.Received
D.DKIM-Signature
AnswerD

DKIM uses a digital signature to verify the email was not altered and originated from the claimed domain.

Why this answer

DKIM-Signature header contains a digital signature that allows the receiver to verify the email's integrity and authenticity.

345
MCQhard

A forensic analyst is examining a hard drive that was imaged using a software write blocker. Which of the following is a potential disadvantage of using a software write blocker compared to a hardware write blocker?

A.It cannot be used with USB drives
B.It may be susceptible to operating system or driver vulnerabilities
C.It does not support hashing algorithms for integrity
D.It is more expensive than hardware write blockers
AnswerB

Software blockers depend on the OS; a compromised OS could bypass the blocker.

Why this answer

A software write blocker operates at the operating system level, intercepting write commands before they reach the storage device. Because it relies on the OS and its drivers, any vulnerability in the OS kernel, storage driver stack, or the blocker's own filter driver could be exploited, potentially allowing unintended writes to the evidence. In contrast, a hardware write blocker physically prevents write signals from reaching the drive at the bus level, offering a more robust isolation that is independent of the host OS's security state.

Exam trap

EC-Council often tests the misconception that software write blockers are functionally equivalent to hardware blockers, but the trap here is that candidates overlook the OS-layer dependency and vulnerability surface of software blockers, assuming they are just as reliable as physical write-blocking hardware.

How to eliminate wrong answers

Option A is wrong because software write blockers can be used with USB drives; they intercept write commands at the OS level regardless of the interface (SATA, USB, etc.), though some may require specific driver support. Option C is wrong because software write blockers do not inherently prevent hashing; hashing algorithms like SHA-256 are applied to the acquired image by forensic tools (e.g., FTK Imager, dd with sha256sum) independently of the write blocker. Option D is wrong because software write blockers are generally less expensive than hardware write blockers, often being free or low-cost tools (e.g., built-in OS features or open-source utilities), while hardware blockers involve dedicated electronic components.

346
MCQhard

In the context of e-discovery, what does the 'best evidence rule' require regarding digital documents?

A.That the original electronic file or a reliable duplicate be produced.
B.That all evidence be authenticated by a witness.
C.That only paper copies of digital documents are admissible.
D.That metadata is preserved in all copies.
AnswerA

The rule prefers the original, but accurate duplicates are often allowed.

Why this answer

The best evidence rule, codified in Federal Rule of Evidence 1002, requires the original writing, recording, or photograph to prove its content unless otherwise provided. In e-discovery, an original electronic file or a reliable duplicate (e.g., a bit-for-bit forensic image verified by a hash such as MD5 or SHA-1) satisfies this rule because the duplicate is functionally equivalent to the original for evidentiary purposes.

Exam trap

EC-Council often tests the misconception that the best evidence rule requires the 'original' in a physical sense, leading candidates to reject reliable duplicates, when in fact digital duplicates verified by hash are legally equivalent to the original under FRE 1003.

How to eliminate wrong answers

Option B is wrong because the best evidence rule does not mandate authentication by a witness; authentication is a separate requirement under FRE 901, which can be satisfied through testimony or circumstantial evidence like hash values. Option C is wrong because the rule does not require paper copies; in fact, paper copies of digital documents are often considered duplicates and may be admissible if they accurately reflect the original, but the rule prefers the original or a reliable duplicate, not exclusively paper. Option D is wrong because while metadata preservation is a best practice in forensics, the best evidence rule itself does not explicitly require metadata preservation in all copies; it focuses on the content of the document, not its metadata.

347
Multi-Selecteasy

A forensic analyst is performing static analysis of a Windows PE file. Which TWO of the following tools are specifically designed for static analysis of malware?

Select 2 answers
A.Wireshark
B.Cuckoo Sandbox
C.IDA Pro
D.Ghidra
E.Process Monitor
AnswersC, D

IDA Pro is a disassembler and debugger used for static analysis.

Why this answer

IDA Pro is a disassembler and debugger that allows analysts to reverse-engineer binary executables by converting machine code into assembly language. For static analysis of malware, IDA Pro enables examination of the PE file's structure, strings, imports, and code flow without executing the sample, making it a core tool for malware forensics.

Exam trap

EC-Council often tests the distinction between static and dynamic analysis tools, and the trap here is that candidates confuse network or process monitoring tools (Wireshark, Process Monitor) with static analysis, or mistake sandboxing (Cuckoo) for static analysis when it is inherently dynamic.

348
MCQeasy

Which Windows artifact is primarily used to determine the execution history of applications, including the path and run count?

A.LNK files
B.Jump lists
C.Prefetch files
D.Event logs
AnswerC

Prefetch files contain execution history, path, and run count for applications.

Why this answer

Prefetch files (.pf) store information about recently executed applications, including execution count and timestamps. They are located in C:\Windows\Prefetch.

349
MCQmedium

A security analyst is investigating a compromised Windows system and wants to see which processes were running at the time of memory capture. Which Volatility command should they use?

A.volatility -f mem.dump pslist
B.volatility -f mem.dump hashdump
C.volatility -f mem.dump malfind
D.volatility -f mem.dump netscan
AnswerA

pslist lists all processes from the memory image.

Why this answer

The 'pslist' plugin lists processes from the EPROCESS structures. 'pstree' shows parent-child relationships.

350
MCQhard

An analyst runs 'dcfldd if=/dev/sdb of=/evidence/disk.dd hash=sha256 hashlog=/evidence/hash.log' on a Linux system. What is the primary advantage of using dcfldd over plain dd for forensic imaging?

A.It can acquire memory dumps from live systems
B.It supports compression of the output image
C.It automatically creates a write-blocked connection
D.It can compute hashes on-the-fly and log them
AnswerD

Correct. dcfldd can compute and log hashes during imaging.

Why this answer

D is correct because dcfldd is a specialized forensic version of dd that can compute cryptographic hashes (e.g., SHA-256) on-the-fly while writing the image, and log those hashes to a separate file (hashlog). This ensures data integrity verification without requiring a separate post-imaging hashing pass, which is a critical requirement in forensic imaging to prove the acquired image is an exact bit-for-bit copy of the source.

Exam trap

The trap here is that candidates may confuse dcfldd's on-the-fly hashing with other features like compression or memory acquisition, or assume that dd itself can perform hashing, when in fact plain dd has no built-in hash computation capability.

How to eliminate wrong answers

Option A is wrong because dcfldd is designed for disk imaging, not memory acquisition; tools like LiME or fmem are used for live memory dumps. Option B is wrong because dcfldd does not natively support compression; compression must be done via piping to gzip or using other tools like ewfacquire. Option C is wrong because dcfldd does not create a write-blocked connection; write-blocking is a hardware or software layer (e.g., using a hardware write-blocker or the Linux kernel's read-only mount) that must be established before running the imaging command.

351
Multi-Selecthard

Which THREE of the following are valid rules of evidence that digital evidence must satisfy to be admissible in court? (Select three.)

Select 3 answers
A.Best evidence rule
B.Admissibility
C.Chain of custody
D.Authenticity
E.Completeness
AnswersB, D, E

Evidence must be relevant and not excluded by legal rules.

Why this answer

Option B (Admissibility) is correct because digital evidence must be legally permissible in court, meaning it must be obtained lawfully and not violate constitutional rights. Admissibility is a foundational rule that ensures evidence meets legal standards for consideration by the court, often tied to the Federal Rules of Evidence (FRE) or similar jurisdictional rules. Without admissibility, even the most compelling digital evidence cannot be presented to the jury.

Exam trap

EC-Council often tests the distinction between procedural concepts (like Chain of Custody) and formal rules of evidence, causing candidates to mistakenly select Chain of Custody as a rule when it is actually a supporting process for authenticity and completeness.

352
Multi-Selecthard

A security analyst is investigating a potential webshell on an IIS server. Which THREE artifacts are commonly associated with webshell presence?

Select 3 answers
A.Increase in NetFlow traffic to a known good update server
B.Presence of encoded scripts in the web application directory
C.Event ID 4624 logon events from the service account
D.Unusual HTTP POST requests to .asp or .aspx files in IIS logs
E.Process creation events for cmd.exe or powershell.exe spawned by w3wp.exe
AnswersB, D, E

Webshell files are typically stored in web-accessible directories.

Why this answer

Webshells leave traces in IIS logs (HTTP requests), file system (malicious files in web directories), and event logs (process creation or errors).

353
MCQmedium

During a network forensic investigation, you need to capture live network traffic from a switch span port. Which tool would best capture the traffic in a forensically sound manner?

A.Nmap
B.Wireshark
C.Netcat
D.Tcpdump
AnswerB

Wireshark captures packets and can save them in standard formats.

Why this answer

Wireshark is the best tool for capturing live network traffic from a switch SPAN port in a forensically sound manner because it provides a robust graphical interface for real-time packet capture and analysis, supports full packet capture with timestamps, and can write captures directly to a pcapng file format that preserves packet integrity and metadata. Its ability to run in promiscuous mode ensures all traffic from the SPAN port is captured without altering the data, meeting forensic requirements for accuracy and completeness.

Exam trap

EC-Council often tests the misconception that Tcpdump is the only forensically sound command-line tool, but Wireshark is preferred for its GUI, advanced filtering, and pcapng support, which are critical for thorough forensic analysis and documentation.

How to eliminate wrong answers

Option A is wrong because Nmap is a network scanning tool used for host discovery and port enumeration, not for capturing live traffic from a SPAN port; it does not support packet capture or promiscuous mode for forensic traffic acquisition. Option C is wrong because Netcat is a simple networking utility for reading/writing data across network connections, lacking the packet capture, filtering, and timestamping capabilities needed for forensically sound traffic acquisition from a SPAN port. Option D is wrong because while Tcpdump can capture packets, it is a command-line tool that lacks the graphical analysis features and advanced file format support (e.g., pcapng) of Wireshark, making it less suitable for comprehensive forensic capture and review, though it can be used in a pinch.

354
MCQeasy

An investigator needs to parse and analyze a Microsoft Outlook personal folders file (.pst). Which tool is specifically designed for this purpose?

A.Aid4Mail
B.FTK Imager
C.Wireshark
D.Sleuth Kit
AnswerA

Aid4Mail specializes in email forensics and supports PST files.

Why this answer

Aid4Mail is a forensic email analysis tool that can parse Outlook PST files, among other formats, and extract metadata, attachments, and headers.

355
MCQmedium

An analyst detects a large amount of data being exfiltrated from a network over DNS queries. Which type of network analysis would BEST detect this activity?

A.Proxy log analysis
B.Firewall log analysis
C.Packet capture analysis
D.IDS/IPS log analysis
AnswerC

Packet capture (e.g., with Wireshark) can inspect DNS query content for encoded data, detecting tunneling.

Why this answer

DNS tunneling uses DNS queries to exfiltrate data. NetFlow analysis can identify unusual DNS traffic patterns, such as large or frequent queries to a domain, while packet capture can reveal the content.

356
Multi-Selectmedium

Which THREE of the following are characteristics of the Master File Table ($MFT) in NTFS? (Choose three.)

Select 3 answers
A.It contains a record for every file and directory on the volume
B.Small files can be stored resident within the $MFT record
C.Each record is typically 1024 bytes in size
D.It is located at a fixed position at the beginning of the volume
E.It is only used for directory metadata
AnswersA, B, C

Each file and directory has at least one $MFT record.

Why this answer

The $MFT stores metadata (attributes) for each file and directory in records. Each record is typically 1 KB. Small files can be stored resident within the $MFT record.

357
MCQhard

You are a CHFI analyst responding to a security incident at a medium-sized financial firm. The IT team reports that an employee's workstation (Windows 10, single SSD) was used to access sensitive customer data without authorization. The workstation is still running, and the employee is currently logged in. The IT team has isolated the machine from the network but has not powered it off. You have been called to perform forensic acquisition. The company policy requires preservation of volatile data and a full disk image. The machine has 16 GB RAM and a 512 GB SSD. You have a forensic toolkit including FTK Imager, win32dd (for memory acquisition), and a write-blocker. Which of the following is the best course of action?

A.Use win32dd to capture the contents of RAM to an external drive, then use FTK Imager to create a physical image of the SSD over the network to a secure share.
B.Perform a graceful shutdown via the operating system, then remove the SSD and image it using a hardware write-blocker.
C.Boot the workstation from a forensic live CD, then use 'dd' to image the SSD to an external USB drive.
D.Immediately shut down the workstation by unplugging the power cord, remove the SSD, and create a forensic image using a write-blocker on a forensic workstation.
AnswerA

This captures memory first (volatile data) and then acquires a disk image while the system is still running, preserving evidence.

Why this answer

Option A is correct because it follows the proper order of volatility: capturing RAM first (volatile data) using win32dd, then imaging the SSD with FTK Imager. Since the machine is still running and isolated, network imaging is acceptable and preserves the disk state without risking data loss from a shutdown. This approach complies with the requirement to preserve volatile data and create a full disk image.

Exam trap

EC-Council often tests the order of volatility (RFC 3227) and the misconception that a graceful shutdown is safe, when in fact it destroys volatile data and alters disk state.

How to eliminate wrong answers

Option B is wrong because a graceful shutdown triggers OS cleanup processes that overwrite volatile data in RAM and may alter disk artifacts (e.g., pagefile, registry hives), violating forensic integrity. Option C is wrong because booting from a forensic live CD would overwrite portions of RAM and potentially modify the SSD (e.g., via temporary files or partition table changes), and using 'dd' without a write-blocker on a running system risks writes to the source drive. Option D is wrong because immediately unplugging the power cord loses all volatile data (RAM, network connections, process lists) that must be preserved per policy, and it may cause filesystem corruption on the SSD.

358
MCQeasy

Which Windows Event ID is generated when a new service is installed on a system?

A.4624
B.7045
C.4648
D.4720
AnswerB

Correct. 7045 is the service install event.

Why this answer

Event ID 7045 in the System log is logged when a service is installed, started, or changed.

359
MCQmedium

An email forensic investigator examines a suspicious email and notices the following header: Received: from mail.evil.com (192.168.1.100) by mail.company.com. The DKIM-Signature header fails verification. What does this indicate?

A.The receiving server rejected the email
B.The email is legitimate and was forwarded through a relay
C.The email was sent from a compromised mail server
D.The email may be spoofed or its content altered
AnswerD

DKIM failure means the signature does not match the domain's public key, indicating spoofing or modification.

Why this answer

A failing DKIM-Signature indicates the email may have been tampered with during transit or was not signed by the claimed domain. This is a strong indicator of email spoofing or alteration.

360
MCQmedium

After collecting digital evidence from a suspect's computer, the forensic examiner creates a forensic image using FTK Imager. The examiner then computes the MD5 hash of the original drive and the image file. Which of the following BEST describes the purpose of this hashing?

A.To verify that the image is an exact bit-for-bit copy of the original.
B.To encrypt the data for secure storage.
C.To index the files for faster searching.
D.To reduce the storage size of the image.
AnswerA

Matching hashes confirm data integrity.

Why this answer

Hashing verifies the integrity of the image by ensuring it is an exact copy of the original, and is used to detect any tampering during the investigation.

361
MCQmedium

A forensic examiner needs to acquire an image of a suspect's laptop hard drive. The laptop is running, and the examiner wants to capture volatile data first. According to best practices, which order of steps should the examiner follow?

A.Unplug the laptop, remove the drive, and boot the drive in a forensic workstation.
B.Immediately remove the hard drive, then capture RAM from the drive.
C.Create a full disk image over the network while the laptop is running.
D.Capture volatile data, then shut down normally, remove the drive, and image with a write blocker.
AnswerD

Volatile data first, then safe shutdown, then imaging.

Why this answer

Option D is correct because forensic best practices mandate capturing volatile data (e.g., RAM, network connections, running processes) first, as this data is lost on power loss. After capturing volatile data, the examiner should perform a graceful shutdown to preserve file system integrity, then remove the drive and acquire a forensic image using a write blocker to prevent any modification to the original evidence.

Exam trap

The trap here is that candidates may think immediate power-off (Option A) preserves the disk state, but they forget that volatile data is lost and an unclean shutdown can corrupt the filesystem, making the image less reliable.

How to eliminate wrong answers

Option A is wrong because unplugging the laptop immediately destroys volatile data (RAM contents, encryption keys, network state) and may cause file system corruption from an unclean shutdown. Option B is wrong because removing the hard drive while the system is running is physically dangerous and technically impossible without first powering off; moreover, capturing RAM from the drive is nonsensical—RAM is volatile memory, not stored on the hard drive. Option C is wrong because creating a full disk image over the network while the laptop is running modifies the system state (network traffic, open files, timestamps) and violates the principle of maintaining evidence integrity; network imaging should only be used when a write-blocked local acquisition is impossible, and even then volatile data must be captured first.

362
MCQmedium

A Linux investigator wants to see all commands run by a user from the bash shell. Which file should be examined?

A./etc/passwd
B./var/log/auth.log
C.~/.bash_history
D./var/log/syslog
AnswerC

This file stores bash command history.

Why this answer

The .bash_history file in the user's home directory contains the command history for bash.

363
Multi-Selectmedium

A forensic examiner is analyzing an iOS device backup and wants to extract the user's iCloud-related artefacts. Which TWO of the following are typical sources of iCloud artefacts in an iTunes backup?

Select 2 answers
A.AddressBook.db
B.com.apple.accounts.plist
C.Call_history.db
D.Keychain database (keychain-backup.plist)
E.SMS.db
AnswersB, D

This plist contains iCloud account details.

Why this answer

Option B is correct because the `com.apple.accounts.plist` file in an iTunes backup stores the user's iCloud account configuration, including the primary iCloud email address and associated account metadata. This plist is a direct source for identifying which iCloud account was configured on the device, making it a key artefact for iCloud-related analysis.

Exam trap

EC-Council often tests the misconception that iCloud artefacts are found in user-facing databases like SMS.db or AddressBook.db, when in fact they reside in system configuration files like plists and the Keychain database.

364
Multi-Selectmedium

An analyst is reviewing firewall logs and sees repeated outbound connections from an internal host to a known malicious IP on port 443. Which TWO network forensic data sources would BEST help determine if data exfiltration occurred?

Select 2 answers
A.NetFlow records showing packet sizes and counts
B.Full packet capture (PCAP) of the sessions
C.IDS alerts for signatures
D.Windows security event logs
E.Proxy logs with TLS interception and decrypted content
AnswersB, E

PCAPs allow reconstruction of data streams.

Why this answer

Full packet capture provides payload content, and TLS interception logs show decrypted traffic if available.

365
MCQeasy

Which Windows Registry hive contains user-specific configuration such as MRU lists and UserAssist artifacts?

A.NTUSER.DAT
B.HKLM\SAM
C.SYSTEM
D.HKLM\System
AnswerA

NTUSER.DAT is the user-specific registry hive.

Why this answer

NTUSER.DAT is the registry hive for user-specific settings, located in %UserProfile%. It contains MRU lists, UserAssist, and other user activity artifacts.

366
MCQeasy

Locard's exchange principle in digital forensics states that:

A.The chain of custody must be documented for all evidence
B.Digital evidence is always stored in the cloud
C.Only the forensic examiner can handle evidence
D.Every contact leaves a trace, and digital evidence is no exception
AnswerD

This is the direct application of Locard's principle to digital evidence.

Why this answer

Locard's exchange principle, originally from forensic science, asserts that whenever two objects come into contact, a transfer of material occurs. In digital forensics, this translates to the fact that digital devices and systems inevitably leave traces of their interactions—such as log entries, metadata, file artifacts, or network packets—making it possible to reconstruct events. Option D correctly captures this core idea that every contact leaves a trace, and digital evidence is no exception.

Exam trap

EC-Council often tests whether candidates confuse procedural concepts (like chain of custody) with the foundational scientific principle of trace evidence transfer, leading them to pick Option A instead of D.

How to eliminate wrong answers

Option A is wrong because the chain of custody is a procedural requirement for maintaining evidence integrity, not a statement of Locard's exchange principle. Option B is wrong because digital evidence can reside on local storage (e.g., hard drives, SSDs, RAM) as well as in the cloud; the principle applies regardless of storage location. Option C is wrong because multiple authorized personnel (e.g., first responders, investigators, analysts) may handle evidence under proper protocols, not exclusively the forensic examiner.

367
MCQeasy

Which of the following principles states that when two objects come into contact, there is a transfer of material between them?

A.The best evidence rule
B.Locard's exchange principle
C.The chain of custody
D.The hearsay rule
AnswerB

This principle describes the transfer of material upon contact.

Why this answer

Locard's exchange principle is a foundational concept in forensic science, including digital forensics, where every contact leaves a trace.

368
MCQeasy

Which tool is specifically designed to acquire RAM from a Linux system for forensic analysis?

A.WinPmem
B.LiME
C.EnCase
D.FTK Imager
AnswerB

LiME is the standard Linux memory acquisition tool.

Why this answer

LiME (Linux Memory Extractor) is a tool for capturing RAM on Linux systems, often used with the Volatility framework.

369
MCQeasy

In Windows forensics, which artifact is used to track recently executed programs on a per-user basis?

A.Jump lists
B.UserAssist
C.ShellBags
D.Prefetch files
AnswerB

UserAssist in NTUSER.DAT logs program executions per user.

Why this answer

UserAssist keys in the NTUSER.DAT hive store information about programs executed via Windows Explorer, including run count and last execution time.

370
MCQmedium

A forensic examiner is investigating a Docker container suspected of being used for malicious activity. Which of the following is the BEST approach to collect volatile evidence from the container without altering its state?

A.Stop the container immediately and then export its filesystem with 'docker export'
B.Create a memory dump of the host machine and extract container memory
C.Use 'docker commit' to create an image of the container's current state
D.Execute 'docker exec' to access the container shell and run forensic tools
AnswerC

docker commit captures the container's filesystem state without modifying it, preserving volatile data.

Why this answer

Using 'docker commit' creates a snapshot of the container's filesystem without stopping the container, preserving volatile evidence.

371
MCQmedium

A security analyst responds to a suspected data breach. The analyst documents the scene, photographs the computer, and labels the cables. Which phase of the forensic investigation process is being performed?

A.Collection
B.First response
C.Examination
D.Reporting
AnswerB

First response covers initial actions to secure the scene, document, and preserve volatile evidence.

Why this answer

The actions described—documenting the scene, photographing the computer, and labeling cables—are part of the First Response phase. This phase occurs immediately after an incident is detected and focuses on preserving the integrity of the scene and evidence before any collection or analysis begins. In the CHFI methodology, First Response includes securing the area, creating a detailed log of the initial state, and ensuring no unauthorized changes occur.

Exam trap

EC-Council often tests the distinction between First Response and Collection, where candidates mistakenly think that any hands-on action (like labeling cables) is part of Collection, but Collection specifically refers to the technical acquisition of data, not scene preservation.

How to eliminate wrong answers

Option A is wrong because Collection involves the actual acquisition of digital evidence (e.g., creating bit-for-bit forensic images using tools like dd or FTK Imager), not the initial scene documentation and labeling. Option C is wrong because Examination is the in-depth analysis of acquired data (e.g., file carving, registry analysis, timeline reconstruction), which occurs after evidence has been collected and preserved. Option D is wrong because Reporting is the final phase where findings are documented and presented, not the initial response activities.

372
MCQmedium

During a forensic investigation, an analyst creates a bit-for-bit copy of a suspect's hard drive using the 'dd' command with the following parameters: dd if=/dev/sda of=/evidence/image.dd bs=4k conv=noerror,sync. What is the purpose of 'conv=noerror,sync'?

A.To hash the output image
B.To ensure the command runs with superuser privileges
C.To ignore read errors and pad with zeros
D.To compress the output image
AnswerC

Correct. This ensures the image is complete despite errors.

Why this answer

Option C is correct because 'conv=noerror,sync' tells dd to continue reading even when encountering read errors (noerror) and to pad the output with zeros (sync) to maintain the same total size as the original drive. This ensures a complete forensic image is created despite bad sectors, preserving the integrity of the acquisition for analysis.

Exam trap

Cisco often tests the misconception that 'sync' refers to flushing disk caches (like the sync command) rather than its actual function of padding output with null bytes on read errors.

How to eliminate wrong answers

Option A is wrong because hashing is not performed by the conv parameter; hashing requires separate tools like sha256sum or md5sum, or using dd with piped output to a hash function. Option B is wrong because superuser privileges are obtained via sudo or running as root, not through conv parameters; conv controls data conversion, not permissions. Option D is wrong because compression is not a function of conv; compression requires piping dd output through gzip or using a separate tool like dc3dd with built-in compression.

373
Multi-Selecteasy

Which TWO of the following are valid email header fields that can be used to detect email spoofing? (Select 2)

Select 2 answers
A.Subject
B.Received-SPF
C.Content-Type
D.MIME-Version
E.DKIM-Signature
AnswersB, E

Indicates SPF check result.

Why this answer

SPF and DKIM are email authentication mechanisms that help detect spoofing. SPF checks if the sending server is authorized, DKIM verifies the email integrity.

374
MCQeasy

Which of the following BEST defines the chain of custody in digital forensics?

A.The legal authority required to seize evidence
B.The order in which forensic tools are applied to evidence
C.The physical security measures used to store evidence
D.The chronological documentation of evidence handling, transfer, and analysis
AnswerD

This accurately describes the chain of custody.

Why this answer

The chain of custody is a formal, chronological record that documents every instance of evidence handling, transfer, and analysis from the moment of seizure through its entire lifecycle. This documentation is critical to prove that evidence has not been tampered with, altered, or corrupted, thereby maintaining its admissibility in legal proceedings under rules such as Federal Rule of Evidence 901.

Exam trap

Cisco often tests the distinction between the physical security of evidence (Option C) and the procedural documentation of its handling (Option D), leading candidates to confuse storage controls with the chain of custody itself.

How to eliminate wrong answers

Option A is wrong because legal authority to seize evidence (e.g., a search warrant or subpoena) is a prerequisite for lawful collection, not the ongoing tracking of evidence after seizure. Option B is wrong because the order of forensic tool application (e.g., using FTK Imager before Autopsy) is a procedural workflow choice, not a documentation requirement for evidentiary integrity. Option C is wrong because physical security measures (e.g., locked safes, access logs) are part of evidence storage controls, but they do not constitute the chronological documentation of handling and transfer that defines chain of custody.

375
MCQmedium

During a forensic investigation, an analyst discovers data hidden in the Host Protected Area (HPA) of a hard drive. Which tool is commonly used to view and access the HPA?

A.PhotoRec
B.fdisk
C.dd
D.hdparm
AnswerD

Why this answer

hdparm is a Linux utility that can be used to manage ATA commands, including reading or modifying the HPA size.

Page 4

Page 5 of 14

Page 6